https://github.com/qemu/qemu
- HEAD
- refs/heads/block
- refs/heads/coverity
- refs/heads/master
- refs/heads/stable-0.10
- refs/heads/stable-0.11
- refs/heads/stable-0.12
- refs/heads/stable-0.13
- refs/heads/stable-0.14
- refs/heads/stable-0.15
- refs/heads/stable-1.0
- refs/heads/stable-1.1
- refs/heads/stable-1.2
- refs/heads/stable-1.3
- refs/heads/stable-1.4
- refs/heads/stable-1.5
- refs/heads/stable-1.6
- refs/heads/stable-1.7
- refs/heads/stable-2.0
- refs/heads/stable-2.1
- refs/heads/stable-2.10
- refs/heads/stable-2.11
- refs/heads/stable-2.12
- refs/heads/stable-2.2
- refs/heads/stable-2.3
- refs/heads/stable-2.4
- refs/heads/stable-2.5
- refs/heads/stable-2.6
- refs/heads/stable-2.7
- refs/heads/stable-2.8
- refs/heads/stable-2.9
- refs/heads/stable-3.0
- refs/heads/stable-3.1
- refs/heads/stable-4.0
- refs/heads/stable-4.1
- refs/heads/stable-4.2
- refs/heads/stable-5.0
- refs/heads/stable-6.0
- refs/heads/stable-6.0-staging
- refs/heads/stable-6.1
- refs/heads/stable-7.2
- refs/heads/stable-7.2-staging
- refs/heads/stable-8.0
- refs/heads/stable-8.0-staging
- refs/heads/stable-8.1
- refs/heads/stable-8.2
- refs/heads/stable-9.0
- refs/heads/staging
- refs/heads/staging-0.0
- refs/heads/staging-7.2
- refs/heads/staging-8.0
- refs/heads/staging-8.1
- refs/heads/staging-8.2
- refs/heads/staging-9.0
- refs/heads/staging-mjt-test
- refs/heads/stsquad-hotfix
- refs/notes/commits
- refs/remotes/github/master
- refs/remotes/github/stable-0.10
- refs/remotes/github/stable-0.11
- refs/remotes/github/stable-0.12
- refs/remotes/github/stable-0.13
- refs/remotes/github/stable-0.14
- refs/remotes/github/stable-0.15
- refs/remotes/github/stable-1.0
- refs/remotes/github/stable-1.1
- refs/remotes/github/stable-1.2
- refs/remotes/github/stable-1.3
- refs/remotes/github/stable-1.4
- refs/remotes/github/stable-1.5
- refs/remotes/github/stable-1.6
- refs/remotes/github/stable-1.7
- refs/remotes/github/stable-2.0
- refs/remotes/github/stable-2.1
- refs/remotes/github/stable-2.10
- refs/remotes/github/stable-2.11
- refs/remotes/github/stable-2.12
- refs/remotes/github/stable-2.2
- refs/remotes/github/stable-2.3
- refs/remotes/github/stable-2.4
- refs/remotes/github/stable-2.5
- refs/remotes/github/stable-2.6
- refs/remotes/github/stable-2.7
- refs/remotes/github/stable-2.8
- refs/remotes/github/stable-2.9
- refs/remotes/github/stable-3.0
- refs/remotes/github/stable-3.1
- refs/remotes/github/stable-4.0
- refs/remotes/github/stable-4.1
- refs/remotes/github/stable-4.2
- refs/remotes/github/stable-5.0
- refs/remotes/github/staging
- refs/tags/initial
- refs/tags/release_0_10_0
- refs/tags/release_0_10_1
- refs/tags/release_0_10_2
- refs/tags/release_0_5_1
- refs/tags/release_0_6_0
- refs/tags/release_0_6_1
- refs/tags/release_0_7_0
- refs/tags/release_0_7_1
- refs/tags/release_0_8_1
- refs/tags/release_0_8_2
- refs/tags/release_0_9_0
- refs/tags/release_0_9_1
- refs/tags/v0.1.0
- refs/tags/v0.1.1
- refs/tags/v0.1.3
- refs/tags/v0.1.4
- refs/tags/v0.1.5
- refs/tags/v0.1.6
- refs/tags/v0.10.0
- refs/tags/v0.10.1
- refs/tags/v0.10.2
- refs/tags/v0.10.3
- refs/tags/v0.10.4
- refs/tags/v0.10.5
- refs/tags/v0.10.6
- refs/tags/v0.11.0
- refs/tags/v0.11.0-rc0
- refs/tags/v0.11.0-rc1
- refs/tags/v0.11.0-rc2
- refs/tags/v0.11.1
- refs/tags/v0.12.0
- refs/tags/v0.12.0-rc0
- refs/tags/v0.12.0-rc1
- refs/tags/v0.12.0-rc2
- refs/tags/v0.12.1
- refs/tags/v0.12.2
- refs/tags/v0.12.3
- refs/tags/v0.12.4
- refs/tags/v0.12.5
- refs/tags/v0.13.0
- refs/tags/v0.13.0-rc0
- refs/tags/v0.13.0-rc1
- refs/tags/v0.13.0-rc2
- refs/tags/v0.13.0-rc3
- refs/tags/v0.14.0
- refs/tags/v0.14.0-rc0
- refs/tags/v0.14.0-rc1
- refs/tags/v0.14.0-rc2
- refs/tags/v0.15.0
- refs/tags/v0.15.0-rc0
- refs/tags/v0.15.0-rc1
- refs/tags/v0.15.0-rc2
- refs/tags/v0.15.1
- refs/tags/v0.2.0
- refs/tags/v0.3.0
- refs/tags/v0.4.0
- refs/tags/v0.4.1
- refs/tags/v0.4.2
- refs/tags/v0.4.3
- refs/tags/v0.4.4
- refs/tags/v0.5.0
- refs/tags/v0.5.1
- refs/tags/v0.6.0
- refs/tags/v0.6.1
- refs/tags/v0.7.0
- refs/tags/v0.7.1
- refs/tags/v0.8.1
- refs/tags/v0.8.2
- refs/tags/v0.9.0
- refs/tags/v0.9.1
- refs/tags/v1.0-rc0
- refs/tags/v1.0-rc1
- refs/tags/v1.0-rc2
- refs/tags/v1.0-rc3
- refs/tags/v1.0.1
- refs/tags/v1.1-rc0
- refs/tags/v1.1-rc1
- refs/tags/v1.1-rc2
- refs/tags/v1.1.0
- refs/tags/v1.1.0-rc2
- refs/tags/v1.1.0-rc3
- refs/tags/v1.1.0-rc4
- refs/tags/v1.1.1
- refs/tags/v1.1.2
- refs/tags/v1.2.0-rc0
- refs/tags/v1.2.1
- refs/tags/v1.2.2
- refs/tags/v1.3.0
- refs/tags/v1.3.0-rc0
- refs/tags/v1.3.0-rc1
- refs/tags/v1.3.0-rc2
- refs/tags/v1.3.1
- refs/tags/v1.4.1
- refs/tags/v1.4.2
- refs/tags/v1.5.0
- refs/tags/v1.5.0-rc0
- refs/tags/v1.5.0-rc1
- refs/tags/v1.5.0-rc2
- refs/tags/v1.5.0-rc3
- refs/tags/v1.5.1
- refs/tags/v1.5.2
- refs/tags/v1.5.3
- refs/tags/v1.6.0
- refs/tags/v1.6.0-rc0
- refs/tags/v1.6.0-rc1
- refs/tags/v1.6.0-rc2
- refs/tags/v1.6.0-rc3
- refs/tags/v1.6.1
- refs/tags/v1.6.2
- refs/tags/v1.7.0
- refs/tags/v1.7.0-rc0
- refs/tags/v1.7.0-rc1
- refs/tags/v1.7.0-rc2
- refs/tags/v1.7.1
- refs/tags/v1.7.2
- refs/tags/v2.0.1
- refs/tags/v2.0.2
- v9.1.0-rc0
- v9.0.2
- v9.0.1
- v9.0.0-rc4
- v9.0.0-rc3
- v9.0.0-rc2
- v9.0.0-rc1
- v9.0.0-rc0
- v9.0.0
- v8.2.6
- v8.2.5
- v8.2.4
- v8.2.3
- v8.2.2
- v8.2.1
- v8.2.0-rc4
- v8.2.0-rc3
- v8.2.0-rc2
- v8.2.0-rc1
- v8.2.0-rc0
- v8.2.0
- v8.1.5
- v8.1.4
- v8.1.3
- v8.1.2
- v8.1.1
- v8.1.0-rc4
- v8.1.0-rc3
- v8.1.0-rc2
- v8.1.0-rc1
- v8.1.0-rc0
- v8.1.0
- v8.0.5
- v8.0.4
- v8.0.3
- v8.0.2
- v8.0.1
- v8.0.0-rc4
- v8.0.0-rc3
- v8.0.0-rc2
- v8.0.0-rc1
- v8.0.0-rc0
- v8.0.0
- v7.2.9
- v7.2.8
- v7.2.7
- v7.2.6
- v7.2.5
- v7.2.4
- v7.2.3
- v7.2.2
- v7.2.13
- v7.2.12
- v7.2.11
- v7.2.10
- v7.2.1
- v7.2.0-rc4
- v7.2.0-rc3
- v7.2.0-rc2
- v7.2.0-rc1
- v7.2.0-rc0
- v7.2.0
- v7.1.0-rc4
- v7.1.0-rc3
- v7.1.0-rc2
- v7.1.0-rc1
- v7.1.0-rc0
- v7.1.0
- v7.0.0-rc4
- v7.0.0-rc3
- v7.0.0-rc2
- v7.0.0-rc1
- v7.0.0-rc0
- v7.0.0
- v6.2.0-rc4
- v6.2.0-rc3
- v6.2.0-rc2
- v6.2.0-rc1
- v6.2.0-rc0
- v6.2.0
- v6.1.1
- v6.1.0-rc4
- v6.1.0-rc3
- v6.1.0-rc2
- v6.1.0-rc1
- v6.1.0-rc0
- v6.1.0
- v6.0.1
- v6.0.0-rc5
- v6.0.0-rc4
- v6.0.0-rc3
- v6.0.0-rc2
- v6.0.0-rc1
- v6.0.0-rc0
- v6.0.0
- v5.2.0-rc4
- v5.2.0-rc3
- v5.2.0-rc2
- v5.2.0-rc1
- v5.2.0-rc0
- v5.2.0
- v5.1.0-rc3
- v5.1.0-rc2
- v5.1.0-rc1
- v5.1.0-rc0
- v5.1.0
- v5.0.1
- v5.0.0-rc4
- v5.0.0-rc3
- v5.0.0-rc2
- v5.0.0-rc1
- v5.0.0-rc0
- v5.0.0
- v4.2.1
- v4.2.0-rc5
- v4.2.0-rc4
- v4.2.0-rc3
- v4.2.0-rc2
- v4.2.0-rc1
- v4.2.0-rc0
- v4.2.0
- v4.1.1
- v4.1.0-rc5
- v4.1.0-rc4
- v4.1.0-rc3
- v4.1.0-rc2
- v4.1.0-rc1
- v4.1.0-rc0
- v4.1.0
- v4.0.1
- v4.0.0-rc4
- v4.0.0-rc3
- v4.0.0-rc2
- v4.0.0-rc1
- v4.0.0-rc0
- v4.0.0
- v3.1.1.1
- v3.1.1
- v3.1.0-rc5
- v3.1.0-rc4
- v3.1.0-rc3
- v3.1.0-rc2
- v3.1.0-rc1
- v3.1.0-rc0
- v3.1.0
- v3.0.1
- v3.0.0-rc4
- v3.0.0-rc3
- v3.0.0-rc2
- v3.0.0-rc1
- v3.0.0-rc0
- v3.0.0
- v2.9.1
- v2.9.0-rc5
- v2.9.0-rc4
- v2.9.0-rc3
- v2.9.0-rc2
- v2.9.0-rc1
- v2.9.0-rc0
- v2.9.0
- v2.8.1.1
- v2.8.1
- v2.8.0-rc4
- v2.8.0-rc3
- v2.8.0-rc2
- v2.8.0-rc1
- v2.8.0-rc0
- v2.8.0
- v2.7.1
- v2.7.0-rc5
- v2.7.0-rc4
- v2.7.0-rc3
- v2.7.0-rc2
- v2.7.0-rc1
- v2.7.0-rc0
- v2.7.0
- v2.6.2
- v2.6.1
- v2.6.0-rc5
- v2.6.0-rc4
- v2.6.0-rc3
- v2.6.0-rc2
- v2.6.0-rc1
- v2.6.0-rc0
- v2.6.0
- v2.5.1.1
- v2.5.1
- v2.5.0-rc4
- v2.5.0-rc3
- v2.5.0-rc2
- v2.5.0-rc1
- v2.5.0-rc0
- v2.5.0
- v2.4.1
- v2.4.0.1
- v2.4.0-rc4
- v2.4.0-rc3
- v2.4.0-rc2
- v2.4.0-rc1
- v2.4.0-rc0
- v2.4.0
- v2.3.1
- v2.3.0-rc4
- v2.3.0-rc3
- v2.3.0-rc2
- v2.3.0-rc1
- v2.3.0-rc0
- v2.3.0
- v2.2.1
- v2.2.0-rc5
- v2.2.0-rc4
- v2.2.0-rc3
- v2.2.0-rc2
- v2.2.0-rc1
- v2.2.0-rc0
- v2.2.0
- v2.12.1
- v2.12.0-rc4
- v2.12.0-rc3
- v2.12.0-rc2
- v2.12.0-rc1
- v2.12.0-rc0
- v2.12.0
- v2.11.2
- v2.11.1
- v2.11.0-rc5
- v2.11.0-rc4
- v2.11.0-rc3
- v2.11.0-rc2
- v2.11.0-rc1
- v2.11.0-rc0
- v2.11.0
- v2.10.2
- v2.10.1
- v2.10.0-rc4
- v2.10.0-rc3
- v2.10.0-rc2
- v2.10.0-rc1
- v2.10.0-rc0
- v2.10.0
- v2.1.3
- v2.1.2
- v2.1.1
- v2.1.0-rc5
- v2.1.0-rc4
- v2.1.0-rc3
- v2.1.0-rc2
- v2.1.0-rc1
- v2.1.0-rc0
- v2.1.0
- v2.0.0-rc3
- v2.0.0-rc2
- v2.0.0-rc1
- v2.0.0-rc0
- v2.0.0
- v1.4.0-rc2
- v1.4.0-rc1
- v1.4.0-rc0
- v1.4.0
- v1.2.0-rc3
- v1.2.0-rc2
- v1.2.0-rc1
- v1.2.0
- v1.0-rc4
- v1.0
- v0.14.1
- trivial-patches-pull-request
Take a new snapshot of a software origin
If the archived software origin currently browsed is not synchronized with its upstream version (for instance when new commits have been issued), you can explicitly request Software Heritage to take a new snapshot of it.
Use the form below to proceed. Once a request has been submitted and accepted, it will be processed as soon as possible. You can then check its processing state by visiting this dedicated page.
Processing "take a new snapshot" request ...
Permalinks
To reference or cite the objects present in the Software Heritage archive, permalinks based on SoftWare Hash IDentifiers (SWHIDs) must be used.
Select below a type of object currently browsed in order to display its associated SWHID and permalink.
| Revision | Author | Date | Message | Commit Date |
|---|---|---|---|---|
| 46300eb | Michael Tokarev | 16 July 2024, 05:41:13 UTC | Update version for 8.2.6 release Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 16 July 2024, 05:41:13 UTC |
| 57d9378 | Vincent Fu | 03 May 2024, 17:50:04 UTC | hw/nvme: fix number of PIDs for FDP RUH update The number of PIDs is in the upper 16 bits of cdw10. So we need to right-shift by 16 bits instead of only a single bit. Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation") Cc: qemu-stable@nongnu.org Signed-off-by: Vincent Fu <vincent.fu@samsung.com> Reviewed-by: Klaus Jensen <k.jensen@samsung.com> Signed-off-by: Klaus Jensen <k.jensen@samsung.com> (cherry picked from commit 3936bbdf9a2e9233875f850c7576c79d06add261) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 12 July 2024, 18:50:41 UTC |
| 55b151b | Markus Armbruster | 28 June 2024, 11:27:56 UTC | sphinx/qapidoc: Fix to generate doc for explicit, unboxed arguments When a command's arguments are specified as an explicit type T, generated documentation points to the members of T. Example: ## # @announce-self: # # Trigger generation of broadcast RARP frames to update network [...] ## { 'command': 'announce-self', 'boxed': true, 'data' : 'AnnounceParameters'} generates "announce-self" (Command) ------------------------- Trigger generation of broadcast RARP frames to update network [...] Arguments ~~~~~~~~~ The members of "AnnounceParameters" Except when the command takes its arguments unboxed , i.e. it doesn't have 'boxed': true, we generate *nothing*. A few commands have a reference in their doc comment to compensate, but most don't. Example: ## # @blockdev-snapshot-sync: # # Takes a synchronous snapshot of a block device. # # For the arguments, see the documentation of BlockdevSnapshotSync. [...] ## { 'command': 'blockdev-snapshot-sync', 'data': 'BlockdevSnapshotSync', 'allow-preconfig': true } generates "blockdev-snapshot-sync" (Command) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Takes a synchronous snapshot of a block device. For the arguments, see the documentation of BlockdevSnapshotSync. [...] Same for event data. Fix qapidoc.py to generate the reference regardless of boxing. Delete now redundant references in the doc comments. Fixes: 4078ee5469e5 (docs/sphinx: Add new qapi-doc Sphinx extension) Cc: qemu-stable@nongnu.org Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-ID: <20240628112756.794237-1-armbru@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> (cherry picked from commit e389929d19a543ea5b34d02553b355f9f1c03162) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: context fixups in qapi/block-core.json due to missing v8.2.0-1951-g2746f060be18 "qapi: Move error documentation to new "Errors" sections" v8.2.0-1952-g53d5c36d8de3 "qapi: Delete useless "Returns" sections") | 08 July 2024, 19:55:53 UTC |
| 8f7bb12 | Maxim Mikityanskiy | 03 July 2024, 19:08:12 UTC | char-stdio: Restore blocking mode of stdout on exit qemu_chr_open_fd() sets stdout into non-blocking mode. Restore the old fd flags on exit to avoid breaking unsuspecting applications that run on the same terminal after qemu and don't expect to get EAGAIN. While at at, also ensure term_exit is called once (at the moment it's called both from char_stdio_finalize() and as the atexit() hook. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2423 Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com> Link: https://lore.kernel.org/r/20240703190812.3459514-1-maxtram95@gmail.com Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit a0124e333e2176640f233e5ea57a2f413985d9b5) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 July 2024, 12:04:16 UTC |
| b932f9f | Stefano Garzarella | 01 July 2024, 07:52:08 UTC | virtio: remove virtio_tswap16s() call in vring_packed_event_read() Commit d152cdd6f6 ("virtio: use virtio accessor to access packed event") switched using of address_space_read_cached() to virito_lduw_phys_cached() to access packed descriptor event. When we used address_space_read_cached(), we needed to call virtio_tswap16s() to handle the endianess of the field, but virito_lduw_phys_cached() already handles it internally, so we no longer need to call virtio_tswap16s() (as the commit had done for `off_wrap`, but forgot for `flags`). Fixes: d152cdd6f6 ("virtio: use virtio accessor to access packed event") Cc: jasowang@redhat.com Cc: qemu-stable@nongnu.org Reported-by: Xoykie <xoykie@gmail.com> Link: https://lore.kernel.org/qemu-devel/CAFU8RB_pjr77zMLsM0Unf9xPNxfr_--Tjr49F_eX32ZBc5o2zQ@mail.gmail.com Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Message-Id: <20240701075208.19634-1-sgarzare@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Eugenio Pérez <eperezma@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 7aa6492401e95fb296dec7cda81e67d91f6037d7) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 04 July 2024, 21:13:20 UTC |
| 0d2c267 | Cindy Lu | 28 May 2024, 08:48:15 UTC | virtio-pci: Fix the failure process in kvm_virtio_pci_vector_use_one() In function kvm_virtio_pci_vector_use_one(), the function will only use the irqfd/vector for itself. Therefore, in the undo label, the failing process is incorrect. To fix this, we can just remove this label. Fixes: f9a09ca3ea ("vhost: add support for configure interrupt") Cc: qemu-stable@nongnu.org Signed-off-by: Cindy Lu <lulu@redhat.com> Message-Id: <20240528084840.194538-1-lulu@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit a113d041e8d0b152d72a7c2bf47dd09aabf9ade2) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 04 July 2024, 21:13:01 UTC |
| aea89f4 | Kevin Wolf | 25 April 2024, 12:56:02 UTC | block: Parse filenames only when explicitly requested When handling image filenames from legacy options such as -drive or from tools, these filenames are parsed for protocol prefixes, including for the json:{} pseudo-protocol. This behaviour is intended for filenames that come directly from the command line and for backing files, which may come from the image file itself. Higher level management tools generally take care to verify that untrusted images don't contain a bad (or any) backing file reference; 'qemu-img info' is a suitable tool for this. However, for other files that can be referenced in images, such as qcow2 data files or VMDK extents, the string from the image file is usually not verified by management tools - and 'qemu-img info' wouldn't be suitable because in contrast to backing files, it already opens these other referenced files. So here the string should be interpreted as a literal local filename. More complex configurations need to be specified explicitly on the command line or in QMP. This patch changes bdrv_open_inherit() so that it only parses filenames if a new parameter parse_filename is true. It is set for the top level in bdrv_open(), for the file child and for the backing file child. All other callers pass false and disable filename parsing this way. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Hanna Czenczek <hreitz@redhat.com> (cherry picked from commit 7ead946998610657d38d1a505d5f25300d4ca613) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: backport patch to 8.2, without: v8.2.0-132-g6bc30f194985 "graph-lock: remove AioContext locking" v8.2.0-133-gb49f4755c7fa "block: remove AioContext locking") | 03 July 2024, 20:48:39 UTC |
| 46fdbe6 | Kevin Wolf | 25 April 2024, 12:49:40 UTC | iotests/270: Don't store data-file with json: prefix in image We want to disable filename parsing for data files because it's too easy to abuse in malicious image files. Make the test ready for the change by passing the data file explicitly in command line options. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Hanna Czenczek <hreitz@redhat.com> (cherry picked from commit 7e1110664ecbc4826f3c978ccb06b6c1bce823e6) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 03 July 2024, 20:03:02 UTC |
| 6a2774e | Kevin Wolf | 25 April 2024, 12:49:40 UTC | iotests/244: Don't store data-file with protocol in image We want to disable filename parsing for data files because it's too easy to abuse in malicious image files. Make the test ready for the change by passing the data file explicitly in command line options. Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Hanna Czenczek <hreitz@redhat.com> (cherry picked from commit 2eb42a728d27a43fdcad5f37d3f65706ce6deba5) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 03 July 2024, 20:03:02 UTC |
| d7e7f34 | Kevin Wolf | 11 April 2024, 13:06:01 UTC | qcow2: Don't open data_file with BDRV_O_NO_IO One use case for 'qemu-img info' is verifying that untrusted images don't reference an unwanted external file, be it as a backing file or an external data file. To make sure that calling 'qemu-img info' can't already have undesired side effects with a malicious image, just don't open the data file at all with BDRV_O_NO_IO. If nothing ever tries to do I/O, we don't need to have it open. This changes the output of iotests case 061, which used 'qemu-img info' to show that opening an image with an invalid data file fails. After this patch, it succeeds. Replace this part of the test with a qemu-io call, but keep the final 'qemu-img info' to show that the invalid data file is correctly displayed in the output. Fixes: CVE-2024-4467 Cc: qemu-stable@nongnu.org Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Hanna Czenczek <hreitz@redhat.com> (cherry picked from commit bd385a5298d7062668e804d73944d52aec9549f1) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 03 July 2024, 20:03:02 UTC |
| 38fb9d1 | Richard Henderson | 25 June 2024, 18:35:26 UTC | target/arm: Fix FJCVTZS vs flush-to-zero Input denormals cause the Javascript inexact bit (output to Z) to be set. Cc: qemu-stable@nongnu.org Fixes: 6c1f6f2733a ("target/arm: Implement ARMv8.3-JSConv") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2375 Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20240625183536.1672454-4-richard.henderson@linaro.org [PMM: fixed hardcoded tab in test case] Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 7619129f0d4a14d918227c5c47ad7433662e9ccc) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 02 July 2024, 06:49:20 UTC |
| 8c56d9f | Richard Henderson | 25 June 2024, 18:35:24 UTC | target/arm: Fix VCMLA Dd, Dn, Dm[idx] The inner loop, bounded by eltspersegment, must not be larger than the outer loop, bounded by elements. Cc: qemu-stable@nongnu.org Fixes: 18fc2405781 ("target/arm: Implement SVE fp complex multiply add (indexed)") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2376 Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20240625183536.1672454-2-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 76bccf3cb9d9383da0128bbc6d1300cddbe3ae8f) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 02 July 2024, 06:03:21 UTC |
| 40e0416 | Chuang Xu | 11 June 2024, 03:23:14 UTC | i386/cpu: fixup number of addressable IDs for processor cores in the physical package When QEMU is started with: -cpu host,host-cache-info=on,l3-cache=off \ -smp 2,sockets=1,dies=1,cores=1,threads=2 Guest can't acquire maximum number of addressable IDs for processor cores in the physical package from CPUID[04H]. When creating a CPU topology of 1 core per package, host-cache-info only uses the Host's addressable core IDs field (CPUID.04H.EAX[bits 31-26]), resulting in a conflict (on the multicore Host) between the Guest core topology information in this field and the Guest's actual cores number. Fix it by removing the unnecessary condition to cover 1 core per package case. This is safe because cores_per_pkg will not be 0 and will be at least 1. Fixes: d7caf13b5fcf ("x86: cpu: fixup number of addressable IDs for logical processors sharing cache") Signed-off-by: Guixiong Wei <weiguixiong@bytedance.com> Signed-off-by: Yipeng Yin <yinyipeng@bytedance.com> Signed-off-by: Chuang Xu <xuchuangxclwt@bytedance.com> Reviewed-by: Zhao Liu <zhao1.liu@intel.com> Message-ID: <20240611032314.64076-1-xuchuangxclwt@bytedance.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 903916f0a017fe4b7789f1c6c6982333a5a71876) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: fixup for 8.2 due to other changes in this area past 9.0) | 01 July 2024, 06:49:12 UTC |
| df0e72d | Thomas Huth | 18 April 2024, 10:10:47 UTC | tests: Update our CI to use CentOS Stream 9 instead of 8 RHEL 9 (and thus also the derivatives) have been available since two years now, so according to QEMU's support policy, we can drop the active support for the previous major version 8 now. Another reason for doing this is that Centos Stream 8 will go EOL soon: https://blog.centos.org/2023/04/end-dates-are-coming-for-centos-stream-8-and-centos-linux-7/ "After May 31, 2024, CentOS Stream 8 will be archived and no further updates will be provided." Thus upgrade our CentOS Stream container to major version 9 now. Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Message-ID: <20240418101056.302103-5-thuth@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit 641b1efe01b2dd6e7ac92f23d392dcee73508746) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 30 June 2024, 12:27:33 UTC |
| 5d9f246 | Fabiano Rosas | 17 June 2024, 18:57:17 UTC | migration: Fix file migration with fdset When the "file:" migration support was added we missed the special case in the qemu_open_old implementation that allows for a particular file name format to be used to refer to a set of file descriptors that have been previously provided to QEMU via the add-fd QMP command. When using this fdset feature, we should not truncate the migration file because being given an fd means that the management layer is in control of the file and will likely already have some data written to it. This is further indicated by the presence of the 'offset' argument, which indicates the start of the region where QEMU is allowed to write. Fix the issue by replacing the O_TRUNC flag on open by an ftruncate call, which will take the offset into consideration. Fixes: 385f510df5 ("migration: file URI offset") Suggested-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Prasad Pandit <pjp@fedoraproject.org> Reviewed-by: Peter Xu <peterx@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Fabiano Rosas <farosas@suse.de> (cherry picked from commit 6d3279655ac49b806265f08415165f471d33e032) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: context fixup in migration/file.c due to missing v8.2.0-1958-gb7b03eb614d0 "migration/multifd: Add outgoing QIOChannelFile support") | 30 June 2024, 12:04:18 UTC |
| 1229d60 | Richard Henderson | 19 June 2024, 05:41:13 UTC | tcg/loongarch64: Fix tcg_out_movi vs some pcrel pointers Simplify the logic for two-part, 32-bit pc-relative addresses. Rather than assume all such fit in int32_t, do some arithmetic and assert a result, do some arithmetic first and then check to see if the pieces are in range. Cc: qemu-stable@nongnu.org Fixes: dacc51720db ("tcg/loongarch64: Implement tcg_out_mov and tcg_out_movi") Reviewed-by: Song Gao <gaosong@loongson.cn> Reported-by: Song Gao <gaosong@loongson.cn> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 521d7fb3ebdf88112ed13556a93e3037742b9eb8) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 June 2024, 12:23:05 UTC |
| f4564fc | Clément Chigot | 06 June 2024, 14:43:31 UTC | target/sparc: use signed denominator in sdiv helper The result has to be done with the signed denominator (b32) instead of the unsigned value passed in argument (b). Cc: qemu-stable@nongnu.org Fixes: 1326010322d6 ("target/sparc: Remove CC_OP_DIV") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2319 Signed-off-by: Clément Chigot <chigot@adacore.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20240606144331.698361-1-chigot@adacore.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 6b4965373e561b77f91cfbdf41353635c9661358) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 June 2024, 12:22:44 UTC |
| 1649e95 | Ilya Leoshkevich | 14 June 2024, 15:46:40 UTC | linux-user: Make TARGET_NR_setgroups affect only the current thread Like TARGET_NR_setuid, TARGET_NR_setgroups should affect only the calling thread, and not the entire process. Therefore, implement it using a syscall, and not a libc call. Cc: qemu-stable@nongnu.org Fixes: 19b84f3c35d7 ("added setgroups and getgroups syscalls") Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20240614154710.1078766-1-iii@linux.ibm.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 54b27921026df384f67df86f04c39539df375c60) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 June 2024, 12:22:26 UTC |
| 40682cf | Anton Johansson | 12 June 2024, 13:30:31 UTC | accel/tcg: Fix typo causing tb->page_addr[1] to not be recorded For TBs crossing page boundaries, the 2nd page will never be recorded/removed, as the index of the 2nd page is computed from the address of the 1st page. This is due to a typo, fix it. Cc: qemu-stable@nongnu.org Fixes: deba78709a ("accel/tcg: Always lock pages before translation") Signed-off-by: Anton Johansson <anjo@rev.ng> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20240612133031.15298-1-anjo@rev.ng> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 3b279f73fa37bec8d3ba04a15f5153d6491cffaf) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 June 2024, 12:22:00 UTC |
| d08c1fd | Gerd Hoffmann | 05 June 2024, 13:14:41 UTC | stdvga: fix screen blanking In case the display surface uses a shared buffer (i.e. uses vga vram directly instead of a shadow) go unshare the buffer before clearing it. This avoids vga memory corruption, which in turn fixes unblanking not working properly with X11. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2067 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-ID: <20240605131444.797896-2-kraxel@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit b1cf266c82cb1211ee2785f1813a6a3f3e693390) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 June 2024, 07:04:36 UTC |
| 1798f38 | Philippe Mathieu-Daudé | 22 April 2024, 12:47:23 UTC | hw/audio/virtio-snd: Always use little endian audio format The VIRTIO Sound Device conforms with the Virtio spec v1.2, thus only use little endianness. Remove the suspicious target_words_bigendian() noticed during code review. Cc: qemu-stable@nongnu.org Fixes: eb9ad377bb ("virtio-sound: handle control messages and streams") Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-Id: <20240422211830.25606-1-philmd@linaro.org> (cherry picked from commit a276ec8e2632c9015d0f9b4e47194e4e91dfa8bb) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 June 2024, 07:03:40 UTC |
| fdbeeb4 | Dongwon Kim | 26 April 2024, 22:50:59 UTC | ui/gtk: Draw guest frame at refresh cycle Draw routine needs to be manually invoked in the next refresh if there is a scanout blob from the guest. This is to prevent a situation where there is a scheduled draw event but it won't happen bacause the window is currently in inactive state (minimized or tabified). If draw is not done for a long time, gl_block timeout and/or fence timeout (on the guest) will happen eventually. v2: Use gd_gl_area_draw(vc) in gtk-gl-area.c Suggested-by: Vivek Kasireddy <vivek.kasireddy@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Marc-André Lureau <marcandre.lureau@redhat.com> Cc: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dongwon Kim <dongwon.kim@intel.com> Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20240426225059.3871283-1-dongwon.kim@intel.com> (cherry picked from commit 77bf310084dad38b3a2badf01766c659056f1cf2) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 11 June 2024, 07:12:47 UTC |
| fa275f2 | Alexey Dobriyan | 30 April 2024, 10:53:33 UTC | virtio-net: drop too short packets early Reproducer from https://gitlab.com/qemu-project/qemu/-/issues/1451 creates small packet (1 segment, len = 10 == n->guest_hdr_len), then destroys queue. "if (n->host_hdr_len != n->guest_hdr_len)" is triggered, if body creates zero length/zero segment packet as there is nothing after guest header. qemu_sendv_packet_async() tries to send it. slirp discards it because it is smaller than Ethernet header, but returns 0 because tx hooks are supposed to return total length of data. 0 is propagated upwards and is interpreted as "packet has been sent" which is terrible because queue is being destroyed, nobody is waiting for TX to complete and assert it triggered. Fix is discard such empty packets instead of sending them. Length 1 packets will go via different codepath: virtqueue_push(q->tx_vq, elem, 0); virtio_notify(vdev, q->tx_vq); g_free(elem); and aren't problematic. Signed-off-by: Alexey Dobriyan <adobriyan@yandex-team.ru> Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit 2c3e4e2de699cd4d9f6c71f30a22d8f125cd6164) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 11 June 2024, 07:09:45 UTC |
| 3e09472 | Mark Cave-Ayland | 06 June 2024, 09:53:19 UTC | target/i386: fix size of EBP writeback in gen_enter() The calculation of FrameTemp is done using the size indicated by mo_pushpop() before being written back to EBP, but the final writeback to EBP is done using the size indicated by mo_stacksize(). In the case where mo_pushpop() is MO_32 and mo_stacksize() is MO_16 then the final writeback to EBP is done using MO_16 which can leave junk in the top 16-bits of EBP after executing ENTER. Change the writeback of EBP to use the same size indicated by mo_pushpop() to ensure that the full value is written back. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2198 Message-ID: <20240606095319.229650-5-mark.cave-ayland@ilande.co.uk> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 3973615e7fbaeef1deeaa067577e373781ced70a) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 11 June 2024, 07:02:19 UTC |
| 909772f | Michael Tokarev | 08 June 2024, 21:24:07 UTC | Update version for 8.2.5 release Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 08 June 2024, 21:24:07 UTC |
| 6feae1d | lanyanzhi | 04 June 2024, 07:38:31 UTC | target/loongarch: fix a wrong print in cpu dump description: loongarch_cpu_dump_state() want to dump all loongarch cpu state registers, but there is a tiny typographical error when printing "PRCFG2". Cc: qemu-stable@nongnu.org Signed-off-by: lanyanzhi <lanyanzhi22b@ict.ac.cn> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Song Gao <gaosong@loongson.cn> Message-Id: <20240604073831.666690-1-lanyanzhi22b@ict.ac.cn> Signed-off-by: Song Gao <gaosong@loongson.cn> (cherry picked from commit 78f932ea1f7b3b9b0ac628dc2a91281318fe51fa) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 07 June 2024, 05:10:45 UTC |
| af008b3 | Bernhard Beschow | 12 May 2024, 09:59:45 UTC | ui/sdl2: Allow host to power down screen By default, SDL disables the screen saver which prevents the host from powering down the screen even if the screen is locked. This results in draining the battery needlessly when the host isn't connected to a wall charger. Fix that by enabling the screen saver. Signed-off-by: Bernhard Beschow <shentey@gmail.com> Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-ID: <20240512095945.1879-1-shentey@gmail.com> (cherry picked from commit 2e701e6785cd8cc048c608751c6e4f6253c67ab6) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 06 June 2024, 11:20:10 UTC |
| 276ec92 | Xinyu Li | 02 June 2024, 10:09:04 UTC | target/i386: fix SSE and SSE2 feature check Features check of CPUID_SSE and CPUID_SSE2 should use cpuid_features, rather than cpuid_ext_features. Signed-off-by: Xinyu Li <lixinyu20s@ict.ac.cn> Reviewed-by: Zhao Liu <zhao1.liu@intel.com> Message-ID: <20240602100904.2137939-1-lixinyu20s@ict.ac.cn> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit da7c95920d027dbb00c6879c1da0216b19509191) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 06 June 2024, 11:17:00 UTC |
| d84afeb | Paolo Bonzini | 03 June 2024, 10:01:12 UTC | target/i386: fix xsave.flat from kvm-unit-tests xsave.flat checks that "executing the XSETBV instruction causes a general- protection fault (#GP) if ECX = 0 and EAX[2:1] has the value 10b". QEMU allows that option, so the test fails. Add the condition. Cc: qemu-stable@nongnu.org Fixes: 892544317fe ("target/i386: implement XSAVE and XRSTOR of AVX registers", 2022-10-18) Reported-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 7604bbc2d87d153e65e38cf2d671a5a9a35917b1) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 06 June 2024, 11:14:19 UTC |
| 2891807 | Alistair Francis | 14 May 2024, 05:16:15 UTC | disas/riscv: Decode all of the pmpcfg and pmpaddr CSRs Previously we only listed a single pmpcfg CSR and the first 16 pmpaddr CSRs. This patch fixes this to list all 16 pmpcfg and all 64 pmpaddr CSRs are part of the disassembly. Reported-by: Eric DeVolder <eric_devolder@yahoo.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Fixes: ea10325917 ("RISC-V Disassembler") Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Cc: qemu-stable <qemu-stable@nongnu.org> Message-ID: <20240514051615.330979-1-alistair.francis@wdc.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit 915758c537b5fe09575291f4acd87e2d377a93de) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 June 2024, 10:07:40 UTC |
| ae5edeb | Yong-Xuan Wang | 15 May 2024, 09:11:28 UTC | target/riscv/kvm.c: Fix the hart bit setting of AIA In AIA spec, each hart (or each hart within a group) has a unique hart number to locate the memory pages of interrupt files in the address space. The number of bits required to represent any hart number is equal to ceil(log2(hmax + 1)), where hmax is the largest hart number among groups. However, if the largest hart number among groups is a power of 2, QEMU will pass an inaccurate hart-index-bit setting to Linux. For example, when the guest OS has 4 harts, only ceil(log2(3 + 1)) = 2 bits are sufficient to represent 4 harts, but we passes 3 to Linux. The code needs to be updated to ensure accurate hart-index-bit settings. Additionally, a Linux patch[1] is necessary to correctly recover the hart index when the guest OS has only 1 hart, where the hart-index-bit is 0. [1] https://lore.kernel.org/lkml/20240415064905.25184-1-yongxuan.wang@sifive.com/t/ Signed-off-by: Yong-Xuan Wang <yongxuan.wang@sifive.com> Reviewed-by: Andrew Jones <ajones@ventanamicro.com> Cc: qemu-stable <qemu-stable@nongnu.org> Message-ID: <20240515091129.28116-1-yongxuan.wang@sifive.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit 190b867f28cb5781f3cd01a3deb371e4211595b1) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 June 2024, 10:06:26 UTC |
| 935be46 | Alistair Francis | 14 May 2024, 02:39:10 UTC | target/riscv: rvzicbo: Fixup CBO extension register calculation When running the instruction ``` cbo.flush 0(x0) ``` QEMU would segfault. The issue was in cpu_gpr[a->rs1] as QEMU does not have cpu_gpr[0] allocated. In order to fix this let's use the existing get_address() helper. This also has the benefit of performing pointer mask calculations on the address specified in rs1. The pointer masking specificiation specifically states: """ Cache Management Operations: All instructions in Zicbom, Zicbop and Zicboz """ So this is the correct behaviour and we previously have been incorrectly not masking the address. Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Reported-by: Fabian Thomas <fabian.thomas@cispa.de> Fixes: e05da09b7cfd ("target/riscv: implement Zicbom extension") Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: qemu-stable <qemu-stable@nongnu.org> Message-ID: <20240514023910.301766-1-alistair.francis@wdc.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit c5eb8d6336741dbcb98efcc347f8265bf60bc9d1) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 June 2024, 10:06:15 UTC |
| 37d6c6e | Alexei Filippov | 03 May 2024, 10:30:52 UTC | target/riscv: do not set mtval2 for non guest-page faults Previous patch fixed the PMP priority in raise_mmu_exception() but we're still setting mtval2 incorrectly. In riscv_cpu_tlb_fill(), after pmp check in 2 stage translation part, mtval2 will be set in case of successes 2 stage translation but failed pmp check. In this case we gonna set mtval2 via env->guest_phys_fault_addr in context of riscv_cpu_tlb_fill(), as this was a guest-page-fault, but it didn't and mtval2 should be zero, according to RISCV privileged spec sect. 9.4.4: When a guest page-fault is taken into M-mode, mtval2 is written with either zero or guest physical address that faulted, shifted by 2 bits. *For other traps, mtval2 is set to zero...* Signed-off-by: Alexei Filippov <alexei.filippov@syntacore.com> Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-ID: <20240503103052.6819-1-alexei.filippov@syntacore.com> Cc: qemu-stable <qemu-stable@nongnu.org> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit 6c9a344247132ac6c3d0eb9670db45149a29c88f) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 June 2024, 10:05:48 UTC |
| 6da92af | Daniel Henrique Barboza | 13 April 2024, 10:59:28 UTC | target/riscv: prioritize pmp errors in raise_mmu_exception() raise_mmu_exception(), as is today, is prioritizing guest page faults by checking first if virt_enabled && !first_stage, and then considering the regular inst/load/store faults. There's no mention in the spec about guest page fault being a higher priority that PMP faults. In fact, privileged spec section 3.7.1 says: "Attempting to fetch an instruction from a PMP region that does not have execute permissions raises an instruction access-fault exception. Attempting to execute a load or load-reserved instruction which accesses a physical address within a PMP region without read permissions raises a load access-fault exception. Attempting to execute a store, store-conditional, or AMO instruction which accesses a physical address within a PMP region without write permissions raises a store access-fault exception." So, in fact, we're doing it wrong - PMP faults should always be thrown, regardless of also being a first or second stage fault. The way riscv_cpu_tlb_fill() and get_physical_address() work is adequate: a TRANSLATE_PMP_FAIL error is immediately reported and reflected in the 'pmp_violation' flag. What we need is to change raise_mmu_exception() to prioritize it. Reported-by: Joseph Chan <jchan@ventanamicro.com> Fixes: 82d53adfbb ("target/riscv/cpu_helper.c: Invalid exception on MMU translation stage") Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-ID: <20240413105929.7030-1-alexei.filippov@syntacore.com> Cc: qemu-stable <qemu-stable@nongnu.org> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit 68e7c86927afa240fa450578cb3a4f18926153e4) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 June 2024, 10:05:38 UTC |
| 0f95784 | Max Chou | 22 March 2024, 09:25:58 UTC | target/riscv: rvv: Remove redudant SEW checking for vector fp narrow/widen instructions If the checking functions check both the single and double width operators at the same time, then the single width operator checking functions (require_rvf[min]) will check whether the SEW is 8. Signed-off-by: Max Chou <max.chou@sifive.com> Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Cc: qemu-stable <qemu-stable@nongnu.org> Message-ID: <20240322092600.1198921-5-max.chou@sifive.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit 93cb52b7a3ccc64e8d28813324818edae07e21d5) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 June 2024, 10:05:10 UTC |
| c4173e4 | Max Chou | 22 March 2024, 09:25:57 UTC | target/riscv: rvv: Check single width operator for vfncvt.rod.f.f.w The opfv_narrow_check needs to check the single width float operator by require_rvf. Signed-off-by: Max Chou <max.chou@sifive.com> Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Cc: qemu-stable <qemu-stable@nongnu.org> Message-ID: <20240322092600.1198921-4-max.chou@sifive.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit 692f33a3abcaae789b08623e7cbdffcd2c738c89) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 June 2024, 10:05:02 UTC |
| d813f35 | Max Chou | 22 March 2024, 09:25:56 UTC | target/riscv: rvv: Check single width operator for vector fp widen instructions The require_scale_rvf function only checks the double width operator for the vector floating point widen instructions, so most of the widen checking functions need to add require_rvf for single width operator. The vfwcvt.f.x.v and vfwcvt.f.xu.v instructions convert single width integer to double width float, so the opfxv_widen_check function doesn’t need require_rvf for the single width operator(integer). Signed-off-by: Max Chou <max.chou@sifive.com> Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Cc: qemu-stable <qemu-stable@nongnu.org> Message-ID: <20240322092600.1198921-3-max.chou@sifive.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit 7a999d4dd704aa71fe6416871ada69438b56b1e5) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 June 2024, 10:04:55 UTC |
| 749907f | Max Chou | 22 March 2024, 09:25:55 UTC | target/riscv: rvv: Fix Zvfhmin checking for vfwcvt.f.f.v and vfncvt.f.f.w instructions According v spec 18.4, only the vfwcvt.f.f.v and vfncvt.f.f.w instructions will be affected by Zvfhmin extension. And the vfwcvt.f.f.v and vfncvt.f.f.w instructions only support the conversions of * From 1*SEW(16/32) to 2*SEW(32/64) * From 2*SEW(32/64) to 1*SEW(16/32) Signed-off-by: Max Chou <max.chou@sifive.com> Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Cc: qemu-stable <qemu-stable@nongnu.org> Message-ID: <20240322092600.1198921-2-max.chou@sifive.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit 17b713c0806e72cd8edc6c2ddd8acc5be0475df6) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 June 2024, 10:04:38 UTC |
| 4cba687 | Yangyu Chen | 11 May 2024, 11:26:48 UTC | target/riscv/cpu.c: fix Zvkb extension config This code has a typo that writes zvkb to zvkg, causing users can't enable zvkb through the config. This patch gets this fixed. Signed-off-by: Yangyu Chen <cyy@cyyself.name> Fixes: ea61ef7097d0 ("target/riscv: Move vector crypto extensions to riscv_cpu_extensions") Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Max Chou <max.chou@sifive.com> Reviewed-by: Weiwei Li <liwei1518@gmail.com> Message-ID: <tencent_7E34EEF0F90B9A68BF38BEE09EC6D4877C0A@qq.com> Cc: qemu-stable <qemu-stable@nongnu.org> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit ff33b7a9699e977a050a1014c617a89da1bf8295) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 June 2024, 10:04:18 UTC |
| ec182b1 | Huang Tao | 25 March 2024, 02:16:54 UTC | target/riscv: Fix the element agnostic function problem In RVV and vcrypto instructions, the masked and tail elements are set to 1s using vext_set_elems_1s function if the vma/vta bit is set. It is the element agnostic policy. However, this function can't deal the big endian situation. This patch fixes the problem by adding handling of such case. Signed-off-by: Huang Tao <eric.huang@linux.alibaba.com> Suggested-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com> Cc: qemu-stable <qemu-stable@nongnu.org> Message-ID: <20240325021654.6594-1-eric.huang@linux.alibaba.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit 75115d880c6d396f8a2d56aab8c12236d85a90e0) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 June 2024, 10:03:41 UTC |
| cf7143f | Daniel Henrique Barboza | 22 April 2024, 17:14:25 UTC | target/riscv/kvm: tolerate KVM disable ext errors Running a KVM guest using a 6.9-rc3 kernel, in a 6.8 host that has zkr enabled, will fail with a kernel oops SIGILL right at the start. The reason is that we can't expose zkr without implementing the SEED CSR. Disabling zkr in the guest would be a workaround, but if the KVM doesn't allow it we'll error out and never boot. In hindsight this is too strict. If we keep proceeding, despite not disabling the extension in the KVM vcpu, we'll not add the extension in the riscv,isa. The guest kernel will be unaware of the extension, i.e. it doesn't matter if the KVM vcpu has it enabled underneath or not. So it's ok to keep booting in this case. Change our current logic to not error out if we fail to disable an extension in kvm_set_one_reg(), but show a warning and keep booting. It is important to throw a warning because we must make the user aware that the extension is still available in the vcpu, meaning that an ill-behaved guest can ignore the riscv,isa settings and use the extension. The case we're handling happens with an EINVAL error code. If we fail to disable the extension in KVM for any other reason, error out. We'll also keep erroring out when we fail to enable an extension in KVM, since adding the extension in riscv,isa at this point will cause a guest malfunction because the extension isn't enabled in the vcpu. Suggested-by: Andrew Jones <ajones@ventanamicro.com> Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Reviewed-by: Andrew Jones <ajones@ventanamicro.com> Cc: qemu-stable <qemu-stable@nongnu.org> Message-ID: <20240422171425.333037-2-dbarboza@ventanamicro.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit 1215d45b2aa97512a2867e401aa59f3d0c23cb23) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 June 2024, 10:02:52 UTC |
| cd1228a | yang.zhang | 09 April 2024, 01:44:45 UTC | hw/intc/riscv_aplic: APLICs should add child earlier than realize Since only root APLICs can have hw IRQ lines, aplic->parent should be initialized first. Fixes: e8f79343cf ("hw/intc: Add RISC-V AIA APLIC device emulation") Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Signed-off-by: yang.zhang <yang.zhang@hexintek.com> Cc: qemu-stable <qemu-stable@nongnu.org> Message-ID: <20240409014445.278-1-gaoshanliukou@163.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit c76b121840c6ca79dc6305a5f4bcf17c72217d9c) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 June 2024, 10:00:16 UTC |
| b9b2f3b | Eric Blake | 18 May 2024, 02:50:15 UTC | iotests: test NBD+TLS+iothread Prevent regressions when using NBD with TLS in the presence of iothreads, adding coverage the fix to qio channels made in the previous patch. The shell function pick_unused_port() was copied from nbdkit.git/tests/functions.sh.in, where it had all authors from Red Hat, agreeing to the resulting relicensing from 2-clause BSD to GPLv2. CC: qemu-stable@nongnu.org CC: "Richard W.M. Jones" <rjones@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com> Message-ID: <20240531180639.1392905-6-eblake@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit a73c99378022ebb785481e84cfe1e81097546268) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 June 2024, 09:59:47 UTC |
| 9a6143a | Eric Blake | 18 May 2024, 02:50:14 UTC | qio: Inherit follow_coroutine_ctx across TLS Since qemu 8.2, the combination of NBD + TLS + iothread crashes on an assertion failure: qemu-kvm: ../io/channel.c:534: void qio_channel_restart_read(void *): Assertion `qemu_get_current_aio_context() == qemu_coroutine_get_aio_context(co)' failed. It turns out that when we removed AioContext locking, we did so by having NBD tell its qio channels that it wanted to opt in to qio_channel_set_follow_coroutine_ctx(); but while we opted in on the main channel, we did not opt in on the TLS wrapper channel. qemu-iotests has coverage of NBD+iothread and NBD+TLS, but apparently no coverage of NBD+TLS+iothread, or we would have noticed this regression sooner. (I'll add that in the next patch) But while we could manually opt in to the TLS channel in nbd/server.c (a one-line change), it is more generic if all qio channels that wrap other channels inherit the follow status, in the same way that they inherit feature bits. CC: Stefan Hajnoczi <stefanha@redhat.com> CC: Daniel P. Berrangé <berrange@redhat.com> CC: qemu-stable@nongnu.org Fixes: https://issues.redhat.com/browse/RHEL-34786 Fixes: 06e0f098 ("io: follow coroutine AioContext in qio_channel_yield()", v8.2.0) Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Message-ID: <20240518025246.791593-5-eblake@redhat.com> (cherry picked from commit 199e84de1c903ba5aa1f7256310bbc4a20dd930b) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 June 2024, 09:58:16 UTC |
| 71c7036 | Marcin Juszkiewicz | 26 May 2024, 20:45:51 UTC | target/arm: Disable SVE extensions when SVE is disabled Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2304 Reported-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org> Message-id: 20240526204551.553282-1-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit daf9748ac002ec35258e5986b6257961fd04b565) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 01 June 2024, 04:20:15 UTC |
| 3f47098 | Andrey Shumilin | 23 May 2024, 15:06:20 UTC | hw/intc/arm_gic: Fix handling of NS view of GICC_APR<n> In gic_cpu_read() and gic_cpu_write(), we delegate the handling of reading and writing the Non-Secure view of the GICC_APR<n> registers to functions gic_apr_ns_view() and gic_apr_write_ns_view(). Unfortunately we got the order of the arguments wrong, swapping the CPU number and the register number (which the compiler doesn't catch because they're both integers). Most guests probably didn't notice this bug because directly accessing the APR registers is typically something only done by firmware when it is doing state save for going into a sleep mode. Correct the mismatched call arguments. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: qemu-stable@nongnu.org Fixes: 51fd06e0ee ("hw/intc/arm_gic: Fix handling of GICC_APR<n>, GICC_NSAPR<n> registers") Signed-off-by: Andrey Shumilin <shum.sdl@nppct.ru> [PMM: Rewrote commit message] Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Alex Bennée<alex.bennee@linaro.org> (cherry picked from commit daafa78b297291fea36fb4daeed526705fa7c035) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 30 May 2024, 14:13:29 UTC |
| 0970313 | Zenghui Yu | 23 May 2024, 15:06:19 UTC | hvf: arm: Fix encodings for ID_AA64PFR1_EL1 and debug System registers We wrongly encoded ID_AA64PFR1_EL1 using {3,0,0,4,2} in hvf_sreg_match[] so we fail to get the expected ARMCPRegInfo from cp_regs hash table with the wrong key. Fix it with the correct encoding {3,0,0,4,1}. With that fixed, the Linux guest can properly detect FEAT_SSBS2 on my M1 HW. All DBG{B,W}{V,C}R_EL1 registers are also wrongly encoded with op0 == 14. It happens to work because HVF_SYSREG(CRn, CRm, 14, op1, op2) equals to HVF_SYSREG(CRn, CRm, 2, op1, op2), by definition. But we shouldn't rely on it. Cc: qemu-stable@nongnu.org Fixes: a1477da3ddeb ("hvf: Add Apple Silicon support") Signed-off-by: Zenghui Yu <zenghui.yu@linux.dev> Reviewed-by: Alexander Graf <agraf@csgraf.de> Message-id: 20240503153453.54389-1-zenghui.yu@linux.dev Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 19ed42e8adc87a3c739f61608b66a046bb9237e2) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 30 May 2024, 14:11:56 UTC |
| 8965709 | Daniel P. Berrangé | 13 May 2024, 11:15:51 UTC | gitlab: use 'setarch -R' to workaround tsan bug The TSAN job started failing when gitlab rolled out their latest release. The root cause is a change in the Google COS version used on shared runners. This brings a kernel running with vm.mmap_rnd_bits = 31 which is incompatible with TSAN in LLVM < 18, which only supports upto '28'. LLVM 18 can support upto '30', and failing that will re-exec itself to turn off VA randomization. Our LLVM is too old for now, but we can run with 'setarch -R make ..' to turn off VA randomization ourselves. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-ID: <20240513111551.488088-4-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit b563959b906db53fb4bcaef1351f11a51c4b9582) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 19:05:10 UTC |
| 3b36dd0 | Daniel P. Berrangé | 13 May 2024, 11:15:50 UTC | gitlab: use $MAKE instead of 'make' The lcitool generated containers have '$MAKE' set to the path of the right 'make' binary. Using the env variable makes it possible to override the choice per job. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-ID: <20240513111551.488088-3-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit c53f7a107879a2b7e719b07692a05289bf603fde) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 19:05:10 UTC |
| fc88204 | Daniel P. Berrangé | 13 May 2024, 11:15:49 UTC | dockerfiles: add 'MAKE' env variable to remaining containers All the lcitool generated containers define a "MAKE" env. It will be convenient for later patches if all containers do this. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-ID: <20240513111551.488088-2-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit bad7a2759c69417a5558f0f19d4ede58c08705e8) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 19:05:10 UTC |
| ca07996 | Richard Henderson | 07 May 2024, 17:53:56 UTC | gitlab: Update msys2-64bit runner tags Gitlab has deprecated and removed support for windows-1809 and shared-windows. Update to saas-windows-medium-amd64 per https://about.gitlab.com/blog/2024/01/22/windows-2022-support-for-gitlab-saas-runners/ Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Thomas Huth <thuth@redhat.com> Tested-by: Thomas Huth <thuth@redhat.com> Message-Id: <20240507175356.281618-1-richard.henderson@linaro.org> (cherry picked from commit 36fa7c686e9eac490002ffc439c4affaa352c17c) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 11:27:37 UTC |
| 52031d6 | Paolo Bonzini | 25 May 2024, 08:03:22 UTC | target/i386: no single-step exception after MOV or POP SS Intel SDM 18.3.1.4 "If an occurrence of the MOV or POP instruction loads the SS register executes with EFLAGS.TF = 1, no single-step debug exception occurs following the MOV or POP instruction." Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit f0f0136abba688a6516647a79cc91e03fad6d5d7) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 11:27:37 UTC |
| c6171d5 | Paolo Bonzini | 24 May 2024, 15:17:47 UTC | target/i386: disable jmp_opt if EFLAGS.RF is 1 If EFLAGS.RF is 1, special processing in gen_eob_worker() is needed and therefore goto_tb cannot be used. Suggested-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 8225bff7c5db504f50e54ef66b079854635dba70) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 11:27:37 UTC |
| 93fa768 | Jiaxun Yang | 20 May 2024, 21:06:31 UTC | hw/loongarch/virt: Fix FDT memory node address width Higher bits for memory nodes were omitted at qemu_fdt_setprop_cells. Cc: qemu-stable@nongnu.org Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com> Reviewed-by: Song Gao <gaosong@loongson.cn> Message-Id: <20240520-loongarch-fdt-memnode-v1-1-5ea9be93911e@flygoat.com> Signed-off-by: Song Gao <gaosong@loongson.cn> (cherry picked from commit 6204af704a071ea68d3af55c0502b112a7af9546) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 04:49:58 UTC |
| d679c82 | Song Gao | 26 April 2024, 09:15:43 UTC | hw/loongarch: Fix fdt memory node wrong 'reg' The right fdt memory node like [1], not [2] [1] memory@0 { device_type = "memory"; reg = <0x00 0x00 0x00 0x10000000>; }; [2] memory@0 { device_type = "memory"; reg = <0x02 0x00 0x02 0x10000000>; }; Reviewed-by: Bibo Mao <maobibo@loongson.cn> Signed-off-by: Song Gao <gaosong@loongson.cn> Message-Id: <20240426091551.2397867-10-gaosong@loongson.cn> (cherry picked from commit b11f9814526b833b3a052be2559457b1affad7f5) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 04:49:58 UTC |
| e3a2aa9 | Fiona Ebner | 17 May 2024, 07:53:36 UTC | hw/core/machine: move compatibility flags for VirtIO-net USO to machine 8.1 Migration from an 8.2 or 9.0 binary to an 8.1 binary with machine version 8.1 can fail with: > kvm: Features 0x1c0010130afffa7 unsupported. Allowed features: 0x10179bfffe7 > kvm: Failed to load virtio-net:virtio > kvm: error while loading state for instance 0x0 of device '0000:00:12.0/virtio-net' > kvm: load of migration failed: Operation not permitted The series 53da8b5a99 virtio-net: Add support for USO features 9da1684954 virtio-net: Add USO flags to vhost support. f03e0cf63b tap: Add check for USO features 2ab0ec3121 tap: Add USO support to tap device. only landed in QEMU 8.2, so the compatibility flags should be part of machine version 8.1. Moving the flags unfortunately breaks forward migration with machine version 8.1 from a binary without this patch to a binary with this patch. Fixes: 53da8b5a99 ("virtio-net: Add support for USO features") Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> Reviewed-by: Fabiano Rosas <farosas@suse.de> Acked-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Peter Xu <peterx@redhat.com> Signed-off-by: Fabiano Rosas <farosas@suse.de> (cherry picked from commit 9710401276a0eb2fc6d467d9abea1f5e3fe2c362) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 04:32:40 UTC |
| 9b98ab7 | donsheng | 21 May 2024, 20:01:14 UTC | target-i386: hyper-v: Correct kvm_hv_handle_exit return value This bug fix addresses the incorrect return value of kvm_hv_handle_exit for KVM_EXIT_HYPERV_SYNIC, which should be EXCP_INTERRUPT. Handling of KVM_EXIT_HYPERV_SYNIC in QEMU needs to be synchronous. This means that async_synic_update should run in the current QEMU vCPU thread before returning to KVM, returning EXCP_INTERRUPT to guarantee this. Returning 0 can cause async_synic_update to run asynchronously. One problem (kvm-unit-tests's hyperv_synic test fails with timeout error) caused by this bug: When a guest VM writes to the HV_X64_MSR_SCONTROL MSR to enable Hyper-V SynIC, a VM exit is triggered and processed by the kvm_hv_handle_exit function of the QEMU vCPU. This function then calls the async_synic_update function to set synic->sctl_enabled to true. A true value of synic->sctl_enabled is required before creating SINT routes using the hyperv_sint_route_new() function. If kvm_hv_handle_exit returns 0 for KVM_EXIT_HYPERV_SYNIC, the current QEMU vCPU thread may return to KVM and enter the guest VM before running async_synic_update. In such case, the hyperv_synic test’s subsequent call to synic_ctl(HV_TEST_DEV_SINT_ROUTE_CREATE, ...) immediately after writing to HV_X64_MSR_SCONTROL can cause QEMU’s hyperv_sint_route_new() function to return prematurely (because synic->sctl_enabled is false). If the SINT route is not created successfully, the SINT interrupt will not be fired, resulting in a timeout error in the hyperv_synic test. Fixes: 267e071bd6d6 (“hyperv: make overlay pages for SynIC”) Suggested-by: Chao Gao <chao.gao@intel.com> Signed-off-by: Dongsheng Zhang <dongsheng.x.zhang@intel.com> Message-ID: <20240521200114.11588-1-dongsheng.x.zhang@intel.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 84d4b72854869821eb89813c195927fdd3078c12) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 04:32:40 UTC |
| 90e023f | Richard Henderson | 10 May 2024, 09:03:41 UTC | tcg/loongarch64: Fill out tcg_out_{ld,st} for vector regs TCG register spill/fill uses tcg_out_ld/st with all types, not necessarily going through INDEX_op_{ld,st}_vec. Cc: qemu-stable@nongnu.org Fixes: 16288ded944 ("tcg/loongarch64: Lower basic tcg vec ops to LSX") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2336 Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Song Gao <gaosong@loongson.cn> Tested-by: Song Gao <gaosong@loongson.cn> (cherry picked from commit c9290dfebfdba5c13baa5e1f10e13a1c876b0643) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 04:32:40 UTC |
| 355527b | Dongwon Kim | 08 May 2024, 17:53:58 UTC | ui/gtk: Check if fence_fd is equal to or greater than 0 'fence_fd' needs to be validated always before being referenced And the passing condition should include '== 0' as 0 is a valid value for the file descriptor. Suggested-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Cc: Philippe Mathieu-Daudé <philmd@linaro.org> Cc: Daniel P. Berrangé <berrange@redhat.com> Cc: Vivek Kasireddy <vivek.kasireddy@intel.com> Signed-off-by: Dongwon Kim <dongwon.kim@intel.com> Message-Id: <20240508175403.3399895-2-dongwon.kim@intel.com> (cherry picked from commit e4e62514e3cc2fc9dbae44af8b80f61c730beab4) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 04:32:40 UTC |
| f44d239 | hikalium | 12 May 2024, 11:14:35 UTC | ui/gtk: Fix mouse/motion event scaling issue with GTK display backend Remove gtk_widget_get_scale_factor() usage from the calculation of the motion events in the GTK backend to make it work correctly on environments that have `gtk_widget_get_scale_factor() != 1`. This scale factor usage had been introduced in the commit f14aab420c and at that time the window size was used for calculating the things and it was working correctly. However, in the commit 2f31663ed4 the logic switched to use the widget size instead of window size and because of the change the usage of scale factor becomes invalid (since widgets use `vc->gfx.scale_{x, y}` for scaling). Tested on Crostini on ChromeOS (15823.51.0) with an external display. Fixes: 2f31663ed4 ("ui/gtk: use widget size for cursor motion event") Fixes: f14aab420c ("ui: fix incorrect pointer position on highdpi with gtk") Signed-off-by: hikalium <hikalium@hikalium.com> Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20240512111435.30121-3-hikalium@hikalium.com> (cherry picked from commit 37e91415018db3656b46cdea8f9e4d47b3ff130d) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 04:32:40 UTC |
| 05bfa96 | Thomas Huth | 13 May 2024, 11:40:10 UTC | configure: Fix error message when C compiler is not working If you try to run the configure script on a system without a working C compiler, you get a very misleading error message: ERROR: Unrecognized host OS (uname -s reports 'Linux') Some people already opened bug tickets because of this problem: https://gitlab.com/qemu-project/qemu/-/issues/2057 https://gitlab.com/qemu-project/qemu/-/issues/2288 We should rather tell the user that we were not able to use the C compiler instead, otherwise they will have a hard time to figure out what was going wrong. While we're at it, let's also suppress the "unrecognized host CPU" message in this case since it is rather misleading than helpful. Fixes: 264b803721 ("configure: remove compiler sanity check") Message-ID: <20240513114010.51608-1-thuth@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit 371d60dfdb47dd18d163a7759968ba138089371e) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 04:32:40 UTC |
| 19a931f | Paolo Bonzini | 07 May 2024, 10:48:22 UTC | configure: quote -D options that are passed through to meson Ensure that they go through unmodified, instead of removing one layer of quoting. -D is a pretty specialized option and most options that can have spaces do not need it (for example, c_args is covered by --extra-cflags). Therefore it's unlikely that this causes actual trouble. However, a somewhat realistic failure case would be with -Dpkg_config_path and a pkg-config directory that contains spaces. Cc: qemu-stable@nongnu.org Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 23b1f53c2c8990ed745acede171e49645af3d6d0) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 04:32:40 UTC |
| 2b95625 | Paolo Bonzini | 08 May 2024, 09:10:54 UTC | target/i386: fix feature dependency for WAITPKG The VMX feature bit depends on general availability of WAITPKG, not the other way round. Fixes: 33cc88261c3 ("target/i386: add support for VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE", 2023-08-28) Cc: qemu-stable@nongnu.org Reviewed-by: Zhao Liu <zhao1.liu@intel.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit fe01af5d47d4cf7fdf90c54d43f784e5068c8d72) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 04:32:40 UTC |
| 1cc3cb9 | Paolo Bonzini | 09 May 2024, 13:55:47 UTC | target/i386: rdpkru/wrpkru are no-prefix instructions Reject 0x66/0xf3/0xf2 in front of them. Cc: qemu-stable@nongnu.org Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 40a3ec7b5ffde500789d016660a171057d6b467c) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 May 2024, 04:32:40 UTC |
| eb761b4 | Paolo Bonzini | 09 May 2024, 10:38:10 UTC | target/i386: fix operand size for DATA16 REX.W POPCNT According to the manual, 32-bit vs 64-bit is governed by REX.W and REX ignores the 0x66 prefix. This can be confirmed with this program: #include <stdio.h> int main() { int x = 0x12340000; int y; asm("popcntl %1, %0" : "=r" (y) : "r" (x)); printf("%x\n", y); asm("mov $-1, %0; .byte 0x66; popcntl %1, %0" : "+r" (y) : "r" (x)); printf("%x\n", y); asm("mov $-1, %0; .byte 0x66; popcntq %q1, %q0" : "+r" (y) : "r" (x)); printf("%x\n", y); } which prints 5/ffff0000/5 on real hardware and 5/ffff0000/ffff0000 on QEMU. Cc: qemu-stable@nongnu.org Reviewed-by: Zhao Liu <zhao1.liu@intel.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 41c685dc59bb611096f3bb6a663cfa82e4cba97b) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: drop removal of mo_64_32() helper function in target/i386/tcg/translate.c due to missing-in-8.2 v9.0.0-542-gaef4f4affde2 "target/i386: remove now-converted opcodes from old decoder" which removed other user of it) | 27 May 2024, 04:32:26 UTC |
| 7d7b770 | Mattias Nissler | 23 August 2023, 09:29:30 UTC | hw/remote/vfio-user: Fix config space access byte order PCI config space is little-endian, so on a big-endian host we need to perform byte swaps for values as they are passed to and received from the generic PCI config space access machinery. Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Jagannathan Raman <jag.raman@oracle.com> Signed-off-by: Mattias Nissler <mnissler@rivosinc.com> Message-ID: <20240507094210.300566-6-mnissler@rivosinc.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit e6578f1f68a0e90789a841ada532c3e494c9a04c) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 13 May 2024, 06:03:37 UTC |
| 7dbebba | Song Gao | 07 May 2024, 02:22:39 UTC | hw/loongarch/virt: Fix memory leak The char pointer 'ramName' point to a block of memory, but never free it. Use 'g_autofree' to automatically free it. Resolves: Coverity CID 1544773 Fixes: 0cf1478d6 ("hw/loongarch: Add numa support") Signed-off-by: Song Gao <gaosong@loongson.cn> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-ID: <20240507022239.3113987-1-gaosong@loongson.cn> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit 54c52ec719fb8c83bbde54cb87b58688ab27c166) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: context fixup in hw/loongarch/virt.c due to missing-in-8.2 v9.0.0-266-gd771ca1c10 "hw/loongarch: Move boot functions to boot.c") | 13 May 2024, 06:03:37 UTC |
| 819f92e | Richard Henderson | 02 May 2024, 16:55:24 UTC | target/sparc: Fix FMUL8x16 This instruction has f32 as source1, which alters the decoding of the register number, which means we've been passing the wrong data for odd register numbers. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20240502165528.244004-4-richard.henderson@linaro.org> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> (cherry picked from commit 9157dccc7e71f7c94581c38f38acbef9a21bbe9a) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 13 May 2024, 06:03:37 UTC |
| d3da3d0 | Richard Henderson | 02 May 2024, 16:55:23 UTC | target/sparc: Fix FEXPAND This is a 2-operand instruction, not 3-operand. Worse, we took the source from the wrong operand. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20240502165528.244004-3-richard.henderson@linaro.org> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> (cherry picked from commit 7b616f36de0bde126e1ba6b0793ed26fc414a1ff) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 13 May 2024, 06:03:37 UTC |
| 50ed4f8 | Ruihan Li | 15 April 2024, 06:45:21 UTC | target/i386: Give IRQs a chance when resetting HF_INHIBIT_IRQ_MASK When emulated with QEMU, interrupts will never come in the following loop. However, if the NOP instruction is uncommented, interrupts will fire as normal. loop: cli call do_sti jmp loop do_sti: sti # nop ret This behavior is different from that of a real processor. For example, if KVM is enabled, interrupts will always fire regardless of whether the NOP instruction is commented or not. Also, the Intel Software Developer Manual states that after the STI instruction is executed, the interrupt inhibit should end as soon as the next instruction (e.g., the RET instruction if the NOP instruction is commented) is executed. This problem is caused because the previous code may choose not to end the TB even if the HF_INHIBIT_IRQ_MASK has just been reset (e.g., in the case where the STI instruction is immediately followed by the RET instruction), so that IRQs may not have a change to trigger. This commit fixes the problem by always terminating the current TB to give IRQs a chance to trigger when HF_INHIBIT_IRQ_MASK is reset. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn> Message-ID: <20240415064518.4951-4-lrh2000@pku.edu.cn> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 6a5a63f74ba5c5355b7a8468d3d814bfffe928fb) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 13 May 2024, 06:03:37 UTC |
| 1332b8d | Michael Tokarev | 13 May 2024, 05:29:15 UTC | Update version for 8.2.4 release Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 13 May 2024, 05:29:15 UTC |
| 07d4640 | Philippe Mathieu-Daudé | 30 April 2024, 11:10:19 UTC | target/sh4: Fix SUBV opcode The documentation says: SUBV Rm, Rn Rn - Rm -> Rn, underflow -> T The overflow / underflow can be calculated as: T = ((Rn ^ Rm) & (Result ^ Rn)) >> 31 However we were using the incorrect: T = ((Rn ^ Rm) & (Result ^ Rm)) >> 31 Fix by using the Rn register instead of Rm. Add tests provided by Paul Cercueil. Cc: qemu-stable@nongnu.org Fixes: ad8d25a11f ("target-sh4: implement addv and subv using TCG") Reported-by: Paul Cercueil <paul@crapouillou.net> Suggested-by: Paul Cercueil <paul@crapouillou.net> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2318 Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Yoshinori Sato <ysato@users.sourceforge.jp> Message-Id: <20240430163125.77430-3-philmd@linaro.org> (cherry picked from commit e88a856efd1d3c3ffa8e53da4831eff8da290808) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 04 May 2024, 06:37:20 UTC |
| dc5390a | Philippe Mathieu-Daudé | 30 April 2024, 10:41:53 UTC | target/sh4: Fix ADDV opcode The documentation says: ADDV Rm, Rn Rn + Rm -> Rn, overflow -> T But QEMU implementation was: ADDV Rm, Rn Rn + Rm -> Rm, overflow -> T Fix by filling the correct Rm register. Add tests provided by Paul Cercueil. Cc: qemu-stable@nongnu.org Fixes: ad8d25a11f ("target-sh4: implement addv and subv using TCG") Reported-by: Paul Cercueil <paul@crapouillou.net> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2317 Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Yoshinori Sato <ysato@users.sourceforge.jp> Message-Id: <20240430163125.77430-2-philmd@linaro.org> (cherry picked from commit c365e6b0705788866a65e7b8206bd4c5332595cd) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 04 May 2024, 06:37:20 UTC |
| 7b4804c | Philippe Mathieu-Daudé | 22 April 2024, 12:58:12 UTC | hw/arm/npcm7xx: Store derivative OTP fuse key in little endian Use little endian for derivative OTP fuse key. Cc: qemu-stable@nongnu.org Fixes: c752bb079b ("hw/nvram: NPCM7xx OTP device model") Suggested-by: Avi Fishman <Avi.Fishman@nuvoton.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20240422125813.1403-1-philmd@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit eb656a60fd93262b1e519b3162888bf261df7f68) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 02 May 2024, 10:17:18 UTC |
| dfcbb9e | Alexandra Diupina | 28 April 2024, 18:11:31 UTC | hw/dmax/xlnx_dpdma: fix handling of address_extension descriptor fields The DMA descriptor structures for this device have a set of "address extension" fields which extend the 32 bit source addresses with an extra 16 bits to give a 48 bit address: https://docs.amd.com/r/en-US/ug1085-zynq-ultrascale-trm/ADDR_EXT-Field However, we misimplemented this address extension in several ways: * we only extracted 12 bits of the extension fields, not 16 * we didn't shift the extension field up far enough * we accidentally did the shift as 32-bit arithmetic, which meant that we would have an overflow instead of setting bits [47:32] of the resulting 64-bit address Add a type cast and use extract64() instead of extract32() to avoid integer overflow on addition. Fix bit fields extraction according to documentation. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: qemu-stable@nongnu.org Fixes: d3c6369a96 ("introduce xlnx-dpdma") Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru> Message-id: 20240428181131.23801-1-adiupina@astralinux.ru [PMM: adjusted commit message] Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 4b00855f0ee2e2eee8fd2500ffef27c108be6dc3) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 02 May 2024, 10:16:29 UTC |
| d5cf8be | Jeuk Kim | 05 February 2024, 03:20:15 UTC | hw/ufs: Fix buffer overflow bug It fixes the buffer overflow vulnerability in the ufs device. The bug was detected by sanitizers. You can reproduce it by: cat << EOF |\ qemu-system-x86_64 \ -display none -machine accel=qtest -m 512M -M q35 -nodefaults -drive \ file=null-co://,if=none,id=disk0 -device ufs,id=ufs_bus -device \ ufs-lu,drive=disk0,bus=ufs_bus -qtest stdio outl 0xcf8 0x80000810 outl 0xcfc 0xe0000000 outl 0xcf8 0x80000804 outw 0xcfc 0x06 write 0xe0000058 0x1 0xa7 write 0xa 0x1 0x50 EOF Resolves: #2299 Fixes: 329f16624499 ("hw/ufs: Support for Query Transfer Requests") Reported-by: Zheyu Ma <zheyuma97@gmail.com> Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com> (cherry picked from commit f2c8aeb1afefcda92054c448b21fc59cdd99db30) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 02 May 2024, 10:03:01 UTC |
| 5479d91 | Thomas Huth | 29 April 2024, 10:01:13 UTC | .gitlab-ci.d/cirrus.yml: Shorten the runtime of the macOS and FreeBSD jobs Cirrus-CI introduced limitations to the free CI minutes. To avoid that we are consuming them too fast, let's drop the usual targets that are not that important since they are either a subset of another target (like i386 or ppc being a subset of x86_64 or ppc64 respectively), or since there is still a similar target with the opposite endianness (like xtensa/xtensael, microblaze/microblazeel etc.). Message-ID: <20240429100113.53357-1-thuth@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit a88a04906b966ffdcda23a5a456abe10aa8c826e) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 01 May 2024, 08:10:41 UTC |
| 5b5655f | Peter Maydell | 15 April 2024, 15:18:45 UTC | tests/avocado: update sunxi kernel from armbian to 6.6.16 The Linux kernel 5.10.16 binary for sunxi has been removed from apt.armbian.com. This means that the avocado tests for these machines will be skipped (status CANCEL) if the old binary isn't present in the avocado cache. Update to 6.6.16, in the same way we did in commit e384db41d8661 when we moved to 5.10.16 in 2021. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2284 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Strahinja Jankovic <strahinja.p.jankovic@gmail.com> Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com> Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com> Message-id: 20240415151845.1564201-1-peter.maydell@linaro.org (cherry picked from commit dcc5c018c7e6acddf81951bcbdf1019b9ab45f56) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 01 May 2024, 06:01:23 UTC |
| 7e5f593 | Michael Tokarev | 24 April 2024, 20:18:56 UTC | target/loongarch/cpu.c: typo fix: expection Fixes: 1590154ee437 ("target/loongarch: Fix qemu-system-loongarch64 assert failed with the option '-d int'") Fixes: ef9b43bb8e2d (in stable-8.2) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 0cbb322f70e8a87e4acbffecef5ea8f9448f3513) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 30 April 2024, 17:11:36 UTC |
| f6abce2 | Li Zhijian | 22 April 2024, 08:53:12 UTC | backends/cryptodev-builtin: Fix local_error leaks It seems that this error does not need to be propagated to the upper, directly output the error to avoid the leaks Closes: https://gitlab.com/qemu-project/qemu/-/issues/2283 Fixes: 2fda101de07 ("virtio-crypto: Support asynchronous mode") Signed-off-by: Li Zhijian <lizhijian@fujitsu.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: zhenwei pi <pizhenwei@bytedance.com> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (cherry picked from commit 06479dbf3d7d245572c4b3016e5a1d923ff04d66) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 30 April 2024, 17:10:14 UTC |
| 3775106 | Eric Blake | 08 April 2024, 16:00:44 UTC | nbd/server: Mark negotiation functions as coroutine_fn nbd_negotiate() is already marked coroutine_fn. And given the fix in the previous patch to have nbd_negotiate_handle_starttls not create and wait on a g_main_loop (as that would violate coroutine constraints), it is worth marking the rest of the related static functions reachable only during option negotiation as also being coroutine_fn. Suggested-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Signed-off-by: Eric Blake <eblake@redhat.com> Message-ID: <20240408160214.1200629-6-eblake@redhat.com> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> [eblake: drop one spurious coroutine_fn marking] Signed-off-by: Eric Blake <eblake@redhat.com> (cherry picked from commit 4fa333e08dd96395a99ea8dd9e4c73a29dd23344) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 28 April 2024, 12:43:45 UTC |
| cb4c222 | Zhu Yangyang | 08 April 2024, 16:00:43 UTC | nbd/server: do not poll within a coroutine context Coroutines are not supposed to block. Instead, they should yield. The client performs TLS upgrade outside of an AIOContext, during synchronous handshake; this still requires g_main_loop. But the server responds to TLS upgrade inside a coroutine, so a nested g_main_loop is wrong. Since the two callbacks no longer share more than the setting of data.complete and data.error, it's just as easy to use static helpers instead of trying to share a common code path. It is also possible to add assertions that no other code is interfering with the eventual path to qio reaching the callback, whether or not it required a yield or main loop. Fixes: f95910f ("nbd: implement TLS support in the protocol negotiation") Signed-off-by: Zhu Yangyang <zhuyangyang14@huawei.com> [eblake: move callbacks to their use point, add assertions] Signed-off-by: Eric Blake <eblake@redhat.com> Message-ID: <20240408160214.1200629-5-eblake@redhat.com> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> (cherry picked from commit ae6d91a7e9b77abb029ed3fa9fad461422286942) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 28 April 2024, 12:43:45 UTC |
| 6fee9ef | Michael Tokarev | 31 March 2024, 10:07:34 UTC | linux-user: do_setsockopt: fix SOL_ALG.ALG_SET_KEY This setsockopt accepts zero-lengh optlen (current qemu implementation does not allow this). Also, there's no need to make a copy of the key, it is enough to use lock_user() (which accepts zero length already). Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2197 Fixes: f31dddd2fc "linux-user: Add support for setsockopt() option SOL_ALG" Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Message-Id: <20240331100737.2724186-2-mjt@tls.msk.ru> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 04f6fb897a5aeb3e356a7b889869c9962f9c16c7) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 28 April 2024, 12:43:45 UTC |
| 55b88e6 | Li Zhijian | 17 April 2024, 02:56:34 UTC | migration/colo: Fix bdrv_graph_rdlock_main_loop: Assertion `!qemu_in_coroutine()' failed. bdrv_activate_all() should not be called from the coroutine context, move it to the QEMU thread colo_process_incoming_thread() with the bql_lock protected. The backtrace is as follows: #4 0x0000561af7948362 in bdrv_graph_rdlock_main_loop () at ../block/graph-lock.c:260 #5 0x0000561af7907a68 in graph_lockable_auto_lock_mainloop (x=0x7fd29810be7b) at /patch/to/qemu/include/block/graph-lock.h:259 #6 0x0000561af79167d1 in bdrv_activate_all (errp=0x7fd29810bed0) at ../block.c:6906 #7 0x0000561af762b4af in colo_incoming_co () at ../migration/colo.c:935 #8 0x0000561af7607e57 in process_incoming_migration_co (opaque=0x0) at ../migration/migration.c:793 #9 0x0000561af7adbeeb in coroutine_trampoline (i0=-106876144, i1=22042) at ../util/coroutine-ucontext.c:175 #10 0x00007fd2a5cf21c0 in () at /lib64/libc.so.6 Cc: qemu-stable@nongnu.org Cc: Fabiano Rosas <farosas@suse.de> Closes: https://gitlab.com/qemu-project/qemu/-/issues/2277 Fixes: 2b3912f135 ("block: Mark bdrv_first_blk() and bdrv_is_root_node() GRAPH_RDLOCK") Signed-off-by: Li Zhijian <lizhijian@fujitsu.com> Reviewed-by: Zhang Chen <chen.zhang@intel.com> Tested-by: Zhang Chen <chen.zhang@intel.com> Reviewed-by: Fabiano Rosas <farosas@suse.de> Link: https://lore.kernel.org/r/20240417025634.1014582-1-lizhijian@fujitsu.com Signed-off-by: Peter Xu <peterx@redhat.com> (cherry picked from commit 2cc637f1ea08d2a1b19fc5b1a30bc609f948de93) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: fixup bql_lock() => qemu_mutex_lock_iothread() for v8.2.0-444-g195801d700c0 "system/cpus: rename qemu_mutex_lock_iothread() to bql_lock()") | 28 April 2024, 12:42:40 UTC |
| cbae108 | Daniel Henrique Barboza | 08 December 2023, 18:38:33 UTC | target/riscv/kvm: change timer regs size to u64 KVM_REG_RISCV_TIMER regs are always u64 according to the KVM API, but at this moment we'll return u32 regs if we're running a RISCV32 target. Use the kvm_riscv_reg_id_u64() helper in RISCV_TIMER_REG() to fix it. Reported-by: Andrew Jones <ajones@ventanamicro.com> Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Reviewed-by: Andrew Jones <ajones@ventanamicro.com> Message-ID: <20231208183835.2411523-4-dbarboza@ventanamicro.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit 10f86d1b845087d14b58d65dd2a6e3411d1b6529) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 April 2024, 17:03:22 UTC |
| 125b95d | Daniel Henrique Barboza | 08 December 2023, 18:38:32 UTC | target/riscv/kvm: change KVM_REG_RISCV_FP_D to u64 KVM_REG_RISCV_FP_D regs are always u64 size. Using kvm_riscv_reg_id() in RISCV_FP_D_REG() ends up encoding the wrong size if we're running with TARGET_RISCV32. Create a new helper that returns a KVM ID with u64 size and use it with RISCV_FP_D_REG(). Reported-by: Andrew Jones <ajones@ventanamicro.com> Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Reviewed-by: Andrew Jones <ajones@ventanamicro.com> Message-ID: <20231208183835.2411523-3-dbarboza@ventanamicro.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit 450bd6618fda3d2e2ab02b2fce1c79efd5b66084) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 April 2024, 17:03:22 UTC |
| bbdcc89 | Daniel Henrique Barboza | 08 December 2023, 18:38:31 UTC | target/riscv/kvm: change KVM_REG_RISCV_FP_F to u32 KVM_REG_RISCV_FP_F regs have u32 size according to the API, but by using kvm_riscv_reg_id() in RISCV_FP_F_REG() we're returning u64 sizes when running with TARGET_RISCV64. The most likely reason why no one noticed this is because we're not implementing kvm_cpu_synchronize_state() in RISC-V yet. Create a new helper that returns a KVM ID with u32 size and use it in RISCV_FP_F_REG(). Reported-by: Andrew Jones <ajones@ventanamicro.com> Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Reviewed-by: Andrew Jones <ajones@ventanamicro.com> Message-ID: <20231208183835.2411523-2-dbarboza@ventanamicro.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit 49c211ffca00fdf7c0c29072c224e88527a14838) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 April 2024, 17:03:22 UTC |
| 8216663 | Michael Tokarev | 24 April 2024, 03:03:52 UTC | Update version for 8.2.3 release Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 24 April 2024, 03:03:52 UTC |
| 51da750 | Harsh Prateek Bora | 24 January 2024, 00:30:55 UTC | ppc/spapr: Initialize max_cpus limit to SPAPR_IRQ_NR_IPIS. Initialize the machine specific max_cpus limit as per the maximum range of CPU IPIs available. Keeping between 4096 to 8192 will throw IRQ not free error due to XIVE/XICS limitation and keeping beyond 8192 will hit assert in tcg_region_init or spapr_xive_claim_irq. Logs: Without patch fix: [root@host build]# qemu-system-ppc64 -accel tcg -smp 10,maxcpus=4097 qemu-system-ppc64: IRQ 4096 is not free [root@host build]# On LPAR: [root@host build]# qemu-system-ppc64 -accel tcg -smp 10,maxcpus=8193 ** ERROR:../tcg/region.c:774:tcg_region_init: assertion failed: (region_size >= 2 * page_size) Bail out! ERROR:../tcg/region.c:774:tcg_region_init: assertion failed: (region_size >= 2 * page_size) Aborted (core dumped) [root@host build]# On x86: [root@host build]# qemu-system-ppc64 -accel tcg -smp 10,maxcpus=8193 qemu-system-ppc64: ../hw/intc/spapr_xive.c:596: spapr_xive_claim_irq: Assertion `lisn < xive->nr_irqs' failed. Aborted (core dumped) [root@host build]# With patch fix: [root@host build]# qemu-system-ppc64 -accel tcg -smp 10,maxcpus=4097 qemu-system-ppc64: Invalid SMP CPUs 4097. The max CPUs supported by machine 'pseries-8.2' is 4096 [root@host build]# Reported-by: Kowshik Jois <kowsjois@linux.ibm.com> Tested-by: Kowshik Jois <kowsjois@linux.ibm.com> Reviewed-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com> Signed-off-by: Nicholas Piggin <npiggin@gmail.com> (cherry picked from commit c4f91d7b7be76c47015521ab0109c6e998a369b0) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 16 April 2024, 18:15:05 UTC |
| c513ee1 | Harsh Prateek Bora | 24 January 2024, 00:30:55 UTC | ppc/spapr: Introduce SPAPR_IRQ_NR_IPIS to refer IRQ range for CPU IPIs. spapr_irq_init currently uses existing macro SPAPR_XIRQ_BASE to refer to the range of CPU IPIs during initialization of nr-irqs property. It is more appropriate to have its own define which can be further reused as appropriate for correct interpretation. Suggested-by: Cedric Le Goater <clg@kaod.org> Reviewed-by: Cédric Le Goater <clg@kaod.org> Tested-by: Kowshik Jois <kowsjois@linux.ibm.com> Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com> Signed-off-by: Nicholas Piggin <npiggin@gmail.com> (cherry picked from commit 2df5c1f5b014126595a26c6797089d284a3b211c) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 16 April 2024, 18:14:52 UTC |
| 1a78b89 | BALATON Zoltan | 11 April 2024, 19:24:43 UTC | hw/pci-host/ppc440_pcix: Do not expose a bridge device on PCI bus Real 460EX SoC apparently does not expose a bridge device and having it appear on PCI bus confuses an AmigaOS file system driver that uses this to detect which machine it is running on. Cc: qemu-stable@nongnu.org Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-ID: <20240411192443.B4D644E6026@zero.eik.bme.hu> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit 6e4aceba2079e3df42edc89d44f4ee02343bb09e) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 16 April 2024, 14:27:52 UTC |
| dd784cb | BALATON Zoltan | 10 April 2024, 22:25:43 UTC | hw/isa/vt82c686: Keep track of PIRQ/PINT pins separately Move calculation of mask after the switch which sets the function number for PIRQ/PINT pins to make sure the state of these pins are kept track of separately and IRQ is raised if any of them is active. Cc: qemu-stable@nongnu.org Fixes: 7e01bd80c1 hw/isa/vt82c686: Bring back via_isa_set_irq() Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-ID: <20240410222543.0EA534E6005@zero.eik.bme.hu> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit f33274265a242df5d9fdb00915fe72fbb1b2a3c4) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 16 April 2024, 14:27:39 UTC |
| fcbb086 | Cindy Lu | 12 April 2024, 06:26:55 UTC | virtio-pci: fix use of a released vector During the booting process of the non-standard image, the behavior of the called function in qemu is as follows: 1. vhost_net_stop() was triggered by guest image. This will call the function virtio_pci_set_guest_notifiers() with assgin= false, virtio_pci_set_guest_notifiers() will release the irqfd for vector 0 2. virtio_reset() was triggered, this will set configure vector to VIRTIO_NO_VECTOR 3.vhost_net_start() was called (at this time, the configure vector is still VIRTIO_NO_VECTOR) and then call virtio_pci_set_guest_notifiers() with assgin=true, so the irqfd for vector 0 is still not "init" during this process 4. The system continues to boot and sets the vector back to 0. After that msix_fire_vector_notifier() was triggered to unmask the vector 0 and meet the crash To fix the issue, we need to support changing the vector after VIRTIO_CONFIG_S_DRIVER_OK is set. (gdb) bt 0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 1 0x00007fc87148ec53 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 2 0x00007fc87143e956 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 3 0x00007fc8714287f4 in __GI_abort () at abort.c:79 4 0x00007fc87142871b in __assert_fail_base (fmt=0x7fc8715bbde0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5606413efd53 "ret == 0", file=0x5606413ef87d "../accel/kvm/kvm-all.c", line=1837, function=<optimized out>) at assert.c:92 5 0x00007fc871437536 in __GI___assert_fail (assertion=0x5606413efd53 "ret == 0", file=0x5606413ef87d "../accel/kvm/kvm-all.c", line=1837, function=0x5606413f06f0 <__PRETTY_FUNCTION__.19> "kvm_irqchip_commit_routes") at assert.c:101 6 0x0000560640f884b5 in kvm_irqchip_commit_routes (s=0x560642cae1f0) at ../accel/kvm/kvm-all.c:1837 7 0x0000560640c98f8e in virtio_pci_one_vector_unmask (proxy=0x560643c65f00, queue_no=4294967295, vector=0, msg=..., n=0x560643c6e4c8) at ../hw/virtio/virtio-pci.c:1005 8 0x0000560640c99201 in virtio_pci_vector_unmask (dev=0x560643c65f00, vector=0, msg=...) at ../hw/virtio/virtio-pci.c:1070 9 0x0000560640bc402e in msix_fire_vector_notifier (dev=0x560643c65f00, vector=0, is_masked=false) at ../hw/pci/msix.c:120 10 0x0000560640bc40f1 in msix_handle_mask_update (dev=0x560643c65f00, vector=0, was_masked=true) at ../hw/pci/msix.c:140 11 0x0000560640bc4503 in msix_table_mmio_write (opaque=0x560643c65f00, addr=12, val=0, size=4) at ../hw/pci/msix.c:231 12 0x0000560640f26d83 in memory_region_write_accessor (mr=0x560643c66540, addr=12, value=0x7fc86b7bc628, size=4, shift=0, mask=4294967295, attrs=...) at ../system/memory.c:497 13 0x0000560640f270a6 in access_with_adjusted_size (addr=12, value=0x7fc86b7bc628, size=4, access_size_min=1, access_size_max=4, access_fn=0x560640f26c8d <memory_region_write_accessor>, mr=0x560643c66540, attrs=...) at ../system/memory.c:573 14 0x0000560640f2a2b5 in memory_region_dispatch_write (mr=0x560643c66540, addr=12, data=0, op=MO_32, attrs=...) at ../system/memory.c:1521 15 0x0000560640f37bac in flatview_write_continue (fv=0x7fc65805e0b0, addr=4273803276, attrs=..., ptr=0x7fc871e9c028, len=4, addr1=12, l=4, mr=0x560643c66540) at ../system/physmem.c:2714 16 0x0000560640f37d0f in flatview_write (fv=0x7fc65805e0b0, addr=4273803276, attrs=..., buf=0x7fc871e9c028, len=4) at ../system/physmem.c:2756 17 0x0000560640f380bf in address_space_write (as=0x560642161ae0 <address_space_memory>, addr=4273803276, attrs=..., buf=0x7fc871e9c028, len=4) at ../system/physmem.c:2863 18 0x0000560640f3812c in address_space_rw (as=0x560642161ae0 <address_space_memory>, addr=4273803276, attrs=..., buf=0x7fc871e9c028, len=4, is_write=true) at ../system/physmem.c:2873 --Type <RET> for more, q to quit, c to continue without paging-- 19 0x0000560640f8aa55 in kvm_cpu_exec (cpu=0x560642f205e0) at ../accel/kvm/kvm-all.c:2915 20 0x0000560640f8d731 in kvm_vcpu_thread_fn (arg=0x560642f205e0) at ../accel/kvm/kvm-accel-ops.c:51 21 0x00005606411949f4 in qemu_thread_start (args=0x560642f292b0) at ../util/qemu-thread-posix.c:541 22 0x00007fc87148cdcd in start_thread (arg=<optimized out>) at pthread_create.c:442 23 0x00007fc871512630 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81 (gdb) MST: coding style and typo fixups Fixes: f9a09ca3ea ("vhost: add support for configure interrupt") Cc: qemu-stable@nongnu.org Signed-off-by: Cindy Lu <lulu@redhat.com> Message-ID: <2321ade5f601367efe7380c04e3f61379c59b48f.1713173550.git.mst@redhat.com> Cc: Lei Yang <leiyang@redhat.com> Cc: Jason Wang <jasowang@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Tested-by: Cindy Lu <lulu@redhat.com> (cherry picked from commit 2ce6cff94df2650c460f809e5ad263f1d22507c0) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 15 April 2024, 20:44:26 UTC |
| 6e29509 | Richard Henderson | 24 February 2024, 02:29:41 UTC | linux-user/x86_64: Handle the vsyscall page in open_self_maps_{2,4} This is the only case in which we expect to have no host memory backing for a guest memory page, because in general linux user processes cannot map any pages in the top half of the 64-bit address space. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2170 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 4ef1f559f270c66b3ffc23f6c845ff3d008c6356) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 14 April 2024, 15:57:33 UTC |
| e2dfadf | Philippe Mathieu-Daudé | 10 April 2024, 05:32:37 UTC | hw/audio/virtio-snd: Remove unused assignment Coverity reported: >>> CID 1542933: Code maintainability issues (UNUSED_VALUE) >>> CID 1542934: Code maintainability issues (UNUSED_VALUE) >>> Assigning value "NULL" to "stream" here, but that stored value is overwritten before it can be used. Simply remove the unused assignments. Resolves: Coverity CID 1542933 Resolves: Coverity CID 1542934 Fixes: 731655f87f ("virtio-snd: rewrite invalid tx/rx message handling") Fixes: 20cd0c8655 ("virtio-snd: rewrite invalid tx/rx message handling" in stable-8.2) Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Message-Id: <20240410053712.34747-1-philmd@linaro.org> (cherry picked from commit dcb0a1ac03d6b5ba6c7fcbe467f0215738006113) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 10 April 2024, 17:32:12 UTC |
| 1cfe459 | Philippe Mathieu-Daudé | 09 April 2024, 17:54:05 UTC | hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum() If a fragmented packet size is too short, do not try to calculate its checksum. Reproduced using: $ cat << EOF | qemu-system-i386 -display none -nodefaults \ -machine q35,accel=qtest -m 32M \ -device igb,netdev=net0 \ -netdev user,id=net0 \ -qtest stdio outl 0xcf8 0x80000810 outl 0xcfc 0xe0000000 outl 0xcf8 0x80000804 outw 0xcfc 0x06 write 0xe0000403 0x1 0x02 writel 0xe0003808 0xffffffff write 0xe000381a 0x1 0x5b write 0xe000381b 0x1 0x00 EOF Assertion failed: (offset == 0), function iov_from_buf_full, file util/iov.c, line 39. #1 0x5575e81e952a in iov_from_buf_full qemu/util/iov.c:39:5 #2 0x5575e6500768 in net_tx_pkt_update_sctp_checksum qemu/hw/net/net_tx_pkt.c:144:9 #3 0x5575e659f3e1 in igb_setup_tx_offloads qemu/hw/net/igb_core.c:478:11 #4 0x5575e659f3e1 in igb_tx_pkt_send qemu/hw/net/igb_core.c:552:10 #5 0x5575e659f3e1 in igb_process_tx_desc qemu/hw/net/igb_core.c:671:17 #6 0x5575e659f3e1 in igb_start_xmit qemu/hw/net/igb_core.c:903:9 #7 0x5575e659f3e1 in igb_set_tdt qemu/hw/net/igb_core.c:2812:5 #8 0x5575e657d6a4 in igb_core_write qemu/hw/net/igb_core.c:4248:9 Fixes: CVE-2024-3567 Cc: qemu-stable@nongnu.org Reported-by: Zheyu Ma <zheyuma97@gmail.com> Fixes: f199b13bc1 ("igb: Implement Tx SCTP CSO") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2273 Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com> Acked-by: Jason Wang <jasowang@redhat.com> Message-Id: <20240410070459.49112-1-philmd@linaro.org> (cherry picked from commit 83ddb3dbba2ee0f1767442ae6ee665058aeb1093) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 10 April 2024, 17:32:12 UTC |
| 35a67d2 | Philippe Mathieu-Daudé | 09 April 2024, 14:19:27 UTC | hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set Per "SD Host Controller Standard Specification Version 3.00": * 2.2.5 Transfer Mode Register (Offset 00Ch) Writes to this register shall be ignored when the Command Inhibit (DAT) in the Present State register is 1. Do not update the TRNMOD register when Command Inhibit (DAT) bit is set to avoid the present-status register going out of sync, leading to malicious guest using DMA mode and overflowing the FIFO buffer: $ cat << EOF | qemu-system-i386 \ -display none -nographic -nodefaults \ -machine accel=qtest -m 512M \ -device sdhci-pci,sd-spec-version=3 \ -device sd-card,drive=mydrive \ -drive if=none,index=0,file=null-co://,format=raw,id=mydrive \ -qtest stdio outl 0xcf8 0x80001013 outl 0xcfc 0x91 outl 0xcf8 0x80001001 outl 0xcfc 0x06000000 write 0x9100002c 0x1 0x05 write 0x91000058 0x1 0x16 write 0x91000005 0x1 0x04 write 0x91000028 0x1 0x08 write 0x16 0x1 0x21 write 0x19 0x1 0x20 write 0x9100000c 0x1 0x01 write 0x9100000e 0x1 0x20 write 0x9100000f 0x1 0x00 write 0x9100000c 0x1 0x00 write 0x91000020 0x1 0x00 EOF Stack trace (part): ================================================================= ==89993==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000029900 at pc 0x55d5f885700d bp 0x7ffc1e1e9470 sp 0x7ffc1e1e9468 WRITE of size 1 at 0x615000029900 thread T0 #0 0x55d5f885700c in sdhci_write_dataport hw/sd/sdhci.c:564:39 #1 0x55d5f8849150 in sdhci_write hw/sd/sdhci.c:1223:13 #2 0x55d5fa01db63 in memory_region_write_accessor system/memory.c:497:5 #3 0x55d5fa01d245 in access_with_adjusted_size system/memory.c:573:18 #4 0x55d5fa01b1a9 in memory_region_dispatch_write system/memory.c:1521:16 #5 0x55d5fa09f5c9 in flatview_write_continue system/physmem.c:2711:23 #6 0x55d5fa08f78b in flatview_write system/physmem.c:2753:12 #7 0x55d5fa08f258 in address_space_write system/physmem.c:2860:18 ... 0x615000029900 is located 0 bytes to the right of 512-byte region [0x615000029700,0x615000029900) allocated by thread T0 here: #0 0x55d5f7237b27 in __interceptor_calloc #1 0x7f9e36dd4c50 in g_malloc0 #2 0x55d5f88672f7 in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5 #3 0x55d5f844b582 in pci_qdev_realize hw/pci/pci.c:2092:9 #4 0x55d5fa2ee74b in device_set_realized hw/core/qdev.c:510:13 #5 0x55d5fa325bfb in property_set_bool qom/object.c:2358:5 #6 0x55d5fa31ea45 in object_property_set qom/object.c:1472:5 #7 0x55d5fa332509 in object_property_set_qobject om/qom-qobject.c:28:10 #8 0x55d5fa31f6ed in object_property_set_bool qom/object.c:1541:15 #9 0x55d5fa2e2948 in qdev_realize hw/core/qdev.c:292:12 #10 0x55d5f8eed3f1 in qdev_device_add_from_qdict system/qdev-monitor.c:719:10 #11 0x55d5f8eef7ff in qdev_device_add system/qdev-monitor.c:738:11 #12 0x55d5f8f211f0 in device_init_func system/vl.c:1200:11 #13 0x55d5fad0877d in qemu_opts_foreach util/qemu-option.c:1135:14 #14 0x55d5f8f0df9c in qemu_create_cli_devices system/vl.c:2638:5 #15 0x55d5f8f0db24 in qmp_x_exit_preconfig system/vl.c:2706:5 #16 0x55d5f8f14dc0 in qemu_init system/vl.c:3737:9 ... SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:564:39 in sdhci_write_dataport Add assertions to ensure the fifo_buffer[] is not overflowed by malicious accesses to the Buffer Data Port register. Fixes: CVE-2024-3447 Cc: qemu-stable@nongnu.org Fixes: d7dfca0807 ("hw/sdhci: introduce standard SD host controller") Buglink: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813 Reported-by: Alexander Bulekov <alxndr@bu.edu> Reported-by: Chuhong Yuan <hslester96@gmail.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <CAFEAcA9iLiv1XGTGKeopgMa8Y9+8kvptvsb8z2OBeuy+5=NUfg@mail.gmail.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20240409145524.27913-1-philmd@linaro.org> (cherry picked from commit 9e4b27ca6bf4974f169bbca7f3dca117b1208b6f) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 10 April 2024, 17:32:12 UTC |
| 9666bd2 | Philippe Mathieu-Daudé | 08 April 2024, 10:44:28 UTC | hw/net/lan9118: Fix overflow in MIL TX FIFO When the MAC Interface Layer (MIL) transmit FIFO is full, truncate the packet, and raise the Transmitter Error (TXE) flag. Broken since model introduction in commit 2a42499017 ("LAN9118 emulation"). When using the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/2267 we get: hw/net/lan9118.c:798:17: runtime error: index 2048 out of bounds for type 'uint8_t[2048]' (aka 'unsigned char[2048]') #0 0x563ec9a057b1 in tx_fifo_push hw/net/lan9118.c:798:43 #1 0x563ec99fbb28 in lan9118_writel hw/net/lan9118.c:1042:9 #2 0x563ec99f2de2 in lan9118_16bit_mode_write hw/net/lan9118.c:1205:9 #3 0x563ecbf78013 in memory_region_write_accessor system/memory.c:497:5 #4 0x563ecbf776f5 in access_with_adjusted_size system/memory.c:573:18 #5 0x563ecbf75643 in memory_region_dispatch_write system/memory.c:1521:16 #6 0x563ecc01bade in flatview_write_continue_step system/physmem.c:2713:18 #7 0x563ecc01b374 in flatview_write_continue system/physmem.c:2743:19 #8 0x563ecbff1c9b in flatview_write system/physmem.c:2774:12 #9 0x563ecbff1768 in address_space_write system/physmem.c:2894:18 ... [*] LAN9118 DS00002266B.pdf, Table 5.3.3 "INTERRUPT STATUS REGISTER" Cc: qemu-stable@nongnu.org Reported-by: Will Lester Reported-by: Chuhong Yuan <hslester96@gmail.com> Suggested-by: Peter Maydell <peter.maydell@linaro.org> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2267 Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20240409133801.23503-3-philmd@linaro.org> (cherry picked from commit ad766d603f39888309cfb1433ba2de1d0e9e4f58) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 10 April 2024, 17:32:12 UTC |
| 4e6240e | Philippe Mathieu-Daudé | 08 April 2024, 10:44:22 UTC | hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition The magic 2048 is explained in the LAN9211 datasheet (DS00002414A) in chapter 1.4, "10/100 Ethernet MAC": The MAC Interface Layer (MIL), within the MAC, contains a 2K Byte transmit and a 128 Byte receive FIFO which is separate from the TX and RX FIFOs. [...] Note, the use of the constant in lan9118_receive() reveals that our implementation is using the same buffer for both tx and rx. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20240409133801.23503-2-philmd@linaro.org> (cherry picked from commit a45223467e4e185fff1c76a6483784fa379ded77) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 10 April 2024, 17:32:12 UTC |
| 516bdbc | Philippe Mathieu-Daudé | 08 April 2024, 15:40:23 UTC | backends/cryptodev: Do not abort for invalid session ID Instead of aborting when a session ID is invalid, return VIRTIO_CRYPTO_INVSESS ("Invalid session id"). Reproduced using: $ cat << EOF | qemu-system-i386 -display none \ -machine q35,accel=qtest -m 512M -nodefaults \ -object cryptodev-backend-builtin,id=cryptodev0 \ -device virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 \ -qtest stdio outl 0xcf8 0x80000804 outw 0xcfc 0x06 outl 0xcf8 0x80000820 outl 0xcfc 0xe0008000 write 0x10800e 0x1 0x01 write 0xe0008016 0x1 0x01 write 0xe0008020 0x4 0x00801000 write 0xe0008028 0x4 0x00c01000 write 0xe000801c 0x1 0x01 write 0x110000 0x1 0x05 write 0x110001 0x1 0x04 write 0x108002 0x1 0x11 write 0x108008 0x1 0x48 write 0x10800c 0x1 0x01 write 0x108018 0x1 0x10 write 0x10801c 0x1 0x02 write 0x10c002 0x1 0x01 write 0xe000b005 0x1 0x00 EOF Assertion failed: (session_id < MAX_NUM_SESSIONS && builtin->sessions[session_id]), function cryptodev_builtin_close_session, file cryptodev-builtin.c, line 430. Cc: qemu-stable@nongnu.org Reported-by: Zheyu Ma <zheyuma97@gmail.com> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2274 Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: zhenwei pi <pizhenwei@bytedance.com> Message-Id: <20240409094757.9127-1-philmd@linaro.org> (cherry picked from commit eaf2bd29538d039df80bb4b1584de33a61312bc6) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 10 April 2024, 17:32:12 UTC |
