Re: [RFC PATCH v2 0/5] physmem: Have flaview API check bus permission from MemTxAttrs argument

2021-08-24 Thread Li Qiang
iced > Philippe tries to fix the same thing with another approach). Not > benchmarked. > > Maybe it helps ... > Gerd's patch just reminds me of my approach here. Just adding it here: https://mail.gnu.org/archive/html/qemu-devel/2020-09/msg00906.html But I check and record it in the device MR

Re: [PATCH v1 21/21] contrib/gitdm: add more individual contributor entries.

2021-07-14 Thread Li Qiang
> [AJB: Won't merge without confirmation from appropriate people.] > > Signed-off-by: Alex Bennée > Cc: "Kővágó, Zoltán" > Cc: Li Qiang > Cc: Li Qiang These two are both my email address, please use the gmail address. I'm an individual contributor in qemu pr

Re: [PATCH] virtio-gpu: move scanout_id sanity check

2021-06-13 Thread Li Qiang
a9bc3 ("virtio-gpu: Refactor virtio_gpu_set_scanout") > Fixes: 32db3c63ae11 ("virtio-gpu: Add virtio_gpu_set_scanout_blob") > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/383 > Reported-by: Alexander Bulekov > Signed-off-by: Gerd Hoffmann R

Re: [PATCH] vhost-user-gpu: reorder free calls.

2021-06-05 Thread Li Qiang
Gerd Hoffmann wrote on Fri, Jun 4, 2021 at 6:37 PM: > > Free in correct order to avoid use-after-free. > > Resolves: CID 1453812 > Signed-off-by: Gerd Hoffmann Sorry, my fault. Reviewed-by: Li Qiang > --- > contrib/vhost-user-gpu/vhost-user-gpu.c | 2 +- > 1 file changed, 1

[PATCH v2 7/8] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546)

2021-05-15 Thread Li Qiang
6 Reported-by: Li Qiang Reviewed-by: Prasad J Pandit Signed-off-by: Li Qiang --- contrib/vhost-user-gpu/virgl.c | 4 1 file changed, 4 insertions(+) diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index a16a311d80..7172104b19 100644 --- a/contrib/vhost-user-g

[PATCH v2 2/8] vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544)

2021-05-15 Thread Li Qiang
Call 'vugbm_buffer_destroy' in error path to avoid resource leak. Fixes: CVE-2021-3544 Reported-by: Li Qiang Reviewed-by: Prasad J Pandit Signed-off-by: Li Qiang --- contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/vhost-user-gpu/vhost-user

[PATCH v2 8/8] vhost-user-gpu: abstract vg_cleanup_mapping_iov

2021-05-15 Thread Li Qiang
. Signed-off-by: Li Qiang --- contrib/vhost-user-gpu/vhost-user-gpu.c | 24 contrib/vhost-user-gpu/virgl.c | 9 + contrib/vhost-user-gpu/vugpu.h | 2 +- 3 files changed, 26 insertions(+), 9 deletions(-) diff --git a/contrib/vhost-user-gpu/vhost

[PATCH v2 3/8] vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544)

2021-05-15 Thread Li Qiang
Check whether the 'res' has already been attach_backing to avoid memory leak. Fixes: CVE-2021-3544 Reported-by: Li Qiang virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak in resource attach backing") Signed-off-by: Li Qiang --- contrib/vhost-user-gpu/vhost-user-gpu.c | 5 +++

[PATCH v2 1/8] vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545)

2021-05-15 Thread Li Qiang
Otherwise some of the 'resp' will be leaked to guest. Fixes: CVE-2021-3545 Reported-by: Li Qiang virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak in getting capset info dispatch") Signed-off-by: Li Qiang --- contrib/vhost-user-gpu/virgl.c | 1 + 1 file changed, 1

[PATCH v2 6/8] vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544)

2021-05-15 Thread Li Qiang
If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will be leaked. Fixes: CVE-2021-3544 Reported-by: Li Qiang virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak in resource attach backing") Signed-off-by: Li Qiang --- contrib/vhost-user-gpu/virgl.c | 5 +++

[PATCH v2 5/8] vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544)

2021-05-15 Thread Li Qiang
The 'res->iov' will be leaked if the guest triggers the following sequence: virgl_cmd_create_resource_2d virgl_resource_attach_backing virgl_cmd_resource_unref This patch fixes this. Fixes: CVE-2021-3544 Reported-by: Li Qiang virtio-gpu fix: 5e8e3c4c75 ("virtio-

[PATCH v2 0/8] vhost-user-gpu: fix several security issues

2021-05-15 Thread Li Qiang
memory write access is assigned CVE-2021-3545. Abstract 'vg_cleanup_mapping_iov' to make the code clearer. Li Qiang (8): vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545) vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544

[PATCH v2 4/8] vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544)

2021-05-15 Thread Li Qiang
If the guest triggers the following sequence, the attach_backing will be leaked: vg_resource_create_2d vg_resource_attach_backing vg_resource_unref This patch fixes this by freeing 'res->iov' in vg_resource_destroy. Fixes: CVE-2021-3544 Reported-by: Li Qiang virtio-gpu

Re: [PATCH 0/7] vhost-user-gpu: fix several security issues

2021-05-10 Thread Li Qiang
Philippe Mathieu-Daudé wrote on Tue, May 11, 2021 at 3:25 AM: > > On 5/5/21 11:35 AM, Marc-André Lureau wrote: > > Hi > > > > On Wed, May 5, 2021 at 1:28 PM Li Qiang > <mailto:liq...@gmail.com>> wrote: > > > > Marc-André Lureau > <mai

Re: [PATCH 1/7] vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info

2021-05-06 Thread Li Qiang
P J P wrote on Thu, May 6, 2021 at 1:53 PM: > > +-- On Wed, 5 May 2021, Li Qiang wrote --+ > | P J P wrote on Wed, May 5, 2021 at 3:24 PM: > | > - vg_ctrl_response(g, cmd, , sizeof(resp)); > | > + vg_ctrl_response(g, cmd, , sizeof(resp.hdr)); > | > > | > * While memset(3) is okay, sho

Re: [PATCH 0/7] vhost-user-gpu: fix several security issues

2021-05-05 Thread Li Qiang
Marc-André Lureau wrote on Wed, May 5, 2021 at 5:10 PM: > > Hi > > On Wed, May 5, 2021 at 9:21 AM Li Qiang wrote: >> >> These security issue is low severity and is similar with the >> virtio-vga/virtio-gpu device. All of them can be triggered by >> the guest user. >>

Re: [PATCH 6/7] vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing'

2021-05-05 Thread Li Qiang
Marc-André Lureau wrote on Wed, May 5, 2021 at 5:08 PM: > > Hi > > On Wed, May 5, 2021 at 12:03 PM P J P wrote: >> >> +-- On Tue, 4 May 2021, Li Qiang wrote --+ >> | diff --git a/contrib/vhost-user-gpu/virgl.c >> b/contrib/vhost-user-gpu/virgl.c >> | index c669d7

Re: [PATCH 5/7] vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref'

2021-05-05 Thread Li Qiang
P J P wrote on Wed, May 5, 2021 at 3:48 PM: > > +-- On Tue, 4 May 2021, Li Qiang wrote --+ > | diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c > | index 6a332d601f..c669d73a1d 100644 > | --- a/contrib/vhost-user-gpu/virgl.c > | +++ b/contrib/vhost-user-gpu/vir

Re: [PATCH 3/7] vhost-user-gpu: fix memory leak in vg_resource_attach_backing

2021-05-05 Thread Li Qiang
P J P wrote on Wed, May 5, 2021 at 3:39 PM: > > +-- On Tue, 4 May 2021, Li Qiang wrote --+ > | Check whether the 'res' has already been attach_backing to avoid > | memory leak. > | > | Signed-off-by: Li Qiang > | --- > | contrib/vhost-user-gpu/vhost-user-gpu.c | 5 + > | 1

Re: [PATCH 1/7] vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info

2021-05-05 Thread Li Qiang
P J P wrote on Wed, May 5, 2021 at 3:24 PM: > > +-- On Tue, 4 May 2021, Li Qiang wrote --+ > | Otherwise some of the 'resp' will be leaked to guest. > | > | diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c > | index 9e6660c7ab..6a332d601f 100644 > | > | +

[PATCH 0/7] vhost-user-gpu: fix several security issues

2021-05-04 Thread Li Qiang
These security issues are low severity and are similar to those of the virtio-vga/virtio-gpu device. All of them can be triggered by the guest user. Li Qiang (7): vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' vhost-user

[PATCH 4/7] vhost-user-gpu: fix memory link while calling 'vg_resource_unref'

2021-05-04 Thread Li Qiang
If the guest triggers the following sequence, the attach_backing will be leaked: vg_resource_create_2d vg_resource_attach_backing vg_resource_unref This patch fixes this by freeing 'res->iov' in vg_resource_destroy. Signed-off-by: Li Qiang --- contrib/vhost-user-gpu/vh

[PATCH 6/7] vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing'

2021-05-04 Thread Li Qiang
If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will be leaked. Signed-off-by: Li Qiang --- contrib/vhost-user-gpu/virgl.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index c669d73a1d

[PATCH 7/7] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset'

2021-05-04 Thread Li Qiang
If 'virgl_cmd_get_capset' sets 'max_size' to 0, the 'virgl_renderer_fill_caps' will write the data after the 'resp'. This patch avoids this by checking the returned 'max_size'. Signed-off-by: Li Qiang --- contrib/vhost-user-gpu/virgl.c | 4 1 file changed, 4 insertions(+) diff --git

[PATCH 3/7] vhost-user-gpu: fix memory leak in vg_resource_attach_backing

2021-05-04 Thread Li Qiang
Check whether the 'res' has already been attach_backing to avoid memory leak. Signed-off-by: Li Qiang --- contrib/vhost-user-gpu/vhost-user-gpu.c | 5 + 1 file changed, 5 insertions(+) diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c index

[PATCH 5/7] vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref'

2021-05-04 Thread Li Qiang
The 'res->iov' will be leaked if the guest triggers the following sequence: virgl_cmd_create_resource_2d virgl_resource_attach_backing virgl_cmd_resource_unref This patch fixes this. Signed-off-by: Li Qiang --- contrib/vhost-user-gpu/virgl.c | 7 +++ 1 file changed

[PATCH 2/7] vhost-user-gpu: fix resource leak in 'vg_resource_create_2d'

2021-05-04 Thread Li Qiang
Call 'vugbm_buffer_destroy' in error path to avoid resource leak. Signed-off-by: Li Qiang --- contrib/vhost-user-gpu/vhost-user-gpu.c | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c index f73f292c9f

[PATCH 1/7] vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info

2021-05-04 Thread Li Qiang
Otherwise some of the 'resp' will be leaked to guest. Signed-off-by: Li Qiang --- contrib/vhost-user-gpu/virgl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index 9e6660c7ab..6a332d601f 100644 --- a/contrib/vhost-user-gpu

Re: [PATCH v2] configure: fix --enable-fuzzing linker failures

2021-02-22 Thread Li Qiang
o-link. We were not doing that. > > Reported-by: Li Qiang , > Signed-off-by: Alexander Bulekov Tested-by: Li Qiang Reviewed-by: Li Qiang > --- > v2: Fix a mistake in the added QEMU_LDFLAGS line > > configure | 10 ++ > 1 file changed, 10 insertions(+) > >

[PATCH] configure: force enable-sanitizers together with enable-fuzzing

2021-02-21 Thread Li Qiang
/qemu/build/../subprojects/libvhost-user/libvhost-user.c:191: undefined reference to `__sanitizer_cov_trace_cmp8' Let's avoid this error by enforcing fuzzing and sanitizers together. Signed-off-by: Li Qiang --- configure | 3 +++ 1 file changed, 3 insertions(+) diff --git a/configure b/configure

Re: [PATCH] net: eepro100: validate various address values

2021-02-18 Thread Li Qiang
Alexander Bulekov wrote on Fri, Feb 19, 2021 at 10:15 AM: > > On 210219 1006, Li Qiang wrote: > > Alexander Bulekov wrote on Fri, Feb 19, 2021 at 9:56 AM: > > > > > > On 210218 1441, Peter Maydell wrote: > > > > On Thu, 18 Feb 2021 at 14:13, P J P wrote: > > > > > >

Re: [PATCH] net: eepro100: validate various address values

2021-02-18 Thread Li Qiang
> > command unit(CU) base address OR receive unit (RU) base address > > > OR command block (CB) address from guest. If these values are not > > > checked, it may lead to an infinite loop kind of issues. Add checks > > > to avoid it. So could you please prov

Re: [PATCH] scsi: mptsas: dequeue request object in case of an error (CVE-2021-3392)

2021-02-07 Thread Li Qiang
6 > Reported-by: Cheolwoo Myung > Signed-off-by: Prasad J Pandit Reviewed-by: Li Qiang > --- > hw/scsi/mptsas.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c > index f86616544b..adff5b0bf2 100644 > ---

Re: [PATCH v2] hw/scsi/scsi-disk: Fix out of bounds access in mode_sense_page()

2021-02-04 Thread Li Qiang
ion_write_accessor > softmmu/memory.c:491:5 > > Cc: qemu-sta...@nongnu.org > Reported-by: OSS-Fuzz > Reported-by: Alexander Bulekov > Buglink: https://bugs.launchpad.net/qemu/+bug/1914638 > Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table") > Signed

Re: [PATCH v2 2/4] hw/scsi/megasas: Assert cdb_len is valid in megasas_handle_scsi()

2020-12-03 Thread Li Qiang
Philippe Mathieu-Daudé wrote on Thu, Dec 3, 2020 at 8:38 PM: > > On 12/3/20 1:02 PM, Li Qiang wrote: > > Philippe Mathieu-Daudé wrote on Thu, Dec 3, 2020 at 7:37 PM: > >> > >> Hi Li, > >> > >> On 12/3/20 12:21 PM, Li Qiang wrote: > >>> Philippe Mathieu-Daudé wrote on

Re: [PATCH v2 2/4] hw/scsi/megasas: Assert cdb_len is valid in megasas_handle_scsi()

2020-12-03 Thread Li Qiang
Philippe Mathieu-Daudé wrote on Thu, Dec 3, 2020 at 7:37 PM: > > Hi Li, > > On 12/3/20 12:21 PM, Li Qiang wrote: > > Philippe Mathieu-Daudé wrote on Wed, Dec 2, 2020 at 3:13 AM: > >> > >> cdb_len can not be zero... (or less than 6) here, else we have a > >> out-of-bound read

Re: [PATCH v2 2/4] hw/scsi/megasas: Assert cdb_len is valid in megasas_handle_scsi()

2020-12-03 Thread Li Qiang
ngth() is used. Where is this? So I think your intention is to ensure 'cdb_len' is consistent with 'cdb[0]>>5'. Please correct me if I'm wrong. Thanks, Li Qiang > > Figured out after reviewing: > https://www.mail-archive.com/qemu-devel@nongnu.org/msg757937.html > > And rep

Re: [PATCH v2 1/4] tests/qtest/fuzz-test: Quit test_lp1878642 once done

2020-12-03 Thread Li Qiang
Philippe Mathieu-Daudé wrote on Wed, Dec 2, 2020 at 3:11 AM: > > Missed in fd250172842 ("qtest: add a reproducer for LP#1878642"). > > Reviewed-by: Thomas Huth > Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Li Qiang > --- > tests/qtest/fuzz-test.c | 1 + > 1 fil

Re: [PATCH] virtfs-proxy-helper: Fix a resource leak in main()

2020-11-26 Thread Li Qiang
Alex Chen wrote on Thu, Nov 26, 2020 at 7:40 PM: > > On 2020/11/26 18:50, Li Qiang wrote: > > Alex Chen > >> > >> Only one of the options -s and -f can be used. When -f is used, > >> the fd is created externally and does not need to be closed. > >> When -s is u

Re: [PATCH] virtfs-proxy-helper: Fix a resource leak in main()

2020-11-26 Thread Li Qiang
-helper.c > +++ b/fsdev/virtfs-proxy-helper.c > @@ -1154,6 +1154,9 @@ int main(int argc, char **argv) > process_requests(sock); > error: > g_free(rpath); > +if (sock_name) { > +close(sock); > +} If 'proxy_socket' failed, you call close(-1). Maybe
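Review bot: The guard `if (sock_name)` added at the `error:` label tests which option was given, not whether `sock` holds an open descriptor, so any path that reaches `error:` before the socket was created successfully still calls close() on an invalid value. Test the descriptor itself (for example `sock >= 0`) in addition to `sock_name`, so that the externally supplied fd is still left alone.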

Re: [PATCH] test-qga: fix a resource leak in test_qga_guest_get_osinfo()

2020-11-26 Thread Li Qiang
Alex Chen wrote on Wed, Nov 25, 2020 at 6:37 PM: > > The fixture->fd is created in fixture_setup() and, likewise, needs to be > closed > in fixture_tear_down(). > > Reported-by: Euler Robot > Signed-off-by: Alex Chen Reviewed-by: Li Qiang > --- > tests/test-qga.c | 1 +

Re: [PATCH] vnc: Fix a memleak in vnc_display_connect()

2020-11-26 Thread Li Qiang
Alex Chen wrote on Thu, Nov 26, 2020 at 3:10 PM: > > Free the 'sioc' when the qio_channel_socket_connect_sync() fails. > > Reported-by: Euler Robot > Signed-off-by: Alex Chen Reviewed-by: Li Qiang > --- > ui/vnc.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git

Re: Ramping up Continuous Fuzzing of Virtual Devices in QEMU

2020-10-23 Thread Li Qiang
s://github.com/google/oss-fuzz > [2] https://lists.gnu.org/archive/html/qemu-devel/2020-10/msg06331.html > [3] https://lists.gnu.org/archive/html/qemu-devel/2020-10/msg06345.html > [4] > https://github.com/google/oss-fuzz/blob/fbf916ce14952ba192e58fe8550096b868fcf62d/projects/qemu/pr

Re: [PATCH] migration/block-dirty-bitmap: fix uninitialized variable warning

2020-10-12 Thread Li Qiang
} > > > > -if (!s->cancelled) { > > g_strlcpy(s->bitmap_name, bitmap_name, sizeof(s->bitmap_name)); > > s->bitmap = bdrv_find_dirty_bitmap(s->bs, s->bitmap_name); > > > > > > I don't think it's correct as "cancel_incoming_locked(s)" can change the > value of "s->cancelled". > Hi Laurent, You're right. So I think this can simply assign 'bitmap_name' to NULL to make compiler happy. Thanks, Li Qiang > Thanks, > Laurent >

Re: [PATCH] hw/net: move allocation to the heap due to very large stack frame

2020-10-10 Thread Li Qiang
standards. > It is also a best practice to avoid large stack allocation according. -->https://wiki.sei.cmu.edu/confluence/display/c/MEM05-C.+Avoid+large+stack+allocations Though I don't see any issue here. Thanks, Li Qiang > > Signed-off-by: Elena Afanasova > > --- >

Re: [PATCH] target/i386/cpu: add return value verification and ignore Error objects

2020-10-10 Thread Li Qiang
by: Markus Armbruster Reviewed-by: Li Qiang > --- > target/i386/cpu.c | 15 +++ > 1 file changed, 7 insertions(+), 8 deletions(-) > > diff --git a/target/i386/cpu.c b/target/i386/cpu.c > index 49d8958528..c3d3766133 100644 > --- a/target/i386/cpu.c > +++ b/tar

Re: [PATCH] migration/block-dirty-bitmap: fix uninitialized variable warning

2020-10-10 Thread Li Qiang
map_name, bitmap_name, sizeof(s->bitmap_name)); > ^~ > > Reported-by: Euler Robot > Signed-off-by: Chen Qun Reviewed-by: Li Qiang > --- > migration/block-dirty-bitmap.c | 2 -- > 1 file changed, 2

Re: [PATCH 2/3] can-host-socketcan: Fix crash when 'if' option is not set

2020-10-09 Thread Li Qiang
Eduardo Habkost wrote on Fri, Oct 9, 2020 at 4:31 AM: > > Fix the following crash: > > $ qemu-system-x86_64 -object can-host-socketcan,id=obj0 > Segmentation fault (core dumped) > > Signed-off-by: Eduardo Habkost Reviewed-by: Li Qiang > --- > Cc: Pavel Pisa > Cc: Vikram G

Re: [PATCH 1/3] authz-list-file: Fix crash when filename is not set

2020-10-09 Thread Li Qiang
on fault (core dumped) > > Signed-off-by: Eduardo Habkost Reviewed-by: Li Qiang > --- > Cc: "Daniel P. Berrangé" > Cc: qemu-devel@nongnu.org > --- > authz/listfile.c | 5 + > 1 file changed, 5 insertions(+) > > diff --git a/authz/listfile.c b/authz/listfile.c >

Re: [PATCH 1/2] hw/char/serial: remove duplicate .class_init in serial_mm_info

2020-10-09 Thread Li Qiang
Laurent Vivier wrote on Fri, Oct 9, 2020 at 7:40 PM: > > .class_init is already set to serial_mm_class_init. > > Remove the duplicate entry. > > Fixes: 17fd1a6490b1 ("serial-mm: add "regshift" property") > Cc: marcandre.lur...@redhat.com > Signed-off-by: Laurent

Re: [PATCH] hw/net: move allocation to the heap due to very large stack frame

2020-10-09 Thread Li Qiang
> Signed-off-by: Elena Afanasova Reviewed-by: Li Qiang > --- > hw/net/spapr_llan.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/hw/net/spapr_llan.c b/hw/net/spapr_llan.c > index 2093f1bad0..581320a0e7 100644 > --- a/hw/net/spapr_llan.c >

Re: [PATCH] hw/acpi/piix4: Rename piix4_pm_add_propeties() to piix4_pm_add_properties()

2020-10-02 Thread Li Qiang
Greg Kurz wrote on Sat, Oct 3, 2020 at 12:07 AM: > > Signed-off-by: Greg Kurz Reviewed-by: Li Qiang > --- > hw/acpi/piix4.c |4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c > index 894d357f8c35..67a1ea41914f 100644

Re: [PATCH v2] hw/ide: check null block before _cancel_dma_sync

2020-09-29 Thread Li Qiang
P J P wrote on Tue, Sep 29, 2020 at 2:22 PM: > > Hello Li, > > +-- On Fri, 18 Sep 2020, Li Qiang wrote --+ > | P J P wrote on Fri, Sep 18, 2020 at 6:26 PM: > | > +-- On Fri, 18 Sep 2020, Li Qiang wrote --+ > | > | Update v2: use an assert() call > | > | > ->https://lists.non

Re: [PATCH] input-linux: Reset il->fd handler before closing it

2020-09-24 Thread Li Qiang
> > Signed-off-by: Colin Xu Reviewed-by: Li Qiang > --- > ui/input-linux.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/ui/input-linux.c b/ui/input-linux.c > index ab351a418701..34cc531190f9 100644 > --- a/ui/input-linux.c > +++ b/ui/in

Re: [PATCH] hw: ide: check the pointer before do dma memory unmap

2020-09-22 Thread Li Qiang
Philippe Mathieu-Daudé wrote on Tue, Sep 22, 2020 at 6:46 PM: > > On 9/22/20 12:37 PM, Li Qiang wrote: > > Philippe Mathieu-Daudé wrote on Tue, Sep 22, 2020 at 4:19 PM: > >> > >> On 9/22/20 3:34 AM, Alexander Bulekov wrote: > >>> On 200815 0020, Li Qiang wrote: > >>

Re: [PATCH v2] fdc: check null block pointer before r/w data transfer

2020-09-22 Thread Li Qiang
8 > #4 fdctrl_write hw/block/fdc.c:962 > #5 portio_write ioport.c:205 > #6 memory_region_write_accessor memory.c:483 > #7 access_with_adjusted_size memory.c:544 > #8 memory_region_dispatch_write memory.c:1476 > > Reported-by: Ruhr-University > Signed-off-by: Pra

Re: [PATCH] hw: ide: check the pointer before do dma memory unmap

2020-09-22 Thread Li Qiang
Philippe Mathieu-Daudé wrote on Tue, Sep 22, 2020 at 4:19 PM: > > On 9/22/20 3:34 AM, Alexander Bulekov wrote: > > On 200815 0020, Li Qiang wrote: > >> In 'map_page' we need to check the return value of > >> 'dma_memory_map' to ensure that we actually mapped something. > >

Re: [PATCH 00/24] qom: Convert some properties to class properties

2020-09-21 Thread Li Qiang
uardo, IIUC, most of the properties can be dev-spec or class-spec. Do we have any principle or rule to specify the property to be dev or class? Maybe if the property which is always the same between instances can be a class-property? Thanks, Li Qiang > Eduardo Habkost (24): > crypto

Re: [PATCH] hw: ide: check the pointer before do dma memory unmap

2020-09-21 Thread Li Qiang
Ping!! Li Qiang wrote on Tue, Sep 15, 2020 at 9:38 PM: > > ping!! > > Li Qiang wrote on Mon, Sep 7, 2020 at 9:39 AM: > > > > Ping! > > > > Li Qiang wrote on Tue, Sep 1, 2020 at 6:34 PM: > > > > > > Ping. > > > > > > Li Qiang wrote on Sat, Aug 15, 2020

Re: [PULL v3 00/15] virtio,pc,acpi: fixes, tests

2020-09-21 Thread Li Qiang
Michael S. Tsirkin wrote on Mon, Sep 21, 2020 at 8:31 PM: > > On Mon, Sep 21, 2020 at 07:44:42PM +0800, Li Qiang wrote: > > Michael S. Tsirkin wrote on Mon, Sep 21, 2020 at 7:30 PM: > > > > > > The following changes since commit > > > 053a4177817db307ec854356e95b5b350800a216: >

[PATCH REPOST] hw: virtio-pmem: detach the element fromt the virtqueue when error occurs

2020-09-21 Thread Li Qiang
If an error occurs while processing the virtio request, we should call 'virtqueue_detach_element' to detach the element from the virtqueue before freeing the elem. Fixes: 5f503cd9f3 ("virtio-pmem: add virtio device") Reviewed-by: Pankaj Gupta Signed-off-by: Li Qiang --- hw/virtio/virtio-

Re: [PULL v3 00/15] virtio,pc,acpi: fixes, tests

2020-09-21 Thread Li Qiang
ecated cpu-add command(s) > > Jason Wang (3): > linux headers: sync to 5.9-rc4 > vhost: switch to use IOTLB v2 format > vhost-vdpa: batch updating IOTLB mappings > > Li Qiang (1): > virtio-mem: detach the element from the virtqueue when error occur

Re: [PATCH] migration/multifd: Remove superfluous semicolons

2020-09-20 Thread Li Qiang
gration/multifd.c:308: > +ram_counters.transferred += transferred;; > total: 1 errors, 1 warnings, 2073 lines checked > > Fixes: d32ca5ad798 ("multifd: Split multifd code into its own file") > Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Li Qiang > --- > migra

Re: [RFC 0/4] Add a 'in_mmio' device flag to avoid the DMA to MMIO

2020-09-20 Thread Li Qiang
Paolo Bonzini wrote on Sun, Sep 20, 2020 at 3:56 PM: > > On 08/09/20 18:41, Li Qiang wrote: > > Currently the qemu device fuzzer find some DMA to MMIO issue. If the > > device handling MMIO currently trigger a DMA which the address is MMIO, > > this will reenter the device MMIO handle

Re: [PATCH] qom: Improve error message displayed with missing object properties

2020-09-20 Thread Li Qiang
Philippe Mathieu-Daudé wrote on Sun, Sep 20, 2020 at 11:54 PM: > > Instead of only displaying the property missing, also display > the object name. This help developer to quickly figure out the > mistake without opening a debugger. > > Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Li Qi

Re: [PATCH] vhost-vdpa: remove useless variable

2020-09-20 Thread Li Qiang
Laurent Vivier wrote on Sun, Sep 20, 2020 at 11:21 PM: > > in vhost_vdpa_listener_region_del(), try_unmap is always true and so, > vhost_vdpa_dma_unmap() is always called. We can remove the variable > > Signed-off-by: Laurent Vivier Reviewed-by: Li Qiang > --- > hw/virtio/vhost-vdpa

[PATCH] virtio: update MemoryRegionCaches when guest set bad features

2020-09-19 Thread Li Qiang
in 'ADDRESS_SPACE_ST_CACHED'. Buglink: https://bugs.launchpad.net/qemu/+bug/1890333 Fixes: db812c4073c7 ("virtio: update MemoryRegionCaches when guest negotiates features") Reported-by: Alexander Bulekov Signed-off-by: Li Qiang --- hw/virtio/virtio.c | 17 - 1 file

Re: [PATCH v2] hw/ide: check null block before _cancel_dma_sync

2020-09-18 Thread Li Qiang
P J P wrote on Fri, Sep 18, 2020 at 6:26 PM: > > +-- On Fri, 18 Sep 2020, Li Qiang wrote --+ > | Update v2: use an assert() call > | ->https://lists.nongnu.org/archive/html/qemu-devel/2020-08/msg08336.html > ... > | I think it is better to defer this check to 'ide_cancel_dma_sync'. >

Re: [PATCH] vhost-vdpa: don't check g_malloc() return value

2020-09-18 Thread Li Qiang
tag: Reviewed-by: Li Qiang > Signed-off-by: Laurent Vivier > --- > hw/virtio/vhost-vdpa.c | 6 -- > 1 file changed, 6 deletions(-) > > diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c > index 4580f3efd8a2..23a4a957ef77 100644 > --- a/hw/virtio/vhos

Re: [PATCH] fdc: check null block pointer before blk_pwrite

2020-09-18 Thread Li Qiang
BDRV_SECTOR_SIZE, 0) < 0) { FLOPPY_DPRINTF("error formatting sector %d\n", fd_sector(cur_drv)); fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM | FD_SR0_SEEK, 0x00, 0x00); } else { Also, the same issue seems to exist in 'fdctrl_read_data'. Thanks, Li Qiang > 2.26.2 > >

Re: [PATCH v2] hw/ide: check null block before _cancel_dma_sync

2020-09-17 Thread Li Qiang
of the handlers of 'ide_cmd_table' will check whether the 's->blk' is NULL in the beginning of 'ide_exec_cmd'. So I think it is reasonable to check 's->blk' at the beginning of 'ide_cancel_dma_sync'. I'm not a blk expert, please correct me if I'm wrong. Thanks, Li Qiang > 2.26.2 > >

Re: [PATCH v2 2/3] virtio-blk: undo destructive iov_discard_*() operations

2020-09-17 Thread Li Qiang
e_push() is called. > > Reported-by: Alexander Bulekov > Buglink: https://bugs.launchpad.net/qemu/+bug/1890360 > Fixes: 827805a2492c1bbf1c0712ed18ee069b4ebf3dd6 ("virtio-blk: Convert > VirtIOBlockReq.out to structrue") > Signed-off-by: Stefan Hajnoczi Reviewed-b

Re: [PATCH] vhost-vdpa: fix indentation in vdpa_ops

2020-09-16 Thread Li Qiang
Stefano Garzarella wrote on Wed, Sep 16, 2020 at 11:27 PM: > > This patch fixes wrong indentation of some vdpa_ops fields introduced > with the initial commit 108a64818e ("vhost-vdpa: introduce vhost-vdpa > backend") > > Signed-off-by: Stefano Garzarella Reviewed-by: Li Qiang >

Re: [PATCH 2/3] virtio-blk: undo destructive iov_discard_*() operations

2020-09-16 Thread Li Qiang
fer *mrb) > req->in = (void *)in_iov[in_num - 1].iov_base >+ in_iov[in_num - 1].iov_len >- sizeof(struct virtio_blk_inhdr); > -iov_discard_back(in_iov, _num, sizeof(struct virtio_blk_inhdr)); > + iov_discard_back_undoable(in_iov, _num, sizeof(struct > virtio_blk_inhdr), > + >inhdr_undo); > > type = virtio_ldl_p(vdev, >out.type); > It seems there is another error path that needs to do the undo operations. case VIRTIO_BLK_T_WRITE_ZEROS & ~VIRTIO_BLK_T_OUT handler has an error path. Thanks, Li Qiang > -- > 2.26.2 >

Re: [PATCH 1/3] util/iov: add iov_discard_undo()

2020-09-16 Thread Li Qiang
Stefan Hajnoczi wrote on Wed, Sep 16, 2020 at 6:09 PM: > > On Sun, Aug 16, 2020 at 04:26:45PM +0800, Li Qiang wrote: > > Stefan Hajnoczi wrote on Wed, Aug 12, 2020 at 6:52 PM: > > Thanks for your review! > > > > +/* Discard more bytes than vector size */ > > > +iov_random(, _c

Re: [PATCH v2 2/2] hw: usb: hcd-ohci: check for processed TD before retire

2020-09-16 Thread Li Qiang
P J P wrote on Wed, Sep 16, 2020 at 2:25 AM: > > From: Prasad J Pandit Reviewed-by: Li Qiang > > While servicing OHCI transfer descriptors(TD), ohci_service_iso_td > retires a TD if it has passed its time frame. It does not check if > the TD was already processed once and holds an e

Re: [PATCH v10 07/12] migration/dirtyrate: Compare page hash results for recorded sampled page

2020-09-16 Thread Li Qiang
Chuan Zheng wrote on Wed, Sep 16, 2020 at 2:11 PM: > > Compare page hash results for recorded sampled page. > > Signed-off-by: Chuan Zheng > Signed-off-by: YanYing Zhuang > Reviewed-by: Dr. David Alan Gilbert Reviewed-by: Li Qiang > --- > mi

Re: [PATCH v9 10/12] migration/dirtyrate: Implement calculate_dirtyrate() function

2020-09-15 Thread Li Qiang
Chuan Zheng wrote on Tue, Sep 15, 2020 at 10:34 AM: > > Implement calculate_dirtyrate() function. > > Signed-off-by: Chuan Zheng > Signed-off-by: YanYing Zhuang > Reviewed-by: Dr. David Alan Gilbert Reviewed-by: Li Qiang > --- > mi

Re: [PATCH v9 09/12] migration/dirtyrate: Implement set_sample_page_period() and is_sample_period_valid()

2020-09-15 Thread Li Qiang
d-by: David Edmondson Reviewed-by: Li Qiang > --- > migration/dirtyrate.c | 24 > migration/dirtyrate.h | 6 ++ > 2 files changed, 30 insertions(+) > > diff --git a/migration/dirtyrate.c b/migration/dirtyrate.c > index 903f728..bcff10e 10

Re: [PATCH v9 07/12] migration/dirtyrate: Compare page hash results for recorded sampled page

2020-09-15 Thread Li Qiang
Chuan Zheng wrote on Tue, Sep 15, 2020 at 10:34 AM: > > Compare page hash results for recorded sampled page. > > Signed-off-by: Chuan Zheng > Signed-off-by: YanYing Zhuang > Reviewed-by: Dr. David Alan Gilbert > --- > migration/dirtyrate.c | 63 > +++ > 1

Re: [PATCH v9 08/12] migration/dirtyrate: skip sampling ramblock with size below MIN_RAMBLOCK_SIZE

2020-09-15 Thread Li Qiang
Chuan Zheng wrote on Tue, Sep 15, 2020 at 10:34 AM: > > In order to sample real RAM, skip ramblock with size below MIN_RAMBLOCK_SIZE > which is set as 128M. > > Signed-off-by: Chuan Zheng > Reviewed-by: David Edmondson > Reviewed-by: Dr. David Alan Gilbert Reviewed-by: Li Qian

Re: [PATCH v9 06/12] migration/dirtyrate: Record hash results for each sampled page

2020-09-15 Thread Li Qiang
Chuan Zheng wrote on Tue, Sep 15, 2020 at 10:34 AM: > > Record hash results for each sampled page, crc32 is taken to calculate > hash results for each sampled length in TARGET_PAGE_SIZE. > > Signed-off-by: Chuan Zheng > Signed-off-by: YanYing Zhuang > Reviewed-by: David Edmondson

Re: [PATCH v9 04/12] migration/dirtyrate: Add dirtyrate statistics series functions

2020-09-15 Thread Li Qiang
Chuan Zheng wrote on Tue, Sep 15, 2020 at 10:34 AM: > > Add dirtyrate statistics functions to record/update dirtyrate info. > > Signed-off-by: Chuan Zheng > Reviewed-by: Dr. David Alan Gilbert Reviewed-by: Li Qiang > --- > migration/dirtyrate.c | 32

Re: [PATCH v9 05/12] migration/dirtyrate: move RAMBLOCK_FOREACH_MIGRATABLE into ram.h

2020-09-15 Thread Li Qiang
Chuan Zheng wrote on Tue, Sep 15, 2020 at 10:34 AM: > > RAMBLOCK_FOREACH_MIGRATABLE is need in dirtyrate measure, > move the existing definition up into migration/ram.h > > Signed-off-by: Chuan Zheng > Reviewed-by: Dr. David Alan Gilbert > Reviewed-by: David Edmondson

Re: [PATCH v9 03/12] migration/dirtyrate: Add RamblockDirtyInfo to store sampled page info

2020-09-15 Thread Li Qiang
Chuan Zheng wrote on Tue, Sep 15, 2020 at 10:34 AM: > > Add RamblockDirtyInfo to store sampled page info of each ramblock. > > Signed-off-by: Chuan Zheng > Reviewed-by: Dr. David Alan Gilbert > Reviewed-by: David Edmondson Reviewed-by: Li Qiang > --- > migration/dirtyrate.h | 18

Re: [PATCH v9 02/12] migration/dirtyrate: add DirtyRateStatus to denote calculation status

2020-09-15 Thread Li Qiang
Chuan Zheng wrote on Tue, Sep 15, 2020 at 10:34 AM: > > add DirtyRateStatus to denote calculating status. > > Signed-off-by: Chuan Zheng > Reviewed-by: Dr. David Alan Gilbert Reviewed-by: Li Qiang > --- > migration/dirtyrate.c | 26 ++ > qa

Re: [PATCH v9 01/12] migration/dirtyrate: setup up query-dirtyrate framwork

2020-09-15 Thread Li Qiang
Chuan Zheng wrote on Tue, Sep 15, 2020 at 10:34 AM: > > Add get_dirtyrate_thread() functions to setup query-dirtyrate > framework. > > Signed-off-by: Chuan Zheng > Signed-off-by: YanYing Zhuang > Reviewed-by: Dr. David Alan Gilbert > Reviewed-by: David Edmondson Reviewed-by: Li Qi

Re: [PATCH] pci: check bus pointer before dereference

2020-09-15 Thread Li Qiang
he link in the commit msg. I find it is another DMA to MMIO issue which we have discussed a lot but didn't come up with a satisfying solution. Maybe we can try to the DMA to MMIO issue direction. CC: Peter, Jason and Alex Thanks, Li Qiang > +return; > +} > irq_num = bus->map_irq(pci_dev, irq_num); > if (bus->set_irq) > break; > -- > 2.26.2 > >

Re: [PATCH] hw: ide: check the pointer before do dma memory unmap

2020-09-15 Thread Li Qiang
ping!! Li Qiang wrote on Mon, Sep 7, 2020 at 9:39 AM: > > Ping! > > Li Qiang wrote on Tue, Sep 1, 2020 at 6:34 PM: > > > > Ping. > > > > Li Qiang wrote on Sat, Aug 15, 2020 at 3:21 PM: > > > > > > In 'map_page' we need to check the return value of > > > 'dma_memory_map

Re: [PATCH v8 10/12] migration/dirtyrate: Implement calculate_dirtyrate() function

2020-09-14 Thread Li Qiang
.dirty_rate' is 0 if this error occurs ? Maybe we should set the DirtyRateStat.dirty_rate to -1 in reset_dirtyrate_stat function. As you say: +# If this field return '-1', it means querying is not +# start or not complete. The '0' may confuse the people there is no dirty page. Than

Re: [PATCH v8 07/12] migration/dirtyrate: Compare page hash results for recorded sampled page

2020-09-14 Thread Li Qiang
Chuan Zheng wrote on Mon, Sep 14, 2020 at 4:52 PM: > > Compare page hash results for recorded sampled page. > > Signed-off-by: Chuan Zheng > Signed-off-by: YanYing Zhuang > Reviewed-by: Dr. David Alan Gilbert > --- > migration/dirtyrate.c | 63 > +++ > 1 file

Re: [PATCH v8 10/12] migration/dirtyrate: Implement calculate_dirtyrate() function

2020-09-14 Thread Li Qiang
Chuan Zheng wrote on Mon, Sep 14, 2020 at 4:52 PM: > > Implement calculate_dirtyrate() function. > > Signed-off-by: Chuan Zheng > Signed-off-by: YanYing Zhuang > Reviewed-by: Dr. David Alan Gilbert > --- > migration/dirtyrate.c | 45 +++-- > 1 file changed, 43

Re: [PATCH v8 06/12] migration/dirtyrate: Record hash results for each sampled page

2020-09-14 Thread Li Qiang
et 'total_index'. In the end use the 'index'. > +ret = false; > +goto out; > +} > + > +RAMBLOCK_FOREACH_MIGRATABLE(block) { > + if (index >= total_index) { > +break; > +} > +info = [index]; > +get_ram

Re: [PATCH v7 06/12] migration/dirtyrate: Record hash results for each sampled page

2020-09-14 Thread Li Qiang
Zheng Chuan wrote on Sun, Sep 13, 2020 at 10:59 AM: > > > > On 2020/9/10 21:51, Li Qiang wrote: > > Chuan Zheng wrote on Wed, Sep 9, 2020 at 10:14 PM: > >> > >> Record hash results for each sampled page, crc32 is taken to calculate > >> hash results for each sampled length in TAR

Re: About 'qemu-security' mailing list

2020-09-11 Thread Li Qiang
tain the currently individuals and the some qemu developer and also some organizations who uses qemu. Thanks, Li Qiang > > > Thank you. > -- > Prasad J Pandit / Red Hat Product Security Team > 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D > >

Re: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables

2020-09-11 Thread Li Qiang
; +if (td.cbp > td.be) { > +trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be); > +ohci_die(ohci); > +return 1; > +} > len = (td.be - td.cbp) + 1; > } > +if (len > sizeof(ohci->usb_buf)) { > +len = sizeof(ohci->usb_buf); > +} > 3. Then here is the heap overflow. So I think it can be easier to review to split this to 3 patches. Thanks, Li Qiang > pktlen = len; > if (len && dir != OHCI_TD_DIR_IN) { > -- > 2.26.2 > >
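Review bot: the added `if (len > sizeof(ohci->usb_buf))` clamp silently shortens an oversized transfer, while the `td.cbp > td.be` case just above it emits a trace event and calls `ohci_die(ohci)`. A trace event on the clamp path, or a short comment saying why truncation rather than failing the TD is the intended handling, would make the difference between the two malformed-descriptor cases deliberate and visible when debugging a guest that triggers it.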

Re: [PATCH v2 1/2] hw/timer/hpet: Remove dead code

2020-09-10 Thread Li Qiang
ions(-) > > diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c > index 380acfa7c8a..b683f64f1d3 100644 > --- a/hw/timer/hpet.c > +++ b/hw/timer/hpet.c Maybe we also remove the "//#define HPET_DEBUG" in the head of this file? Thanks, Li Qiang > @@ -416,20 +416,6 @@ static v

Re: [RFC 1/4] memory: add memory_region_init_io_with_dev interface

2020-09-10 Thread Li Qiang
Alexander Bulekov wrote on Wed, Sep 9, 2020 at 10:28 PM: > > On 200909 1258, Li Qiang wrote: > > Gerd Hoffmann wrote on Wed, Sep 9, 2020 at 12:49 PM: > > > > > > On Wed, Sep 09, 2020 at 10:15:47AM +0800, Jason Wang wrote: > > > > > > > > On 2020/9/9 12:41 AM, Li Qia

Re: [PATCH v7 02/12] migration/dirtyrate: add DirtyRateStatus to denote calculation status

2020-09-10 Thread Li Qiang
if (ret == -1) { > +return NULL; > +} > > calculate_dirtyrate(config); > > +ret = dirtyrate_set_state(, DIRTY_RATE_STATUS_MEASURING, > + DIRTY_RATE_STATUS_MEASURED); Doesn't need to check the 'ret'? Just curious you checked other place

Re: [PATCH v7 11/12] migration/dirtyrate: Implement qmp_cal_dirty_rate()/qmp_get_dirty_rate() function

2020-09-10 Thread Li Qiang
Chuan Zheng wrote on Wed, Sep 9, 2020 at 10:14 PM: > > Implement qmp_cal_dirty_rate()/qmp_get_dirty_rate() function which could be > called > > Signed-off-by: Chuan Zheng > --- > migration/dirtyrate.c | 62 > +++ > qapi/migration.json | 50
