https://github.com/qemu/qemu
- HEAD
- refs/heads/block
- refs/heads/coverity
- refs/heads/master
- refs/heads/stable-0.10
- refs/heads/stable-0.11
- refs/heads/stable-0.12
- refs/heads/stable-0.13
- refs/heads/stable-0.14
- refs/heads/stable-0.15
- refs/heads/stable-1.0
- refs/heads/stable-1.1
- refs/heads/stable-1.2
- refs/heads/stable-1.3
- refs/heads/stable-1.4
- refs/heads/stable-1.5
- refs/heads/stable-1.6
- refs/heads/stable-1.7
- refs/heads/stable-2.0
- refs/heads/stable-2.1
- refs/heads/stable-2.10
- refs/heads/stable-2.11
- refs/heads/stable-2.12
- refs/heads/stable-2.2
- refs/heads/stable-2.3
- refs/heads/stable-2.4
- refs/heads/stable-2.5
- refs/heads/stable-2.6
- refs/heads/stable-2.7
- refs/heads/stable-2.8
- refs/heads/stable-2.9
- refs/heads/stable-3.0
- refs/heads/stable-3.1
- refs/heads/stable-4.0
- refs/heads/stable-4.1
- refs/heads/stable-4.2
- refs/heads/stable-5.0
- refs/heads/stable-6.0
- refs/heads/stable-6.0-staging
- refs/heads/stable-6.1
- refs/heads/stable-7.2
- refs/heads/stable-7.2-staging
- refs/heads/stable-8.0
- refs/heads/stable-8.0-staging
- refs/heads/stable-8.1
- refs/heads/stable-8.2
- refs/heads/stable-9.0
- refs/heads/staging
- refs/heads/staging-0.0
- refs/heads/staging-7.2
- refs/heads/staging-8.0
- refs/heads/staging-8.1
- refs/heads/staging-8.2
- refs/heads/staging-9.0
- refs/heads/staging-mjt-test
- refs/heads/stsquad-hotfix
- refs/notes/commits
- refs/remotes/github/master
- refs/remotes/github/stable-0.10
- refs/remotes/github/stable-0.11
- refs/remotes/github/stable-0.12
- refs/remotes/github/stable-0.13
- refs/remotes/github/stable-0.14
- refs/remotes/github/stable-0.15
- refs/remotes/github/stable-1.0
- refs/remotes/github/stable-1.1
- refs/remotes/github/stable-1.2
- refs/remotes/github/stable-1.3
- refs/remotes/github/stable-1.4
- refs/remotes/github/stable-1.5
- refs/remotes/github/stable-1.6
- refs/remotes/github/stable-1.7
- refs/remotes/github/stable-2.0
- refs/remotes/github/stable-2.1
- refs/remotes/github/stable-2.10
- refs/remotes/github/stable-2.11
- refs/remotes/github/stable-2.12
- refs/remotes/github/stable-2.2
- refs/remotes/github/stable-2.3
- refs/remotes/github/stable-2.4
- refs/remotes/github/stable-2.5
- refs/remotes/github/stable-2.6
- refs/remotes/github/stable-2.7
- refs/remotes/github/stable-2.8
- refs/remotes/github/stable-2.9
- refs/remotes/github/stable-3.0
- refs/remotes/github/stable-3.1
- refs/remotes/github/stable-4.0
- refs/remotes/github/stable-4.1
- refs/remotes/github/stable-4.2
- refs/remotes/github/stable-5.0
- refs/remotes/github/staging
- refs/tags/initial
- refs/tags/release_0_10_0
- refs/tags/release_0_10_1
- refs/tags/release_0_10_2
- refs/tags/release_0_5_1
- refs/tags/release_0_6_0
- refs/tags/release_0_6_1
- refs/tags/release_0_7_0
- refs/tags/release_0_7_1
- refs/tags/release_0_8_1
- refs/tags/release_0_8_2
- refs/tags/release_0_9_0
- refs/tags/release_0_9_1
- refs/tags/v0.1.0
- refs/tags/v0.1.1
- refs/tags/v0.1.3
- refs/tags/v0.1.4
- refs/tags/v0.1.5
- refs/tags/v0.1.6
- refs/tags/v0.10.0
- refs/tags/v0.10.1
- refs/tags/v0.10.2
- refs/tags/v0.10.3
- refs/tags/v0.10.4
- refs/tags/v0.10.5
- refs/tags/v0.10.6
- refs/tags/v0.11.0
- refs/tags/v0.11.0-rc0
- refs/tags/v0.11.0-rc1
- refs/tags/v0.11.0-rc2
- refs/tags/v0.11.1
- refs/tags/v0.12.0
- refs/tags/v0.12.0-rc0
- refs/tags/v0.12.0-rc1
- refs/tags/v0.12.0-rc2
- refs/tags/v0.12.1
- refs/tags/v0.12.2
- refs/tags/v0.12.3
- refs/tags/v0.12.4
- refs/tags/v0.12.5
- refs/tags/v0.13.0
- refs/tags/v0.13.0-rc0
- refs/tags/v0.13.0-rc1
- refs/tags/v0.13.0-rc2
- refs/tags/v0.13.0-rc3
- refs/tags/v0.14.0
- refs/tags/v0.14.0-rc0
- refs/tags/v0.14.0-rc1
- refs/tags/v0.14.0-rc2
- refs/tags/v0.15.0
- refs/tags/v0.15.0-rc0
- refs/tags/v0.15.0-rc1
- refs/tags/v0.15.0-rc2
- refs/tags/v0.15.1
- refs/tags/v0.2.0
- refs/tags/v0.3.0
- refs/tags/v0.4.0
- refs/tags/v0.4.1
- refs/tags/v0.4.2
- refs/tags/v0.4.3
- refs/tags/v0.4.4
- refs/tags/v0.5.0
- refs/tags/v0.5.1
- refs/tags/v0.6.0
- refs/tags/v0.6.1
- refs/tags/v0.7.0
- refs/tags/v0.7.1
- refs/tags/v0.8.1
- refs/tags/v0.8.2
- refs/tags/v0.9.0
- refs/tags/v0.9.1
- refs/tags/v1.0-rc0
- refs/tags/v1.0-rc1
- refs/tags/v1.0-rc2
- refs/tags/v1.0-rc3
- refs/tags/v1.0.1
- refs/tags/v1.1-rc0
- refs/tags/v1.1-rc1
- refs/tags/v1.1-rc2
- refs/tags/v1.1.0
- refs/tags/v1.1.0-rc2
- refs/tags/v1.1.0-rc3
- refs/tags/v1.1.0-rc4
- refs/tags/v1.1.1
- refs/tags/v1.1.2
- refs/tags/v1.2.0-rc0
- refs/tags/v1.2.1
- refs/tags/v1.2.2
- refs/tags/v1.3.0
- refs/tags/v1.3.0-rc0
- refs/tags/v1.3.0-rc1
- refs/tags/v1.3.0-rc2
- refs/tags/v1.3.1
- refs/tags/v1.4.1
- refs/tags/v1.4.2
- refs/tags/v1.5.0
- refs/tags/v1.5.0-rc0
- refs/tags/v1.5.0-rc1
- refs/tags/v1.5.0-rc2
- refs/tags/v1.5.0-rc3
- refs/tags/v1.5.1
- refs/tags/v1.5.2
- refs/tags/v1.5.3
- refs/tags/v1.6.0
- refs/tags/v1.6.0-rc0
- refs/tags/v1.6.0-rc1
- refs/tags/v1.6.0-rc2
- refs/tags/v1.6.0-rc3
- refs/tags/v1.6.1
- refs/tags/v1.6.2
- refs/tags/v1.7.0
- refs/tags/v1.7.0-rc0
- refs/tags/v1.7.0-rc1
- refs/tags/v1.7.0-rc2
- refs/tags/v1.7.1
- refs/tags/v1.7.2
- refs/tags/v2.0.1
- refs/tags/v2.0.2
- 71090deb4c84e18ab6270d517cfcc43eea95fdc4
- v9.1.0-rc2
- v9.1.0-rc1
- v9.1.0-rc0
- v9.0.2
- v9.0.1
- v9.0.0-rc4
- v9.0.0-rc3
- v9.0.0-rc2
- v9.0.0-rc1
- v9.0.0-rc0
- v9.0.0
- v8.2.6
- v8.2.5
- v8.2.4
- v8.2.3
- v8.2.2
- v8.2.1
- v8.2.0-rc4
- v8.2.0-rc3
- v8.2.0-rc2
- v8.2.0-rc1
- v8.2.0-rc0
- v8.2.0
- v8.1.5
- v8.1.4
- v8.1.3
- v8.1.2
- v8.1.1
- v8.1.0-rc4
- v8.1.0-rc3
- v8.1.0-rc2
- v8.1.0-rc1
- v8.1.0-rc0
- v8.1.0
- v8.0.5
- v8.0.4
- v8.0.3
- v8.0.2
- v8.0.1
- v8.0.0-rc4
- v8.0.0-rc3
- v8.0.0-rc2
- v8.0.0-rc1
- v8.0.0-rc0
- v8.0.0
- v7.2.9
- v7.2.8
- v7.2.7
- v7.2.6
- v7.2.5
- v7.2.4
- v7.2.3
- v7.2.2
- v7.2.13
- v7.2.12
- v7.2.11
- v7.2.10
- v7.2.1
- v7.2.0-rc4
- v7.2.0-rc3
- v7.2.0-rc2
- v7.2.0-rc1
- v7.2.0-rc0
- v7.2.0
- v7.1.0-rc4
- v7.1.0-rc3
- v7.1.0-rc2
- v7.1.0-rc1
- v7.1.0-rc0
- v7.1.0
- v7.0.0-rc4
- v7.0.0-rc3
- v7.0.0-rc2
- v7.0.0-rc1
- v7.0.0-rc0
- v7.0.0
- v6.2.0-rc4
- v6.2.0-rc3
- v6.2.0-rc2
- v6.2.0-rc1
- v6.2.0-rc0
- v6.2.0
- v6.1.1
- v6.1.0-rc4
- v6.1.0-rc3
- v6.1.0-rc2
- v6.1.0-rc1
- v6.1.0-rc0
- v6.1.0
- v6.0.1
- v6.0.0-rc5
- v6.0.0-rc4
- v6.0.0-rc3
- v6.0.0-rc2
- v6.0.0-rc1
- v6.0.0-rc0
- v6.0.0
- v5.2.0-rc4
- v5.2.0-rc3
- v5.2.0-rc2
- v5.2.0-rc1
- v5.2.0-rc0
- v5.2.0
- v5.1.0-rc3
- v5.1.0-rc2
- v5.1.0-rc1
- v5.1.0-rc0
- v5.1.0
- v5.0.1
- v5.0.0-rc4
- v5.0.0-rc3
- v5.0.0-rc2
- v5.0.0-rc1
- v5.0.0-rc0
- v5.0.0
- v4.2.1
- v4.2.0-rc5
- v4.2.0-rc4
- v4.2.0-rc3
- v4.2.0-rc2
- v4.2.0-rc1
- v4.2.0-rc0
- v4.2.0
- v4.1.1
- v4.1.0-rc5
- v4.1.0-rc4
- v4.1.0-rc3
- v4.1.0-rc2
- v4.1.0-rc1
- v4.1.0-rc0
- v4.1.0
- v4.0.1
- v4.0.0-rc4
- v4.0.0-rc3
- v4.0.0-rc2
- v4.0.0-rc1
- v4.0.0-rc0
- v4.0.0
- v3.1.1.1
- v3.1.1
- v3.1.0-rc5
- v3.1.0-rc4
- v3.1.0-rc3
- v3.1.0-rc2
- v3.1.0-rc1
- v3.1.0-rc0
- v3.1.0
- v3.0.1
- v3.0.0-rc4
- v3.0.0-rc3
- v3.0.0-rc2
- v3.0.0-rc1
- v3.0.0-rc0
- v3.0.0
- v2.9.1
- v2.9.0-rc5
- v2.9.0-rc4
- v2.9.0-rc3
- v2.9.0-rc2
- v2.9.0-rc1
- v2.9.0-rc0
- v2.9.0
- v2.8.1.1
- v2.8.1
- v2.8.0-rc4
- v2.8.0-rc3
- v2.8.0-rc2
- v2.8.0-rc1
- v2.8.0-rc0
- v2.8.0
- v2.7.1
- v2.7.0-rc5
- v2.7.0-rc4
- v2.7.0-rc3
- v2.7.0-rc2
- v2.7.0-rc1
- v2.7.0-rc0
- v2.7.0
- v2.6.2
- v2.6.1
- v2.6.0-rc5
- v2.6.0-rc4
- v2.6.0-rc3
- v2.6.0-rc2
- v2.6.0-rc1
- v2.6.0-rc0
- v2.6.0
- v2.5.1.1
- v2.5.1
- v2.5.0-rc4
- v2.5.0-rc3
- v2.5.0-rc2
- v2.5.0-rc1
- v2.5.0-rc0
- v2.5.0
- v2.4.1
- v2.4.0.1
- v2.4.0-rc4
- v2.4.0-rc3
- v2.4.0-rc2
- v2.4.0-rc1
- v2.4.0-rc0
- v2.4.0
- v2.3.1
- v2.3.0-rc4
- v2.3.0-rc3
- v2.3.0-rc2
- v2.3.0-rc1
- v2.3.0-rc0
- v2.3.0
- v2.2.1
- v2.2.0-rc5
- v2.2.0-rc4
- v2.2.0-rc3
- v2.2.0-rc2
- v2.2.0-rc1
- v2.2.0-rc0
- v2.2.0
- v2.12.1
- v2.12.0-rc4
- v2.12.0-rc3
- v2.12.0-rc2
- v2.12.0-rc1
- v2.12.0-rc0
- v2.12.0
- v2.11.2
- v2.11.1
- v2.11.0-rc5
- v2.11.0-rc4
- v2.11.0-rc3
- v2.11.0-rc2
- v2.11.0-rc1
- v2.11.0-rc0
- v2.11.0
- v2.10.2
- v2.10.1
- v2.10.0-rc4
- v2.10.0-rc3
- v2.10.0-rc2
- v2.10.0-rc1
- v2.10.0-rc0
- v2.10.0
- v2.1.3
- v2.1.2
- v2.1.1
- v2.1.0-rc5
- v2.1.0-rc4
- v2.1.0-rc3
- v2.1.0-rc2
- v2.1.0-rc1
- v2.1.0-rc0
- v2.1.0
- v2.0.0-rc3
- v2.0.0-rc2
- v2.0.0-rc1
- v2.0.0-rc0
- v2.0.0
- v1.4.0-rc2
- v1.4.0-rc1
- v1.4.0-rc0
- v1.4.0
- v1.2.0-rc3
- v1.2.0-rc2
- v1.2.0-rc1
- v1.2.0
- v1.0-rc4
- v1.0
- v0.14.1
- trivial-patches-pull-request
Take a new snapshot of a software origin
If the archived software origin currently browsed is not synchronized with its upstream version (for instance when new commits have been issued), you can explicitly request Software Heritage to take a new snapshot of it.
Use the form below to proceed. Once a request has been submitted and accepted, it will be processed as soon as possible. You can then check its processing state by visiting this dedicated page.
Processing "take a new snapshot" request ...
| Revision | Author | Date | Message | Commit Date |
|---|---|---|---|---|
| 71090de | Michael Tokarev | 22 December 2023, 18:59:29 UTC | Update version for 7.2.8 release Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 22 December 2023, 18:59:29 UTC |
| fe0c889 | Jean-Philippe Brucker | 19 December 2023, 17:57:50 UTC | target/arm/helper: Propagate MDCR_EL2.HPMN into PMCR_EL0.N MDCR_EL2.HPMN allows an hypervisor to limit the number of PMU counters available to EL1 and EL0 (to keep the others to itself). QEMU already implements this split correctly, except for PMCR_EL0.N reads: the number of counters read by EL1 or EL0 should be the one configured in MDCR_EL2.HPMN. Cc: qemu-stable@nongnu.org Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org> Message-id: 20231215144652.4193815-2-jean-philippe@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 6980c31dec42b6daebf7fec13b2d39ed87bb4766) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 December 2023, 16:11:11 UTC |
| 775bb79 | Patrick Venture | 16 November 2023, 16:36:33 UTC | system/memory: use ldn_he_p/stn_he_p Using direct pointer dereferencing can allow for unaligned accesses, which was seen during execution with sanitizers enabled. Cc: qemu-stable@nongnu.org Reviewed-by: Chris Rauer <crauer@google.com> Reviewed-by: Peter Foley <pefoley@google.com> Signed-off-by: Patrick Venture <venture@google.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: David Hildenbrand <david@redhat.com> Message-ID: <20231116163633.276671-1-venture@google.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit 2b8fe81b3c2e76d241510a9a85496d544e42f5ec) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 December 2023, 16:11:10 UTC |
| 4131b1f | Peter Maydell | 04 December 2023, 13:34:16 UTC | target/arm: Disable SME if SVE is disabled There is no architectural requirement that SME implies SVE, but our implementation currently assumes it. (FEAT_SME_FA64 does imply SVE.) So if you try to run a CPU with eg "-cpu max,sve=off" you quickly run into an assert when the guest tries to write to SMCR_EL1: #6 0x00007ffff4b38e96 in __GI___assert_fail (assertion=0x5555566e69cb "sm", file=0x5555566e5b24 "../../target/arm/helper.c", line=6865, function=0x5555566e82f0 <__PRETTY_FUNCTION__.31> "sve_vqm1_for_el_sm") at ./assert/assert.c:101 #7 0x0000555555ee33aa in sve_vqm1_for_el_sm (env=0x555557d291f0, el=2, sm=false) at ../../target/arm/helper.c:6865 #8 0x0000555555ee3407 in sve_vqm1_for_el (env=0x555557d291f0, el=2) at ../../target/arm/helper.c:6871 #9 0x0000555555ee3724 in smcr_write (env=0x555557d291f0, ri=0x555557da23b0, value=2147483663) at ../../target/arm/helper.c:6995 #10 0x0000555555fd1dba in helper_set_cp_reg64 (env=0x555557d291f0, rip=0x555557da23b0, value=2147483663) at ../../target/arm/tcg/op_helper.c:839 #11 0x00007fff60056781 in code_gen_buffer () Avoid this unsupported and slightly odd combination by disabling SME when SVE is not present. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2005 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20231127173318.674758-1-peter.maydell@linaro.org (cherry picked from commit f7767ca301796334f74b9b642b395a4bd3e3dbac) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 December 2023, 16:11:10 UTC |
| aada709 | Fiona Ebner | 22 November 2023, 12:58:26 UTC | ui/vnc-clipboard: fix inflate_buffer Commit d921fea338 ("ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)") removed this hunk, but it is still required, because it can happen that stream.avail_in becomes zero before coming across a return value of Z_STREAM_END in the loop. This fixes the host->guest direction of the clipboard with noVNC and TigerVNC as clients. Fixes: d921fea338 ("ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)") Reported-by: Friedrich Weber <f.weber@proxmox.com> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20231122125826.228189-1-f.ebner@proxmox.com> (cherry picked from commit ebfbf394671163c14e2b24d98f3927a3151d1aff) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 December 2023, 16:11:10 UTC |
| 591618f | Volker Rümelin | 11 November 2023, 10:40:20 UTC | ui/gtk-egl: move function calls back to regular code path Commit 6f189a08c1 ("ui/gtk-egl: Check EGLSurface before doing scanout") introduced a regression when QEMU is running with a virtio-gpu-gl-device on a host under X11. After the guest has initialized the virtio-gpu-gl-device, the guest screen only shows "Display output is not active.". Commit 6f189a08c1 moved all function calls in gd_egl_scanout_texture() to a code path which is only called once after gd_egl_init() succeeds in gd_egl_scanout_texture(). Move all function calls in gd_egl_scanout_texture() back to the regular code path so they get always called if one of the gd_egl_init() calls was successful. Fixes: 6f189a08c1 ("ui/gtk-egl: Check EGLSurface before doing scanout") Signed-off-by: Volker Rümelin <vr_qemu@t-online.de> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20231111104020.26183-1-vr_qemu@t-online.de> (cherry picked from commit 53a939f1bf8e4a3e38f9449fac44f572676966ad) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 December 2023, 16:11:10 UTC |
| 7b15f81 | Antonio Caggiano | 16 October 2023, 12:32:15 UTC | ui/gtk-egl: Check EGLSurface before doing scanout The first time gd_egl_scanout_texture() is called, there's a possibility that the GTK drawing area might not be realized yet, in which case its associated GdkWindow is NULL. This means gd_egl_init() was also skipped and the EGLContext and EGLSurface stored in the VirtualGfxConsole are not valid yet. Continuing with the scanout in this conditions would result in hitting an assert in libepoxy: "Couldn't find current GLX or EGL context". A possible workaround is to just ignore the scanout request, giving the the GTK drawing area some time to finish its realization. At that point, the gd_egl_init() will succeed and the EGLContext and EGLSurface stored in the VirtualGfxConsole will be valid. Signed-off-by: Antonio Caggiano <quic_acaggian@quicinc.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20231016123215.2699269-1-quic_acaggian@quicinc.com> (cherry picked from commit 6f189a08c1b0085808af1bfbf4567f0da193ecc1) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 December 2023, 16:11:10 UTC |
| 62b7c90 | Robert Hoo | 13 November 2023, 08:13:49 UTC | msix: unset PCIDevice::msix_vector_poll_notifier in rollback In the rollback in msix_set_vector_notifiers(), original patch forgot to undo msix_vector_poll_notifier pointer. Fixes: bbef882cc193 ("msi: add API to get notified about pending bit poll") Signed-off-by: Robert Hoo <robert.hoo.linux@gmail.com> Message-Id: <20231113081349.1307-1-robert.hoo.linux@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 2d37fe9e5e61b04bddbed00dbb7436e61a01c115) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 December 2023, 16:11:10 UTC |
| 95743c7 | Philippe Mathieu-Daudé | 20 November 2023, 13:00:17 UTC | hw/acpi/erst: Do not ignore Error* in realize handler erst_realizefn() passes @errp to functions without checking for failure. If it runs into another failure, it trips error_setv()'s assertion. Use the ERRP_GUARD() macro and check *errp, as suggested in commit ae7c80a7bd ("error: New macro ERRP_GUARD()"). Cc: qemu-stable@nongnu.org Fixes: f7e26ffa59 ("ACPI ERST: support for ACPI ERST feature") Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20231120130017.81286-1-philmd@linaro.org> Reviewed-by: Ani Sinha <anisinha@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 20bc50137f3add52eb4788b420d717de27fed14b) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 December 2023, 16:11:10 UTC |
| ab0c94f | Akihiko Odaki | 23 November 2023, 07:56:29 UTC | pcie_sriov: Remove g_new assertion g_new() aborts if the allocation fails so it returns NULL only if the requested allocation size is zero. register_vfs() makes such an allocation if NumVFs is zero so it should not assert that g_new() returns a non-NULL value. Fixes: 7c0fa8dff8 ("pcie: Add support for Single Root I/O Virtualization (SR/IOV)") Buglink: https://issues.redhat.com/browse/RHEL-17209 Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Message-Id: <20231123075630.12057-1-akihiko.odaki@daynix.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Yanghang Liu<yanghliu@redhat.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 714a1415d7a69174e1640fcdd6eaae180fe438aa) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 December 2023, 16:11:10 UTC |
| a7a2570 | Volker Rümelin | 05 November 2023, 17:25:51 UTC | hw/audio/hda-codec: fix multiplication overflow After a relatively short time, there is an multiplication overflow when multiplying (now - buft_start) with hda_bytes_per_second(). While the uptime now - buft_start only overflows after 2**63 ns = 292.27 years, this happens hda_bytes_per_second() times faster with the multiplication. At 44100 samples/s * 2 channels * 2 bytes/channel = 176400 bytes/s that is 14.52 hours. After the multiplication overflow the affected audio stream stalls. Replace the multiplication and following division with muldiv64() to prevent a multiplication overflow. Fixes: 280c1e1cdb ("audio/hda: create millisecond timers that handle IO") Reported-by: M_O_Bz <m_o_bz@163.com> Signed-off-by: Volker Rümelin <vr_qemu@t-online.de> Message-Id: <20231105172552.8405-1-vr_qemu@t-online.de> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 74e8593e7e51d6b11ae9c56a3f4e7bb714bac4ec) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 December 2023, 16:11:10 UTC |
| a386866 | Thomas Huth | 30 March 2023, 15:26:13 UTC | hw/mips/malta: Fix the malta machine on big endian hosts Booting a Linux kernel with the malta machine is currently broken on big endian hosts. The cpu_to_gt32 macro wants to byteswap a value for little endian targets only, but uses the wrong way to do this: cpu_to_[lb]e32 works the other way round on big endian hosts! Fix it by using the same ways on both, big and little endian hosts. Fixes: 0c8427baf0 ("hw/mips/malta: Use bootloader helper to set BAR registers") Cc: qemu-stable@nongnu.org Message-Id: <20230330152613.232082-1-thuth@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit dc96009afd8cf2372fa1bbced0bcbcbb2c5d6f1b) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: adjust context for before v7.2.0-677-g0e45355c5c) | 20 December 2023, 16:11:10 UTC |
| adfe37a | Fam Zheng | 24 November 2023, 11:56:54 UTC | vmdk: Don't corrupt desc file in vmdk_write_cid If the text description file is larger than DESC_SIZE, we force the last byte in the buffer to be 0 and write it out. This results in a corruption. Try to allocate a big buffer in this case. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1923 Signed-off-by: Fam Zheng <fam@euphon.net> Message-ID: <20231124115654.3239137-1-fam@euphon.net> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 9fb7b350ba9816ebca8a7614fec486fd4269ab2d) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: fixups in block/vmdk.c due to missing-in-7.2 v8.0.0-2084-g28944f99c4 "vmdk: mark more functions as coroutine_fns and GRAPH_RDLOCK") | 20 December 2023, 16:11:10 UTC |
| 313f191 | Philippe Mathieu-Daudé | 21 November 2023, 17:40:46 UTC | hw/virtio: Add VirtioPCIDeviceTypeInfo::instance_finalize field The VirtioPCIDeviceTypeInfo structure, added in commit a4ee4c8baa ("virtio: Helper for registering virtio device types") got extended in commit 8ea90ee690 ("virtio: add class_size") with the @class_size field. Do similarly with the @instance_finalize field. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20231121174051.63038-2-philmd@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 837053a7f491b445088eac647abe7f462c50f59a) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 December 2023, 16:11:10 UTC |
| 06239e6 | Philippe Mathieu-Daudé | 21 November 2023, 17:40:50 UTC | hw/nvram/xlnx-efuse-ctrl: Free XlnxVersalEFuseCtrl[] "pg0-lock" array Commit 0be6bfac62 ("qdev: Implement variable length array properties") added the DEFINE_PROP_ARRAY() macro with the following comment: * It is the responsibility of the device deinit code to free the * @_arrayfield memory. Commit 9e4aa1fafe added: DEFINE_PROP_ARRAY("pg0-lock", XlnxVersalEFuseCtrl, extra_pg0_lock_n16, extra_pg0_lock_spec, qdev_prop_uint16, uint16_t), but forgot to free the 'extra_pg0_lock_spec' array. Do it in the instance_finalize() handler. Cc: qemu-stable@nongnu.org Fixes: 9e4aa1fafe ("hw/nvram: Xilinx Versal eFuse device") # v6.2.0+ Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20231121174051.63038-6-philmd@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 4f10c66077e39969940d928077560665e155cac8) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 December 2023, 16:11:10 UTC |
| b1c7853 | Philippe Mathieu-Daudé | 21 November 2023, 17:40:49 UTC | hw/nvram/xlnx-efuse: Free XlnxEFuse::ro_bits[] array on finalize() Commit 0be6bfac62 ("qdev: Implement variable length array properties") added the DEFINE_PROP_ARRAY() macro with the following comment: * It is the responsibility of the device deinit code to free the * @_arrayfield memory. Commit 68fbcc344e added: DEFINE_PROP_ARRAY("read-only", XlnxEFuse, ro_bits_cnt, ro_bits, qdev_prop_uint32, uint32_t), but forgot to free the 'ro_bits' array. Do it in the instance_finalize handler. Cc: qemu-stable@nongnu.org Fixes: 68fbcc344e ("hw/nvram: Introduce Xilinx eFuse QOM") # v6.2.0+ Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20231121174051.63038-5-philmd@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 49b3e28b7bdfe771150d05c4b5860aa7854a4232) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 December 2023, 16:11:10 UTC |
| 10e169d | Philippe Mathieu-Daudé | 21 November 2023, 17:40:48 UTC | hw/misc/mps2-scc: Free MPS2SCC::oscclk[] array on finalize() Commit 0be6bfac62 ("qdev: Implement variable length array properties") added the DEFINE_PROP_ARRAY() macro with the following comment: * It is the responsibility of the device deinit code to free the * @_arrayfield memory. Commit 4fb013afcc added: DEFINE_PROP_ARRAY("oscclk", MPS2SCC, num_oscclk, oscclk_reset, qdev_prop_uint32, uint32_t), but forgot to free the 'oscclk_reset' array. Do it in the instance_finalize() handler. Cc: qemu-stable@nongnu.org Fixes: 4fb013afcc ("hw/misc/mps2-scc: Support configurable number of OSCCLK values") # v6.0.0+ Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20231121174051.63038-4-philmd@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 896dd6ff7b9f2575f1a908a07f26a70b58d8b675) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 20 December 2023, 16:11:10 UTC |
| ac1749e | Philippe Mathieu-Daudé | 21 November 2023, 17:40:47 UTC | hw/virtio: Free VirtIOIOMMUPCI::vdev.reserved_regions[] on finalize() Commit 0be6bfac62 ("qdev: Implement variable length array properties") added the DEFINE_PROP_ARRAY() macro with the following comment: * It is the responsibility of the device deinit code to free the * @_arrayfield memory. Commit 8077b8e549 added: DEFINE_PROP_ARRAY("reserved-regions", VirtIOIOMMUPCI, vdev.nb_reserved_regions, vdev.reserved_regions, qdev_prop_reserved_region, ReservedRegion), but forgot to free the 'vdev.reserved_regions' array. Do it in the instance_finalize() handler. Cc: qemu-stable@nongnu.org Fixes: 8077b8e549 ("virtio-iommu-pci: Add array of Interval properties") # v5.1.0+ Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Eric Auger <eric.auger@redhat.com> Message-id: 20231121174051.63038-3-philmd@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit c9a4aa06dfce0fde1e279e1ea0c1945582ec0d16) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: fixup hw/virtio/virtio-iommu-pci.c for before v8.1.0-2552-g41cc70cdf5, "virtio-iommu: Rename reserved_regions into prop_resv_regions" -- so now patch subject matches actual change again) | 20 December 2023, 16:11:10 UTC |
| ac179ff | Peter Maydell | 20 November 2023, 15:01:21 UTC | target/arm: Set IL bit for pauth, SVE access, BTI trap syndromes The syndrome register value always has an IL field at bit 25, which is 0 for a trap on a 16 bit instruction, and 1 for a trap on a 32 bit instruction (or for exceptions which aren't traps on a known instruction, like PC alignment faults). This means that our syn_*() functions should always either take an is_16bit argument to determine whether to set the IL bit, or else unconditionally set it. We missed setting the IL bit for the syndrome for three kinds of trap: * an SVE access exception * a pointer authentication check failure * a BTI (branch target identification) check failure All of these traps are AArch64 only, and so the instruction causing the trap is always 64 bit. This means we can unconditionally set the IL bit in the syn_*() function. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20231120150121.3458408-1-peter.maydell@linaro.org Cc: qemu-stable@nongnu.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 11a3c4a286d5dc603582ea0a1fca62c2ec0a1aee) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 December 2023, 09:32:56 UTC |
| d9a0224 | Philippe Mathieu-Daudé | 14 November 2023, 14:48:31 UTC | tests/avocado: Replace assertRegexpMatches() for Python 3.12 compatibility assertRegexpMatches() has been removed in Python 3.12 and should be replaced by assertRegex(). See: https://docs.python.org/3.12/whatsnew/3.12.html#id3 Inspired-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-ID: <20231114144832.71612-1-philmd@linaro.org> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit f0a663b4ced2bf315936c774c2b6ff398fce8905) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: adjust context for before v8.1.0-1582-g684750ab4f "python/qemu: rename command() to cmd()") | 29 November 2023, 13:20:11 UTC |
| dff5791 | Thomas Huth | 14 November 2023, 13:43:26 UTC | tests/avocado: Replace assertEquals() for Python 3.12 compatibility assertEquals() has been removed in Python 3.12 and should be replaced by assertEqual(). See: https://docs.python.org/3.12/whatsnew/3.12.html#id3 Message-ID: <20231114134326.287242-1-thuth@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit 861f724d03e1748cda1c5b9ec8457a368590cbd5) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: adjust context in pc_cpu_hotplug_props.py & cpu_queries.py for before v8.1.0-1582-g684750ab4f "python/qemu: rename command() to cmd()") | 29 November 2023, 13:20:11 UTC |
| e79947a | Richard Henderson | 14 November 2023, 20:13:29 UTC | linux-user: Fix loaddr computation for some elf files The file offset of the load segment is not relevant to the low address, only the beginning of the virtual address page. Cc: qemu-stable@nongnu.org Fixes: a93934fecd4 ("elf: take phdr offset into account when calculating the program load address") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1952 Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> (cherry picked from commit 82d70a84c8ee42ef969a9cfddc0f5b30b16165f5) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 29 November 2023, 13:20:11 UTC |
| 3c0463a | Akihiko Odaki | 01 June 2023, 03:18:59 UTC | net: Update MemReentrancyGuard for NIC Recently MemReentrancyGuard was added to DeviceState to record that the device is engaging in I/O. The network device backend needs to update it when delivering a packet to a device. This implementation follows what bottom half does, but it does not add a tracepoint for the case that the network device backend started delivering a packet to a device which is already engaging in I/O. This is because such reentrancy frequently happens for qemu_flush_queued_packets() and is insignificant. Fixes: CVE-2023-3019 Reported-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Acked-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit 9050f976e447444ea6ee2ba12c9f77e4b0dc54bc) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 29 November 2023, 13:20:11 UTC |
| fdebed6 | Akihiko Odaki | 01 June 2023, 03:18:58 UTC | net: Provide MemReentrancyGuard * to qemu_new_nic() Recently MemReentrancyGuard was added to DeviceState to record that the device is engaging in I/O. The network device backend needs to update it when delivering a packet to a device. In preparation for such a change, add MemReentrancyGuard * as a parameter of qemu_new_nic(). Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit 7d0fefdf81f5973334c344f6b8e1896c309dff66) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: fixup in hw/net/xen_nic.c due to lack of v8.1.0-2771-g25967ff69f "hw/xen: update Xen PV NIC to XenDevice model" and removed hw/net/igb.c bits) | 29 November 2023, 13:19:39 UTC |
| b9fd6d9 | Niklas Cassel | 08 November 2023, 22:26:57 UTC | hw/ide/ahci: fix legacy software reset Legacy software contains a standard mechanism for generating a reset to a Serial ATA device - setting the SRST (software reset) bit in the Device Control register. Serial ATA has a more robust mechanism called COMRESET, also referred to as port reset. A port reset is the preferred mechanism for error recovery and should be used in place of software reset. Commit e2a5d9b3d9c3 ("hw/ide/ahci: simplify and document PxCI handling") (mjt: 1e5ad6b06b1e in stable-7.2 series, v7.2.6) improved the handling of PxCI, such that PxCI gets cleared after handling a non-NCQ, or NCQ command (instead of incorrectly clearing PxCI after receiving anything - even a FIS that failed to parse, which should NOT clear PxCI, so that you can see which command slot that caused an error). However, simply clearing PxCI after a non-NCQ, or NCQ command, is not enough, we also need to clear PxCI when receiving a SRST in the Device Control register. A legacy software reset is performed by the host sending two H2D FISes, the first H2D FIS asserts SRST, and the second H2D FIS deasserts SRST. The first H2D FIS will not get a D2H reply, and requires the FIS to have the C bit set to one, such that the HBA itself will clear the bit in PxCI. The second H2D FIS will get a D2H reply once the diagnostic is completed. The clearing of the bit in PxCI for this command should ideally be done in ahci_init_d2h() (if it was a legacy software reset that caused the reset (a COMRESET does not use a command slot)). However, since the reset value for PxCI is 0, modify ahci_reset_port() to actually clear PxCI to 0, that way we can avoid complex logic in ahci_init_d2h(). This fixes an issue for FreeBSD where the device would fail to reset. The problem was not noticed in Linux, because Linux uses a COMRESET instead of a legacy software reset by default. Fixes: e2a5d9b3d9c3 ("hw/ide/ahci: simplify and document PxCI handling") Reported-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org> Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com> Message-ID: <20231108222657.117984-1-nks@flawful.org> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Tested-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit eabb921250666501ae78714b60090200b639fcfe) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: mention 1e5ad6b06b1e for stable-7.2) | 22 November 2023, 11:25:06 UTC |
| d38d749 | Richard Henderson | 17 November 2023, 19:31:35 UTC | target/arm: Fix SME FMOPA (16-bit), BFMOPA Perform the loop increment unconditionally, not nested within the predication. Cc: qemu-stable@nongnu.org Fixes: 3916841ac75 ("target/arm: Implement FMOPA, FMOPS (widening)") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1985 Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20231117193135.1180657-1-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 3efd8495735c69b863476e9003e624877382a72d) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 22 November 2023, 11:25:06 UTC |
| 14f0c7e | Michael Tokarev | 21 November 2023, 09:02:48 UTC | Update version for 7.2.7 release Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 21 November 2023, 09:02:48 UTC |
| a536d6a | Bastian Koppelmann | 21 July 2023, 06:06:05 UTC | target/tricore: Rename tricore_feature this name is used by capstone and will lead to a build failure of QEMU, when capstone is enabled. So we rename it to tricore_has_feature(), to match has_feature() in translate.c. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1774 Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20230721060605.76636-1-kbastian@mail.uni-paderborn.de> (cherry picked from commit f8cfdd2038c1823301e6df753242e465b1dc8539) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: update context in target/tricore/cpu.c, target/tricore/op_helper.c, drop chunks in target/tricore/helper.c) | 19 November 2023, 18:15:23 UTC |
| 38312c2 | Marc-André Lureau | 08 November 2023, 10:56:49 UTC | tracetool: avoid invalid escape in Python string This is an error in Python 3.12; fix it by using a raw string literal. Cc: <qemu-stable@nongnu.org> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-ID: <20231108105649.60453-1-marcandre.lureau@redhat.com> (cherry picked from commit 4d96307c5b4fac40c6ca25f38318b4b65d315de0) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 19 November 2023, 18:15:23 UTC |
| 15764a7 | Ilya Leoshkevich | 06 November 2023, 09:31:25 UTC | tests/tcg/s390x: Test LAALG with negative cc_src Add a small test to prevent regressions. Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-ID: <20231106093605.1349201-5-iii@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit ebc14107f1f3ac1db13132cd28cf94adcd38e5d7) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: context fix in tests/tcg/s390x/Makefile.target) | 19 November 2023, 18:15:23 UTC |
| 154760b | Ilya Leoshkevich | 06 November 2023, 09:31:24 UTC | target/s390x: Fix LAALG not updating cc_src LAALG uses op_laa() and wout_addu64(). The latter expects cc_src to be set, but the former does not do it. This can lead to assertion failures if something sets cc_src to neither 0 nor 1 before. Fix by introducing op_laa_addu64(), which sets cc_src, and using it for LAALG. Fixes: 4dba4d6fef61 ("target/s390x: Use atomic operations for LOAD AND OP") Cc: qemu-stable@nongnu.org Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Reviewed-by: David Hildenbrand <david@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-ID: <20231106093605.1349201-4-iii@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit bea402482a8c94389638cbd3d7fe3963fb317f4c) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 19 November 2023, 18:15:23 UTC |
| 8e8cae1 | Fiona Ebner | 06 September 2023, 13:09:22 UTC | tests/qtest: ahci-test: add test exposing reset issue with pending callback Before commit "hw/ide: reset: cancel async DMA operation before resetting state", this test would fail, because a reset with a pending write operation would lead to an unsolicited write to the first sector of the disk. The test writes a pattern to the beginning of the disk and verifies that it is still intact after a reset with a pending operation. It also checks that the pending operation actually completes correctly. Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> Message-ID: <20230906130922.142845-2-f.ebner@proxmox.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit cc610857bbd3551f4b86ae2299336b5d9aa0db2b) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 19 November 2023, 18:15:23 UTC |
| 471a931 | Fiona Ebner | 06 September 2023, 13:09:21 UTC | hw/ide: reset: cancel async DMA operation before resetting state If there is a pending DMA operation during ide_bus_reset(), the fact that the IDEState is already reset before the operation is canceled can be problematic. In particular, ide_dma_cb() might be called and then use the reset IDEState which contains the signature after the reset. When used to construct the IO operation this leads to ide_get_sector() returning 0 and nsector being 1. This is particularly bad, because a write command will thus destroy the first sector which often contains a partition table or similar. Traces showing the unsolicited write happening with IDEState 0x5595af6949d0 being used after reset: > ahci_port_write ahci(0x5595af6923f0)[0]: port write [reg:PxSCTL] @ 0x2c: 0x00000300 > ahci_reset_port ahci(0x5595af6923f0)[0]: reset port > ide_reset IDEstate 0x5595af6949d0 > ide_reset IDEstate 0x5595af694da8 > ide_bus_reset_aio aio_cancel > dma_aio_cancel dbs=0x7f64600089a0 > dma_blk_cb dbs=0x7f64600089a0 ret=0 > dma_complete dbs=0x7f64600089a0 ret=0 cb=0x5595acd40b30 > ahci_populate_sglist ahci(0x5595af6923f0)[0] > ahci_dma_prepare_buf ahci(0x5595af6923f0)[0]: prepare buf limit=512 prepared=512 > ide_dma_cb IDEState 0x5595af6949d0; sector_num=0 n=1 cmd=DMA WRITE > dma_blk_io dbs=0x7f6420802010 bs=0x5595ae2c6c30 offset=0 to_dev=1 > dma_blk_cb dbs=0x7f6420802010 ret=0 > (gdb) p *qiov > $11 = {iov = 0x7f647c76d840, niov = 1, {{nalloc = 1, local_iov = {iov_base = 0x0, > iov_len = 512}}, {__pad = "\001\000\000\000\000\000\000\000\000\000\000", > size = 512}}} > (gdb) bt > #0 blk_aio_pwritev (blk=0x5595ae2c6c30, offset=0, qiov=0x7f6420802070, flags=0, > cb=0x5595ace6f0b0 <dma_blk_cb>, opaque=0x7f6420802010) > at ../block/block-backend.c:1682 > #1 0x00005595ace6f185 in dma_blk_cb (opaque=0x7f6420802010, ret=<optimized out>) > at ../softmmu/dma-helpers.c:179 > #2 0x00005595ace6f778 in dma_blk_io (ctx=0x5595ae0609f0, > sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512, > io_func=io_func@entry=0x5595ace6ee30 <dma_blk_write_io_func>, > io_func_opaque=io_func_opaque@entry=0x5595ae2c6c30, > cb=0x5595acd40b30 <ide_dma_cb>, opaque=0x5595af6949d0, > dir=DMA_DIRECTION_TO_DEVICE) at ../softmmu/dma-helpers.c:244 > #3 0x00005595ace6f90a in dma_blk_write (blk=0x5595ae2c6c30, > sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512, > cb=cb@entry=0x5595acd40b30 <ide_dma_cb>, opaque=opaque@entry=0x5595af6949d0) > at ../softmmu/dma-helpers.c:280 > #4 0x00005595acd40e18 in ide_dma_cb (opaque=0x5595af6949d0, ret=<optimized out>) > at ../hw/ide/core.c:953 > #5 0x00005595ace6f319 in dma_complete (ret=0, dbs=0x7f64600089a0) > at ../softmmu/dma-helpers.c:107 > #6 dma_blk_cb (opaque=0x7f64600089a0, ret=0) at ../softmmu/dma-helpers.c:127 > #7 0x00005595ad12227d in blk_aio_complete (acb=0x7f6460005b10) > at ../block/block-backend.c:1527 > #8 blk_aio_complete (acb=0x7f6460005b10) at ../block/block-backend.c:1524 > #9 blk_aio_write_entry (opaque=0x7f6460005b10) at ../block/block-backend.c:1594 > #10 0x00005595ad258cfb in coroutine_trampoline (i0=<optimized out>, > i1=<optimized out>) at ../util/coroutine-ucontext.c:177 Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Tested-by: simon.rowe@nutanix.com Message-ID: <20230906130922.142845-1-f.ebner@proxmox.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit 7d7512019fc40c577e2bdd61f114f31a9eb84a8e) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 19 November 2023, 18:15:23 UTC |
| 18460b3 | Philippe Mathieu-Daudé | 14 September 2023, 09:02:41 UTC | target/mips: Fix TX79 LQ/SQ opcodes The base register address offset is *signed*. Cc: qemu-stable@nongnu.org Fixes: aaaa82a9f9 ("target/mips/tx79: Introduce LQ opcode (Load Quadword)") Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20230914090447.12557-1-philmd@linaro.org> (cherry picked from commit 18f86aecd6a1bea0f78af14587a684ad966d8d3a) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 19 November 2023, 18:15:23 UTC |
| 9bc1741 | Philippe Mathieu-Daudé | 14 September 2023, 08:39:37 UTC | target/mips: Fix MSA BZ/BNZ opcodes displacement The PC offset is *signed*. Cc: qemu-stable@nongnu.org Reported-by: Sergey Evlashev <vectorchiefrocks@gmail.com> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1624 Fixes: c7a9ef7517 ("target/mips: Introduce decode tree bindings for MSA ASE") Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20230914085807.12241-1-philmd@linaro.org> (cherry picked from commit 04591b3ddd9a96b9298a1dd437a6464ab55e62ee) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 19 November 2023, 18:15:23 UTC |
| 2c1c0cd | Dongwon Kim | 12 October 2023, 22:26:43 UTC | ui/gtk-egl: apply scale factor when calculating window's dimension Scale factor needs to be applied when calculating width/height of the GTK windows. Cc: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Dongwon Kim <dongwon.kim@intel.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20231012222643.13996-1-dongwon.kim@intel.com> (cherry picked from commit 47fd6ab1e334962890bc3e8d2e32857f6594e1c1) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 07 November 2023, 17:24:06 UTC |
| ad8457e | Marc-André Lureau | 17 October 2023, 11:16:42 UTC | ui/gtk: force realization of drawing area Fixes the GL context creation from a widget that isn't yet realized (in a hidden tab for example). Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1727 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Antonio Caggiano <quic_acaggian@quicinc.com> Message-Id: <20231017111642.1155545-1-marcandre.lureau@redhat.com> (cherry picked from commit 565f85a9c293818a91a3d3414311303de7e00cec) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 07 November 2023, 17:24:01 UTC |
| 091798a | BALATON Zoltan | 01 November 2023, 20:45:39 UTC | ati-vga: Implement fallback for pixman routines Pixman routines can fail if no implementation is available and it will become optional soon so add fallbacks when pixman does not work. Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-ID: <ed0fba3f74e48143f02228b83bf8796ca49f3e7d.1698871239.git.balaton@eik.bme.hu> (cherry picked from commit 08730ee0cc01c3fceb907a93436d15170a7556c4) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 07 November 2023, 17:23:38 UTC |
| 0d7c40a | Vladimir Sementsov-Ogievskiy | 06 November 2023, 15:00:28 UTC | block/nvme: nvme_process_completion() fix bound for cid NVMeQueuePair::reqs has length NVME_NUM_REQS, which less than NVME_QUEUE_SIZE by 1. Fixes: 1086e95da17050 ("block/nvme: switch to a NVMeRequest freelist") Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Maksim Davydov <davydov-max@yandex-team.ru> Message-id: 20231017125941.810461-5-vsementsov@yandex-team.ru Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit cc8fb0c3ae3c950eb40e969607e17ff16a7519ac) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 07 November 2023, 16:22:08 UTC |
| 26bb3ab | Peter Maydell | 31 October 2023, 17:37:23 UTC | target/arm: Correctly propagate stage 1 BTI guarded bit in a two-stage walk In a two-stage translation, the result of the BTI guarded bit should be the guarded bit from the first stage of translation, as there is no BTI guard information in stage two. Our code tried to do this, but got it wrong, because we currently have two fields where the GP bit information might live (ARMCacheAttrs::guarded and CPUTLBEntryFull::extra::arm::guarded), and we were storing the GP bit in the latter during the stage 1 walk but trying to copy the former in combine_cacheattrs(). Remove the duplicated storage, and always use the field in CPUTLBEntryFull; correctly propagate the stage 1 value to the output in get_phys_addr_twostage(). Note for stable backports: in v8.0 and earlier the field is named result->f.guarded, not result->f.extra.arm.guarded. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1950 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20231031173723.26582-1-peter.maydell@linaro.org (cherry picked from commit 4c09abeae8704970ff03bf2196973f6bf08ab6f9) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: replace f.extra.arm.guarded -> f.guarded due to v8.1.0-1179-ga81fef4b64) | 03 November 2023, 16:35:34 UTC |
| e19b7b8 | Peter Maydell | 12 May 2023, 14:43:37 UTC | target/arm: Fix handling of SW and NSW bits for stage 2 walks We currently don't correctly handle the VSTCR_EL2.SW and VTCR_EL2.NSW configuration bits. These allow configuration of whether the stage 2 page table walks for Secure IPA and NonSecure IPA should do their descriptor reads from Secure or NonSecure physical addresses. (This is separate from how the translation table base address and other parameters are set: an NS IPA always uses VTTBR_EL2 and VTCR_EL2 for its base address and walk parameters, regardless of the NSW bit, and similarly for Secure.) Provide a new function ptw_idx_for_stage_2() which returns the MMU index to use for descriptor reads, and use it to set up the .in_ptw_idx wherever we call get_phys_addr_lpae(). For a stage 2 walk, wherever we call get_phys_addr_lpae(): * .in_ptw_idx should be ptw_idx_for_stage_2() of the .in_mmu_idx * .in_secure should be true if .in_mmu_idx is Stage2_S This allows us to correct S1_ptw_translate() so that it consistently always sets its (out_secure, out_phys) to the result it gets from the S2 walk (either by calling get_phys_addr_lpae() or by TLB lookup). This makes better conceptual sense because the S2 walk should return us an (address space, address) tuple, not an address that we then randomly assign to S or NS. Our previous handling of SW and NSW was broken, so guest code trying to use these bits to put the s2 page tables in the "other" address space wouldn't work correctly. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1600 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230504135425.2748672-3-peter.maydell@linaro.org (cherry picked from commit fcc0b0418fff655f20fd0cf86a1bbdc41fd2e7c6) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 03 November 2023, 16:19:06 UTC |
| 6861482 | Peter Maydell | 12 May 2023, 14:43:37 UTC | target/arm: Don't allow stage 2 page table walks to downgrade to NS Bit 63 in a Table descriptor is only the NSTable bit for stage 1 translations; in stage 2 it is RES0. We were incorrectly looking at it all the time. This causes problems if: * the stage 2 table descriptor was incorrectly setting the RES0 bit * we are doing a stage 2 translation in Secure address space for a NonSecure stage 1 regime -- in this case we would incorrectly do an immediate downgrade to NonSecure A bug elsewhere in the code currently prevents us from getting to the second situation, but when we fix that it will be possible. Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20230504135425.2748672-2-peter.maydell@linaro.org (cherry picked from commit 21a4ab8318ba6f049aac244e237cd1557586e216) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 03 November 2023, 16:19:06 UTC |
| d9da3f8 | Fabiano Rosas | 17 February 2023, 20:11:35 UTC | target/arm: Don't access TCG code when debugging with KVM When TCG is disabled this part of the code should not be reachable, so wrap it with an ifdef for now. Signed-off-by: Fabiano Rosas <farosas@suse.de> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 0d3de77a07f4f774f7a9248afa8ea497ad5f2ae5) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: trivial change which makes two subsequent cherry-picks to apply cleanly) | 03 November 2023, 16:18:23 UTC |
| 3e273f4 | Daniel P. Berrangé | 10 January 2023, 17:49:01 UTC | Revert "linux-user: fix compat with glibc >= 2.36 sys/mount.h" This reverts commit 3cd3df2a9584e6f753bb62a0028bd67124ab5532. glibc has fixed (in 2.36.9000-40-g774058d729) the problem that caused a clash when both sys/mount.h annd linux/mount.h are included, and backported this to the 2.36 stable release too: https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E It is saner for QEMU to remove the workaround it applied for glibc 2.36 and expect distros to ship the 2.36 maint release with the fix. This avoids needing to add a further workaround to QEMU to deal with the fact that linux/brtfs.h now also pulls in linux/mount.h via linux/fs.h since Linux 6.1 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20230110174901.2580297-3-berrange@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu> (cherry picked from commit 6003159ce18faad4e1bc7bf9c85669019cd4950e) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 02 November 2023, 12:09:22 UTC |
| cc64f9a | Daniel P. Berrangé | 10 January 2023, 17:49:00 UTC | Revert "linux-user: add more compat ioctl definitions" This reverts commit c5495f4ecb0cdaaf2e9dddeb48f1689cdb520ca0. glibc has fixed (in 2.36.9000-40-g774058d729) the problem that caused a clash when both sys/mount.h annd linux/mount.h are included, and backported this to the 2.36 stable release too: https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E It is saner for QEMU to remove the workaround it applied for glibc 2.36 and expect distros to ship the 2.36 maint release with the fix. This avoids needing to add a further workaround to QEMU to deal with the fact that linux/brtfs.h now also pulls in linux/mount.h via linux/fs.h since Linux 6.1 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20230110174901.2580297-2-berrange@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu> (cherry picked from commit 9f0246539ae84a5e21efd1cc4516fc343f08115a) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 02 November 2023, 12:09:11 UTC |
| e4a44eb | Andrey Drobyshev | 19 September 2023, 16:57:58 UTC | qemu-iotests: 024: add rebasing test case for overlay_size > backing_size Before previous commit, rebase was getting infitely stuck in case of rebasing within the same backing chain and when overlay_size > backing_size. Let's add this case to the rebasing test 024 to make sure it doesn't break again. Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com> Reviewed-by: Denis V. Lunev <den@openvz.org> Reviewed-by: Hanna Czenczek <hreitz@redhat.com> Message-ID: <20230919165804.439110-3-andrey.drobyshev@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 827171c3180533f4ad0bc338ea166f401bb5d348) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 02 November 2023, 12:04:24 UTC |
| 1e67bd7 | Andrey Drobyshev | 19 September 2023, 16:57:57 UTC | qemu-img: rebase: stop when reaching EOF of old backing file In case when we're rebasing within one backing chain, and when target image is larger than old backing file, bdrv_is_allocated_above() ends up setting *pnum = 0. As a result, target offset isn't getting incremented, and we get stuck in an infinite for loop. Let's detect this case and proceed further down the loop body, as the offsets beyond the old backing size need to be explicitly zeroed. Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com> Reviewed-by: Denis V. Lunev <den@openvz.org> Reviewed-by: Hanna Czenczek <hreitz@redhat.com> Message-ID: <20230919165804.439110-2-andrey.drobyshev@virtuozzo.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 8b097fd6b06ec295faefd4f30f96f8709abc9605) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 02 November 2023, 12:04:24 UTC |
| 6367e82 | Akihiko Odaki | 29 October 2023, 14:50:16 UTC | tests/tcg: Add -fno-stack-protector A build of GCC 13.2 will have stack protector enabled by default if it was configured with --enable-default-ssp option. For such a compiler, it is necessary to explicitly disable stack protector when linking without standard libraries. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Message-Id: <20230731091042.139159-3-akihiko.odaki@daynix.com> [AJB: fix comment string typo] Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20231029145033.592566-3-alex.bennee@linaro.org> (cherry picked from commit 580731dcc87eb27a2b0dc20ec331f1ce51864c97) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 02 November 2023, 12:04:24 UTC |
| 3081171 | Akihiko Odaki | 31 July 2023, 09:10:39 UTC | tests/migration: Add -fno-stack-protector A build of GCC 13.2 will have stack protector enabled by default if it was configured with --enable-default-ssp option. For such a compiler, it is necessary to explicitly disable stack protector when linking without standard libraries. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20230731091042.139159-2-akihiko.odaki@daynix.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit 7a06a8fec9df3b6a0f72e7b37dff0969430aab96) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 02 November 2023, 12:04:24 UTC |
| d241c15 | Glenn Miles | 24 October 2023, 19:19:45 UTC | misc/led: LED state is set opposite of what is expected Testing of the LED state showed that when the LED polarity was set to GPIO_POLARITY_ACTIVE_LOW and a low logic value was set on the input GPIO of the LED, the LED was being turn off when it was expected to be turned on. Fixes: ddb67f6402 ("hw/misc/led: Allow connecting from GPIO output") Signed-off-by: Glenn Miles <milesg@linux.vnet.ibm.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Andrew Jeffery <andrew@codeconstruct.com.au> Message-id: 20231024191945.4135036-1-milesg@linux.vnet.ibm.com Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 6f83dc67168d17856744275e2a0d7a6addf6cfb9) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 31 October 2023, 17:39:03 UTC |
| cec02bc | Lu Gao | 21 March 2022, 05:56:18 UTC | hw/sd/sdhci: Block Size Register bits [14:12] is lost Block Size Register bits [14:12] is SDMA Buffer Boundary, it is missed in register write, but it is needed in SDMA transfer. e.g. it will be used in sdhci_sdma_transfer_multi_blocks to calculate boundary_ variables. Missing this field will cause wrong operation for different SDMA Buffer Boundary settings. Fixes: d7dfca0807 ("hw/sdhci: introduce standard SD host controller") Fixes: dfba99f17f ("hw/sdhci: Fix DMA Transfer Block Size field") Signed-off-by: Lu Gao <lu.gao@verisilicon.com> Signed-off-by: Jianxian Wen <jianxian.wen@verisilicon.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-ID: <20220321055618.4026-1-lu.gao@verisilicon.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit ae5f70baf549925080fcdbc6c1939c98a4a39246) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 24 October 2023, 06:12:49 UTC |
| ef93ba0 | Helge Deller | 14 October 2023, 04:50:55 UTC | lasips2: LASI PS/2 devices are not user-createable Those PS/2 ports are created with the LASI controller when a 32-bit PA-RISC machine is created. Mark them not user-createable to avoid showing them in the qemu device list. Signed-off-by: Helge Deller <deller@gmx.de> Cc: qemu-stable@nongnu.org (cherry picked from commit a1e6a5c46219bada2c7b932748527553b36559ae) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 21 October 2023, 11:05:14 UTC |
| cb79e6a | Mikulas Patocka | 28 September 2023, 16:42:08 UTC | linux-user/sh4: Fix crashes on signal delivery sh4 uses gUSA (general UserSpace Atomicity) to provide atomicity on CPUs that don't have atomic instructions. A gUSA region that adds 1 to an atomic variable stored in @R2 looks like this: 4004b6: 03 c7 mova 4004c4 <gusa+0x10>,r0 4004b8: f3 61 mov r15,r1 4004ba: 09 00 nop 4004bc: fa ef mov #-6,r15 4004be: 22 63 mov.l @r2,r3 4004c0: 01 73 add #1,r3 4004c2: 32 22 mov.l r3,@r2 4004c4: 13 6f mov r1,r15 R0 contains a pointer to the end of the gUSA region R1 contains the saved stack pointer R15 contains negative length of the gUSA region When this region is interrupted by a signal, the kernel detects if R15 >= -128U. If yes, the kernel rolls back PC to the beginning of the region and restores SP by copying R1 to R15. The problem happens if we are interrupted by a signal at address 4004c4. R15 still holds the value -6, but the atomic value was already written by an instruction at address 4004c2. In this situation we can't undo the gUSA. The function unwind_gusa does nothing, the signal handler attempts to push a signal frame to the address -6 and crashes. This patch fixes it, so that if we are interrupted at the last instruction in a gUSA region, we copy R1 to R15 to restore the correct stack pointer and avoid crashing. There's another bug: if we are interrupted in a delay slot, we save the address of the instruction in the delay slot. We must save the address of the previous instruction. Cc: qemu-stable@nongnu.org Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Reviewed-by: Yoshinori Sato <ysato@users.sourcefoege.jp> Message-Id: <b16389f7-6c62-70b7-59b3-87533c0bcc@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 3b894b699c9a9c064466e128c18be80a3f2113bc) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 21 October 2023, 11:05:14 UTC |
| ea3c95a | Mikulas Patocka | 28 September 2023, 19:55:20 UTC | linux-user/mips: fix abort on integer overflow QEMU mips userspace emulation crashes with "qemu: unhandled CPU exception 0x15 - aborting" when one of the integer arithmetic instructions detects an overflow. This patch fixes it so that it delivers SIGFPE with FPE_INTOVF instead. Cc: qemu-stable@nongnu.org Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Message-Id: <3ef979a8-3ee1-eb2d-71f7-d788ff88dd11@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 6fad9b4bb91dcc824f9c00a36ee843883b58313b) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 21 October 2023, 11:05:14 UTC |
| f5358bc | Fabiano Rosas | 09 October 2023, 18:43:25 UTC | migration: Fix analyze-migration read operation signedness The migration code uses unsigned values for 16, 32 and 64-bit operations. Fix the script to do the same. This was causing an issue when parsing the migration stream generated on the ppc64 target because one of instance_ids was larger than the 32bit signed maximum: Traceback (most recent call last): File "/home/fabiano/kvm/qemu/build/scripts/analyze-migration.py", line 658, in <module> dump.read(dump_memory = args.memory) File "/home/fabiano/kvm/qemu/build/scripts/analyze-migration.py", line 592, in read classdesc = self.section_classes[section_key] KeyError: ('spapr_iommu', -2147483648) Signed-off-by: Fabiano Rosas <farosas@suse.de> Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com> Message-ID: <20231009184326.15777-6-farosas@suse.de> (cherry picked from commit caea03279e11dfcb0e5a567b81fe7f02ee80af02) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 21 October 2023, 11:05:14 UTC |
| 06c9bf0 | Yuval Shaia | 01 March 2023, 14:29:26 UTC | hw/pvrdma: Protect against buggy or malicious guest driver Guest driver allocates and initialize page tables to be used as a ring of descriptors for CQ and async events. The page table that represents the ring, along with the number of pages in the page table is passed to the device. Currently our device supports only one page table for a ring. Let's make sure that the number of page table entries the driver reports, do not exceeds the one page table size. Reported-by: Soul Chen <soulchen8650@gmail.com> Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> Fixes: CVE-2023-1544 Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit 85fc35afa93c7320d1641d344d0c5dfbe341d087) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 21 October 2023, 11:05:14 UTC |
| 0c049ea | Alvin Chang | 07 September 2023, 08:45:00 UTC | disas/riscv: Fix the typo of inverted order of pmpaddr13 and pmpaddr14 Fix the inverted order of pmpaddr13 and pmpaddr14 in csr_name(). Signed-off-by: Alvin Chang <alvinga@andestech.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-ID: <20230907084500.328-1-alvinga@andestech.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit cffa9954908830276c93b430681f66cc0e599aef) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 21 October 2023, 11:05:14 UTC |
| c19fd37 | Volker Rümelin | 17 September 2023, 06:58:06 UTC | hw/audio/es1370: reset current sample counter Reset the current sample counter when writing the Channel Sample Count Register. The Linux ens1370 driver and the AROS sb128 driver expect the current sample counter counts down from sample count to 0 after a write to the Channel Sample Count Register. Currently the current sample counter starts from 0 after a reset or the last count when the counter was stopped. The current sample counter is used to raise an interrupt whenever a complete buffer was transferred. When the counter starts with a value lower than the reload value, the interrupt triggeres before the buffer was completly transferred. This may lead to corrupted audio streams. Tested-by: Rene Engel <ReneEngel80@emailn.de> Signed-off-by: Volker Rümelin <vr_qemu@t-online.de> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Tested-by: BALATON Zoltan <balaton@eik.bme.hu> Message-Id: <20230917065813.6692-1-vr_qemu@t-online.de> (cherry picked from commit 00e3b29d065f3b88bb3726afbd5c73f8b2bff1b4) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 21 October 2023, 11:05:14 UTC |
| 77d36ba | Peter Xu | 05 September 2023, 16:23:32 UTC | migration/qmp: Fix crash on setting tls-authz with null QEMU will crash if anyone tries to set tls-authz (which is a type StrOrNull) with 'null' value. Fix it in the easy way by converting it to qstring just like the other two tls parameters. Cc: qemu-stable@nongnu.org # v4.0+ Fixes: d2f1d29b95 ("migration: add support for a "tls-authz" migration parameter") Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Fabiano Rosas <farosas@suse.de> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Peter Xu <peterx@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com> Message-ID: <20230905162335.235619-2-peterx@redhat.com> (cherry picked from commit 86dec715a7339fc61c3bdb9715993b277b2089db) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: the function is in m/migration.c, not m/option.c; minor context tweak) | 21 October 2023, 11:05:14 UTC |
| 85c27e5 | Akihiko Odaki | 21 September 2023, 11:46:11 UTC | amd_iommu: Fix APIC address check An MSI from I/O APIC may not exactly equal to APIC_DEFAULT_ADDRESS. In fact, Windows 17763.3650 configures I/O APIC to set the dest_mode bit. Cover the range assigned to APIC. Fixes: 577c470f43 ("x86_iommu/amd: Prepare for interrupt remap support") Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Message-Id: <20230921114612.40671-1-akihiko.odaki@daynix.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 0114c4513095598cdf1cd8d7dacdfff757628121) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 21 October 2023, 11:05:14 UTC |
| 24d5b71 | Richard Henderson | 30 September 2023, 20:45:54 UTC | linux-user/hppa: Fix struct target_sigcontext layout Use abi_ullong not uint64_t so that the alignment of the field and therefore the layout of the struct is correct. Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 33bc4fa78b06fc4e5fe22e5576811a97707e0cc6) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 21 October 2023, 11:05:14 UTC |
| 5f2b560 | Thomas Huth | 16 August 2023, 21:07:43 UTC | chardev/char-pty: Avoid losing bytes when the other side just (re-)connected When starting a guest via libvirt with "virsh start --console ...", the first second of the console output is missing. This is especially annoying on s390x that only has a text console by default and no graphical output - if the bios fails to boot here, the information about what went wrong is completely lost. One part of the problem (there is also some things to be done on the libvirt side) is that QEMU only checks with a 1 second timer whether the other side of the pty is already connected, so the first second of the console output is always lost. This likely used to work better in the past, since the code once checked for a re-connection during write, but this has been removed in commit f8278c7d74 ("char-pty: remove the check for connection on write") to avoid some locking. To ease the situation here at least a little bit, let's check with g_poll() whether we could send out the data anyway, even if the connection has not been marked as "connected" yet. The file descriptor is marked as non-blocking anyway since commit fac6688a18 ("Do not hang on full PTY"), so this should not cause any trouble if the other side is not ready for receiving yet. With this patch applied, I can now successfully see the bios output of a s390x guest when running it with "virsh start --console" (with a patched version of virsh that fixes the remaining issues there, too). Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20230816210743.1319018-1-thuth@redhat.com> (cherry picked from commit 4f7689f0817a717d18cc8aca298990760f27a89b) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: use TFR() instead of RETRY_ON_EINTR() before v7.2.0-538-g8b6aa69365) | 21 October 2023, 11:04:51 UTC |
| e12abe5 | Laszlo Ersek | 19 September 2023, 13:19:55 UTC | hw/display/ramfb: plug slight guest-triggerable leak on mode setting The fw_cfg DMA write callback in ramfb prepares a new display surface in QEMU; this new surface is put to use ("swapped in") upon the next display update. At that time, the old surface (if any) is released. If the guest triggers the fw_cfg DMA write callback at least twice between two adjacent display updates, then the second callback (and further such callbacks) will leak the previously prepared (but not yet swapped in) display surface. The issue can be shown by: (1) starting QEMU with "-trace displaysurface_free", and (2) running the following program in the guest UEFI shell: > #include <Library/ShellCEntryLib.h> // ShellAppMain() > #include <Library/UefiBootServicesTableLib.h> // gBS > #include <Protocol/GraphicsOutput.h> // EFI_GRAPHICS_OUTPUT_PROTOCOL > > INTN > EFIAPI > ShellAppMain ( > IN UINTN Argc, > IN CHAR16 **Argv > ) > { > EFI_STATUS Status; > VOID *Interface; > EFI_GRAPHICS_OUTPUT_PROTOCOL *Gop; > UINT32 Mode; > > Status = gBS->LocateProtocol ( > &gEfiGraphicsOutputProtocolGuid, > NULL, > &Interface > ); > if (EFI_ERROR (Status)) { > return 1; > } > > Gop = Interface; > > Mode = 1; > for ( ; ;) { > Status = Gop->SetMode (Gop, Mode); > if (EFI_ERROR (Status)) { > break; > } > > Mode = 1 - Mode; > } > > return 1; > } The symptom is then that: - only one trace message appears periodically, - the time between adjacent messages keeps increasing -- implying that some list structure (containing the leaked resources) keeps growing, - the "surface" pointer is ever different. > 18566@1695127471.449586:displaysurface_free surface=0x7f2fcc09a7c0 > 18566@1695127471.529559:displaysurface_free surface=0x7f2fcc9dac10 > 18566@1695127471.659812:displaysurface_free surface=0x7f2fcc441dd0 > 18566@1695127471.839669:displaysurface_free surface=0x7f2fcc0363d0 > 18566@1695127472.069674:displaysurface_free surface=0x7f2fcc413a80 > 18566@1695127472.349580:displaysurface_free surface=0x7f2fcc09cd00 > 18566@1695127472.679783:displaysurface_free surface=0x7f2fcc1395f0 > 18566@1695127473.059848:displaysurface_free surface=0x7f2fcc1cae50 > 18566@1695127473.489724:displaysurface_free surface=0x7f2fcc42fc50 > 18566@1695127473.969791:displaysurface_free surface=0x7f2fcc45dcc0 > 18566@1695127474.499708:displaysurface_free surface=0x7f2fcc70b9d0 > 18566@1695127475.079769:displaysurface_free surface=0x7f2fcc82acc0 > 18566@1695127475.709941:displaysurface_free surface=0x7f2fcc369c00 > 18566@1695127476.389619:displaysurface_free surface=0x7f2fcc32b910 > 18566@1695127477.119772:displaysurface_free surface=0x7f2fcc0d5a20 > 18566@1695127477.899517:displaysurface_free surface=0x7f2fcc086c40 > 18566@1695127478.729962:displaysurface_free surface=0x7f2fccc72020 > 18566@1695127479.609839:displaysurface_free surface=0x7f2fcc185160 > 18566@1695127480.539688:displaysurface_free surface=0x7f2fcc23a7e0 > 18566@1695127481.519759:displaysurface_free surface=0x7f2fcc3ec870 > 18566@1695127482.549930:displaysurface_free surface=0x7f2fcc634960 > 18566@1695127483.629661:displaysurface_free surface=0x7f2fcc26b140 > 18566@1695127484.759987:displaysurface_free surface=0x7f2fcc321700 > 18566@1695127485.940289:displaysurface_free surface=0x7f2fccaad100 We figured this wasn't a CVE-worthy problem, as only small amounts of memory were leaked (the framebuffer itself is mapped from guest RAM, QEMU only allocates administrative structures), plus libvirt restricts QEMU memory footprint anyway, thus the guest can only DoS itself. Plug the leak, by releasing the last prepared (not yet swapped in) display surface, if any, in the fw_cfg DMA write callback. Regarding the "reproducer", with the fix in place, the log is flooded with trace messages (one per fw_cfg write), *and* the trace message alternates between just two "surface" pointer values (i.e., nothing is leaked, the allocator flip-flops between two objects in effect). This issue appears to date back to the introducion of ramfb (995b30179bdc, "hw/display: add ramfb, a simple boot framebuffer living in guest ram", 2018-06-18). Cc: Gerd Hoffmann <kraxel@redhat.com> (maintainer:ramfb) Cc: qemu-stable@nongnu.org Fixes: 995b30179bdc Signed-off-by: Laszlo Ersek <lersek@redhat.com> Acked-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-ID: <20230919131955.27223-1-lersek@redhat.com> (cherry picked from commit e0288a778473ebd35eac6cc1924faca7d477d241) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 05 October 2023, 05:44:37 UTC |
| 755cf29 | Paolo Bonzini | 29 August 2023, 16:28:33 UTC | target/i386: fix memory operand size for CVTPS2PD CVTPS2PD only loads a half-register for memory, unlike the other operations under 0x0F 0x5A. "Unpack" the group into separate emission functions instead of using gen_unary_fp_sse. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit abd41884c530aa025ada253bf1a5bd0c2b808219) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 04 October 2023, 14:58:16 UTC |
| 796468c | Paolo Bonzini | 29 August 2023, 16:25:46 UTC | target/i386: generalize operand size "ph" for use in CVTPS2PD CVTPS2PD only loads a half-register for memory, like CVTPH2PS. It can reuse the "ph" packed half-precision size to load a half-register, but rename it to "xh" because it is now a variation of "x" (it is not used only for half-precision values). Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit a48b26978a090fe1f3f3e54319902d4ab56a6b3a) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 04 October 2023, 14:58:16 UTC |
| 327d65e | Ricky Zhou | 01 May 2023, 11:14:28 UTC | target/i386: Fix exception classes for MOVNTPS/MOVNTPD. Before this change, MOVNTPS and MOVNTPD were labeled as Exception Class 4 (only requiring alignment for legacy SSE instructions). This changes them to Exception Class 1 (always requiring memory alignment), as documented in the Intel manual. Message-Id: <20230501111428.95998-3-ricky@rzhou.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 8bf171c2d126aea6b60b818f1cee7e0e9eef0390) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 04 October 2023, 14:58:06 UTC |
| 72ef83b | Ricky Zhou | 01 May 2023, 11:14:27 UTC | target/i386: Fix exception classes for SSE/AVX instructions. Fix the exception classes for some SSE/AVX instructions to match what is documented in the Intel manual. These changes are expected to have no functional effect on the behavior that qemu implements (primarily >= 16-byte memory alignment checks). For instance, since qemu does not implement the AC flag, there is no difference in behavior between Exception Classes 4 and 5 for instructions where the SSE version only takes <16 byte memory operands. Message-Id: <20230501111428.95998-2-ricky@rzhou.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit cab529b0dc15746b270e87d77e1dd12c6216807c) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 04 October 2023, 14:58:06 UTC |
| cebd957 | Ricky Zhou | 01 May 2023, 11:14:26 UTC | target/i386: Fix and add some comments next to SSE/AVX instructions. Adds some comments describing what instructions correspond to decoding table entries and fixes some existing comments which named the wrong instruction. Message-Id: <20230501111428.95998-1-ricky@rzhou.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit afa94dabc52b17e340975e158d5a816ec2b2de23) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 04 October 2023, 14:57:04 UTC |
| 91fa137 | Paolo Bonzini | 10 May 2023, 16:36:39 UTC | tests/tcg/i386: correct mask for VPERM2F128/VPERM2I128 The instructions also use bits 3 and 7 of their 8-byte immediate. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 9e65829699f901c62a612316a2897f4ad8a27049) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 04 October 2023, 14:56:26 UTC |
| c9a2d12 | Paolo Bonzini | 07 January 2023, 17:14:20 UTC | target/i386: fix operand size of unary SSE operations VRCPSS, VRSQRTSS and VCVTSx2Sx have a 32-bit or 64-bit memory operand, which is represented in the decoding tables by X86_VEX_REPScalar. Add it to the tables, and make validate_vex() handle the case of an instruction that is in exception type 4 without the REP prefix and exception type 5 with it; this is the cas of VRCP and VRSQRT. Reported-by: yongwoo <https://gitlab.com/yongwoo36> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1377 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 3d304620ec6c95f31db17acc132f42f243369299) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 04 October 2023, 14:41:04 UTC |
| 8da0da8 | Mark Cave-Ayland | 13 September 2023, 20:44:10 UTC | scsi-disk: ensure that FORMAT UNIT commands are terminated Otherwise when a FORMAT UNIT command is issued, the SCSI layer can become confused because it can find itself in the situation where it thinks there is still data to be transferred which can cause the next emulated SCSI command to fail. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Fixes: 6ab71761 ("scsi-disk: add FORMAT UNIT command") Tested-by: Thomas Huth <thuth@redhat.com> Message-ID: <20230913204410.65650-4-mark.cave-ayland@ilande.co.uk> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit be2b619a17345d007bcf9987a3e4afd1edea3e4f) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 03 October 2023, 15:25:00 UTC |
| fa2f090 | Mark Cave-Ayland | 13 September 2023, 20:44:09 UTC | esp: restrict non-DMA transfer length to that of available data In the case where a SCSI layer transfer is incorrectly terminated, it is possible for a TI command to cause a SCSI buffer overflow due to the expected transfer data length being less than the available data in the FIFO. When this occurs the unsigned async_len variable underflows and becomes a large offset which writes past the end of the allocated SCSI buffer. Restrict the non-DMA transfer length to be the smallest of the expected transfer length and the available FIFO data to ensure that it is no longer possible for the SCSI buffer overflow to occur. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810 Reviewed-by: Thomas Huth <thuth@redhat.com> Message-ID: <20230913204410.65650-3-mark.cave-ayland@ilande.co.uk> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 77668e4b9bca03a856c27ba899a2513ddf52bb52) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 03 October 2023, 15:25:00 UTC |
| 9b7feb8 | Mark Cave-Ayland | 13 September 2023, 20:44:08 UTC | esp: use correct type for esp_dma_enable() in sysbus_esp_gpio_demux() The call to esp_dma_enable() was being made with the SYSBUS_ESP type instead of the ESP type. This meant that when GPIO 1 was being used to trigger a DMA request from an external DMA controller, the setting of ESPState's dma_enabled field would clobber unknown memory whilst the dma_cb callback pointer would typically return NULL so the DMA request would never start. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-ID: <20230913204410.65650-2-mark.cave-ayland@ilande.co.uk> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit b86dc5cb0b4105fa8ad29e822ab5d21c589c5ec5) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 03 October 2023, 15:24:12 UTC |
| ae0b40d | Fabiano Rosas | 26 September 2023, 19:25:02 UTC | optionrom: Remove build-id section Our linker script for optionroms specifies only the placement of the .text section, leaving the linker free to place the remaining sections at arbitrary places in the file. Since at least binutils 2.39, the .note.gnu.build-id section is now being placed at the start of the file, which causes label addresses to be shifted. For linuxboot_dma.bin that means that the PnP header (among others) will not be found when determining the type of ROM at optionrom_setup(): (0x1c is the label _pnph, where the magic "PnP" is) $ xxd /usr/share/qemu/linuxboot_dma.bin | grep "PnP" 00000010: 0000 0000 0000 0000 0000 1c00 2450 6e50 ............$PnP $ xxd pc-bios/optionrom/linuxboot_dma.bin | grep "PnP" 00000010: 0000 0000 0000 0000 0000 4c00 2450 6e50 ............$PnP ^bad Using a freshly built linuxboot_dma.bin ROM results in a broken boot: SeaBIOS (version rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org) Booting from Hard Disk... Boot failed: could not read the boot disk Booting from Floppy... Boot failed: could not read the boot disk No bootable device. We're not using the build-id section, so pass the --build-id=none option to the linker to remove it entirely. Note: In theory, this same issue could happen with any other section. The ideal solution would be to have all unused sections discarded in the linker script. However that would be a larger change, specially for the pvh rom which uses the .bss and COMMON sections so I'm addressing only the immediate issue here. Reported-by: Vasiliy Ulyanov <vulyanov@suse.de> Signed-off-by: Fabiano Rosas <farosas@suse.de> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-ID: <20230926192502.15986-1-farosas@suse.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 35ed01ba5448208695ada5fa20a13c0a4689a1c1) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (mjt: remove unrelated stable@vger) | 03 October 2023, 15:21:41 UTC |
| 9703799 | Paolo Bonzini | 25 September 2023, 11:05:58 UTC | ui/vnc: fix handling of VNC_FEATURE_XVP VNC_FEATURE_XVP was not shifted left before adding it to vs->features, so it was never enabled; but it was also checked the wrong way with a logical AND instead of vnc_has_feature. Fix both places. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 477b301000d665313217f65e3a368d2cb7769c42) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 28 September 2023, 04:34:34 UTC |
| 0732512 | Paolo Bonzini | 25 September 2023, 11:06:46 UTC | ui/vnc: fix debug output for invalid audio message The debug message was cut and pasted from the invalid audio format case, but the audio message is at bytes 2-3. Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 0cb9c5880e6b8dedc4e20026ce859dd1ea9aac84) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 28 September 2023, 04:33:33 UTC |
| 66aa4b1 | Thomas Huth | 25 September 2023, 09:18:54 UTC | hw/scsi/scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467] We are doing things like nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE); in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes with a division by 0 exception. Thus disallow block sizes of 256 bytes to avoid this situation. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813 CVE: 2023-42467 Signed-off-by: Thomas Huth <thuth@redhat.com> Message-ID: <20230925091854.49198-1-thuth@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 7cfcc79b0ab800959716738aff9419f53fc68c9c) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 28 September 2023, 04:32:23 UTC |
| e6fdfb8 | Nicholas Piggin | 29 August 2023, 01:06:58 UTC | accel/tcg: mttcg remove false-negative halted assertion mttcg asserts that an execution ending with EXCP_HALTED must have cpu->halted. However between the event or instruction that sets cpu->halted and requests exit and the assertion here, an asynchronous event could clear cpu->halted. This leads to crashes running AIX on ppc/pseries because it uses H_CEDE/H_PROD hcalls, where H_CEDE sets self->halted = 1 and H_PROD sets other cpu->halted = 0 and kicks it. H_PROD could be turned into an interrupt to wake, but several other places in ppc, sparc, and semihosting follow what looks like a similar pattern setting halted = 0 directly. So remove this assertion. Reported-by: Ivan Warren <ivan@vmfacility.fr> Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Message-Id: <20230829010658.8252-1-npiggin@gmail.com> [rth: Keep the case label and adjust the comment.] Signed-off-by: Richard Henderson <richard.henderson@linaro.org> (cherry picked from commit 0e5903436de712844b0e6cdd862b499c767e09e9) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 27 September 2023, 18:39:52 UTC |
| c8d2fc2 | Peter Maydell | 12 September 2023, 14:04:23 UTC | target/arm: Don't skip MTE checks for LDRT/STRT at EL0 The LDRT/STRT "unprivileged load/store" instructions behave like normal ones if executed at EL0. We handle this correctly for the load/store semantics, but get the MTE checking wrong. We always look at s->mte_active[is_unpriv] to see whether we should be doing MTE checks, but in hflags.c when we set the TB flags that will be used to fill the mte_active[] array we only set the MTE0_ACTIVE bit if UNPRIV is true (i.e. we are not at EL0). This means that a LDRT at EL0 will see s->mte_active[1] as 0, and will not do MTE checks even when MTE is enabled. To avoid the translate-time code having to do an explicit check on s->unpriv to see if it is OK to index into the mte_active[] array, duplicate MTE_ACTIVE into MTE0_ACTIVE when UNPRIV is false. (This isn't a very serious bug because generally nobody executes LDRT/STRT at EL0, because they have no use there.) Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20230912140434.1333369-2-peter.maydell@linaro.org (cherry picked from commit 903dbefc2b6918c10d12d9aafa0168cee8d287c7) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: before v7.2.0-1636-g671efad16a this code was in target/arm/helper.c) | 25 September 2023, 20:43:49 UTC |
| 79f1134 | Li Zhijian | 04 September 2023, 13:28:03 UTC | hw/cxl: Fix CFMW config memory leak Allocate targets and targets[n] resources when all sanity checks are passed to avoid memory leaks. Cc: qemu-stable@nongnu.org Suggested-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Fan Ni <fan.ni@samsung.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (cherry picked from commit 7b165fa164022b756c2b001d0a1525f98199d3ac) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 25 September 2023, 20:43:49 UTC |
| 19bbe3a | Mikulas Patocka | 16 September 2023, 16:32:45 UTC | linux-user/hppa: lock both words of function descriptor The code in setup_rt_frame reads two words at haddr, but locks only one. This patch fixes it to lock both. Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Acked-by: Helge Deller <deller@gmx.de> Cc: qemu-stable@nongnu.org Signed-off-by: Helge Deller <deller@gmx.de> (cherry picked from commit 5b1270ef1477bb7f240c3bfe2cd8b0fe4721fd51) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 25 September 2023, 20:43:49 UTC |
| 96783cf | Mikulas Patocka | 16 September 2023, 13:49:42 UTC | linux-user/hppa: clear the PSW 'N' bit when delivering signals qemu-hppa may crash when delivering a signal. It can be demonstrated with this program. Compile the program with "hppa-linux-gnu-gcc -O2 signal.c" and run it with "qemu-hppa -one-insn-per-tb a.out". It reports that the address of the flag is 0xb4 and it crashes when attempting to touch it. #include <stdio.h> #include <stdlib.h> #include <sys/time.h> #include <signal.h> sig_atomic_t flag; void sig(int n) { printf("&flag: %p\n", &flag); flag = 1; } int main(void) { struct sigaction sa; struct itimerval it; sa.sa_handler = sig; sigemptyset(&sa.sa_mask); sa.sa_flags = SA_RESTART; if (sigaction(SIGALRM, &sa, NULL)) perror("sigaction"), exit(1); it.it_interval.tv_sec = 0; it.it_interval.tv_usec = 100; it.it_value.tv_sec = it.it_interval.tv_sec; it.it_value.tv_usec = it.it_interval.tv_usec; if (setitimer(ITIMER_REAL, &it, NULL)) perror("setitimer"), exit(1); while (1) { } } The reason for the crash is that the signal handling routine doesn't clear the 'N' flag in the PSW. If the signal interrupts a thread when the 'N' flag is set, the flag remains set at the beginning of the signal handler and the first instruction of the signal handler is skipped. Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Acked-by: Helge Deller <deller@gmx.de> Cc: qemu-stable@nongnu.org Signed-off-by: Helge Deller <deller@gmx.de> (cherry picked from commit 2529497cb6b298e732e8dbe5212da7925240b4f4) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 25 September 2023, 20:43:49 UTC |
| 270bf79 | Nicholas Piggin | 08 August 2023, 04:19:51 UTC | hw/ppc: Always store the decrementer value When writing a value to the decrementer that raises an exception, the irq is raised, but the value is not stored so the store doesn't appear to have changed the register when it is read again. Always store the write value to the register. Fixes: e81a982aa53 ("PPC: Clean up DECR implementation") Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org> (cherry picked from commit febb71d543a8f747b2f8aaf0182d0a385c6a02c3) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 25 September 2023, 20:43:49 UTC |
| e916d29 | Nicholas Piggin | 30 May 2023, 13:12:13 UTC | target/ppc: Decrementer fix BookE semantics The decrementer store function has logic that short-cuts the timer if a very small value is stored (0, 1, or 2) and raises an interrupt directly. There are two problem with this on BookE. First is that BookE says a decrementer interrupt should not be raised on a store of 0, only of a decrement from 1. Second is that raising the irq directly will bypass the auto-reload logic in the booke decr timer function, breaking autoreload when 1 or 2 is stored. Fix this by removing that small-value special case. It makes this tricky logic even more difficult to reason about, and it hardly matters for performance. Cc: sdicaro@DDCI.com Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Message-Id: <20230530131214.373524-2-npiggin@gmail.com> Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com> (cherry picked from commit 17dd1354c1d1aba9caf4af01e11aa7dbe128474f) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 25 September 2023, 20:43:49 UTC |
| 8cfe6d2 | Nicholas Piggin | 08 August 2023, 04:19:50 UTC | target/ppc: Sign-extend large decrementer to 64-bits When storing a large decrementer value with the most significant implemented bit set, it is to be treated as a negative and sign extended. This isn't hit for book3s DEC because of another bug, fixing it in the next patch exposes this one and can cause additional problems, so fix this first. It can be hit with HDECR and other edge triggered types. Fixes: a8dafa52518 ("target/ppc: Implement large decrementer support for TCG") Signed-off-by: Nicholas Piggin <npiggin@gmail.com> [ clg: removed extra cpu and pcc variables shadowing local variables ] Signed-off-by: Cédric Le Goater <clg@kaod.org> (cherry picked from commit c8fbc6b9f2f3c732ee3307093c1c5c367eaa64ae) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 25 September 2023, 20:43:49 UTC |
| 5eadeee | Nicholas Piggin | 08 August 2023, 04:19:49 UTC | hw/ppc: Avoid decrementer rounding errors The decrementer register contains a relative time in timebase units. When writing to DECR this is converted and stored as an absolute value in nanosecond units, reading DECR converts back to relative timebase. The tb<->ns conversion of the relative part can cause rounding such that a value writen to the decrementer can read back a different, with time held constant. This is a particular problem for a deterministic icount and record-replay trace. Fix this by storing the absolute value in timebase units rather than nanoseconds. The math before: store: decr_next = now_ns + decr * ns_per_sec / tb_per_sec load: decr = (decr_next - now_ns) * tb_per_sec / ns_per_sec load(store): decr = decr * ns_per_sec / tb_per_sec * tb_per_sec / ns_per_sec After: store: decr_next = now_ns * tb_per_sec / ns_per_sec + decr load: decr = decr_next - now_ns * tb_per_sec / ns_per_sec load(store): decr = decr Fixes: 9fddaa0c0cab ("PowerPC merge: real time TB and decrementer - faster and simpler exception handling (Jocelyn Mayer)") Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org> (cherry picked from commit 8e0a5ac87800ccc6dd5013f89f27652f4480ab33) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 25 September 2023, 20:43:49 UTC |
| b9a0f11 | Nicholas Piggin | 08 August 2023, 04:19:48 UTC | hw/ppc: Round up the decrementer interval when converting to ns The rule of timers is typically that they should never expire before the timeout, but some time afterward. Rounding timer intervals up when doing conversion is the right thing to do. Under most circumstances it is impossible observe the decrementer interrupt before the dec register has triggered. However with icount timing, problems can arise. For example setting DEC to 0 can schedule the timer for now, causing it to fire before any more instructions have been executed and DEC is still 0. Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org> (cherry picked from commit eab0888418ab44344864965193cf6cd194ab6858) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 25 September 2023, 20:43:49 UTC |
| ba8cc56 | Nicholas Piggin | 08 August 2023, 04:19:47 UTC | host-utils: Add muldiv64_round_up This will be used for converting time intervals in different base units to host units, for the purpose of scheduling timers to emulate target timers. Timers typically must not fire before their requested expiry time but may fire some time afterward, so rounding up is the right way to implement these. Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> [ clg: renamed __muldiv64() to muldiv64_rounding() ] Signed-off-by: Cédric Le Goater <clg@kaod.org> (cherry picked from commit 47de6c4c287079744ceb96f606b3c0457addf380) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 25 September 2023, 20:43:49 UTC |
| b960bf3 | Nicholas Piggin | 08 August 2023, 04:19:46 UTC | hw/ppc: Introduce functions for conversion between timebase and nanoseconds These calculations are repeated several times, and they will become a little more complicated with subsequent changes. Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org> (cherry picked from commit 7798f5c576d898e7e10c4a2518f3f16411dedeb9) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 25 September 2023, 20:43:49 UTC |
| 7be98a0 | Michael Tokarev | 21 September 2023, 16:23:47 UTC | Update version for 7.2.6 release Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 21 September 2023, 16:23:47 UTC |
| feb0d5a | Marc-André Lureau | 11 September 2023, 13:25:51 UTC | tpm: fix crash when FD >= 1024 and unnecessary errors due to EINTR Replace select() with poll() to fix a crash when QEMU has a large number of FDs. Also use RETRY_ON_EINTR to avoid unnecessary errors due to EINTR. Cc: qemu-stable@nongnu.org Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2020133 Fixes: 56a3c24ffc ("tpm: Probe for connected TPM 1.2 or TPM 2") Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> (cherry picked from commit 8e32ddff69b6b4547cc00592ad816484e160817a) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: use TFR() instead of RETRY_ON_EINTR() before v7.2.0-538-g8b6aa69365) | 13 September 2023, 20:13:45 UTC |
| 2021c2d | Janosch Frank | 23 August 2023, 14:22:15 UTC | s390x/ap: fix missing subsystem reset registration A subsystem reset contains a reset of AP resources which has been missing. Adding the AP bridge to the list of device types that need reset fixes this issue. Reviewed-by: Jason J. Herne <jjherne@linux.ibm.com> Reviewed-by: Tony Krowiak <akrowiak@linux.ibm.com> Signed-off-by: Janosch Frank <frankja@linux.ibm.com> Fixes: a51b3153 ("s390x/ap: base Adjunct Processor (AP) object model") Message-ID: <20230823142219.1046522-2-seiden@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit 297ec01f0b9864ea8209ca0ddc6643b4c0574bdb) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 13 September 2023, 18:57:05 UTC |
| d0f8b52 | Marc-André Lureau | 11 September 2023, 14:04:47 UTC | ui: fix crash when there are no active_console Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault. 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812 812 return con->hw_ops->ui_info != NULL; (gdb) bt #0 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812 #1 0x00005555558a44b1 in protocol_client_msg (vs=0x5555578c76c0, data=0x5555581e93f0 <incomplete sequence \373>, len=24) at ../ui/vnc.c:2585 #2 0x00005555558a19ac in vnc_client_read (vs=0x5555578c76c0) at ../ui/vnc.c:1607 #3 0x00005555558a1ac2 in vnc_client_io (ioc=0x5555581eb0e0, condition=G_IO_IN, opaque=0x5555578c76c0) at ../ui/vnc.c:1635 Fixes: https://issues.redhat.com/browse/RHEL-2600 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Albert Esteve <aesteve@redhat.com> (cherry picked from commit 48a35e12faf90a896c5aa4755812201e00d60316) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 13 September 2023, 18:56:29 UTC |
| 9eda3b6 | Stefan Berger | 13 July 2023, 17:19:55 UTC | hw/tpm: TIS on sysbus: Remove unsupport ppi command line option The ppi command line option for the TIS device on sysbus never worked and caused an immediate segfault. Remove support for it since it also needs support in the firmware and needs testing inside the VM. Reproducer with the ppi=on option passed: qemu-system-aarch64 \ -machine virt,gic-version=3 \ -m 4G \ -nographic -no-acpi \ -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \ -tpmdev emulator,id=tpm0,chardev=chrtpm \ -device tpm-tis-device,tpmdev=tpm0,ppi=on [...] Segmentation fault (core dumped) Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Message-id: 20230713171955.149236-1-stefanb@linux.ibm.com (cherry picked from commit 4c46fe2ed492f35f411632c8b5a8442f322bc3f0) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 13 September 2023, 09:21:22 UTC |
| b5fad36 | Leon Schuermann | 29 August 2023, 21:50:46 UTC | target/riscv/pmp.c: respect mseccfg.RLB for pmpaddrX changes When the rule-lock bypass (RLB) bit is set in the mseccfg CSR, the PMP configuration lock bits must not apply. While this behavior is implemented for the pmpcfgX CSRs, this bit is not respected for changes to the pmpaddrX CSRs. This patch ensures that pmpaddrX CSR writes work even on locked regions when the global rule-lock bypass is enabled. Signed-off-by: Leon Schuermann <leons@opentitan.org> Reviewed-by: Mayuresh Chitale <mchitale@ventanamicro.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-ID: <20230829215046.1430463-1-leon@is.currently.online> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit 4e3adce1244e1ca30ec05874c3eca14911dc0825) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 13 September 2023, 09:21:22 UTC |
| 7601c96 | Conor Dooley | 27 July 2023, 14:24:17 UTC | hw/riscv: virt: Fix riscv,pmu DT node path On a dtb dumped from the virt machine, dt-validate complains: soc: pmu: {'riscv,event-to-mhpmcounters': [[1, 1, 524281], [2, 2, 524284], [65561, 65561, 524280], [65563, 65563, 524280], [65569, 65569, 524280]], 'compatible': ['riscv,pmu']} should not be valid under {'type': 'object'} from schema $id: http://devicetree.org/schemas/simple-bus.yaml# That's pretty cryptic, but running the dtb back through dtc produces something a lot more reasonable: Warning (simple_bus_reg): /soc/pmu: missing or empty reg/ranges property Moving the riscv,pmu node out of the soc bus solves the problem. Signed-off-by: Conor Dooley <conor.dooley@microchip.com> Acked-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Message-ID: <20230727-groom-decline-2c57ce42841c@spud> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit 9ff31406312500053ecb5f92df01dd9ce52e635d) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: context adjustment due to 568e0614d09 "hw/riscv/virt.c: rename MachineState 'mc' pointers to 'ms'") | 13 September 2023, 09:21:22 UTC |
| f44ffdc | LIU Zhiwei | 11 August 2023, 05:54:38 UTC | linux-user/riscv: Use abi type for target_ucontext We should not use types dependend on host arch for target_ucontext. This bug is found when run rv32 applications. Signed-off-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-ID: <20230811055438.1945-1-zhiwei_liu@linux.alibaba.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit ae7d4d625cab49657b9fc2be09d895afb9bcdaf0) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 13 September 2023, 09:21:22 UTC |
| d4a3464 | Jason Chien | 28 July 2023, 08:24:39 UTC | hw/intc: Make rtc variable names consistent The variables whose values are given by cpu_riscv_read_rtc() should be named "rtc". The variables whose value are given by cpu_riscv_read_rtc_raw() should be named "rtc_r". Signed-off-by: Jason Chien <jason.chien@sifive.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-ID: <20230728082502.26439-2-jason.chien@sifive.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit 9382a9eafccad8dc6a487ea3a8d2bed03dc35db9) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 13 September 2023, 09:21:22 UTC |
| 6097d3c | Jason Chien | 28 July 2023, 08:24:38 UTC | hw/intc: Fix upper/lower mtime write calculation When writing the upper mtime, we should keep the original lower mtime whose value is given by cpu_riscv_read_rtc() instead of cpu_riscv_read_rtc_raw(). The same logic applies to writes to lower mtime. Signed-off-by: Jason Chien <jason.chien@sifive.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-ID: <20230728082502.26439-1-jason.chien@sifive.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit e0922b73baf00c4c19d4ad30d09bb94f7ffea0f4) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> | 13 September 2023, 09:21:22 UTC |
| ec0afe3 | Thomas Huth | 21 July 2023, 09:47:19 UTC | hw/char/riscv_htif: Fix printing of console characters on big endian hosts The character that should be printed is stored in the 64 bit "payload" variable. The code currently tries to print it by taking the address of the variable and passing this pointer to qemu_chr_fe_write(). However, this only works on little endian hosts where the least significant bits are stored on the lowest address. To do this in a portable way, we have to store the value in an uint8_t variable instead. Fixes: 5033606780 ("RISC-V HTIF Console") Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Bin Meng <bmeng@tinylab.org> Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20230721094720.902454-2-thuth@redhat.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit c255946e3df4d9660e4f468a456633c24393d468) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: edit to compensate for v7.2.0-805-g753ae97abc and v7.2.0-808-gdadee9e3ce) | 13 September 2023, 09:21:22 UTC |
