[Qemu-devel] [PULL 0/3] QMP queue

[Qemu-devel] [PULL 0/3] QMP queue

[Luiz Capitulino]

One qapi fix and two fixes that affect the dump-guest-memory QMP command.

The changes (since 87d23f78aa79b72da022afda358bbc8a8509ca70) are available
in the following repository:

    git://repo.or.cz/qemu/qmp-unstable.git queue/qmp

Luiz Capitulino (1):
  target-i386: fix abort on bad PML4E/PDPTE/PDE/PTE addresses

Michael Roth (1):
  qapi: pad GenericList value fields to 64 bits

Qiao Nuohan (1):
  target-i386: Fix mask of pte index in memory mapping

 include/qapi/visitor.h            |  5 ++++-
 scripts/qapi-types.py             | 10 ++++++++--
 target-i386/arch_memory_mapping.c | 12 +++++++-----
 tests/test-qmp-output-visitor.c   |  5 ++++-
 4 files changed, 23 insertions(+), 9 deletions(-)

-- 
1.8.1.4

[Qemu-devel] [PULL 1/3] qapi: pad GenericList value fields to 64 bits

[Luiz Capitulino]

From: Michael Roth <mdroth@linux.vnet.ibm.com>

With the introduction of native list types, we now have types such as
int64List where the 'value' field is not a pointer, but the actual
64-bit value.

On 32-bit architectures, this can lead to situations where 'next' field
offset in GenericList does not correspond to the 'next' field in the
types that we cast to GenericList when using the visit_next_list()
interface, causing issues when we attempt to traverse linked list
structures of these types.

To fix this, pad the 'value' field of GenericList and other
schema-defined/native *List types out to 64-bits.

This is less memory-efficient for 32-bit architectures, but allows us to
continue to rely on list-handling interfaces that target GenericList to
simply visitor implementations.

In the future we can improve efficiency by defaulting to using native C
array backends to handle list of non-pointer types, which would be more
memory efficient in itself and allow us to roll back this change.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
---
 include/qapi/visitor.h          |  5 ++++-
 scripts/qapi-types.py           | 10 ++++++++--
 tests/test-qmp-output-visitor.c |  5 ++++-
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/include/qapi/visitor.h b/include/qapi/visitor.h
index 1fef18c..28c21d8 100644
--- a/include/qapi/visitor.h
+++ b/include/qapi/visitor.h
@@ -18,7 +18,10 @@
 
 typedef struct GenericList
 {
-    void *value;
+    union {
+        void *value;
+        uint64_t padding;
+    };
     struct GenericList *next;
 } GenericList;
 
diff --git a/scripts/qapi-types.py b/scripts/qapi-types.py
index fd42d71..ddcfed9 100644
--- a/scripts/qapi-types.py
+++ b/scripts/qapi-types.py
@@ -22,7 +22,10 @@ def generate_fwd_struct(name, members, builtin_type=False):
 
 typedef struct %(name)sList
 {
-    %(type)s value;
+    union {
+        %(type)s value;
+        uint64_t padding;
+    };
     struct %(name)sList *next;
 } %(name)sList;
 ''',
@@ -35,7 +38,10 @@ typedef struct %(name)s %(name)s;
 
 typedef struct %(name)sList
 {
-    %(name)s *value;
+    union {
+        %(name)s *value;
+        uint64_t padding;
+    };
     struct %(name)sList *next;
 } %(name)sList;
 ''',
diff --git a/tests/test-qmp-output-visitor.c b/tests/test-qmp-output-visitor.c
index 0942a41..b2fa9a7 100644
--- a/tests/test-qmp-output-visitor.c
+++ b/tests/test-qmp-output-visitor.c
@@ -295,7 +295,10 @@ static void test_visitor_out_struct_errors(TestOutputVisitorData *data,
 
 typedef struct TestStructList
 {
-    TestStruct *value;
+    union {
+        TestStruct *value;
+        uint64_t padding;
+    };
     struct TestStructList *next;
 } TestStructList;
 
-- 
1.8.1.4

[Qemu-devel] [PULL 2/3] target-i386: fix abort on bad PML4E/PDPTE/PDE/PTE addresses

[Luiz Capitulino]

The code used to walk IA-32e page-tables, and possibly PAE page-tables,
uses the bit mask ~0xfff to get the next PML4E/PDPTE/PDE/PTE address.

However, as we use a uint64_t to store the resulting address, that mask
gets expanded to 0xfffffffffffff000 which not only ends up selecting
reserved bits but also selects the XD bit (execute-disable) which
happens to be enabled by Windows 8, causing qemu_get_ram_ptr() to abort.

This commit fixes that problem by replacing ~0xfff by a correct mask
that only selects the address bit range (ie. bits 51:12).

Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
---
 target-i386/arch_memory_mapping.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/target-i386/arch_memory_mapping.c b/target-i386/arch_memory_mapping.c
index 844893f..24884bd 100644
--- a/target-i386/arch_memory_mapping.c
+++ b/target-i386/arch_memory_mapping.c
@@ -75,6 +75,8 @@ static void walk_pte2(MemoryMappingList *list,
 }
 
 /* PAE Paging or IA-32e Paging */
+#define PLM4_ADDR_MASK 0xffffffffff000 /* selects bits 51:12 */
+
 static void walk_pde(MemoryMappingList *list, hwaddr pde_start_addr,
                      int32_t a20_mask, target_ulong start_line_addr)
 {
@@ -105,7 +107,7 @@ static void walk_pde(MemoryMappingList *list, hwaddr pde_start_addr,
             continue;
         }
 
-        pte_start_addr = (pde & ~0xfff) & a20_mask;
+        pte_start_addr = (pde & PLM4_ADDR_MASK) & a20_mask;
         walk_pte(list, pte_start_addr, a20_mask, line_addr);
     }
 }
@@ -208,7 +210,7 @@ static void walk_pdpe(MemoryMappingList *list,
             continue;
         }
 
-        pde_start_addr = (pdpe & ~0xfff) & a20_mask;
+        pde_start_addr = (pdpe & PLM4_ADDR_MASK) & a20_mask;
         walk_pde(list, pde_start_addr, a20_mask, line_addr);
     }
 }
@@ -231,7 +233,7 @@ static void walk_pml4e(MemoryMappingList *list,
         }
 
         line_addr = ((i & 0x1ffULL) << 39) | (0xffffULL << 48);
-        pdpe_start_addr = (pml4e & ~0xfff) & a20_mask;
+        pdpe_start_addr = (pml4e & PLM4_ADDR_MASK) & a20_mask;
         walk_pdpe(list, pdpe_start_addr, a20_mask, line_addr);
     }
 }
@@ -249,7 +251,7 @@ int cpu_get_memory_mapping(MemoryMappingList *list, CPUArchState *env)
         if (env->hflags & HF_LMA_MASK) {
             hwaddr pml4e_addr;
 
-            pml4e_addr = (env->cr[3] & ~0xfff) & env->a20_mask;
+            pml4e_addr = (env->cr[3] & PLM4_ADDR_MASK) & env->a20_mask;
             walk_pml4e(list, pml4e_addr, env->a20_mask);
         } else
 #endif
-- 
1.8.1.4

[Qemu-devel] [PULL 3/3] target-i386: Fix mask of pte index in memory mapping

[Luiz Capitulino]

From: Qiao Nuohan <qiaonuohan@cn.fujitsu.com>

Function walk_pte() needs pte index to calculate virtual address.
However, pte index of PAE paging or IA-32e paging is 9 bit, so the mask
should be 0x1ff.

Signed-off-by: Qiao Nuohan <qiaonuohan@cn.fujitsu.com>
Reviewed-by: Jesse Larrew <jlarrew@linux.vnet.ibm.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
---
 target-i386/arch_memory_mapping.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-i386/arch_memory_mapping.c b/target-i386/arch_memory_mapping.c
index 24884bd..5096fbd 100644
--- a/target-i386/arch_memory_mapping.c
+++ b/target-i386/arch_memory_mapping.c
@@ -38,7 +38,7 @@ static void walk_pte(MemoryMappingList *list, hwaddr pte_start_addr,
             continue;
         }
 
-        start_vaddr = start_line_addr | ((i & 0x1fff) << 12);
+        start_vaddr = start_line_addr | ((i & 0x1ff) << 12);
         memory_mapping_list_add_merge_sorted(list, start_paddr,
                                              start_vaddr, 1 << 12);
     }
-- 
1.8.1.4

Re: [Qemu-devel] [PULL 0/3] QMP queue

[Anthony Liguori]

Pulled.  Thanks.

Regards,

Anthony Liguori