Update QEMU to v9.1.1 #89

Closed
wants to merge 3,062 commits into from

This pull request is big! We’re only showing the most recent 250 commits.

Commits on Aug 2, 2024

  1. target/i386: SEV: fix mismatch in vcek-disabled property name

    The vcek-disabled property of the sev-snp-guest object is misspelled
    vcek-required (which I suppose would use the opposite polarity) in
    the call to object_class_property_add_bool().  Fix it.
    
    Reported-by: Zixi Chen <[email protected]>
    Reviewed-by: Pankaj Gupta <[email protected]>
    Signed-off-by: Paolo Bonzini <[email protected]>
    bonzini committed Aug 2, 2024
    d439241
  2. migration: Free removed SaveStateEntry

    This fixes LeakSanitizer warnings.
    
    Signed-off-by: Akihiko Odaki <[email protected]>
    Reviewed-by: Peter Xu <[email protected]>
    Signed-off-by: Fabiano Rosas <[email protected]>
    akihikodaki authored and Fabiano Rosas committed Aug 2, 2024
    c80e225
  3. migration: Fix cleanup of iochannel in file migration

    The QIOChannelFile object already has its reference decremented by
    g_autoptr. Trying to unref an extra time causes:
    
    ERROR:../qom/object.c:1241:object_unref: assertion failed: (obj->ref > 0)
    
    Fixes: a701c03 ("migration: Drop reference to QIOChannel if file seeking fails")
    Fixes: 6d32796 ("migration: Fix file migration with fdset")
    Reported-by: Jim Fehlig <[email protected]>
    Reviewed-by: Peter Xu <[email protected]>
    Signed-off-by: Fabiano Rosas <[email protected]>
    Fabiano Rosas committed Aug 2, 2024
    84ac6fa
  4. migration/multifd: Fix multifd_send_setup cleanup when channel creation fails
    
    When a channel fails to create, the code currently just returns. This
    is wrong for two reasons:
    
    1) Channel n+1 will not get to initialize its semaphores, leading to
       an assert when terminate_threads tries to post to it:
    
     qemu-system-x86_64: ../util/qemu-thread-posix.c:92:
     qemu_mutex_lock_impl: Assertion `mutex->initialized' failed.
    
    2) (theoretical) If channel n-1 already started creation it will
       defeat the purpose of the channels_created logic which is in place
       to avoid migrate_fd_cleanup() to run while channels are still being
       created.
    
       This cannot really happen today because the current failure cases
       for multifd_new_send_channel_create() are all synchronous,
       resulting from qio_channel_file_new_path() getting a bad
       filename. This would hit all channels equally.
    
       But I don't want to set a trap for future people, so have all
       channels try to create (even if failing), and only fail after the
       channels_created semaphore has been posted.
    
    While here, remove the error_report_err call. There's one already at
    migrate_fd_cleanup later on.
    
    Cc: [email protected]
    Reported-by: Jim Fehlig <[email protected]>
    Fixes: b7b03eb ("migration/multifd: Add outgoing QIOChannelFile support")
    Reviewed-by: Peter Xu <[email protected]>
    Signed-off-by: Fabiano Rosas <[email protected]>
    Fabiano Rosas committed Aug 2, 2024
    0bd5b92
  5. hvf: arm: Fix hvf_sysreg_read_cp() call

    Changed val from uint64_t to a pointer to uint64_t in hvf_sysreg_read,
    but didn't change its usage in hvf_sysreg_read_cp call.
    
    Fixes: e9e6401 ("hvf: arm: Raise an exception for sysreg by default")
    Reported-by: Richard Henderson <[email protected]>
    Signed-off-by: Akihiko Odaki <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    akihikodaki authored and rth7680 committed Aug 2, 2024
    cb14095
  6. Merge tag 'migration-20240802-pull-request' of https://gitlab.com/farosas/qemu into staging

    
    Migration pull request
    
    - Akihiko Odaki's fix for a memory leak on ppc migration
    - Fabiano's fix for asserts during multifd error handling
    
    # gpg: Signature made Sat 03 Aug 2024 12:23:27 AM AEST
    # gpg:                using RSA key AA1B48B0A22326A5A4C364CFC798DC741BEC319D
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Fabiano Rosas <[email protected]>" [unknown]
    # gpg:                 aka "Fabiano Almeida Rosas <[email protected]>" [unknown]
    # gpg: WARNING: The key's User ID is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: AA1B 48B0 A223 26A5 A4C3  64CF C798 DC74 1BEC 319D
    
    * tag 'migration-20240802-pull-request' of https://gitlab.com/farosas/qemu:
      migration/multifd: Fix multifd_send_setup cleanup when channel creation fails
      migration: Fix cleanup of iochannel in file migration
      migration: Free removed SaveStateEntry
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 2, 2024
    f9851d2

Commits on Aug 4, 2024

  1. linux-user/elfload: Fix pr_pid values in core files

    Analyzing qemu-produced core dumps of multi-threaded apps runs into:
    
        (gdb) info threads
          [...]
          21   Thread 0x3ff83cc0740 (LWP 9295) warning: Couldn't find general-purpose registers in core file.
        <unavailable> in ?? ()
    
    The reason is that all pr_pid values are the same, because the same
    TaskState is used for all CPUs when generating NT_PRSTATUS notes.
    
    Fix by using TaskStates associated with individual CPUs.
    
    Cc: [email protected]
    Fixes: 243c470 ("linux-user/elfload: Write corefile elf header in one block")
    Signed-off-by: Ilya Leoshkevich <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    iii-i authored and rth7680 committed Aug 4, 2024
    5b0c274
  2. qemu/osdep: Move close_all_open_fds() to oslib-posix

    Move close_all_open_fds() in oslib-posix, rename it
    qemu_close_all_open_fds() and export it.
    
    Signed-off-by: Clément Léger <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    clementleger authored and rth7680 committed Aug 4, 2024
    4ec5ebe
  3. qemu/osdep: Split qemu_close_all_open_fd() and add fallback

    In order to make it cleaner, split qemu_close_all_open_fd() logic into
    multiple subfunctions (close with close_range(), with /proc/self/fd and
    fallback).
    
    Signed-off-by: Clément Léger <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    clementleger authored and rth7680 committed Aug 4, 2024
    ffa28f9
  4. net/tap: Factorize fd closing after forking

    The same code is used twice to actually close all open file descriptors
    after forking. Factorize it in a single place.
    
    Signed-off-by: Clément Léger <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    clementleger authored and rth7680 committed Aug 4, 2024
    a9b5d6e
  5. qemu/osdep: Add excluded fd parameter to qemu_close_all_open_fd()

    In order for this function to be usable by tap.c code, add a list of
    file descriptors that should not be closed.
    
    Signed-off-by: Clément Léger <[email protected]>
    Message-ID: <[email protected]>
    [rth: Use max_fd in qemu_close_all_open_fd_close_range]
    Signed-off-by: Richard Henderson <[email protected]>
    clementleger authored and rth7680 committed Aug 4, 2024
    7532ca5
  6. net/tap: Use qemu_close_all_open_fd()

    Instead of using a slow implementation to close all open fd after
    forking, use qemu_close_all_open_fd().
    
    Signed-off-by: Clément Léger <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    clementleger authored and rth7680 committed Aug 4, 2024
    9996a35

Commits on Aug 5, 2024

  1. Merge tag 'pull-misc-20240805' of https://gitlab.com/rth7680/qemu into staging

    
    linux-user/elfload: Fix pr_pid values in core files
    util: Add qemu_close_all_open_fd
    net/tap: Use qemu_close_all_open_fd
    
    # gpg: Signature made Mon 05 Aug 2024 10:30:35 AM AEST
    # gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Richard Henderson <[email protected]>" [ultimate]
    
    * tag 'pull-misc-20240805' of https://gitlab.com/rth7680/qemu:
      net/tap: Use qemu_close_all_open_fd()
      qemu/osdep: Add excluded fd parameter to qemu_close_all_open_fd()
      net/tap: Factorize fd closing after forking
      qemu/osdep: Split qemu_close_all_open_fd() and add fallback
      qemu/osdep: Move close_all_open_fds() to oslib-posix
      linux-user/elfload: Fix pr_pid values in core files
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 5, 2024
    8db6e33
  2. qapi: Refill doc comments to conform to conventions

    Sweep the entire documentation again.  Last done in commit
    209e64d (qapi: Refill doc comments to conform to current
    conventions).
    
    To check the generated documentation does not change, I compared the
    generated HTML before and after this commit with "wdiff -3".  Finds no
    differences.  Comparing with diff is not useful, as the reflown
    paragraphs are visible there.
    
    Signed-off-by: Markus Armbruster <[email protected]>
    Message-ID: <[email protected]>
    [Straightforward conflict with commit 442110b resolved]
    Markus Armbruster committed Aug 5, 2024
    01bed0f
  3. qmp: Fix higher half vaddrs for [p]memsave

    Fixes higher-half address parsing for QMP commands
    `[p]memsave`.
    
    Signed-off-by: Josh Junon <[email protected]>
    Message-ID: <[email protected]>
    Reviewed-by: Markus Armbruster <[email protected]>
    [Subject tweaked, and one PRId64 updated to PRIu64]
    Signed-off-by: Markus Armbruster <[email protected]>
    Qix- authored and Markus Armbruster committed Aug 5, 2024
    ef71d82
  4. target/i386: Fix VSIB decode

    With normal SIB, index == 4 indicates no index.
    With VSIB, there is no exception for VR4/VR12.
    
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2474
    Signed-off-by: Richard Henderson <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Cc: [email protected]
    Signed-off-by: Paolo Bonzini <[email protected]>
    rth7680 authored and bonzini committed Aug 5, 2024
    ac63755
  5. Merge tag 'pull-qapi-2024-08-05' of https://repo.or.cz/qemu/armbru into staging

    QAPI patches for 2024-08-05
    
    # gpg: Signature made Mon 05 Aug 2024 05:55:49 PM AEST
    # gpg:                using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Markus Armbruster <[email protected]>" [full]
    # gpg:                 aka "Markus Armbruster <[email protected]>" [full]
    
    * tag 'pull-qapi-2024-08-05' of https://repo.or.cz/qemu/armbru:
      qmp: Fix higher half vaddrs for [p]memsave
      qapi: Refill doc comments to conform to conventions
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 5, 2024
    78dfb7b
  6. Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

    * target/i386: SEV: fix incorrect property name
    * target/i386: tcg: fix VSIB decode with XMM/YMM{4,12}
    
    # gpg: Signature made Mon 05 Aug 2024 10:14:50 PM AEST
    # gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Paolo Bonzini <[email protected]>" [full]
    # gpg:                 aka "Paolo Bonzini <[email protected]>" [full]
    
    * tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
      target/i386: Fix VSIB decode
      target/i386: SEV: fix mismatch in vcek-disabled property name
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 5, 2024
    e7207a9

Commits on Aug 6, 2024

  1. target/riscv: Remove redundant insn length check for zama16b

    Compressed encodings also apply to zama16b.
    riscv/riscv-isa-manual#1557
    
    Suggested-by: Alistair Francis <[email protected]>
    Signed-off-by: LIU Zhiwei <[email protected]>
    Reviewed-by: Alistair Francis <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    romanheros authored and alistair23 committed Aug 6, 2024
    b19bbf2
  2. target/riscv: Add MXLEN check for F/D/Q applies to zama16b

    Zama16b loads and stores of no more than MXLEN bits defined in the F, D, and Q
    extensions.
    
    Signed-off-by: LIU Zhiwei <[email protected]>
    Reviewed-by: Alistair Francis <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    romanheros authored and alistair23 committed Aug 6, 2024
    30d2414
  3. target/riscv: Relax fld alignment requirement

    According to the risc-v specification:
    "FLD and FSD are only guaranteed to execute atomically if the effective
    address is naturally aligned and XLEN≥64."
    
    We currently implement fld as MO_ATOM_IFALIGN when XLEN < 64, which does
    not violate the rules. But it will hide some problems. So relax it to
    MO_ATOM_NONE.
    
    Signed-off-by: LIU Zhiwei <[email protected]>
    Reviewed-by: Alistair Francis <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    romanheros authored and alistair23 committed Aug 6, 2024
    5e54b43
  4. target/riscv: Add asserts for out-of-bound access

    Coverity complained about the possible out-of-bounds access with
    counter_virt/counter_virt_prev because these two arrays are
    accessed with privilege mode. However, these two arrays are accessed
    only when virt is enabled. Thus, the privilege mode can't be M mode.
    
    Add the asserts anyways to detect any wrong usage of these arrays
    in the future.
    
    Suggested-by: Peter Maydell <[email protected]>
    Signed-off-by: Atish Patra <[email protected]>
    Fixes: Coverity CID 1558459
    Fixes: Coverity CID 1558462
    Reviewed-by: Alistair Francis <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    atishp04 authored and alistair23 committed Aug 6, 2024
    73b0195
  5. roms/opensbi: Update to v1.5.1

    A new minor version of OpenSBI was just released after our bump to
    OpenSBI 1.5. It contains significant bug fixes that it's worth doing
    a new update for QEMU 9.1.
    
    Submodule roms/opensbi 455de672dd..43cace6c36:
      > lib: sbi: check result of pmp_get() in is_pmp_entry_mapped()
      > lib: sbi: fwft: fix incorrect size passed to sbi_zalloc()
      > lib: sbi: dbtr: fix potential NULL pointer dereferences
      > include: Adjust Sscofpmf mhpmevent mask for upper 8 bits
      > lib: sbi_hsm: Save/restore menvcfg only when it exists
    
    Signed-off-by: Daniel Henrique Barboza <[email protected]>
    Message-ID: <[email protected]>
    Reviewed-by: Alistair Francis <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    danielhb authored and alistair23 committed Aug 6, 2024
    b3a34eb
  6. Merge tag 'pull-riscv-to-apply-20240806-2' of https://github.com/alistair23/qemu into staging

    
    RISC-V PR for 9.1
    
    * roms/opensbi: update to v1.5.1
    * target/riscv: Add asserts for out-of-bound access
    * Remove redundant insn length check for zama16b
    
    # gpg: Signature made Tue 06 Aug 2024 04:22:52 PM AEST
    # gpg:                using RSA key 6AE902B6A7CA877D6D659296AF7C95130C538013
    # gpg: Good signature from "Alistair Francis <[email protected]>" [unknown]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 6AE9 02B6 A7CA 877D 6D65  9296 AF7C 9513 0C53 8013
    
    * tag 'pull-riscv-to-apply-20240806-2' of https://github.com/alistair23/qemu:
      roms/opensbi: Update to v1.5.1
      target/riscv: Add asserts for out-of-bound access
      target/riscv: Relax fld alignment requirement
      target/riscv: Add MXLEN check for F/D/Q applies to zama16b
      target/riscv: Remove redundant insn length check for zama16b
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 6, 2024
    c659b7b
  7. hw/intc/loongson_ipi: Rename LoongsonIPI -> LoongsonIPIState

    We'll have to add LoongsonIPIClass in few commits,
    so rename LoongsonIPI as LoongsonIPIState for clarity.
    
    Signed-off-by: Bibo Mao <[email protected]>
    [PMD: Extracted from bigger commit, added commit description]
    Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Bibo Mao <[email protected]>
    Tested-by: Bibo Mao <[email protected]>
    Acked-by: Song Gao <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Jiaxun Yang <[email protected]>
    Tested-by: Jiaxun Yang <[email protected]>
    Message-Id: <[email protected]>
    bibo-mao authored and philmd committed Aug 6, 2024
    40a0815
  8. hw/intc/loongson_ipi: Extract loongson_ipi_common_realize()

    In preparation to extract common IPI code in few commits,
    extract loongson_ipi_common_realize().
    
    Signed-off-by: Bibo Mao <[email protected]>
    [PMD: Extracted from bigger commit, added commit description]
    Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Bibo Mao <[email protected]>
    Tested-by: Bibo Mao <[email protected]>
    Acked-by: Song Gao <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Jiaxun Yang <[email protected]>
    Tested-by: Jiaxun Yang <[email protected]>
    Message-Id: <[email protected]>
    bibo-mao authored and philmd committed Aug 6, 2024
    530e6da
  9. hw/intc/loongson_ipi: Add TYPE_LOONGSON_IPI_COMMON stub

    Introduce LOONGSON_IPI_COMMON stubs, QDev parent of LOONGSON_IPI.
    
    Signed-off-by: Bibo Mao <[email protected]>
    [PMD: Extracted from bigger commit, added commit description]
    Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Bibo Mao <[email protected]>
    Tested-by: Bibo Mao <[email protected]>
    Acked-by: Song Gao <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Jiaxun Yang <[email protected]>
    Tested-by: Jiaxun Yang <[email protected]>
    Message-Id: <[email protected]>
    bibo-mao authored and philmd committed Aug 6, 2024
    7e55578
  10. hw/intc/loongson_ipi: Move common definitions to loongson_ipi_common.h

    Signed-off-by: Bibo Mao <[email protected]>
    [PMD: Extracted from bigger commit, added commit description]
    Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Bibo Mao <[email protected]>
    Tested-by: Bibo Mao <[email protected]>
    Acked-by: Song Gao <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Jiaxun Yang <[email protected]>
    Tested-by: Jiaxun Yang <[email protected]>
    Message-Id: <[email protected]>
    bibo-mao authored and philmd committed Aug 6, 2024
    2252e6c
  11. hw/intc/loongson_ipi: Move IPICore::mmio_mem to LoongsonIPIState

    It is easier to manage one array of MMIO MR rather
    than one per vCPU.
    
    Signed-off-by: Bibo Mao <[email protected]>
    [PMD: Extracted from bigger commit, added commit description]
    Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Bibo Mao <[email protected]>
    Tested-by: Bibo Mao <[email protected]>
    Acked-by: Song Gao <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Jiaxun Yang <[email protected]>
    Tested-by: Jiaxun Yang <[email protected]>
    Message-Id: <[email protected]>
    bibo-mao authored and philmd committed Aug 6, 2024
    a022e0d
  12. hw/intc/loongson_ipi: Move IPICore structure to loongson_ipi_common.h

    Move the IPICore structure and corresponding common fields
    of LoongsonIPICommonState to "hw/intc/loongson_ipi_common.h".
    
    Signed-off-by: Bibo Mao <[email protected]>
    [PMD: Extracted from bigger commit, added commit description]
    Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Bibo Mao <[email protected]>
    Tested-by: Bibo Mao <[email protected]>
    Acked-by: Song Gao <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Jiaxun Yang <[email protected]>
    Tested-by: Jiaxun Yang <[email protected]>
    Message-Id: <[email protected]>
    bibo-mao authored and philmd committed Aug 6, 2024
    6c8698a
  13. hw/intc/loongson_ipi: Pass LoongsonIPICommonState to send_ipi_data()

    In order to get LoongsonIPICommonClass in send_ipi_data()
    in the next commit, propagate LoongsonIPICommonState.
    
    Signed-off-by: Bibo Mao <[email protected]>
    [PMD: Extracted from bigger commit, added commit description]
    Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Bibo Mao <[email protected]>
    Tested-by: Bibo Mao <[email protected]>
    Acked-by: Song Gao <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Jiaxun Yang <[email protected]>
    Tested-by: Jiaxun Yang <[email protected]>
    Message-Id: <[email protected]>
    bibo-mao authored and philmd committed Aug 6, 2024
    ed722e0
  14. hw/intc/loongson_ipi: Add LoongsonIPICommonClass::get_iocsr_as handler

    Allow Loongson IPI implementations to have their own get_iocsr_as()
    handler.
    
    Signed-off-by: Bibo Mao <[email protected]>
    [PMD: Extracted from bigger commit, added commit description]
    Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Bibo Mao <[email protected]>
    Tested-by: Bibo Mao <[email protected]>
    Acked-by: Song Gao <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Jiaxun Yang <[email protected]>
    Tested-by: Jiaxun Yang <[email protected]>
    Message-Id: <[email protected]>
    bibo-mao authored and philmd committed Aug 6, 2024
    a81cd67
  15. hw/intc/loongson_ipi: Add LoongsonIPICommonClass::cpu_by_arch_id handler

    Allow Loongson IPI implementations to have their own
    cpu_by_arch_id() handler.
    
    Signed-off-by: Bibo Mao <[email protected]>
    [PMD: Extracted from bigger commit, added commit description]
    Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Bibo Mao <[email protected]>
    Tested-by: Bibo Mao <[email protected]>
    Acked-by: Song Gao <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Jiaxun Yang <[email protected]>
    Tested-by: Jiaxun Yang <[email protected]>
    Message-Id: <[email protected]>
    bibo-mao authored and philmd committed Aug 6, 2024
    8f4f38f
  16. hw/intc/loongson_ipi: Expose loongson_ipi_core_read/write helpers

    In order to access loongson_ipi_core_read/write helpers
    from loongson_ipi_common.c in the next commit, make their
    prototype declaration public.
    
    Signed-off-by: Bibo Mao <[email protected]>
    [PMD: Extracted from bigger commit, added commit description]
    Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Bibo Mao <[email protected]>
    Tested-by: Bibo Mao <[email protected]>
    Acked-by: Song Gao <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Jiaxun Yang <[email protected]>
    Tested-by: Jiaxun Yang <[email protected]>
    Message-Id: <[email protected]>
    bibo-mao authored and philmd committed Aug 6, 2024
    2aca564
  17. hw/intc/loongson_ipi: Move common code to loongson_ipi_common.c

    Move the common code from loongson_ipi.c to loongson_ipi_common.c,
    call parent_realize() instead of loongson_ipi_common_realize() in
    loongson_ipi_realize().
    
    Signed-off-by: Bibo Mao <[email protected]>
    [PMD: Extracted from bigger commit, added commit description]
    Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Bibo Mao <[email protected]>
    Tested-by: Bibo Mao <[email protected]>
    Acked-by: Song Gao <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Jiaxun Yang <[email protected]>
    Tested-by: Jiaxun Yang <[email protected]>
    Message-Id: <[email protected]>
    bibo-mao authored and philmd committed Aug 6, 2024
    ec85955
  18. hw/intc/loongarch_ipi: Add loongarch IPI support

    Loongarch IPI is added here, it inherits from class
    TYPE_LOONGSON_IPI_COMMON, and two interfaces get_iocsr_as() and
    cpu_by_arch_id() are added for Loongarch 3A5000 machine. It can
    be used when ipi is emulated in userspace with KVM mode.
    
    Signed-off-by: Bibo Mao <[email protected]>
    [PMD: Rebased and simplified]
    Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Bibo Mao <[email protected]>
    Tested-by: Bibo Mao <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Acked-by: Song Gao <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Jiaxun Yang <[email protected]>
    Tested-by: Jiaxun Yang <[email protected]>
    Message-Id: <[email protected]>
    bibo-mao authored and philmd committed Aug 6, 2024
    c403d5f
  19. hw/loongarch/virt: Replace Loongson IPI with LoongArch IPI

    Loongarch IPI inherits from class LoongsonIPICommonClass, and it
    only contains Loongarch 3A5000 virt machine specific interfaces,
    rather than mix different machine implementations together.
    
    Signed-off-by: Bibo Mao <[email protected]>
    [PMD: Rebased]
    Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Bibo Mao <[email protected]>
    Tested-by: Bibo Mao <[email protected]>
    Acked-by: Song Gao <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Jiaxun Yang <[email protected]>
    Tested-by: Jiaxun Yang <[email protected]>
    Message-Id: <[email protected]>
    bibo-mao authored and philmd committed Aug 6, 2024
    ef2f114
  20. hw/intc/loongson_ipi: Restrict to MIPS

    Now that LoongArch target can use the TYPE_LOONGARCH_IPI
    model, restrict TYPE_LOONGSON_IPI to MIPS.
    
    Signed-off-by: Bibo Mao <[email protected]>
    [PMD: Extracted from bigger commit, added commit description]
    Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Bibo Mao <[email protected]>
    Tested-by: Bibo Mao <[email protected]>
    Acked-by: Song Gao <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Jiaxun Yang <[email protected]>
    Tested-by: Jiaxun Yang <[email protected]>
    Message-Id: <[email protected]>
    bibo-mao authored and philmd committed Aug 6, 2024
    3fad6db
  21. hw/sd/sdcard: Explicit dummy byte value

    On error the DAT lines are left unmodified to their
    previous states. QEMU returns 0x00 for convenience.
    
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    philmd committed Aug 6, 2024
    22d5fb4
  22. hw/sd/sdcard: Do not abort when reading DAT lines on invalid cmd state

    Guest should not try to read the DAT lines from invalid
    command state. If it still insists to do so, return a
    dummy value.
    
    Cc: [email protected]
    Fixes: e2dec2e ("hw/sd/sdcard: Remove default case in read/write on DAT lines")
    Reported-by: Zheyu Ma <[email protected]>
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2454
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    philmd committed Aug 6, 2024
    bd62079
  23. hw/sd/sdhci: Reset @data_count index on invalid ADMA transfers

    We neglected to clear the @data_count index on ADMA error,
    allowing to trigger assertion in sdhci_read_dataport() or
    sdhci_write_dataport().
    
    Cc: [email protected]
    Fixes: d7dfca0 ("hw/sdhci: introduce standard SD host controller")
    Reported-by: Zheyu Ma <[email protected]>
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2455
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    philmd committed Aug 6, 2024
    ed5a159
  24. hw/block/pflash_cfi01: Don't decrement pfl->counter below 0

    In pflash_write() Coverity points out that we can decrement the
    unsigned pfl->counter below zero, which makes it wrap around.  In
    fact this is harmless, because if pfl->counter is 0 at this point we
    also increment pfl->wcycle to 3, and the wcycle == 3 handling doesn't
    look at counter; the only way back into code which looks at the
    counter value is via wcycle == 1, which will reinitialize the counter.
    But it's arguably a little clearer to break early in the "counter ==
    0" if(), to avoid the decrement-below-zero.
    
    Resolves: Coverity CID 1547611
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Kevin Wolf <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    pm215 authored and philmd committed Aug 6, 2024
    8f64e74
  25. hw/ide/atapi: Be explicit that assigning to s->lcyl truncates

    In ide_atapi_cmd_reply_end() we calculate a 16-bit size, and then
    assign its two halves to s->lcyl and s->hcyl like this:
    
               s->lcyl = size;
               s->hcyl = size >> 8;
    
    Coverity warns that the first line here can overflow the
    8-bit s->lcyl variable. This is true, and in this case we're
    deliberately only after the low 8 bits of the value. The
    code is clearer to both humans and Coverity if we're explicit
    that we only wanted the low 8 bits, though.
    
    Resolves: Coverity CID 1547621
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Markus Armbruster <[email protected]>
    Reviewed-by: Kevin Wolf <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    pm215 authored and philmd committed Aug 6, 2024
    f63085c
  26. hw/block/fdc-isa: Assert that isa_fdc_get_drive_max_chs() found something

    Coverity complains about an overflow in isa_fdc_get_drive_max_chs()
    that can happen if the loop over fd_formats never finds a match,
    because we initialize *maxc to 0 and then at the end of the
    function decrement it.
    
    This can't ever actually happen because fd_formats has at least
    one entry for each FloppyDriveType, so we must at least once
    find a match and update *maxc, *maxh and *maxs. Assert that we
    did find a match, which should keep Coverity happy and will also
    detect possible bugs in the data in fd_formats.
    
    Resolves: Coverity CID 1547663
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Markus Armbruster <[email protected]>
    Reviewed-by: Kevin Wolf <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    pm215 authored and philmd committed Aug 6, 2024
    11b4666
  27. hw/ide/pci: Remove dead code from bmdma_prepare_buf()

    Coverity notes that the code at the end of the loop in
    bmdma_prepare_buf() is unreachable.  This is because in commit
    9fbf0fa ("ide: remove hardcoded 2GiB transactional limit")
    we removed the only codepath in the loop which could "break" out of
    it, but didn't notice that this meant we should also remove the code
    at the end of the loop.
    
    Remove the dead code.
    
    Resolves: Coverity CID 1547772
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Kevin Wolf <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    [PMD: Break and return once at EOF]
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    pm215 authored and philmd committed Aug 6, 2024
    c1a6ae5
  28. hw/display/virtio-gpu: Improve "opengl is not available" error message

    If the user tries to use the virtio-gpu-gl device but the display
    backend doesn't have OpenGL support enabled, we currently print a
    rather uninformative error message:
    
    $ qemu-system-aarch64 -M virt -device virtio-gpu-gl
    qemu-system-aarch64: -device virtio-gpu-gl: opengl is not available
    
    Since OpenGL is not enabled on display frontends by default, users
    are quite likely to run into this. Improve the error message to
    be more specific and to suggest to the user a path forward.
    
    Note that the case of "user tried to enable OpenGL but the display
    backend doesn't handle it" is caught elsewhere first, so we can
    assume that isn't the problem:
    
    $ qemu-system-aarch64 -M virt -device virtio-gpu-gl -display curses,gl=on
    qemu-system-aarch64: OpenGL is not supported by the display
    
    (Use of error_append_hint() requires us to add an ERRP_GUARD() to
    the function, as noted in include/qapi/error.h.)
    
    With this commit we now produce the hopefully more helpful error:
    $ ./build/x86/qemu-system-aarch64 -M virt -device virtio-gpu-gl
    qemu-system-aarch64: -device virtio-gpu-gl: The display backend does not have OpenGL support enabled
    It can be enabled with '-display BACKEND,gl=on' where BACKEND is the name of the display backend to use.
    
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2443
    Signed-off-by: Peter Maydell <[email protected]>
    Acked-by: Marc-André Lureau <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Alex Bennée <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    pm215 authored and philmd committed Aug 6, 2024
    0fa57cb
  29. system/vl.c: Expand OpenGL related errors

    Expand the OpenGL related error messages we produce for various
    "OpenGL not present/not supported" cases, to hopefully guide the
    user towards how to fix things.
    
    Now if the user tries to enable GL on a backend that doesn't
    support it the error message is a bit more precise:
    
    $ qemu-system-aarch64 -M virt -device virtio-gpu-gl -display curses,gl=on
    qemu-system-aarch64: OpenGL is not supported by display backend 'curses'
    
    Signed-off-by: Peter Maydell <[email protected]>
    Acked-by: Marc-André Lureau <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    [AJB: Improved error report message]
    Reviewed-by: Alex Bennée <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    pm215 authored and philmd committed Aug 6, 2024
    7aea035
  30. ui/console: Note in '-display help' that some backends support suboptions

    Currently '-display help' only prints the available backends. Some
    of those backends support suboptions (e.g. '-display gtk,gl=on').
    Mention that in the help output, and point the user to where they
    might be able to find more information about the suboptions.
    The new output looks like this:
    
      $ qemu-system-aarch64 -display help
      Available display backend types:
      none
      gtk
      sdl
      egl-headless
      curses
      spice-app
      dbus
    
      Some display backends support suboptions, which can be set with
         -display backend,option=value,option=value...
      For a short list of the suboptions for each display, see the top-level -help output; more detail is in the documentation.
    
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Acked-by: Marc-André Lureau <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    pm215 authored and philmd committed Aug 6, 2024
    ef0a121
  31. hw/pci-host/gt64120: Set PCI base address register write mask

    When booting Linux we see:
    
      PCI host bridge to bus 0000:00
      pci_bus 0000:00: root bus resource [mem 0x10000000-0x17ffffff]
      pci_bus 0000:00: root bus resource [io  0x1000-0x1fffff]
      pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
      pci 0000:00:00.0: [11ab:4620] type 00 class 0x060000
      pci 0000:00:00.0: [Firmware Bug]: reg 0x14: invalid BAR (can't size)
      pci 0000:00:00.0: [Firmware Bug]: reg 0x18: invalid BAR (can't size)
      pci 0000:00:00.0: [Firmware Bug]: reg 0x1c: invalid BAR (can't size)
      pci 0000:00:00.0: [Firmware Bug]: reg 0x20: invalid BAR (can't size)
      pci 0000:00:00.0: [Firmware Bug]: reg 0x24: invalid BAR (can't size)
    
    This is due to missing base address register write mask.
    Add it to get:
    
      PCI host bridge to bus 0000:00
      pci_bus 0000:00: root bus resource [mem 0x10000000-0x17ffffff]
      pci_bus 0000:00: root bus resource [io  0x1000-0x1fffff]
      pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
      pci 0000:00:00.0: [11ab:4620] type 00 class 0x060000
      pci 0000:00:00.0: reg 0x10: [mem 0x00000000-0x00000fff pref]
      pci 0000:00:00.0: reg 0x14: [mem 0x01000000-0x01000fff pref]
      pci 0000:00:00.0: reg 0x18: [mem 0x1c000000-0x1c000fff]
      pci 0000:00:00.0: reg 0x1c: [mem 0x1f000000-0x1f000fff]
      pci 0000:00:00.0: reg 0x20: [mem 0x1be00000-0x1be00fff]
      pci 0000:00:00.0: reg 0x24: [io  0x14000000-0x14000fff]
    
    Since this device is only used by MIPS machines which aren't
    versioned, we don't need to update migration compat machinery.
    
    Mention the datasheet referenced. Remove the "Malta assumptions
    ahead" comment since the reset values from the datasheet are used.
    
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: BALATON Zoltan <[email protected]>
    Message-Id: <[email protected]>
    philmd committed Aug 6, 2024
    50a2429
  32. hw/pci-host/gt64120: Reset config registers during RESET phase

    Reset config values in the device RESET phase, not only once
    when the device is realized, because otherwise the device can
    use unknown values at reset.
    
    Since we are adding a new reset method, use the preferred
    Resettable API (for a simple leaf device reset, a
    DeviceClass::reset method and a ResettableClass::reset_hold
    method are essentially identical).
    
    Reported-by: Michael S. Tsirkin <[email protected]>
    Reviewed-by: BALATON Zoltan <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Message-Id: <[email protected]>
    philmd committed Aug 6, 2024
    ec70b77
  33. docs/specs/pci-ids: Add missing devices

    Add the missing devices 1b36:000c (PCIe root port) and 1b36:000e
    (PCIe-to-PCI bridge).
    
    Signed-off-by: George Matsumura <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    George Matsumura authored and philmd committed Aug 6, 2024
    6e717a7
  34. docs/specs/pci-ids: Fix markup

    This fixes the markup of the PCI and PCIe Expander Bridge entries to be
    consistent with the rest of the file.
    
    Signed-off-by: George Matsumura <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    George Matsumura authored and philmd committed Aug 6, 2024
    7e7085d
  35. Merge tag 'hw-misc-20240806' of https://github.com/philmd/qemu into staging

    Misc HW & UI patches
    
    - Replace Loongson IPI with LoongArch IPI on LoongArch Virt machine (Bibo)
    - SD card: Do not abort when reading DAT lines on invalid cmd state (Phil)
    - SDHCI: Reset @data_count index on invalid ADMA transfers (Phil)
    - Don't decrement PFlash counter below 0 (Peter)
    - Explicit a 8bit truncate on IDE ATAPI (Peter)
    - Silent Coverity warning in ISA FDC (Peter)
    - Remove dead code in PCI IDE bmdma_prepare_buf (Peter)
    - Improve OpenGL and related display error messages (Peter)
    - Set PCI base address register write mask on GC64120 host bridge (Phil)
    - List PCIe Root Port and PCIe-to-PCI bridge in QEMU PCI IDs list (George)
    
    # gpg: Signature made Wed 07 Aug 2024 12:25:30 AM AEST
    # gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
    # gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <[email protected]>" [full]
    
    * tag 'hw-misc-20240806' of https://github.com/philmd/qemu: (28 commits)
      docs/specs/pci-ids: Fix markup
      docs/specs/pci-ids: Add missing devices
      hw/pci-host/gt64120: Reset config registers during RESET phase
      hw/pci-host/gt64120: Set PCI base address register write mask
      ui/console: Note in '-display help' that some backends support suboptions
      system/vl.c: Expand OpenGL related errors
      hw/display/virtio-gpu: Improve "opengl is not available" error message
      hw/ide/pci: Remove dead code from bmdma_prepare_buf()
      hw/block/fdc-isa: Assert that isa_fdc_get_drive_max_chs() found something
      hw/ide/atapi: Be explicit that assigning to s->lcyl truncates
      hw/block/pflash_cfi01: Don't decrement pfl->counter below 0
      hw/sd/sdhci: Reset @data_count index on invalid ADMA transfers
      hw/sd/sdcard: Do not abort when reading DAT lines on invalid cmd state
      hw/sd/sdcard: Explicit dummy byte value
      hw/intc/loongson_ipi: Restrict to MIPS
      hw/loongarch/virt: Replace Loongson IPI with LoongArch IPI
      hw/intc/loongarch_ipi: Add loongarch IPI support
      hw/intc/loongson_ipi: Move common code to loongson_ipi_common.c
      hw/intc/loongson_ipi: Expose loongson_ipi_core_read/write helpers
      hw/intc/loongson_ipi: Add LoongsonIPICommonClass::cpu_by_arch_id handler
      ...
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 6, 2024
    f4bb895
  36. qapi-block-core: Clean up blockdev-snapshot-internal-sync doc

    BlockdevSnapshotInternal is the arguments type of command
    blockdev-snapshot-internal-sync.  Its doc comment contains this note:
    
        # .. note:: In a transaction, if @name is empty or any snapshot matching
        #    @name exists, the operation will fail.  Only some image formats
        #    support it; for example, qcow2, and rbd.
    
    "In a transaction" is misleading, and "if @name is empty or any
    snapshot matching @name exists, the operation will fail" is redundant
    with the command's Errors documentation.  Drop.
    
    The remainder is fine.  Move it to the command's doc comment, where it
    is more prominently visible, with a slight rephrasing for clarity.
    
    Signed-off-by: Markus Armbruster <[email protected]>
    Message-ID: <[email protected]>
    Reviewed-by: Kevin Wolf <[email protected]>
    Signed-off-by: Kevin Wolf <[email protected]>
    Markus Armbruster authored and kevmw committed Aug 6, 2024
    f0e0c46
  37. block-copy: Fix missing graph lock

    The graph lock needs to be held when calling bdrv_co_pdiscard(). Fix
    block_copy_task_entry() to take it for the call.
    
    WITH_GRAPH_RDLOCK_GUARD() was implemented in a weak way because of
    limitations in clang's Thread Safety Analysis at the time, so that it
    only asserts that the lock is held (which allows calling functions that
    require the lock), but we never deal with the unlocking (so even after
    the scope of the guard, the compiler assumes that the lock is still
    held). This is why the compiler didn't catch this locking error.
    
    Signed-off-by: Kevin Wolf <[email protected]>
    Message-ID: <[email protected]>
    Reviewed-by: Stefan Hajnoczi <[email protected]>
    Signed-off-by: Kevin Wolf <[email protected]>
    kevmw committed Aug 6, 2024
    d5f6cbb
  38. block/graph-lock: Make WITH_GRAPH_RDLOCK_GUARD() fully checked

    Upstream clang 18 (and backports to clang 17 in Fedora and RHEL)
    implemented support for __attribute__((cleanup())) in its Thread Safety
    Analysis, so we can now actually have a proper implementation of
    WITH_GRAPH_RDLOCK_GUARD() that understands when we acquire and when we
    release the lock.
    
    -Wthread-safety is now only enabled if the compiler is new enough to
    understand this pattern. In theory, we could have used some #ifdefs to
    keep the existing basic checks on old compilers, but as long as someone
    runs a newer compiler (and our CI does), we will catch locking problems,
    so it's probably not worth keeping multiple implementations for this.
    
    The implementation can't use g_autoptr any more because the glib macros
    define wrapper functions that don't have the right TSA attributes, so
    the compiler would complain about them. Just use the cleanup attribute
    directly instead.
    
    Signed-off-by: Kevin Wolf <[email protected]>
    Message-ID: <[email protected]>
    Reviewed-by: Stefan Hajnoczi <[email protected]>
    Reviewed-by: Manos Pitsidianakis <[email protected]>
    Signed-off-by: Kevin Wolf <[email protected]>
    kevmw committed Aug 6, 2024
    7e17111
  39. scsi-disk: Use positive return value for status in dma_readv/writev

    In some error cases, scsi_block_sgio_complete() never calls the passed
    callback, but directly completes the request. This leads to bugs because
    its error paths are not exact copies of what the callback would normally
    do.
    
    In preparation to fix this, allow passing positive return values to the
    callbacks that represent the status code that should be used to complete
    the request.
    
    scsi_handle_rw_error() already handles positive values for its ret
    parameter because scsi_block_sgio_complete() calls directly into it.
    
    Signed-off-by: Kevin Wolf <[email protected]>
    Acked-by: Paolo Bonzini <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Kevin Wolf <[email protected]>
    kevmw committed Aug 6, 2024
    cfe0880
  40. scsi-block: Don't skip callback for sgio error status/driver_status

    Instead of calling into scsi_handle_rw_error() directly from
    scsi_block_sgio_complete() and skipping the normal callback, go through
    the normal cleanup path by calling the callback with a positive error
    value.
    
    The important difference here is not only that the code path is cleaner,
    but that the callbacks set r->req.aiocb = NULL. If we skip setting this
    and the error action is BLOCK_ERROR_ACTION_STOP, resuming the VM runs
    into an assertion failure in scsi_read_data() or scsi_write_data()
    because the dangling aiocb pointer is unexpected.
    
    Fixes: a108557 ("scsi: inline sg_io_sense_from_errno() into the callers.")
    Buglink: https://issues.redhat.com/browse/RHEL-50000
    Signed-off-by: Kevin Wolf <[email protected]>
    Acked-by: Paolo Bonzini <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Kevin Wolf <[email protected]>
    kevmw committed Aug 6, 2024
    622a701
  41. scsi-disk: Add warning comments that host_status errors take a shortcut

    scsi_block_sgio_complete() has surprising behaviour in that there are
    error cases in which it directly completes the request and never calls
    the passed callback. In the current state of the code, this doesn't seem
    to result in bugs, but with future code changes, we must be careful to
    never rely on the callback doing some cleanup until this code smell is
    fixed. For now, just add warnings to make people aware of the trap.
    
    Signed-off-by: Kevin Wolf <[email protected]>
    Acked-by: Paolo Bonzini <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Kevin Wolf <[email protected]>
    kevmw committed Aug 6, 2024
    8a04956
  42. scsi-disk: Always report RESERVATION_CONFLICT to guest

    In the case of scsi-block, RESERVATION_CONFLICT is not a backend error,
    but indicates that the guest tried to make a request that it isn't
    allowed to execute. Pass the error to the guest so that it can decide
    what to do with it.
    
    Without this, if we stop the VM in response to a RESERVATION_CONFLICT
    (as is the default policy in management software such as oVirt or
    KubeVirt), it can happen that the VM cannot be resumed any more because
    every attempt to resume it immediately runs into the same error and
    stops the VM again.
    
    One case that expects RESERVATION_CONFLICT errors to be visible in the
    guest is running the validation tests in Windows 2019's Failover Cluster
    Manager, which intentionally tries to execute invalid requests to see if
    they are properly rejected.
    
    Buglink: https://issues.redhat.com/browse/RHEL-50000
    Signed-off-by: Kevin Wolf <[email protected]>
    Acked-by: Paolo Bonzini <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Kevin Wolf <[email protected]>
    kevmw committed Aug 6, 2024
    9da6bd3
  43. vvfat: Fix bug in writing to middle of file

    Before this commit, the behavior when calling `commit_one_file` for
    example with `offset=0x2000` (second cluster), what will happen is that
    we won't fetch the next cluster from the fat, and instead use the first
    cluster for the read operation.
    
    This is due to off-by-one error here, where `i=0x2000 !< offset=0x2000`,
    thus not fetching the next cluster.
    
    Signed-off-by: Amjad Alsharafi <[email protected]>
    Reviewed-by: Kevin Wolf <[email protected]>
    Tested-by: Kevin Wolf <[email protected]>
    Message-ID: <b97c1e1f1bc2f776061ae914f95d799d124fcd73.1721470238.git.amjadsharafi10@gmail.com>
    Signed-off-by: Kevin Wolf <[email protected]>
    Amjad50 authored and kevmw committed Aug 6, 2024
    b881cf0
  44. vvfat: Fix usage of info.file.offset

    The field is marked as "the offset in the file (in clusters)", but it
    was being used like this
    `cluster_size*(nums)+mapping->info.file.offset`, which is incorrect.
    
    Signed-off-by: Amjad Alsharafi <[email protected]>
    Reviewed-by: Kevin Wolf <[email protected]>
    Message-ID: <72f19a7903886dda1aa78bcae0e17702ee939262.1721470238.git.amjadsharafi10@gmail.com>
    Signed-off-by: Kevin Wolf <[email protected]>
    Amjad50 authored and kevmw committed Aug 6, 2024
    21b25a0
  45. vvfat: Fix wrong checks for cluster mappings invariant

    What this `abort` was intended to check for was:
    - if the `mapping->first_mapping_index` is not the same as
      `first_mapping_index`, which **should** happen only in one case,
      when we are handling the first mapping, in that case
      `mapping->first_mapping_index == -1`, in all other cases, the other
      mappings after the first should have the condition `true`.
    - From above, we know that this is the first mapping, so if the offset
      is not `0`, then abort, since this is an invalid state.
    
    The issue was that `first_mapping_index` is not set if we are
    checking from the middle, the variable `first_mapping_index` is
    only set if we passed through the check `cluster_was_modified` with the
    first mapping, and in the same function call we checked the other
    mappings.
    
    One approach is to go into the loop even if `cluster_was_modified`
    is not true so that we will be able to set `first_mapping_index` for the
    first mapping, but since `first_mapping_index` is only used here,
    another approach is to just check manually for the
    `mapping->first_mapping_index != -1` since we know that this is the
    value for the only entry where `offset == 0` (i.e. first mapping).
    
    Signed-off-by: Amjad Alsharafi <[email protected]>
    Reviewed-by: Kevin Wolf <[email protected]>
    Message-ID: <b0fbca3ee208c565885838f6a7deeaeb23f4f9c2.1721470238.git.amjadsharafi10@gmail.com>
    Signed-off-by: Kevin Wolf <[email protected]>
    Amjad50 authored and kevmw committed Aug 6, 2024
    f60a6f7
  46. vvfat: Fix reading files with non-continuous clusters

    When reading with `read_cluster` we get the `mapping` with
    `find_mapping_for_cluster` and then we call `open_file` for this
    mapping.
    The issue appears when it's the same file, but a second cluster that is
    not immediately after it, imagine clusters `500 -> 503`, this will give
    us 2 mappings one has the range `500..501` and another `503..504`, both
    point to the same file, but different offsets.
    
    When we don't open the file since the path is the same, we won't assign
    `s->current_mapping` and thus accessing way out of bound of the file.
    
    From our example above, after `open_file` (that didn't open anything) we
    will get the offset into the file with
    `s->cluster_size*(cluster_num-s->current_mapping->begin)`, which will
    give us `0x2000 * (504-500)`, which is out of bound for this mapping and
    will produce some issues.
    
    Signed-off-by: Amjad Alsharafi <[email protected]>
    Message-ID: <1f3ea115779abab62ba32c788073cdc99f9ad5dd.1721470238.git.amjadsharafi10@gmail.com>
    [kwolf: Simplified the patch based on Amjad's analysis and input]
    Signed-off-by: Kevin Wolf <[email protected]>
    Amjad50 authored and kevmw committed Aug 6, 2024
    5eed3db
  47. iotests: Add vvfat tests

    Added several tests to verify the implementation of the vvfat driver.
    
    We needed a way to interact with it, so created a basic `fat16.py` driver
    that handled writing correct sectors for us.
    
    Added `vvfat` to the non-generic formats, as it's not a normal image format.
    
    Signed-off-by: Amjad Alsharafi <[email protected]>
    Reviewed-by: Kevin Wolf <[email protected]>
    Tested-by: Kevin Wolf <[email protected]>
    Message-ID: <bb8149c945301aefbdf470a0924c07f69f9c087d.1721470238.git.amjadsharafi10@gmail.com>
    [kwolf: Made mypy and pylint happy to unbreak 297]
    Signed-off-by: Kevin Wolf <[email protected]>
    Amjad50 authored and kevmw committed Aug 6, 2024
    c8f60bf
  48. iotests/024: exclude 'backing file format' field from the output

    Apparently 'qemu-img info' doesn't report the backing file format field
    for qed (as it does for qcow2):
    
    $ qemu-img create -f qed base.qed 1M && qemu-img create -f qed -b base.qed -F qed top.qed 1M
    $ qemu-img create -f qcow2 base.qcow2 1M && qemu-img create -f qcow2 -b base.qcow2 -F qcow2 top.qcow2 1M
    $ qemu-img info top.qed | grep 'backing file format'
    $ qemu-img info top.qcow2 | grep 'backing file format'
    backing file format: qcow2
    
    This leads to the 024 test failure with -qed.  Let's just filter the
    field out and exclude it from the output.
    
    This is a fixup for the commit f93e65e ("iotests/{024, 271}: add
    testcases for qemu-img rebase").
    
    Reported-by: Thomas Huth <[email protected]>
    Signed-off-by: Andrey Drobyshev <[email protected]>
    Message-ID: <[email protected]>
    Reviewed-by: Eric Blake <[email protected]>
    Reviewed-by: Kevin Wolf <[email protected]>
    Signed-off-by: Kevin Wolf <[email protected]>
    Andrey Drobyshev authored and kevmw committed Aug 6, 2024
    ca1dcc9
  49. Merge tag 'for-upstream' of https://repo.or.cz/qemu/kevin into staging

    Block layer patches
    
    - scsi-block: Fix error handling with r/werror=stop
    - Depend on newer clang for TSA, make WITH_GRAPH_RDLOCK_GUARD() fully
      checked, fix block-copy to add missing lock
    - vvfat: Fix write bugs for large files and add iotests
    - Clean up blockdev-snapshot-internal-sync doc
    - Fix iotests 024 for qed
    
    # gpg: Signature made Wed 07 Aug 2024 04:23:10 AM AEST
    # gpg:                using RSA key DC3DEB159A9AF95D3D7456FE7F09B272C88F2FD6
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Kevin Wolf <[email protected]>" [full]
    
    * tag 'for-upstream' of https://repo.or.cz/qemu/kevin:
      iotests/024: exclude 'backing file format' field from the output
      iotests: Add `vvfat` tests
      vvfat: Fix reading files with non-continuous clusters
      vvfat: Fix wrong checks for cluster mappings invariant
      vvfat: Fix usage of `info.file.offset`
      vvfat: Fix bug in writing to middle of file
      scsi-disk: Always report RESERVATION_CONFLICT to guest
      scsi-disk: Add warning comments that host_status errors take a shortcut
      scsi-block: Don't skip callback for sgio error status/driver_status
      scsi-disk: Use positive return value for status in dma_readv/writev
      block/graph-lock: Make WITH_GRAPH_RDLOCK_GUARD() fully checked
      block-copy: Fix missing graph lock
      qapi-block-core: Clean up blockdev-snapshot-internal-sync doc
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 6, 2024
    6d00c6f

Commits on Aug 7, 2024

  1. tcg/ppc: Sync tcg_out_test and constraints

    Ensure the code structure is the same for matching constraints
    and emitting code, lest we allow constants that cannot be
    trivially tested.
    
    Cc: [email protected]
    Fixes: ad788ae ("tcg/ppc: Support TCG_COND_TST{EQ,NE}")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2487
    Signed-off-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    rth7680 committed Aug 7, 2024
    682a052
  2. Merge tag 'pull-tcg-20240808' of https://gitlab.com/rth7680/qemu into staging
    
    tcg/ppc: Sync tcg_out_test and constraints
    
    # gpg: Signature made Thu 08 Aug 2024 09:05:12 AM AEST
    # gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Richard Henderson <[email protected]>" [ultimate]
    
    * tag 'pull-tcg-20240808' of https://gitlab.com/rth7680/qemu:
      tcg/ppc: Sync tcg_out_test and constraints
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 7, 2024
    4c395ac

Commits on Aug 8, 2024

  1. Hexagon: fix F2_conv_* instructions for negative zero

    The implementation for these instructions handles -0 as an invalid float
    point value, whereas the Hexagon hardware considers it the same as +0
    (which is valid). Let's fix that and add a regression test.
    
    Signed-off-by: Matheus Tavares Bernardino <[email protected]>
    Reviewed-by: Brian Cain <[email protected]>
    Reviewed-by: Taylor Simpson <[email protected]>
    Signed-off-by: Brian Cain <[email protected]>
    quic-mathbern authored and androm3da committed Aug 8, 2024
    6146060
  2. Hexagon: lldb read/write predicate registers p0/p1/p2/p3

    hexagon-core.xml only exposes register p3_0 which is an alias that
    aggregates the predicate registers.  It is more convenient for users
    to interact directly with the predicate registers.
    
    Tested with lldb downloaded from this location
    https://github.com/llvm/llvm-project/releases/download/llvmorg-18.1.4/clang+llvm-18.1.4-x86_64-linux-gnu-ubuntu-18.04.tar.xz
    
    BEFORE:
    (lldb) reg read p3_0
        p3_0 = 0x00000000
    (lldb) reg read p0
    error: Invalid register name 'p0'.
    (lldb) reg write p1 0xf
    error: Register not found for 'p1'.
    
    AFTER:
    (lldb) reg read p3_0
        p3_0 = 0x00000000
    (lldb) reg read p0
          p0 = 0x00
    (lldb) reg read -s 1
    Predicate Registers:
            p0 = 0x00
            p1 = 0x00
            p2 = 0x00
            p3 = 0x00
    
    (lldb) reg write p1 0xf
    (lldb) reg read p3_0
        p3_0 = 0x00000f00
    (lldb) reg write p3_0 0xff00ff00
    (lldb) reg read -s 1
    Predicate Registers:
            p0 = 0x00
            p1 = 0xff
            p2 = 0x00
            p3 = 0xff
    
    Signed-off-by: Taylor Simpson <[email protected]>
    Reviewed-by: Brian Cain <[email protected]>
    Reviewed-by: Matheus Tavares Bernardino <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Brian Cain <[email protected]>
    taylorsimpson authored and androm3da committed Aug 8, 2024
    523e45a
  3. target/hexagon/idef-parser: Remove self-assignment

    The self assignment is clearly useless, and @1.last_column does not have
    to be set for an expression with only a single token, so remove it.
    
    Reported-by: Peter Maydell <[email protected]>
    Signed-off-by: Anton Johansson <[email protected]>
    Reviewed-by: Brian Cain <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Brian Cain <[email protected]>
    Anton Johansson authored and androm3da committed Aug 8, 2024
    f51e30f
  4. MAINTAINERS: Add my hexagon git tree

    Add my git tree for hexagon.  Note that the branch is "hex-next" and not
    "hex.next" as had been used previously.  But I'll keep the "hex.next" branch
    in sync with "hex-next" until this commit lands to avoid confusion.
    
    Signed-off-by: Brian Cain <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Tested-by: Philippe Mathieu-Daudé <[email protected]>
    androm3da committed Aug 8, 2024
    2442cc6
  5. target/hexagon: define a v66 CPU

    For now, v66 behavior is the same as other CPUs.
    
    Signed-off-by: Brian Cain <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Taylor Simpson <[email protected]>
    androm3da committed Aug 8, 2024
    48ac9e8
  6. target/hexagon: switch to dc set_props() list

    Define a hexagon_cpu_properties list to match the idiom used
    by other targets.
    
    Signed-off-by: Brian Cain <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Taylor Simpson <[email protected]>
    androm3da committed Aug 8, 2024
    47f3361
  7. Merge tag 'pull-hex-20240807' of https://github.com/quic/qemu into staging
    
    Hexagon updates: lldb preds, v66 CPU, F2_conv* fix
    
    # gpg: Signature made Thu 08 Aug 2024 01:39:52 PM AEST
    # gpg:                using RSA key 3D66AAE474594824C88CE0F81A54AFB8E5646C32
    # gpg: Good signature from "Brian Cain (QUIC) <[email protected]>" [unknown]
    # gpg:                 aka "Brian Cain <[email protected]>" [unknown]
    # gpg:                 aka "Brian Cain (QuIC) <[email protected]>" [unknown]
    # gpg:                 aka "Brian Cain (CAF) <[email protected]>" [unknown]
    # gpg:                 aka "bcain" [unknown]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 6350 20F9 67A7 7164 79EF  49E0 175C 464E 541B 6D47
    #      Subkey fingerprint: 3D66 AAE4 7459 4824 C88C  E0F8 1A54 AFB8 E564 6C32
    
    * tag 'pull-hex-20240807' of https://github.com/quic/qemu:
      target/hexagon: switch to dc set_props() list
      target/hexagon: define a v66 CPU
      MAINTAINERS: Add my hexagon git tree
      target/hexagon/idef-parser: Remove self-assignment
      Hexagon: lldb read/write predicate registers p0/p1/p2/p3
      Hexagon: fix F2_conv_* instructions for negative zero
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2024
    75c7f57
  8. Update version for v9.1.0-rc1 release

    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2024
    0173b97
  9. nbd: Minor style and typo fixes

    Touch up a comment with the wrong type name, and an over-long line,
    both noticed while working on upcoming patches.
    
    Signed-off-by: Eric Blake <[email protected]>
    Message-ID: <[email protected]>
    Reviewed-by: Daniel P. Berrangé <[email protected]>
    ebblake committed Aug 8, 2024
    c719573
  10. nbd/server: Plumb in new args to nbd_client_add()

    Upcoming patches to fix a CVE need to track an opaque pointer passed
    in by the owner of a client object, as well as request for a time
    limit on how fast negotiation must complete.  Prepare for that by
    changing the signature of nbd_client_new() and adding an accessor to
    get at the opaque pointer, although for now the two servers
    (qemu-nbd.c and blockdev-nbd.c) do not change behavior even though
    they pass in a new default timeout value.
    
    Suggested-by: Vladimir Sementsov-Ogievskiy <[email protected]>
    Signed-off-by: Eric Blake <[email protected]>
    Message-ID: <[email protected]>
    Reviewed-by: Daniel P. Berrangé <[email protected]>
    [eblake: s/LIMIT/MAX_SECS/ as suggested by Dan]
    Signed-off-by: Eric Blake <[email protected]>
    ebblake committed Aug 8, 2024
    fb1c2aa
  11. nbd/server: CVE-2024-7409: Cap default max-connections to 100

    Allowing an unlimited number of clients to any web service is a recipe
    for a rudimentary denial of service attack: the client merely needs to
    open lots of sockets without closing them, until qemu no longer has
    any more fds available to allocate.
    
    For qemu-nbd, we default to allowing only 1 connection unless more are
    explicitly asked for (-e or --shared); this was historically picked as
    a nice default (without an explicit -t, a non-persistent qemu-nbd goes
    away after a client disconnects, without needing any additional
    follow-up commands), and we are not going to change that interface now
    (besides, someday we want to point people towards qemu-storage-daemon
    instead of qemu-nbd).
    
    But for qemu proper, and the newer qemu-storage-daemon, the QMP
    nbd-server-start command has historically had a default of unlimited
    number of connections, in part because unlike qemu-nbd it is
    inherently persistent until nbd-server-stop.  Allowing multiple client
    sockets is particularly useful for clients that can take advantage of
    MULTI_CONN (creating parallel sockets to increase throughput),
    although known clients that do so (such as libnbd's nbdcopy) typically
    use only 8 or 16 connections (the benefits of scaling diminish once
    more sockets are competing for kernel attention).  Picking a number
    large enough for typical use cases, but not unlimited, makes it
    slightly harder for a malicious client to perform a denial of service
    merely by opening lots of connections without progressing through the
    handshake.
    
    This change does not eliminate CVE-2024-7409 on its own, but reduces
    the chance for fd exhaustion or unlimited memory usage as an attack
    surface.  On the other hand, by itself, it makes it more obvious that
    with a finite limit, we have the problem of an unauthenticated client
    holding 100 fds opened as a way to block out a legitimate client from
    being able to connect; thus, later patches will further add timeouts
    to reject clients that are not making progress.
    
    This is an INTENTIONAL change in behavior, and will break any client
    of nbd-server-start that was not passing an explicit max-connections
    parameter, yet expects more than 100 simultaneous connections.  We are
    not aware of any such client (as stated above, most clients aware of
    MULTI_CONN get by just fine on 8 or 16 connections, and probably cope
    with later connections failing by relying on the earlier connections;
    libvirt has not yet been passing max-connections, but generally
    creates NBD servers with the intent for a single client for the sake
    of live storage migration; meanwhile, the KubeSAN project anticipates
    a large cluster sharing multiple clients [up to 8 per node, and up to
    100 nodes in a cluster], but it currently uses qemu-nbd with an
    explicit --shared=0 rather than qemu-storage-daemon with
    nbd-server-start).
    
    We considered using a deprecation period (declare that omitting
    max-parameters is deprecated, and make it mandatory in 3 releases -
    then we don't need to pick an arbitrary default); that has zero risk
    of breaking any apps that accidentally depended on more than 100
    connections, and where such breakage might not be noticed under unit
    testing but only under the larger loads of production usage.  But it
    does not close the denial-of-service hole until far into the future,
    and requires all apps to change to add the parameter even if 100 was
    good enough.  It also has a drawback that any app (like libvirt) that
    is accidentally relying on an unlimited default should seriously
    consider their own CVE now, at which point they are going to change to
    pass explicit max-connections sooner than waiting for 3 qemu releases.
    Finally, if our changed default breaks an app, that app can always
    pass in an explicit max-parameters with a larger value.
    
    It is also intentional that the HMP interface to nbd-server-start is
    not changed to expose max-connections (any client needing to fine-tune
    things should be using QMP).
    
    Suggested-by: Daniel P. Berrangé <[email protected]>
    Signed-off-by: Eric Blake <[email protected]>
    Message-ID: <[email protected]>
    Reviewed-by: Daniel P. Berrangé <[email protected]>
    [ericb: Expand commit message to summarize Dan's argument for why we
    break corner-case back-compat behavior without a deprecation period]
    Signed-off-by: Eric Blake <[email protected]>
    ebblake committed Aug 8, 2024
    c8a76db
  12. nbd/server: CVE-2024-7409: Drop non-negotiating clients

    A client that opens a socket but does not negotiate is merely hogging
    qemu's resources (an open fd and a small amount of memory); and a
    malicious client that can access the port where NBD is listening can
    attempt a denial of service attack by intentionally opening and
    abandoning lots of unfinished connections.  The previous patch put a
    default bound on the number of such ongoing connections, but once that
    limit is hit, no more clients can connect (including legitimate ones).
    The solution is to insist that clients complete handshake within a
    reasonable time limit, defaulting to 10 seconds.  A client that has
    not successfully completed NBD_OPT_GO by then (including the case
    where the client didn't know TLS credentials to even reach the point
    of NBD_OPT_GO) is wasting our time and does not deserve to stay
    connected.  Later patches will allow fine-tuning the limit away from
    the default value (including disabling it for doing integration
    testing of the handshake process itself).
    
    Note that this patch in isolation actually makes it more likely to see
    qemu SEGV after nbd-server-stop, as any client socket still connected
    when the server shuts down will now be closed after 10 seconds rather
    than at the client's whims.  That will be addressed in the next patch.
    
    For a demo of this patch in action:
    $ qemu-nbd -f raw -r -t -e 10 file &
    $ nbdsh --opt-mode -c '
    H = list()
    for i in range(20):
      print(i)
      H.insert(i, nbd.NBD())
      H[i].set_opt_mode(True)
      H[i].connect_uri("nbd://localhost")
    '
    $ kill $!
    
    where later connections get to start progressing once earlier ones are
    forcefully dropped for taking too long, rather than hanging.
    
    Suggested-by: Daniel P. Berrangé <[email protected]>
    Signed-off-by: Eric Blake <[email protected]>
    Message-ID: <[email protected]>
    Reviewed-by: Daniel P. Berrangé <[email protected]>
    [eblake: rebase to changes earlier in series, reduce scope of timer]
    Signed-off-by: Eric Blake <[email protected]>
    ebblake committed Aug 8, 2024
    b9b72cb
  13. nbd/server: CVE-2024-7409: Close stray clients at server-stop

    A malicious client can attempt to connect to an NBD server, and then
    intentionally delay progress in the handshake, including if it does
    not know the TLS secrets.  Although the previous two patches reduce
    this behavior by capping the default max-connections parameter and
    killing slow clients, they did not eliminate the possibility of a
    client waiting to close the socket until after the QMP nbd-server-stop
    command is executed, at which point qemu would SEGV when trying to
    dereference the NULL nbd_server global which is no longer present.
    This amounts to a denial of service attack.  Worse, if another NBD
    server is started before the malicious client disconnects, I cannot
    rule out additional adverse effects when the old client interferes
    with the connection count of the new server (although the most likely
    is a crash due to an assertion failure when checking
    nbd_server->connections > 0).
    
    For environments without this patch, the CVE can be mitigated by
    ensuring (such as via a firewall) that only trusted clients can
    connect to an NBD server.  Note that using frameworks like libvirt
    that ensure that TLS is used and that nbd-server-stop is not executed
    while any trusted clients are still connected will only help if there
    is also no possibility for an untrusted client to open a connection
    but then stall on the NBD handshake.
    
    Given the previous patches, it would be possible to guarantee that no
    clients remain connected by having nbd-server-stop sleep for longer
    than the default handshake deadline before finally freeing the global
    nbd_server object, but that could make QMP non-responsive for a long
    time.  So instead, this patch fixes the problem by tracking all client
    sockets opened while the server is running, and forcefully closing any
    such sockets remaining without a completed handshake at the time of
    nbd-server-stop, then waiting until the coroutines servicing those
    sockets notice the state change.  nbd-server-stop now has a second
    AIO_WAIT_WHILE_UNLOCKED (the first is indirectly through the
    blk_exp_close_all_type() that disconnects all clients that completed
    handshakes), but forced socket shutdown is enough to progress the
    coroutines and quickly tear down all clients before the server is
    freed, thus finally fixing the CVE.
    
    This patch relies heavily on the fact that nbd/server.c guarantees
    that it only calls nbd_blockdev_client_closed() from the main loop
    (see the assertion in nbd_client_put() and the hoops used in
    nbd_client_put_nonzero() to achieve that); if we did not have that
    guarantee, we would also need a mutex protecting our accesses of the
    list of connections to survive re-entrancy from independent iothreads.
    
    Although I did not actually try to test old builds, it looks like this
    problem has existed since at least commit 862172f (v2.12.0, 2017) -
    even back when that patch started using a QIONetListener to handle
    listening on multiple sockets, nbd_server_free() was already unaware
    that the nbd_blockdev_client_closed callback can be reached later by a
    client thread that has not completed handshakes (and therefore the
    client's socket never got added to the list closed in
    nbd_export_close_all), despite that patch intentionally tearing down
    the QIONetListener to prevent new clients.
    
    Reported-by: Alexander Ivanov <[email protected]>
    Fixes: CVE-2024-7409
    CC: [email protected]
    Signed-off-by: Eric Blake <[email protected]>
    Message-ID: <[email protected]>
    Reviewed-by: Daniel P. Berrangé <[email protected]>
    ebblake committed Aug 8, 2024
    3e7ef73
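The three CVE-2024-7409 commits above (the default max-connections cap of 100, the 10-second handshake deadline, and closing stray clients at server stop) can be modelled as a small connection table. This is an added illustration, not QEMU's nbd/server.c: every name in it (`struct server`, `server_accept`, `server_expire`, `server_stop`, `demo`) and the integer model clock are assumptions made for the example.

```c
/* Added example: a toy model of the mitigations, not QEMU code. All names are assumptions. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_CONNECTIONS 100 /* default cap stated in the commit message */
#define HANDSHAKE_SECS   10 /* default handshake deadline, in seconds */

enum conn_state { CONN_FREE, CONN_HANDSHAKE, CONN_READY };
struct conn { enum conn_state state; long accepted_at; /* model clock */ };
struct server { bool running; struct conn conns[MAX_CONNECTIONS]; };

static void server_start(struct server *s)
{
    s->running = true;
    for (int i = 0; i < MAX_CONNECTIONS; i++) {
        s->conns[i].state = CONN_FREE;
    }
}

/* Accept a socket: returns its slot, or -1 at the cap or after stop. */
static int server_accept(struct server *s, long now)
{
    for (int i = 0; s->running && i < MAX_CONNECTIONS; i++) {
        if (s->conns[i].state == CONN_FREE) {
            s->conns[i].state = CONN_HANDSHAKE;
            s->conns[i].accepted_at = now;
            return i;
        }
    }
    return -1;
}

/* The client completed negotiation, so the deadline no longer applies. */
static void server_handshake_done(struct server *s, int id)
{
    if (id >= 0 && id < MAX_CONNECTIONS &&
        s->conns[id].state == CONN_HANDSHAKE) {
        s->conns[id].state = CONN_READY;
    }
}

/* Drop clients still negotiating past the deadline; returns the count. */
static int server_expire(struct server *s, long now)
{
    int dropped = 0;
    for (int i = 0; i < MAX_CONNECTIONS; i++) {
        if (s->conns[i].state == CONN_HANDSHAKE &&
            now - s->conns[i].accepted_at >= HANDSHAKE_SECS) {
            s->conns[i].state = CONN_FREE;
            dropped++;
        }
    }
    return dropped;
}

/* Stop: close every tracked socket, negotiated or not, before teardown. */
static int server_stop(struct server *s)
{
    int closed = 0;
    for (int i = 0; i < MAX_CONNECTIONS; i++) {
        if (s->conns[i].state != CONN_FREE) {
            s->conns[i].state = CONN_FREE;
            closed++;
        }
    }
    s->running = false;
    return closed;
}

struct demo_result {
    int flood_accepted, legit_while_full, expired;
    int legit_after_expiry, expired_later, closed_at_stop, accept_after_stop;
};
/* Constructed scenario: 150 stalled connects at t=0, then a real client. */
struct demo_result demo(void)
{
    struct server s;
    struct demo_result r = {0};
    server_start(&s);
    for (int i = 0; i < 150; i++) {
        r.flood_accepted += server_accept(&s, 0) >= 0;
    }
    r.legit_while_full = server_accept(&s, 5);    /* cap blocks everyone */
    r.expired = server_expire(&s, 10);            /* deadline frees slots */
    r.legit_after_expiry = server_accept(&s, 10);
    server_handshake_done(&s, r.legit_after_expiry);
    server_accept(&s, 26);                        /* one more stalled client */
    r.expired_later = server_expire(&s, 30);      /* ready client is exempt */
    r.closed_at_stop = server_stop(&s);           /* stalled one closed too */
    r.accept_after_stop = server_accept(&s, 31);
    return r;
}

int main(void)
{
    struct demo_result r = demo();
    printf("accepted=%d while_full=%d expired=%d closed_at_stop=%d\n",
           r.flood_accepted, r.legit_while_full, r.expired, r.closed_at_stop);
    return 0;
}
```

The cap alone leaves the real client locked out at t=5; only the deadline gives it a slot, and only the stop-time sweep guarantees nothing outlives the server object.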
  14. Merge tag 'pull-nbd-2024-08-08' of https://repo.or.cz/qemu/ericb into staging
    
    NBD patches for 2024-08-08
    
    - plug CVE-2024-7409, a DoS attack exploiting nbd-server-stop
    
    # gpg: Signature made Fri 09 Aug 2024 07:49:05 AM AEST
    # gpg:                using RSA key 71C2CC22B1C4602927D2F3AAA7A16B4A2527436A
    # gpg: Good signature from "Eric Blake <[email protected]>" [full]
    # gpg:                 aka "Eric Blake (Free Software Programmer) <[email protected]>" [full]
    # gpg:                 aka "[jpeg image of size 6874]" [full]
    
    * tag 'pull-nbd-2024-08-08' of https://repo.or.cz/qemu/ericb:
      nbd/server: CVE-2024-7409: Close stray clients at server-stop
      nbd/server: CVE-2024-7409: Drop non-negotiating clients
      nbd/server: CVE-2024-7409: Cap default max-connections to 100
      nbd/server: Plumb in new args to nbd_client_add()
      nbd: Minor style and typo fixes
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2024
    Commit 0f397dc

Commits on Aug 9, 2024

  1. target/arm: Fix BTI versus CF_PCREL

    With pcrel, we cannot check the guarded page bit at translation
    time, as different mappings of the same physical page may or may
    not have the GP bit set.
    
    Instead, add a couple of helpers to check the page at runtime,
    after all other filters that might obviate the need for the check.
    
    The set_btype_for_br call must be moved after the gen_a64_set_pc
    call to ensure the current pc can still be computed.
    
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    Message-id: [email protected]
    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Peter Maydell <[email protected]>
    rth7680 authored and pm215 committed Aug 9, 2024
    Commit 64678fc
  2. include: Fix typo in name of MAKE_IDENTFIER macro

    In commit bb71846 we added some macro magic to avoid
    variable-shadowing when using some of our more complicated
    macros. One of the internal components of this is a macro
    named MAKE_IDENTFIER. Fix the typo in its name: it should
    be MAKE_IDENTIFIER.
    
    Commit created with
     sed -i -e 's/MAKE_IDENTFIER/MAKE_IDENTIFIER/g' include/qemu/*.h include/qapi/qmp/qobject.h
    
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Markus Armbruster <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-id: [email protected]
    pm215 committed Aug 9, 2024
    Commit 0554840
  3. docs/specs/rocker.txt: Convert to rST

    Convert the rocker.txt specification document to rST format.  We make
    extensive use of the :: marker to introduce a literal block for all
    the tables and ASCII art, rather than trying to convert the tables to
    rST table syntax.  This produces a valid rST document without needing
    a huge diff.
    
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-id: [email protected]
    pm215 committed Aug 9, 2024
    Commit 9ca6876
  4. docs/interop/nbd.txt: Convert to rST

    Convert nbd.txt to rST format.
    
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Eric Blake <[email protected]>
    Message-id: [email protected]
    pm215 committed Aug 9, 2024
    Commit 8dac93a
  5. docs/interop/parallels.txt: Convert to rST

    Convert parallels.txt to rST format.
    
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Eric Blake <[email protected]>
    Message-id: [email protected]
    pm215 committed Aug 9, 2024
    Commit 1bc0fc0
  6. docs/interop/prl-xml.txt: Convert to rST

    Convert prl-xml.txt to rST format.
    
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Eric Blake <[email protected]>
    Message-id: [email protected]
    pm215 committed Aug 9, 2024
    Commit 7d9fc7e
  7. docs/interop/prl-xml.rst: Fix minor grammar nits

    Fix some minor grammar nits in the prl-xml documentation.
    
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Eric Blake <[email protected]>
    Message-id: [email protected]
    pm215 committed Aug 9, 2024
    Commit 0933442
  8. docs: Typo fix in live disk backup

    Add in the missing space in the section header.
    
    Fixes: 1084159 ("qapi: deprecate drive-backup", v6.2.0)
    Signed-off-by: Eric Blake <[email protected]>
    Signed-off-by: Peter Maydell <[email protected]>
    ebblake authored and pm215 committed Aug 9, 2024
    Commit a8e1ea4

Commits on Aug 12, 2024

  1. net: Fix '-net nic,model=' for non-help arguments

    Oops, don't *delete* the model option when checking for 'help'.
    
    Fixes: 64f75f5 ("net: Reinstate '-net nic, model=help' output as documented in man page")
    Reported-by: Hans <[email protected]>
    Signed-off-by: David Woodhouse <[email protected]>
    Cc: [email protected]
    Reviewed-by: Michael Tokarev <[email protected]>
    Signed-off-by: Jason Wang <[email protected]>
    dwmw2 authored and jasowang committed Aug 12, 2024
    Commit fa62cb9
  2. Merge tag 'net-pull-request' of https://github.com/jasowang/qemu into staging
    
    # gpg: Signature made Mon 12 Aug 2024 05:25:13 PM AEST
    # gpg:                using RSA key 215D46F48246689EC77F3562EF04965B398D6211
    # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <[email protected]>" [undefined]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 6211
    
    * tag 'net-pull-request' of https://github.com/jasowang/qemu:
      net: Fix '-net nic,model=' for non-help arguments
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 12, 2024
    Commit 87b9ae3
  3. hw/core/ptimer: fix timer zero period condition for freq > 1GHz

    The real period is zero when both period and period_frac are zero.
    Check the method ptimer_set_freq, if freq is larger than 1000 MHz,
    the period is zero, but the period_frac is not, in this case, the
    ptimer will work but the current code incorrectly recognizes that
    the ptimer is disabled.
    
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2306
    Signed-off-by: JianZhou Yue <[email protected]>
    Message-id: 3DA024AEA8B57545AF1B3CAA37077D0FB75E82C8@SHASXM03.verisilicon.com
    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Peter Maydell <[email protected]>
    Jianzhou Yue authored and pm215 committed Aug 12, 2024
    Commit 446e5e8
  4. arm/virt: place power button pin number on a define

    Having magic numbers inside the code is not a good idea, as it
    is error-prone. So, instead, create a macro with the number
    definition.
    
    Link: https://lore.kernel.org/qemu-devel/CAFEAcA-PYnZ-32MRX+PgvzhnoAV80zBKMYg61j2f=oHaGfwSsg@mail.gmail.com/
    
    Signed-off-by: Mauro Carvalho Chehab <[email protected]>
    Reviewed-by: Jonathan Cameron <[email protected]>
    Reviewed-by: Igor Mammedov <[email protected]>
    Message-id: ef0e7f5fca6cd94eda415ecee670c3028c671b74.1723121692.git.mchehab+huawei@kernel.org
    Suggested-by: Peter Maydell <[email protected]>
    Reviewed-by: Jonathan Cameron <[email protected]>
    Reviewed-by: Igor Mammedov <[email protected]>
    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Peter Maydell <[email protected]>
    mchehab authored and pm215 committed Aug 12, 2024
    Commit ed5031a
  5. block/blkio: use FUA flag on write zeroes only if supported

    libblkio supports BLKIO_REQ_FUA with write zeros requests only since
    version 1.4.0, so let's inform the block layer that the blkio driver
    supports it only in this case. Otherwise we can have runtime errors
    as reported in https://issues.redhat.com/browse/RHEL-32878
    
    Fixes: fd66dbd ("blkio: add libblkio block driver")
    Cc: [email protected]
    Buglink: https://issues.redhat.com/browse/RHEL-32878
    Signed-off-by: Stefano Garzarella <[email protected]>
    Reviewed-by: Eric Blake <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-id: [email protected]
    Signed-off-by: Stefan Hajnoczi <[email protected]>
    stefano-garzarella authored and stefanhaRH committed Aug 12, 2024
    Commit 547c4e5
  6. Merge tag 'pull-target-arm-20240812' of https://git.linaro.org/people/pmaydell/qemu-arm into staging
    
     * Fix BTI versus CF_PCREL
     * include: Fix typo in name of MAKE_IDENTFIER macro
     * docs: Various txt-to-rST conversions
     * hw/core/ptimer: fix timer zero period condition for freq > 1GHz
     * arm/virt: place power button pin number on a define
    
    # gpg: Signature made Mon 12 Aug 2024 10:09:48 PM AEST
    # gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Peter Maydell <[email protected]>" [full]
    # gpg:                 aka "Peter Maydell <[email protected]>" [full]
    # gpg:                 aka "Peter Maydell <[email protected]>" [full]
    # gpg:                 aka "Peter Maydell <[email protected]>" [unknown]
    
    * tag 'pull-target-arm-20240812' of https://git.linaro.org/people/pmaydell/qemu-arm:
      arm/virt: place power button pin number on a define
      hw/core/ptimer: fix timer zero period condition for freq > 1GHz
      docs: Typo fix in live disk backup
      docs/interop/prl-xml.rst: Fix minor grammar nits
      docs/interop/prl-xml.txt: Convert to rST
      docs/interop/parallels.txt: Convert to rST
      docs/interop/nbd.txt: Convert to rST
      docs/specs/rocker.txt: Convert to rST
      include: Fix typo in name of MAKE_IDENTFIER macro
      target/arm: Fix BTI versus CF_PCREL
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 12, 2024
    Commit 6029bc0
  7. Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging
    
    Pull request
    
    Fix for hosts with an older libblkio.
    
    # gpg: Signature made Tue 13 Aug 2024 01:55:54 AM AEST
    # gpg:                using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8
    # gpg: Good signature from "Stefan Hajnoczi <[email protected]>" [full]
    # gpg:                 aka "Stefan Hajnoczi <[email protected]>" [full]
    
    * tag 'block-pull-request' of https://gitlab.com/stefanha/qemu:
      block/blkio: use FUA flag on write zeroes only if supported
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 12, 2024
    Commit 9eb5153

Commits on Aug 13, 2024

  1. target/hexagon: don't look for static glib

    When cross compiling QEMU configured with --static, I've been getting
    configure errors like the following:
    
        Build-time dependency glib-2.0 found: NO
    
        ../target/hexagon/meson.build:303:15: ERROR: Dependency lookup for glib-2.0 with method 'pkgconfig' failed: Could not generate libs for glib-2.0:
        Package libpcre2-8 was not found in the pkg-config search path.
        Perhaps you should add the directory containing `libpcre2-8.pc'
        to the PKG_CONFIG_PATH environment variable
        Package 'libpcre2-8', required by 'glib-2.0', not found
    
    This happens because --static sets the prefer_static Meson option, but
    my build machine doesn't have a static libpcre2.  I don't think it
    makes sense to insist that native dependencies are static, just
    because I want the non-native QEMU binaries to be static.
    
    Signed-off-by: Alyssa Ross <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Paolo Bonzini <[email protected]>
    alyssais authored and bonzini committed Aug 13, 2024
    Commit fe68cc0
  2. target/i386: Do not apply REX to MMX operands

    Cc: [email protected]
    Fixes: b3e22b2 ("target/i386: add core of new i386 decoder")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2495
    Signed-off-by: Richard Henderson <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Paolo Bonzini <[email protected]>
    rth7680 authored and bonzini committed Aug 13, 2024
    Commit 416f2b1
  3. target/i386: Use unit not type in decode_modrm

    Rather than enumerating the types that can produce
    MMX operands, examine the unit.  No functional change.
    
    Signed-off-by: Richard Henderson <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Paolo Bonzini <[email protected]>
    rth7680 authored and bonzini committed Aug 13, 2024
    Commit 45230bc
  4. hw/misc/stm32l4x5_rcc: Add validation for MCOPRE and MCOSEL values

    This commit adds validation checks for the MCOPRE and MCOSEL values in
    the rcc_update_cfgr_register function. If the MCOPRE value exceeds
    0b100 or the MCOSEL value exceeds 0b111, an error is logged and the
    corresponding clock mux is disabled. This helps in identifying and
    handling invalid configurations in the RCC registers.
    
    Reproducer:
    cat << EOF | qemu-system-aarch64 -display \
    none -machine accel=qtest, -m 512M -machine b-l475e-iot01a -qtest \
    stdio
    writeq 0x40021008 0xffffffff
    EOF
    
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2356
    Signed-off-by: Zheyu Ma <[email protected]>
    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Peter Maydell <[email protected]>
    ZheyuMa authored and pm215 committed Aug 13, 2024
    Commit 20516e8
  5. target/arm: Clear high SVE elements in handle_vec_simd_wshli

    AdvSIMD instructions are supposed to zero bits beyond 128.
    Affects SSHLL, USHLL, SSHLL2, USHLL2.
    
    Cc: [email protected]
    Signed-off-by: Richard Henderson <[email protected]>
    Message-id: [email protected]
    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Peter Maydell <[email protected]>
    rth7680 authored and pm215 committed Aug 13, 2024
    Commit 8e0c9a9
  6. target/arm: Update translation regime comment for new features

    We have a long comment describing the Arm architectural translation
    regimes and how we map them to QEMU MMU indexes.  This comment has
    got a bit out of date:
    
     * FEAT_SEL2 allows Secure EL2 and corresponding new regimes
     * FEAT_RME introduces Realm state and its translation regimes
     * We now model the Cortex-R52 so that is no longer a hypothetical
     * We separated Secure Stage 2 and NonSecure Stage 2 MMU indexes
     * We have an MMU index per physical address space
    
    Add the missing pieces so that the list of architectural translation
    regimes matches the Arm ARM, and the list and count of QEMU MMU
    indexes in the comment matches the enum.
    
    Signed-off-by: Peter Maydell <[email protected]>
    Tested-by: Bernhard Beschow <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-id: [email protected]
    pm215 committed Aug 13, 2024
    Commit 150c24f
  7. target/arm: Fix usage of MMU indexes when EL3 is AArch32

    Our current usage of MMU indexes when EL3 is AArch32 is confused.
    Architecturally, when EL3 is AArch32, all Secure code runs under the
    Secure PL1&0 translation regime:
     * code at EL3, which might be Mon, or SVC, or any of the
       other privileged modes (PL1)
     * code at EL0 (Secure PL0)
    
    This is different from when EL3 is AArch64, in which case EL3 is its
    own translation regime, and EL1 and EL0 (whether AArch32 or AArch64)
    have their own regime.
    
    We claimed to be mapping Secure PL1 to our ARMMMUIdx_EL3, but didn't
    do anything special about Secure PL0, which meant it used the same
    ARMMMUIdx_EL10_0 that NonSecure PL0 does.  This resulted in a bug
    where arm_sctlr() incorrectly picked the NonSecure SCTLR as the
    controlling register when in Secure PL0, which meant we were
    spuriously generating alignment faults because we were looking at the
    wrong SCTLR control bits.
    
    The use of ARMMMUIdx_EL3 for Secure PL1 also resulted in the bug that
    we wouldn't honour the PAN bit for Secure PL1, because there's no
    equivalent _PAN mmu index for it.
    
    We could fix this in one of two ways:
     * The most straightforward is to add new MMU indexes EL30_0,
       EL30_3, EL30_3_PAN to correspond to "Secure PL1&0 at PL0",
       "Secure PL1&0 at PL1", and "Secure PL1&0 at PL1 with PAN".
       This matches how we use indexes for the AArch64 regimes, and
       preserves properties like being able to determine the privilege
       level from an MMU index without any other information. However
       it would add two MMU indexes (we can share one with ARMMMUIdx_EL3),
       and we are already using 14 of the 16 the core TLB code permits.
    
     * The more complicated approach is the one we take here. We use
       the same MMU indexes (E10_0, E10_1, E10_1_PAN) for Secure PL1&0
       as we do for NonSecure PL1&0. This saves on MMU indexes, but
       means we need to check in some places whether we're in the
       Secure PL1&0 regime or not before we interpret an MMU index.
    
    The changes in this commit were created by auditing all the places
    where we use specific ARMMMUIdx_ values, and checking whether they
    needed to be changed to handle the new index value usage.
    
    Note for potential stable backports: taking also the previous
    (comment-change-only) commit might make the backport easier.
    
    Cc: [email protected]
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2326
    Signed-off-by: Peter Maydell <[email protected]>
    Tested-by: Bernhard Beschow <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-id: [email protected]
    pm215 committed Aug 13, 2024
    Commit 4c2c047
  8. target/i386: Assert MMX and XMM registers in range

    The mmx assert would fire without the fix for #2495.
    
    Signed-off-by: Richard Henderson <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Paolo Bonzini <[email protected]>
    rth7680 authored and bonzini committed Aug 13, 2024
    Commit 7700d22
  9. module: Prevent crash by resetting local_err in module_load_qom_all()

    Set local_err to NULL after it has been freed in error_report_err(). This
    avoids triggering assert(*errp == NULL) failure in error_setv() when
    local_err is reused in the loop.
    
    Signed-off-by: Alexander Ivanov <[email protected]>
    Reviewed-by: Claudio Fontana <[email protected]>
    Reviewed-by: Denis V. Lunev <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    [Do the same by moving the declaration instead. - Paolo]
    Cc: [email protected]
    Signed-off-by: Paolo Bonzini <[email protected]>
    AlexanderIvanov-Virtuozzo authored and bonzini committed Aug 13, 2024
    Commit 940d802
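The bug shape described in the commit message "module: Prevent crash by resetting local_err in module_load_qom_all()", as an added example that is not QEMU's code. The `model_*` functions, the static pool and the failing-module rule are hypothetical stand-ins for QEMU's Error API, and a contract violation is counted where QEMU would hit `assert(*errp == NULL)`; the second and third loops show the two fixes the message mentions (reset to NULL, or move the declaration into the loop).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model of an Error object. Storage is a small static pool so that a stale
 * pointer can be inspected here without touching freed heap memory. */
typedef struct Error { char msg[48]; bool live; } Error;
typedef struct Result { int reported; int violations; } Result;

static Error pool[4];
static Result res;

static void model_reset(void)
{
    res = (Result){0, 0};
    for (size_t i = 0; i < sizeof(pool) / sizeof(pool[0]); i++) {
        pool[i].live = false;
    }
}

/* Setter contract: the caller must hand in *errp == NULL. QEMU asserts on
 * this; the model records the violation instead of aborting. */
static void model_error_set(Error **errp, const char *msg)
{
    if (*errp != NULL) {
        res.violations++;
        return;
    }
    for (size_t i = 0; i < sizeof(pool) / sizeof(pool[0]); i++) {
        if (!pool[i].live) {
            pool[i].live = true;
            snprintf(pool[i].msg, sizeof(pool[i].msg), "%s", msg);
            *errp = &pool[i];
            return;
        }
    }
}

/* Reports and releases the object. It receives the pointer by value, so it
 * cannot clear the caller's variable: that variable is stale afterwards. */
static void model_error_report_err(Error *err)
{
    if (err == NULL) {
        return;
    }
    fprintf(stderr, "error: %s\n", err->msg);
    err->live = false;
    res.reported++;
}

/* Constructed loader: odd-numbered modules fail to load. */
static bool model_load(int module, Error **errp)
{
    if (module % 2) {
        model_error_set(errp, "module failed to load");
        return false;
    }
    return true;
}

/* Buggy shape: one variable for the whole loop, never reset after report. */
Result load_all_stale(int n)
{
    Error *local_err = NULL;
    model_reset();
    for (int i = 0; i < n; i++) {
        if (!model_load(i, &local_err)) {
            if (res.violations) {
                break;              /* the real process has aborted here */
            }
            model_error_report_err(local_err);
        }
    }
    return res;
}

/* Fix 1: clear the variable once the error has been reported. */
Result load_all_reset(int n)
{
    Error *local_err = NULL;
    model_reset();
    for (int i = 0; i < n; i++) {
        if (!model_load(i, &local_err)) {
            model_error_report_err(local_err);
            local_err = NULL;
        }
    }
    return res;
}

/* Fix 2: declare the variable inside the loop so each pass starts at NULL. */
Result load_all_scoped(int n)
{
    model_reset();
    for (int i = 0; i < n; i++) {
        Error *local_err = NULL;
        if (!model_load(i, &local_err)) {
            model_error_report_err(local_err);
        }
    }
    return res;
}
```

The stale loop only misbehaves on the second failing module, which is why a bug of this shape can stay hidden until two modules fail in one run.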
  10. po: update Italian translation

    Reported-by: bovirus <https://gitlab.com/bovirus>
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2451
    Signed-off-by: Paolo Bonzini <[email protected]>
    bonzini committed Aug 13, 2024
    Commit 3ef11c9
  11. Merge tag 'pull-target-arm-20240813' of https://git.linaro.org/people/pmaydell/qemu-arm into staging
    
    target-arm queue:
     * hw/misc/stm32l4x5_rcc: Add validation for MCOPRE and MCOSEL values
     * target/arm: Clear high SVE elements in handle_vec_simd_wshli
     * target/arm: Fix usage of MMU indexes when EL3 is AArch32
    
    # gpg: Signature made Wed 14 Aug 2024 01:17:54 AM AEST
    # gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Peter Maydell <[email protected]>" [full]
    # gpg:                 aka "Peter Maydell <[email protected]>" [full]
    # gpg:                 aka "Peter Maydell <[email protected]>" [full]
    # gpg:                 aka "Peter Maydell <[email protected]>" [unknown]
    
    * tag 'pull-target-arm-20240813' of https://git.linaro.org/people/pmaydell/qemu-arm:
      target/arm: Fix usage of MMU indexes when EL3 is AArch32
      target/arm: Update translation regime comment for new features
      target/arm: Clear high SVE elements in handle_vec_simd_wshli
      hw/misc/stm32l4x5_rcc: Add validation for MCOPRE and MCOSEL values
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 13, 2024
    Commit 3cc050c
  12. Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

    * fix --static compilation of hexagon
    * fix incorrect application of REX to MMX operands
    * fix crash on module load
    * update Italian translation
    
    # gpg: Signature made Wed 14 Aug 2024 03:02:22 AM AEST
    # gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Paolo Bonzini <[email protected]>" [full]
    # gpg:                 aka "Paolo Bonzini <[email protected]>" [full]
    
    * tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
      po: update Italian translation
      module: Prevent crash by resetting local_err in module_load_qom_all()
      target/i386: Assert MMX and XMM registers in range
      target/i386: Use unit not type in decode_modrm
      target/i386: Do not apply REX to MMX operands
      target/hexagon: don't look for static glib
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 13, 2024
    Commit a733f37

Commits on Aug 14, 2024

  1. target/i386: Fix arguments for vmsr_read_thread_stat()

    Snapshot of the stat utime and stime for each thread, taken before and
    after the pause, must be stored in separate locations
    
    Signed-off-by: Anthony Harivel <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Paolo Bonzini <[email protected]>
    aharivel authored and bonzini committed Aug 14, 2024
    Commit a6e6597
  2. Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

    * fix RAPL computations
    
    # gpg: Signature made Thu 15 Aug 2024 02:43:46 AM AEST
    # gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Paolo Bonzini <[email protected]>" [full]
    # gpg:                 aka "Paolo Bonzini <[email protected]>" [full]
    
    * tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
      target/i386: Fix arguments for vmsr_read_thread_stat()
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 14, 2024
    Commit c4d0628

Commits on Aug 15, 2024

  1. linux-user: Preserve NULL hit in target_mmap subroutines

    Do not pass guest_base to the host mmap instead of zero hint.
    
    Cc: [email protected]
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2353
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 15, 2024
    Commit 3aefee3
  2. Merge tag 'pull-lu-20240815' of https://gitlab.com/rth7680/qemu into staging
    
    linux-user: Preserve NULL hit in target_mmap subroutines
    
    # gpg: Signature made Thu 15 Aug 2024 11:04:58 AM AEST
    # gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Richard Henderson <[email protected]>" [ultimate]
    
    * tag 'pull-lu-20240815' of https://gitlab.com/rth7680/qemu:
      linux-user: Preserve NULL hit in target_mmap subroutines
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 15, 2024
    1bbb991
  3. Update version for v9.1.0-rc2 release

    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 15, 2024
    b0d6c03
  4. target/s390x: fix build warning (gcc-12 -fsanitize=thread)

    Found on debian stable.
    
    ../target/s390x/tcg/translate.c: In function ‘get_mem_index’:
    ../target/s390x/tcg/translate.c:398:1: error: control reaches end of non-void function [-Werror=return-type]
      398 | }
    
    Signed-off-by: Pierrick Bouvier <[email protected]>
    Acked-by: Ilya Leoshkevich <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    pbo-linaro authored and huth committed Aug 15, 2024
    e4a4edc

Commits on Aug 16, 2024

  1. meson.build: Check for the availability of __attribute__((gcc_struct)) on MSYS2
    
    Since quite a while MSYS2 now supports Clang as a compiler, too.
    Unfortunately, this compiler is lacking the __attribute__((gcc_struct))
    that we need for compiling on Windows. But since the compiler is
    available now, some people started to use it to compile QEMU on MSYS2,
    apparently ignoring the compiler warnings (see for example the ticket at
    https://gitlab.com/qemu-project/qemu/-/issues/2476 ). These builds are
    likely broken in a couple of spots, so let's make sure that we rather
    bail out early in the configuration phase instead of allowing the build
    to succeed with warnings.
    
    Message-ID: <[email protected]>
    Tested-by: Stefan Weil <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    huth committed Aug 16, 2024
    e25264f
  2. tests/avocado: apply proper skipUnless decorator

    Commit 9b45cc9 added many cases of skipUnless for the sake of
    organizing flaky tests.  But, Python decorators *must* follow what
    they decorate, so the newlines added should *not* exist there.
    
    Signed-off-by: Cleber Rosa <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Tested-by: Marcin Juszkiewicz <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    clebergnu authored and huth committed Aug 16, 2024
    3185e5a
  3. ci: add gtk-vnc to the deps

    The gtk-vnc package is used by the vnc-display-test qtest
    program. Technically only gvnc is needed, but since we
    already pull in the gtk3 dep, it is harmless to depend
    on gtk-vnc.
    
    Signed-off-by: Daniel P. Berrangé <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    berrange authored and huth committed Aug 16, 2024
    6d67a65
  4. ci: refresh package lists with lcitool

    Refresh with the newly added gtk-vnc package
    
    Signed-off-by: Daniel P. Berrangé <[email protected]>
    Message-ID: <[email protected]>
    [thuth: fixed conflicts in .gitlab-ci.d/cirrus/*.vars]
    Signed-off-by: Thomas Huth <[email protected]>
    berrange authored and huth committed Aug 16, 2024
    b4be15a
  5. Merge tag 'pull-request-2024-08-16' of https://gitlab.com/thuth/qemu into staging
    
    * Fix a potential build warning in the s390x target code
    * Check for the availability of __attribute__((gcc_struct)) on MSYS2
    * Fix skipUnless decorators in Avocado tests
    * Add missing gtk-vnc package to the CI jobs
    
    # gpg: Signature made Fri 16 Aug 2024 05:19:33 PM AEST
    # gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Thomas Huth <[email protected]>" [full]
    # gpg:                 aka "Thomas Huth <[email protected]>" [full]
    # gpg:                 aka "Thomas Huth <[email protected]>" [unknown]
    # gpg:                 aka "Thomas Huth <[email protected]>" [full]
    
    * tag 'pull-request-2024-08-16' of https://gitlab.com/thuth/qemu:
      ci: refresh package lists with lcitool
      ci: add gtk-vnc to the deps
      tests/avocado: apply proper skipUnless decorator
      meson.build: Check for the availability of __attribute__((gcc_struct)) on MSYS2
      target/s390x: fix build warning (gcc-12 -fsanitize=thread)
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 16, 2024
    ecdfa31
  6. tests/avocado: Re-enable gdbsim-r5f562n8 testing U-Boot

    We disabled all RX tests on commit 9b45cc9 ("docs/devel:
    rationalise unstable gitlab tests under FLAKY_TESTS") for
    being flaky. However I don't recall the U-Boot test to fail
    (the problematic line checking the 'version' string is already
    commented out), and I'm running this test reliably, so re-enable
    it.
    
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Yoshinori Sato <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    philmd authored and stsquad committed Aug 16, 2024
    8a69613
  7. Makefile: trigger re-configure on updated pythondeps

    If we add additional deps for meson we need to ensure we trigger a
    reconfigure to make sure everything is set up.
    
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    stsquad committed Aug 16, 2024
    6fe12bc
  8. configure: Fix arch detection for GDB_HAS_MTE

    GDB_HAS_MTE must only be set if GDB supports the aarch64 arch, so the
    test if "aarch64" string is present must be against GDB-related
    '$gdb_arches' variable and not against '$arch' variable.
    
    Signed-off-by: Gustavo Romero <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    gromero authored and stsquad committed Aug 16, 2024
    819039a
  9. configure: Avoid use of param. expansion when using gdb_version

    $gdb_version is now used in more than one conditional case and its usage
    in such cases may increase in the future. Therefore, avoid using shell
    parameter expansion when using it by setting gdb_version to its final
    form.
    
    Signed-off-by: Gustavo Romero <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    gromero authored and stsquad committed Aug 16, 2024
    34a4ef1
  10. configure: Fix GDB version detection for GDB_HAS_MTE

    The test gdbstub/test-mte.py requires a GDB version that supports the
    qIsAddressTagged packet. According to GDB NEWS [0], this packet was
    first made available in the GDB 15.1 release, not in 15.0, so this
    commit fixes it in configure.
    
    [0] https://www.sourceware.org/gdb/news/
    
    Signed-off-by: Gustavo Romero <[email protected]>
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2477
    Message-Id: <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    gromero authored and stsquad committed Aug 16, 2024
    5f9ad35
  11. scripts/checkpatch: more checks on files imported from Linux

    If a file imported from Linux is touched, emit a warning and suggest
    using scripts/update-linux-headers.sh.
    
    Also check that updating imported files from Linux are not mixed with
    other changes, in which case emit an error.
    
    Signed-off-by: Stefano Garzarella <[email protected]>
    Reviewed-by: Cornelia Huck <[email protected]>
    Reviewed-by: Daniel P. Berrangé <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    stefano-garzarella authored and stsquad committed Aug 16, 2024
    503eb47
  12. target/i386: allow access_ptr to force slow path on failed probe

    When we are using TCG plugin memory callbacks probe_access_internal
    will return TLB_MMIO to force the slow path for memory access. This
    results in probe_access returning NULL but the x86 access_ptr function
    happily accepts an empty haddr resulting in segfault hilarity.
    
    Check for an empty haddr to prevent the segfault and enable plugins to
    track all the memory operations for the x86 save/restore helpers. As
    we also want to run the slow path when instrumenting *-user we should
    also not have the short cutting test_ptr macro.
    
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2489
    Fixes: 6d03226 (plugins: force slow path when plugins instrument memory ops)
    Reviewed-by: Alexandre Iooss <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    stsquad committed Aug 16, 2024
    cf584a9
  13. buildsys: Fix building without plugins on Darwin

    Since commit 0082475 the plugin symbol list is unconditionally
    added to the linker flags, leading to a build failure:
    
      Undefined symbols for architecture arm64:
        "_qemu_plugin_entry_code", referenced from:
            <initial-undefines>
      ...
      ld: symbol(s) not found for architecture arm64
      clang: error: linker command failed with exit code 1 (use -v to see invocation)
      ninja: build stopped: subcommand failed.
    
    Fix by restricting the whole meson file to the --enable-plugins
    configure argument.
    
    Fixes: 0082475 ("meson: merge plugin_ldflags into emulator_link_args")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2476
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Acked-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    philmd authored and stsquad committed Aug 16, 2024
    20fdd01
  14. scripts/replay-dump.py: Update to current rr record format

    The v12 format support for replay-dump has a few issues still. This
    fixes async decoding; adds event, shutdown, and end decoding; fixes
    audio in / out events, fixes checkpoint checking of following async
    events.
    
    Reviewed-by: Alex Bennée <[email protected]>
    Signed-off-by: Nicholas Piggin <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    npiggin authored and stsquad committed Aug 16, 2024
    00140e7
  15. scripts/replay-dump.py: rejig decoders in event number order

    Sort decoder functions to be ascending in order of event number,
    same as the decoder tables.
    
    Reviewed-by: Alex Bennée <[email protected]>
    Signed-off-by: Nicholas Piggin <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    npiggin authored and stsquad committed Aug 16, 2024
    01a385f
  16. tests/avocado: excercise scripts/replay-dump.py in replay tests

    This runs replay-dump.py after recording a trace, and fails the test if
    the script fails.
    
    replay-dump.py is modified to exit with non-zero if an error is
    encountered while parsing, to support this.
    
    Reviewed-by: Alex Bennée <[email protected]>
    Reviewed-by: Pavel Dovgalyuk <[email protected]>
    Signed-off-by: Nicholas Piggin <[email protected]>
    
    gitlab with this change
    
    v5: Update timeout to 180s because x86 was just exceeding 120s in
    Message-Id: <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    npiggin authored and stsquad committed Aug 16, 2024
    4926b6e
  17. replay: allow runstate shutdown->running when replaying trace

    When replaying a trace, it is possible to go from shutdown to running
    with a reverse-debugging step. This can be useful if the problem being
    debugged triggers a reset or shutdown.
    
    This can be tested by making a recording of a machine that shuts down,
    then using -action shutdown=pause when replaying it. Continuing to the
    end of the trace then reverse-stepping in gdb crashes due to invalid
    runstate transition.
    
    Just permitting the transition seems to be all that's necessary for
    reverse-debugging to work well in such a state.
    
    Reviewed-by: Alex Bennée <[email protected]>
    Reviewed-by: Pavel Dovgalyuk <[email protected]>
    Signed-off-by: Nicholas Piggin <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    npiggin authored and stsquad committed Aug 16, 2024
    9dbab31
  18. Revert "replay: stop us hanging in rr_wait_io_event"

    This reverts commit 1f881ea.
    
    That commit causes reverse_debugging.py test failures, and does
    not seem to solve the root cause of the problem x86-64 still
    hangs in record/replay tests.
    
    The problem with short-cutting the iowait that was taken during
    record phase is that related events will not get consumed at the
    same points (e.g., reading the clock).
    
    A hang with zero icount always seems to be a symptom of an earlier
    problem that has caused the recording to become out of synch with
    the execution and consumption of events by replay.
    
    Acked-by: Alex Bennée <[email protected]>
    Signed-off-by: Nicholas Piggin <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    npiggin authored and stsquad committed Aug 16, 2024
    94962ff
  19. tests/avocado: replay_kernel.py add x86-64 q35 machine test

    The x86-64 pc machine is flaky with record/replay, but q35 is more
    stable. Add a q35 test to replay_kernel.py.
    
    Reviewed-by: Alex Bennée <[email protected]>
    Tested-by: Alex Bennée <[email protected]>
    Signed-off-by: Nicholas Piggin <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    npiggin authored and stsquad committed Aug 16, 2024
    253ec60
  20. chardev: set record/replay on the base device of a muxed device

    chardev events to a muxed device don't get recorded because e.g.,
    qemu_chr_be_write() checks whether the base device has the record flag
    set.
    
    This can be seen when replaying a trace that has characters typed into
    the console, an examination of the log shows they are not recorded.
    
    Setting QEMU_CHAR_FEATURE_REPLAY on the base chardev fixes the problem.
    
    Reviewed-by: Alex Bennée <[email protected]>
    Signed-off-by: Nicholas Piggin <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    npiggin authored and stsquad committed Aug 16, 2024
    4c193bb
  21. virtio-net: Use replay_schedule_bh_event for bhs that affect machine state
    
    The regular qemu_bh_schedule() calls result in non-deterministic
    execution of the bh in record-replay mode, which causes replay failure.
    
    Reviewed-by: Alex Bennée <[email protected]>
    Reviewed-by: Pavel Dovgalyuk <[email protected]>
    Signed-off-by: Nicholas Piggin <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    npiggin authored and stsquad committed Aug 16, 2024
    a0bf401
  22. virtio-net: Use virtual time for RSC timers

    Receive coalescing is visible to the target machine, so its timers
    should use virtual time like other timers in virtio-net, to be
    compatible with record-replay.
    
    Signed-off-by: Nicholas Piggin <[email protected]>
    Message-Id: <[email protected]>
    Acked-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    npiggin authored and stsquad committed Aug 16, 2024
    44bc14f
  23. savevm: Fix load_snapshot error path crash

    An error path missed setting *errp, which can cause a NULL deref.
    
    Reviewed-by: Alex Bennée <[email protected]>
    Signed-off-by: Nicholas Piggin <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    npiggin authored and stsquad committed Aug 16, 2024
    97d2b66
  24. docs: Fix some typos (found by typos) and grammar issues

    Fix the misspellings of "overriden" also in code comments.
    
    Signed-off-by: Stefan Weil <[email protected]>
    Reviewed-by: Peter Maydell <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Peter Xu <[email protected]>
    Reviewed-by: Eric Auger <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    stweil authored and stsquad committed Aug 16, 2024
    24c32ed
  25. docs/devel: update tcg-plugins page

    Reflect recent changes on API (inline ops) and new plugins.
    
    Signed-off-by: Pierrick Bouvier <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    pbo-linaro authored and stsquad committed Aug 16, 2024
    3f9f9a3
  26. plugins: fix race condition with scoreboards

    A deadlock can be created if a new vcpu (a) triggers a scoreboard
    reallocation, and another vcpu (b) wants to create a new scoreboard at
    the same time.
    
    In this case, (a) holds the plugin lock, and starts an exclusive
    section, waiting for (b). But at the same time, (b) is waiting for
    plugin lock.
    
    The solution is to drop the lock before entering the exclusive section.
    
    This bug can be easily reproduced by creating a callback for any tb
    exec, that allocates a new scoreboard. In this case, as soon as we reach
    more than 16 vcpus, the deadlock occurs.
    
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2344
    Signed-off-by: Pierrick Bouvier <[email protected]>
    Message-Id: <[email protected]>
    [AJB: tweak var position to meet coding style]
    Signed-off-by: Alex Bennée <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    pbo-linaro authored and stsquad committed Aug 16, 2024
    278035f

Commits on Aug 17, 2024

  1. Merge tag 'pull-maintainer-9.1-rc3-160824-1' of https://gitlab.com/stsquad/qemu into staging
    
    Some fixes for 9.1-rc3 (build, replay, docs, plugins)
    
      - re-enable gdbsim-r5f562n8 test
      - ensure updates to python deps re-trigger configure
      - tweak configure detection of GDB MTE support
      - make checkpatch emit more warnings on updating headers
      - allow i386 access_ptr to force slow path for plugins
      - fix some replay regressions
      - update the replay-dump tool
      - better handle muxed chardev during replay
      - clean up TCG plugins docs to mention scoreboards
      - fix plugin scoreboard race condition
    
    # gpg: Signature made Fri 16 Aug 2024 11:13:59 PM AEST
    # gpg:                using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
    # gpg: Good signature from "Alex Bennée (Master Work Key) <[email protected]>" [full]
    
    * tag 'pull-maintainer-9.1-rc3-160824-1' of https://gitlab.com/stsquad/qemu: (21 commits)
      plugins: fix race condition with scoreboards
      docs/devel: update tcg-plugins page
      docs: Fix some typos (found by typos) and grammar issues
      savevm: Fix load_snapshot error path crash
      virtio-net: Use virtual time for RSC timers
      virtio-net: Use replay_schedule_bh_event for bhs that affect machine state
      chardev: set record/replay on the base device of a muxed device
      tests/avocado: replay_kernel.py add x86-64 q35 machine test
      Revert "replay: stop us hanging in rr_wait_io_event"
      replay: allow runstate shutdown->running when replaying trace
      tests/avocado: excercise scripts/replay-dump.py in replay tests
      scripts/replay-dump.py: rejig decoders in event number order
      scripts/replay-dump.py: Update to current rr record format
      buildsys: Fix building without plugins on Darwin
      target/i386: allow access_ptr to force slow path on failed probe
      scripts/checkpatch: more checks on files imported from Linux
      configure: Fix GDB version detection for GDB_HAS_MTE
      configure: Avoid use of param. expansion when using gdb_version
      configure: Fix arch detection for GDB_HAS_MTE
      Makefile: trigger re-configure on updated pythondeps
      ...
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 17, 2024
    2eefd4f

Commits on Aug 19, 2024

  1. Revert "hw/riscv/virt.c: imsics DT: add '#msi-cells'"

    This reverts commit f42cdf2.
    
    Linux does not properly handle '#msi-cells=<0>' when searching for
    MSI controllers for PCI devices which results in the devices being
    unable to use MSIs. A patch for Linux has been sent[1] but until it,
    or something like it, is merged and in distro kernels we should stop
    adding the property. It's harmless to stop adding it since the
    absence of the property and a value of zero for the property mean
    the same thing according to the DT binding definition.
    
    Link: https://lore.kernel.org/all/[email protected]/ # 1
    Signed-off-by: Andrew Jones <[email protected]>
    Reviewed-by: Daniel Henrique Barboza <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    jones-drew authored and alistair23 committed Aug 19, 2024
    6df664f
  2. Merge tag 'pull-riscv-to-apply-20240819-1' of https://github.com/alistair23/qemu into staging
    
    RISC-V PR for 9.1
    
    This reverts a commit adding `#msi-cells=<0>` to the virt machine
    as that commit results in PCI devices unable to use MSIs. Even though
    it's a kernel bug, we don't want to break existing users.
    
    * Revert adding #msi-cells to virt machine
    
    # gpg: Signature made Mon 19 Aug 2024 02:38:09 PM AEST
    # gpg:                using RSA key 6AE902B6A7CA877D6D659296AF7C95130C538013
    # gpg: Good signature from "Alistair Francis <[email protected]>" [unknown]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 6AE9 02B6 A7CA 877D 6D65  9296 AF7C 9513 0C53 8013
    
    * tag 'pull-riscv-to-apply-20240819-1' of https://github.com/alistair23/qemu:
      Revert "hw/riscv/virt.c: imsics DT: add '#msi-cells'"
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 19, 2024
    48e4ba5
  3. hw/mips/loongson3_virt: Store core_iocsr into LoongsonMachineState

    Link: https://lore.kernel.org/qemu-devel/[email protected]/
    Suggested-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Jiaxun Yang <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    FlyGoat authored and philmd committed Aug 19, 2024
    d762016
  4. hw/mips/loongson3_virt: Fix condition of IPI IOCSR connection

    >>>     CID 1547264:  Null pointer dereferences  (REVERSE_INULL)
    >>>     Null-checking "ipi" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
    
    Resolves: Coverity CID 1547264
    Link: https://lore.kernel.org/qemu-devel/[email protected]/
    Signed-off-by: Jiaxun Yang <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    FlyGoat authored and philmd committed Aug 19, 2024
    ec276ed
  5. qemu-options.hx: correct formatting -smbios type=4

    processor-family and processor-id can be assigned independently.
    
    Add missing brackets.
    
    Fixes: b5831d7 ("smbios: add processor-family option")
    Signed-off-by: Heinrich Schuchardt <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    xypron authored and philmd committed Aug 19, 2024
    68baeaa
  6. target/mips: Pass page table entry size as MemOp to get_pte()

    In order to simplify the next commit, pass the PTE size as MemOp.
    
    Rename:
    
      native_shift -> native_op
      directory_shift -> directory_mop
      leaf_shift -> leaf_mop
    
    Suggested-by: Richard Henderson <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Message-ID: <[email protected]>
    philmd committed Aug 19, 2024
    453ba4f
  7. target/mips: Use correct MMU index in get_pte()

    When refactoring page_table_walk_refill() in commit 4e999bf
    we missed the indirect call to cpu_mmu_index() in get_pte():
    
      page_table_walk_refill()
      -> get_pte()
         -> cpu_ld[lq]_code()
            -> cpu_mmu_index()
    
    Since we no longer mask the modes in hflags, cpu_mmu_index()
    can return UM or SM, while we only expect KM or ERL.
    
    Fix by propagating ptw_mmu_idx to get_pte(), and use the
    cpu_ld/st_code_mmu() API with the correct MemOpIdx.
    
    Reported-by: Thomas Petazzoni <[email protected]>
    Reported-by: Waldemar Brodkorb <[email protected]>
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2470
    Fixes: 4e999bf ("target/mips: Pass ptw_mmu_idx down from mips_cpu_tlb_fill")
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-ID: <[email protected]>
    philmd committed Aug 19, 2024
    7ce9760
  8. target/mips: Load PTE as DATA

    PTE is not CODE so load it as normal DATA access.
    
    Fixes: 074cfcb ("Implement hardware page table walker for MIPS32")
    Suggested-by: Richard Henderson <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-ID: <[email protected]>
    philmd committed Aug 19, 2024
    44017c6
  9. hw/dma/xilinx_axidma: Use semicolon at end of statement, not comma

    In axidma_class_init() we accidentally used a comma at the end of
    a statement rather than a semicolon. This has no ill effects, but
    it's obviously not intended and it means that Coccinelle scripts
    for instance will fail to match on the two statements. Use a
    semicolon instead.
    
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    pm215 authored and philmd committed Aug 19, 2024
    dfad842
  10. hw/remote/message.c: Don't directly invoke DeviceClass:reset

    Directly invoking the DeviceClass::reset method is a bad idea,
    because if the device is using three-phase reset then it relies on
    transitional reset machinery which is likely to disappear at some
    point.
    
    Reset the device in the standard way, by calling device_cold_reset().
    
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    pm215 authored and philmd committed Aug 19, 2024
    7d3a421
  11. linux-user/mips: Do not try to use removed R5900 CPU

    R5900 emulation was removed in commit 823f289.
    Remove it from ELF parsing in order to avoid:
    
      $ qemu-mipsn32 ./test5900
      qemu-mipsn32: unable to find CPU model 'R5900'
    
    This reverts commit 4d9e5a0.
    
    Fixes: 823f289 ("target/mips: Disable R5900 support")
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    philmd committed Aug 19, 2024
    f7e3d75
  12. linux-user/mips: Select Octeon68XX CPU for Octeon binaries

    The Octeon68XX CPU is available since commit 9a6046a
    ("target/mips: introduce Cavium Octeon CPU model").
    
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1722
    Reported-by: Johnathan Hữu Trí <[email protected]>
    Suggested-by: Richard Henderson <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    philmd committed Aug 19, 2024
    1e5a7c5
  13. linux-user/mips: Select MIPS64R2-generic for Rel2 binaries

    Cc: YunQiang Su <[email protected]>
    Reported-by: Jiaxun Yang <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    philmd committed Aug 19, 2024
    309ce6a
  14. linux-user/mips: Select Loongson CPU for Loongson binaries

    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    philmd committed Aug 19, 2024
    e922abf
  15. tests/avocado: exec_command should not consume console output

    _console_interaction reads data from the console even when there is only
    an input string to send, and no output data to wait on. This can cause
    lines to be missed by wait_for_console_pattern calls that follow an
    exec_command. Fix this by not reading the console if there is no pattern
    to wait for.
    
    This solves occasional hangs in ppc_hv_tests.py, usually when run on KVM
    hosts that are fast enough to output important lines quickly enough to be
    consumed by exec_command, so they get missed by subsequent wait for
    pattern calls.
    
    Signed-off-by: Nicholas Piggin <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    npiggin authored and philmd committed Aug 19, 2024
    4a85f23
  16. tests/avocado: Mark ppc_hv_tests.py as non-flaky after fixed console interaction
    
    Now that exec_command doesn't incorrectly consume console output,
    and guest time is set correctly, ppc_hv_tests.py is working more
    reliably. Try marking it non-flaky.
    
    Signed-off-by: Nicholas Piggin <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    npiggin authored and philmd committed Aug 19, 2024
    8e540bb
  17. contrib/plugins/execlog: Fix shadowed declaration warning

    Found on debian stable.
    
    ../contrib/plugins/execlog.c: In function ‘vcpu_tb_trans’:
    ../contrib/plugins/execlog.c:236:22: error: declaration of ‘n’ shadows a previous local [-Werror=shadow=local]
      236 |             for (int n = 0; n < all_reg_names->len; n++) {
          |                      ^
    ../contrib/plugins/execlog.c:184:12: note: shadowed declaration is here
      184 |     size_t n = qemu_plugin_tb_n_insns(tb);
          |
    
    Signed-off-by: Pierrick Bouvier <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    pbo-linaro authored and philmd committed Aug 19, 2024
    47f06fb
  18. target/sparc: Restrict STQF to sparcv9

    Prior to sparcv9, the same encoding was STDFQ.
    
    Cc: [email protected]
    Fixes: 06c060d ("target/sparc: Move simple fp load/store to decodetree")
    Signed-off-by: Richard Henderson <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    rth7680 authored and philmd committed Aug 19, 2024
    12d3629
  19. hw/ppc/Kconfig: Add missing SERIAL_ISA dependency to POWERNV machine

    The machine calls serial_hds_isa_init() which is provided by serial-isa.c,
    guarded by SERIAL_ISA.
    
    Signed-off-by: Bernhard Beschow <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    shentok authored and philmd committed Aug 19, 2024
    6373fc0
  20. hw/i386/pc: Unify vmport=auto handling

    The code which translates vmport=auto to on/off is currently separate
    for each PC machine variant, while being functionally equivalent.
    This moves the translation into a shared initialization function, while
    also tightening the enum assertion.
    
    Signed-off-by: Kamil Szczęk <[email protected]>
    Reviewed-by: Bernhard Beschow <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-ID: <v8pz1uwgIYWkidgZK-o8H-qJvnSyl0641XVmNO43Qls307AA3QRPuad_py6xGe0JAxB6yDEe76oZ8tau_n-2Y6sJBCKzCujNbEUUFhd-ahI=@szczek.dev>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    kszczek authored and philmd committed Aug 19, 2024
    c911f87
  21. hw/i386/pc: Ensure vmport prerequisites are fulfilled

    Since commit 4ccd5fe ('pc: add option
    to disable PS/2 mouse/keyboard'), the vmport will not be created unless
    the i8042 PS/2 controller is enabled. To avoid confusion, let's fail if
    vmport was explicitly requested, but the i8042 controller is disabled.
    This also changes the behavior of vmport=auto to take i8042 controller
    availability into account.
    
    Signed-off-by: Kamil Szczęk <[email protected]>
    Reviewed-by: Bernhard Beschow <[email protected]>
    Message-ID: <0MS3y5E-hHqODIhiuFxmCnIrXd612JIGq31UuMsz4KGCKZ_wWuF-PHGKTRSGS0nWaPEddOdF4YOczHdgorulECPo792OhWov7O9BBF6UMX4=@szczek.dev>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    kszczek authored and philmd committed Aug 19, 2024
    702cbdc
  22. crypto/tlscredspsk: Free username on finalize

    When the creds->username property is set we allocate memory
    for it in qcrypto_tls_creds_psk_prop_set_username(), but
    we never free this when the QCryptoTLSCredsPSK is destroyed.
    Free the memory in finalize.
    
    This fixes a LeakSanitizer complaint in migration-test:
    
    $ (cd build/asan; ASAN_OPTIONS="fast_unwind_on_malloc=0" QTEST_QEMU_BINARY=./qemu-system-x86_64 ./tests/qtest/migration-test --tap -k -p /x86_64/migration/precopy/unix/tls/psk)
    
    =================================================================
    ==3867512==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 5 byte(s) in 1 object(s) allocated from:
        #0 0x5624e5c99dee in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qemu-system-x86_64+0x218edee) (BuildId: a9e623fa1009a9435c0142c037cd7b8c1ad04ce3)
        #1 0x7fb199ae9738 in g_malloc debian/build/deb/../../../glib/gmem.c:128:13
        #2 0x7fb199afe583 in g_strdup debian/build/deb/../../../glib/gstrfuncs.c:361:17
        #3 0x5624e82ea919 in qcrypto_tls_creds_psk_prop_set_username /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../crypto/tlscredspsk.c:255:23
        #4 0x5624e812c6b5 in property_set_str /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object.c:2277:5
        #5 0x5624e8125ce5 in object_property_set /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object.c:1463:5
        #6 0x5624e8136e7c in object_set_properties_from_qdict /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object_interfaces.c:55:14
        #7 0x5624e81372d2 in user_creatable_add_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object_interfaces.c:112:5
        #8 0x5624e8137964 in user_creatable_add_qapi /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object_interfaces.c:157:11
        #9 0x5624e891ba3c in qmp_object_add /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/qom-qmp-cmds.c:227:5
        #10 0x5624e8af9118 in qmp_marshal_object_add /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qapi/qapi-commands-qom.c:337:5
        #11 0x5624e8bd1d49 in do_qmp_dispatch_bh /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qapi/qmp-dispatch.c:128:5
        #12 0x5624e8cb2531 in aio_bh_call /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/async.c:171:5
        #13 0x5624e8cb340c in aio_bh_poll /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/async.c:218:13
        #14 0x5624e8c0be98 in aio_dispatch /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/aio-posix.c:423:5
        #15 0x5624e8cba3ce in aio_ctx_dispatch /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/async.c:360:5
        #16 0x7fb199ae0d3a in g_main_dispatch debian/build/deb/../../../glib/gmain.c:3419:28
        #17 0x7fb199ae0d3a in g_main_context_dispatch debian/build/deb/../../../glib/gmain.c:4137:7
        #18 0x5624e8cbe1d9 in glib_pollfds_poll /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/main-loop.c:287:9
        #19 0x5624e8cbcb13 in os_host_main_loop_wait /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/main-loop.c:310:5
        #20 0x5624e8cbc6dc in main_loop_wait /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/main-loop.c:589:11
        #21 0x5624e6f3f917 in qemu_main_loop /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../system/runstate.c:801:9
        #22 0x5624e893379c in qemu_default_main /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../system/main.c:37:14
        #23 0x5624e89337e7 in main /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../system/main.c:48:12
        #24 0x7fb197972d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #25 0x7fb197972e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #26 0x5624e5c16fa4 in _start (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qemu-system-x86_64+0x210bfa4) (BuildId: a9e623fa1009a9435c0142c037cd7b8c1ad04ce3)
    
    SUMMARY: AddressSanitizer: 5 byte(s) leaked in 1 allocation(s).
    
    Cc: [email protected]
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Daniel P. Berrangé <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    pm215 authored and philmd committed Aug 19, 2024
    87e012f
  23. Merge tag 'hw-misc-20240820' of https://github.com/philmd/qemu into staging
    
    Various fixes
    
    - Null pointer dereference in IPI IOCSR (Jiaxun)
    - Correct '-smbios type=4' in man page (Heinrich)
    - Use correct MMU index in MIPS get_pte (Phil)
    - Reset MPQEMU remote message using device_cold_reset (Peter)
    - Update linux-user MIPS CPU list (Phil)
    - Do not let exec_command read console if no pattern to wait for (Nick)
    - Remove shadowed declaration warning (Pierrick)
    - Restrict STQF opcode to SPARC V9 (Richard)
    - Add missing Kconfig dependency for POWERNV ISA serial port (Bernhard)
    - Do not allow vmport device without i8042 PS/2 controller (Kamil)
    - Fix QCryptoTLSCredsPSK leak (Peter)
    
    # gpg: Signature made Tue 20 Aug 2024 08:49:47 AM AEST
    # gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
    # gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <[email protected]>" [full]
    
    * tag 'hw-misc-20240820' of https://github.com/philmd/qemu:
      crypto/tlscredspsk: Free username on finalize
      hw/i386/pc: Ensure vmport prerequisites are fulfilled
      hw/i386/pc: Unify vmport=auto handling
      hw/ppc/Kconfig: Add missing SERIAL_ISA dependency to POWERNV machine
      target/sparc: Restrict STQF to sparcv9
      contrib/plugins/execlog: Fix shadowed declaration warning
      tests/avocado: Mark ppc_hv_tests.py as non-flaky after fixed console interaction
      tests/avocado: exec_command should not consume console output
      linux-user/mips: Select Loongson CPU for Loongson binaries
      linux-user/mips: Select MIPS64R2-generic for Rel2 binaries
      linux-user/mips: Select Octeon68XX CPU for Octeon binaries
      linux-user/mips: Do not try to use removed R5900 CPU
      hw/remote/message.c: Don't directly invoke DeviceClass:reset
      hw/dma/xilinx_axidma: Use semicolon at end of statement, not comma
      target/mips: Load PTE as DATA
      target/mips: Use correct MMU index in get_pte()
      target/mips: Pass page table entry size as MemOp to get_pte()
      qemu-options.hx: correct formatting -smbios type=4
      hw/mips/loongson3_virt: Fix condition of IPI IOCSR connection
      hw/mips/loongson3_virt: Store core_iocsr into LoongsonMachineState
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 19, 2024
    76277cf

Commits on Aug 20, 2024

  1. hw/nvme: fix leak of uninitialized memory in io_mgmt_recv

    Yutaro Shimizu from the Cyber Defense Institute discovered a bug in the
    NVMe emulation that leaks contents of an uninitialized heap buffer if
    subsystem and FDP emulation are enabled.
    
    Cc: [email protected]
    Reported-by: Yutaro Shimizu <[email protected]>
    Signed-off-by: Klaus Jensen <[email protected]>
    birkelund committed Aug 20, 2024
    6a22121
  2. Merge tag 'nvme-next-pull-request' of https://gitlab.com/birkelund/qemu into staging
    
    hw/nvme late fix
    
    # gpg: Signature made Tue 20 Aug 2024 02:42:45 PM AEST
    # gpg:                using RSA key 522833AA75E2DCE6A24766C04DE1AF316D4F0DE9
    # gpg: Good signature from "Klaus Jensen <[email protected]>" [unknown]
    # gpg:                 aka "Klaus Jensen <[email protected]>" [unknown]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: DDCA 4D9C 9EF9 31CC 3468  4272 63D5 6FC5 E55D A838
    #      Subkey fingerprint: 5228 33AA 75E2 DCE6 A247  66C0 4DE1 AF31 6D4F 0DE9
    
    * tag 'nvme-next-pull-request' of https://gitlab.com/birkelund/qemu:
      hw/nvme: fix leak of uninitialized memory in io_mgmt_recv
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 20, 2024
    075fd02
  3. vhost: Add VIRTIO_NET_F_RSC_EXT to vhost feature bits

    VIRTIO_NET_F_RSC_EXT is implemented in the rx data path, which vhost
    implements, so vhost needs to support the feature if it is ever to be
    enabled with vhost. The feature must be disabled otherwise.
    
    Fixes: 2974e91 ("virtio-net: support RSC v4/v6 tcp traffic for Windows HCK")
    Reported-by: Jason Wang <[email protected]>
    Signed-off-by: Akihiko Odaki <[email protected]>
    Message-Id: <[email protected]>
    Acked-by: Jason Wang <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    akihikodaki authored and mstsirkin committed Aug 20, 2024
    f8e09b9
  4. hw/audio/virtio-snd: fix invalid param check

    Commit 9b60834 ("virtio-snd: check for invalid param shift
    operands") tries to prevent invalid parameters specified by the
    guest. However, the code is not correct.
    
    Change the code so that the parameters format and rate, which are
    bit numbers, are compared with the bit size of the data type.
    
    Fixes: 9b60834 ("virtio-snd: check for invalid param shift operands")
    Signed-off-by: Volker Rümelin <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Manos Pitsidianakis <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Volker Rümelin authored and mstsirkin committed Aug 20, 2024
    7d14471
  5. virtio-pci: Fix the use of an uninitialized irqfd

    The crash was reported in MAC OS and NixOS, here is the link for this bug
    https://gitlab.com/qemu-project/qemu/-/issues/2334
    https://gitlab.com/qemu-project/qemu/-/issues/2321
    
    In this bug, they are using the virtio_input device. The guest notifier was
    not supported for this device. The function virtio_pci_set_guest_notifiers()
    was not called, and the vector_irqfd was not initialized.
    
    So the fix is adding the check for vector_irqfd in virtio_pci_get_notifier()
    
    The function virtio_pci_get_notifier() can be used in various devices.
    It could also be called when VIRTIO_CONFIG_S_DRIVER_OK is not set. In this situation,
    the vector_irqfd being NULL is acceptable. We can allow the device to continue to boot.
    
    If the vector_irqfd still hasn't been initialized after VIRTIO_CONFIG_S_DRIVER_OK
    is set, it means that the function set_guest_notifiers was not called before the
    driver started. This indicates that the device is not using the notifier.
    At this point, we will let the check fail.
    
    This fix is verified in vyatta, MacOS, NixOS and fedora systems.
    
    The bt tree for this bug is:
    Thread 6 "CPU 0/KVM" received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7c817be006c0 (LWP 1269146)]
    kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817
    817         if (irqfd->users == 0) {
    (gdb) thread apply all bt
    ...
    Thread 6 (Thread 0x7c817be006c0 (LWP 1269146) "CPU 0/KVM"):
    0  kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817
    1  kvm_virtio_pci_vector_use_one () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:893
    2  0x00005983657045e2 in memory_region_write_accessor () at ../qemu-9.0.0/system/memory.c:497
    3  0x0000598365704ba6 in access_with_adjusted_size () at ../qemu-9.0.0/system/memory.c:573
    4  0x0000598365705059 in memory_region_dispatch_write () at ../qemu-9.0.0/system/memory.c:1528
    5  0x00005983659b8e1f in flatview_write_continue_step.isra.0 () at ../qemu-9.0.0/system/physmem.c:2713
    6  0x000059836570ba7d in flatview_write_continue () at ../qemu-9.0.0/system/physmem.c:2743
    7  flatview_write () at ../qemu-9.0.0/system/physmem.c:2774
    8  0x000059836570bb76 in address_space_write () at ../qemu-9.0.0/system/physmem.c:2894
    9  0x0000598365763afe in address_space_rw () at ../qemu-9.0.0/system/physmem.c:2904
    10 kvm_cpu_exec () at ../qemu-9.0.0/accel/kvm/kvm-all.c:2917
    11 0x000059836576656e in kvm_vcpu_thread_fn () at ../qemu-9.0.0/accel/kvm/kvm-accel-ops.c:50
    12 0x0000598365926ca8 in qemu_thread_start () at ../qemu-9.0.0/util/qemu-thread-posix.c:541
    13 0x00007c8185bcd1cf in ??? () at /usr/lib/libc.so.6
    14 0x00007c8185c4e504 in clone () at /usr/lib/libc.so.6
    
    Fixes: 2ce6cff ("virtio-pci: fix use of a released vector")
    Cc: [email protected]
    Signed-off-by: Cindy Lu <[email protected]>
    Message-Id: <[email protected]>
    Acked-by: Jason Wang <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    lulu-github-name authored and mstsirkin committed Aug 20, 2024
    a8e63ff
  6. Merge tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu into staging
    
    virtio: regression fixes
    
    3 small patches to make sure we don't ship regressions.
    
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    
    # gpg: Signature made Tue 20 Aug 2024 08:59:27 PM AEST
    # gpg:                using RSA key 5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Michael S. Tsirkin <[email protected]>" [undefined]
    # gpg:                 aka "Michael S. Tsirkin <[email protected]>" [undefined]
    # gpg: WARNING: The key's User ID is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
    #      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469
    
    * tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu:
      virtio-pci: Fix the use of an uninitialized irqfd
      hw/audio/virtio-snd: fix invalid param check
      vhost: Add VIRTIO_NET_F_RSC_EXT to vhost feature bits
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 20, 2024
    9eb5bfb
  7. migration/multifd: Free MultiFDRecvParams::data

    In multifd_recv_setup() we allocate (among other things)
     * a MultiFDRecvData struct to multifd_recv_state::data
     * a MultiFDRecvData struct to each multifd_recv_state->params[i].data
    
    (Then during execution we might swap these pointers around.)
    
    But in multifd_recv_cleanup() we free multifd_recv_state->data
    in multifd_recv_cleanup_state() but we don't ever free the
    multifd_recv_state->params[i].data. This results in a memory
    leak reported by LeakSanitizer:
    
    (cd build/asan && \
       ASAN_OPTIONS="fast_unwind_on_malloc=0:strip_path_prefix=/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../" \
       QTEST_QEMU_BINARY=./qemu-system-x86_64 \
       ./tests/qtest/migration-test --tap -k -p /x86_64/migration/multifd/file/mapped-ram )
    [...]
    Direct leak of 72 byte(s) in 3 object(s) allocated from:
        #0 0x561cc0afcfd8 in __interceptor_calloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qemu-system-x86_64+0x218efd8) (BuildId: be72e086d4e47b172b0a72779972213fd9916466)
        #1 0x7f89d37acc50 in g_malloc0 debian/build/deb/../../../glib/gmem.c:161:13
        #2 0x561cc1e9c83c in multifd_recv_setup migration/multifd.c:1606:19
        #3 0x561cc1e68618 in migration_ioc_process_incoming migration/migration.c:972:9
        #4 0x561cc1e3ac59 in migration_channel_process_incoming migration/channel.c:45:9
        #5 0x561cc1e4fa0b in file_accept_incoming_migration migration/file.c:132:5
        #6 0x561cc30f2c0c in qio_channel_fd_source_dispatch io/channel-watch.c:84:12
        #7 0x7f89d37a3c43 in g_main_dispatch debian/build/deb/../../../glib/gmain.c:3419:28
        #8 0x7f89d37a3c43 in g_main_context_dispatch debian/build/deb/../../../glib/gmain.c:4137:7
        #9 0x561cc3b21659 in glib_pollfds_poll util/main-loop.c:287:9
        #10 0x561cc3b1ff93 in os_host_main_loop_wait util/main-loop.c:310:5
        #11 0x561cc3b1fb5c in main_loop_wait util/main-loop.c:589:11
        #12 0x561cc1da2917 in qemu_main_loop system/runstate.c:801:9
        #13 0x561cc3796c1c in qemu_default_main system/main.c:37:14
        #14 0x561cc3796c67 in main system/main.c:48:12
        #15 0x7f89d163bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #16 0x7f89d163be3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #17 0x561cc0a79fa4 in _start (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qemu-system-x86_64+0x210bfa4) (BuildId: be72e086d4e47b172b0a72779972213fd9916466)
    
    Direct leak of 24 byte(s) in 1 object(s) allocated from:
        #0 0x561cc0afcfd8 in __interceptor_calloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qemu-system-x86_64+0x218efd8) (BuildId: be72e086d4e47b172b0a72779972213fd9916466)
        #1 0x7f89d37acc50 in g_malloc0 debian/build/deb/../../../glib/gmem.c:161:13
        #2 0x561cc1e9bed9 in multifd_recv_setup migration/multifd.c:1588:32
        #3 0x561cc1e68618 in migration_ioc_process_incoming migration/migration.c:972:9
        #4 0x561cc1e3ac59 in migration_channel_process_incoming migration/channel.c:45:9
        #5 0x561cc1e4fa0b in file_accept_incoming_migration migration/file.c:132:5
        #6 0x561cc30f2c0c in qio_channel_fd_source_dispatch io/channel-watch.c:84:12
        #7 0x7f89d37a3c43 in g_main_dispatch debian/build/deb/../../../glib/gmain.c:3419:28
        #8 0x7f89d37a3c43 in g_main_context_dispatch debian/build/deb/../../../glib/gmain.c:4137:7
        #9 0x561cc3b21659 in glib_pollfds_poll util/main-loop.c:287:9
        #10 0x561cc3b1ff93 in os_host_main_loop_wait util/main-loop.c:310:5
        #11 0x561cc3b1fb5c in main_loop_wait util/main-loop.c:589:11
        #12 0x561cc1da2917 in qemu_main_loop system/runstate.c:801:9
        #13 0x561cc3796c1c in qemu_default_main system/main.c:37:14
        #14 0x561cc3796c67 in main system/main.c:48:12
        #15 0x7f89d163bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #16 0x7f89d163be3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #17 0x561cc0a79fa4 in _start (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qemu-system-x86_64+0x210bfa4) (BuildId: be72e086d4e47b172b0a72779972213fd9916466)
    
    SUMMARY: AddressSanitizer: 96 byte(s) leaked in 4 allocation(s).
    
    Free the params[i].data too.
    
    Cc: [email protected]
    Fixes: d117ed0 ("migration/multifd: Allow receiving pages without packets")
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Fabiano Rosas <[email protected]>
    Signed-off-by: Fabiano Rosas <[email protected]>
    pm215 authored and Fabiano Rosas committed Aug 20, 2024
    4c10787
  8. Merge tag 'migration-20240820-pull-request' of https://gitlab.com/farosas/qemu into staging
    
    Migration pull request
    
    - Peter's fix for a leak in multifd recv side
    
    # gpg: Signature made Wed 21 Aug 2024 03:04:23 AM AEST
    # gpg:                using RSA key AA1B48B0A22326A5A4C364CFC798DC741BEC319D
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Fabiano Rosas <[email protected]>" [unknown]
    # gpg:                 aka "Fabiano Almeida Rosas <[email protected]>" [unknown]
    # gpg: WARNING: The key's User ID is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: AA1B 48B0 A223 26A5 A4C3  64CF C798 DC74 1BEC 319D
    
    * tag 'migration-20240820-pull-request' of https://gitlab.com/farosas/qemu:
      migration/multifd: Free MultiFDRecvParams::data
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 20, 2024
    4220ebd
  9. linux-user: Handle short reads in mmap_h_gt_g

    In particular, if an image has a large bss, we can hit
    EOF before reading all host_len bytes of the mapping.
    
    Create a helper, mmap_pread to handle the job for both
    the larger block in mmap_h_gt_g itself, as well as the
    smaller block in mmap_frag.
    
    Cc: [email protected]
    Fixes: eb5027a ("linux-user: Split out mmap_h_gt_g")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2504
    Signed-off-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    rth7680 committed Aug 20, 2024
    a4ad4a9
  10. bsd-user: Handle short reads in mmap_h_gt_g

    In particular, if an image has a large bss, we can hit EOF before reading
    all bytes of the mapping.  Mirror the similar change to linux-user.
    
    Signed-off-by: Richard Henderson <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-Id: <[email protected]>
    rth7680 committed Aug 20, 2024
    5b73b24
  11. target/i386: Split out gen_prepare_val_nz

    Split out the TCG_COND_TSTEQ logic from gen_prepare_eflags_z,
    and use it for CC_OP_BMILG* as well.  Prepare for requiring
    both zero and non-zero senses.
    
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    rth7680 committed Aug 20, 2024
    266d6dd
  12. target/i386: Fix carry flag for BLSI

    BLSI has inverted semantics for C as compared to the other two
    BMI1 instructions, BLSMSK and BLSR.  Introduce CC_OP_BLSI* for
    this purpose.
    
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2175
    Signed-off-by: Richard Henderson <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-Id: <[email protected]>
    rth7680 committed Aug 20, 2024
    83a3a20
  13. target/i386: Fix tss access size in switch_tss_ra

    The two limit_max variables represent size - 1, just like the
    encoding in the GDT, thus the 'old' access was off by one.
    Access the minimal size of the new tss: the complete tss contains
    the iopb, which may be a larger block than the access api expects,
    and irrelevant because the iopb is not accessed during the
    switch itself.
    
    Fixes: 8b13106 ("target/i386/tcg: use X86Access for TSS access")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2511
    Signed-off-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Peter Maydell <[email protected]>
    Reviewed-by: Pierrick Bouvier <[email protected]>
    rth7680 committed Aug 20, 2024
    ded1db4
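
The short-read case described in the linux-user and bsd-user commits above (EOF reached before the whole region has been read) is sketched below as an added example; it is not QEMU's `mmap_pread`. The names `pread_until_eof`, `read_exact_or_fail` and `populate_region`, the temp-file path and the payload are assumptions constructed for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* pread(), mkstemp() */
#endif
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAP_LEN 4096                          /* constructed region size */
#define PAYLOAD "constructed .data bytes"     /* constructed file contents */
#define PAYLOAD_LEN (sizeof(PAYLOAD) - 1)

/* Naive check: any read shorter than len is treated as a failure. */
static bool read_exact_or_fail(int fd, void *buf, size_t len, off_t off)
{
    return pread(fd, buf, len, off) == (ssize_t)len;
}

/*
 * Hypothetical helper: keep reading until len bytes have arrived, EOF is
 * reached, or a real error occurs. EOF counts as success; bytes past it keep
 * whatever the caller's buffer already held (zeroes in this example).
 */
static bool pread_until_eof(int fd, void *buf, size_t len, off_t off,
                            size_t *got)
{
    unsigned char *p = buf;
    size_t done = 0;

    while (done < len) {
        ssize_t r = pread(fd, p + done, len - done, off + (off_t)done);
        if (r == 0) {
            break;                 /* EOF before len bytes: not an error */
        }
        if (r < 0) {
            if (errno == EINTR) {
                continue;          /* interrupted: retry the same range */
            }
            return false;          /* genuine I/O error */
        }
        done += (size_t)r;         /* short read: advance and continue */
    }
    *got = done;
    return true;
}

/* Create an already-unlinked temp file holding n bytes of data. */
static int make_image(const char *data, size_t n)
{
    char path[] = "/tmp/shortread-XXXXXX";
    int fd = mkstemp(path);

    if (fd < 0) {
        return -1;
    }
    unlink(path);
    if (write(fd, data, n) != (ssize_t)n) {
        close(fd);
        return -1;
    }
    return fd;
}

/*
 * Fill a zeroed MAP_LEN region from a file that is much shorter than the
 * region. Returns the number of bytes read by the helper, or -1 on failure.
 * *naive_ok reports what the exact-length check concluded for the same read;
 * *tail_zero reports whether everything past EOF is still zero.
 */
static long populate_region(bool *naive_ok, bool *tail_zero)
{
    unsigned char region[MAP_LEN];
    size_t got = 0;
    int fd = make_image(PAYLOAD, PAYLOAD_LEN);

    if (fd < 0) {
        return -1;
    }
    memset(region, 0, sizeof(region));
    *naive_ok = read_exact_or_fail(fd, region, sizeof(region), 0);

    memset(region, 0, sizeof(region));       /* start again from zeroes */
    bool ok = pread_until_eof(fd, region, sizeof(region), 0, &got);
    close(fd);
    if (!ok || memcmp(region, PAYLOAD, got) != 0) {
        return -1;
    }
    *tail_zero = true;
    for (size_t i = got; i < sizeof(region); i++) {
        if (region[i] != 0) {
            *tail_zero = false;
            break;
        }
    }
    return (long)got;
}

int main(void)
{
    bool naive_ok = true, tail_zero = false;
    long got = populate_region(&naive_ok, &tail_zero);

    printf("helper read %ld bytes, naive check ok=%d, tail zero=%d\n",
           got, naive_ok, tail_zero);
    return got < 0;
}
```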

Commits on Aug 21, 2024

  1. Merge tag 'pull-misc-20240821' of https://gitlab.com/rth7680/qemu into staging
    
    target/i386: Fix carry flag for BLSI
    target/i386: Fix tss access size in switch_tss_ra
    linux-user: Handle short reads in mmap_h_gt_g
    bsd-user: Handle short reads in mmap_h_gt_g
    
    # gpg: Signature made Wed 21 Aug 2024 12:21:41 PM AEST
    # gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Richard Henderson <[email protected]>" [ultimate]
    
    * tag 'pull-misc-20240821' of https://gitlab.com/rth7680/qemu:
      target/i386: Fix tss access size in switch_tss_ra
      target/i386: Fix carry flag for BLSI
      target/i386: Split out gen_prepare_val_nz
      bsd-user: Handle short reads in mmap_h_gt_g
      linux-user: Handle short reads in mmap_h_gt_g
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 21, 2024
    f36538b
  2. hw/loongarch: Fix length for lowram in ACPI SRAT

    The size of lowram should be "gap" instead of the whole node.
    
    This is failing kernel's sanity check:
    
    [    0.000000] ACPI: SRAT: Node 0 PXM 0 [mem 0x00000000-0xffffffff]
    [    0.000000] ACPI: SRAT: Node 0 PXM 0 [mem 0x80000000-0x16fffffff]
    [    0.000000] ACPI: SRAT: Node 1 PXM 1 [mem 0x170000000-0x26fffffff]
    [    0.000000] Warning: node 0 [mem 0x00000000-0xffffffff] overlaps with itself [mem 0x80000000-0x16fffffff]
    
    Fixes: fc10001 ("hw/loongarch: Refine acpi srat table for numa memory")
    Signed-off-by: Jiaxun Yang <[email protected]>
    Reviewed-by: Bibo Mao <[email protected]>
    Signed-off-by: Song Gao <[email protected]>
    FlyGoat authored and gaosong-loongson committed Aug 21, 2024
    d4f5e5a
  3. Merge tag 'pull-loongarch-20240821' of https://gitlab.com/gaosong/qemu into staging
    
    Fix for 9.1
    
    # gpg: Signature made Wed 21 Aug 2024 01:01:34 PM AEST
    # gpg:                using RSA key B8FF1DA0D2FDCB2DA09C6C2C40A2FFF239263EDF
    # gpg: Good signature from "Song Gao <[email protected]>" [unknown]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: B8FF 1DA0 D2FD CB2D A09C  6C2C 40A2 FFF2 3926 3EDF
    
    * tag 'pull-loongarch-20240821' of https://gitlab.com/gaosong/qemu:
      hw/loongarch: Fix length for lowram in ACPI SRAT
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 21, 2024
    3472f54

Commits on Aug 22, 2024

  1. Update version for v9.1.0-rc3 release

    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 22, 2024
    407f9a4

Commits on Aug 23, 2024

  1. hw/x86: add a couple of comments explaining how the kernel image is parsed
    
    Cosmetic: add comments in x86_load_linux() pointing to the kernel documentation
    so that users can better understand the code.
    
    CC: [email protected]
    Signed-off-by: Ani Sinha <[email protected]>
    Reviewed-by: Zhao Liu <[email protected]>
    Reviewed-by: Michael Tokarev <[email protected]>
    Signed-off-by: Michael Tokarev <[email protected]>
    ani-sinha authored and Michael Tokarev committed Aug 23, 2024
    80e3541
  2. system/vl.c: Print machine name, not "(null)", for unknown machine types

    In commit 412d294 we tried to improve the error message printed when
    the machine type is unknown, but we used the wrong variable, resulting in:
    
    $ ./build/x86/qemu-system-aarch64 -M bang
    qemu-system-aarch64: unsupported machine type: "(null)"
    Use -machine help to list supported machines
    
    Use the right variable, so we produce more helpful output:
    
    $ ./build/x86/qemu-system-aarch64 -M bang
    qemu-system-aarch64: unsupported machine type: "bang"
    Use -machine help to list supported machines
    
    Note that we must move the qdict_del() to below the error_setg(),
    because machine_type points into the value of that qdict entry,
    and deleting it will make the pointer invalid.
    
    Cc: [email protected]
    Fixes: 412d294 ("vl.c: select_machine(): add selected machine type to error message")
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Michael Tokarev <[email protected]>
    Signed-off-by: Michael Tokarev <[email protected]>
    pm215 authored and Michael Tokarev committed Aug 23, 2024
    d53bb90
  3. hw/display/vhost-user-gpu.c: fix vhost_user_gpu_chr_read()

    Fix vhost_user_gpu_chr_read() where `size` was incorrectly passed to `msg->flags`.
    
    Fixes: 267f664 ("hw/display: add vhost-user-vga & gpu-pci")
    Signed-off-by: Haoran Zhang <[email protected]>
    Reviewed-by: Marc-André Lureau <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Michael Tokarev <[email protected]>
    Signed-off-by: Michael Tokarev <[email protected]>
    Whisper2020 authored and Michael Tokarev committed Aug 23, 2024
    d6192f3
  4. Merge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into staging
    
    trivial patches for 2024-08-23
    
    # gpg: Signature made Sat 24 Aug 2024 12:14:42 AM AEST
    # gpg:                using RSA key 7B73BAD68BE7A2C289314B22701B4F6B1A693E59
    # gpg: Good signature from "Michael Tokarev <[email protected]>" [full]
    # gpg:                 aka "Michael Tokarev <[email protected]>" [full]
    # gpg:                 aka "Michael Tokarev <[email protected]>" [full]
    
    * tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu:
      hw/display/vhost-user-gpu.c: fix vhost_user_gpu_chr_read()
      system/vl.c: Print machine name, not "(null)", for unknown machine types
      hw/x86: add a couple of comments explaining how the kernel image is parsed
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 23, 2024
    f259e4c

Commits on Aug 26, 2024

  1. gitlab-ci: Replace build_script -> step_script in Cirrus jobs

    Long due upgrade, see [1]:
    
      In GitLab Runner 13.2 a translation for step_script to
      build_script was added to the custom executor. In 14.0
      the build_script stage will be replaced with step_script.
    
    We are using GitLab 17 [2]!
    
    This removes the following warning:
    
      WARNING: Starting with version 17.0 the 'build_script'
      stage will be replaced with 'step_script':
      https://gitlab.com/groups/gitlab-org/-/epics/6112
    
    [1] https://about.gitlab.com/releases/2021/05/22/gitlab-13-12-released/#remove-translation-from-stepscript-to-buildscript-in-custom-executor
    [2] https://about.gitlab.com/releases/2024/05/16/gitlab-17-0-released/
    
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    philmd authored and huth committed Aug 26, 2024
    eb9ca73
  2. .gitlab-ci.d/windows.yml: Disable the qtests in the MSYS2 job

    The qtests have been broken for a while in the MSYS2 job in the gitlab-CI,
    likely due to some changes in the MSYS2 environment. So far nobody has
    either a clue what's going wrong here or an idea how to fix this
    (in fact most QEMU developers don't even have a Windows environment
    available for properly analyzing this problem), so we should disable the
    qtests here for the time being to at least get test coverage again
    for the remaining tests that are run here.
    
    Since we already get compile-test coverage for the system emulation
    in the cross-win64-system job, and since the MSYS2 job is one of the
    longest running jobs in our CI (it takes more than 1 hour to complete),
    let's seize the opportunity and also cut the run time by disabling
    the system emulation completely here, including the libraries that
    are only useful for system emulation. In case somebody ever figures
    out the failure of the qtests on MSYS2, we can revert this patch
    to get everything back.
    
    Suggested-by: Philippe Mathieu-Daudé <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    huth committed Aug 26, 2024
    8f97deb
  3. tests/qtest: Delete previous boot file

    A test run may create boot files several times. Delete the previous boot
    file before creating a new one.
    
    Signed-off-by: Akihiko Odaki <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    akihikodaki authored and huth committed Aug 26, 2024
    aee07f2
  4. Merge tag 'pull-request-2024-08-26' of https://gitlab.com/thuth/qemu into staging
    
    * Disable the broken qtests in the MSYS2 CI job
    * Replace deprecated keyword in the Cirrus-CI scripts
    * Fix a simple leak in the migration-test qtest
    
    # gpg: Signature made Mon 26 Aug 2024 07:38:22 PM AEST
    # gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Thomas Huth <[email protected]>" [full]
    # gpg:                 aka "Thomas Huth <[email protected]>" [full]
    # gpg:                 aka "Thomas Huth <[email protected]>" [unknown]
    # gpg:                 aka "Thomas Huth <[email protected]>" [full]
    
    * tag 'pull-request-2024-08-26' of https://gitlab.com/thuth/qemu:
      tests/qtest: Delete previous boot file
      .gitlab-ci.d/windows.yml: Disable the qtests in the MSYS2 job
      gitlab-ci: Replace build_script -> step_script in Cirrus jobs
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 26, 2024
    594ff83
  5. nbd/server: CVE-2024-7409: Avoid use-after-free when closing server

    Commit 3e7ef73 plugged the use-after-free of the global nbd_server
    object, but overlooked a use-after-free of nbd_server->listener.
    Although this race is harder to hit, notice that our shutdown path
    first drops the reference count of nbd_server->listener, then triggers
    actions that can result in a pending client reaching the
    nbd_blockdev_client_closed() callback, which in turn calls
    qio_net_listener_set_client_func on a potentially stale object.
    
    If we know we don't want any more clients to connect, and have already
    told the listener socket to shut down, then we should not be trying to
    update the listener socket's associated function.
    
    Reproducer:
    
    > #!/usr/bin/python3
    >
    > import os
    > from threading import Thread
    >
    > def start_stop():
    >     while 1:
    >         os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-start", "arguments":{"addr":{"type":"unix","data":{"path":"/tmp/nbd-sock"}}}}\'')
    >         os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-stop"}\'')
    >
    > def nbd_list():
    >     while 1:
    >         os.system('/path/to/build/qemu-nbd -L -k /tmp/nbd-sock')
    >
    > def test():
    >     sst = Thread(target=start_stop)
    >     sst.start()
    >     nlt = Thread(target=nbd_list)
    >     nlt.start()
    >
    >     sst.join()
    >     nlt.join()
    >
    > test()
    
    Fixes: CVE-2024-7409
    Fixes: 3e7ef73 ("nbd/server: CVE-2024-7409: Close stray clients at server-stop")
    CC: [email protected]
    Reported-by: Andrey Drobyshev <[email protected]>
    Signed-off-by: Eric Blake <[email protected]>
    Message-ID: <[email protected]>
    Reviewed-by: Stefan Hajnoczi <[email protected]>
    ebblake committed Aug 26, 2024
    3874f5f
  6. Merge tag 'pull-nbd-2024-08-26' of https://repo.or.cz/qemu/ericb into staging
    
    NBD patches for 2024-08-26
    
    - One more patch for CVE-2024-7409 (use-after-free on nbd-server-stop)
    
    # gpg: Signature made Mon 26 Aug 2024 11:49:07 PM AEST
    # gpg:                using RSA key 71C2CC22B1C4602927D2F3AAA7A16B4A2527436A
    # gpg: Good signature from "Eric Blake <[email protected]>" [full]
    # gpg:                 aka "Eric Blake (Free Software Programmer) <[email protected]>" [full]
    # gpg:                 aka "[jpeg image of size 6874]" [full]
    
    * tag 'pull-nbd-2024-08-26' of https://repo.or.cz/qemu/ericb:
      nbd/server: CVE-2024-7409: Avoid use-after-free when closing server
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 26, 2024
    afaee42
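
The shutdown ordering described in the CVE-2024-7409 commit above (the listener reference is dropped first, then pending clients reach the client-closed callback, which updates the listener) is modelled below as an added example; it is not QEMU's code. All type and function names are hypothetical, and the model marks the listener as finalized and counts late calls instead of really freeing memory, so the stale access can be observed safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy reference-counted listener. "finalized" stands in for "freed". */
typedef struct Listener {
    int refcount;
    bool finalized;
    bool accepting;
    int stale_uses;      /* calls that arrived after the last unref */
} Listener;

static void listener_unref(Listener *l)
{
    if (--l->refcount == 0) {
        l->finalized = true;
    }
}

static void listener_set_client_func(Listener *l, bool accept)
{
    if (l->finalized) {
        l->stale_uses++;   /* in real code this is the use-after-free */
        return;
    }
    l->accepting = accept;
}

typedef struct Server {
    Listener *listener;
    int connections;
    int max_connections;
    bool hardened;         /* false: ordering with the stale access */
} Server;

/* Re-arm or disarm accepting depending on the connection limit. */
static void server_update_watch(Server *s)
{
    if (s->hardened && s->listener == NULL) {
        return;            /* shutting down: no more clients are wanted */
    }
    bool room = s->max_connections == 0 ||
                s->connections < s->max_connections;
    listener_set_client_func(s->listener, room);
}

/* Callback run when a client connection goes away. */
static void client_closed(Server *s)
{
    s->connections--;
    server_update_watch(s);
}

static void server_stop(Server *s)
{
    listener_set_client_func(s->listener, false);  /* stop accepting */
    listener_unref(s->listener);                   /* last reference */
    if (s->hardened) {
        s->listener = NULL;    /* later callbacks can see shutdown began */
    }
    /* Pending clients are torn down only after the listener is gone. */
    while (s->connections > 0) {
        client_closed(s);
    }
}

/* Run one shutdown and report how often the dead listener was touched. */
static int stale_uses_after_stop(bool hardened, int pending_clients)
{
    Listener l = { .refcount = 1 };
    Server s = {
        .listener = &l,
        .connections = pending_clients,
        .max_connections = 8,
        .hardened = hardened,
    };

    server_stop(&s);
    return l.stale_uses;
}

int main(void)
{
    printf("unguarded, 3 pending clients: %d stale uses\n",
           stale_uses_after_stop(false, 3));
    printf("guarded,   3 pending clients: %d stale uses\n",
           stale_uses_after_stop(true, 3));
    return 0;
}
```

With no pending clients the unguarded path never touches the dead listener.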

Commits on Aug 27, 2024

  1. docs/sphinx: fix extra stuff in TOC after freeform QMP sections

    Freeform sections with titles are currently generating a TOC entry for
    the first paragraph in the section after the header, which is not what
    we want.
    
    (Easiest to observe directly in the QMP reference manual's
    "Introduction" section.)
    
    When freeform sections are parsed, we create both a section header *and*
    an empty, title-less section. This causes some problems with sphinx's
    post-parse tree transforms, see also 2664f31 - this is a similar issue:
    Sphinx doesn't like section-less titles and it also doesn't like
    title-less sections.
    
    Modify qapidoc.py to parse text directly into the preceding section
    title as child nodes, eliminating the section duplication. This removes
    the extra text from the TOC.
    
    Only very, very lightly tested: "it looks right at a glance" ™️. I am
    still in the process of rewriting qapidoc, so I didn't give it much
    deeper thought.
    
    Reported-by: Markus Armbruster <[email protected]>
    Signed-off-by: John Snow <[email protected]>
    Message-ID: <[email protected]>
    jnsnow authored and Markus Armbruster committed Aug 27, 2024
    43e0d14
  2. Merge tag 'pull-qapi-2024-08-27' of https://repo.or.cz/qemu/armbru into staging
    
    QAPI patches for 2024-08-27
    
    # gpg: Signature made Tue 27 Aug 2024 07:40:15 PM AEST
    # gpg:                using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Markus Armbruster <[email protected]>" [full]
    # gpg:                 aka "Markus Armbruster <[email protected]>" [full]
    
    * tag 'pull-qapi-2024-08-27' of https://repo.or.cz/qemu/armbru:
      docs/sphinx: fix extra stuff in TOC after freeform QMP sections
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 27, 2024
    23e67bd

Commits on Aug 28, 2024

  1. Update version for v9.1.0-rc4 release

    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 28, 2024
    cec9917

Commits on Sep 3, 2024

  1. Update version for v9.1.0 release

    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Sep 3, 2024
    fd1952d

Commits on Sep 5, 2024

  1. target/hppa: Fix PSW V-bit packaging in cpu_hppa_get for hppa64

    While adding hppa64 support, the psw_v variable got extended from 32 to 64
    bits.  So, when packaging the PSW-V bit from the psw_v variable for interrupt
    processing, check bit 31 instead of the 63rd (sign) bit.
    
    This fixes a hard-to-find Linux kernel boot issue where the loss of the PSW-V
    bit due to an ITLB interruption in the middle of a series of ds/addc
    instructions (from the divU millicode library) generated the wrong division
    result and thus triggered a Linux kernel crash.
    
    Link: https://lore.kernel.org/lkml/[email protected]/
    Reported-by: Guenter Roeck <[email protected]>
    Signed-off-by: Helge Deller <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Tested-by: Guenter Roeck <[email protected]>
    Fixes: 931adff ("target/hppa: Update cpu_hppa_get/put_psw for hppa64")
    Cc: [email protected] # v8.2+
    (cherry picked from commit ead5078cf1a5f11d16e3e8462154c859620bcc7e)
    Signed-off-by: Michael Tokarev <[email protected]>
    hdeller authored and Michael Tokarev committed Sep 5, 2024
    20eee6c

Commits on Sep 11, 2024

  1. iotests: fix expected output from gnutls

    Error reporting from gnutls was improved by:
    
      commit 57941c9
      Author: Daniel P. Berrangé <[email protected]>
      Date:   Fri Mar 15 14:07:58 2024 +0000
    
        crypto: push error reporting into TLS session I/O APIs
    
    This has the effect of changing the output from one of the NBD
    tests.
    
    Reported-by: Thomas Huth <[email protected]>
    Signed-off-by: Daniel P. Berrangé <[email protected]>
    (cherry picked from commit 48b8583698d96d6290726400789fcd51c55691b1)
    Signed-off-by: Michael Tokarev <[email protected]>
    berrange authored and Michael Tokarev committed Sep 11, 2024
    f74e5bd

Commits on Sep 25, 2024

  1. crypto: run qcrypto_pbkdf2_count_iters in a new thread

    CPU time accounting in the kernel has been demonstrated to have a
    sawtooth pattern[1][2]. This can cause the getrusage system call to
    not be as accurate as we are expecting, which can cause this calculation
    to stall.
    
    The kernel discussions show that this inaccuracy happens when CPU time
    gets big enough, so this patch changes qcrypto_pbkdf2_count_iters to run
    in a fresh thread to avoid this inaccuracy. It also adds a sanity check
    to fail the process if CPU time is not accounted.
    
    [1] https://lore.kernel.org/lkml/159231011694.16989.16351419333851309713.tip-bot2@tip-bot2/
    [2] https://lore.kernel.org/lkml/[email protected]/t/#m1c7f2fdc0ea742776a70fd1aa2a2e414c437f534
    
    Resolves: #2398
    Signed-off-by: Tiago Pasqualini <[email protected]>
    Signed-off-by: Daniel P. Berrangé <[email protected]>
    (cherry picked from commit c72cab5ad9f849bbcfcf4be7952b8b8946cc626e)
    Signed-off-by: Michael Tokarev <[email protected]>
    tpsilva authored and Michael Tokarev committed Sep 25, 2024
    ae2dc2a
  2. crypto: check gnutls & gcrypt support the requested pbkdf hash

    Both gnutls and gcrypt can be configured to exclude support for certain
    algorithms via a runtime check against system crypto policies. Thus it
    is not sufficient to have a compile time test for hash support in their
    pbkdf implementations.
    
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Daniel P. Berrangé <[email protected]>
    (cherry picked from commit e6c09ea4f9e5f8af92a6453642b84b9efd52892f)
    Signed-off-by: Michael Tokarev <[email protected]>
    berrange authored and Michael Tokarev committed Sep 25, 2024
    0e8f3eb
  3. crypto: avoid leak of ctx when bad cipher mode is given

    Fixes: Coverity CID 1546884
    Reviewed-by: Peter Maydell <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Daniel P. Berrangé <[email protected]>
    (cherry picked from commit 586ac2c67d707c2588766c5195d94fa553cc25af)
    Signed-off-by: Michael Tokarev <[email protected]>
    berrange authored and Michael Tokarev committed Sep 25, 2024
    3148a16
  4. tests/docker: remove debian-armel-cross

    As debian-11 transitions to LTS we are starting to have problems
    building the image. While we could update to a later Debian, building a
    32 bit QEMU without modern floating point is a niche host amongst the
    few remaining 32 bit hosts we regularly build for. For now we still
    have armhf-debian-cross-container which is currently built from the
    more recent debian-12.
    
    Reviewed-by: Pierrick Bouvier <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    (cherry picked from commit d0068b746a0a8cd4bb148527a0d199b130cd5288)
    Signed-off-by: Michael Tokarev <[email protected]>
    stsquad authored and Michael Tokarev committed Sep 25, 2024
    a160fa0
  5. tests/docker: update debian i686 and mipsel images to bookworm

    Whatever issues there were which stopped these being updated when the
    rest were have now been resolved. However mips64el continues to be
    broken so don't update it here.
    
    Reviewed-by: Pierrick Bouvier <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <[email protected]>
    (cherry picked from commit 19d2111059c87d3f58349f27b9be9dee81fc1681)
    Signed-off-by: Michael Tokarev <[email protected]>
    stsquad authored and Michael Tokarev committed Sep 25, 2024
    27a15a2
  6. contrib/plugins/Makefile: Add a 'distclean' target

    Running "make distclean" in the build tree currently fails since this
    tries to run the "distclean" target in the contrib/plugins/ folder, too,
    but the Makefile there is missing this target. Thus add 'distclean' there
    to fix this issue.
    
    And to avoid regressions with "make distclean", add this command to one
    of the build jobs, too.
    
    Message-ID: <[email protected]>
    Reviewed-by: Pierrick Bouvier <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    (cherry picked from commit 1231bc7d12c373e445171dda9e7e5146eee7da55)
    Signed-off-by: Michael Tokarev <[email protected]>
    huth authored and Michael Tokarev committed Sep 25, 2024
    cd320c8
  7. hw/audio/virtio-sound: fix heap buffer overflow

    Currently, the guest may write to the device configuration space,
    whereas the virtio sound device specification in chapter 5.14.4
    clearly states that the fields in the device configuration space
    are driver-read-only.
    
    Remove the set_config function from the virtio_snd class.
    
    This also prevents a heap buffer overflow. See QEMU issue #2296.
    
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2296
    Signed-off-by: Volker Rümelin <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    (cherry picked from commit 7fc6611cad3e9627b23ce83e550b668abba6c886)
    Signed-off-by: Michael Tokarev <[email protected]>
    Volker Rümelin authored and Michael Tokarev committed Sep 25, 2024
    df9aa3d
  8. hw/intc/arm_gic: fix spurious level triggered interrupts

    On GICv2 and later, level triggered interrupts are pending when either
    the interrupt line is asserted or the interrupt was made pending by a
    GICD_ISPENDRn write. Making a level triggered interrupt pending by
    software persists until either the interrupt is acknowledged or cleared
    by writing GICD_ICPENDRn. As long as the interrupt line is asserted,
    the interrupt is pending in any case.
    
    This logic is transparently implemented in gic_test_pending() for
    GICv1 and GICv2.  The function combines the "pending" irq_state flag
    (used for edge triggered interrupts and software requests) and the
    line status (tracked in the "level" field).  However, we also
    incorrectly set the pending flag on a guest write to GICD_ISENABLERn
    if the line of a level triggered interrupt was asserted.  This keeps
    the interrupt pending even if the line is de-asserted after some
    time.
    
    This incorrect logic is a leftover of the initial 11MPCore GIC
    implementation.  That handles things slightly differently to the
    architected GICv1 and GICv2.  The 11MPCore TRM does not give a lot of
    detail on the corner cases of its GIC's behaviour, and historically
    we have not wanted to investigate exactly what it does in reality, so
    QEMU's GIC model takes the approach of "retain our existing behaviour
    for 11MPCore, and implement the architectural standard for later GIC
    revisions".
    
    On that basis, commit 8d99999 in 2013 is where we added the
    "level-triggered interrupt with the line asserted" handling to
    gic_test_pending(), and we deliberately kept the old behaviour of
    gic_test_pending() for REV_11MPCORE.  That commit should have added
    the "only if 11MPCore" condition to the setting of the pending bit on
    writes to GICD_ISENABLERn, but forgot it.
    
    Add the missing "if REV_11MPCORE" condition, so that our behaviour
    on GICv1 and GICv2 matches the GIC architecture requirements.
    
    Cc: [email protected]
    Fixes: 8d99999 ("arm_gic: Fix GIC pending behavior")
    Signed-off-by: Jan Klötzke <[email protected]>
    Message-id: [email protected]
    Reviewed-by: Peter Maydell <[email protected]>
    [PMM: expanded comment a little and converted to coding-style form;
     expanded commit message with the historical backstory]
    Signed-off-by: Peter Maydell <[email protected]>
    (cherry picked from commit 110684c9a69a02cbabfbddcd3afa921826ad565c)
    Signed-off-by: Michael Tokarev <[email protected]>
    jkloetzke authored and Michael Tokarev committed Sep 25, 2024
    bec9a96
  9. ui/sdl2: set swap interval explicitly when OpenGL is enabled

    Before 176e378 (ui/sdl2: OpenGL window context)
    SDL_CreateRenderer was called unconditionally setting
    the swap interval to 0. Since SDL_CreateRenderer is now no
    longer called when OpenGL is enabled, the swap interval is
    no longer set explicitly and vsync handling depends on
    the environment settings which may lead to a performance
    regression with virgl as reported in
       https://gitlab.com/qemu-project/qemu/-/issues/2565
    
    Restore the old vsync handling by explicitly calling
    SDL_GL_SetSwapInterval if OpenGL is enabled.
    
    Fixes: 176e378 (ui/sdl2: OpenGL window context)
    Closes: https://gitlab.com/qemu-project/qemu/-/issues/2565
    
    Signed-off-by: Gert Wollny <[email protected]>
    Acked-by: Marc-André Lureau <[email protected]>
    Message-ID: <01020191e05ce6df-84da6386-62c2-4ce8-840e-ad216ac253dd-000000@eu-west-1.amazonses.com>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    (cherry picked from commit ae23cd00170baaa2777eb1ee87b70f472dbb3c44)
    Signed-off-by: Michael Tokarev <[email protected]>
    gerddie authored and Michael Tokarev committed Sep 25, 2024
    b95002f
  10. gitlab: fix logic for changing docker tag on stable branches

    This fixes:
    
      commit e28112d
      Author: Daniel P. Berrangé <[email protected]>
      Date:   Thu Jun 8 17:40:16 2023 +0100
    
        gitlab: stable staging branches publish containers in a separate tag
    
    Due to a copy+paste mistake, that commit included "QEMU_JOB_SKIPPED"
    in the final rule that was meant to be a 'catch all' for staging
    branches.
    
    As a result stable branches are still splattering dockers from the
    primary development branch.
    
    Signed-off-by: Daniel P. Berrangé <[email protected]>
    Reviewed-by: Michael Tokarev <[email protected]>
    Tested-by: Michael Tokarev <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    (cherry picked from commit 8d5ab746b1e6668ffb0378820b25665b385c8573)
    Signed-off-by: Michael Tokarev <[email protected]>
    berrange authored and Michael Tokarev committed Sep 25, 2024
    02833b0
  11. softmmu: Support concurrent bounce buffers

    When DMA memory can't be directly accessed, as is the case when
    running the device model in a separate process without shareable DMA
    file descriptors, bounce buffering is used.
    
    It is not uncommon for device models to request mapping of several DMA
    regions at the same time. Examples include:
     * net devices, e.g. when transmitting a packet that is split across
       several TX descriptors (observed with igb)
     * USB host controllers, when handling a packet with multiple data TRBs
       (observed with xhci)
    
    Previously, qemu only provided a single bounce buffer per AddressSpace
    and would fail DMA map requests while the buffer was already in use. In
    turn, this would cause DMA failures that ultimately manifest as hardware
    errors from the guest perspective.
    
    This change allocates DMA bounce buffers dynamically instead of
    supporting only a single buffer. Thus, multiple DMA mappings work
    correctly also when RAM can't be mmap()-ed.
    
    The total bounce buffer allocation size is limited individually for each
    AddressSpace. The default limit is 4096 bytes, matching the previous
    maximum buffer size. A new x-max-bounce-buffer-size parameter is
    provided to configure the limit for PCI devices.
    
    Signed-off-by: Mattias Nissler <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Acked-by: Peter Xu <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Peter Xu <[email protected]>
    (cherry picked from commit 637b0aa139565cb82a7b9269e62214f87082635c)
    Signed-off-by: Michael Tokarev <[email protected]>
    mnissler-rivos authored and Michael Tokarev committed Sep 25, 2024
    0d889c5
  12. softmmu/physmem: fix memory leak in dirty_memory_extend()

    As reported by Peter, we might be leaking memory when removing the
    highest RAMBlock (in the weird ram_addr_t space), and adding a new one.
    
    We will fail to realize that we already allocated bitmaps for more
    dirty memory blocks, and effectively discard the pointers to them.
    
    Fix it by getting rid of last_ram_page() and by remembering the number
    of dirty memory blocks that have been allocated already.
    
    While at it, let's use "unsigned int" for the number of blocks, which
    should be sufficient until we reach ~32 exabytes.
    
    Looks like this leak was introduced as we switched from using a single
    bitmap_zero_extend() to allocating multiple bitmaps:
    bitmap_zero_extend() relies on g_renew() which should have taken care of
    this.
    
    Resolves: https://lkml.kernel.org/r/CAFEAcA-k7a+VObGAfCFNygQNfCKL=AfX6A4kScq=VSSK0peqPg@mail.gmail.com
    Reported-by: Peter Maydell <[email protected]>
    Fixes: 5b82b70 ("memory: RCU ram_list.dirty_memory[] for safe RAM hotplug")
    Reviewed-by: Stefan Hajnoczi <[email protected]>
    Reviewed-by: Peter Xu <[email protected]>
    Tested-by: Peter Maydell <[email protected]>
    Cc: [email protected]
    Cc: Stefan Hajnoczi <[email protected]>
    Cc: Paolo Bonzini <[email protected]>
    Cc: Peter Xu <[email protected]>
    Cc: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: David Hildenbrand <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Peter Xu <[email protected]>
    (cherry picked from commit b84f06c2bee727b3870b4eeccbe3a45c5aea14c1)
    Signed-off-by: Michael Tokarev <[email protected]>
    davidhildenbrand authored and Michael Tokarev committed Sep 25, 2024
    659eeb1
  13. softmmu/physmem.c: Keep transaction attribute in address_space_map()

    The follow-up transactions may use the data in the attribution, so keep
    the value of attribution from the function parameter just as
    flatview_translate() above.
    
    Signed-off-by: Fea.Wang <[email protected]>
    Cc: [email protected]
    Fixes: f26404f ("Make address_space_map() take a MemTxAttrs argument")
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Peter Xu <[email protected]>
    (cherry picked from commit d8d5ca40048b04750de5a0ae0b2b9f153a391951)
    Signed-off-by: Michael Tokarev <[email protected]>
    fea-wang authored and Michael Tokarev committed Sep 25, 2024
    97fa3d7
  14. mac_dbdma: Remove leftover dma_memory_unmap calls

    These were passing a NULL buffer pointer unconditionally, which happens
    to behave in a mostly benign way (except for the chance of an excess
    memory region unref and a bounce buffer leak). Per the function comment,
    this was never meant to be accepted though, and triggers an assertion
    with the "softmmu: Support concurrent bounce buffers" change.
    
    Given that the code in question never sets up any mappings, just remove
    the unnecessary dma_memory_unmap calls along with the DBDMA_io struct
    fields that are now entirely unused.
    
    Signed-off-by: Mattias Nissler <[email protected]>
    Message-Id: <[email protected]>
    Fixes: be1e343 ("macio: switch over to new byte-aligned DMA helpers")
    Reviewed-by: Mark Cave-Ayland <[email protected]>
    Tested-by: Mark Cave-Ayland <[email protected]>
    Signed-off-by: Mark Cave-Ayland <[email protected]>
    (cherry picked from commit 2d0a071e625d7234e8c5623b7e7bf445e1bef72c)
    Signed-off-by: Michael Tokarev <[email protected]>
    mnissler-rivos authored and Michael Tokarev committed Sep 25, 2024
    73f5d5b
  15. migration/multifd: Fix rb->receivedmap cleanup race

    Fix a segmentation fault in multifd when rb->receivedmap is cleared
    too early.
    
    After commit 5ef7e26 ("migration/multifd: solve zero page causing
    multiple page faults"), multifd started using the rb->receivedmap
    bitmap, which belongs to ram.c and is initialized and *freed* from the
    ram SaveVMHandlers.
    
    Multifd threads are live until migration_incoming_state_destroy(),
    which is called after qemu_loadvm_state_cleanup(), leading to a crash
    when accessing rb->receivedmap.
    
    process_incoming_migration_co()        ...
      qemu_loadvm_state()                  multifd_nocomp_recv()
        qemu_loadvm_state_cleanup()          ramblock_recv_bitmap_set_offset()
          rb->receivedmap = NULL               set_bit_atomic(..., rb->receivedmap)
      ...
      migration_incoming_state_destroy()
        multifd_recv_cleanup()
          multifd_recv_terminate_threads(NULL)
    
    Move the loadvm cleanup into migration_incoming_state_destroy(), after
    multifd_recv_cleanup() to ensure multifd threads have already exited
    when rb->receivedmap is cleared.
    
    Adjust the postcopy listen thread comment to indicate that we still
    want to skip the cpu synchronization.
    
    CC: [email protected]
    Fixes: 5ef7e26 ("migration/multifd: solve zero page causing multiple page faults")
    Signed-off-by: Fabiano Rosas <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    [peterx: added comment in migration_incoming_state_destroy()]
    Signed-off-by: Peter Xu <[email protected]>
    (cherry picked from commit 4ce56229087860805877075ddb29dd44578365a9)
    Signed-off-by: Michael Tokarev <[email protected]>
    Fabiano Rosas authored and Michael Tokarev committed Sep 25, 2024
    9b42e33
  16. hw/char/stm32l4x5_usart.c: Enable USART ACK bit response

    SW modifying USART_CR1 TE bit should cause HW to respond by altering
    USART_ISR TEACK bit, and likewise for RE and REACK bit.
    
    This resolves some but not all issues necessary for the official STM USART
    HAL driver to function as is.
    
    Fixes: 87b77e6 ("hw/char/stm32l4x5_usart: Enable serial read and write")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2540
    Signed-off-by: Jacob Abrams <[email protected]>
    Message-id: [email protected]
    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Peter Maydell <[email protected]>
    (cherry picked from commit 6cce0dcc6f7aaaeb7f17577776da510b04f67c99)
    Signed-off-by: Michael Tokarev <[email protected]>
    satur9nine authored and Michael Tokarev committed Sep 25, 2024
    1faa437
  17. target/arm: Correct ID_AA64ISAR1_EL1 value for neoverse-v1

    The Neoverse-V1 TRM is a bit confused about the layout of the
    ID_AA64ISAR1_EL1 register, and so its table 3-6 has the wrong value
    for this ID register.  Trust instead section 3.2.74's list of which
    fields are set.
    
    This means that we stop incorrectly reporting FEAT_XS as present, and
    now report the presence of FEAT_BF16.
    
    Cc: [email protected]
    Reported-by: Marcin Juszkiewicz <[email protected]>
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-id: [email protected]
    (cherry picked from commit 8676007eff04bb4e454bcdf92fab3f855bcc59b3)
    Signed-off-by: Michael Tokarev <[email protected]>
    pm215 authored and Michael Tokarev committed Sep 25, 2024
    03ee5e0
  18. target/hppa: Fix random 32-bit linux-user crashes

    The linux-user hppa target crashes randomly for me since commit
    081a0ed ("target/hppa: Do not mask in copy_iaoq_entry").
    
    That commit dropped the masking of the IAOQ addresses while copying them
    from other registers and instead keeps them with all 64 bits up until
    the full gva is formed with the help of hppa_form_gva_psw().
    
    So, when running in linux-user mode on an emulated 64-bit CPU, we need
    to mask to a 32-bit address space at the very end in hppa_form_gva_psw()
    if the PSW-W flag isn't set (which is the case for linux-user on hppa).
    
    Fixes: 081a0ed ("target/hppa: Do not mask in copy_iaoq_entry")
    Cc: [email protected] # v9.1+
    Signed-off-by: Helge Deller <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    (cherry picked from commit d33d3adb573794903380e03e767e06470514cefe)
    Signed-off-by: Michael Tokarev <[email protected]>
    hdeller authored and Michael Tokarev committed Sep 25, 2024
    eb40b14
  19. target/ppc: Fix migration of CPUs with TLB_EMB TLB type

    In vmstate_tlbemb a cut-and-paste error meant we gave
    this vmstate subsection the same "cpu/tlb6xx" name as
    the vmstate_tlb6xx subsection. This breaks migration load
    for any CPU using the TLB_EMB CPU type, because when we
    see the "tlb6xx" name in the incoming data we try to
    interpret it as a vmstate_tlb6xx subsection, which it
    isn't the right format for:
    
     $ qemu-system-ppc -drive
     if=none,format=qcow2,file=/home/petmay01/test-images/virt/dummy.qcow2
     -monitor stdio -M bamboo
     QEMU 9.0.92 monitor - type 'help' for more information
     (qemu) savevm foo
     (qemu) loadvm foo
     Missing section footer for cpu
     Error: Error -22 while loading VM state
    
    Correct the incorrect vmstate section name. Since migration
    for these CPU types was completely broken before, we don't
    need to care that this is a migration compatibility break.
    
    This affects the PPC 405, 440, 460 and e200 CPU families.
    
    Cc: [email protected]
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2522
    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Arman Nabiev <[email protected]>
    Signed-off-by: Fabiano Rosas <[email protected]>
    (cherry picked from commit 203beb6f047467a4abfc8267c234393cea3f471c)
    Signed-off-by: Michael Tokarev <[email protected]>
    Arman Nabiev authored and Michael Tokarev committed Sep 25, 2024
    f84b79a
  20. migration/multifd: Fix p->iov leak in multifd-uadk.c

    The send_cleanup() hook should free the p->iov that was allocated at
    send_setup(). This was missed because the UADK code is conditional on
    the presence of the accelerator, so it's not tested by default.
    
    Fixes: 819dd20 ("migration/multifd: Add UADK initialization")
    Reported-by: Peter Xu <[email protected]>
    Reviewed-by: Peter Xu <[email protected]>
    Signed-off-by: Fabiano Rosas <[email protected]>
    (cherry picked from commit 405e352d28c24991cacfdebccf67d56c4795cf6e)
    Signed-off-by: Michael Tokarev <[email protected]>
    Fabiano Rosas authored and Michael Tokarev committed Sep 25, 2024
    9cd1fd4
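
The leak described in the "softmmu/physmem: fix memory leak in dirty_memory_extend()" commit above, reproduced in a small model. This is an added example, not QEMU's code: the struct, the function names, the block size and the page numbers are all constructed, and the "highest page" value stands in for what the commit message calls last_ram_page().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed value: pages tracked by one dirty-bitmap block. */
#define BLOCK_PAGES 8u

struct dirty_memory {
    unsigned char **blocks;   /* blocks[i] is the bitmap for block i */
    unsigned int num_blocks;  /* how many bitmaps have been allocated */
};

/* Every bitmap ever allocated, so the demo can count and free leaked ones. */
static unsigned char *ledger[16];
static unsigned int allocated;

static unsigned char *bitmap_new(void)
{
    unsigned char *bm = calloc(1, BLOCK_PAGES / 8);
    ledger[allocated++] = bm;
    return bm;
}

static unsigned int blocks_for(unsigned long pages)
{
    return (unsigned int)((pages + BLOCK_PAGES - 1) / BLOCK_PAGES);
}

/* Grow the block array from old_n to new_n entries, keeping the first old_n. */
static void grow(struct dirty_memory *d, unsigned int old_n, unsigned int new_n)
{
    unsigned char **nb;
    unsigned int i;

    if (new_n <= old_n) {
        return;
    }
    nb = calloc(new_n, sizeof(*nb));
    if (old_n) {
        memcpy(nb, d->blocks, old_n * sizeof(*nb));
    }
    for (i = old_n; i < new_n; i++) {
        nb[i] = bitmap_new();
    }
    free(d->blocks);          /* frees the pointer array only, not the bitmaps */
    d->blocks = nb;
    d->num_blocks = new_n;
}

/* Leaky form: the old block count is derived from the current highest page. */
static void extend_leaky(struct dirty_memory *d, unsigned long old_last_page,
                         unsigned long new_last_page)
{
    grow(d, blocks_for(old_last_page), blocks_for(new_last_page));
}

/* Fixed form: the old block count is the remembered allocation count. */
static void extend_fixed(struct dirty_memory *d, unsigned long new_last_page)
{
    grow(d, d->num_blocks, blocks_for(new_last_page));
}

/* Returns the number of bitmaps no longer reachable from d.blocks. */
static unsigned int run_scenario(int fixed)
{
    /* Constructed sequence of "highest RAM page" values:
     * add A (16), add B (32), remove B (back to 16), add C (32). */
    static const unsigned long highest[] = { 16, 32, 16, 32 };
    struct dirty_memory d = { NULL, 0 };
    unsigned long last_page = 0;
    unsigned int i, leaked;

    allocated = 0;
    for (i = 0; i < sizeof(highest) / sizeof(highest[0]); i++) {
        if (highest[i] > last_page) {          /* a RAMBlock was added */
            if (fixed) {
                extend_fixed(&d, highest[i]);
            } else {
                extend_leaky(&d, last_page, highest[i]);
            }
        }
        last_page = highest[i];                /* removal never shrinks d */
    }
    leaked = allocated - d.num_blocks;
    for (i = 0; i < allocated; i++) {
        free(ledger[i]);
    }
    free(d.blocks);
    return leaked;
}

int main(void)
{
    printf("leaky: %u bitmaps leaked\n", run_scenario(0));
    printf("fixed: %u bitmaps leaked\n", run_scenario(1));
    return 0;
}
```

In the leaky run, the final add copies only the first two pointers and allocates two fresh bitmaps, so the two bitmaps allocated for the removed block are dropped without being freed.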

Commits on Sep 26, 2024

  1. hw/loongarch/virt: Add description for virt machine type

    The description about virt machine type is removed by mistake, add
    new description here. Here is output result with command
    "./qemu-system-loongarch64 -M help"
    
    Supported machines are:
    none                 empty machine
    virt                 QEMU LoongArch Virtual Machine (default)
    x-remote             Experimental remote machine
    
    Without the patch, it shows as follows:
    Supported machines are:
    none                 empty machine
    virt                 (null) (default)
    x-remote             Experimental remote machine
    
    Fixes: ef2f114(hw/loongarch/virt: Replace Loongson IPI with LoongArch IPI)
    Signed-off-by: Bibo Mao <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Reviewed-by: Michael Tokarev <[email protected]>
    Signed-off-by: Michael Tokarev <[email protected]>
    (cherry picked from commit 4265b4f358436252ef36164566f316458f1df671)
    Signed-off-by: Michael Tokarev <[email protected]>
    bibo-mao authored and Michael Tokarev committed Sep 26, 2024
    51c9439

Commits on Sep 28, 2024

  1. tcg: Fix iteration step in 32-bit gvec operation

    The loop in the 32-bit case of the vector compare operation
    was incorrectly incrementing by 8 bytes per iteration instead
    of 4 bytes. This caused the function to process only half of
    the intended elements.
    
    Cc: [email protected]
    Fixes: 9622c69 (tcg: Add gvec compare with immediate and scalar operand)
    Signed-off-by: TANG Tiancheng <[email protected]>
    Reviewed-by: Liu Zhiwei <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    (cherry picked from commit 9d8d5a5b9078a16b4c0862fe54248c5cc8435648)
    Signed-off-by: Michael Tokarev <[email protected]>
    TANG Tiancheng authored and Michael Tokarev committed Sep 28, 2024
    4c7c0d2
  2. target/ppc: Fix lxvx/stxvx facility check

    The XT check for the lxvx/stxvx instructions is currently
    inverted. This was introduced during the move to decodetree.
    
    From the ISA:
      Chapter 7. Vector-Scalar Extension Facility
      Load VSX Vector Indexed X-form
    
      lxvx XT,RA,RB
      if TX=0 & MSR.VSX=0 then VSX_Unavailable()
      if TX=1 & MSR.VEC=0 then Vector_Unavailable()
      ...
      Let XT be the value 32×TX + T.
    
    The code currently does the opposite:
    
        if (paired || a->rt >= 32) {
            REQUIRE_VSX(ctx);
        } else {
            REQUIRE_VECTOR(ctx);
        }
    
    This was already fixed for lxv/stxv at commit "2cc0e449d1 (target/ppc:
    Fix lxv/stxv MSR facility check)", but the indexed forms were missed.
    
    Cc: [email protected]
    Fixes: 70426b5 ("target/ppc: moved stxvx and lxvx from legacy to decodtree")
    Signed-off-by: Fabiano Rosas <[email protected]>
    Reviewed-by: Claudio Fontana <[email protected]>
    Acked-by: Ilya Leoshkevich <[email protected]>
    Reviewed-by: Fabiano Rosas <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    (cherry picked from commit 8bded2e73e80823a67f730140788a3c5e60bf4b5)
    Signed-off-by: Michael Tokarev <[email protected]>
    Fabiano Rosas authored and Michael Tokarev committed Sep 28, 2024
    f8244f3
  3. hw/mips/jazz: fix typo in in-built NIC alias

    Commit e104edb ("hw/mips/jazz: use qemu_find_nic_info()") contained a typo
    in the NIC alias which caused initialisation of the in-built dp83932 NIC to fail
    when using the normal -nic user,model=dp83932 command line.
    
    Fixes: e104edb ("hw/mips/jazz: use qemu_find_nic_info()")
    Signed-off-by: Mark Cave-Ayland <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: David Woodhouse <[email protected]>
    Reviewed-by: Michael Tokarev <[email protected]>
    Signed-off-by: Michael Tokarev <[email protected]>
    (cherry picked from commit 2e4fdf566062c03456230fd8136b88c5c1e5c4bf)
    Signed-off-by: Michael Tokarev <[email protected]>
    mcayland authored and Michael Tokarev committed Sep 28, 2024
    8fc8dd2

Commits on Sep 30, 2024

  1. util/timer: avoid deadlock when shutting down

    When we shut down a guest we disable the timers. However this can
    cause deadlock if the guest has queued some async work that is trying
    to advance system time and spins forever trying to wind time forward.
    Pay attention to the return code and bail early if we can't wind time
    forward.
    
    Reported-by: Elisha Hollander <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Reviewed-by: Pierrick Bouvier <[email protected]>
    Message-Id: <[email protected]>
    (cherry picked from commit bc02be4508d8753d1f6071b77d10f4661587df6f)
    Signed-off-by: Michael Tokarev <[email protected]>
    stsquad authored and Michael Tokarev committed Sep 30, 2024
    bb630d9

Commits on Oct 1, 2024

  1. block/reqlist: allow adding overlapping requests

    Allow overlapping request by removing the assert that made it
    impossible. There are only two callers:
    
    1. block_copy_task_create()
    
    It already asserts the very same condition before calling
    reqlist_init_req().
    
    2. cbw_snapshot_read_lock()
    
    There is no need to have read requests be non-overlapping in
    copy-before-write when used for snapshot-access. In fact, there was no
    protection against two callers of cbw_snapshot_read_lock() calling
    reqlist_init_req() with overlapping ranges and this could lead to an
    assertion failure [1].
    
    In particular, with the reproducer script below [0], two
    cbw_co_snapshot_block_status() callers could race, with the second
    calling reqlist_init_req() before the first one finishes and removes
    its conflicting request.
    
    [0]:
    
    > #!/bin/bash -e
    > dd if=/dev/urandom of=/tmp/disk.raw bs=1M count=1024
    > ./qemu-img create /tmp/fleecing.raw -f raw 1G
    > (
    > ./qemu-system-x86_64 --qmp stdio \
    > --blockdev raw,node-name=node0,file.driver=file,file.filename=/tmp/disk.raw \
    > --blockdev raw,node-name=node1,file.driver=file,file.filename=/tmp/fleecing.raw \
    > <<EOF
    > {"execute": "qmp_capabilities"}
    > {"execute": "blockdev-add", "arguments": { "driver": "copy-before-write", "file": "node0", "target": "node1", "node-name": "node3" } }
    > {"execute": "blockdev-add", "arguments": { "driver": "snapshot-access", "file": "node3", "node-name": "snap0" } }
    > {"execute": "nbd-server-start", "arguments": {"addr": { "type": "unix", "data": { "path": "/tmp/nbd.socket" } } } }
    > {"execute": "block-export-add", "arguments": {"id": "exp0", "node-name": "snap0", "type": "nbd", "name": "exp0"}}
    > EOF
    > ) &
    > sleep 5
    > while true; do
    > ./qemu-nbd -d /dev/nbd0
    > ./qemu-nbd -c /dev/nbd0 nbd:unix:/tmp/nbd.socket:exportname=exp0 -f raw -r
    > nbdinfo --map 'nbd+unix:///exp0?socket=/tmp/nbd.socket'
    > done
    
    [1]:
    
    > #5  0x000071e5f0088eb2 in __GI___assert_fail (...) at ./assert/assert.c:101
    > #6  0x0000615285438017 in reqlist_init_req (...) at ../block/reqlist.c:23
    > #7  0x00006152853e2d98 in cbw_snapshot_read_lock (...) at ../block/copy-before-write.c:237
    > #8  0x00006152853e3068 in cbw_co_snapshot_block_status (...) at ../block/copy-before-write.c:304
    > #9  0x00006152853f4d22 in bdrv_co_snapshot_block_status (...) at ../block/io.c:3726
    > #10 0x000061528543a63e in snapshot_access_co_block_status (...) at ../block/snapshot-access.c:48
    > #11 0x00006152853f1a0a in bdrv_co_do_block_status (...) at ../block/io.c:2474
    > #12 0x00006152853f2016 in bdrv_co_common_block_status_above (...) at ../block/io.c:2652
    > #13 0x00006152853f22cf in bdrv_co_block_status_above (...) at ../block/io.c:2732
    > #14 0x00006152853d9a86 in blk_co_block_status_above (...) at ../block/block-backend.c:1473
    > #15 0x000061528538da6c in blockstatus_to_extents (...) at ../nbd/server.c:2374
    > #16 0x000061528538deb1 in nbd_co_send_block_status (...) at ../nbd/server.c:2481
    > #17 0x000061528538f424 in nbd_handle_request (...) at ../nbd/server.c:2978
    > #18 0x000061528538f906 in nbd_trip (...) at ../nbd/server.c:3121
    > #19 0x00006152855a7caf in coroutine_trampoline (...) at ../util/coroutine-ucontext.c:175
    
    Cc: [email protected]
    Suggested-by: Vladimir Sementsov-Ogievskiy <[email protected]>
    Signed-off-by: Fiona Ebner <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Vladimir Sementsov-Ogievskiy <[email protected]>
    Signed-off-by: Vladimir Sementsov-Ogievskiy <[email protected]>
    (cherry picked from commit 6475155d519209c80fdda53e05130365aa769838)
    Signed-off-by: Michael Tokarev <[email protected]>
    foxmox authored and Michael Tokarev committed Oct 1, 2024
    7eefbf8

Commits on Oct 2, 2024

  1. target/arm: Avoid target_ulong for physical address lookups

    target_ulong is typedef'ed as a 32-bit integer when building the
    qemu-system-arm target, and this is smaller than the size of an
    intermediate physical address when LPAE is being used.
    
    Given that Linux may place leaf level user page tables in high memory
    when built for LPAE, the kernel will crash with an external abort as
    soon as it enters user space when running with more than ~3 GiB of
    system RAM.
    
    So replace target_ulong with vaddr in places where it may carry an
    address value that is not representable in 32 bits.
    
    Fixes: f3639a6 ("target/arm: Use softmmu tlbs for page table walking")
    Cc: [email protected]
    Reported-by: Arnd Bergmann <[email protected]>
    Tested-by: Arnd Bergmann <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Ard Biesheuvel <[email protected]>
    Message-id: [email protected]
    Signed-off-by: Peter Maydell <[email protected]>
    (cherry picked from commit 67d762e716a7127ecc114e9708254316dd521911)
    Signed-off-by: Michael Tokarev <[email protected]>
    ardbiesheuvel authored and Michael Tokarev committed Oct 2, 2024
    767e7d8
  2. hw/sd/sdcard: Fix handling of disabled boot partitions

    The enable bits in the EXT_CSD_PART_CONFIG ext_csd register do *not*
    specify whether the boot partitions exist, but whether they are enabled
    for booting. Existence of the boot partitions is specified by a
    EXT_CSD_BOOT_MULT != 0.
    
    Currently, in the case of boot-partition-size=1M and boot-config=0,
    Linux detects boot partitions of 1M. But as sd_bootpart_offset always
    returns 0, all reads/writes are mapped to the same offset in the backing
    file.
    
    Fix this bug by calculating the offset independent of which partition is
    enabled for booting.
    
    This bug is unlikely to affect many users with QEMU's current set of
    boards, because only aspeed sets boot-partition-size, and it also
    sets boot-config to 8. So to run into this a user would have to
    manually mark the boot partition non-booting from within the guest.
    
    Cc: [email protected]
    Signed-off-by: Jan Luebbe <[email protected]>
    Message-id: [email protected]
    Reviewed-by: Peter Maydell <[email protected]>
    [PMM: added note to commit message about effects of bug]
    Signed-off-by: Peter Maydell <[email protected]>
    (cherry picked from commit 9601076b3b0bced7ed597d1470e3ff2f4e7177d6)
    Signed-off-by: Michael Tokarev <[email protected]>
    jluebbe authored and Michael Tokarev committed Oct 2, 2024
    e32ac56

Commits on Oct 3, 2024

  1. testing: bump mips64el cross to bookworm and fix package list

    The mips64el cross setup is very broken for bullseye which has now
    entered LTS support so is unlikely to be fixed. While we still can't
    build the container with all packages for bookworm due to a single
    missing dependency that will hopefully get fixed in due course. For
    the sake of keeping the CI green we disable the problematic packages
    via the lcitool's mappings.yml file.
    
    See also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081535
    
    Signed-off-by: Alex Bennée <[email protected]>
    [thuth: Disable the problematic packages via lcitool's mappings.yml]
    Message-ID: <[email protected]>
    Reviewed-by: Daniel P. Berrangé <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    (cherry picked from commit c60473d29254b79d9437eface8b342e84663ba66)
    Signed-off-by: Michael Tokarev <[email protected]>
    stsquad authored and Michael Tokarev committed Oct 3, 2024
    02ac67c

Commits on Oct 4, 2024

  1. vnc: fix crash when no console attached

    Since commit e99441a ("ui/curses: Do not use console_select()")
    qemu_text_console_put_keysym() no longer checks for NULL console
    argument, which leads to a later crash:
    
    Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
    0x00005555559ee186 in qemu_text_console_handle_keysym (s=0x0, keysym=31) at ../ui/console-vc.c:332
    332	        } else if (s->echo && (keysym == '\r' || keysym == '\n')) {
    (gdb) bt
     #0  0x00005555559ee186 in qemu_text_console_handle_keysym (s=0x0, keysym=31) at ../ui/console-vc.c:332
     #1  0x00005555559e18e5 in qemu_text_console_put_keysym (s=<optimized out>, keysym=<optimized out>) at ../ui/console.c:303
     #2  0x00005555559f2e88 in do_key_event (vs=vs@entry=0x5555579045c0, down=down@entry=1, keycode=keycode@entry=60, sym=sym@entry=65471) at ../ui/vnc.c:2034
     #3  0x00005555559f845c in ext_key_event (vs=0x5555579045c0, down=1, sym=65471, keycode=<optimized out>) at ../ui/vnc.c:2070
     #4  protocol_client_msg (vs=0x5555579045c0, data=<optimized out>, len=<optimized out>) at ../ui/vnc.c:2514
     #5  0x00005555559f515c in vnc_client_read (vs=0x5555579045c0) at ../ui/vnc.c:1607
    
    Fixes: e99441a ("ui/curses: Do not use console_select()")
    Fixes: https://issues.redhat.com/browse/RHEL-50529
    Cc: [email protected]
    Signed-off-by: Marc-André Lureau <[email protected]>
    Reviewed-by: Akihiko Odaki <[email protected]>
    Reviewed-by: Michael Tokarev <[email protected]>
    Signed-off-by: Michael Tokarev <[email protected]>
    (cherry picked from commit 0e60fc80938d9ce84274a36ddfaaa640bdef2be8)
    Signed-off-by: Michael Tokarev <[email protected]>
    elmarco authored and Michael Tokarev committed Oct 4, 2024
    5762cda

Commits on Oct 10, 2024

  1. linux-user/flatload: Take mmap_lock in load_flt_binary()

    load_flt_binary() calls load_flat_file() -> page_set_flags().
    
    page_set_flags() must be called with the mmap_lock held,
    otherwise it aborts:
    
      $ qemu-arm -L stm32/lib/ stm32/bin/busybox
      qemu-arm: ../accel/tcg/user-exec.c:505: page_set_flags: Assertion `have_mmap_lock()' failed.
      Aborted (core dumped)
    
    Fix by taking the lock in load_flt_binary().
    
    Fixes: fbd3c4c ("linux-user/arm: Mark the commpage executable")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2525
    Suggested-by: Richard Henderson <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    (cherry picked from commit a9ee641bd46f5462eeed183ac3c3760bddfc2600)
    Signed-off-by: Michael Tokarev <[email protected]>
    philmd authored and Michael Tokarev committed Oct 10, 2024
    18046fb
  2. linux-user: Fix parse_elf_properties GNU0_MAGIC check

    Comparing a string of 4 bytes only works in little-endian.
    
    Adjust bulk bswap to only apply to the note payload.
    Perform swapping of the note header manually; the magic
    is defined so that it does not need a runtime swap.
    
    Fixes: 83f990e ("linux-user/elfload: Parse NT_GNU_PROPERTY_TYPE_0 notes")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2596
    Signed-off-by: Richard Henderson <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Michael Tokarev <[email protected]>
    (cherry picked from commit 2884596f5f385b5712c356310dd4125a089888a8)
    Signed-off-by: Michael Tokarev <[email protected]>
    rth7680 authored and Michael Tokarev committed Oct 10, 2024
    167c8d3
  3. tcg/ppc: Use TCG_REG_TMP2 for scratch tcg_out_qemu_st

    In the fallback when STDBRX is not available, avoid clobbering
    TCG_REG_TMP1, which might be h.base, which is still in use.
    Use TCG_REG_TMP2 instead.
    
    Cc: [email protected]
    Fixes: 01a112e ("tcg/ppc: Reorg tcg_out_tlb_read")
    Signed-off-by: Richard Henderson <[email protected]>
    Tested-By: Michael Tokarev <[email protected]>
    (cherry picked from commit 4cabcb89b101942346aebff081aa1453e958fe7f)
    Signed-off-by: Michael Tokarev <[email protected]>
    rth7680 authored and Michael Tokarev committed Oct 10, 2024
    854a38f
  4. tcg/ppc: Use TCG_REG_TMP2 for scratch index in prepare_host_addr

    In tcg_out_qemu_ldst_i128, we need a non-zero index register,
    which we then use as a base register in several address modes.
    Since we always have TCG_REG_TMP2 available, use that.
    
    Cc: [email protected]
    Fixes: 526cd4e ("tcg/ppc: Support 128-bit load/store")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2597
    Signed-off-by: Richard Henderson <[email protected]>
    Tested-By: Michael Tokarev <[email protected]>
    (cherry picked from commit 3213da7b9539581c6df95f8ced5b09d0b02d425f)
    Signed-off-by: Michael Tokarev <[email protected]>
    rth7680 authored and Michael Tokarev committed Oct 10, 2024
    8f583fd
  5. target/m68k: Always return a temporary from gen_lea_mode

    Returning a raw areg does not preserve the value if the areg
    is subsequently modified.  Fixes, e.g. "jsr (sp)", where the
    return address is pushed before the branch.
    
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2483
    Signed-off-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    (cherry picked from commit 352cc9f300d83ea48b8154bfd2ff985fece887d0)
    Signed-off-by: Michael Tokarev <[email protected]>
    rth7680 authored and Michael Tokarev committed Oct 10, 2024
    a4f9d9a

Commits on Oct 14, 2024

  1. meson: fix machine option for x86_version

    s/mbmi1/mbmi/
    
    When configuring with -Dx86_version >= 3, meson step works, but
    compilation fails because option -mbmi1 is unknown.
    
    Signed-off-by: Pierrick Bouvier <[email protected]>
    Reviewed-by: Alex Bennée <[email protected]>
    Tested-by: Alex Bennée <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Cc: [email protected]
    Fixes: ef7d1ad ("meson: allow configuring the x86-64 baseline", 2024-06-28)
    Reviewed-by: Michael Tokarev <[email protected]>
    Signed-off-by: Paolo Bonzini <[email protected]>
    (cherry picked from commit 461a9252e249adab5f0bae3b9634be77dd5be17e)
    Signed-off-by: Michael Tokarev <[email protected]>
    pbo-linaro authored and Michael Tokarev committed Oct 14, 2024
    e894be9
  2. meson: define qemu_isa_flags

    Create a separate variable for compiler flags that enable
    specific instruction set extensions, so that they can be used with
    cc.compiles/cc.links.
    
    Note that -mfpmath=sse is a code generation option but it does not
    enable new instructions, therefore I did not make it part of
    qemu_isa_flags.
    
    Suggested-by: Pierrick Bouvier <[email protected]>
    Reviewed-by: Michael Tokarev <[email protected]>
    Reviewed-by: Alex Bennée <[email protected]>
    Tested-by: Alex Bennée <[email protected]>
    Cc: [email protected]
    Signed-off-by: Paolo Bonzini <[email protected]>
    (cherry picked from commit 6ae8c5382b2396d394e135c2c6d3742d11c6d0c2)
    Signed-off-by: Michael Tokarev <[email protected]>
    bonzini authored and Michael Tokarev committed Oct 14, 2024
    22359e0
  3. meson: ensure -mcx16 is passed when detecting ATOMIC128

    Moving -mcx16 out of CPU_CFLAGS caused the detection of ATOMIC128 to
    fail, because flags have to be specified by hand in cc.compiles and
    cc.links invocations (why oh why??).
    
    Ensure that these tests enable all the instruction set extensions that
    will be used to build the emulators.
    
    Fixes: c2bf2cc ("configure: move -mcx16 flag out of CPU_CFLAGS", 2024-05-24)
    Reported-by: Alex Bennée <[email protected]>
    Reviewed-by: Michael Tokarev <[email protected]>
    Reviewed-by: Alex Bennée <[email protected]>
    Tested-by: Alex Bennée <[email protected]>
    Cc: [email protected]
    Signed-off-by: Paolo Bonzini <[email protected]>
    (cherry picked from commit 8db4e0f92e83fd80b6609439440b303ddded7ad8)
    Signed-off-by: Michael Tokarev <[email protected]>
    bonzini authored and Michael Tokarev committed Oct 14, 2024
    997f8d5

Commits on Oct 15, 2024

  1. hw/intc/arm_gicv3: Add cast to match the documentation

    The result of 1 << regbit with regbit==31 has a 1 in the 32nd bit.
    When cast to uint64_t (for further bitwise OR), the 32 most
    significant bits will be filled with 1s. However, the documentation
    states that the upper 32 bits of ICH_AP[0/1]R<n>_EL2 are reserved.
    
    Add an explicit cast to match the documentation.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Cc: [email protected]
    Fixes: d2c0c6a ("hw/intc/arm_gicv3: Handle icv_nmiar1_read() for icc_nmiar1_read()")
    Signed-off-by: Alexandra Diupina <[email protected]>
    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Peter Maydell <[email protected]>
    (cherry picked from commit e0c0ea6eca4f210a52b9742817586cc97b1ee434)
    Signed-off-by: Michael Tokarev <[email protected]>
    Alexandra Diupina authored and Michael Tokarev committed Oct 15, 2024
    c5f652a
  2. hw/intc/arm_gicv3: Add cast to match the documentation

    The result of 1 << regbit with regbit==31 has a 1 in the 32nd bit.
    When cast to uint64_t (for further bitwise OR), the 32 most
    significant bits will be filled with 1s. However, the documentation
    states that the upper 32 bits of ICC_AP[0/1]R<n>_EL2 are reserved.
    
    Add an explicit cast to match the documentation.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Cc: [email protected]
    Fixes: 28cca59 ("hw/intc/arm_gicv3: Add NMI handling CPU interface registers")
    Signed-off-by: Alexandra Diupina <[email protected]>
    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Peter Maydell <[email protected]>
    (cherry picked from commit 12dc8f6eca1ead876142fd3d6731cf3da1295f2a)
    Signed-off-by: Michael Tokarev <[email protected]>
    Alexandra Diupina authored and Michael Tokarev committed Oct 15, 2024
    6fecfc5
  3. hw/intc/arm_gicv3_cpuif: Add cast to match the documentation

    The result of 1 << regbit with regbit==31 has a 1 in the 32nd bit.
    When cast to uint64_t (for further bitwise OR), the 32 most
    significant bits will be filled with 1s. However, the documentation
    states that the upper 32 bits of ICH_AP[0/1]R<n>_EL2 are reserved.
    
    Add an explicit cast to match the documentation.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Cc: [email protected]
    Fixes: c3f21b0 ("hw/intc/arm_gicv3_cpuif: Support vLPIs")
    Signed-off-by: Alexandra Diupina <[email protected]>
    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Peter Maydell <[email protected]>
    (cherry picked from commit 3db74afec3ca87f81fbdf5918ed1e21d837fbfab)
    Signed-off-by: Michael Tokarev <[email protected]>
    Alexandra Diupina authored and Michael Tokarev committed Oct 15, 2024
    460ddd6
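
The sign extension described in the three arm_gicv3 commit messages above, reproduced as an added example; this is not code from QEMU or from this pull request. The function names are hypothetical, and `int32_t` stands in for the `int` result of `1 << regbit` as an assumption of the example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Models `reg |= 1 << regbit` where `reg` is 64 bits wide.
 * The literal 1 is an int, so the shift result is a 32-bit signed value.
 * With regbit == 31 that value is negative, and converting a negative
 * signed value to uint64_t sign-extends it into bits 63..32.
 * Assumption of this example: the int result is modelled with int32_t so
 * the demo does not itself rely on shifting into the sign bit of an int.
 */
static uint64_t set_bit_int_shift(uint64_t reg, unsigned regbit)
{
    int32_t shifted = (int32_t)(UINT32_C(1) << regbit);
    return reg | (uint64_t)shifted;
}

/*
 * Same operation with the shift carried out in an unsigned 32-bit type.
 * The widening conversion is then a zero extension, so the upper half of
 * the 64-bit register value is left untouched.
 */
static uint64_t set_bit_u32_shift(uint64_t reg, unsigned regbit)
{
    return reg | (uint64_t)(UINT32_C(1) << regbit);
}

/*
 * Tries every bit position of a 32-bit field and returns a mask of the
 * positions for which the setter also changes the reserved upper 32 bits.
 */
static uint32_t bits_touching_reserved_half(uint64_t (*set_bit)(uint64_t, unsigned))
{
    uint32_t bad = 0;

    for (unsigned regbit = 0; regbit < 32; regbit++) {
        if ((set_bit(0, regbit) >> 32) != 0) {
            bad |= UINT32_C(1) << regbit;
        }
    }
    return bad;
}

int main(void)
{
    printf("signed shift,   regbit 31: 0x%016" PRIx64 "\n",
           set_bit_int_shift(0, 31));
    printf("unsigned shift, regbit 31: 0x%016" PRIx64 "\n",
           set_bit_u32_shift(0, 31));
    printf("positions polluting bits 63..32 (signed):   0x%08" PRIx32 "\n",
           bits_touching_reserved_half(set_bit_int_shift));
    printf("positions polluting bits 63..32 (unsigned): 0x%08" PRIx32 "\n",
           bits_touching_reserved_half(set_bit_u32_shift));
    return 0;
}
```

Only bit position 31 is affected, which is why the problem stays hidden until the highest bit of the field is set.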
  4. hw/char/pl011: Use correct masks for IBRD and FBRD

    In commit b88cfee we defined masks for the IBRD and FBRD
    integer and fractional baud rate divider registers, to prevent the
    guest from writing invalid values which could cause division-by-zero.
    Unfortunately we got the mask values the wrong way around: the FBRD
    register is six bits and the IBRD register is 16 bits, not
    vice-versa.
    
    You would only run into this bug if you programmed the UART to a baud
    rate of less than 9600, because for 9600 baud and above the IBRD
    value will fit into 6 bits, as per the table in
     https://developer.arm.com/documentation/ddi0183/g/programmers-model/register-descriptions/fractional-baud-rate-register--uartfbrd
    
    The only visible effects would be that the value read back from
    the register by the guest would be truncated, and we would
    print an incorrect baud rate in the debug logs.
    
    Cc: [email protected]
    Fixes: b88cfee ("hw/char/pl011: Avoid division-by-zero in pl011_get_baudrate()")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2610
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Alex Bennée <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Gavin Shan <[email protected]>
    Message-id: [email protected]
    (cherry picked from commit cd247eae16ab1b9ce97fd34c000c1b883feeda45)
    Signed-off-by: Michael Tokarev <[email protected]>
    pm215 authored and Michael Tokarev committed Oct 15, 2024
    10e3edd
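
The mask mix-up described in the pl011 commit message above, worked through as an added example; this is not QEMU's code. The 4 MHz UART clock, the struct and all function and macro names are assumptions of this example; the arithmetic follows the PL011 definition BAUDDIV = UARTCLK / (16 x baud), with FBRD holding the fraction in 64ths.

```c
#include <stdint.h>
#include <stdio.h>

/* Register widths as stated in the commit message (names are hypothetical). */
#define IBRD_WIDTH_MASK 0xFFFFu /* integer divider: 16 bits */
#define FBRD_WIDTH_MASK 0x3Fu   /* fractional divider: 6 bits */

struct pl011_div {
    uint32_t ibrd;
    uint32_t fbrd;
};

/* Divider values a guest driver would program for a requested baud rate. */
static struct pl011_div divisors_for(uint32_t clk_hz, uint32_t baud)
{
    /* BAUDDIV * 64, rounded to nearest: clk / (16 * baud) * 64 */
    uint64_t div64 = ((uint64_t)clk_hz * 8 / baud + 1) / 2;
    struct pl011_div d = { (uint32_t)(div64 >> 6), (uint32_t)(div64 & 0x3F) };
    return d;
}

/* What the device model stores after masking the guest's register writes. */
static struct pl011_div guest_write(struct pl011_div want,
                                    uint32_t ibrd_mask, uint32_t fbrd_mask)
{
    struct pl011_div stored = { want.ibrd & ibrd_mask, want.fbrd & fbrd_mask };
    return stored;
}

/* Baud rate implied by the stored dividers; 0 when the divider is zero. */
static uint32_t baud_from(uint32_t clk_hz, struct pl011_div d)
{
    uint64_t div64 = ((uint64_t)d.ibrd << 6) + d.fbrd;

    if (div64 == 0) {
        return 0; /* never divide by a guest-controlled zero */
    }
    return (uint32_t)(((uint64_t)clk_hz * 4) / div64);
}

static void show(uint32_t clk_hz, uint32_t baud)
{
    struct pl011_div want = divisors_for(clk_hz, baud);
    struct pl011_div ok = guest_write(want, IBRD_WIDTH_MASK, FBRD_WIDTH_MASK);
    /* Swapped masks: 6 bits applied to IBRD, 16 bits applied to FBRD. */
    struct pl011_div bad = guest_write(want, FBRD_WIDTH_MASK, IBRD_WIDTH_MASK);

    printf("%5u baud: programmed IBRD=%u FBRD=%u | correct masks -> IBRD=%u "
           "(%u baud) | swapped masks -> IBRD=%u (%u baud)\n",
           baud, want.ibrd, want.fbrd, ok.ibrd, baud_from(clk_hz, ok),
           bad.ibrd, baud_from(clk_hz, bad));
}

int main(void)
{
    const uint32_t clk_hz = 4000000; /* assumed UART clock */

    show(clk_hz, 9600); /* IBRD fits in 6 bits: both mask sets agree */
    show(clk_hz, 2400); /* IBRD needs 7 bits: swapped masks truncate it */
    return 0;
}
```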

Commits on Oct 16, 2024

  1. hw/audio/hda: free timer on exit

    Fixes: 280c1e1 ("audio/hda: create millisecond timers that handle IO")
    
    Signed-off-by: Marc-André Lureau <[email protected]>
    Reviewed-by: Akihiko Odaki <[email protected]>
    Message-ID: <[email protected]>
    (cherry picked from commit f27206ceedbe2efae37c8d143c5eb2db05251508)
    Signed-off-by: Michael Tokarev <[email protected]>
    elmarco authored and Michael Tokarev committed Oct 16, 2024
    2787ca0
  2. hw/audio/hda: fix memory leak on audio setup

    When SET_STREAM_FORMAT is called, we should clear the existing setup.
    
    Factor out common function to close a stream.
    
    Direct leak of 144 byte(s) in 3 object(s) allocated from:
        #0 0x7f91d38f7350 in calloc (/lib64/libasan.so.8+0xf7350) (BuildId: a4ad7eb954b390cf00f07fa10952988a41d9fc7a)
        #1 0x7f91d2ab7871 in g_malloc0 (/lib64/libglib-2.0.so.0+0x64871) (BuildId: 36b60dbd02e796145a982d0151ce37202ec05649)
        #2 0x562fa2f447ee in timer_new_full /home/elmarco/src/qemu/include/qemu/timer.h:538
        #3 0x562fa2f4486f in timer_new /home/elmarco/src/qemu/include/qemu/timer.h:559
        #4 0x562fa2f448a9 in timer_new_ns /home/elmarco/src/qemu/include/qemu/timer.h:577
        #5 0x562fa2f47955 in hda_audio_setup ../hw/audio/hda-codec.c:490
        #6 0x562fa2f4897e in hda_audio_command ../hw/audio/hda-codec.c:605
    
    Signed-off-by: Marc-André Lureau <[email protected]>
    Reviewed-by: Akihiko Odaki <[email protected]>
    Message-ID: <[email protected]>
    (cherry picked from commit 6d6e23361fc732e4fe36a8bc5873b85f264ed53a)
    Signed-off-by: Michael Tokarev <[email protected]>
    elmarco authored and Michael Tokarev committed Oct 16, 2024
    6d03242
  3. ui/dbus: fix leak on message filtering

    A filter function that wants to drop a message should return NULL, in
    which case it must also unref the message itself.
    
    Fixes: fa88b85 ("ui/dbus: filter out pending messages when scanout")
    
    Signed-off-by: Marc-André Lureau <[email protected]>
    Reviewed-by: Akihiko Odaki <[email protected]>
    Message-ID: <[email protected]>
    (cherry picked from commit 244d52ff736fefc3dd364ed091720aa896af306d)
    Signed-off-by: Michael Tokarev <[email protected]>
    elmarco authored and Michael Tokarev committed Oct 16, 2024
    9391f41
  4. ui/win32: fix potential use-after-free with dbus shared memory

    DisplaySurface may be freed before the pixman image is freed, since the
    image is refcounted and used by different objects, including pending
    dbus messages.
    
    Furthermore, setting the destroy function in
    create_displaysurface_from() isn't appropriate, as it may not be used,
    and may be overridden as in ramfb.
    
    Set the destroy function when the shared handle is set, use the HANDLE
    directly for destroy data, using a single common helper
    qemu_pixman_win32_image_destroy().
    
    Signed-off-by: Marc-André Lureau <[email protected]>
    Reviewed-by: Akihiko Odaki <[email protected]>
    Message-ID: <[email protected]>
    (cherry picked from commit 330ef31deb2e5461cff907488b710f5bd9cd2327)
    Signed-off-by: Michael Tokarev <[email protected]>
    elmarco authored and Michael Tokarev committed Oct 16, 2024
    e1324ec
  5. ui/dbus: fix filtering all update messages

    Filtering pending messages when a new scanout is given shouldn't discard
    pending cursor changes, for example.
    
    Since filtering happens in a different thread, use atomic set/get.
    
    Fixes: fa88b85 ("ui/dbus: filter out pending messages when scanout")
    
    Signed-off-by: Marc-André Lureau <[email protected]>
    Reviewed-by: Akihiko Odaki <[email protected]>
    Message-ID: <[email protected]>
    (cherry picked from commit cf59889781297a5618f1735a5f31402caa806b42)
    Signed-off-by: Michael Tokarev <[email protected]>
    elmarco authored and Michael Tokarev committed Oct 16, 2024
    01fff50

Commits on Oct 18, 2024

  1. Update version for 9.1.1 release

    Signed-off-by: Michael Tokarev <[email protected]>
    Michael Tokarev committed Oct 18, 2024
    0ff5ab6

Commits on Oct 25, 2024

  1. Merge tag 'v9.1.1' into update_qemu_9_1_0

    v9.1.1 release
    rmalmain committed Oct 25, 2024
    67dabac
  2. fixed oopses during merging

    rmalmain committed Oct 25, 2024
    ad1628c
  3. 0832bb4