Branch: refs/heads/staging-7.2
Home: https://github.com/qemu/qemu
Commit: 4002b76c1cf14101ac5cbdcce936330234a9de8f
https://github.com/qemu/qemu/commit/4002b76c1cf14101ac5cbdcce936330234a9de8f
Author: Zhuojia Shen <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M target/arm/helper.c
M tests/tcg/aarch64/Makefile.target
M tests/tcg/aarch64/sysregs.c
Log Message:
-----------
target/arm: align exposed ID registers with Linux
In CPUID registers exposed to userspace, some registers were missing
and some fields were not exposed. This patch aligns exposed ID
registers and their fields with what the upstream kernel currently
exposes.
Specifically, the following new ID registers/fields are exposed to
userspace:
ID_AA64PFR1_EL1.BT: bits 3-0
ID_AA64PFR1_EL1.MTE: bits 11-8
ID_AA64PFR1_EL1.SME: bits 27-24
ID_AA64ZFR0_EL1.SVEver: bits 3-0
ID_AA64ZFR0_EL1.AES: bits 7-4
ID_AA64ZFR0_EL1.BitPerm: bits 19-16
ID_AA64ZFR0_EL1.BF16: bits 23-20
ID_AA64ZFR0_EL1.SHA3: bits 35-32
ID_AA64ZFR0_EL1.SM4: bits 43-40
ID_AA64ZFR0_EL1.I8MM: bits 47-44
ID_AA64ZFR0_EL1.F32MM: bits 55-52
ID_AA64ZFR0_EL1.F64MM: bits 59-56
ID_AA64SMFR0_EL1.F32F32: bit 32
ID_AA64SMFR0_EL1.B16F32: bit 34
ID_AA64SMFR0_EL1.F16F32: bit 35
ID_AA64SMFR0_EL1.I8I32: bits 39-36
ID_AA64SMFR0_EL1.F64F64: bit 48
ID_AA64SMFR0_EL1.I16I64: bits 55-52
ID_AA64SMFR0_EL1.FA64: bit 63
ID_AA64MMFR0_EL1.ECV: bits 63-60
ID_AA64MMFR1_EL1.AFP: bits 47-44
ID_AA64MMFR2_EL1.AT: bits 35-32
ID_AA64ISAR0_EL1.RNDR: bits 63-60
ID_AA64ISAR1_EL1.FRINTTS: bits 35-32
ID_AA64ISAR1_EL1.BF16: bits 47-44
ID_AA64ISAR1_EL1.DGH: bits 51-48
ID_AA64ISAR1_EL1.I8MM: bits 55-52
ID_AA64ISAR2_EL1.WFxT: bits 3-0
ID_AA64ISAR2_EL1.RPRES: bits 7-4
ID_AA64ISAR2_EL1.GPA3: bits 11-8
ID_AA64ISAR2_EL1.APA3: bits 15-12
The code is also refactored to use symbolic names for ID register fields
for better readability and maintainability.
The test case in tests/tcg/aarch64/sysregs.c is also updated to match
the intended behavior.
Signed-off-by: Zhuojia Shen <[email protected]>
Message-id:
ds7pr12mb6309fb585e10772928f14271ac...@ds7pr12mb6309.namprd12.prod.outlook.com
Reviewed-by: Peter Maydell <[email protected]>
[PMM: use Sn_n_Cn_Cn_n syntax to work with older assemblers
that don't recognize id_aa64isar2_el1 and id_aa64mmfr2_el1]
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit bc6bd20ee3538347afb750c4bd06edca4a922897)
Signed-off-by: Michael Tokarev <[email protected]>
(Mjt: pick this for v8.0.0-2361-g1f51573f79
"target/arm: Fix SME full tile indexing")
Commit: 13cf40e5946359a80d3003853ade223ad42a7301
https://github.com/qemu/qemu/commit/13cf40e5946359a80d3003853ade223ad42a7301
Author: Peter Maydell <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M tests/tcg/aarch64/Makefile.target
M tests/tcg/aarch64/sysregs.c
Log Message:
-----------
tests/tcg/aarch64/sysregs.c: Use S syntax for id_aa64zfr0_el1 and id_aa64smfr0_el1
Some assemblers will complain about attempts to access
id_aa64zfr0_el1 and id_aa64smfr0_el1 by name if the test
binary isn't built for the right processor type:
/tmp/ccASXpLo.s:782: Error: selected processor does not support system
register name 'id_aa64zfr0_el1'
/tmp/ccASXpLo.s:829: Error: selected processor does not support system
register name 'id_aa64smfr0_el1'
However, these registers are in the ID space and are guaranteed to
read-as-zero on older CPUs, so the access is both safe and sensible.
Switch to using the S syntax, as we already do for ID_AA64ISAR2_EL1
and ID_AA64MMFR2_EL1. This allows us to drop the HAS_ARMV9_SME check
and the makefile machinery to adjust the CFLAGS for this test, so we
don't rely on having a sufficiently new compiler to be able to check
these registers.
This means we're actually testing the SME ID register: no released
GCC yet recognizes -march=armv9-a+sme, so that was always skipped.
It also avoids a future problem if we try to switch the "do we have
SME support in the toolchain" check from "in the compiler" to "in the
assembler" (at which point we would otherwise run into the above
errors).
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 3dc2afeab2964b54848715b913b6c605f36be3e1)
Signed-off-by: Michael Tokarev <[email protected]>
(Mjt: pick this for v8.0.0-2361-g1f51573f79
"target/arm: Fix SME full tile indexing")
Commit: 518c3dfdfbdacb1e750e4b584977afcb6c1850d5
https://github.com/qemu/qemu/commit/518c3dfdfbdacb1e750e4b584977afcb6c1850d5
Author: Richard Henderson <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M target/arm/translate-sme.c
M tests/tcg/aarch64/Makefile.target
A tests/tcg/aarch64/sme-outprod1.c
Log Message:
-----------
target/arm: Fix SME full tile indexing
For the outer product set of insns, which take an entire matrix
tile as output, the argument is not a combined tile+column.
Therefore using get_tile_rowcol was incorrect, as we extracted
the tile number from itself.
The test case relies only on assembler support for SME, since
no release of GCC recognizes -march=armv9-a+sme yet.
Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1620
Signed-off-by: Richard Henderson <[email protected]>
Message-id: [email protected]
Reviewed-by: Peter Maydell <[email protected]>
[PMM: dropped now-unneeded changes to sysregs CFLAGS]
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 1f51573f7925b80e79a29f87c7d9d6ead60960c0)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: ce252563f2b47df1464f787aee6c8ee1f14b6e0b
https://github.com/qemu/qemu/commit/ce252563f2b47df1464f787aee6c8ee1f14b6e0b
Author: Peter Maydell <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M hw/rtc/sun4v-rtc.c
M include/hw/rtc/sun4v-rtc.h
Log Message:
-----------
hw/rtc/sun4v-rtc: Relicense to GPLv2-or-later
The sun4v RTC device model added under commit a0e893039cf2ce0 in 2016
was unfortunately added with a license of GPL-v3-or-later, which is
not compatible with other QEMU code which has a GPL-v2-only license.
Relicense the code in the .c and the .h file to GPL-v2-or-later,
to make it compatible with the rest of QEMU.
Cc: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Signed-off-by: Paolo Bonzini (for Red Hat) <[email protected]>
Signed-off-by: Artyom Tarasenko <[email protected]>
Signed-off-by: Markus Armbruster <[email protected]>
Signed-off-by: Alex Bennée <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
Acked-by: Alex Bennée <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit fd7f95f23d6fe485332c1d4b489eb719fcb7c225)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: e55ec34d3e459f1d0b77b1f7239be91638b57bd9
https://github.com/qemu/qemu/commit/e55ec34d3e459f1d0b77b1f7239be91638b57bd9
Author: Dmitrii Gavrilov <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M softmmu/qdev-monitor.c
Log Message:
-----------
system/qdev-monitor: move drain_call_rcu call under if (!dev) in qmp_device_add()
The original goal of adding drain_call_rcu to qmp_device_add was to cover
the failure case of qdev_device_add. It seems the call of drain_call_rcu was
misplaced in 7bed89958bfbf40df, which led to waiting for pending RCU callbacks
on the happy path too, which in turn led to overall performance degradation of
qmp_device_add.
In this patch the call of drain_call_rcu is moved under the handling of the
failure of qdev_device_add.
Signed-off-by: Dmitrii Gavrilov <[email protected]>
Message-ID: <[email protected]>
Fixes: 7bed89958bf ("device_core: use drain_call_rcu in in qmp_device_add",
2020-10-12)
Cc: [email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 012b170173bcaa14b9bc26209e0813311ac78489)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: c57a6fca394b595405347e099d6c76bff8b493c0
https://github.com/qemu/qemu/commit/c57a6fca394b595405347e099d6c76bff8b493c0
Author: Sven Schnelle <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M hw/scsi/lsi53c895a.c
Log Message:
-----------
hw/scsi/lsi53c895a: stop script on phase mismatch
NetBSD isn't happy with qemu lsi53c895a emulation:
cd0(esiop0:0:2:0): command with tag id 0 reset
esiop0: autoconfiguration error: phase mismatch without command
esiop0: autoconfiguration error: unhandled scsi interrupt, sist=0x80 sstat1=0x0
DSA=0x23a64b1 DSP=0x50
This is because lsi_bad_phase() triggers a phase mismatch, which
stops SCRIPT processing. However, after returning to
lsi_command_complete(), SCRIPT is restarted with lsi_resume_script().
Fix this by adding a return value to lsi_bad_phase(), and only resume
script processing when lsi_bad_phase() didn't trigger a host interrupt.
Signed-off-by: Sven Schnelle <[email protected]>
Tested-by: Helge Deller <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit a9198b3132d81a6bfc9fdbf6f3d3a514c2864674)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 275436de62f0a8a346989926ed719a1600d37f4a
https://github.com/qemu/qemu/commit/275436de62f0a8a346989926ed719a1600d37f4a
Author: Sven Schnelle <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M hw/scsi/lsi53c895a.c
Log Message:
-----------
hw/scsi/lsi53c895a: add missing decrement of reentrancy counter
When the maximum count of SCRIPTS instructions is reached, the code
stops execution and returns, but fails to decrement the reentrancy
counter. This effectively renders the SCSI controller unusable
because on next entry the reentrancy counter is still above the limit.
This bug was seen on HP-UX 10.20 which seems to trigger SCRIPTS
loops.
Fixes: b987718bbb ("hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
controller (CVE-2023-0330)")
Signed-off-by: Sven Schnelle <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: Thomas Huth <[email protected]>
Tested-by: Helge Deller <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
(cherry picked from commit 8b09b7fe47082c69295a0fc0cc01b041b6385025)
Signed-off-by: Michael Tokarev <[email protected]>
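As an added illustration of the follow-up fix above (example code written for this page, not QEMU's lsi53c895a implementation): a toy SCRIPTS processor with a reentrancy guard in the spirit of the one introduced for CVE-2023-0330. The opcodes, the MAX_REENTRANCY and MAX_INSN limits and the demo_* helpers are assumptions made for the example. The point it shows is the one the commit describes: the instruction-budget exit in the buggy variant returns without decrementing the counter, so after a few runaway scripts every later entry is refused and the controller is dead, while the fixed variant funnels every exit through a single unwinding path.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, not QEMU code: limits and opcodes are assumptions for the demo. */
#define MAX_REENTRANCY 2   /* nested entries tolerated before the guard refuses */
#define MAX_INSN       64  /* per-entry instruction budget (runaway-loop cut-off) */

enum { OP_NOP = 0, OP_LOOP = 1, OP_STOP = 2 }; /* OP_LOOP jumps to itself */
enum { SCRIPT_REFUSED = -1, SCRIPT_BUDGET = -2 };

typedef struct {
    int reentrancy_level;  /* guard: number of active run_script frames */
} ScriptCtrl;

/* Returns the number of instructions executed, SCRIPT_BUDGET when the
 * instruction limit is hit, or SCRIPT_REFUSED when the guard rejects entry. */
static int run_script(ScriptCtrl *c, const uint8_t *script, unsigned len,
                      bool unwind_on_budget)
{
    unsigned insn = 0, pc = 0;
    int ret;

    if (c->reentrancy_level >= MAX_REENTRANCY) {
        return SCRIPT_REFUSED;       /* looks reentrant: do not run */
    }
    c->reentrancy_level++;

    while (pc < len) {
        if (++insn > MAX_INSN) {
            ret = SCRIPT_BUDGET;
            if (!unwind_on_budget) {
                return ret;          /* BUG: leaves reentrancy_level incremented */
            }
            goto out;
        }
        switch (script[pc]) {
        case OP_STOP:
            ret = (int)insn;
            goto out;
        case OP_LOOP:
            break;                   /* stay on pc: spin until the budget is gone */
        default:
            pc++;                    /* OP_NOP */
            break;
        }
    }
    ret = (int)insn;                 /* ran off the end of the script */
out:
    c->reentrancy_level--;           /* the one exit path that unwinds the guard */
    return ret;
}

static int run_script_buggy(ScriptCtrl *c, const uint8_t *s, unsigned n)
{
    return run_script(c, s, n, false);
}

static int run_script_fixed(ScriptCtrl *c, const uint8_t *s, unsigned n)
{
    return run_script(c, s, n, true);
}

static const uint8_t SPIN_SCRIPT[] = { OP_LOOP };                 /* constructed */
static const uint8_t OK_SCRIPT[]   = { OP_NOP, OP_NOP, OP_STOP }; /* constructed */

/* Guard value left behind by one runaway script: 1 with the leak, 0 without. */
static int demo_level_after_runaway(bool fixed)
{
    ScriptCtrl c = { 0 };
    (fixed ? run_script_fixed : run_script_buggy)(&c, SPIN_SCRIPT, 1);
    return c.reentrancy_level;
}

/* Run MAX_REENTRANCY runaway scripts, then a well-formed one: with the leak
 * the well-formed script is refused (controller unusable); fixed, it runs. */
static int demo_third_call(bool fixed)
{
    ScriptCtrl c = { 0 };
    int (*run)(ScriptCtrl *, const uint8_t *, unsigned) =
        fixed ? run_script_fixed : run_script_buggy;
    for (int i = 0; i < MAX_REENTRANCY; i++) {
        run(&c, SPIN_SCRIPT, 1);
    }
    return run(&c, OK_SCRIPT, 3);
}

int main(void)
{
    printf("buggy: third call -> %d, fixed: third call -> %d\n",
           demo_third_call(false), demo_third_call(true));
    return 0;
}
```

The guard-and-single-exit shape is the general lesson: once a counter protects re-entry, every `return` between the increment and the decrement is a latent denial of service, which is why the fixed variant uses `goto out` for all exits.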
Commit: eeb56991763cc0121971944060c63c1b0e2479da
https://github.com/qemu/qemu/commit/eeb56991763cc0121971944060c63c1b0e2479da
Author: Sven Schnelle <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M hw/scsi/lsi53c895a.c
M hw/scsi/trace-events
Log Message:
-----------
hw/scsi/lsi53c895a: add timer to scripts processing
HP-UX 10.20 seems to make the lsi53c895a spin on a memory location
under certain circumstances. As the SCSI controller and CPU are not
running at the same time this loop will never finish. After some
time, the check loop interrupts with an unexpected device disconnect.
This works, but is slow because the kernel resets the scsi controller.
Instead of signaling UDC, start a timer and exit the loop. Until the
timer fires, the CPU can process instructions which might change the
memory location.
The limit of instructions is also reduced because scripts running on
the SCSI processor are usually very short. This keeps the time until
the loop is exited short.
Suggested-by: Peter Maydell <[email protected]>
Signed-off-by: Sven Schnelle <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 9876359990dd4c8a48de65cf5e1c3d13e96a7f4e)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: f1efd85486a1427ee10ba0a82d246d99f1368632
https://github.com/qemu/qemu/commit/f1efd85486a1427ee10ba0a82d246d99f1368632
Author: Michael Tokarev <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M scripts/make-release
Log Message:
-----------
make-release: switch to .xz format by default
For a long time, we have provided two compression formats in the
download area, .bz2 and .xz. There's absolutely no reason
to provide two in parallel: .xz compresses better, and all
the links we use point to .xz. Downstream distributions
mostly use .xz too.
For the release maintenance providing two formats is definitely
extra burden too.
Signed-off-by: Michael Tokarev <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Reviewed-by: Stefan Hajnoczi <[email protected]>
(cherry picked from commit 9bc9e95119445d7a430b0fc8b7daf22a3612bbd3)
Commit: df052d6c1c13247de89b14d7e5193966afbd414e
https://github.com/qemu/qemu/commit/df052d6c1c13247de89b14d7e5193966afbd414e
Author: Laurent Vivier <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M hw/net/e1000e_core.c
M hw/net/e1000e_core.h
Log Message:
-----------
e1000e: fix link state on resume
On resume e1000e_vm_state_change() always calls e1000e_autoneg_resume()
that sets link_down to false, and thus activates the link even
if we have disabled it.
The problem can be reproduced starting qemu in paused state (-S) and
then set the link to down. When we resume the machine the link appears
to be up.
Reproducer:
# qemu-system-x86_64 ... -device e1000e,netdev=netdev0,id=net0 -S
{"execute": "qmp_capabilities" }
{"execute": "set_link", "arguments": {"name": "net0", "up": false}}
{"execute": "cont" }
To fix the problem, merge the content of e1000e_vm_state_change()
into e1000e_core_post_load() as e1000 does.
Buglink: https://issues.redhat.com/browse/RHEL-21867
Fixes: 6f3fbe4ed06a ("net: Introduce e1000e device emulation")
Suggested-by: Akihiko Odaki <[email protected]>
Signed-off-by: Laurent Vivier <[email protected]>
Signed-off-by: Jason Wang <[email protected]>
(cherry picked from commit 4cadf10234989861398e19f3bb441d3861f3bb7c)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: edb47553b06db9cfe7501bcdcb28e6235ff71b20
https://github.com/qemu/qemu/commit/edb47553b06db9cfe7501bcdcb28e6235ff71b20
Author: Nick Briggs <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M hw/net/pcnet.c
Log Message:
-----------
Avoid unaligned fetch in ladr_match()
There is no guarantee that the PCNetState is allocated such that
csr[8] is allocated on an 8-byte boundary. Since not all hosts are
capable of unaligned fetches the 16-bit elements need to be fetched
individually to avoid a potential fault. Closes issue #2143
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2143
Signed-off-by: Nick Briggs <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Jason Wang <[email protected]>
(cherry picked from commit 6a5287ce80470bb8df95901d73ee779a64e70c3a)
Signed-off-by: Michael Tokarev <[email protected]>
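To make the alignment problem concrete, here is an added standalone C model written for this page; it is not QEMU's hw/net/pcnet.c. The PCNetModel layout, the demo_* helpers and the two sample MAC addresses are constructed for the example; the CSR8..CSR11 mapping of the logical address filter and the CRC-32 multicast hash are taken from the Am79C970A datasheet and the usual LANCE scheme and should be treated as assumptions here. It shows why csr[8] can land at an offset that is 2-byte but not 8-byte aligned, and the fetch-16-bits-at-a-time assembly that replaces an unaligned 64-bit load.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the relevant part of the device state (not QEMU's PCNetState):
 * a 16-bit field in front of the CSR array means csr[8] sits at byte
 * offset 18, so it is 2-byte aligned but never 8-byte aligned. Assumption
 * from the Am79C970A datasheet: CSR8..CSR11 hold LADRF[15:0]..LADRF[63:48]. */
typedef struct {
    uint16_t rap;
    uint16_t csr[32];
} PCNetModel;

static size_t csr8_offset(void)
{
    return offsetof(PCNetModel, csr) + 8 * sizeof(uint16_t);  /* 18 */
}

/* Assemble the 64-bit filter from four 16-bit loads. The pattern the fix
 * removes, *(uint64_t *)&s->csr[8], is undefined behaviour in C and a bus
 * error on hosts that trap unaligned 8-byte loads. */
static uint64_t ladrf_load(const PCNetModel *s)
{
    uint64_t ladrf = 0;
    for (unsigned i = 0; i < 4; i++) {
        ladrf |= (uint64_t)s->csr[8 + i] << (16 * i);
    }
    return ladrf;
}

/* Ethernet multicast hash: reflected CRC-32 over the 6-byte address, top
 * six bits select one of the 64 filter bits (the usual LANCE scheme). */
static unsigned mchash(const uint8_t mac[6])
{
    uint32_t crc = 0xFFFFFFFFu;
    for (unsigned i = 0; i < 6; i++) {
        uint8_t b = mac[i];
        for (unsigned bit = 0; bit < 8; bit++) {
            crc = (crc >> 1) ^ (((crc ^ b) & 1) ? 0xEDB88320u : 0);
            b >>= 1;
        }
    }
    return crc >> 26;
}

/* Program one multicast address into the filter (inverse of ladr_match). */
static void ladr_set(PCNetModel *s, const uint8_t mac[6], bool on)
{
    unsigned bit = mchash(mac);
    uint16_t mask = (uint16_t)(1u << (bit % 16));
    if (on) {
        s->csr[8 + bit / 16] |= mask;
    } else {
        s->csr[8 + bit / 16] &= (uint16_t)~mask;
    }
}

/* Accept a frame if its multicast destination hashes to a set filter bit. */
static bool ladr_match(const PCNetModel *s, const uint8_t mac[6])
{
    if (!(mac[0] & 1)) {
        return false;              /* unicast: the logical filter does not apply */
    }
    return (ladrf_load(s) >> mchash(mac)) & 1;
}

static const uint8_t DEMO_MCAST[6] = { 0x01, 0x00, 0x5e, 0x00, 0x00, 0xfb }; /* constructed */
static const uint8_t DEMO_UCAST[6] = { 0x52, 0x54, 0x00, 0x12, 0x34, 0x56 }; /* constructed */

static uint64_t demo_ladrf_value(void)
{
    PCNetModel s;
    memset(&s, 0, sizeof(s));
    s.csr[8] = 0x0001; s.csr[9] = 0x0002; s.csr[10] = 0x0003; s.csr[11] = 0x8000;
    return ladrf_load(&s);         /* 0x8000000300020001 */
}

static bool demo_match(bool programmed, bool unicast)
{
    PCNetModel s;
    memset(&s, 0, sizeof(s));
    ladr_set(&s, DEMO_MCAST, programmed);
    return ladr_match(&s, unicast ? DEMO_UCAST : DEMO_MCAST);
}

int main(void)
{
    printf("csr[8] at offset %zu, filter 0x%016llx, match=%d\n",
           csr8_offset(), (unsigned long long)demo_ladrf_value(),
           demo_match(true, false));
    return 0;
}
```

On x86 the unaligned 64-bit load silently works, which is how such code survives review; it is the strict-alignment hosts (and sanitizers with `-fsanitize=alignment`) that expose it, so the per-element fetch is the portable form regardless of where the struct happens to be allocated.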
Commit: ba6e007b889b08482c65acfa6b5bca8375917b5e
https://github.com/qemu/qemu/commit/ba6e007b889b08482c65acfa6b5bca8375917b5e
Author: Peng Fan <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M hw/i386/xen/xen-mapcache.c
Log Message:
-----------
xen: Drop out of coroutine context xen_invalidate_map_cache_entry
xen_invalidate_map_cache_entry is not expected to run in a
coroutine. Without this, there is a crash:
signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
threadid=<optimized out>) at pthread_kill.c:78
at /usr/src/debug/glibc/2.38+git-r0/sysdeps/posix/raise.c:26
fmt=0xffff9e1ca8a8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@entry=0xaaaae0d25740 "!qemu_in_coroutine()",
file=file@entry=0xaaaae0d301a8 "../qemu-xen-dir-remote/block/graph-lock.c",
line=line@entry=260,
function=function@entry=0xaaaae0e522c0 <__PRETTY_FUNCTION__.3>
"bdrv_graph_rdlock_main_loop") at assert.c:92
assertion=assertion@entry=0xaaaae0d25740 "!qemu_in_coroutine()",
file=file@entry=0xaaaae0d301a8 "../qemu-xen-dir-remote/block/graph-lock.c",
line=line@entry=260,
function=function@entry=0xaaaae0e522c0 <__PRETTY_FUNCTION__.3>
"bdrv_graph_rdlock_main_loop") at assert.c:101
at ../qemu-xen-dir-remote/block/graph-lock.c:260
at
/home/Freenix/work/sw-stash/xen/upstream/tools/qemu-xen-dir-remote/include/block/graph-lock.h:259
host=host@entry=0xffff742c8000, size=size@entry=2097152)
at ../qemu-xen-dir-remote/block/io.c:3362
host=0xffff742c8000, size=2097152)
at ../qemu-xen-dir-remote/block/block-backend.c:2859
host=<optimized out>, size=<optimized out>, max_size=<optimized out>)
at ../qemu-xen-dir-remote/block/block-ram-registrar.c:33
size=2097152, max_size=2097152)
at ../qemu-xen-dir-remote/hw/core/numa.c:883
buffer=buffer@entry=0xffff743c5000 "")
at ../qemu-xen-dir-remote/hw/xen/xen-mapcache.c:475
buffer=buffer@entry=0xffff743c5000 "")
at ../qemu-xen-dir-remote/hw/xen/xen-mapcache.c:487
as=as@entry=0xaaaae1ca3ae8 <address_space_memory>, buffer=0xffff743c5000,
len=<optimized out>, is_write=is_write@entry=true,
access_len=access_len@entry=32768)
at ../qemu-xen-dir-remote/system/physmem.c:3199
dir=DMA_DIRECTION_FROM_DEVICE, len=<optimized out>,
buffer=<optimized out>, as=0xaaaae1ca3ae8 <address_space_memory>)
at
/home/Freenix/work/sw-stash/xen/upstream/tools/qemu-xen-dir-remote/include/sysemu/dma.h:236
elem=elem@entry=0xaaaaf620aa30, len=len@entry=32769)
at ../qemu-xen-dir-remote/hw/virtio/virtio.c:758
elem=elem@entry=0xaaaaf620aa30, len=len@entry=32769, idx=idx@entry=0)
at ../qemu-xen-dir-remote/hw/virtio/virtio.c:919
elem=elem@entry=0xaaaaf620aa30, len=32769)
at ../qemu-xen-dir-remote/hw/virtio/virtio.c:994
req=req@entry=0xaaaaf620aa30, status=status@entry=0 '\000')
at ../qemu-xen-dir-remote/hw/block/virtio-blk.c:67
ret=0) at ../qemu-xen-dir-remote/hw/block/virtio-blk.c:136
at ../qemu-xen-dir-remote/block/block-backend.c:1559
--Type <RET> for more, q to quit, c to continue without paging--
at ../qemu-xen-dir-remote/block/block-backend.c:1614
i1=<optimized out>) at ../qemu-xen-dir-remote/util/coroutine-ucontext.c:177
at ../sysdeps/unix/sysv/linux/aarch64/setcontext.S:123
Signed-off-by: Peng Fan <[email protected]>
Reviewed-by: Stefano Stabellini <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Anthony PERARD <[email protected]>
(cherry picked from commit 9253d83062268209533df4b29859e5b51a2dc324)
Signed-off-by: Michael Tokarev <[email protected]>
(Mjt: remove coroutine_mixed_fn annotation missing in 7.2)
Commit: eb1477cc89d082ad353c1be3a22a7cf8010b695a
https://github.com/qemu/qemu/commit/eb1477cc89d082ad353c1be3a22a7cf8010b695a
Author: Klaus Jensen <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M hw/nvme/ctrl.c
Log Message:
-----------
hw/nvme: clean up confusing use of errp/local_err
Remove an unnecessary local Error value in nvme_realize(). In the
process, change nvme_check_constraints() to return a bool.
Reviewed-by: Markus Armbruster <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Klaus Jensen <[email protected]>
(cherry picked from commit 784fd35387e9e6b42e3f365ddf44263eb25de8f7)
Signed-off-by: Michael Tokarev <[email protected]>
(Mjt: needed for v8.2.0-2319-gfa905f65c5
"hw/nvme: add machine compatibility parameter to enable msix exclusive bar")
Commit: b616f9f6e1b7c0aa13f39349760c25c8f1cf7ebb
https://github.com/qemu/qemu/commit/b616f9f6e1b7c0aa13f39349760c25c8f1cf7ebb
Author: Klaus Jensen <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M hw/nvme/ctrl.c
Log Message:
-----------
hw/nvme: cleanup error reporting in nvme_init_pci()
Replace the local Error variable with errp and ERRP_GUARD() and change
the return value to bool.
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Klaus Jensen <[email protected]>
(cherry picked from commit 973f76cf7743545a5d8a0a8bfdfe2cd02aa3e238)
Signed-off-by: Michael Tokarev <[email protected]>
(Mjt: needed for v8.2.0-2319-gfa905f65c5
"hw/nvme: add machine compatibility parameter to enable msix exclusive bar")
Commit: 37f6af013ad4495ef126395e8ed96058ce30acd7
https://github.com/qemu/qemu/commit/37f6af013ad4495ef126395e8ed96058ce30acd7
Author: Minwoo Im <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M hw/nvme/ctrl.c
Log Message:
-----------
hw/nvme: separate 'serial' property for VFs
Currently, when a VF is created, it uses the 'params' object of the PF
as it is. In other words, the 'params.serial' string memory area is also
shared. In this situation, if the VF is removed from the system, the
PF's 'params.serial' object is released with object_finalize() followed
by object_property_del_all() which release the memory for 'serial'
property. If that happens, the next VF created will inherit a serial
from a corrupted memory area.
If this happens, an error will occur when comparing subsys->serial and
n->params.serial in the nvme_subsys_register_ctrl() function.
Cc: [email protected]
Fixes: 44c2c09488db ("hw/nvme: Add support for SR-IOV")
Signed-off-by: Minwoo Im <[email protected]>
Reviewed-by: Klaus Jensen <[email protected]>
Signed-off-by: Klaus Jensen <[email protected]>
(cherry picked from commit 4f0a4a3d5854824e5c5eccf353d4a1f4f749a29d)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: ab93112a6f23e6e0c831200c8924479e3c31c070
https://github.com/qemu/qemu/commit/ab93112a6f23e6e0c831200c8924479e3c31c070
Author: Klaus Jensen <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M hw/nvme/ctrl.c
Log Message:
-----------
hw/nvme: generalize the mbar size helper
Generalize the mbar size helper such that it can handle cases where the
MSI-X table and PBA are expected to be in an exclusive bar.
Cc: [email protected]
Reviewed-by: Jesper Wendel Devantier <[email protected]>
Signed-off-by: Klaus Jensen <[email protected]>
(cherry picked from commit ee7bda4d38cda3eaf114c850a723dd12e23d3abc)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 11838d7d6b94d01955749b093ed8136a5a1cf81f
https://github.com/qemu/qemu/commit/11838d7d6b94d01955749b093ed8136a5a1cf81f
Author: Klaus Jensen <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M hw/core/machine.c
M hw/nvme/ctrl.c
M hw/nvme/nvme.h
Log Message:
-----------
hw/nvme: add machine compatibility parameter to enable msix exclusive bar
Commit 1901b4967c3f ("hw/block/nvme: move msix table and pba to BAR 0")
moved the MSI-X table and PBA to BAR 0 to make room for enabling CMR and
PMR at the same time. As reported by Julien Grall in #2184, this breaks
migration through system hibernation.
Add a machine compatibility parameter and set it on machines pre 6.0 to
enable the old behavior automatically, restoring the hibernation
migration support.
Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2184
Fixes: 1901b4967c3f ("hw/block/nvme: move msix table and pba to BAR 0")
Reported-by: Julien Grall [email protected]
Tested-by: Julien Grall [email protected]
Reviewed-by: Jesper Wendel Devantier <[email protected]>
Signed-off-by: Klaus Jensen <[email protected]>
(cherry picked from commit fa905f65c5549703279f68c253914799b10ada47)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: f30fb80ee24021bf20209b7b330fbd25ca383b84
https://github.com/qemu/qemu/commit/f30fb80ee24021bf20209b7b330fbd25ca383b84
Author: Akihiko Odaki <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M hw/pci/pcie_sriov.c
M include/hw/pci/pcie_sriov.h
Log Message:
-----------
pcie: Introduce pcie_sriov_num_vfs
igb can use this function to change its behavior depending on the
number of virtual functions currently enabled.
Signed-off-by: Gal Hammer <[email protected]>
Signed-off-by: Marcel Apfelbaum <[email protected]>
Signed-off-by: Akihiko Odaki <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Jason Wang <[email protected]>
(cherry picked from commit 31180dbdca2859ae9841939f85158908453ea01d)
Signed-off-by: Michael Tokarev <[email protected]>
(Mjt: needed for v8.2.0-2290-g91bb64a8d2
"hw/nvme: Use pcie_sriov_num_vfs()" (CVE-2024-26328))
Commit: 83e05c74223d6b7ddb31314cafa599b90023dfac
https://github.com/qemu/qemu/commit/83e05c74223d6b7ddb31314cafa599b90023dfac
Author: Akihiko Odaki <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M hw/nvme/ctrl.c
Log Message:
-----------
hw/nvme: Use pcie_sriov_num_vfs()
nvme_sriov_pre_write_ctrl() used to directly inspect SR-IOV
configurations to know the number of VFs being disabled due to SR-IOV
configuration writes, but the logic was flawed and resulted in
out-of-bound memory access.
It assumed PCI_SRIOV_NUM_VF always has the number of currently enabled
VFs, but it actually doesn't in the following cases:
- PCI_SRIOV_NUM_VF has been set but PCI_SRIOV_CTRL_VFE has never been.
- PCI_SRIOV_NUM_VF was written after PCI_SRIOV_CTRL_VFE was set.
- VFs were only partially enabled because of realization failure.
It is a responsibility of pcie_sriov to interpret SR-IOV configurations
and pcie_sriov does it correctly, so use pcie_sriov_num_vfs(), which it
provides, to get the number of enabled VFs before and after SR-IOV
configuration writes.
Cc: [email protected]
Fixes: CVE-2024-26328
Fixes: 11871f53ef8e ("hw/nvme: Add support for the Virtualization Management
command")
Suggested-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: Akihiko Odaki <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>
(cherry picked from commit 91bb64a8d2014fda33a81fcf0fce37340f0d3b0c)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: f36c8e1b2502eacc85c80a66ae1e9ac5e1219d72
https://github.com/qemu/qemu/commit/f36c8e1b2502eacc85c80a66ae1e9ac5e1219d72
Author: Akihiko Odaki <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M hw/pci/pcie_sriov.c
Log Message:
-----------
pcie_sriov: Validate NumVFs
The guest may write NumVFs greater than TotalVFs and that can lead
to buffer overflow in VF implementations.
Cc: [email protected]
Fixes: CVE-2024-26327
Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization
(SR/IOV)")
Signed-off-by: Akihiko Odaki <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>
Reviewed-by: Sriram Yagnaraman <[email protected]>
(cherry picked from commit 6081b4243cd64dff1b2cf5b0c215c71e9d7e753b)
Signed-off-by: Michael Tokarev <[email protected]>
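Covering both SR-IOV fixes above, "hw/nvme: Use pcie_sriov_num_vfs()" (CVE-2024-26328) and "pcie_sriov: Validate NumVFs" (CVE-2024-26327), here is an added standalone C model written for this page; it is not QEMU's pcie_sriov or nvme code. The SriovPF struct, the realize_limit argument, the MAX_VFS array size and the demo_sriov() walk-through are assumptions made for the example; SRIOV_CTRL_VFE and the rule that NumVFs is only writable while VF Enable is clear follow the PCIe SR-IOV specification. It shows why reading NumVFs back from config space gives the wrong VF count in each of the three cases the commit lists, and where the NumVFs > TotalVFs check has to sit so that an oversized value never reaches a per-VF array.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy SR-IOV capability state (not QEMU's pcie_sriov code). */
#define SRIOV_CTRL_VFE 0x0001u   /* VF Enable bit of the SR-IOV Control register */
#define MAX_VFS        8u        /* size of the per-VF state array */

typedef struct {
    uint16_t total_vfs;          /* TotalVFs: fixed by the device at realize time */
    uint16_t ctrl;               /* SR-IOV Control as written by the guest */
    uint16_t num_vf_reg;         /* NumVFs register as written by the guest */
    uint16_t enabled;            /* VFs actually realized right now */
    bool     vf_live[MAX_VFS];   /* per-VF state, valid for indexes 0..enabled-1 */
} SriovPF;

static void sriov_init(SriovPF *pf, uint16_t total_vfs)
{
    memset(pf, 0, sizeof(*pf));
    pf->total_vfs = total_vfs > MAX_VFS ? MAX_VFS : total_vfs;
}

/* The flawed reading (CVE-2024-26328): NumVFs from config space as "live VFs". */
static unsigned sriov_num_vfs_unchecked(const SriovPF *pf)
{
    return pf->num_vf_reg;
}

/* Role of pcie_sriov_num_vfs(): VFs really enabled, 0 whenever VFE is clear. */
static unsigned sriov_num_vfs(const SriovPF *pf)
{
    return (pf->ctrl & SRIOV_CTRL_VFE) ? pf->enabled : 0;
}

/* Guest write to NumVFs: writable only while VFE is clear (commit case two). */
static void sriov_write_num_vf(SriovPF *pf, uint16_t val)
{
    if (!(pf->ctrl & SRIOV_CTRL_VFE)) {
        pf->num_vf_reg = val;
    }
}

/* Guest write to SR-IOV Control. realize_limit models VFs that fail to
 * realize (commit case three). Returns the number of VFs enabled afterwards. */
static unsigned sriov_write_ctrl(SriovPF *pf, uint16_t val, unsigned realize_limit)
{
    bool was = pf->ctrl & SRIOV_CTRL_VFE;
    bool now = val & SRIOV_CTRL_VFE;

    if (now && !was) {
        uint16_t n = pf->num_vf_reg;
        unsigned i;
        if (n > pf->total_vfs) {     /* CVE-2024-26327 check: reject before any VF array use */
            return 0;                /* enable refused, VFE stays clear */
        }
        for (i = 0; i < n && i < realize_limit; i++) {
            pf->vf_live[i] = true;
        }
        pf->enabled = (uint16_t)i;   /* what was created, not what was asked for */
    } else if (!now && was) {
        for (unsigned i = 0; i < pf->enabled; i++) {
            pf->vf_live[i] = false;  /* tear down exactly the live VFs */
        }
        pf->enabled = 0;
    }
    pf->ctrl = val;
    return sriov_num_vfs(pf);
}

/* Role of nvme_sriov_pre_write_ctrl(): VFs a pending Control write will
 * disable, derived from the checked count before and after the write. */
static unsigned sriov_vfs_to_disable(const SriovPF *pf, uint16_t new_ctrl)
{
    unsigned before = sriov_num_vfs(pf);
    unsigned after = (new_ctrl & SRIOV_CTRL_VFE) ? before : 0;
    return before - after;
}

/* One guest scenario on a TotalVFs=4 device; returns the value visible at `step`. */
static int demo_sriov(int step)
{
    SriovPF pf;
    sriov_init(&pf, 4);
    sriov_write_num_vf(&pf, 300);                             /* guest asks for 300 VFs */
    if (step == 0) return (int)sriov_num_vfs_unchecked(&pf);  /* 300: indexes past 4 entries */
    if (step == 1) return (int)sriov_num_vfs(&pf);            /* 0: VFE never set (case one) */
    sriov_write_ctrl(&pf, SRIOV_CTRL_VFE, 8);
    if (step == 2) return (int)sriov_num_vfs(&pf);            /* 0: 300 > TotalVFs, rejected */
    sriov_write_num_vf(&pf, 3);
    sriov_write_ctrl(&pf, SRIOV_CTRL_VFE, 2);                 /* only 2 of 3 realize */
    sriov_write_num_vf(&pf, 1);                               /* ignored while VFE is set */
    if (step == 3) return (int)sriov_num_vfs_unchecked(&pf);  /* 3: stale register value */
    if (step == 4) return (int)sriov_num_vfs(&pf);            /* 2: VFs really live */
    if (step == 5) return (int)sriov_vfs_to_disable(&pf, 0);  /* 2 */
    sriov_write_ctrl(&pf, 0, 8);
    return (int)sriov_num_vfs(&pf);                           /* 0 */
}

int main(void)
{
    for (int step = 0; step <= 6; step++) printf("step %d: %d\n", step, demo_sriov(step));
    return 0;
}
```

The split of responsibilities is the design point: the SR-IOV layer owns the interpretation of Control and NumVFs (including the TotalVFs bound), and a device model such as nvme asks it for the enabled count rather than re-deriving it from raw config space.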
Commit: f90ce5281bd114b9348b78b253bd5e6d0437adc9
https://github.com/qemu/qemu/commit/f90ce5281bd114b9348b78b253bd5e6d0437adc9
Author: Jonathan Cameron <[email protected]>
Date: 2024-03-13 (Wed, 13 Mar 2024)
Changed paths:
M hw/acpi/hmat.c
Log Message:
-----------
hmat acpi: Fix out of bounds access due to missing use of indirection
With a numa set up such as
-numa nodeid=0,cpus=0 \
-numa nodeid=1,memdev=mem \
-numa nodeid=2,cpus=1
and appropriate hmat_lb entries the initiator list is correctly
computed and written to HMAT as 0,2 but then the LB data is accessed
using the node id (here 2), landing outside the entry_list array.
Stash the reverse lookup when writing the initiator list and use
it to get the correct array index.
Fixes: 4586a2cb83 ("hmat acpi: Build System Locality Latency and Bandwidth
Information Structure(s)")
Signed-off-by: Jonathan Cameron <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>
(cherry picked from commit 74e2845c5f95b0c139c79233ddb65bb17f2dd679)
Signed-off-by: Michael Tokarev <[email protected]>
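An added standalone C model of the indirection the fix introduces, written for this page; it is not QEMU's hw/acpi/hmat.c. The NumaNode and HmatInitiators types, MAX_NODES, the demo_* helpers and the latency values are assumptions; the topology (CPUs on nodes 0 and 2, memory on node 1) is the one from the commit message. It shows the initiator list coming out as 0,2, the reverse lookup that maps node id 2 to row 1, and how indexing by node id instead only goes wrong once initiator ids are not dense, which is why the bug hides on the common single-gap-free layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the HMAT initiator bookkeeping (not QEMU's hw/acpi/hmat.c). */
#define MAX_NODES 8

typedef struct {
    bool has_cpu;     /* node is an initiator */
    bool has_memory;  /* node is a memory target */
} NumaNode;

typedef struct {
    unsigned num_initiators;
    uint8_t  initiator_list[MAX_NODES];   /* node ids in the order written to HMAT */
    int      initiator_index[MAX_NODES];  /* reverse lookup: node id -> position, -1 if none */
} HmatInitiators;

/* Build the initiator list and stash the reverse lookup while doing so. */
static void hmat_build_initiators(const NumaNode *nodes, unsigned n, HmatInitiators *out)
{
    out->num_initiators = 0;
    for (unsigned i = 0; i < MAX_NODES; i++) {
        out->initiator_index[i] = -1;
    }
    for (unsigned i = 0; i < n && i < MAX_NODES; i++) {
        if (nodes[i].has_cpu) {
            out->initiator_index[i] = (int)out->num_initiators;
            out->initiator_list[out->num_initiators++] = (uint8_t)i;
        }
    }
}

/* entry_list has one row per initiator *position* (num_initiators rows of
 * num_targets entries). With use_indirection the node id goes through the
 * reverse lookup; without it the node id is used as the row, which is the
 * bug. Returns -1 instead of reading out of bounds. */
static int hmat_lb_lookup(const HmatInitiators *ini, const uint16_t *entry_list,
                          unsigned num_targets, unsigned initiator_node,
                          unsigned target_pos, bool use_indirection)
{
    if (initiator_node >= MAX_NODES || target_pos >= num_targets) {
        return -1;
    }
    int row = use_indirection ? ini->initiator_index[initiator_node]
                              : (int)initiator_node;
    if (row < 0 || (unsigned)row >= ini->num_initiators) {
        return -1;   /* the original code had no such check: out-of-bounds access */
    }
    return entry_list[(unsigned)row * num_targets + target_pos];
}

/* Constructed topology from the commit message: nodes 0 and 2 have CPUs,
 * node 1 has the memory; the latencies are made-up values. */
static const NumaNode DEMO_NODES[3] = {
    { true, false }, { false, true }, { true, false },
};
static const uint16_t DEMO_LB[2] = { 10, 20 };   /* rows: initiator 0, initiator 2 */

static int demo_initiator_at(unsigned pos)
{
    HmatInitiators ini;
    hmat_build_initiators(DEMO_NODES, 3, &ini);
    return pos < ini.num_initiators ? ini.initiator_list[pos] : -1;
}

static int demo_lookup(unsigned initiator_node, bool use_indirection)
{
    HmatInitiators ini;
    hmat_build_initiators(DEMO_NODES, 3, &ini);
    return hmat_lb_lookup(&ini, DEMO_LB, 1, initiator_node, 0, use_indirection);
}

int main(void)
{
    printf("node 2 via indirection: %d, via node id: %d\n",
           demo_lookup(2, true), demo_lookup(2, false));
    return 0;
}
```

Note that `demo_lookup(0, false)` still returns the right value: node 0 is also initiator position 0, so a test topology with CPUs on every node never trips the bug.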
Compare: https://github.com/qemu/qemu/compare/0e181b6153ca...f90ce5281bd1