From 58164eaff530a1e804f5710936dd37518ab5a90e Mon Sep 17 00:00:00 2001
From: Igor Mammedov
Date: Mon, 10 Jun 2019 15:50:35 +0200
Subject: [PATCH 01/12] pc: fix possible NULL pointer dereference in pc_machine_get_device_memory_region_size() QEMU will crash when device-memory-region-size property is read if ms->device_memory wasn't initialized yet. Crash can be reproduced with: $QEMU -preconfig -qmp unix:qmp_socket,server,nowait & ./scripts/qmp/qom-get -s qmp_socket /machine.device-memory-region-size Instead of crashing return 0 if ms->device_memory hasn't been initialized. Signed-off-by: Igor Mammedov Message-Id: <1560174635-22602-1-git-send-email-imammedo@redhat.com> Signed-off-by: Paolo Bonzini
---
 hw/i386/pc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index e96360b47a..552f3401e2 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -2458,7 +2458,11 @@ pc_machine_get_device_memory_region_size(Object *obj, Visitor *v,
 Error **errp)
 {
 MachineState *ms = MACHINE(obj);
- int64_t value = memory_region_size(&ms->device_memory->mr);
+ int64_t value = 0;
+
+ if (ms->device_memory) {
+ value = memory_region_size(&ms->device_memory->mr);
+ }
 visit_type_int(v, name, &value, errp);
 }
From c20b139620498b2f158b52e0c4ad7f6de35a520e Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Fri, 21 Jun 2019 13:28:54 +0200
Subject: [PATCH 02/12] checkpatch: do not warn for multiline parenthesized returned value While indeed we do not want to have return (a); it is less clear that this applies to return (a && b); Some editors indent more nicely if you have parentheses, and some people's eyes may appreciate that as well. Signed-off-by: Paolo Bonzini Reviewed-by: Eric Blake Reviewed-by: Richard Henderson Message-Id: <1561116534-21814-1-git-send-email-pbonzini@redhat.com> Signed-off-by: Paolo Bonzini
---
 scripts/checkpatch.pl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
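Review bot: The new `if (ms->device_memory)` guard reports 0 for a region that has not been set up yet, which a QMP client cannot distinguish from a genuinely empty device-memory region. If that distinction matters to callers, the getter could signal the state through `errp` instead of visiting a synthetic value; if 0 is the intended contract, say so above the check, e.g. `/* device_memory is created during machine init; report 0 until then */`. Whether any reader of the property relies on the value during -preconfig is not visible here.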
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index c2aaf421da..2f81371ffb 100755
--- a/scripts/checkpatch.pl
+++ b/scripts/checkpatch.pl
@@ -2296,7 +2296,8 @@ sub process {
 $value =~ s/\([^\(\)]*\)/1/) {
 }
 #print "value<$value>\n";
- if ($value =~ /^\s*(?:$Ident|-?$Constant)\s*$/) {
+ if ($value =~ /^\s*(?:$Ident|-?$Constant)\s*$/ &&
+ $line =~ /;$/) {
 ERROR("return is not a function, parentheses are not required\n" . $herecurr);
 } elsif ($spacing !~ /\s+/) {
From 9dc83cd9c3cd766263a7180bccaf67afe970d816 Mon Sep 17 00:00:00 2001
From: Max Reitz
Date: Mon, 24 Jun 2019 21:39:13 +0200
Subject: [PATCH 03/12] i386/kvm: Fix build with -m32 find_next_bit() takes a pointer of type "const unsigned long *", but the first argument passed here is a "uint64_t *". These types are incompatible when compiling qemu with -m32. Just use ctz64() instead. Fixes: c686193072a47032d83cb4e131dc49ae30f9e5d Signed-off-by: Max Reitz Reviewed-by: Eduardo Habkost Message-Id: <20190624193913.28343-1-mreitz@redhat.com> Signed-off-by: Paolo Bonzini
---
 target/i386/kvm.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/target/i386/kvm.c b/target/i386/kvm.c
index e4b4f5756a..31490bf8b5 100644
--- a/target/i386/kvm.c
+++ b/target/i386/kvm.c
@@ -1043,14 +1043,15 @@ static int hv_cpuid_check_and_set(CPUState *cs, struct kvm_cpuid2 *cpuid,
 CPUX86State *env = &cpu->env;
 uint32_t r, fw, bits;
 uint64_t deps;
- int i, dep_feat = 0;
+ int i, dep_feat;
 if (!hyperv_feat_enabled(cpu, feature) && !cpu->hyperv_passthrough) {
 return 0;
 }
 deps = kvm_hyperv_properties[feature].dependencies;
- while ((dep_feat = find_next_bit(&deps, 64, dep_feat)) < 64) {
+ while (deps) {
+ dep_feat = ctz64(deps);
 if (!(hyperv_feat_enabled(cpu, dep_feat))) {
 fprintf(stderr, "Hyper-V %s requires Hyper-V %s\n",
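Review bot: The added `$line =~ /;$/` condition only tests the physical end of the line, so a single-identifier return followed by a trailing comment or trailing whitespace (`return (a); /* why */`) now escapes the `return is not a function` error as well as the multi-line case the commit is after. Matching the statement's own terminator anywhere on the line, roughly `$line =~ /\)\s*;/`, would keep the error for those while still skipping a `return (a &&` continuation. Whether `$line` here carries the diff marker prefix or the bare source text is not visible in the hunk, so the exact pattern needs checking against the surrounding code.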
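Review bot: The rewritten loop is sound (`deps != 0` guarantees `ctz64(deps) < 64`, so the shift in the second hunk at `@@ -1058` is defined), but the clear step `deps &= ~(1ull << dep_feat);` can be written as the lowest-set-bit idiom `deps &= deps - 1;`, which cannot get out of sync with `dep_feat`. Either way a one-line comment above `while (deps) {` would help: `/* walk the dependency mask lowest bit first; each bit is a HYPERV_FEAT_* index */`. `dep_feat` is now only assigned inside the loop and, in the visible lines, only read there, so dropping its initialiser is fine; the `dependencies` field is assumed to be a 64-bit unsigned value from the `ctz64` call, its declaration being outside the hunk.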
@@ -1058,7 +1059,7 @@ static int hv_cpuid_check_and_set(CPUState *cs, struct kvm_cpuid2 *cpuid,
 kvm_hyperv_properties[dep_feat].desc);
 return 1;
 }
- dep_feat++;
+ deps &= ~(1ull << dep_feat);
 }
 for (i = 0; i < ARRAY_SIZE(kvm_hyperv_properties[feature].flags); i++) {
From 9a4bb8391fda2312803d44664575a662b9be7189 Mon Sep 17 00:00:00 2001
From: Yan Zhao
Date: Mon, 24 Jun 2019 17:18:10 +0800
Subject: [PATCH 04/12] intel_iommu: Fix incorrect "end" for vtd_address_space_unmap IOMMUNotifier is with inclusive ranges, so we should check against (VTD_ADDRESS_SIZE(s->aw_bits) - 1). Signed-off-by: Yan Zhao [peterx: split from another bigger patch] Reviewed-by: Eric Auger Signed-off-by: Peter Xu Message-Id: <20190624091811.30412-2-peterx@redhat.com> Signed-off-by: Paolo Bonzini
---
 hw/i386/intel_iommu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index 44b1231157..719ce19ab3 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -3379,12 +3379,12 @@ static void vtd_address_space_unmap(VTDAddressSpace *as, IOMMUNotifier *n)
 * VT-d spec), otherwise we need to consider overflow of 64 bits.
 */
- if (end > VTD_ADDRESS_SIZE(s->aw_bits)) {
+ if (end > VTD_ADDRESS_SIZE(s->aw_bits) - 1) {
 /*
 * Don't need to unmap regions that is bigger than the whole
 * VT-d supported address space size
 */
- end = VTD_ADDRESS_SIZE(s->aw_bits);
+ end = VTD_ADDRESS_SIZE(s->aw_bits) - 1;
 }
 assert(start <= end);
From 9a4bb8391fda2312803d44664575a662b9be7189 Mon Sep 17 00:00:00 2001
From: Peter Xu
Date: Mon, 24 Jun 2019 17:18:11 +0800
Subject: [PATCH 05/12] intel_iommu: Fix unexpected unmaps during global unmap This is an replacement work of Yan Zhao's patch: https://www.mail-archive.com/qemu-devel@nongnu.org/msg625340.html vtd_address_space_unmap() will do proper page mask alignment to make sure each IOTLB message will have correct masks for notification messages (2^N-1), but sometimes it can be expanded to even supercede the registered range. That could lead to unexpected UNMAP of already mapped regions in some other notifiers. Instead of doing mindless expension of the start address and address mask, we split the range into smaller ones and guarantee that each small range will have correct masks (2^N-1) and at the same time we should also try our best to generate as less IOTLB messages as possible. Reported-by: Yan Zhao Signed-off-by: Peter Xu Reviewed-by: Eric Auger Tested-by: Yan Zhao Message-Id: <20190624091811.30412-3-peterx@redhat.com> Signed-off-by: Paolo Bonzini
---
 hw/i386/intel_iommu.c | 67 ++++++++++++++++++++++++++----------------- 1 file changed, 41 insertions(+), 26 deletions(-)
diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index 719ce19ab3..de86f53b4e 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -3363,11 +3363,28 @@ VTDAddressSpace *vtd_find_add_as(IntelIOMMUState *s, PCIBus *bus, int devfn)
 return vtd_dev_as;
 }
+static uint64_t get_naturally_aligned_size(uint64_t start,
+ uint64_t size, int gaw)
+{
+ uint64_t max_mask = 1ULL << gaw;
+ uint64_t alignment = start ? start & -start : max_mask;
+
+ alignment = MIN(alignment, max_mask);
+ size = MIN(size, max_mask);
+
+ if (alignment <= size) {
+ /* Increase the alignment of start */
+ return alignment;
+ } else {
+ /* Find the largest page mask from size */
+ return 1ULL << (63 - clz64(size));
+ }
+}
+
 /* Unmap the whole range in the notifier's scope. */
 static void vtd_address_space_unmap(VTDAddressSpace *as, IOMMUNotifier *n)
 {
- IOMMUTLBEntry entry;
- hwaddr size;
+ hwaddr size, remain;
 hwaddr start = n->start;
 hwaddr end = n->end;
 IntelIOMMUState *s = as->iommu_state;
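Review bot: `get_naturally_aligned_size()` carries a precise contract that the hunk does not write down: the result is a power of two, is at most `size` and at most `1 << gaw`, and divides `start` (every power of two divides 0), so `[start, start + result)` is a naturally aligned block. A header comment stating that, plus the precondition that `size` must be non-zero, is worth adding, because with `size == 0` the `else` branch computes `63 - clz64(size)`, which under the usual `clz64(0) == 64` convention is a negative shift count. `1ULL << gaw` is likewise undefined for `gaw == 64`; the only visible caller passes `s->aw_bits`, which presumably stays below that, so an `assert(gaw < 64);` at the top would record the assumption cheaply.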
@@ -3388,39 +3405,37 @@ static void vtd_address_space_unmap(VTDAddressSpace *as, IOMMUNotifier *n)
 }
 assert(start <= end);
- size = end - start;
+ size = remain = end - start + 1;
- if (ctpop64(size) != 1) {
- /*
- * This size cannot format a correct mask. Let's enlarge it to
- * suite the minimum available mask.
- */
- int n = 64 - clz64(size);
- if (n > s->aw_bits) {
- /* should not happen, but in case it happens, limit it */
- n = s->aw_bits;
- }
- size = 1ULL << n;
+ while (remain >= VTD_PAGE_SIZE) {
+ IOMMUTLBEntry entry;
+ uint64_t mask = get_naturally_aligned_size(start, remain, s->aw_bits);
+
+ assert(mask);
+
+ entry.iova = start;
+ entry.addr_mask = mask - 1;
+ entry.target_as = &address_space_memory;
+ entry.perm = IOMMU_NONE;
+ /* This field is meaningless for unmap */
+ entry.translated_addr = 0;
+
+ memory_region_notify_one(n, &entry);
+
+ start += mask;
+ remain -= mask;
 }
- entry.target_as = &address_space_memory;
- /* Adjust iova for the size */
- entry.iova = n->start & ~(size - 1);
- /* This field is meaningless for unmap */
- entry.translated_addr = 0;
- entry.perm = IOMMU_NONE;
- entry.addr_mask = size - 1;
+ assert(!remain);
 trace_vtd_as_unmap_whole(pci_bus_num(as->bus), VTD_PCI_SLOT(as->devfn), VTD_PCI_FUNC(as->devfn),
- entry.iova, size);
+ n->start, size);
- map.iova = entry.iova;
- map.size = entry.addr_mask;
+ map.iova = n->start;
+ map.size = size;
 iova_tree_remove(as->iova_tree, &map);
-
- memory_region_notify_one(n, &entry);
 }
 static void vtd_address_space_unmap_all(IntelIOMMUState *s)
From d15d3d573aa16ac4748d7c0291e582ed9d007485 Mon Sep 17 00:00:00 2001
From: Li Qiang
Date: Mon, 24 Jun 2019 08:16:35 -0700
Subject: [PATCH 06/12] ioapic: clear irq_eoi when updating the ioapic redirect table entry irq_eoi is used to count the number of irq injected during eoi broadcast. It should be set to 0 when updating the ioapic's redirect table entry. Suggested-by: Peter Xu
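Review bot: The `while (remain >= VTD_PAGE_SIZE)` loop silently assumes `n->start` is page aligned: for an unaligned start, `start & -start` yields an alignment below `VTD_PAGE_SIZE`, the first iterations emit sub-page IOTLB entries, and the leftover below one page is only caught by the trailing `assert(!remain)`. If IOMMU notifiers are always registered on page-aligned ranges, an `assert(!(start & (VTD_PAGE_SIZE - 1)));` before the loop documents that and fails earlier and more legibly. `size = remain = end - start + 1` also wraps to 0 when the range spans the whole 64-bit space; the clamp of `end` above the hunk presumably rules that out for `aw_bits < 64`, but a comment at the assignment would save the next reader the derivation. The head of the function, including that clamp, is outside this hunk.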
Signed-off-by: Li Qiang Reviewed-by: Peter Xu Message-Id: <20190624151635.22494-1-liq3ea@163.com> Signed-off-by: Paolo Bonzini
---
 hw/intc/ioapic.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/hw/intc/ioapic.c b/hw/intc/ioapic.c
index 7074489fdf..db9e518602 100644
--- a/hw/intc/ioapic.c
+++ b/hw/intc/ioapic.c
@@ -380,6 +380,7 @@ ioapic_mem_write(void *opaque, hwaddr addr, uint64_t val,
 /* restore RO bits */
 s->ioredtbl[index] &= IOAPIC_RW_BITS;
 s->ioredtbl[index] |= ro_bits;
+ s->irq_eoi[index] = 0;
 ioapic_fix_edge_remote_irr(&s->ioredtbl[index]);
 ioapic_service(s);
 }
From 4b03403f7684ef2dc2af5f8ab8ab52515562e3fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alex=20Benn=C3=A9e?=
Date: Mon, 24 Jun 2019 13:38:35 +0100
Subject: [PATCH 07/12] target/i386: fix feature check in hyperv-stub.c MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit 2d384d7c8 broken the build when built with: configure --without-default-devices --disable-user The reason was the conversion of cpu->hyperv_synic to cpu->hyperv_synic_kvm_only although the rest of the patch introduces a feature checking mechanism. So I've fixed the KVM_EXIT_HYPERV_SYNIC in hyperv-stub to do the same feature check as in the real hyperv.c Signed-off-by: Alex Bennée Cc: Vitaly Kuznetsov Cc: Paolo Bonzini Cc: Roman Kagan Message-Id: <20190624123835.28869-1-alex.bennee@linaro.org> Reviewed-by: Vitaly Kuznetsov Signed-off-by: Paolo Bonzini
---
 target/i386/hyperv-stub.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/i386/hyperv-stub.c b/target/i386/hyperv-stub.c
index fe548cbae2..0028527e79 100644
--- a/target/i386/hyperv-stub.c
+++ b/target/i386/hyperv-stub.c
@@ -15,7 +15,7 @@ int kvm_hv_handle_exit(X86CPU *cpu, struct kvm_hyperv_exit *exit)
 {
 switch (exit->type) {
 case KVM_EXIT_HYPERV_SYNIC:
- if (!cpu->hyperv_synic) {
+ if (!hyperv_feat_enabled(cpu, HYPERV_FEAT_SYNIC)) {
 return -1;
 }
From 6b7ac49d570c66754fad1b80cc200c7596d1facd Mon Sep 17 00:00:00 2001
From: Paolo Bonzini
Date: Mon, 24 Jun 2019 20:18:46 +0200
Subject: [PATCH 08/12] minikconf: do not include variables from MINIKCONF_ARGS in config-all-devices.mak When minikconf writes config-devices.mak, it includes all variables including those from MINIKCONF_ARGS. This causes values from config-host.mak to "stick" to the ones used in generating config-devices.mak, because config-devices.mak is included after config-host.mak. Avoid this by omitting assignments coming from the command line in the output of minikconf. Reported-by: Christophe de Dinechin Reviewed-by: Christophe de Dinechin Tested-by: Christophe de Dinechin Signed-off-by: Paolo Bonzini
---
 scripts/minikconf.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/scripts/minikconf.py b/scripts/minikconf.py
index 0ffc6c38da..3109a81db7 100644
--- a/scripts/minikconf.py
+++ b/scripts/minikconf.py
@@ -688,11 +688,13 @@ if __name__ == '__main__':
 data = KconfigData(mode)
 parser = KconfigParser(data)
+ external_vars = set()
 for arg in argv[3:]:
 m = re.match(r'^(CONFIG_[A-Z0-9_]+)=([yn]?)$', arg)
 if m is not None:
 name, value = m.groups()
 parser.do_assignment(name, value == 'y')
+ external_vars.add(name[7:])
 else:
 fp = open(arg, 'r')
 parser.parse_file(fp)
@@ -700,7 +702,8 @@ if __name__ == '__main__':
 config = data.compute_config()
 for key in sorted(config.keys()):
- print ('CONFIG_%s=%s' % (key, ('y' if config[key] else 'n')))
+ if key not in external_vars:
+ print ('CONFIG_%s=%s' % (key, ('y' if config[key] else 'n')))
 deps = open(argv[2], 'w')
 for fname in data.previously_included:
From ec7b1bbd2c470d8766b61617bd4d8ba46aa2056b Mon Sep 17 00:00:00 2001
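Review bot: `external_vars.add(name[7:])` strips the `CONFIG_` prefix with a magic offset that silently breaks if the regex on the line above ever changes; `external_vars.add(name[len('CONFIG_'):])`, or a second capture group in the regex, says what is meant. A short comment on `external_vars = set()` would also help, e.g. `# names assigned on the command line come from config-host.mak and must not be re-emitted`, since the reason currently lives only in the commit message; the second hunk's `if key not in external_vars:` is where that comment pays off. The `fp = open(arg, 'r')` in the context lines is never closed, but that predates this change.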
From: Liran Alon
Date: Tue, 25 Jun 2019 02:05:14 +0300
Subject: [PATCH 09/12] target/i386: kvm: Fix when nested state is needed for migration When vCPU is in VMX operation and enters SMM mode, it temporarily exits VMX operation but KVM maintained nested-state still stores the VMXON region physical address, i.e. even when the vCPU is in SMM mode then (nested_state->hdr.vmx.vmxon_pa != -1ull). Therefore, there is no need to explicitly check for KVM_STATE_NESTED_SMM_VMXON to determine if it is necessary to save nested-state as part of migration stream. Reviewed-by: Karl Heubaum Signed-off-by: Liran Alon Message-Id: <20190624230514.53326-1-liran.alon@oracle.com> Signed-off-by: Paolo Bonzini
---
 target/i386/machine.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/target/i386/machine.c b/target/i386/machine.c
index 851b249d1a..704ba6de46 100644
--- a/target/i386/machine.c
+++ b/target/i386/machine.c
@@ -997,9 +997,8 @@ static bool vmx_nested_state_needed(void *opaque)
 {
 struct kvm_nested_state *nested_state = opaque;
- return ((nested_state->format == KVM_STATE_NESTED_FORMAT_VMX) &&
- ((nested_state->hdr.vmx.vmxon_pa != -1ull) ||
- (nested_state->hdr.vmx.smm.flags & KVM_STATE_NESTED_SMM_VMXON)));
+ return (nested_state->format == KVM_STATE_NESTED_FORMAT_VMX &&
+ nested_state->hdr.vmx.vmxon_pa != -1ull);
 }
 static const VMStateDescription vmstate_vmx_nested_state = {
From 6c22ea9d83ca91a3f5453d2699381a901f144ab5 Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Fri, 5 Jul 2019 14:35:53 +0000
Subject: [PATCH 10/12] Makefile: generate header file with the list of devices enabled v2: generate config-devices.h which contains the list of devices enabled Message-Id: <20190705143554.10295-1-julio.montes@intel.com> Signed-off-by: Paolo Bonzini Signed-off-by: Julio Montes
---
 Makefile.target | 4 ++++ scripts/create_config | 2 ++ 2 files changed, 6 insertions(+)
diff --git a/Makefile.target b/Makefile.target
index 72c267f7dc..7154e99f0a 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -45,6 +45,9 @@ include $(SRC_PATH)/tests/tcg/Makefile.include
 config-target.h: config-target.h-timestamp
 config-target.h-timestamp: config-target.mak
+config-devices.h: config-devices.h-timestamp
+config-devices.h-timestamp: config-devices.mak
+
 ifdef CONFIG_TRACE_SYSTEMTAP
 stap: $(QEMU_PROG).stp-installed $(QEMU_PROG).stp $(QEMU_PROG)-simpletrace.stp $(QEMU_PROG)-log.stp
@@ -168,6 +171,7 @@ obj-y += hw/$(TARGET_BASE_ARCH)/
 endif
 generated-files-y += hmp-commands.h hmp-commands-info.h
+generated-files-y += config-devices.h
 endif # CONFIG_SOFTMMU
diff --git a/scripts/create_config b/scripts/create_config
index d727e5e36e..00e86c82b0 100755
--- a/scripts/create_config
+++ b/scripts/create_config
@@ -58,6 +58,8 @@ case $line in
 name=${line%=*}
 echo "#define $name 1"
 ;;
+ CONFIG_*=n) # configuration
+ ;;
 CONFIG_*=*) # configuration
 name=${line%=*}
 value=${line#*=}
From 60386ea270c8c9425b76d01ee42039f24d7bc833 Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Fri, 5 Jul 2019 14:35:54 +0000
Subject: [PATCH 11/12] hw/i386: Fix linker error when ISAPC is disabled v2: include config-devices.h to use CONFIG_IDE_ISA Message-Id: <20190705143554.10295-2-julio.montes@intel.com> Signed-off-by: Paolo Bonzini Signed-off-by: Julio Montes
---
 hw/i386/pc_piix.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index c07c4a5b38..cc04c015c7 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -23,6 +23,7 @@
 */
 #include "qemu/osdep.h"
+#include "config-devices.h"
 #include "qemu/units.h"
 #include "hw/hw.h"
@@ -61,9 +62,11 @@
 #define MAX_IDE_BUS 2
+#ifdef CONFIG_IDE_ISA
 static const int ide_iobase[MAX_IDE_BUS] = { 0x1f0, 0x170 };
 static const int ide_iobase2[MAX_IDE_BUS] = { 0x3f6, 0x376 };
 static const int ide_irq[MAX_IDE_BUS] = { 14, 15 };
+#endif
 /* PC hardware initialisation */
 static void pc_init1(MachineState *machine,
@@ -254,7 +257,10 @@ static void pc_init1(MachineState *machine,
 }
 idebus[0] = qdev_get_child_bus(&dev->qdev, "ide.0");
 idebus[1] = qdev_get_child_bus(&dev->qdev, "ide.1");
- } else {
+ pc_cmos_init(pcms, idebus[0], idebus[1], rtc_state);
+ }
+#ifdef CONFIG_IDE_ISA
+else {
 for(i = 0; i < MAX_IDE_BUS; i++) {
 ISADevice *dev;
 char busname[] = "ide.0";
@@ -268,9 +274,9 @@ static void pc_init1(MachineState *machine,
 busname[4] = '0' + i;
 idebus[i] = qdev_get_child_bus(DEVICE(dev), busname);
 }
+ pc_cmos_init(pcms, idebus[0], idebus[1], rtc_state);
 }
-
- pc_cmos_init(pcms, idebus[0], idebus[1], rtc_state);
+#endif
 if (pcmc->pci_enabled && machine_usb(machine)) {
 pci_create_simple(pci_bus, piix3_devfn + 2, "piix3-usb-uhci");
From 03f990a5e31e28c9a2794729638f2117e028bfa5 Mon Sep 17 00:00:00 2001
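Review bot: With `CONFIG_IDE_ISA` undefined the `#ifdef` removes the whole `else` branch, so on the non-PCI path `pc_cmos_init()` is no longer called at all and `idebus[0]`/`idebus[1]` are never assigned, whereas before the patch `pc_cmos_init` ran unconditionally after the if/else; any later reader of `idebus` (outside these hunks) would then see indeterminate pointers. Guarding only the ISA loop body and keeping the single `pc_cmos_init` call after the if/else avoids both the duplicated call and the gap, and makes the compiled-out case explicit rather than a silently missing branch. The column-0 `+else {` following a preprocessor line also reads oddly; the shape below keeps the `if`/`else` braces paired in the source text. If a non-PCI machine can still be configured without ISA IDE, substitute explicit NULL buses for the `g_assert_not_reached()` placeholder. The `if` that opens this branch, and the code that consumes `idebus` afterwards, lie outside the hunks.
```c
    } else {
#ifdef CONFIG_IDE_ISA
        for(i = 0; i < MAX_IDE_BUS; i++) {
            /* … unchanged: ISA IDE device creation and idebus[i] lookup … */
        }
#else
        /* ISA IDE is compiled out, so a non-PCI PC must not reach this point */
        g_assert_not_reached();
#endif
    }

    pc_cmos_init(pcms, idebus[0], idebus[1], rtc_state);
```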
From: Li Qiang Date: Fri, 21 Jun 2019 17:21:19 -0700 Subject: [PATCH 12/12] ioapic: use irq number instead of vector in ioapic_eoi_broadcast When emulating irqchip in qemu, such as following command: x86_64-softmmu/qemu-system-x86_64 -m 1024 -smp 4 -hda /home/test/test.img -machine kernel-irqchip=off --enable-kvm -vnc :0 -device edu -monitor stdio We will get a crash with following asan output: (qemu) /home/test/qemu5/qemu/hw/intc/ioapic.c:266:27: runtime error: index 35 out of bounds for type 'int [24]' ================================================================= ==113504==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000003114 at pc 0x5579e3c7a80f bp 0x7fd004bf8c10 sp 0x7fd004bf8c00 WRITE of size 4 at 0x61b000003114 thread T4 #0 0x5579e3c7a80e in ioapic_eoi_broadcast /home/test/qemu5/qemu/hw/intc/ioapic.c:266 #1 0x5579e3c6f480 in apic_eoi /home/test/qemu5/qemu/hw/intc/apic.c:428 #2 0x5579e3c720a7 in apic_mem_write /home/test/qemu5/qemu/hw/intc/apic.c:802 #3 0x5579e3b1e31a in memory_region_write_accessor /home/test/qemu5/qemu/memory.c:503 #4 0x5579e3b1e6a2 in access_with_adjusted_size /home/test/qemu5/qemu/memory.c:569 #5 0x5579e3b28d77 in memory_region_dispatch_write /home/test/qemu5/qemu/memory.c:1497 #6 0x5579e3a1b36b in flatview_write_continue /home/test/qemu5/qemu/exec.c:3323 #7 0x5579e3a1b633 in flatview_write /home/test/qemu5/qemu/exec.c:3362 #8 0x5579e3a1bcb1 in address_space_write /home/test/qemu5/qemu/exec.c:3452 #9 0x5579e3a1bd03 in address_space_rw /home/test/qemu5/qemu/exec.c:3463 #10 0x5579e3b8b979 in kvm_cpu_exec /home/test/qemu5/qemu/accel/kvm/kvm-all.c:2045 #11 0x5579e3ae4499 in qemu_kvm_cpu_thread_fn /home/test/qemu5/qemu/cpus.c:1287 #12 0x5579e4cbdb9f in qemu_thread_start util/qemu-thread-posix.c:502 #13 0x7fd0146376da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da) #14 0x7fd01436088e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e This is because in ioapic_eoi_broadcast function, we uses 'vector' to 
index the 's->irq_eoi'. To fix this, we should uses the irq number. Signed-off-by: Li Qiang Reviewed-by: Peter Xu Message-Id: <20190622002119.126834-1-liq3ea@163.com>
---
 hw/intc/ioapic.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/hw/intc/ioapic.c b/hw/intc/ioapic.c
index db9e518602..c408749876 100644
--- a/hw/intc/ioapic.c
+++ b/hw/intc/ioapic.c
@@ -245,8 +245,8 @@ void ioapic_eoi_broadcast(int vector)
 s->ioredtbl[n] = entry & ~IOAPIC_LVT_REMOTE_IRR;
 if (!(entry & IOAPIC_LVT_MASKED) && (s->irr & (1 << n))) {
- ++s->irq_eoi[vector];
- if (s->irq_eoi[vector] >= SUCCESSIVE_IRQ_MAX_COUNT) {
+ ++s->irq_eoi[n];
+ if (s->irq_eoi[n] >= SUCCESSIVE_IRQ_MAX_COUNT) {
 /*
 * Real hardware does not deliver the interrupt immediately
 * during eoi broadcast, and this lets a buggy guest make
@@ -254,16 +254,16 @@ void ioapic_eoi_broadcast(int vector)
 * level-triggered interrupt. Emulate this behavior if we
 * detect an interrupt storm.
 */
- s->irq_eoi[vector] = 0;
+ s->irq_eoi[n] = 0;
 timer_mod_anticipate(s->delayed_ioapic_service_timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + NANOSECONDS_PER_SECOND / 100);
- trace_ioapic_eoi_delayed_reassert(vector);
+ trace_ioapic_eoi_delayed_reassert(n);
 } else {
 ioapic_service(s);
 }
 } else {
- s->irq_eoi[vector] = 0;
+ s->irq_eoi[n] = 0;
 }
 }
 }
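Review bot: The index change is right — the ASan report in the message shows `irq_eoi` is `int [24]`, one slot per IOAPIC pin, while `vector` is the value handed in by apic_eoi() — but nothing in either hunk records that invariant, so the vector index can be reintroduced by the next edit. A comment at the first `++s->irq_eoi[n];`, or better on the `irq_eoi` field's declaration outside this file, such as `/* irq_eoi is indexed by IOAPIC pin (redirection-table entry), never by vector */`, would pin it down; patch 06 earlier in this series (`s->irq_eoi[index] = 0;` in ioapic_mem_write) already indexes by pin, which is consistent with this fix. The loop over `n` presumably opens before the first hunk and the function's tail lies beyond the second, so the comment placement needs checking against the full function.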