diff --git a/0206-rtl8139-flush-queued-packets-when-RxBufPtr-is-writte.patch b/0206-rtl8139-flush-queued-packets-when-RxBufPtr-is-writte.patch
new file mode 100644
index 0000000..feb4f26
--- /dev/null
+++ b/0206-rtl8139-flush-queued-packets-when-RxBufPtr-is-writte.patch
@@ -0,0 +1,47 @@
+From e5cdc492ec39f777b0bd877ca794f3b2ccdcffec Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi
+Date: Wed, 22 May 2013 14:50:18 +0200
+Subject: [PATCH] rtl8139: flush queued packets when RxBufPtr is written
+
+Net queues support efficient "receive disable". For example, tap's file
+descriptor will not be polled while its peer has receive disabled. This
+saves CPU cycles for needlessly copying and then dropping packets which
+the peer cannot receive.
+
+rtl8139 is missing the qemu_flush_queued_packets() call that wakes the
+queue up when receive becomes possible again.
+
+As a result, the Windows 7 guest driver reaches a state where the
+rtl8139 cannot receive packets. The driver has actually refilled the
+receive buffer but we never resume reception.
+
+The bug can be reproduced by running a large FTP 'get' inside a Windows
+7 guest:
+
+ $ qemu -netdev tap,id=tap0,...
+ -device rtl8139,netdev=tap0
+
+The Linux guest driver does not trigger the bug, probably due to a
+different buffer management strategy.
+
+Reported-by: Oliver Francke
+Signed-off-by: Stefan Hajnoczi
+(cherry picked from commit 00b7ade807b5ce6779ddd86ce29c5521ec5c529a)
+---
+ hw/rtl8139.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/rtl8139.c b/hw/rtl8139.c
+index d7716be..2c4d9bd 100644
+--- a/hw/rtl8139.c
++++ b/hw/rtl8139.c
+@@ -2575,6 +2575,9 @@ static void rtl8139_RxBufPtr_write(RTL8139State *s, uint32_t val)
+ /* this value is off by 16 */
+ s->RxBufPtr = MOD2(val + 0x10, s->RxBufferSize);
+
++ /* more buffer space may be available so try to receive */
++ qemu_flush_queued_packets(qemu_get_queue(s->nic));
++
+ DPRINTF(" CAPR write: rx buffer length %d head 0x%04x read 0x%04x\n",
+ s->RxBufferSize, s->RxBufAddr, s->RxBufPtr);
+ }
diff --git a/0207-spice-qemu-char-vmc_write-Don-t-write-more-bytes-the.patch b/0207-spice-qemu-char-vmc_write-Don-t-write-more-bytes-the.patch
new file mode 100644
index 0000000..c77113d
--- /dev/null
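Review bot: The flush in rtl8139_RxBufPtr_write sits before the DPRINTF, so the trace prints `s->RxBufAddr` after any queued packets may already have been delivered, not the state at the guest's CAPR write; moving `qemu_flush_queued_packets(qemu_get_queue(s->nic));` and its comment below the DPRINTF would keep the log describing the write itself. The call also means packet delivery now runs synchronously inside a guest-triggered register write, so it relies on the receive handler checking available space against RxBufPtr and RxBufferSize on its own; that handler is not visible here. If reception can also become possible through other registers (the receiver-enable bit, for instance), those write handlers presumably need the same wake-up. The function body starts outside the hunk.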
+++ b/0207-spice-qemu-char-vmc_write-Don-t-write-more-bytes-the.patch
@@ -0,0 +1,44 @@
+From ad0343a9c903b79c6dd3ecdafb05a704c14514b9 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Fri, 5 Apr 2013 11:30:24 +0200
+Subject: [PATCH] spice-qemu-char: vmc_write: Don't write more bytes then we're
+ asked too
+
+This one took me eons to debug, but I've finally found it now, oh well.
+
+The usage of the MIN macro in this line:
+ last_out = MIN(len, qemu_chr_be_can_write(scd->chr));
+
+Causes qemu_chr_be_can_write to be called *twice*, since the MIN macro
+evaluates its arguments twice (bad MIN macro, bad!). And the result of
+the call can change between the 2 calls since the guest may have consumed
+some data from the virtio ringbuffer between the calls!
+
+When this happens it is possible for qemu_chr_be_can_write to return less
+then len in the call made for the comparision, and then to return more then
+len in the actual call for the return-value of MIN, after which we will end
+up writing len data + some extra garbage, not good.
+
+This patch fixes this by only calling qemu_chr_be_can_write once.
+
+Signed-off-by: Hans de Goede
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit 75c439bc65c07d76f5e74c734ed5432bc6114a3b)
+---
+ spice-qemu-char.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/spice-qemu-char.c b/spice-qemu-char.c
+index 5065240..82f3f77 100644
+--- a/spice-qemu-char.c
++++ b/spice-qemu-char.c
+@@ -41,7 +41,8 @@ static int vmc_write(SpiceCharDeviceInstance *sin, const uint8_t *buf, int len)
+ uint8_t* p = (uint8_t*)buf;
+
+ while (len > 0) {
+- last_out = MIN(len, qemu_chr_be_can_write(scd->chr));
++ int can_write = qemu_chr_be_can_write(scd->chr);
++ last_out = MIN(len, can_write);
+ if (last_out <= 0) {
+ break;
+ }
diff --git a/qemu.spec b/qemu.spec
index 580f540..e8cb640 100644
--- a/qemu.spec
+++ b/qemu.spec
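Review bot: The new `can_write` local in vmc_write's loop has no comment saying why the call was hoisted out of `MIN`, so a later cleanup could fold it back and reintroduce the over-length write the commit message describes, where the second evaluation returns more than `len` and bytes past the caller's buffer are sent. I would add `/* call once: MIN() evaluates its arguments twice and the result can change between calls */` above `int can_write = ...`. The MIN macro itself is untouched by this patch, so any other call site that passes a function call whose result can change between evaluations would have the same window; none is visible from this hunk, so that needs a separate audit. vmc_write's body starts and ends outside the hunk.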
@@ -131,7 +131,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 1.4.2 -Release: 2%{?dist} +Release: 3%{?dist} # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD @@ -243,6 +243,10 @@ Patch0202: 0202-acpi_piix4-Drop-minimum_version_id-to-handle-qemu-kv.patch Patch0203: 0203-i8254-Fix-migration-from-qemu-kvm-1.1.patch Patch0204: 0204-pc_piix-Add-compat-handling-for-qemu-kvm-VGA-mem-siz.patch Patch0205: 0205-qxl-Add-rom_size-compat-property-fix-migration-from-.patch +# Fix rtl8139 + windows 7 + large transfers (bz #970240) +Patch0206: 0206-rtl8139-flush-queued-packets-when-RxBufPtr-is-writte.patch +# Fix crash on large drag and drop file transfer w/ spice (bz #969109) +Patch0207: 0207-spice-qemu-char-vmc_write-Don-t-write-more-bytes-the.patch BuildRequires: SDL-devel BuildRequires: zlib-devel @@ -775,6 +779,10 @@ CAC emulation development files. %patch0203 -p1 %patch0204 -p1 %patch0205 -p1 +# Fix rtl8139 + windows 7 + large transfers (bz #970240) +%patch0206 -p1 +# Fix crash on large drag and drop file transfer w/ spice (bz #969109) +%patch0207 -p1 %build %if %{with kvmonly} @@ -1421,6 +1429,10 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Tue Jun 11 2013 Cole Robinson - 2:1.4.2-3 +- Fix rtl8139 + windows 7 + large transfers (bz #970240) +- Fix crash on large drag and drop file transfer w/ spice (bz #969109) + * Mon May 27 2013 Dan HorĂ¡k - 2:1.4.2-2 - Install the qemu-kvm.1 man page only on arches with kvm