https://github.com/qemu/qemu

Revision Author Date Message Commit Date
83a9cdb Update version for 8.0.4 release Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 07 August 2023, 12:05:10 UTC
7cb0210 target/i386: Check CR0.TS before enter_mmx When CR0.TS=1, execution of x87 FPU, MMX, and some SSE instructions will cause a Device Not Available (DNA) exception (#NM). System software uses this exception event to lazily context switch FPU state. Before this patch, enter_mmx helpers may be generated just before #NM generation, prematurely resetting FPU state before the guest has a chance to save it. Signed-off-by: Matt Borgerson <contact@mborgerson.com> Message-ID: <CADc=-s5F10muEhLs4f3mxqsEPAHWj0XFfOC2sfFMVHrk9fcpMg@mail.gmail.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit b2ea6450d8e1336a33eb958ccc64604bc35a43dd) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 05 August 2023, 17:49:49 UTC
979cdfb target/ppc: Fix VRMA page size for ISA v3.0 Until v2.07s, the VRMA page size (L||LP) was encoded in LPCR[VRMASD]. In v3.0 that moved to the partition table PS field. The powernv machine can now run KVM HPT guests on POWER9/10 CPUs with this fix and the patch to add ASDR. Fixes: 3367c62f522b ("target/ppc: Support for POWER9 native hash") Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Reviewed-by: Cédric Le Goater <clg@kaod.org> Message-ID: <20230730111842.39292-1-npiggin@gmail.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com> (cherry picked from commit 0e2a3ec36885f6d79a96230f582d4455878c6373) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 05 August 2023, 17:49:49 UTC
b96bb74 target/ppc: Fix pending HDEC when entering PM state HDEC is defined to not wake from PM state. There is a check in the HDEC timer to avoid setting the interrupt if we are in a PM state, but no check on PM entry to lower HDEC if it already fired. This can cause a HDECR wake up and QEMU abort with unsupported exception in Power Save mode. Fixes: 4b236b621bf ("ppc: Initial HDEC support") Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Reviewed-by: Cédric Le Goater <clg@kaod.org> Message-ID: <20230726182230.433945-4-npiggin@gmail.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com> (cherry picked from commit 9915dac4847f3cc5ffd36e4c374a4eec83fe09b5) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 05 August 2023, 17:49:49 UTC
bfe876c target/ppc: Implement ASDR register for ISA v3.0 for HPT The ASDR register was introduced in ISA v3.0. It has not been implemented for HPT. With HPT, ASDR is the format of the slbmte RS operand (containing VSID), which matches the ppc_slb_t field. Fixes: 3367c62f522b ("target/ppc: Support for POWER9 native hash") Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Reviewed-by: Cédric Le Goater <clg@kaod.org> Message-ID: <20230726182230.433945-2-npiggin@gmail.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com> (cherry picked from commit 9201af096962a1967ce5d0b270ed16ae4edd3db6) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 05 August 2023, 17:49:49 UTC
1d711f9 vdpa: Return -EIO if device ack is VIRTIO_NET_ERR in _load_mq() According to the VirtIO standard, "The class, command and command-specific-data are set by the driver, and the device sets the ack byte. There is little it can do except issue a diagnostic if ack is not VIRTIO_NET_OK." Therefore, QEMU should stop sending the queued SVQ commands and cancel the device startup if the device's ack is not VIRTIO_NET_OK. Yet the problem is that vhost_vdpa_net_load_mq() returns 1 based on `*s->status != VIRTIO_NET_OK` when the device's ack is VIRTIO_NET_ERR. As a result, net->nc->info->load() also returns 1, which makes vhost_net_start_one() incorrectly assume the device state was successfully loaded by vhost_vdpa_net_load() and return 0, instead of going to the `fail` label to cancel the device startup, as vhost_net_start_one() only cancels the device startup when net->nc->info->load() returns a negative value. This patch fixes this problem by returning -EIO when the device's ack is not VIRTIO_NET_OK. Fixes: f64c7cda69 ("vdpa: Add vhost_vdpa_net_load_mq") Signed-off-by: Hawkins Jiawei <yin31149@gmail.com> Acked-by: Jason Wang <jasowang@redhat.com> Acked-by: Eugenio Pérez <eperezma@redhat.com> Message-Id: <ec515ebb0b4f56368751b9e318e245a5d994fa72.1688438055.git.yin31149@gmail.com> Tested-by: Lei Yang <leiyang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit f45fd95ec9e8104f6af801c734375029dda0f542) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 05 August 2023, 17:49:49 UTC
f43e4e2 vdpa: Return -EIO if device ack is VIRTIO_NET_ERR in _load_mac() According to the VirtIO standard, "The class, command and command-specific-data are set by the driver, and the device sets the ack byte. There is little it can do except issue a diagnostic if ack is not VIRTIO_NET_OK." Therefore, QEMU should stop sending the queued SVQ commands and cancel the device startup if the device's ack is not VIRTIO_NET_OK. Yet the problem is that vhost_vdpa_net_load_mac() returns 1 based on `*s->status != VIRTIO_NET_OK` when the device's ack is VIRTIO_NET_ERR. As a result, net->nc->info->load() also returns 1, which makes vhost_net_start_one() incorrectly assume the device state was successfully loaded by vhost_vdpa_net_load() and return 0, instead of going to the `fail` label to cancel the device startup, as vhost_net_start_one() only cancels the device startup when net->nc->info->load() returns a negative value. This patch fixes this problem by returning -EIO when the device's ack is not VIRTIO_NET_OK. Fixes: f73c0c43ac ("vdpa: extract vhost_vdpa_net_load_mac from vhost_vdpa_net_load") Signed-off-by: Hawkins Jiawei <yin31149@gmail.com> Acked-by: Jason Wang <jasowang@redhat.com> Acked-by: Eugenio Pérez <eperezma@redhat.com> Message-Id: <a21731518644abbd0c495c5b7960527c5911f80d.1688438055.git.yin31149@gmail.com> Tested-by: Lei Yang <leiyang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit b479bc3c9d5e473553137641fd31069c251f0d6e) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 05 August 2023, 17:49:49 UTC
ade1bed vdpa: Fix possible use-after-free for VirtQueueElement QEMU uses vhost_handle_guest_kick() to forward the guest's available buffers to the vdpa device in the SVQ avail ring. In vhost_handle_guest_kick(), a `g_autofree` `elem` is used to iterate through the available VirtQueueElements. This `elem` is then passed to `svq->ops->avail_handler`, specifically to vhost_vdpa_net_handle_ctrl_avail(). If this handler fails to process the CVQ command, vhost_handle_guest_kick() regains ownership of the `elem` and either frees it or requeues it. Yet the problem is that vhost_vdpa_net_handle_ctrl_avail() mistakenly frees the `elem` even if it fails to forward the CVQ command to the vdpa device. This can result in a use-after-free of the `elem` in vhost_handle_guest_kick(). This patch solves this problem by refactoring vhost_vdpa_net_handle_ctrl_avail() to only free the `elem` if it owns it. Fixes: bd907ae4b0 ("vdpa: manual forward CVQ buffers") Signed-off-by: Hawkins Jiawei <yin31149@gmail.com> Message-Id: <e3f2d7db477734afe5c6a5ab3fa8b8317514ea34.1688746840.git.yin31149@gmail.com> Reviewed-by: Eugenio Pérez <eperezma@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 031b1abacbdb3f4e016b6b926f7e7876c05339bb) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 05 August 2023, 17:49:49 UTC
e85ab8f vfio/pci: Disable INTx in vfio_realize error path When vfio realize fails, INTx isn't disabled if it has been enabled. This may confuse host side with unhandled interrupt report. Fixes: c5478fea27ac ("vfio/pci: Respond to KVM irqchip change notifier") Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Joao Martins <joao.m.martins@oracle.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Signed-off-by: Cédric Le Goater <clg@redhat.com> (cherry picked from commit adee0da0368f50b3ee934cdeeb6076466dabb268) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 05 August 2023, 05:39:54 UTC
48be003 include/hw/i386/x86-iommu: Fix struct X86IOMMU_MSIMessage for big endian hosts The first bitfield here is supposed to be used as a 64-bit equivalent to the "uint64_t msi_addr" in the union. To make this work correctly on big endian hosts, too, the __addr_hi field has to be part of the bitfield, and the bitfield members must be declared with "uint64_t" instead of "uint32_t" - otherwise the values are placed in the wrong bytes on big endian hosts. The same applies to the 32-bit "msi_data" field: __resved1 must be part of the bitfield, and the members must be declared with "uint32_t" instead of "uint16_t". Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <20230802135723.178083-7-thuth@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Xu <peterx@redhat.com> (cherry picked from commit e1e56c07d1fa24aa37a7e89e6633768fc8ea8705) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
dab9a65 hw/i386/x86-iommu: Fix endianness issue in x86_iommu_irq_to_msi_message() The values in "msg" are assembled in host endian byte order (the other fields are also not swapped), so we must not swap the __addr_head here. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <20230802135723.178083-6-thuth@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Peter Xu <peterx@redhat.com> (cherry picked from commit 37cf5cecb039a063c0abe3b51ae30f969e73aa84) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
e0711f7 hw/i386/intel_iommu: Fix index calculation in vtd_interrupt_remap_msi() The values in "addr" are populated locally in this function in host endian byte order, so we must not swap the index_l field here. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <20230802135723.178083-5-thuth@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Peter Xu <peterx@redhat.com> (cherry picked from commit fcd8027423300b201b37842b88393dc5c6c8ee9e) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
4f558fd hw/i386/intel_iommu: Fix struct VTDInvDescIEC on big endian hosts On big endian hosts, we need to reverse the bitfield order in the struct VTDInvDescIEC, just like it is already done for the other bitfields in the various structs of the intel-iommu device. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <20230802135723.178083-4-thuth@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Xu <peterx@redhat.com> (cherry picked from commit 4572b22cf9ba432fa3955686853c706a1821bbc7) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
b3c94ec hw/i386/intel_iommu: Fix endianness problems related to VTD_IR_TableEntry The code already tries to do some endianness handling here, but currently fails badly: - While it already swaps the data when logging errors / tracing, it fails to byteswap the value before e.g. accessing entry->irte.present - entry->irte.source_id is swapped with le32_to_cpu(), though this is a 16-bit value - The whole union is apparently supposed to be swapped via the 64-bit data[2] array, but the struct is a mixture between 32 bit values (the first 8 bytes) and 64 bit values (the second 8 bytes), so this cannot work as expected. Fix it by converting the struct to two proper 64-bit bitfields, and by swapping the values only once for everybody right after reading the data from memory. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <20230802135723.178083-3-thuth@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Xu <peterx@redhat.com> (cherry picked from commit 642ba89672279fbdd14016a90da239c85e845d18) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
bc5740e hw/i386/intel_iommu: Fix trivial endianness problems After reading the guest memory with dma_memory_read(), we have to make sure that we byteswap the little endian data to the host's byte order. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <20230802135723.178083-2-thuth@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Peter Xu <peterx@redhat.com> (cherry picked from commit cc2a08480e19007c05be8fe5b6893e20448954dc) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
715e812 pci: do not respond config requests after PCI device eject Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2224964 In migration with VF failover, Windows guest and ACPI hot unplug we do not need to satisfy config requests, otherwise the guest immediately detects the device and brings up its driver. Many network VF's are stuck on the guest PCI bus after the migration. Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com> Message-Id: <20230728084049.191454-1-yuri.benditovich@daynix.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 348e354417b64c484877354ee7cc66f29fa6c7df) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
868b90e target/hppa: Move iaoq registers and thus reduce generated code size On hppa the Instruction Address Offset Queue (IAOQ) registers specify the addresses of the next to-be-executed instructions. Each generated TB writes those registers at least once, so those registers are used heavily in generated code. Looking at the generated assembly, for an x86-64 host this code to write the address $0x7ffe826f into iaoq_f is generated: 0x7f73e8000184: c7 85 d4 01 00 00 6f 82 movl $0x7ffe826f, 0x1d4(%rbp) 0x7f73e800018c: fe 7f 0x7f73e800018e: c7 85 d8 01 00 00 73 82 movl $0x7ffe8273, 0x1d8(%rbp) 0x7f73e8000196: fe 7f With the trivial change of moving the variables iaoq_f and iaoq_b to the top of struct CPUArchState, the offset to %rbp is reduced (from 0x1d4 to 0), which allows the x86-64 tcg to generate 3 bytes less of generated code per move instruction: 0x7fc1e800018c: c7 45 00 6f 82 fe 7f movl $0x7ffe826f, (%rbp) 0x7fc1e8000193: c7 45 04 73 82 fe 7f movl $0x7ffe8273, 4(%rbp) Overall this is a reduction of generated code (not a reduction of the number of instructions). A test run which checks the generated code size by running "/bin/ls" with qemu-user shows that the code size shrinks from 1616767 to 1569273 bytes, which is ~97% of the former size. Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Helge Deller <deller@gmx.de> Cc: qemu-stable@nongnu.org (cherry picked from commit f8c0fd9804f435a20c3baa4c0c77ba9a02af24ef) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
60c42b8 cryptodev: Handle unexpected request to avoid crash Generally guest side should discover which services the device is able to offer, then do requests on device. However it's also possible to break this rule in a guest. Handle unexpected request here to avoid NULL pointer dereference. Fixes: e7a775fd ('cryptodev: Account statistics') Cc: Gonglei <arei.gonglei@huawei.com> Cc: Mauro Matteo Cascella <mcascell@redhat.com> Cc: Xiao Lei <nop.leixiao@gmail.com> Cc: Yongkang Jia <kangel@zju.edu.cn> Reported-by: Yiming Tao <taoym@zju.edu.cn> Signed-off-by: zhenwei pi <pizhenwei@bytedance.com> Message-Id: <20230803024314.29962-3-pizhenwei@bytedance.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 15b11a1da6a4b7c6b8bb37883f52b544dee2b8fd) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
49f1e02 virtio-crypto: verify src&dst buffer length for sym request For symmetric algorithms, the length of the ciphertext must be the same as the plaintext. The missing verification of the src_len and the dst_len in virtio_crypto_sym_op_helper() may lead to a buffer overflow or disclosure. This patch was originally written by Yiming Tao for QEMU-SECURITY and is resent (with a few changes to the error message) on qemu-devel. Fixes: CVE-2023-3180 Fixes: 04b9b37edda ("virtio-crypto: add data queue processing handler") Cc: Gonglei <arei.gonglei@huawei.com> Cc: Mauro Matteo Cascella <mcascell@redhat.com> Cc: Yiming Tao <taoym@zju.edu.cn> Signed-off-by: zhenwei pi <pizhenwei@bytedance.com> Message-Id: <20230803024314.29962-2-pizhenwei@bytedance.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 9d38a8434721a6479fe03fb5afb150ca793d3980) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
fd902c5 vhost: fix the fd leak When the vhost-user reconnects to the backend, the notifier should be cleaned up. Otherwise, the fd resource will be exhausted. Fixes: f9a09ca3ea ("vhost: add support for configure interrupt") Signed-off-by: Li Feng <fengli@smartx.com> Reviewed-by: Raphael Norwitz <raphael.norwitz@nutanix.com> Message-Id: <20230731121018.2856310-2-fengli@smartx.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Tested-by: Fiona Ebner <f.ebner@proxmox.com> (cherry picked from commit 18f2971ce403008d5e1c2875b483c9d1778143dc) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
18963f4 hw/virtio-iommu: Fix potential OOB access in virtio_iommu_handle_command() In virtio_iommu_handle_command(), when a PROBE request is handled, output_size takes a value greater than the tail size and on a subsequent iteration we can get a stack out-of-bounds access. Initialize the output_size on each iteration. The issue was found with ASAN. Credits to: Yiming Tao (Zhejiang University) Gaoning Pan (Zhejiang University) Fixes: 1733eebb9e7 ("virtio-iommu: Implement RESV_MEM probe request") Signed-off-by: Eric Auger <eric.auger@redhat.com> Reported-by: Mauro Matteo Cascella <mcascell@redhat.com> Cc: qemu-stable@nongnu.org Message-Id: <20230717162126.11693-1-eric.auger@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit cf2f89edf36a59183166ae8721a8d7ab5cd286bd) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
71e05c4 target/m68k: Fix semihost lseek offset computation The arguments for deposit64 are (value, start, length, fieldval); this appears to have thought they were (value, fieldval, start, length). Reorder the parameters to match the actual function. Cc: qemu-stable@nongnu.org Fixes: 950272506d ("target/m68k: Use semihosting/syscalls.h") Reported-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20230801154519.3505531-1-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit 8caaae7319a5f7ca449900c0e6bfcaed78fa3ae2) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
3d81ba8 target/nios2: Fix semihost lseek offset computation The arguments for deposit64 are (value, start, length, fieldval); this appears to have thought they were (value, fieldval, start, length). Reorder the parameters to match the actual function. Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Fixes: d1e23cbaa403b2d ("target/nios2: Use semihosting/syscalls.h") Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20230731235245.295513-1-keithp@keithp.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit 71e2dd6aa1bdbac19c661638a4ae91816002ac9e) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
adef4fe target/nios2: Pass semihosting arg to exit Instead of using R_ARG0 (the semihost function number), use R_ARG1 (the provided exit status). Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20230801152245.332749-1-keithp@keithp.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit c11d5bdae79a8edaf00dfcb2e49c064a50c67671) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
f8592e9 hw/xen: fix off-by-one in xen_evtchn_set_gsi() Coverity points out (CID 1508128) a bounds checking error. We need to check for gsi >= IOAPIC_NUM_PINS, not just greater-than. Also fix up an assert() that has the same problem, that Coverity didn't see. Fixes: 4f81baa33ed6 ("hw/xen: Support GSI mapping to PIRQ") Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20230801175747.145906-2-dwmw2@infradead.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit cf885b19579646d6a085470658bc83432d6786d2) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
5300472 io: remove io watch if TLS channel is closed during handshake The TLS handshake may take some time to complete, during which time an I/O watch might be registered with the main loop. If the owner of the I/O channel invokes qio_channel_close() while the handshake is waiting to continue, the I/O watch must be removed. Failing to remove it will later trigger the completion callback which the owner is not expecting to receive. In the case of the VNC server, this results in a SEGV as vnc_disconnect_start() tries to shut down a client connection that is already gone / NULL. CVE-2023-3354 Reported-by: jiangyegen <jiangyegen@huawei.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit 10be627d2b5ec2d6b3dce045144aa739eef678b4) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
ca93a30 xen-block: Avoid leaks on new error path Commit 189829399070 ("xen-block: Use specific blockdev driver") introduced a new error path, without taking care of allocated resources. So only allocate the qdicts after the error check, and free both `filename` and `driver` when we are about to return and thus taking care of both success and error path. Coverity only spotted the leak of qdicts (*_layer variables). Reported-by: Peter Maydell <peter.maydell@linaro.org> Fixes: Coverity CID 1508722, 1398649 Fixes: 189829399070 ("xen-block: Use specific blockdev driver") Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Reviewed-by: Paul Durrant <paul@xen.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20230704171819.42564-1-anthony.perard@citrix.com> Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> (cherry picked from commit aa36243514a777f76c8b8a19b1f8a71f27ec6c78) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
157529e thread-pool: signal "request_cond" while locked thread_pool_free() might have been called on the `pool`, which would be a reason for worker_thread() to quit. In this case, `pool->request_cond` has been destroyed. If worker_thread() didn't manage to signal `request_cond` before it was destroyed by thread_pool_free(), we get: util/qemu-thread-posix.c:198: qemu_cond_signal: Assertion `cond->initialized' failed. One backtrace: __GI___assert_fail (assertion=0x55555614abcb "cond->initialized", file=0x55555614ab88 "util/qemu-thread-posix.c", line=198, function=0x55555614ad80 <__PRETTY_FUNCTION__.17104> "qemu_cond_signal") at assert.c:101 qemu_cond_signal (cond=0x7fffb800db30) at util/qemu-thread-posix.c:198 worker_thread (opaque=0x7fffb800dab0) at util/thread-pool.c:129 qemu_thread_start (args=0x7fffb8000b20) at util/qemu-thread-posix.c:505 start_thread (arg=<optimized out>) at pthread_create.c:486 Reported here: https://lore.kernel.org/all/ZJwoK50FcnTSfFZ8@MacBook-Air-de-Roger.local/T/#u To avoid the issue, keep the lock while sending a signal to `request_cond`. Fixes: 900fa208f506 ("thread-pool: replace semaphore with condition variable") Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20230714152720.5077-1-anthony.perard@citrix.com> Signed-off-by: Anthony PERARD <anthony.perard@citrix.com> (cherry picked from commit f4f71363fcdb1092ff64d2bba6f9af39570c2f2b) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
5a87bce linux-user/armeb: Fix __kernel_cmpxchg() for armeb Commit 7f4f0d9ea870 ("linux-user/arm: Implement __kernel_cmpxchg with host atomics") switched to using qatomic_cmpxchg() to swap a word with the memory content, but missed endianness-swapping the oldval and newval values when emulating an armeb CPU, which expects words to be stored in big endian in the guest memory. The bug can be verified with qemu >= v7.0 on any little-endian host, when starting the armeb binary of the upx program, which just hangs without this patch. Cc: qemu-stable@nongnu.org Signed-off-by: Helge Deller <deller@gmx.de> Reported-by: "Markus F.X.J. Oberhumer" <markus@oberhumer.com> Reported-by: John Reiser <jreiser@BitWagon.com> Closes: https://github.com/upx/upx/issues/687 Message-Id: <ZMQVnqY+F+5sTNFd@p100> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 38dd78c41eaf08b490c9e7ec68fc508bbaa5cb1d) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
f8e673d target/ppc: Disable goto_tb with architectural singlestep The change to use translator_use_goto_tb went too far, as the CF_SINGLE_STEP flag managed by the translator only handles gdb single stepping and not the architectural single stepping modeled in DisasContext.singlestep_enabled. Fixes: 6e9cc373ec5 ("target/ppc: Use translator_use_goto_tb") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1795 Reviewed-by: Cédric Le Goater <clg@kaod.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 2e718e665706d5fcc3e3501bda26f277f055ed85) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 04 August 2023, 16:14:46 UTC
357b424 util/interval-tree: Use qatomic_set_mb in rb_link_node Ensure that the stores to rb_left and rb_right are complete before inserting the new node into the tree. Otherwise a concurrent reader could see garbage in the new leaf. Cc: qemu-stable@nongnu.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 4c8baa02d36379507afd17bdea87aabe0aa32ed3) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: s/qatomic_set_mb/qatomic_mb_set/ for 8.0 - it was renamed later) 04 August 2023, 16:13:51 UTC
b2ec463 util/interval-tree: Use qatomic_read for left/right while searching Fixes a race condition (generally without optimization) in which the subtree is re-read after the protecting if condition. Cc: qemu-stable@nongnu.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 055b86e0f0b4325117055d8d31c49011258f4af3) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 01 August 2023, 05:59:58 UTC
2eee26f target/arm: Avoid writing to constant TCGv in trans_CSEL() In commit 0b188ea05acb5 we changed the implementation of trans_CSEL() to use tcg_constant_i32(). However, this change was incorrect, because the implementation of the function sets up the TCGv_i32 rn and rm to be either zero or else a TCG temp created in load_reg(), and these TCG temps are then in both cases written to by the emitted TCG ops. The result is that we hit a TCG assertion: qemu-system-arm: ../../tcg/tcg.c:4455: tcg_reg_alloc_mov: Assertion `!temp_readonly(ots)' failed. (or on a non-debug build, just produce a garbage result) Adjust the code so that rn and rm are always writeable temporaries whether the instruction is using the special case "0" or a normal register as input. Cc: qemu-stable@nongnu.org Fixes: 0b188ea05acb5 ("target/arm: Use tcg_constant in trans_CSEL") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230727103906.2641264-1-peter.maydell@linaro.org (cherry picked from commit 2b0d656ab6484cae7f174e194215a6d50343ecd2) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 18:06:29 UTC
2bff614 target/arm: Special case M-profile in debug_helper.c code A lot of the code called from helper_exception_bkpt_insn() is written assuming A-profile, but we will also call this helper on M-profile CPUs when they execute a BKPT insn. This used to work by accident, but recent changes mean that we will hit an assert when some of this code calls down into lower level functions that end up calling arm_security_space_below_el3(), arm_el_is_aa64(), and other functions that now explicitly assert that the guest CPU is not M-profile. Handle M-profile directly to avoid the assertions: * in arm_debug_target_el(), M-profile debug exceptions always go to EL1 * in arm_debug_exception_fsr(), M-profile always uses the short format FSR (compare commit d7fe699be54b2, though in this case the code in arm_v7m_cpu_do_interrupt() does not need to look at the FSR value at all) Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1775 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230721143239.1753066-1-peter.maydell@linaro.org (cherry picked from commit 5d78893f39caf94c8587141e2219b57a7d63dd5c) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 06:10:51 UTC
220869a hw/arm/smmu: Handle big-endian hosts correctly The implementation of the SMMUv3 has multiple places where it reads a data structure from the guest and directly operates on it without doing a guest-to-host endianness conversion. Since all SMMU data structures are little-endian, this means that the SMMU doesn't work on a big-endian host. In particular, this causes the Avocado test machine_aarch64_virt.py:Aarch64VirtMachine.test_alpine_virt_tcg_gic_max to fail on an s390x host. Add appropriate byte-swapping on reads and writes of guest in-memory data structures so that the device works correctly on big-endian hosts. As part of this we constrain queue_read() to operate only on Cmd structs and queue_write() on Evt structs, because in practice these are the only data structures the two functions are used with, and we need to know what the data structure is to be able to byte-swap its parts correctly. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Tested-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Eric Auger <eric.auger@redhat.com> Message-id: 20230717132641.764660-1-peter.maydell@linaro.org Cc: qemu-stable@nongnu.org (cherry picked from commit c6445544d4cea2628fbad3bad09f3d3a03c749d3) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 06:10:51 UTC
123b429 virtio-net: pass Device-TLB enable/disable events to vhost If vhost is enabled for virtio-net, Device-TLB enable/disable events must be passed to vhost for proper IOMMU unmap flag selection. Signed-off-by: Viktor Prutyanov <viktor@daynix.com> Acked-by: Jason Wang <jasowang@redhat.com> Message-Id: <20230626091258.24453-3-viktor@daynix.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit cd9b8346884353ba9ae6560b44b7cccdf00a6633) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 06:10:51 UTC
8eed78e vhost: register and change IOMMU flag depending on Device-TLB state The guest can disable or never enable Device-TLB. In these cases, it can't be used even if enabled in QEMU. So, check Device-TLB state before registering IOMMU notifier and select unmap flag depending on that. Also, implement a way to change IOMMU notifier flag if Device-TLB state is changed. Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2001312 Signed-off-by: Viktor Prutyanov <viktor@daynix.com> Acked-by: Jason Wang <jasowang@redhat.com> Message-Id: <20230626091258.24453-2-viktor@daynix.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit ee071f67f7a103c66f85f68ffe083712929122e3) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 06:10:51 UTC
5f3fe56 virtio-pci: add handling of PCI ATS and Device-TLB enable/disable According to the PCIe Address Translation Services specification 5.1.3, the ATS Control Register has an Enable bit to enable/disable ATS. The guest may enable/disable PCI ATS and, accordingly, Device-TLB for the VirtIO PCI device. So, raise/lower a flag and call a trigger function to pass this event to a device implementation. Signed-off-by: Viktor Prutyanov <viktor@daynix.com> Message-Id: <20230512135122.70403-2-viktor@daynix.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 206e91d143301414df2deb48a411e402414ba6db) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 06:10:51 UTC
0827053 target/loongarch: Fix the CSRRD CPUID instruction on big endian hosts The test in tests/avocado/machine_loongarch.py is currently failing on big endian hosts like s390x. By comparing the traces between running the QEMU_EFI.fd bios on an s390x and on an x86 host, it's quickly obvious that the CSRRD instruction for the CPUID is behaving differently. And indeed: The code currently does a long read (i.e. 64 bit) from the address that points to the CPUState->cpu_index field (with tcg_gen_ld_tl() in the trans_csrrd() function). But this cpu_index field is only an "int" (i.e. 32 bit). While this dirty pointer magic works on little endian hosts, it of course fails on big endian hosts. Fix it by using a proper helper function instead. Message-Id: <20230720175307.854460-1-thuth@redhat.com> Reviewed-by: Song Gao <gaosong@loongson.cn> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit c34ad459926f6c600a55fe6782a27edfa405d60b) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 06:10:51 UTC
c8b714f target/s390x: Fix assertion failure in VFMIN/VFMAX with type 13 Type 13 is reserved, so using it should result in a specification exception. Due to an off-by-1 error the code triggers an assertion at a later point in time instead. Cc: qemu-stable@nongnu.org Fixes: da4807527f3b ("s390x/tcg: Implement VECTOR FP (MAXIMUM|MINIMUM)") Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Message-Id: <20230724082032.66864-8-iii@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit ff537b0370ab5918052b8d8a798e803c47272406) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 06:10:51 UTC
c5498fd target/s390x: Make MC raise specification exception when class >= 16 MC requires bit positions 8-11 (upper 4 bits of class) to be zeros, otherwise it must raise a specification exception. Cc: qemu-stable@nongnu.org Fixes: 20d143e2cab8 ("s390x/tcg: Implement MONITOR CALL") Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Message-Id: <20230724082032.66864-6-iii@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit 9c028c057adce49304c6e4a51f6b426bd4f8f6b8) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 06:10:51 UTC
76507ab target/s390x: Fix ICM with M3=0 When the mask is zero, access exceptions should still be recognized for 1 byte at the second-operand address. CC should be set to 0. Cc: qemu-stable@nongnu.org Fixes: e023e832d0ac ("s390x: translate engine for s390x CPU") Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Message-Id: <20230724082032.66864-5-iii@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit a2025557ed4d8d5e6a4d0dd681717c390f51f5be) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 06:10:51 UTC
e5e8a86 target/s390x: Fix CONVERT TO LOGICAL/FIXED with out-of-range inputs CONVERT TO LOGICAL/FIXED deviate from IEEE 754 in that they raise an inexact exception on out-of-range inputs. float_flag_invalid_cvti aligns nicely with that behavior, so convert it to S390_IEEE_MASK_INEXACT. Cc: qemu-stable@nongnu.org Fixes: defb0e3157af ("s390x: Implement opcode helpers") Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Message-Id: <20230724082032.66864-4-iii@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit 53684e344a27da770acc9012740334154ddea24f) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 06:10:51 UTC
6bd56e0 target/s390x: Fix CLM with M3=0 When the mask is zero, access exceptions should still be recognized for 1 byte at the second-operand address. CC should be set to 0. Cc: qemu-stable@nongnu.org Fixes: defb0e3157af ("s390x: Implement opcode helpers") Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Message-Id: <20230724082032.66864-3-iii@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit 4b6e4c0b8223681ae85462794848db4386de1a8d) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 06:10:51 UTC
bdbf5e1 target/s390x: Make CKSM raise an exception if R2 is odd R2 designates an even-odd register pair; the instruction should raise a specification exception when R2 is not even. Cc: qemu-stable@nongnu.org Fixes: e023e832d0ac ("s390x: translate engine for s390x CPU") Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Message-Id: <20230724082032.66864-2-iii@linux.ibm.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: David Hildenbrand <david@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit 761b0aa9381e2f755b9b594f7f3033d564561751) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 06:10:51 UTC
6f7c39a tcg/{i386, s390x}: Add earlyclobber to the op_add2's first output i386 and s390x implementations of op_add2 require an earlyclobber, which is currently missing. This breaks VCKSM in s390x guests. E.g., on x86_64 the following op: add2_i32 tmp2,tmp3,tmp2,tmp3,tmp3,tmp2 dead: 0 2 3 4 5 pref=none,0xffff is translated to: addl %ebx, %r12d adcl %r12d, %ebx Introduce a new C_N1_O1_I4 constraint, and make sure that earlyclobber of aliased outputs is honored. Cc: qemu-stable@nongnu.org Fixes: 82790a870992 ("tcg: Add markup for output requires new register") Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20230719221310.1968845-7-iii@linux.ibm.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 22d2e5351a18aff5a9c7e3984b50ecce61ff8975) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 06:10:51 UTC
59a728a tcg/ppc: Fix race in goto_tb implementation Commit 20b6643324 ("tcg/ppc: Reorg goto_tb implementation") modified goto_tb to ensure only a single instruction was patched to prevent incorrect behavior if a thread was in the middle of multiple instructions when they were replaced. However this introduced a race between loading the jmp target into TCG_REG_TB and patching and executing the direct branch. The relevant part of the goto_tb implementation: ld TCG_REG_TB, TARGET_ADDR_LOCATION(TCG_REG_TB) patch_location: mtctr TCG_REG_TB bctr tb_target_set_jmp_target() will replace 'patch_location' with a direct branch if the target is in range. The direct branch now relies on TCG_REG_TB being set up correctly by the ld. Prior to this commit multiple instructions were patched in for the direct branch case; these instructions would initialize TCG_REG_TB to the same value as the branch target. Imagine the following sequence: 1) Thread A is executing the goto_tb sequence and loads the jmp target into TCG_REG_TB. 2) Thread B updates the jmp target address and calls tb_target_set_jmp_target(). This patches a new direct branch into the goto_tb sequence. 3) Thread A executes the newly patched direct branch. The value in TCG_REG_TB still contains the old jmp target. TCG_REG_TB MUST contain the translation block's tc.ptr. Execution will eventually crash after performing memory accesses generated from a faulty value in TCG_REG_TB. This presents as segfaults or illegal instruction exceptions. Do not revert commit 20b6643324 as it did fix a different race condition. Instead remove the direct branch optimization and always use indirect branches. The direct branch optimization can be re-added later with a race-free sequence. Fixes: 20b6643324 ("tcg/ppc: Reorg goto_tb implementation") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1726 Reported-by: Anushree Mathur <anushree.mathur@linux.vnet.ibm.com> Tested-by: Anushree Mathur <anushree.mathur@linux.vnet.ibm.com> Tested-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Co-developed-by: Benjamin Gray <bgray@linux.ibm.com> Signed-off-by: Jordan Niethe <jniethe5@gmail.com> Signed-off-by: Benjamin Gray <bgray@linux.ibm.com> Message-Id: <20230717093001.13167-1-jniethe5@gmail.com> (cherry picked from commit 736a1588c104e9995c1831df33554df1f1def8b8) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 06:10:51 UTC
5a61789 qemu-nbd: regression with arguments passing into nbd_client_thread() Unfortunately commit 03b67621445d601c9cdc7dfe25812e9f19b81488 (8.0: feb0814b3b48e75b336ad72eb303f9d579c94083) Author: Denis V. Lunev <den@openvz.org> Date: Mon Jul 17 16:55:40 2023 +0200 qemu-nbd: pass structure into nbd_client_thread instead of plain char* has introduced a regression. struct NbdClientOpts resides on the stack inside an 'if' block. This specifically means that this stack space could be reused once execution leaves that block of the code. This means that parameters passed into nbd_client_thread could be overwritten at any moment. The patch moves the data to the namespace of the main() function, effectively preserving it for the whole process lifetime. Signed-off-by: Denis V. Lunev <den@openvz.org> CC: Eric Blake <eblake@redhat.com> CC: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> CC: <qemu-stable@nongnu.org> Reviewed-by: Eric Blake <eblake@redhat.com> Message-ID: <20230727105828.324314-1-den@openvz.org> Signed-off-by: Eric Blake <eblake@redhat.com> (cherry picked from commit e5b815b0defcc3617f473ba70c3e675ef0ee69c2) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: add reference to feb0814b3b48e75b336ad72eb303f9d579c94083 for 8.0 branch) 31 July 2023, 06:10:51 UTC
bdfecfb qemu-nbd: fix regression with qemu-nbd --fork run over ssh Commit e6df58a5578fee7a50bbf36f4a50a2781cff855d Author: Hanna Reitz <hreitz@redhat.com> Date: Wed May 8 23:18:18 2019 +0200 qemu-nbd: Do not close stderr has introduced an interesting regression. The original behavior of ssh somehost qemu-nbd /home/den/tmp/file -f raw --fork was the following: * qemu-nbd was started as a daemon * the command execution is done and ssh exited with success The patch has changed this behavior and the 'ssh' command now hangs forever. According to the normal specification of the daemon() call, we should end up with STDERR pointing to /dev/null. That should be done at the very end of the successful startup sequence when the pipe to the bootstrap process (used for diagnostics) is no longer needed. This could be achieved in the same way as done for the 'qemu-nbd -c' case. That was commit 0eaf453e, also fixing up e6df58a5. STDOUT copying to STDERR does the trick. This also leads to proper 'ssh' connection closing which fixes my original problem. Signed-off-by: Denis V. Lunev <den@openvz.org> CC: Eric Blake <eblake@redhat.com> CC: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> CC: Hanna Reitz <hreitz@redhat.com> CC: <qemu-stable@nongnu.org> Message-ID: <20230717145544.194786-3-den@openvz.org> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com> (cherry picked from commit 5c56dd27a2c905c9cf2472d2fd057621ce5fd00d) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
feb0814 qemu-nbd: pass structure into nbd_client_thread instead of plain char* We are going to pass an additional flag in the next patch. Signed-off-by: Denis V. Lunev <den@openvz.org> CC: Eric Blake <eblake@redhat.com> CC: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> CC: <qemu-stable@nongnu.org> Message-ID: <20230717145544.194786-2-den@openvz.org> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com> (cherry picked from commit 03b67621445d601c9cdc7dfe25812e9f19b81488) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
f90a8b9 linux-user: Fix signed math overflow in brk() syscall Fix the math overflow when calculating the new_malloc_size. new_host_brk_page and brk_page are unsigned integers. If userspace reduces the heap, new_host_brk_page is lower than brk_page which results in a huge positive number (but should actually be negative). Fix it by adding a proper check and as such make the code more readable. Signed-off-by: Helge Deller <deller@gmx.de> Tested-by: "Markus F.X.J. Oberhumer" <markus@oberhumer.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Fixes: 86f04735ac ("linux-user: Fix brk() to release pages") Cc: qemu-stable@nongnu.org Buglink: https://github.com/upx/upx/issues/683 (cherry picked from commit eac78a4b0b7da4de2c0a297f4d528ca9cc6256a3) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
c4a4731 linux-user: Prohibit brk() to shrink below initial heap address Since commit 86f04735ac ("linux-user: Fix brk() to release pages") it's possible for userspace applications to reduce their memory footprint by calling brk() with a lower address and free up memory. Before that commit guest heap memory was never unmapped. But the Linux kernel prohibits reducing brk() below the initial memory address, which is set at startup by the set_brk() function in binfmt_elf.c. Such a range check was missed in commit 86f04735ac. This patch adds the missing check by storing the initial brk value in initial_target_brk and verifying any new brk addresses against that value. Tested with the i386 upx binary from https://github.com/upx/upx/releases/download/v4.0.2/upx-4.0.2-i386_linux.tar.xz Signed-off-by: Helge Deller <deller@gmx.de> Tested-by: "Markus F.X.J. Oberhumer" <markus@oberhumer.com> Fixes: 86f04735ac ("linux-user: Fix brk() to release pages") Cc: qemu-stable@nongnu.org Buglink: https://github.com/upx/upx/issues/683 (cherry picked from commit dfe49864afb06e7e452a4366051697bc4fcfc1a5) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
0102c92 linux-user: Fix qemu brk() to not zero bytes on current page The qemu brk() implementation is too aggressive and cleans remaining bytes on the current page above the last brk address. But some existing applications are buggy and read/write bytes above their current heap address. On a physical machine this does not trigger a runtime error as long as the access happens on the same page. Additionally the Linux kernel allocates only full pages and does no zeroing on already allocated pages, even if the brk address is lowered. Fix qemu to behave the same way as the kernel does. Do not touch already allocated pages, and - when running with different page sizes of guest and host - zero out only those memory areas where the host page size is bigger than the guest page size. Signed-off-by: Helge Deller <deller@gmx.de> Tested-by: "Markus F.X.J. Oberhumer" <markus@oberhumer.com> Fixes: 86f04735ac ("linux-user: Fix brk() to release pages") Cc: qemu-stable@nongnu.org Buglink: https://github.com/upx/upx/issues/683 (cherry picked from commit 15ad98536ad9410fb32ddf1ff09389b677643faa) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
5de88d6 hw/nvme: fix endianness issue for shadow doorbells In commit 2fda0726e514 ("hw/nvme: fix missing endian conversions for doorbell buffers"), we fixed shadow doorbells for big-endian guests running on little endian hosts. But I did not fix little-endian guests on big-endian hosts. Fix this. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1765 Fixes: 3f7fe8de3d49 ("hw/nvme: Implement shadow doorbell buffer support") Cc: qemu-stable@nongnu.org Reported-by: Thomas Huth <thuth@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Tested-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Keith Busch <kbusch@kernel.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Klaus Jensen <k.jensen@samsung.com> (cherry picked from commit ea3c76f1494d0c75873c3b470e6e048202661ad8) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
0167759 linux-user: Make sure initial brk(0) is page-aligned Fixes: 86f04735ac ("linux-user: Fix brk() to release pages") Signed-off-by: Andreas Schwab <schwab@suse.de> Message-Id: <mvmpm55qnno.fsf@suse.de> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit d28b3c90cfad1a7e211ae2bce36ecb9071086129) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
35720b3 ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255) A wrong exit condition may lead to an infinite loop when inflating a valid zlib buffer containing some extra bytes in the `inflate_buffer` function. The bug only occurs post-authentication. Return the buffer immediately if the end of the compressed data has been reached (Z_STREAM_END). Fixes: CVE-2023-3255 Fixes: 0bf41cab ("ui/vnc: clipboard support") Reported-by: Kevin Denis <kevin.denis@synacktiv.com> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-ID: <20230704084210.101822-1-mcascell@redhat.com> (cherry picked from commit d921fea338c1059a27ce7b75309d7a2e485f710b) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
d1063b6 linux-user/arm: Do not allocate a commpage at all for M-profile CPUs Since commit fbd3c4cff6 ("linux-user/arm: Mark the commpage executable") executing bare-metal (linked with rdimon.specs) cortex-M code fails as: $ qemu-arm -cpu cortex-m3 ~/hello.exe.m3 qemu-arm: ../../accel/tcg/user-exec.c:492: page_set_flags: Assertion `last <= GUEST_ADDR_MAX' failed. Aborted (core dumped) Commit 4f5c67f8df ("linux-user/arm: Take more care allocating commpage") already took care of not allocating a commpage for M-profile CPUs, however it had to be reverted as commit 6cda41daa2. Re-introduce the M-profile fix from commit 4f5c67f8df. Fixes: fbd3c4cff6 ("linux-user/arm: Mark the commpage executable") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1755 Reported-by: Christophe Lyon <christophe.lyon@linaro.org> Suggested-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Anton Johansson <anjo@rev.ng> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20230711153408.68389-1-philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit d713cf4d6c71076513a10528303b3e337b4d5998) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
fa72d8b tcg: Fix info_in_idx increment in layout_arg_by_ref Off by one error, failing to take into account that layout_arg_1 already incremented info_in_idx for the first piece. We only need care for the n-1 TCG_CALL_ARG_BY_REF_N pieces here. Cc: qemu-stable@nongnu.org Fixes: 313bdea84d2 ("tcg: Add TCG_CALL_{RET,ARG}_BY_REF") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1751 Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Tested-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit e18ed26ce785f74a17e6f3a095647e08ba6fc669) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
7b336dc linux-user/syscall: Implement execve without execveat Support for the execveat syscall was implemented in 55bbe4 and is available since QEMU 8.0.0. It relies on host execveat, which is widely available on most Linux kernels today. However, this change breaks qemu-user self emulation if the "host" qemu version is less than 8.0.0. Indeed, it does not yet implement execveat. This strange use case happens with most distributions today having binfmt support. With a concrete failing example: $ qemu-x86_64-7.2 qemu-x86_64-8.0 /bin/bash -c /bin/ls /bin/bash: line 1: /bin/ls: Function not implemented -> not implemented means execve returned ENOSYS qemu-user-static 7.2 and 8.0 can be conveniently grabbed from debian packages qemu-user-static* [1]. One usage of this is running wine-arm64 from linux-x64 (details [2]). It was by updating the qemu embedded in a docker image that we ran into this issue. The solution of updating the host qemu is not always possible. Either it's complicated or asks you to recompile it, or simply is not accessible (GitLab CI, GitHub Actions). Thus, it could be worth implementing execve without relying on execveat, which is the goal of this patch. This patch was tested with the example presented in this commit message. [1] http://ftp.us.debian.org/debian/pool/main/q/qemu/ [2] https://www.linaro.org/blog/emulate-windows-on-arm/ Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Message-Id: <20230705121023.973284-1-pierrick.bouvier@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 7a8d9f3a0e882df50681e40f09c29cfb4966ea2d) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
c280ac3 hw/ide/piix: properly initialize the BMIBA register According to the 82371FB documentation (82371FB.pdf, 2.3.9. BMIBA-BUS MASTER INTERFACE BASE ADDRESS REGISTER, April 1997), the register is 32 bits wide. To properly reset it to default values, all 32 bits need to be cleared. Bit #0 "Resource Type Indicator (RTE)" needs to be enabled. The initial change wrote just the lower 8 bits, leaving parts of the "Bus Master Interface Base Address" address at bits 15:4 unchanged. Fixes: e6a71ae327 ("Add support for 82371FB (Step A1) and Improved support for 82371SB (Function 1)") Signed-off-by: Olaf Hering <olaf@aepfle.de> Reviewed-by: Bernhard Beschow <shentey@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-ID: <20230712074721.14728-1-olaf@aepfle.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 230dfd9257e92259876c113e58b5f0d22b056d2e) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
520d5fb target/mips: enable GINVx support for I6400 and I6500 GINVI and GINVT operations are supported on MIPS I6400 and I6500 cores, so indicate that properly in CP0.Config5 register bits [16:15]. Cc: qemu-stable@nongnu.org Signed-off-by: Marcin Nowakowski <marcin.nowakowski@fungible.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20230630072806.3093704-1-marcin.nowakowski@fungible.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit baf21eebc3e1026d21d94fdf8ca470050e49968f) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
b2b1b99 target/s390x: Fix LRA when DAT is off LRA should perform DAT regardless of whether it's on or off. Disable DAT check for MMU_S390_LRA. Fixes: defb0e3157af ("s390x: Implement opcode helpers") Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Cc: qemu-stable@nongnu.org Message-Id: <20230704081506.276055-7-iii@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit b0ef81062d2404ccef0289b1cc6e70244901c9be) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
523f529 target/s390x: Fix LRA overwriting the top 32 bits on DAT error When a DAT error occurs, LRA is supposed to write the error information to the bottom 32 bits of R1, and leave the top 32 bits of R1 alone. Fix by passing the original value of R1 into helper and copying the top 32 bits to the return value. Fixes: d8fe4a9c284f ("target-s390: Convert LRA") Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Cc: qemu-stable@nongnu.org Message-Id: <20230704081506.276055-6-iii@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit 6da311a60d58dba27f5f790217d5ebba944e34ab) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
eefa524 target/s390x: Fix MVCRL with a large value in R0 Using a large R0 causes an assertion error: qemu-s390x: target/s390x/tcg/mem_helper.c:183: access_prepare_nf: Assertion `size > 0 && size <= 4096' failed. Even though PoP explicitly advises against using more than 8 bits for the size, an emulator crash is never a good thing. Fix by truncating the size to 8 bits. Fixes: ea0a1053e276 ("s390x/tcg: Implement Miscellaneous-Instruction-Extensions Facility 3 for the s390x") Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Cc: qemu-stable@nongnu.org Message-Id: <20230704081506.276055-5-iii@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit 92a57534619a4058544ce8f9c0beae3e054f342b) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
aa30895 target/s390x: Fix MDEB and MDEBR These instructions multiply 32 bits by 32 bits, not 32 bits by 64 bits. Fixes: 83b00736f3d8 ("target-s390: Convert FP MULTIPLY") Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Cc: qemu-stable@nongnu.org Message-Id: <20230704081506.276055-4-iii@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit fed9a4fe0ce0ec917a6b3a2da0a7ecd3cb9eba56) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
70ba7cb target/s390x: Fix EPSW CC reporting EPSW should explicitly calculate and insert CC, like IPM does. Fixes: e30a9d3fea58 ("target-s390: Implement EPSW") Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Cc: qemu-stable@nongnu.org Message-Id: <20230704081506.276055-3-iii@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit 110b1bac2ecd94a78a1d38003e24e37367bf074e) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
f48e3ec vfio: Fix null pointer dereference bug in vfio_bars_finalize() vfio_realize() has the following flow: 1. vfio_bars_prepare() -- sets VFIOBAR->size. 2. msix_early_setup(). 3. vfio_bars_register() -- allocates VFIOBAR->mr. After vfio_bars_prepare() is called msix_early_setup() can fail. If it does fail, vfio_bars_register() is never called and VFIOBAR->mr is not allocated. In this case, vfio_bars_finalize() is called as part of the error flow to free the bars' resources. However, vfio_bars_finalize() calls object_unparent() for VFIOBAR->mr after checking only VFIOBAR->size, and thus we get a null pointer dereference. Fix it by checking VFIOBAR->mr in vfio_bars_finalize(). Fixes: 89d5202edc50 ("vfio/pci: Allow relocating MSI-X MMIO") Signed-off-by: Avihai Horon <avihaih@nvidia.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Alex Williamson <alex.williamson@redhat.com> Signed-off-by: Cédric Le Goater <clg@redhat.com> (cherry picked from commit 8af87a3ec7e42ff1b9cf75ceee0451c31e34d153) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
43462f7 linux-user: Fix accept4(SOCK_NONBLOCK) syscall The Linux accept4() syscall allows two flags only: SOCK_NONBLOCK and SOCK_CLOEXEC, and returns -EINVAL if any other bits have been set. Change the qemu implementation accordingly, which means we can not use the fcntl_flags_tbl[] translation table which allows too many other values. Beside the correction in behaviour, this actually fixes the accept4() emulation for hppa, mips and alpha targets for which SOCK_NONBLOCK is different than TARGET_SOCK_NONBLOCK (aka O_NONBLOCK). The fix can be verified with the testcase of the debian lwt package, which hangs forever in a read() syscall without this patch. Signed-off-by: Helge Deller <deller@gmx.de> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit dca4c8384d68bbf5d67f50a5446865d92d61f032) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:38 UTC
741df48 linux-user: Fix fcntl() and fcntl64() to return O_LARGEFILE for 32-bit targets When running a 32-bit guest on a 64-bit host, fcntl[64](F_GETFL) should return with the TARGET_O_LARGEFILE flag set, because all 64-bit hosts support large files unconditionally. But on 64-bit hosts, O_LARGEFILE has the value 0, so the flag translation can't be done with the fcntl_flags_tbl[]. Instead add the TARGET_O_LARGEFILE flag afterwards. Note that for 64-bit guests the compiler will optimize away this code, since TARGET_O_LARGEFILE is zero. Signed-off-by: Helge Deller <deller@gmx.de> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit e0ddf8eac9f83c0bc5a3d39605d873ee0fe53421) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 31 July 2023, 05:52:37 UTC
73d6ac2 hw/ppc: Fix clock update drift The clock update logic reads the clock twice to compute the new clock value, with a value derived from the later time subtracted from a value derived from the earlier time. The delta causes time to be lost. This can ultimately result in time becoming unsynchronized between CPUs and that can cause OS lockups, timeouts, watchdogs, etc. This can be seen running a KVM guest (that causes lots of TB updates) on a powernv SMP machine. Fix this by reading the clock once. Cc: qemu-stable@nongnu.org Fixes: dbdd25065e90 ("Implement time-base start/stop helpers.") Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Reviewed-by: Cédric Le Goater <clg@kaod.org> Reviewed-by: Frederic Barrat <fbarrat@linux.ibm.com> Message-ID: <20230629020713.327745-1-npiggin@gmail.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com> (cherry picked from commit 2ad2e113deb5663e69a05dd6922cbfc6d7ea34d3) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 17 July 2023, 11:23:05 UTC
720db12 qemu_cleanup: begin drained section after vm_shutdown() in order to avoid requests being stuck in a BlockBackend's request queue during cleanup. Having such requests can lead to a deadlock [0] with a virtio-scsi-pci device using iothread that's busy with IO when initiating a shutdown with QMP 'quit'. There is a race where such a queued request can continue sometime (maybe after bdrv_child_free()?) during bdrv_root_unref_child() [1]. The completion will hold the AioContext lock and wait for the BQL during SCSI completion, but the main thread will hold the BQL and wait for the AioContext as part of bdrv_root_unref_child(), leading to the deadlock [0]. [0]: > Thread 3 (Thread 0x7f3bbd87b700 (LWP 135952) "qemu-system-x86"): > #0 __lll_lock_wait (futex=futex@entry=0x564183365f00 <qemu_global_mutex>, private=0) at lowlevellock.c:52 > #1 0x00007f3bc1c0d843 in __GI___pthread_mutex_lock (mutex=0x564183365f00 <qemu_global_mutex>) at ../nptl/pthread_mutex_lock.c:80 > #2 0x0000564182939f2e in qemu_mutex_lock_impl (mutex=0x564183365f00 <qemu_global_mutex>, file=0x564182b7f774 "../softmmu/physmem.c", line=2593) at ../util/qemu-thread-posix.c:94 > #3 0x000056418247cc2a in qemu_mutex_lock_iothread_impl (file=0x564182b7f774 "../softmmu/physmem.c", line=2593) at ../softmmu/cpus.c:504 > #4 0x00005641826d5325 in prepare_mmio_access (mr=0x5641856148a0) at ../softmmu/physmem.c:2593 > #5 0x00005641826d6fe7 in address_space_stl_internal (as=0x56418679b310, addr=4276113408, val=16418, attrs=..., result=0x0, endian=DEVICE_LITTLE_ENDIAN) at /home/febner/repos/qemu/memory_ldst.c.inc:318 > #6 0x00005641826d7154 in address_space_stl_le (as=0x56418679b310, addr=4276113408, val=16418, attrs=..., result=0x0) at /home/febner/repos/qemu/memory_ldst.c.inc:357 > #7 0x0000564182374b07 in pci_msi_trigger (dev=0x56418679b0d0, msg=...) at ../hw/pci/pci.c:359 > #8 0x000056418237118b in msi_send_message (dev=0x56418679b0d0, msg=...) at ../hw/pci/msi.c:379 > #9 0x0000564182372c10 in msix_notify (dev=0x56418679b0d0, vector=8) at ../hw/pci/msix.c:542 > #10 0x000056418243719c in virtio_pci_notify (d=0x56418679b0d0, vector=8) at ../hw/virtio/virtio-pci.c:77 > #11 0x00005641826933b0 in virtio_notify_vector (vdev=0x5641867a34a0, vector=8) at ../hw/virtio/virtio.c:1985 > #12 0x00005641826948d6 in virtio_irq (vq=0x5641867ac078) at ../hw/virtio/virtio.c:2461 > #13 0x0000564182694978 in virtio_notify (vdev=0x5641867a34a0, vq=0x5641867ac078) at ../hw/virtio/virtio.c:2473 > #14 0x0000564182665b83 in virtio_scsi_complete_req (req=0x7f3bb000e5d0) at ../hw/scsi/virtio-scsi.c:115 > #15 0x00005641826670ce in virtio_scsi_complete_cmd_req (req=0x7f3bb000e5d0) at ../hw/scsi/virtio-scsi.c:641 > #16 0x000056418266736b in virtio_scsi_command_complete (r=0x7f3bb0010560, resid=0) at ../hw/scsi/virtio-scsi.c:712 > #17 0x000056418239aac6 in scsi_req_complete (req=0x7f3bb0010560, status=2) at ../hw/scsi/scsi-bus.c:1526 > #18 0x000056418239e090 in scsi_handle_rw_error (r=0x7f3bb0010560, ret=-123, acct_failed=false) at ../hw/scsi/scsi-disk.c:242 > #19 0x000056418239e13f in scsi_disk_req_check_error (r=0x7f3bb0010560, ret=-123, acct_failed=false) at ../hw/scsi/scsi-disk.c:265 > #20 0x000056418239e482 in scsi_dma_complete_noio (r=0x7f3bb0010560, ret=-123) at ../hw/scsi/scsi-disk.c:340 > #21 0x000056418239e5d9 in scsi_dma_complete (opaque=0x7f3bb0010560, ret=-123) at ../hw/scsi/scsi-disk.c:371 > #22 0x00005641824809ad in dma_complete (dbs=0x7f3bb000d9d0, ret=-123) at ../softmmu/dma-helpers.c:107 > #23 0x0000564182480a72 in dma_blk_cb (opaque=0x7f3bb000d9d0, ret=-123) at ../softmmu/dma-helpers.c:127 > #24 0x00005641827bf78a in blk_aio_complete (acb=0x7f3bb00021a0) at ../block/block-backend.c:1563 > #25 0x00005641827bfa5e in blk_aio_write_entry (opaque=0x7f3bb00021a0) at ../block/block-backend.c:1630 > #26 0x000056418295638a in coroutine_trampoline (i0=-1342102448, i1=32571) at ../util/coroutine-ucontext.c:177 > #27 0x00007f3bc0caed40 in ?? () from /lib/x86_64-linux-gnu/libc.so.6 > #28 0x00007f3bbd8757f0 in ?? () > #29 0x0000000000000000 in ?? () > > Thread 1 (Thread 0x7f3bbe3e9280 (LWP 135944) "qemu-system-x86"): > #0 __lll_lock_wait (futex=futex@entry=0x5641856f2a00, private=0) at lowlevellock.c:52 > #1 0x00007f3bc1c0d8d1 in __GI___pthread_mutex_lock (mutex=0x5641856f2a00) at ../nptl/pthread_mutex_lock.c:115 > #2 0x0000564182939f2e in qemu_mutex_lock_impl (mutex=0x5641856f2a00, file=0x564182c0e319 "../util/async.c", line=728) at ../util/qemu-thread-posix.c:94 > #3 0x000056418293a140 in qemu_rec_mutex_lock_impl (mutex=0x5641856f2a00, file=0x564182c0e319 "../util/async.c", line=728) at ../util/qemu-thread-posix.c:149 > #4 0x00005641829532d5 in aio_context_acquire (ctx=0x5641856f29a0) at ../util/async.c:728 > #5 0x000056418279d5df in bdrv_set_aio_context_commit (opaque=0x5641856e6e50) at ../block.c:7493 > #6 0x000056418294e288 in tran_commit (tran=0x56418630bfe0) at ../util/transactions.c:87 > #7 0x000056418279d880 in bdrv_try_change_aio_context (bs=0x5641856f7130, ctx=0x56418548f810, ignore_child=0x0, errp=0x0) at ../block.c:7626 > #8 0x0000564182793f39 in bdrv_root_unref_child (child=0x5641856f47d0) at ../block.c:3242 > #9 0x00005641827be137 in blk_remove_bs (blk=0x564185709880) at ../block/block-backend.c:914 > #10 0x00005641827bd689 in blk_remove_all_bs () at ../block/block-backend.c:583 > #11 0x0000564182798699 in bdrv_close_all () at ../block.c:5117 > #12 0x000056418248a5b2 in qemu_cleanup () at ../softmmu/runstate.c:821 > #13 0x0000564182738603 in qemu_default_main () at ../softmmu/main.c:38 > #14 0x0000564182738631 in main (argc=30, argv=0x7ffd675a8a48) at ../softmmu/main.c:48 > > (gdb) p *((QemuMutex*)0x5641856f2a00) > $1 = {lock = {__data = {__lock = 2, __count = 2, __owner = 135952, ... > (gdb) p *((QemuMutex*)0x564183365f00) > $2 = {lock = {__data = {__lock = 2, __count = 0, __owner = 135944, ... [1]: > Thread 1 "qemu-system-x86" hit Breakpoint 5, bdrv_drain_all_end () at ../block/io.c:551 > #0 bdrv_drain_all_end () at ../block/io.c:551 > #1 0x00005569810f0376 in bdrv_graph_wrlock (bs=0x0) at ../block/graph-lock.c:156 > #2 0x00005569810bd3e0 in bdrv_replace_child_noperm (child=0x556982e2d7d0, new_bs=0x0) at ../block.c:2897 > #3 0x00005569810bdef2 in bdrv_root_unref_child (child=0x556982e2d7d0) at ../block.c:3227 > #4 0x00005569810e8137 in blk_remove_bs (blk=0x556982e42880) at ../block/block-backend.c:914 > #5 0x00005569810e7689 in blk_remove_all_bs () at ../block/block-backend.c:583 > #6 0x00005569810c2699 in bdrv_close_all () at ../block.c:5117 > #7 0x0000556980db45b2 in qemu_cleanup () at ../softmmu/runstate.c:821 > #8 0x0000556981062603 in qemu_default_main () at ../softmmu/main.c:38 > #9 0x0000556981062631 in main (argc=30, argv=0x7ffd7a82a418) at ../softmmu/main.c:48 > [Switching to Thread 0x7fe76dab2700 (LWP 103649)] > > Thread 3 "qemu-system-x86" hit Breakpoint 4, blk_inc_in_flight (blk=0x556982e42880) at ../block/block-backend.c:1505 > #0 blk_inc_in_flight (blk=0x556982e42880) at ../block/block-backend.c:1505 > #1 0x00005569810e8f36 in blk_wait_while_drained (blk=0x556982e42880) at ../block/block-backend.c:1312 > #2 0x00005569810e9231 in blk_co_do_pwritev_part (blk=0x556982e42880, offset=3422961664, bytes=4096, qiov=0x556983028060, qiov_offset=0, flags=0) at ../block/block-backend.c:1402 > #3 0x00005569810e9a4b in blk_aio_write_entry (opaque=0x556982e2cfa0) at ../block/block-backend.c:1628 > #4 0x000055698128038a in coroutine_trampoline (i0=-2090057872, i1=21865) at ../util/coroutine-ucontext.c:177 > #5 0x00007fe770f50d40 in ?? () from /lib/x86_64-linux-gnu/libc.so.6 > #6 0x00007ffd7a829570 in ?? () > #7 0x0000000000000000 in ?? () Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> Message-ID: <20230706131418.423713-1-f.ebner@proxmox.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit ca2a5e630dc1f569266fb663bf0b65e4eb433fb2) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 09 July 2023, 13:02:39 UTC
bcb1e05 virtio-net: correctly report maximum tx_queue_size value Maximum value for tx_queue_size depends on the backend type. 1024 for vDPA/vhost-user, 256 for all the others. The value is returned by virtio_net_max_tx_queue_size() to set the parameter: n->net_conf.tx_queue_size = MIN(virtio_net_max_tx_queue_size(n), n->net_conf.tx_queue_size); But the parameter checking uses VIRTQUEUE_MAX_SIZE (1024). So the parameter is silently ignored and ethtool reports a different value than the one provided by the user. ... -netdev tap,... -device virtio-net,tx_queue_size=1024 # ethtool -g enp0s2 Ring parameters for enp0s2: Pre-set maximums: RX: 256 RX Mini: n/a RX Jumbo: n/a TX: 256 Current hardware settings: RX: 256 RX Mini: n/a RX Jumbo: n/a TX: 256 ... -netdev vhost-user,... -device virtio-net,tx_queue_size=2048 Invalid tx_queue_size (= 2048), must be a power of 2 between 256 and 1024 With this patch the correct maximum value is checked and displayed. For vDPA/vhost-user: Invalid tx_queue_size (= 2048), must be a power of 2 between 256 and 1024 For all the others: Invalid tx_queue_size (= 512), must be a power of 2 between 256 and 256 Fixes: 2eef278b9e63 ("virtio-net: fix tx queue size for !vhost-user") Cc: mst@redhat.com Cc: qemu-stable@nongnu.org Signed-off-by: Laurent Vivier <lvivier@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit 4271f4038372f174dbafffacca1a748d058a03ba) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 09 July 2023, 11:46:14 UTC
a342ce9 Update version for 8.0.3 release Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 08 July 2023, 21:34:33 UTC
fb64b62 target/arm: Fix SME full tile indexing For the outer product set of insns, which take an entire matrix tile as output, the argument is not a combined tile+column. Therefore using get_tile_rowcol was incorrect, as we extracted the tile number from itself. The test case relies only on assembler support for SME, since no release of GCC recognizes -march=armv9-a+sme yet. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1620 Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230622151201.1578522-5-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> [PMM: dropped now-unneeded changes to sysregs CFLAGS] Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 1f51573f7925b80e79a29f87c7d9d6ead60960c0) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: fixup context in tests/tcg/aarch64/Makefile.target) 08 July 2023, 06:17:22 UTC
d2402a8 accel/tcg: Assert one page in tb_invalidate_phys_page_range__locked Ensure that both the start and last addresses are within the same guest page. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20230629082522.606219-3-mark.cave-ayland@ilande.co.uk> [rth: Use tcg_debug_assert, simplify the expression] Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit e665cf72fe6357945fdbecf747dac58c0c7c7c66) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 02 July 2023, 19:10:28 UTC
78e8c9c accel/tcg: Fix start page passed to tb_invalidate_phys_page_range__locked Due to a copy-paste error in tb_invalidate_phys_range, the wrong start address was passed to tb_invalidate_phys_page_range__locked. Correct is to use the start of each page in turn. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Fixes: e506ad6a05 ("accel/tcg: Pass last not end to tb_invalidate_phys_range") Message-Id: <20230629082522.606219-2-mark.cave-ayland@ilande.co.uk> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 3307e08c6f142bb3d2406cfbc0ee19359748b51a) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 02 July 2023, 19:09:17 UTC
477ab90 ui/gtk: set the area of the scanout texture correctly The x and y offsets and the width and height of the scanout texture are not correctly configured in case the guest scanout frame is a dmabuf. Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Marc-André Lureau <marcandre.lureau@redhat.com> Cc: Vivek Kasireddy <vivek.kasireddy@intel.com> Signed-off-by: Dongwon Kim <dongwon.kim@intel.com> Message-ID: <20230621213150.29573-1-dongwon.kim@intel.com> (cherry picked from commit 37802a24eb4e535d96d6fe0273505d2b5c6528c2) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 02 July 2023, 04:49:12 UTC
df1e45c linux-user: Avoid mmap of the last byte of the reserved_va There is an overflow problem in mmap_find_vma_reserved: when reserved_va == UINT32_MAX, end may overflow to 0. Rather than a larger rewrite at this time, simply avoid the final byte of the VA, which avoids searching the final page, which avoids the overflow. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1741 Fixes: 95059f9c ("include/exec: Change reserved_va semantics to last byte") Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Tested-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Message-Id: <20230629080835.71371-1-richard.henderson@linaro.org> (cherry picked from commit 605a8b5491a119a2a6efbf61e5a38f9374645990) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 01 July 2023, 10:57:27 UTC
383fb8c vfio/pci: Call vfio_prepare_kvm_msi_virq_batch() in MSI retry path When vfio_enable_vectors() returns with less than requested nr_vectors we retry with what kernel reported back. But the retry path doesn't call vfio_prepare_kvm_msi_virq_batch() and this results in, qemu-system-aarch64: vfio: Error: Failed to enable 4 MSI vectors, retry with 1 qemu-system-aarch64: ../hw/vfio/pci.c:602: vfio_commit_kvm_msi_virq_batch: Assertion `vdev->defer_kvm_irq_routing' failed Fixes: dc580d51f7dd ("vfio: defer to commit kvm irq routing when enable msi/msix") Reviewed-by: Longpeng <longpeng2@huawei.com> Signed-off-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Signed-off-by: Cédric Le Goater <clg@redhat.com> (cherry picked from commit c17408892319712c12357e5d1c6b305499c58c2a) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 30 June 2023, 16:02:13 UTC
58b3e4f vfio/pci: Fix a segfault in vfio_realize The kvm irqchip notifier is only registered if the device supports INTx, however it's unconditionally removed in vfio realize error path. If the assigned device does not support INTx, this will cause QEMU to crash when vfio realize fails. Change it to conditionally remove the notifier only if the notify hook is setup. Before fix: (qemu) device_add vfio-pci,host=81:11.1,id=vfio1,bus=root1,xres=1 Connection closed by foreign host. After fix: (qemu) device_add vfio-pci,host=81:11.1,id=vfio1,bus=root1,xres=1 Error: vfio 0000:81:11.1: xres and yres properties require display=on (qemu) Fixes: c5478fea27ac ("vfio/pci: Respond to KVM irqchip change notifier") Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Joao Martins <joao.m.martins@oracle.com> Signed-off-by: Cédric Le Goater <clg@redhat.com> (cherry picked from commit 357bd7932a136613d700ee8bc83e9165f059d1f7) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 30 June 2023, 16:00:39 UTC
55ee115 target/ppc: Fix decrementer time underflow and infinite timer loop It is possible to store a very large value to the decrementer such that it does not raise the decrementer exception, so the timer is scheduled, but the next time value wraps and is treated as in the past. This can occur if (u64)-1 is stored on a zero-triggered exception, or (u64)-1 is stored twice on an underflow-triggered exception, for example. If such a value is set in DECAR, it gets stored to the decrementer by the timer function, which then immediately causes another timer, which hangs QEMU. Clamp the decrementer to the implemented width, and use that as the value for the timer calculation, effectively preventing this overflow. Reported-by: sdicaro@DDCI.com Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Message-Id: <20230530131214.373524-1-npiggin@gmail.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com> (cherry picked from commit 09d2db9f46e38e2da990df8ad914d735d764251a) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 30 June 2023, 06:18:28 UTC
ce63312 vhost: fix vhost_dev_enable_notifiers() error case In vhost_dev_enable_notifiers(), if virtio_bus_set_host_notifier(true) fails, we call vhost_dev_disable_notifiers() that executes virtio_bus_set_host_notifier(false) on all queues, even on queues that have failed to be initialized. This triggers a core dump in memory_region_del_eventfd(): virtio_bus_set_host_notifier: unable to init event notifier: Too many open files (-24) vhost VQ 1 notifier binding failed: 24 .../softmmu/memory.c:2611: memory_region_del_eventfd: Assertion `i != mr->ioeventfd_nb' failed. Fix the problem by providing to vhost_dev_disable_notifiers() the number of queues to disable. Fixes: 8771589b6f81 ("vhost: simplify vhost_dev_enable_notifiers") Cc: longpeng2@huawei.com Signed-off-by: Laurent Vivier <lvivier@redhat.com> Message-Id: <20230602162735.3670785-1-lvivier@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit 92099aa4e9a3bb6856c290afaf41c76f9e3dd9fd) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 30 June 2023, 06:13:00 UTC
246b0cf vdpa: mask _F_CTRL_GUEST_OFFLOADS for vhost vdpa devices QEMU does not emulate it so it must be disabled as long as the backend does not support it. Signed-off-by: Eugenio Pérez <eperezma@redhat.com> Message-Id: <20230602173328.1917385-1-eperezma@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> Tested-by: Lei Yang <leiyang@redhat.com> (cherry picked from commit 51e84244a7799172f4239482199e9b4bdcd23172) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 30 June 2023, 06:11:26 UTC
5e88385 icount: don't adjust virtual time backwards after warp The icount-based QEMU_CLOCK_VIRTUAL runs ahead of the RT clock at times. When warping, it is possible it is still ahead at the end of the warp, which causes icount adaptive mode to adjust it backward. This can result in the machine observing time going backwards. Prevent this by clamping adaptive adjustment to 0 at minimum. Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Message-ID: <20230627061406.241847-1-npiggin@gmail.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 67f85346ca9305d9fb3254ceff735ceaadeb0911) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 29 June 2023, 15:17:49 UTC
a76c512 Revert "hw/sparc64/niagara: Use blk_name() instead of open-coding it" This reverts commit 1881f336a33a8a99cb17ab1c57ed953682e8e107. This commit breaks "-drive if=pflash,readonly=on,file=image.iso". It claims to merely replace an open-coded version of blk_name() by a call, but that's not the case. Sorry for the inconvenience! Reported-by: Jakub Jermář <jakub@jermar.eu> Cc: qemu-stable@nongnu.org Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20230515151104.1350155-1-armbru@redhat.com> Acked-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> (cherry picked from commit ac5e8c1dec246950d73e22dceab5cb36e82aac0b) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 28 June 2023, 15:57:11 UTC
8c792a5 virtio-gpu: Make non-gl display updates work again when blob=true In the case where the console does not have gl capability, and if blob is set to true, make sure that the display updates still work. Commit e86a93f55463 accidentally broke this by misplacing the return statement (in resource_flush) causing the updates to be silently ignored. Fixes: e86a93f55463 ("virtio-gpu: splitting one extended mode guest fb into n-scanouts") Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Marc-André Lureau <marcandre.lureau@redhat.com> Cc: Dongwon Kim <dongwon.kim@intel.com> Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-ID: <20230623060454.3749910-1-vivek.kasireddy@intel.com> (cherry picked from commit 34e29d85a7734802317c4cac9ad52b10d461c1dc) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 28 June 2023, 15:52:17 UTC
dc4c852 ui: return NULL when getting cursor without a console VNC may try to get the current cursor even when there are no consoles and crashes. Simple reproducer is qemu with -nodefaults. Fixes: (again) https://gitlab.com/qemu-project/qemu/-/issues/1548 Fixes: commit 385ac97f8 ("ui: keep current cursor with QemuConsole") Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20230428154807.2143652-1-marcandre.lureau@redhat.com> (cherry picked from commit 333e7599a0d723801235f675719008ce43db93e3) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 28 June 2023, 15:50:48 UTC
aab37b2 vhost-vdpa: do not cleanup the vdpa/vhost-net structures if peer nic is present When a peer nic is still attached to the vdpa backend, it is too early to free up the vhost-net and vdpa structures. If these structures are freed here, then QEMU crashes when the guest is being shut down. The following call chain would result in an assertion failure since the pointer returned from vhost_vdpa_get_vhost_net() would be NULL: do_vm_stop() -> vm_state_notify() -> virtio_set_status() -> virtio_net_vhost_status() -> get_vhost_net(). Therefore, we defer freeing up the structures until at guest shutdown time when qemu_cleanup() calls net_cleanup() which then calls qemu_del_net_client() which would eventually call vhost_vdpa_cleanup() again to free up the structures. This time, the loop in net_cleanup() ensures that vhost_vdpa_cleanup() will be called one last time when all the peer nics are detached and freed. All unit tests pass with this change. CC: imammedo@redhat.com CC: jusual@redhat.com CC: mst@redhat.com Fixes: CVE-2023-3301 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2128929 Signed-off-by: Ani Sinha <anisinha@redhat.com> Message-Id: <20230619065209.442185-1-anisinha@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit a0d7215e339b61c7d7a7b3fcf754954d80d93eb8) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: context change for stable-8.0) 26 June 2023, 16:55:29 UTC
d33534a vdpa: fix not using CVQ buffer in case of error Bug introduced when refactoring. Otherwise, the guest never received the used buffer. Fixes: be4278b65fc1 ("vdpa: extract vhost_vdpa_net_cvq_add from vhost_vdpa_net_handle_ctrl_avail") Signed-off-by: Eugenio Pérez <eperezma@redhat.com> Message-Id: <20230602173451.1917999-1-eperezma@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> Tested-by: Lei Yang <leiyang@redhat.com> (cherry picked from commit d45243bcfc61a3c34f96a4fc34bffcb9929daba0) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 26 June 2023, 16:55:29 UTC
46fe2de vhost: release virtqueue objects in error path vhost_dev_start function does not release virtqueue objects when event_notifier_init() function fails. Release virtqueue objects and log a message about function failure. Signed-off-by: Prasad Pandit <pjp@fedoraproject.org> Message-Id: <20230529114333.31686-3-ppandit@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Fixes: f9a09ca3ea ("vhost: add support for configure interrupt") Reviewed-by: Peter Xu <peterx@redhat.com> Cc: qemu-stable@nongnu.org Acked-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit 77ece20ba04582d94c345ac0107ddff2fd18d27a) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 26 June 2023, 16:55:29 UTC
c105258 vhost: release memory_listener object in error path vhost_dev_start function does not release memory_listener object in case of an error. This may crash the guest when vhost is unable to set memory table: stack trace of thread 125653: Program terminated with signal SIGSEGV, Segmentation fault #0 memory_listener_register (qemu-kvm + 0x6cda0f) #1 vhost_dev_start (qemu-kvm + 0x699301) #2 vhost_net_start (qemu-kvm + 0x45b03f) #3 virtio_net_set_status (qemu-kvm + 0x665672) #4 qmp_set_link (qemu-kvm + 0x548fd5) #5 net_vhost_user_event (qemu-kvm + 0x552c45) #6 tcp_chr_connect (qemu-kvm + 0x88d473) #7 tcp_chr_new_client (qemu-kvm + 0x88cf83) #8 tcp_chr_accept (qemu-kvm + 0x88b429) #9 qio_net_listener_channel_func (qemu-kvm + 0x7ac07c) #10 g_main_context_dispatch (libglib-2.0.so.0 + 0x54e2f) Release memory_listener objects in the error path. Signed-off-by: Prasad Pandit <pjp@fedoraproject.org> Message-Id: <20230529114333.31686-2-ppandit@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Xu <peterx@redhat.com> Fixes: c471ad0e9b ("vhost_net: device IOTLB support") Cc: qemu-stable@nongnu.org Acked-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit 1e3ffb34f764f8ac4c003b2b2e6a775b2b073a16) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 26 June 2023, 16:55:29 UTC
b62e5d8 target/hppa: Update to SeaBIOS-hppa version 8 Update SeaBIOS-hppa to version 8. Fixes: - boot of HP-UX with SMP, and - reboot of Linux and HP-UX with SMP Enhancements: - show qemu version in boot menu - adds exit menu entry in boot menu to quit emulation - allow to trace PCD_CHASSIS codes & machine run status Signed-off-by: Helge Deller <deller@gmx.de> (cherry picked from commit 34ec3aea54368a92b62a55c656335885ba8c65ef) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 26 June 2023, 16:35:09 UTC
06f32b3 target/hppa: New SeaBIOS-hppa version 7 Update SeaBIOS-hppa to version 7 which fixes a boot problem with Debian-12 install CD images. The problem with Debian-12 is that the ramdisk got bigger than what the firmware could load in one call to the LSI scsi driver. Signed-off-by: Helge Deller <deller@gmx.de> (cherry picked from commit bb9c998ca9343d445c76b69fa15dea9db692f526) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: pick this one before picking next 34ec3aea54368a92b6 "SeaBIOS-hppa version 8") 26 June 2023, 16:34:58 UTC
29c7530 target/hppa: Provide qemu version via fw_cfg to firmware Give current QEMU version string to SeaBIOS-hppa via fw_cfg interface so that the firmware can show the QEMU version in the boot menu info. Signed-off-by: Helge Deller <deller@gmx.de> (cherry picked from commit 069d296669448b9eef72c6332ae84af962d9582c) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 26 June 2023, 16:34:58 UTC
8fa1462 target/hppa: Fix OS reboot issues When the OS triggers a reboot, the reset helper function sends a qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET) together with an EXCP_HLT exception to halt the CPUs. So, at reboot when initializing the CPUs again, make sure to set all instruction pointers to the firmware entry point, disable any interrupts, disable data and instruction translations, enable PSW_Q bit and tell qemu to unhalt (halted=0) the CPUs again. This fixes the various reboot issues which were seen when rebooting a Linux VM, including the case where even the monarch CPU has been virtually halted from the OS (e.g. via "chcpu -d 0" inside the Linux VM). Signed-off-by: Helge Deller <deller@gmx.de> (cherry picked from commit 50ba97e928b44ff5bc731c9ffe68d86acbe44639) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 26 June 2023, 16:34:58 UTC
deb40cf pc-bios/keymaps: Use the official xkb name for Arabic layout, not the legacy synonym The xkb official name for the Arabic keyboard layout is 'ara'. However xkb has for at least the past 15 years also permitted it to be named via the legacy synonym 'ar'. In xkeyboard-config 2.39 this synonym was removed, which breaks compilation of QEMU: FAILED: pc-bios/keymaps/ar /home/fred/qemu-git/src/qemu/build-full/qemu-keymap -f pc-bios/keymaps/ar -l ar xkbcommon: ERROR: Couldn't find file "symbols/ar" in include paths xkbcommon: ERROR: 1 include paths searched: xkbcommon: ERROR: /usr/share/X11/xkb xkbcommon: ERROR: 3 include paths could not be added: xkbcommon: ERROR: /home/fred/.config/xkb xkbcommon: ERROR: /home/fred/.xkb xkbcommon: ERROR: /etc/xkb xkbcommon: ERROR: Abandoning symbols file "(unnamed)" xkbcommon: ERROR: Failed to compile xkb_symbols xkbcommon: ERROR: Failed to compile keymap The upstream xkeyboard-config change removing the compat mapping is: https://gitlab.freedesktop.org/xkeyboard-config/xkeyboard-config/-/commit/470ad2cd8fea84d7210377161d86b31999bb5ea6 Make QEMU always ask for the 'ara' xkb layout, which should work on both older and newer xkeyboard-config. We leave the QEMU name for this keyboard layout as 'ar'; it is not the only one where our name for it deviates from the xkb standard name. Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Message-id: 20230620162024.1132013-1-peter.maydell@linaro.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1709 (cherry picked from commit 497fad38979c16b6412388927401e577eba43d26) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 25 June 2023, 22:31:47 UTC
cf79502 host-utils: Avoid using __builtin_subcll on buggy versions of Apple Clang We use __builtin_subcll() to do a 64-bit subtract with borrow-in and borrow-out when the host compiler supports it. Unfortunately some versions of Apple Clang have a bug in their implementation of this intrinsic which means it returns the wrong value. The effect is that a QEMU built with the affected compiler will hang when emulating x86 or m68k float80 division. The upstream LLVM issue is: https://github.com/llvm/llvm-project/issues/55253 The commit that introduced the bug apparently never made it into an upstream LLVM release without the subsequent fix https://github.com/llvm/llvm-project/commit/fffb6e6afdbaba563189c1f715058ed401fbc88d but unfortunately it did make it into Apple Clang 14.0, as shipped in Xcode 14.3 (14.2 is reported to be OK). The Apple bug number is FB12210478. Add ifdefs to avoid use of __builtin_subcll() on Apple Clang version 14 or greater. There is not currently a version of Apple Clang which has the bug fix -- when one appears we should be able to add an upper bound to the ifdef condition so we can start using the builtin again. We make the lower bound a conservative "any Apple clang with major version 14 or greater" because the consequences of incorrectly disabling the builtin when it would work are pretty small and the consequences of not disabling it when we should are pretty bad. Many thanks to those users who both reported this bug and also did a lot of work in identifying the root cause; in particular to Daniel Bertalan and osy. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1631 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1659 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Tested-by: Daniel Bertalan <dani@danielbertalan.dev> Tested-by: Solra Bizna <solra@bizna.name> Message-id: 20230622130823.1631719-1-peter.maydell@linaro.org (cherry picked from commit b0438861efe1dfbdfdd9fa1d9aa05100d37ea8ee) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 25 June 2023, 22:31:07 UTC
72a23f2 target/tricore: Add CHECK_REG_PAIR() for insn accessing 64 bit regs Some insns were not checking if an even index was used to access a 64 bit register. In the worst case that could lead to a buffer overflow as reported in https://gitlab.com/qemu-project/qemu/-/issues/1698. Reported-by: Siqi Chen <coc.cyqh@gmail.com> Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de> Message-Id: <20230612113245.56667-4-kbastian@mail.uni-paderborn.de> (cherry picked from commit 6991777ec4b2a344d47bddec62744bedd9883d78) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 23 June 2023, 06:46:01 UTC
b9e1415 target/tricore: Fix out-of-bounds index in imask instruction When translating "imask" instruction of Tricore architecture, QEMU did not check whether the register index was out of bounds, resulting in a global-buffer-overflow. Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1698 Reported-by: Siqi Chen <coc.cyqh@gmail.com> Signed-off-by: Siqi Chen <coc.cyqh@gmail.com> Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de> Message-Id: <20230612065633.149152-1-coc.cyqh@gmail.com> Message-Id: <20230612113245.56667-2-kbastian@mail.uni-paderborn.de> (cherry picked from commit d34b092cab606a47a0d76edde45aab7100bb2435) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 23 June 2023, 06:44:47 UTC
4553eee hw/timer/nrf51_timer: Don't lose time when timer is queried in tight loop The nrf51_timer has a free-running counter which we implement using the pattern of using two fields (update_counter_ns, counter) to track the last point at which we calculated the counter value, and the counter value at that time. Then we can find the current counter value by converting the difference in wall-clock time between then and now to a tick count that we need to add to the counter value. Unfortunately the nrf51_timer's implementation of this has a bug which means it loses time every time update_counter() is called. After updating s->counter it always sets s->update_counter_ns to 'now', even though the actual point when s->counter hit the new value will be some point in the past (half a tick, say). In the worst case (guest code in a tight loop reading the counter, icount mode) the counter is continually queried less than a tick after it was last read, so s->counter never advances but s->update_counter_ns does, and the guest never makes forward progress. The fix for this is to only advance update_counter_ns to the timestamp of the last tick, not all the way to 'now'. (This is the pattern used in hw/misc/mps2-fpgaio.c's counter.) Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Joel Stanley <joel@jms.id.au> Message-id: 20230606134917.3782215-1-peter.maydell@linaro.org (cherry picked from commit d2f9a79a8cf6ab992e1d0f27ad05b3e582d2b18a) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> 22 June 2023, 07:38:38 UTC