[qemu/f19] Fix rtl8139 + windows 7 + large transfers (bz #970240) Fix crash on large drag and drop file transfe

Cole Robinson crobinso at fedoraproject.org
Tue Jun 11 20:54:12 UTC 2013


commit 0067bd1e40d90c88b388864d1e6d339656b1b3ca
Author: Cole Robinson <crobinso at redhat.com>
Date:   Tue Jun 11 16:54:00 2013 -0400

    Fix rtl8139 + windows 7 + large transfers (bz #970240)
    Fix crash on large drag and drop file transfer w/ spice (bz #969109)

 ...sh-queued-packets-when-RxBufPtr-is-writte.patch |   47 ++++++++++++++++++++
 ...char-vmc_write-Don-t-write-more-bytes-the.patch |   44 ++++++++++++++++++
 qemu.spec                                          |   14 +++++-
 3 files changed, 104 insertions(+), 1 deletions(-)
---
diff --git a/0206-rtl8139-flush-queued-packets-when-RxBufPtr-is-writte.patch b/0206-rtl8139-flush-queued-packets-when-RxBufPtr-is-writte.patch
new file mode 100644
index 0000000..feb4f26
--- /dev/null
+++ b/0206-rtl8139-flush-queued-packets-when-RxBufPtr-is-writte.patch
@@ -0,0 +1,47 @@
+From e5cdc492ec39f777b0bd877ca794f3b2ccdcffec Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha at redhat.com>
+Date: Wed, 22 May 2013 14:50:18 +0200
+Subject: [PATCH] rtl8139: flush queued packets when RxBufPtr is written
+
+Net queues support efficient "receive disable".  For example, tap's file
+descriptor will not be polled while its peer has receive disabled.  This
+saves CPU cycles for needlessly copying and then dropping packets which
+the peer cannot receive.
+
+rtl8139 is missing the qemu_flush_queued_packets() call that wakes the
+queue up when receive becomes possible again.
+
+As a result, the Windows 7 guest driver reaches a state where the
+rtl8139 cannot receive packets.  The driver has actually refilled the
+receive buffer but we never resume reception.
+
+The bug can be reproduced by running a large FTP 'get' inside a Windows
+7 guest:
+
+  $ qemu -netdev tap,id=tap0,...
+         -device rtl8139,netdev=tap0
+
+The Linux guest driver does not trigger the bug, probably due to a
+different buffer management strategy.
+
+Reported-by: Oliver Francke <oliver.francke at filoo.de>
+Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
+(cherry picked from commit 00b7ade807b5ce6779ddd86ce29c5521ec5c529a)
+---
+ hw/rtl8139.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/rtl8139.c b/hw/rtl8139.c
+index d7716be..2c4d9bd 100644
+--- a/hw/rtl8139.c
++++ b/hw/rtl8139.c
+@@ -2575,6 +2575,9 @@ static void rtl8139_RxBufPtr_write(RTL8139State *s, uint32_t val)
+     /* this value is off by 16 */
+     s->RxBufPtr = MOD2(val + 0x10, s->RxBufferSize);
+ 
++    /* more buffer space may be available so try to receive */
++    qemu_flush_queued_packets(qemu_get_queue(s->nic));
++
+     DPRINTF(" CAPR write: rx buffer length %d head 0x%04x read 0x%04x\n",
+         s->RxBufferSize, s->RxBufAddr, s->RxBufPtr);
+ }
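Review bot: the new `qemu_flush_queued_packets(qemu_get_queue(s->nic));` call sits before the DPRINTF that logs `head 0x%04x` from s->RxBufAddr, so whenever the flush actually delivers packets the trace line describes post-delivery state rather than the CAPR write it is meant to record; moving the flush after the DPRINTF (or logging before it) keeps the trace useful for exactly the stall this patch is fixing. Separately, the commit message says the missing wake-up is for "when receive becomes possible again", but this hunk only covers writes to RxBufPtr; it is worth confirming whether other transitions that re-enable reception need the same flush, or documenting in the comment why the CAPR write is the only one that matters.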
diff --git a/0207-spice-qemu-char-vmc_write-Don-t-write-more-bytes-the.patch b/0207-spice-qemu-char-vmc_write-Don-t-write-more-bytes-the.patch
new file mode 100644
index 0000000..c77113d
--- /dev/null
+++ b/0207-spice-qemu-char-vmc_write-Don-t-write-more-bytes-the.patch
@@ -0,0 +1,44 @@
+From ad0343a9c903b79c6dd3ecdafb05a704c14514b9 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede at redhat.com>
+Date: Fri, 5 Apr 2013 11:30:24 +0200
+Subject: [PATCH] spice-qemu-char: vmc_write: Don't write more bytes then we're
+ asked too
+
+This one took me eons to debug, but I've finally found it now, oh well.
+
+The usage of the MIN macro in this line:
+    last_out = MIN(len, qemu_chr_be_can_write(scd->chr));
+
+Causes qemu_chr_be_can_write to be called *twice*, since the MIN macro
+evaluates its arguments twice (bad MIN macro, bad!). And the result of
+the call can change between the 2 calls since the guest may have consumed
+some data from the virtio ringbuffer between the calls!
+
+When this happens it is possible for qemu_chr_be_can_write to return less
+then len in the call made for the comparision, and then to return more then
+len in the actual call for the return-value of MIN, after which we will end
+up writing len data + some extra garbage, not good.
+
+This patch fixes this by only calling qemu_chr_be_can_write once.
+
+Signed-off-by: Hans de Goede <hdegoede at redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
+(cherry picked from commit 75c439bc65c07d76f5e74c734ed5432bc6114a3b)
+---
+ spice-qemu-char.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/spice-qemu-char.c b/spice-qemu-char.c
+index 5065240..82f3f77 100644
+--- a/spice-qemu-char.c
++++ b/spice-qemu-char.c
+@@ -41,7 +41,8 @@ static int vmc_write(SpiceCharDeviceInstance *sin, const uint8_t *buf, int len)
+     uint8_t* p = (uint8_t*)buf;
+ 
+     while (len > 0) {
+-        last_out = MIN(len, qemu_chr_be_can_write(scd->chr));
++        int can_write = qemu_chr_be_can_write(scd->chr);
++        last_out = MIN(len, can_write);
+         if (last_out <= 0) {
+             break;
+         }
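Review bot: hoisting qemu_chr_be_can_write() into `int can_write` removes the double evaluation, but nothing in the code says why the call was split out, so a later cleanup could fold it straight back into MIN(); add a one-line comment above `int can_write = qemu_chr_be_can_write(scd->chr);` stating that MIN() evaluates its arguments twice and the backend's free space can change between the calls. Since the commit message describes the failure as writing `len` plus extra garbage, a defensive `assert(last_out <= len)` right after `last_out = MIN(len, can_write);` would also make any regression of this bug fail loudly instead of silently overrunning the caller's buffer.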
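The double-evaluation hazard that the commit message above describes is easy to reproduce outside of QEMU. The following is an added example, not code from QEMU or from the spice-qemu-char patch: `sim_can_write()` stands in for qemu_chr_be_can_write() and is constructed to report more free space the second time it is asked, the way a guest draining its ring between two calls would, and `NAIVE_MIN` is the classic textbook MIN macro. `chunk_len_buggy()` mirrors the removed line, `chunk_len_fixed()` the replacement, and `chunk_len_safe()` shows a single-evaluation MIN built on the GNU statement-expression extension (gcc/clang only).

```c
#include <stdio.h>

/* Added example (not QEMU code): reproduces the double-evaluation hazard
 * of a naive MIN macro when one argument is a call whose result can change
 * between evaluations, as described in the spice-qemu-char commit message. */

/* The textbook MIN: both (a) and (b) appear twice in the expansion. */
#define NAIVE_MIN(a, b) ((a) < (b) ? (a) : (b))

/* Single-evaluation MIN using the GNU statement-expression extension
 * (gcc/clang); each argument is evaluated exactly once. */
#define SAFE_MIN(a, b) ({ __typeof__(a) _a = (a); \
                          __typeof__(b) _b = (b); \
                          _a < _b ? _a : _b; })

/* Constructed stand-in for qemu_chr_be_can_write(): the first query sees
 * 2 bytes of free space, every later query sees 8, modelling a guest that
 * consumed data from the ring between the two calls. */
static int sim_calls;
static const int sim_space[] = { 2, 8 };

static int sim_can_write(void)
{
    int idx = sim_calls < 2 ? sim_calls : 1;
    sim_calls++;
    return sim_space[idx];
}

/* Number of backend queries made by the last chunk_len_* call. */
int sim_calls_made(void)
{
    return sim_calls;
}

/* Buggy form, equivalent to the removed line:
 *   last_out = MIN(len, qemu_chr_be_can_write(scd->chr));
 * The comparison sees 2 (so len=4 is "too big"), and the result branch
 * calls the backend again and gets 8: the chunk is larger than len. */
int chunk_len_buggy(int len)
{
    sim_calls = 0;
    return NAIVE_MIN(len, sim_can_write());
}

/* Fixed form, equivalent to the patched lines: query once, then compare. */
int chunk_len_fixed(int len)
{
    int can_write;

    sim_calls = 0;
    can_write = sim_can_write();
    return NAIVE_MIN(len, can_write);
}

/* Same fix expressed through a MIN macro that cannot double-evaluate. */
int chunk_len_safe(int len)
{
    sim_calls = 0;
    return SAFE_MIN(len, sim_can_write());
}

/* Bytes a write of chunk_len bytes from a len-byte buffer would read past
 * its end; anything non-zero is the "extra garbage" in the commit message. */
int overrun_bytes(int len, int chunk_len)
{
    return chunk_len > len ? chunk_len - len : 0;
}

int main(void)
{
    int len = 4;
    int buggy = chunk_len_buggy(len);
    int fixed = chunk_len_fixed(len);

    printf("len=%d buggy=%d (overrun %d bytes) fixed=%d safe=%d\n",
           len, buggy, overrun_bytes(len, buggy), fixed, chunk_len_safe(len));
    return 0;
}
```

With a 4-byte request the buggy form asks the backend twice and returns 8, i.e. it would write 4 bytes of the caller's data followed by 4 bytes of whatever lies beyond the buffer; both fixed forms ask once and return 2.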
diff --git a/qemu.spec b/qemu.spec
index 580f540..e8cb640 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -131,7 +131,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 1.4.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
@@ -243,6 +243,10 @@ Patch0202: 0202-acpi_piix4-Drop-minimum_version_id-to-handle-qemu-kv.patch
 Patch0203: 0203-i8254-Fix-migration-from-qemu-kvm-1.1.patch
 Patch0204: 0204-pc_piix-Add-compat-handling-for-qemu-kvm-VGA-mem-siz.patch
 Patch0205: 0205-qxl-Add-rom_size-compat-property-fix-migration-from-.patch
+# Fix rtl8139 + windows 7 + large transfers (bz #970240)
+Patch0206: 0206-rtl8139-flush-queued-packets-when-RxBufPtr-is-writte.patch
+# Fix crash on large drag and drop file transfer w/ spice (bz #969109)
+Patch0207: 0207-spice-qemu-char-vmc_write-Don-t-write-more-bytes-the.patch
 
 BuildRequires: SDL-devel
 BuildRequires: zlib-devel
@@ -775,6 +779,10 @@ CAC emulation development files.
 %patch0203 -p1
 %patch0204 -p1
 %patch0205 -p1
+# Fix rtl8139 + windows 7 + large transfers (bz #970240)
+%patch0206 -p1
+# Fix crash on large drag and drop file transfer w/ spice (bz #969109)
+%patch0207 -p1
 
 %build
 %if %{with kvmonly}
@@ -1421,6 +1429,10 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Tue Jun 11 2013 Cole Robinson <crobinso at redhat.com> - 2:1.4.2-3
+- Fix rtl8139 + windows 7 + large transfers (bz #970240)
+- Fix crash on large drag and drop file transfer w/ spice (bz #969109)
+
 * Mon May 27 2013 Dan HorĂ¡k <dan[at]danny.cz> - 2:1.4.2-2
 - Install the qemu-kvm.1 man page only on arches with kvm
 