Branch: refs/heads/stable-9.0
Home: https://github.com/qemu/qemu
Commit: 2cc14aac8b4bd7b694c3a70926e9a7f46e2e5405
https://github.com/qemu/qemu/commit/2cc14aac8b4bd7b694c3a70926e9a7f46e2e5405
Author: Fea.Wang <[email protected]>
Date: 2024-09-19 (Thu, 19 Sep 2024)
Changed paths:
M system/physmem.c
Log Message:
-----------
softmmu/physmem.c: Keep transaction attribute in address_space_map()
The follow-up transactions may use the data in the attribution, so keep
the value of attribution from the function parameter just as
flatview_translate() above.
Signed-off-by: Fea.Wang <[email protected]>
Cc: [email protected]
Fixes: f26404fbee ("Make address_space_map() take a MemTxAttrs argument")
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Peter Xu <[email protected]>
(cherry picked from commit d8d5ca40048b04750de5a0ae0b2b9f153a391951)
Signed-off-by: Michael Tokarev <[email protected]>
(Mjt: context fix due to lack of
v9.1.0-134-g637b0aa13956 "softmmu: Support concurrent bounce buffers"
v9.0.0-564-g69e78f1b3484 "system/physmem: Per-AddressSpace bounce buffering")
Commit: d996783c4743adba032f41d1624d795180ee9ecb
https://github.com/qemu/qemu/commit/d996783c4743adba032f41d1624d795180ee9ecb
Author: Peter Maydell <[email protected]>
Date: 2024-09-20 (Fri, 20 Sep 2024)
Changed paths:
M target/arm/tcg/cpu64.c
Log Message:
-----------
target/arm: Correct ID_AA64ISAR1_EL1 value for neoverse-v1
The Neoverse-V1 TRM is a bit confused about the layout of the
ID_AA64ISAR1_EL1 register, and so its table 3-6 has the wrong value
for this ID register. Trust instead section 3.2.74's list of which
fields are set.
This means that we stop incorrectly reporting FEAT_XS as present, and
now report the presence of FEAT_BF16.
Cc: [email protected]
Reported-by: Marcin Juszkiewicz <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-id: [email protected]
(cherry picked from commit 8676007eff04bb4e454bcdf92fab3f855bcc59b3)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: a85f57b6a9f01927a9c826bf5d0f237de0512215
https://github.com/qemu/qemu/commit/a85f57b6a9f01927a9c826bf5d0f237de0512215
Author: TANG Tiancheng <[email protected]>
Date: 2024-09-28 (Sat, 28 Sep 2024)
Changed paths:
M tcg/tcg-op-gvec.c
Log Message:
-----------
tcg: Fix iteration step in 32-bit gvec operation
The loop in the 32-bit case of the vector compare operation
was incorrectly incrementing by 8 bytes per iteration instead
of 4 bytes. This caused the function to process only half of
the intended elements.
Cc: [email protected]
Fixes: 9622c697d1 (tcg: Add gvec compare with immediate and scalar operand)
Signed-off-by: TANG Tiancheng <[email protected]>
Reviewed-by: Liu Zhiwei <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit 9d8d5a5b9078a16b4c0862fe54248c5cc8435648)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 9dc5eaff625c8731057313e95caae47e48609131
https://github.com/qemu/qemu/commit/9dc5eaff625c8731057313e95caae47e48609131
Author: Fabiano Rosas <[email protected]>
Date: 2024-09-28 (Sat, 28 Sep 2024)
Changed paths:
M target/ppc/translate/vsx-impl.c.inc
Log Message:
-----------
target/ppc: Fix lxvx/stxvx facility check
The XT check for the lxvx/stxvx instructions is currently
inverted. This was introduced during the move to decodetree.
>From the ISA:
Chapter 7. Vector-Scalar Extension Facility
Load VSX Vector Indexed X-form
lxvx XT,RA,RB
if TX=0 & MSR.VSX=0 then VSX_Unavailable()
if TX=1 & MSR.VEC=0 then Vector_Unavailable()
...
Let XT be the value 32×TX + T.
The code currently does the opposite:
if (paired || a->rt >= 32) {
REQUIRE_VSX(ctx);
} else {
REQUIRE_VECTOR(ctx);
}
This was already fixed for lxv/stxv at commit "2cc0e449d1 (target/ppc:
Fix lxv/stxv MSR facility check)", but the indexed forms were missed.
Cc: [email protected]
Fixes: 70426b5bb7 ("target/ppc: moved stxvx and lxvx from legacy to decodtree")
Signed-off-by: Fabiano Rosas <[email protected]>
Reviewed-by: Claudio Fontana <[email protected]>
Acked-by: Ilya Leoshkevich <[email protected]>
Reviewed-by: Fabiano Rosas <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit 8bded2e73e80823a67f730140788a3c5e60bf4b5)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 7859abfe34ae6a564f0474fed7a3b519305791ac
https://github.com/qemu/qemu/commit/7859abfe34ae6a564f0474fed7a3b519305791ac
Author: Mark Cave-Ayland <[email protected]>
Date: 2024-09-28 (Sat, 28 Sep 2024)
Changed paths:
M hw/mips/jazz.c
Log Message:
-----------
hw/mips/jazz: fix typo in in-built NIC alias
Commit e104edbb9d ("hw/mips/jazz: use qemu_find_nic_info()") contained a typo
in the NIC alias which caused initialisation of the in-built dp83932 NIC to fail
when using the normal -nic user,model=dp83932 command line.
Fixes: e104edbb9d ("hw/mips/jazz: use qemu_find_nic_info()")
Signed-off-by: Mark Cave-Ayland <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: David Woodhouse <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
Signed-off-by: Michael Tokarev <[email protected]>
(cherry picked from commit 2e4fdf566062c03456230fd8136b88c5c1e5c4bf)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 3731791fd7a6c4caa3aa9397c1bd75efb300e74b
https://github.com/qemu/qemu/commit/3731791fd7a6c4caa3aa9397c1bd75efb300e74b
Author: Fiona Ebner <[email protected]>
Date: 2024-10-01 (Tue, 01 Oct 2024)
Changed paths:
M block/copy-before-write.c
M block/reqlist.c
Log Message:
-----------
block/reqlist: allow adding overlapping requests
Allow overlapping request by removing the assert that made it
impossible. There are only two callers:
1. block_copy_task_create()
It already asserts the very same condition before calling
reqlist_init_req().
2. cbw_snapshot_read_lock()
There is no need to have read requests be non-overlapping in
copy-before-write when used for snapshot-access. In fact, there was no
protection against two callers of cbw_snapshot_read_lock() calling
reqlist_init_req() with overlapping ranges and this could lead to an
assertion failure [1].
In particular, with the reproducer script below [0], two
cbw_co_snapshot_block_status() callers could race, with the second
calling reqlist_init_req() before the first one finishes and removes
its conflicting request.
[0]:
> #!/bin/bash -e
> dd if=/dev/urandom of=/tmp/disk.raw bs=1M count=1024
> ./qemu-img create /tmp/fleecing.raw -f raw 1G
> (
> ./qemu-system-x86_64 --qmp stdio \
> --blockdev raw,node-name=node0,file.driver=file,file.filename=/tmp/disk.raw \
> --blockdev
> raw,node-name=node1,file.driver=file,file.filename=/tmp/fleecing.raw \
> <<EOF
> {"execute": "qmp_capabilities"}
> {"execute": "blockdev-add", "arguments": { "driver": "copy-before-write",
> "file": "node0", "target": "node1", "node-name": "node3" } }
> {"execute": "blockdev-add", "arguments": { "driver": "snapshot-access",
> "file": "node3", "node-name": "snap0" } }
> {"execute": "nbd-server-start", "arguments": {"addr": { "type": "unix",
> "data": { "path": "/tmp/nbd.socket" } } } }
> {"execute": "block-export-add", "arguments": {"id": "exp0", "node-name":
> "snap0", "type": "nbd", "name": "exp0"}}
> EOF
> ) &
> sleep 5
> while true; do
> ./qemu-nbd -d /dev/nbd0
> ./qemu-nbd -c /dev/nbd0 nbd:unix:/tmp/nbd.socket:exportname=exp0 -f raw -r
> nbdinfo --map 'nbd+unix:///exp0?socket=/tmp/nbd.socket'
> done
[1]:
> #5 0x000071e5f0088eb2 in __GI___assert_fail (...) at ./assert/assert.c:101
> #6 0x0000615285438017 in reqlist_init_req (...) at ../block/reqlist.c:23
> #7 0x00006152853e2d98 in cbw_snapshot_read_lock (...) at
> ../block/copy-before-write.c:237
> #8 0x00006152853e3068 in cbw_co_snapshot_block_status (...) at
> ../block/copy-before-write.c:304
> #9 0x00006152853f4d22 in bdrv_co_snapshot_block_status (...) at
> ../block/io.c:3726
> #10 0x000061528543a63e in snapshot_access_co_block_status (...) at
> ../block/snapshot-access.c:48
> #11 0x00006152853f1a0a in bdrv_co_do_block_status (...) at ../block/io.c:2474
> #12 0x00006152853f2016 in bdrv_co_common_block_status_above (...) at
> ../block/io.c:2652
> #13 0x00006152853f22cf in bdrv_co_block_status_above (...) at
> ../block/io.c:2732
> #14 0x00006152853d9a86 in blk_co_block_status_above (...) at
> ../block/block-backend.c:1473
> #15 0x000061528538da6c in blockstatus_to_extents (...) at ../nbd/server.c:2374
> #16 0x000061528538deb1 in nbd_co_send_block_status (...) at
> ../nbd/server.c:2481
> #17 0x000061528538f424 in nbd_handle_request (...) at ../nbd/server.c:2978
> #18 0x000061528538f906 in nbd_trip (...) at ../nbd/server.c:3121
> #19 0x00006152855a7caf in coroutine_trampoline (...) at
> ../util/coroutine-ucontext.c:175
Cc: [email protected]
Suggested-by: Vladimir Sementsov-Ogievskiy <[email protected]>
Signed-off-by: Fiona Ebner <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Vladimir Sementsov-Ogievskiy <[email protected]>
Signed-off-by: Vladimir Sementsov-Ogievskiy <[email protected]>
(cherry picked from commit 6475155d519209c80fdda53e05130365aa769838)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: aa291cc29240ce7f44eee1f82a3aa6eae02308e8
https://github.com/qemu/qemu/commit/aa291cc29240ce7f44eee1f82a3aa6eae02308e8
Author: Ard Biesheuvel <[email protected]>
Date: 2024-10-02 (Wed, 02 Oct 2024)
Changed paths:
M target/arm/internals.h
M target/arm/ptw.c
Log Message:
-----------
target/arm: Avoid target_ulong for physical address lookups
target_ulong is typedef'ed as a 32-bit integer when building the
qemu-system-arm target, and this is smaller than the size of an
intermediate physical address when LPAE is being used.
Given that Linux may place leaf level user page tables in high memory
when built for LPAE, the kernel will crash with an external abort as
soon as it enters user space when running with more than ~3 GiB of
system RAM.
So replace target_ulong with vaddr in places where it may carry an
address value that is not representable in 32 bits.
Fixes: f3639a64f602ea ("target/arm: Use softmmu tlbs for page table walking")
Cc: [email protected]
Reported-by: Arnd Bergmann <[email protected]>
Tested-by: Arnd Bergmann <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Ard Biesheuvel <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 67d762e716a7127ecc114e9708254316dd521911)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 8ad609ab5f4ad74c82b9d67530946e4499b49acb
https://github.com/qemu/qemu/commit/8ad609ab5f4ad74c82b9d67530946e4499b49acb
Author: Alexander Bulekov <[email protected]>
Date: 2024-10-02 (Wed, 02 Oct 2024)
Changed paths:
M scripts/oss-fuzz/build.sh
Log Message:
-----------
fuzz: disable leak-detection for oss-fuzz builds
When we are building for OSS-Fuzz, we want to ensure that the fuzzer
targets are actually created, regardless of leaks. Leaks will be
detected by the subsequent tests of the individual fuzz-targets.
Signed-off-by: Alexander Bulekov <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
(cherry picked from commit 3e964275d65b92075249201c49b39dfb06d08ad4)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 98228461a8f27f8c8bd527b921bb518668ba250d
https://github.com/qemu/qemu/commit/98228461a8f27f8c8bd527b921bb518668ba250d
Author: Alex Bennée <[email protected]>
Date: 2024-10-03 (Thu, 03 Oct 2024)
Changed paths:
M tests/docker/dockerfiles/debian-mips64el-cross.docker
M tests/lcitool/mappings.yml
M tests/lcitool/refresh
Log Message:
-----------
testing: bump mips64el cross to bookworm and fix package list
The mips64el cross setup is very broken for bullseye which has now
entered LTS support so is unlikely to be fixed. While we still can't
build the container with all packages for bookworm due to a single
missing dependency that will hopefully get fixed in due course. For
the sake of keeping the CI green we disable the problematic packages
via the lcitool's mappings.yml file.
See also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081535
Signed-off-by: Alex Bennée <[email protected]>
[thuth: Disable the problematic packages via lcitool's mappings.yml]
Message-ID: <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
(cherry picked from commit c60473d29254b79d9437eface8b342e84663ba66)
Signed-off-by: Michael Tokarev <[email protected]>
(Mjt: context fix in tests/docker/dockerfiles/debian-mips64el-cross.docker)
Commit: 1836c60af237f6069f5d2e80ff937a9f0f8eec8a
https://github.com/qemu/qemu/commit/1836c60af237f6069f5d2e80ff937a9f0f8eec8a
Author: Marc-André Lureau <[email protected]>
Date: 2024-10-04 (Fri, 04 Oct 2024)
Changed paths:
M ui/vnc.c
Log Message:
-----------
vnc: fix crash when no console attached
Since commit e99441a3793b5 ("ui/curses: Do not use console_select()")
qemu_text_console_put_keysym() no longer checks for NULL console
argument, which leads to a later crash:
Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x00005555559ee186 in qemu_text_console_handle_keysym (s=0x0, keysym=31) at
../ui/console-vc.c:332
332 } else if (s->echo && (keysym == '\r' || keysym == '\n')) {
(gdb) bt
#0 0x00005555559ee186 in qemu_text_console_handle_keysym (s=0x0, keysym=31)
at ../ui/console-vc.c:332
#1 0x00005555559e18e5 in qemu_text_console_put_keysym (s=<optimized out>,
keysym=<optimized out>) at ../ui/console.c:303
#2 0x00005555559f2e88 in do_key_event (vs=vs@entry=0x5555579045c0,
down=down@entry=1, keycode=keycode@entry=60, sym=sym@entry=65471) at
../ui/vnc.c:2034
#3 0x00005555559f845c in ext_key_event (vs=0x5555579045c0, down=1, sym=65471,
keycode=<optimized out>) at ../ui/vnc.c:2070
#4 protocol_client_msg (vs=0x5555579045c0, data=<optimized out>,
len=<optimized out>) at ../ui/vnc.c:2514
#5 0x00005555559f515c in vnc_client_read (vs=0x5555579045c0) at
../ui/vnc.c:1607
Fixes: e99441a3793b5 ("ui/curses: Do not use console_select()")
Fixes: https://issues.redhat.com/browse/RHEL-50529
Cc: [email protected]
Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
Signed-off-by: Michael Tokarev <[email protected]>
(cherry picked from commit 0e60fc80938d9ce84274a36ddfaaa640bdef2be8)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: a706820672ab20ecd332889622d24ebf60cc58f9
https://github.com/qemu/qemu/commit/a706820672ab20ecd332889622d24ebf60cc58f9
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-10-10 (Thu, 10 Oct 2024)
Changed paths:
M linux-user/flatload.c
Log Message:
-----------
linux-user/flatload: Take mmap_lock in load_flt_binary()
load_flt_binary() calls load_flat_file() -> page_set_flags().
page_set_flags() must be called with the mmap_lock held,
otherwise it aborts:
$ qemu-arm -L stm32/lib/ stm32/bin/busybox
qemu-arm: ../accel/tcg/user-exec.c:505: page_set_flags: Assertion
`have_mmap_lock()' failed.
Aborted (core dumped)
Fix by taking the lock in load_flt_binary().
Fixes: fbd3c4cff6 ("linux-user/arm: Mark the commpage executable")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2525
Suggested-by: Richard Henderson <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit a9ee641bd46f5462eeed183ac3c3760bddfc2600)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: ff58fd29b490cadddd2f09166947df0bbad7e644
https://github.com/qemu/qemu/commit/ff58fd29b490cadddd2f09166947df0bbad7e644
Author: Richard Henderson <[email protected]>
Date: 2024-10-10 (Thu, 10 Oct 2024)
Changed paths:
M linux-user/elfload.c
Log Message:
-----------
linux-user: Fix parse_elf_properties GNU0_MAGIC check
Comparing a string of 4 bytes only works in little-endian.
Adjust bulk bswap to only apply to the note payload.
Perform swapping of the note header manually; the magic
is defined so that it does not need a runtime swap.
Fixes: 83f990eb5adb ("linux-user/elfload: Parse NT_GNU_PROPERTY_TYPE_0 notes")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2596
Signed-off-by: Richard Henderson <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
(cherry picked from commit 2884596f5f385b5712c356310dd4125a089888a8)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: dd5a6b77f627193426e54a0a1a6c35a87f106db3
https://github.com/qemu/qemu/commit/dd5a6b77f627193426e54a0a1a6c35a87f106db3
Author: Richard Henderson <[email protected]>
Date: 2024-10-10 (Thu, 10 Oct 2024)
Changed paths:
M tcg/ppc/tcg-target.c.inc
Log Message:
-----------
tcg/ppc: Use TCG_REG_TMP2 for scratch tcg_out_qemu_st
In the fallback when STDBRX is not available, avoid clobbering
TCG_REG_TMP1, which might be h.base, which is still in use.
Use TCG_REG_TMP2 instead.
Cc: [email protected]
Fixes: 01a112e2e9 ("tcg/ppc: Reorg tcg_out_tlb_read")
Signed-off-by: Richard Henderson <[email protected]>
Tested-By: Michael Tokarev <[email protected]>
(cherry picked from commit 4cabcb89b101942346aebff081aa1453e958fe7f)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 2c2721a2c2d08bc00f7d224fcae9014725641d8c
https://github.com/qemu/qemu/commit/2c2721a2c2d08bc00f7d224fcae9014725641d8c
Author: Richard Henderson <[email protected]>
Date: 2024-10-10 (Thu, 10 Oct 2024)
Changed paths:
M tcg/ppc/tcg-target.c.inc
Log Message:
-----------
tcg/ppc: Use TCG_REG_TMP2 for scratch index in prepare_host_addr
In tcg_out_qemu_ldst_i128, we need a non-zero index register,
which we then use as a base register in several address modes.
Since we always have TCG_REG_TMP2 available, use that.
Cc: [email protected]
Fixes: 526cd4ec01f ("tcg/ppc: Support 128-bit load/store")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2597
Signed-off-by: Richard Henderson <[email protected]>
Tested-By: Michael Tokarev <[email protected]>
(cherry picked from commit 3213da7b9539581c6df95f8ced5b09d0b02d425f)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 3b2a89a160affeec7317e498330ffb4b9d8324b0
https://github.com/qemu/qemu/commit/3b2a89a160affeec7317e498330ffb4b9d8324b0
Author: Richard Henderson <[email protected]>
Date: 2024-10-10 (Thu, 10 Oct 2024)
Changed paths:
M target/m68k/translate.c
Log Message:
-----------
target/m68k: Always return a temporary from gen_lea_mode
Returning a raw areg does not preserve the value if the areg
is subsequently modified. Fixes, e.g. "jsr (sp)", where the
return address is pushed before the branch.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2483
Signed-off-by: Richard Henderson <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit 352cc9f300d83ea48b8154bfd2ff985fece887d0)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 6e5f1429a2ec34e796c7b15a48fd3af22337cc2b
https://github.com/qemu/qemu/commit/6e5f1429a2ec34e796c7b15a48fd3af22337cc2b
Author: Alexandra Diupina <[email protected]>
Date: 2024-10-15 (Tue, 15 Oct 2024)
Changed paths:
M hw/intc/arm_gicv3_cpuif.c
Log Message:
-----------
hw/intc/arm_gicv3_cpuif: Add cast to match the documentation
The result of 1 << regbit with regbit==31 has a 1 in the 32nd bit.
When cast to uint64_t (for further bitwise OR), the 32 most
significant bits will be filled with 1s. However, the documentation
states that the upper 32 bits of ICH_AP[0/1]R<n>_EL2 are reserved.
Add an explicit cast to match the documentation.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Cc: [email protected]
Fixes: c3f21b065a ("hw/intc/arm_gicv3_cpuif: Support vLPIs")
Signed-off-by: Alexandra Diupina <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 3db74afec3ca87f81fbdf5918ed1e21d837fbfab)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: c385420aaffcf2ee9a2ac11dd8a4be04e5d3d24a
https://github.com/qemu/qemu/commit/c385420aaffcf2ee9a2ac11dd8a4be04e5d3d24a
Author: Marc-André Lureau <[email protected]>
Date: 2024-10-16 (Wed, 16 Oct 2024)
Changed paths:
M hw/audio/hda-codec.c
Log Message:
-----------
hw/audio/hda: free timer on exit
Fixes: 280c1e1cd ("audio/hda: create millisecond timers that handle IO")
Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit f27206ceedbe2efae37c8d143c5eb2db05251508)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 63b32ce87e6c3e71719a6a9f6f4089059c45f487
https://github.com/qemu/qemu/commit/63b32ce87e6c3e71719a6a9f6f4089059c45f487
Author: Marc-André Lureau <[email protected]>
Date: 2024-11-08 (Fri, 08 Nov 2024)
Changed paths:
M ui/dbus-listener.c
Log Message:
-----------
ui/dbus: fix leak on message filtering
A filter function that wants to drop a message should return NULL, in
which case it must also unref the message itself.
Fixes: fa88b85de ("ui/dbus: filter out pending messages when scanout")
Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit 244d52ff736fefc3dd364ed091720aa896af306d)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 0ba0827f214f5257b2ceb8a7e26ccb0793bdcebb
https://github.com/qemu/qemu/commit/0ba0827f214f5257b2ceb8a7e26ccb0793bdcebb
Author: Marc-André Lureau <[email protected]>
Date: 2024-11-08 (Fri, 08 Nov 2024)
Changed paths:
M hw/display/virtio-gpu.c
M include/ui/qemu-pixman.h
M ui/console.c
M ui/qemu-pixman.c
Log Message:
-----------
ui/win32: fix potential use-after-free with dbus shared memory
DisplaySurface may be free before the pixman image is freed, since the
image is refcounted and used by different objects, including pending
dbus messages.
Furthermore, setting the destroy function in
create_displaysurface_from() isn't appropriate, as it may not be used,
and may be overriden as in ramfb.
Set the destroy function when the shared handle is set, use the HANDLE
directly for destroy data, using a single common helper
qemu_pixman_win32_image_destroy().
Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit 330ef31deb2e5461cff907488b710f5bd9cd2327)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: d60890820c1c184da52d18d05eabf0e244ee2c24
https://github.com/qemu/qemu/commit/d60890820c1c184da52d18d05eabf0e244ee2c24
Author: Marc-André Lureau <[email protected]>
Date: 2024-11-08 (Fri, 08 Nov 2024)
Changed paths:
M ui/dbus-listener.c
Log Message:
-----------
ui/dbus: fix filtering all update messages
Filtering pending messages when a new scanout is given shouldn't discard
pending cursor changes, for example.
Since filtering happens in a different thread, use atomic set/get.
Fixes: fa88b85dea ("ui/dbus: filter out pending messages when scanout")
Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit cf59889781297a5618f1735a5f31402caa806b42)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: b5f6122f676c6b83249c6e5bf3c6229d131dae40
https://github.com/qemu/qemu/commit/b5f6122f676c6b83249c6e5bf3c6229d131dae40
Author: Paolo Bonzini <[email protected]>
Date: 2024-11-08 (Fri, 08 Nov 2024)
Changed paths:
M tcg/s390x/tcg-target.c.inc
Log Message:
-----------
tcg/s390x: fix constraint for 32-bit TSTEQ/TSTNE
32-bit TSTEQ and TSTNE is subject to the same constraints as
for 64-bit, but setcond_i32 and negsetcond_i32 were incorrectly
using TCG_CT_CONST ("i") instead of TCG_CT_CONST_CMP ("C").
Adjust the constraint and make tcg_target_const_match use the
same sequence as tgen_cmp2: first check if the constant is a
valid operand for TSTEQ/TSTNE, then accept everything for 32-bit
non-test comparisons, finally check if the constant is a valid
operand for 64-bit non-test comparisons.
Reported-by: Philippe Mathieu-Daudé <[email protected]>
Cc: [email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 615586cb356811e46c2e5f85c36db4b93f8381cd)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: fde43f4b8f30a44e1d73a4f2615cd5ea4c8db9af
https://github.com/qemu/qemu/commit/fde43f4b8f30a44e1d73a4f2615cd5ea4c8db9af
Author: Peter Xu <[email protected]>
Date: 2024-11-08 (Fri, 08 Nov 2024)
Changed paths:
M accel/kvm/kvm-all.c
M accel/kvm/trace-events
M include/sysemu/kvm_int.h
Log Message:
-----------
KVM: Dynamic sized kvm memslots array
Zhiyi reported an infinite loop issue in VFIO use case. The cause of that
was a separate discussion, however during that I found a regression of
dirty sync slowness when profiling.
Each KVMMemoryListerner maintains an array of kvm memslots. Currently it's
statically allocated to be the max supported by the kernel. However after
Linux commit 4fc096a99e ("KVM: Raise the maximum number of user memslots"),
the max supported memslots reported now grows to some number large enough
so that it may not be wise to always statically allocate with the max
reported.
What's worse, QEMU kvm code still walks all the allocated memslots entries
to do any form of lookups. It can drastically slow down all memslot
operations because each of such loop can run over 32K times on the new
kernels.
Fix this issue by making the memslots to be allocated dynamically.
Here the initial size was set to 16 because it should cover the basic VM
usages, so that the hope is the majority VM use case may not even need to
grow at all (e.g. if one starts a VM with ./qemu-system-x86_64 by default
it'll consume 9 memslots), however not too large to waste memory.
There can also be even better way to address this, but so far this is the
simplest and should be already better even than before we grow the max
supported memslots. For example, in the case of above issue when VFIO was
attached on a 32GB system, there are only ~10 memslots used. So it could
be good enough as of now.
In the above VFIO context, measurement shows that the precopy dirty sync
shrinked from ~86ms to ~3ms after this patch applied. It should also apply
to any KVM enabled VM even without VFIO.
NOTE: we don't have a FIXES tag for this patch because there's no real
commit that regressed this in QEMU. Such behavior existed for a long time,
but only start to be a problem when the kernel reports very large
nr_slots_max value. However that's pretty common now (the kernel change
was merged in 2021) so we attached cc:stable because we'll want this change
to be backported to stable branches.
Cc: qemu-stable <[email protected]>
Reported-by: Zhiyi Guo <[email protected]>
Tested-by: Zhiyi Guo <[email protected]>
Signed-off-by: Peter Xu <[email protected]>
Acked-by: David Hildenbrand <[email protected]>
Reviewed-by: Fabiano Rosas <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 5504a8126115d173687b37e657312a8ffe29fc0c)
Signed-off-by: Michael Tokarev <[email protected]>
(Mjt: context fixup in accel/kvm/trace-events)
Commit: 06f97633a65efa8ec44d38093e9e186bc3eba034
https://github.com/qemu/qemu/commit/06f97633a65efa8ec44d38093e9e186bc3eba034
Author: Stefan Berger <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M tests/qtest/tpm-tests.c
Log Message:
-----------
tests: Wait for migration completion on destination QEMU to avoid failures
Rather than waiting for the completion of migration on the source side,
wait for it on the destination QEMU side to avoid accessing the TPM TIS
memory mapped registers before QEMU could restore their state. This
error condition could be triggered on busy systems where the destination
QEMU did not have enough time to restore the TIS state while the test case
was already reading its registers. The test case was for example reading
the STS register and received an unexpected value (0xffffffff), which
lead to a segmentation fault later on due to trying to read 0xffff bytes
from the TIS into a buffer.
Cc: <[email protected]>
Reported-by: Fabiano Rosas <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Stefan Berger <[email protected]>
(cherry picked from commit d9280ea3174700170d39c4cdd3f587f260757711)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: bb511406c0794d855a93ef157100f871e530790f
https://github.com/qemu/qemu/commit/bb511406c0794d855a93ef157100f871e530790f
Author: Thomas Huth <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M hw/sh4/r2d.c
Log Message:
-----------
Revert "hw/sh4/r2d: Realize IDE controller before accessing it"
This reverts commit 3c5f86a22686ef475a8259c0d8ee714f61c770c9.
Changing the order here caused a regression with the "tuxrun"
kernels (from https://storage.tuxboot.com/20230331/) - ATA commands
fail with a "ata1: lost interrupt (Status 0x58)" message.
Apparently we need to wire the interrupt here first before
realizing the device, so revert the change to the original
behavior.
Reported-by: Guenter Roeck <[email protected]>
Acked-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit 68ad89b75ad2bb5f38abea815a50ec17a142565a)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 15bdc1d47709ba48447bf75d3d5b387911df30a0
https://github.com/qemu/qemu/commit/15bdc1d47709ba48447bf75d3d5b387911df30a0
Author: Peter Maydell <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M tests/qemu-iotests/211.out
Log Message:
-----------
tests/qemu-iotests/211.out: Update to expect MapEntry 'compressed' field
In commit 52b10c9c0c68e90f in 2023 the QAPI MapEntry struct was
updated to add a 'compressed' field. That commit updated a number
of iotest expected-output files, but missed 211, which is vdi
specific. The result is that
./check -vdi
and more specifically
./check -vdi 211
fails because the expected and actual output don't match.
Update the reference output.
Cc: [email protected]
Fixes: 52b10c9c0c68e90f ("qemu-img: map: report compressed data blocks")
Signed-off-by: Peter Maydell <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: Kevin Wolf <[email protected]>
Signed-off-by: Kevin Wolf <[email protected]>
(cherry picked from commit d60bd080e783107cb876a6f16561fe03f9dcbca7)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 21af1db1d09675528d783fa4822538b1c2d7d8f6
https://github.com/qemu/qemu/commit/21af1db1d09675528d783fa4822538b1c2d7d8f6
Author: Kevin Wolf <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M block/raw-format.c
Log Message:
-----------
raw-format: Fix error message for invalid offset/size
s->offset and s->size are only set at the end of the function and still
contain the old values when formatting the error message. Print the
parameters with the new values that we actually checked instead.
Fixes: 500e2434207d ('raw-format: Split raw_read_options()')
Signed-off-by: Kevin Wolf <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Reviewed-by: Hanna Czenczek <[email protected]>
Signed-off-by: Kevin Wolf <[email protected]>
(cherry picked from commit 04bbc3ee52b32ac465547bb40c1f090a1b8f315a)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: b045678f1d15d56e08451e1980c6998dedf01f57
https://github.com/qemu/qemu/commit/b045678f1d15d56e08451e1980c6998dedf01f57
Author: Richard Henderson <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M tcg/tcg.c
Log Message:
-----------
tcg: Reset data_gen_ptr correctly
This pointer needs to be reset after overflow just like
code_buf and code_ptr.
Cc: [email protected]
Fixes: 57a269469db ("tcg: Infrastructure for managing constant pools")
Acked-by: Alistair Francis <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Reviewed-by: LIU Zhiwei <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit a7cfd751fb269de4a93bf1658cb13911c7ac77cc)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 58dc0a07a2b76078f7f4106d648c8ce2c563a8bc
https://github.com/qemu/qemu/commit/58dc0a07a2b76078f7f4106d648c8ce2c563a8bc
Author: Alexander Graf <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M target/i386/tcg/sysemu/excp_helper.c
Log Message:
-----------
target/i386: Walk NPT in guest real mode
When translating virtual to physical address with a guest CPU that
supports nested paging (NPT), we need to perform every page table walk
access indirectly through the NPT, which we correctly do.
However, we treat real mode (no page table walk) special: In that case,
we currently just skip any walks and translate VA -> PA. With NPT
enabled, we also need to then perform NPT walk to do GVA -> GPA -> HPA
which we fail to do so far.
The net result of that is that TCG VMs with NPT enabled that execute
real mode code (like SeaBIOS) end up with GPA==HPA mappings which means
the guest accesses host code and data. This typically shows as failure
to boot guests.
This patch changes the page walk logic for NPT enabled guests so that we
always perform a GVA -> GPA translation and then skip any logic that
requires an actual PTE.
That way, all remaining logic to walk the NPT stays and we successfully
walk the NPT in real mode.
Cc: [email protected]
Fixes: fe441054bb3f0 ("target-i386: Add NPT support")
Signed-off-by: Alexander Graf <[email protected]>
Reported-by: Eduard Vlad <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit b56617bbcb473c25815d1bf475e326f84563b1de)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 88442869cf709f885a9c09fad00b96f802d58ffe
https://github.com/qemu/qemu/commit/88442869cf709f885a9c09fad00b96f802d58ffe
Author: Richard Henderson <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M target/i386/tcg/sysemu/excp_helper.c
Log Message:
-----------
target/i386: Use probe_access_full_mmu in ptw_translate
The probe_access_full_mmu function was designed for this purpose,
and does not report the memory operation event to plugins.
Cc: [email protected]
Fixes: 6d03226b422 ("plugins: force slow path when plugins instrument memory
ops")
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit 115ade42d50144c15b74368d32dc734ea277d853)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: d9fd399d59800f44b6684d109cd4b7240f386f55
https://github.com/qemu/qemu/commit/d9fd399d59800f44b6684d109cd4b7240f386f55
Author: Ilya Leoshkevich <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M linux-user/syscall.c
Log Message:
-----------
linux-user: Emulate /proc/self/maps under mmap_lock
If one thread modifies the mappings and another thread prints them,
a situation may occur that the printer thread sees a guest mapping
without a corresponding host mapping, leading to a crash in
open_self_maps_2().
Cc: [email protected]
Fixes: 7b7a3366e142 ("linux-user: Use walk_memory_regions for open_self_maps")
Signed-off-by: Ilya Leoshkevich <[email protected]>
Reviewed-by: Laurent Vivier <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit bbd5630a75e70a0f1bcf04de74c94aa94a145628)
Signed-off-by: Michael Tokarev <[email protected]>
(Mjt: context fix in linux-user/syscall.c due to missing
v9.0.0-421-g59272469bd13
"user: Use get_task_state() helper")
Commit: 8fe8cd6d8bf3c147b13282655d542298c9185b9f
https://github.com/qemu/qemu/commit/8fe8cd6d8bf3c147b13282655d542298c9185b9f
Author: Ilya Leoshkevich <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M linux-user/ppc/signal.c
Log Message:
-----------
linux-user/ppc: Fix sigmask endianness issue in sigreturn
do_setcontext() copies the target sigmask without endianness handling
and then uses target_to_host_sigset_internal(), which expects a
byte-swapped one. Use target_to_host_sigset() instead.
Fixes: bcd4933a23f1 ("linux-user: ppc signal handling")
Signed-off-by: Ilya Leoshkevich <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit 8704132805cf7a3259d1c5a073b3c2b92afa2616)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 05f7fd01e2a91104f7c79515f1f7f3a563dcdbe6
https://github.com/qemu/qemu/commit/05f7fd01e2a91104f7c79515f1f7f3a563dcdbe6
Author: Yao Zi <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M linux-user/syscall.c
Log Message:
-----------
linux-user/riscv: Fix definition of RISCV_HWPROBE_EXT_ZVFHMIN
Current definition yields a negative 32bits value, messing up hwprobe
result when Zvfhmin extension presents. Replace it by using a 1ULL bit
shift value as done in kernel upstream.
Link:
https://github.com/torvalds/linux/commit/5ea6764d9095e234b024054f75ebbccc4f0eb146
Fixes: a3432cf227 ("linux-user/riscv: Sync hwprobe keys with Linux")
Cc: [email protected]
Signed-off-by: Yao Zi <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit 310df7a9fe400f32cde8a7edf80daad12cd9cf02)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: f5a27139422b6c31ba6f8b7c8f23934f295d692e
https://github.com/qemu/qemu/commit/f5a27139422b6c31ba6f8b7c8f23934f295d692e
Author: Avihai Horon <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M hw/vfio/migration.c
Log Message:
-----------
vfio/migration: Report only stop-copy size in vfio_state_pending_exact()
vfio_state_pending_exact() is used to update migration core how much
device data is left for the device migration. Currently, the sum of
pre-copy and stop-copy sizes of the VFIO device are reported.
The pre-copy size is obtained via the VFIO_MIG_GET_PRECOPY_INFO ioctl,
which returns the amount of device data available to be transferred
while the device is in the PRE_COPY states.
The stop-copy size is obtained via the VFIO_DEVICE_FEATURE_MIG_DATA_SIZE
ioctl, which returns the total amount of device data left to be
transferred in order to complete the device migration.
According to the above, current implementation is wrong -- it reports
extra overlapping data because pre-copy size is already contained in
stop-copy size. Fix it by reporting only stop-copy size.
Fixes: eda7362af959 ("vfio/migration: Add VFIO migration pre-copy support")
Signed-off-by: Avihai Horon <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
(cherry picked from commit 3b5948f808e3b99aedfa0aff45cffbe8b7ec07ed)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: b3ca5c00c48f610a9b11c7c5810b0d79bbfaafe8
https://github.com/qemu/qemu/commit/b3ca5c00c48f610a9b11c7c5810b0d79bbfaafe8
Author: Alex Bennée <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M .gitlab-ci.d/check-dco.py
M .gitlab-ci.d/check-patch.py
Log Message:
-----------
gitlab: make check-[dco|patch] a little more verbose
When git fails the rather terse backtrace only indicates it failed
without some useful context. Add some to make the log a little more
useful.
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Alex Bennée <[email protected]>
Message-Id: <[email protected]>
(cherry picked from commit 97f116f9c6fd127b6ed2953993fa9fb05e82f450)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 2810eccc22f2e101da7dbecdeec4b58bce467b63
https://github.com/qemu/qemu/commit/2810eccc22f2e101da7dbecdeec4b58bce467b63
Author: Pierrick Bouvier <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M tests/docker/dockerfiles/debian-loongarch-cross.docker
Log Message:
-----------
dockerfiles: fix default targets for debian-loongarch-cross
fix system target name, and remove --disable-system (which deactivates
system target).
Found using: make docker-test-build@debian-loongarch-cross V=1
Signed-off-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Thomas Huth <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Alex Bennée <[email protected]>
Message-Id: <[email protected]>
(cherry picked from commit 24be5341fbeea341cca38b59d4c0928a8cf5fac1)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: e0c51649d0fb8b5a2810b144251402b8019bacb5
https://github.com/qemu/qemu/commit/e0c51649d0fb8b5a2810b144251402b8019bacb5
Author: Stefan Weil <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M net/colo-compare.c
Log Message:
-----------
Fix calculation of minimum in colo_compare_tcp
GitHub's CodeQL reports a critical error which is fixed by using the MIN macro:
Unsigned difference expression compared to zero
Signed-off-by: Stefan Weil <[email protected]>
Cc: [email protected]
Reviewed-by: Zhang Chen <[email protected]>
Signed-off-by: Jason Wang <[email protected]>
(cherry picked from commit e29bc931e1699a98959680f6776b48673825762b)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 534b1cccc377845942bdfdf77dbdca70a4c27107
https://github.com/qemu/qemu/commit/534b1cccc377845942bdfdf77dbdca70a4c27107
Author: Daniel P. Berrangé <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M meson.build
M net/meson.build
Log Message:
-----------
net: fix build when libbpf is disabled, but libxdp is enabled
The net/af-xdp.c code is enabled when the libxdp library is present,
however, it also has direct API calls to bpf_xdp_query_id &
bpf_xdp_detach which are provided by the libbpf library.
As a result if building with --disable-libbpf, but libxdp gets
auto-detected, we'll fail to link QEMU
/usr/bin/ld: libcommon.a.p/net_af-xdp.c.o: undefined reference to symbol
'bpf_xdp_query_id@@LIBBPF_0.7.0'
There are two bugs here
* Since we have direct libbpf API calls, when building
net/af-xdp.c, we must tell meson that libbpf is a
dependancy, so that we directly link to it, rather
than relying on indirect linkage.
* When must skip probing for libxdp at all, when libbpf
is not found, raising an error if --enable-libxdp was
given explicitly.
Fixes: cb039ef3d9e3112da01e1ecd9b136ac9809ef733
Signed-off-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Jason Wang <[email protected]>
(cherry picked from commit 1f37280b37dbf85f36748f359a9f8802c8fe7ccd)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: f08ff67c4e756ac5f5a0875328c50c5f9015ab9f
https://github.com/qemu/qemu/commit/f08ff67c4e756ac5f5a0875328c50c5f9015ab9f
Author: Bernhard Beschow <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M net/tap-win32.c
Log Message:
-----------
net/tap-win32: Fix gcc 14 format truncation errors
The patch fixes the following errors generated by GCC 14.2:
../src/net/tap-win32.c:343:19: error: '%s' directive output may be truncated
writing up to 255 bytes into a region of size 176 [-Werror=format-truncation=]
343 | "%s\\%s\\Connection",
| ^~
344 | NETWORK_CONNECTIONS_KEY, enum_name);
| ~~~~~~~~~
../src/net/tap-win32.c:341:9: note: 'snprintf' output between 92 and 347 bytes
into a destination of size 256
341 | snprintf(connection_string,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
342 | sizeof(connection_string),
| ~~~~~~~~~~~~~~~~~~~~~~~~~~
343 | "%s\\%s\\Connection",
| ~~~~~~~~~~~~~~~~~~~~~
344 | NETWORK_CONNECTIONS_KEY, enum_name);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/net/tap-win32.c:242:58: error: '%s' directive output may be truncated
writing up to 255 bytes into a region of size 178 [-Werror=format-truncation=]
242 | snprintf (unit_string, sizeof(unit_string), "%s\\%s",
| ^~
243 | ADAPTER_KEY, enum_name);
| ~~~~~~~~~
../src/net/tap-win32.c:242:9: note: 'snprintf' output between 79 and 334 bytes
into a destination of size 256
242 | snprintf (unit_string, sizeof(unit_string), "%s\\%s",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
243 | ADAPTER_KEY, enum_name);
| ~~~~~~~~~~~~~~~~~~~~~~~
../src/net/tap-win32.c:620:52: error: '%s' directive output may be truncated
writing up to 255 bytes into a region of size 245 [-Werror=format-truncation=]
620 | snprintf (device_path, sizeof(device_path), "%s%s%s",
| ^~
621 | USERMODEDEVICEDIR,
622 | device_guid,
| ~~~~~~~~~~~
../src/net/tap-win32.c:620:5: note: 'snprintf' output between 16 and 271 bytes
into a destination of size 256
620 | snprintf (device_path, sizeof(device_path), "%s%s%s",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
621 | USERMODEDEVICEDIR,
| ~~~~~~~~~~~~~~~~~~
622 | device_guid,
| ~~~~~~~~~~~~
623 | TAPSUFFIX);
| ~~~~~~~~~~
Signed-off-by: Bernhard Beschow <[email protected]>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2607
Cc: [email protected]
Reviewed-by: Michael Tokarev <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Signed-off-by: Jason Wang <[email protected]>
(cherry picked from commit 75fe36b4e8a994cdf9fd6eb601f49e96b1bc791d)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 2ca240692ccc79cd84af963bb6f00e677859c6bb
https://github.com/qemu/qemu/commit/2ca240692ccc79cd84af963bb6f00e677859c6bb
Author: Peter Maydell <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M target/arm/internals.h
Log Message:
-----------
target/arm: Don't assert in regime_is_user() for E10 mmuidx values
In regime_is_user() we assert if we're passed an ARMMMUIdx_E10_*
mmuidx value. This used to make sense because we only used this
function in ptw.c and would never use it on this kind of stage 1+2
mmuidx, only for an individual stage 1 or stage 2 mmuidx.
However, when we implemented FEAT_E0PD we added a callsite in
aa64_va_parameters(), which means this can now be called for
stage 1+2 mmuidx values if the guest sets the TCG_ELX.{E0PD0,E0PD1}
bits to enable use of the feature. This will then result in
an assertion failure later, for instance on a TLBI operation:
#6 0x00007ffff6d0e70f in g_assertion_message_expr
(domain=0x0, file=0x55555676eeba "../../target/arm/internals.h", line=978,
func=0x555556771d48 <__func__.5> "regime_is_user", expr=<optimised out>)
at ../../../glib/gtestutils.c:3279
#7 0x0000555555f286d2 in regime_is_user (env=0x555557f2fe00,
mmu_idx=ARMMMUIdx_E10_0) at ../../target/arm/internals.h:978
#8 0x0000555555f3e31c in aa64_va_parameters (env=0x555557f2fe00,
va=18446744073709551615, mmu_idx=ARMMMUIdx_E10_0, data=true, el1_is_aa32=false)
at ../../target/arm/helper.c:12048
#9 0x0000555555f3163b in tlbi_aa64_get_range (env=0x555557f2fe00,
mmuidx=ARMMMUIdx_E10_0, value=106721347371041) at ../../target/arm/helper.c:5214
#10 0x0000555555f317e8 in do_rvae_write (env=0x555557f2fe00,
value=106721347371041, idxmap=21, synced=true) at ../../target/arm/helper.c:5260
#11 0x0000555555f31925 in tlbi_aa64_rvae1is_write (env=0x555557f2fe00,
ri=0x555557fbeae0, value=106721347371041) at ../../target/arm/helper.c:5302
#12 0x0000555556036f8f in helper_set_cp_reg64 (env=0x555557f2fe00,
rip=0x555557fbeae0, value=106721347371041) at
../../target/arm/tcg/op_helper.c:965
Since we do know whether these mmuidx values are for usermode
or not, we can easily make regime_is_user() handle them:
ARMMMUIdx_E10_0 is user, and the other two are not.
Cc: [email protected]
Fixes: e4c93e44ab103f ("target/arm: Implement FEAT_E0PD")
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Tested-by: Alex Bennée <[email protected]>
Message-id: [email protected]
(cherry picked from commit 1505b651fdbd9af59a4a90876a62ae7ea2d4cd39)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: ddf98aa53c9f4971c1d80dddcf5a2d97718e92c1
https://github.com/qemu/qemu/commit/ddf98aa53c9f4971c1d80dddcf5a2d97718e92c1
Author: Evgenii Prokopiev <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M target/riscv/csr.c
Log Message:
-----------
target/riscv/csr.c: Fix an access to VXSAT
The register VXSAT should be RW only to the first bit.
The remaining bits should be 0.
The RISC-V Instruction Set Manual Volume I: Unprivileged Architecture
The vxsat CSR has a single read-write least-significant bit (vxsat[0])
that indicates if a fixed-point instruction has had to saturate an output
value to fit into a destination format. Bits vxsat[XLEN-1:1]
should be written as zeros.
Signed-off-by: Evgenii Prokopiev <[email protected]>
Reviewed-by: Daniel Henrique Barboza <[email protected]>
Reviewed-by: Alistair Francis <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit 5a60026cad4e9dba929cab4f63229e4b9110cf0a)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: c2773e521d508f4a2a38eccf2dec1ebfc0f9ff57
https://github.com/qemu/qemu/commit/c2773e521d508f4a2a38eccf2dec1ebfc0f9ff57
Author: TANG Tiancheng <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M target/riscv/cpu.h
Log Message:
-----------
target/riscv: Correct SXL return value for RV32 in RV64 QEMU
Ensure that riscv_cpu_sxl returns MXL_RV32 when runningRV32 in an
RV64 QEMU.
Signed-off-by: TANG Tiancheng <[email protected]>
Fixes: 05e6ca5e156 ("target/riscv: Ignore reserved bits in PTE for RV64")
Reviewed-by: Liu Zhiwei <[email protected]>
Reviewed-by: Alistair Francis <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit 929e4277c128772bad41cc795995f754cb9991af)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 665754811d0ee65f2a17ad964d4287369fd01be0
https://github.com/qemu/qemu/commit/665754811d0ee65f2a17ad964d4287369fd01be0
Author: Sergey Makarov <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M hw/intc/sifive_plic.c
Log Message:
-----------
hw/intc: Don't clear pending bits on IRQ lowering
According to PLIC specification (chapter 5), there
is only one case, when interrupt is claimed. Fix
PLIC controller to match this behavior.
Signed-off-by: Sergey Makarov <[email protected]>
Reviewed-by: Alistair Francis <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit a84be2baa9eca8bc500f866ad943b8f63dc99adf)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: d827e1a8d51640929650bc89c23906e9c467687b
https://github.com/qemu/qemu/commit/d827e1a8d51640929650bc89c23906e9c467687b
Author: Rob Bradford <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M target/riscv/cpu.c
Log Message:
-----------
target/riscv: Set vtype.vill on CPU reset
The RISC-V unprivileged specification "31.3.11. State of Vector
Extension at Reset" has a note that recommends vtype.vill be set on
reset as part of ensuring that the vector extension have a consistent
state at reset.
This change now makes QEMU consistent with Spike which sets vtype.vill
on reset.
Signed-off-by: Rob Bradford <[email protected]>
Reviewed-by: Daniel Henrique Barboza <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit f8c1f36a2e3dab4935e7c5690e578ac71765766b)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 51bb79af8fd7c5bb7b64ec1b82750d234e7cfec1
https://github.com/qemu/qemu/commit/51bb79af8fd7c5bb7b64ec1b82750d234e7cfec1
Author: Yong-Xuan Wang <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M hw/intc/riscv_aplic.c
Log Message:
-----------
hw/intc/riscv_aplic: Check and update pending when write sourcecfg
The section 4.5.2 of the RISC-V AIA specification says that any write
to a sourcecfg register of an APLIC might (or might not) cause the
corresponding interrupt-pending bit to be set to one if the rectified
input value is high (= 1) under the new source mode.
If an interrupt is asserted before the driver configs its interrupt
type to APLIC, it's pending bit will not be set except a relevant
write to a setip or setipnum register. When we write the interrupt
type to sourcecfg register, if the APLIC device doesn't check
rectified input value and update the pending bit, this interrupt
might never becomes pending.
For APLIC.m, we can manully set pending by setip or setipnum
registers in driver. But for APLIC.w, the pending status totally
depends on the rectified input value, we can't control the pending
status via mmio registers. In this case, hw should check and update
pending status for us when writing sourcecfg registers.
Update QEMU emulation to handle "pre-existing" interrupts.
Signed-off-by: Yong-Xuan Wang <[email protected]>
Acked-by: Alistair Francis <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit 2ae6cca1d3389801ee72fc5e58c52573218f3514)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 68ff27472b64f8ef0e00a7140696951c83f2e43b
https://github.com/qemu/qemu/commit/68ff27472b64f8ef0e00a7140696951c83f2e43b
Author: Daniel Henrique Barboza <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M target/riscv/kvm/kvm-cpu.c
Log Message:
-----------
target/riscv/kvm: set 'aia_mode' to default in error path
When failing to set the selected AIA mode, 'aia_mode' is left untouched.
This means that 'aia_mode' will not reflect the actual AIA mode,
retrieved in 'default_aia_mode',
This is benign for now, but it will impact QMP query commands that will
expose the 'aia_mode' value, retrieving the wrong value.
Set 'aia_mode' to 'default_aia_mode' if we fail to change the AIA mode
in KVM.
While we're at it, rework the log/warning messages to be a bit less
verbose. Instead of:
KVM AIA: default mode is emul
qemu-system-riscv64: warning: KVM AIA: failed to set KVM AIA mode
We can use a single warning message:
qemu-system-riscv64: warning: KVM AIA: failed to set KVM AIA mode 'auto', using
default host mode 'emul'
Signed-off-by: Daniel Henrique Barboza <[email protected]>
Acked-by: Alistair Francis <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit d201a127e164b1683df5e7c93c6d42a74122db99)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: f0bca4576c5dbe58063c2d79e6100961696d9c27
https://github.com/qemu/qemu/commit/f0bca4576c5dbe58063c2d79e6100961696d9c27
Author: Daniel Henrique Barboza <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M target/riscv/kvm/kvm-cpu.c
Log Message:
-----------
target/riscv/kvm: clarify how 'riscv-aia' default works
We do not have control in the default 'riscv-aia' default value. We can
try to set it to a specific value, in this case 'auto', but there's no
guarantee that the host will accept it.
Couple with this we're always doing a 'qemu_log' to inform whether we're
ended up using the host default or if we managed to set the AIA mode to
the QEMU default we wanted to set.
Change the 'riscv-aia' description to better reflect how the option
works, and remove the two informative 'qemu_log' that are now unneeded:
if no message shows, riscv-aia was set to the default or uset-set value.
Signed-off-by: Daniel Henrique Barboza <[email protected]>
Acked-by: Alistair Francis <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit fd16cfb2995e9196b579d8885145c4247dfa6058)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 1eb81dfac96be1b47b9efbcaec7e2dd08c3e0a2e
https://github.com/qemu/qemu/commit/1eb81dfac96be1b47b9efbcaec7e2dd08c3e0a2e
Author: Anton Blanchard <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M target/riscv/vector_helper.c
Log Message:
-----------
target/riscv: Fix vcompress with rvv_ta_all_1s
vcompress packs vl or less fields into vd, so the tail starts after the
last packed field. This could be more clearly expressed in the ISA,
but for now this thread helps to explain it:
https://github.com/riscv/riscv-v-spec/issues/796
Signed-off-by: Anton Blanchard <[email protected]>
Reviewed-by: Daniel Henrique Barboza <[email protected]>
Reviewed-by: Alistair Francis <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit c128d39edeff337220fc536a3e935bcba01ecb49)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 6cfa03eaec0e1b46768644b6509de1a6dd872114
https://github.com/qemu/qemu/commit/6cfa03eaec0e1b46768644b6509de1a6dd872114
Author: Ilya Leoshkevich <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M target/ppc/translate.c
Log Message:
-----------
target/ppc: Set ctx->opcode for decode_insn32()
divdu (without a dot) sometimes updates cr0, even though it shouldn't.
The reason is that gen_op_arith_divd() checks Rc(ctx->opcode), which is
not initialized. This field is initialized only for instructions that
go through decode_legacy(), and not decodetree.
There already was a similar issue fixed in commit 86e6202a57b1
("target/ppc: Make divw[u] handler method decodetree compatible.").
It's not immediately clear what else may access the uninitialized
ctx->opcode, so instead of playing whack-a-mole and changing the check
to compute_rc0, simply initialize ctx->opcode.
Cc: [email protected]
Fixes: 99082815f17f ("target/ppc: Add infrastructure for prefixed insns")
Reviewed-by: Richard Henderson <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Ilya Leoshkevich <[email protected]>
Signed-off-by: Nicholas Piggin <[email protected]>
(cherry picked from commit c9b8a13a8841e0e23901e57e24ea98eeef16cf91)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: d10fbfc7dee5f24cbad33f1aab64941b16efd586
https://github.com/qemu/qemu/commit/d10fbfc7dee5f24cbad33f1aab64941b16efd586
Author: Nicholas Piggin <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M target/ppc/misc_helper.c
Log Message:
-----------
target/ppc: Fix mtDPDES targeting SMT siblings
A typo in the loop over SMT threads to set irq level for doorbells
when storing to DPDES meant everything was aimed at the CPU executing
the instruction.
Cc: [email protected]
Fixes: d24e80b2ae ("target/ppc: Add msgsnd/p and DPDES SMT support")
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Nicholas Piggin <[email protected]>
(cherry picked from commit 0324d236d2918c18a9ad4a1081b1083965a1433b)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 6edb85f828a4980413c2fe510093358815d12002
https://github.com/qemu/qemu/commit/6edb85f828a4980413c2fe510093358815d12002
Author: Nicholas Piggin <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M hw/intc/spapr_xive_kvm.c
M hw/intc/xive.c
M include/hw/ppc/xive.h
Log Message:
-----------
ppc/xive: Fix ESB length overflow on 32-bit hosts
The length of this region can be > 32-bits, which overflows size_t on
32-bit hosts. Change to uint64_t.
Signed-off-by: Nicholas Piggin <[email protected]>
(cherry picked from commit 07f2770503e24889720028ddf9ef54788ddf3b6d)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: b81022f69e931d8721b567116b0c59960b15f2d3
https://github.com/qemu/qemu/commit/b81022f69e931d8721b567116b0c59960b15f2d3
Author: Jonathan Cameron <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M hw/acpi/acpi_generic_initiator.c
Log Message:
-----------
hw/acpi: Fix ordering of BDF in Generic Initiator PCI Device Handle.
The ordering in ACPI specification [1] has bus number in the lowest byte.
As ACPI tables are little endian this is the reverse of the ordering
used by PCI_BUILD_BDF(). As a minimal fix split the QEMU BDF up
into bus and devfn and write them as single bytes in the correct
order.
[1] ACPI Spec 6.3, Table 5.80
Fixes: 0a5b5acdf2d8 ("hw/acpi: Implement the SRAT GI affinity structure")
Reviewed-by: Igor Mammedov <[email protected]>
Tested-by: "Huang, Ying" <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>
(cherry picked from commit 16c687d84574a1139a6475c33e3b9191f7932ac0)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 64bcf5ff5796a8f461fe10d4b31de63e1588205c
https://github.com/qemu/qemu/commit/64bcf5ff5796a8f461fe10d4b31de63e1588205c
Author: Peter Maydell <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M target/arm/cpu.h
M target/arm/helper.c
M target/arm/internals.h
M target/arm/ptw.c
M target/arm/tcg/hflags.c
M target/arm/tcg/translate-a64.c
M target/arm/tcg/translate.c
M target/arm/tcg/translate.h
Log Message:
-----------
Revert "target/arm: Fix usage of MMU indexes when EL3 is AArch32"
This reverts commit 4c2c0474693229c1f533239bb983495c5427784d.
(2b5c04d82eb2378d3cb00b2d3057db99530d13e6 in stable-9.0 series)
This commit tried to fix a problem with our usage of MMU indexes when
EL3 is AArch32, using what it described as a "more complicated
approach" where we share the same MMU index values for Secure PL1&0
and NonSecure PL1&0. In theory this should work, but the change
didn't account for (at least) two things:
(1) The design change means we need to flush the TLBs at any point
where the CPU state flips from one to the other. We already flush
the TLB when SCR.NS is changed, but we don't flush the TLB when we
take an exception from NS PL1&0 into Mon or when we return from Mon
to NS PL1&0, and the commit didn't add any code to do that.
(2) The ATS12NS* address translate instructions allow Mon code (which
is Secure) to do a stage 1+2 page table walk for NS. I thought this
was OK because do_ats_write() does a page table walk which doesn't
use the TLBs, so because it can pass both the MMU index and also an
ARMSecuritySpace argument we can tell the table walk that we want NS
stage1+2, not S. But that means that all the code within the ptw
that needs to find e.g. the regime EL cannot do so only with an
mmu_idx -- all these functions like regime_sctlr(), regime_el(), etc
would need to pass both an mmu_idx and the security_space, so they
can tell whether this is a translation regime controlled by EL1 or
EL3 (and so whether to look at SCTLR.S or SCTLR.NS, etc).
In particular, because regime_el() wasn't updated to look at the
ARMSecuritySpace it would return 1 even when the CPU was in Monitor
mode (and the controlling EL is 3). This meant that page table walks
in Monitor mode would look at the wrong SCTLR, TCR, etc and would
generally fault when they should not.
Rather than trying to make the complicated changes needed to rescue
the design of 4c2c04746932, we revert it in order to instead take the
route that that commit describes as "the most straightforward" fix,
where we add new MMU indexes EL30_0, EL30_3, EL30_3_PAN to correspond
to "Secure PL1&0 at PL0", "Secure PL1&0 at PL1", and "Secure PL1&0 at
PL1 with PAN".
This revert will re-expose the "spurious alignment faults in
Secure PL0" issue #2326; we'll fix it again in the next commit.
Cc: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Tested-by: Thomas Huth <[email protected]>
Message-id: [email protected]
Reviewed-by: Richard Henderson <[email protected]>
(cherry picked from commit 056c5c90c171c4895b407af0cf3d198e1d44b40f)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 4a18d8f28acb67139d01a2b7666adf0abc0b78fe
https://github.com/qemu/qemu/commit/4a18d8f28acb67139d01a2b7666adf0abc0b78fe
Author: Peter Maydell <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M target/arm/cpu.h
M target/arm/helper.c
M target/arm/internals.h
M target/arm/ptw.c
M target/arm/tcg/op_helper.c
M target/arm/tcg/translate.c
Log Message:
-----------
target/arm: Add new MMU indexes for AArch32 Secure PL1&0
Our current usage of MMU indexes when EL3 is AArch32 is confused.
Architecturally, when EL3 is AArch32, all Secure code runs under the
Secure PL1&0 translation regime:
* code at EL3, which might be Mon, or SVC, or any of the
other privileged modes (PL1)
* code at EL0 (Secure PL0)
This is different from when EL3 is AArch64, in which case EL3 is its
own translation regime, and EL1 and EL0 (whether AArch32 or AArch64)
have their own regime.
We claimed to be mapping Secure PL1 to our ARMMMUIdx_EL3, but didn't
do anything special about Secure PL0, which meant it used the same
ARMMMUIdx_EL10_0 that NonSecure PL0 does. This resulted in a bug
where arm_sctlr() incorrectly picked the NonSecure SCTLR as the
controlling register when in Secure PL0, which meant we were
spuriously generating alignment faults because we were looking at the
wrong SCTLR control bits.
The use of ARMMMUIdx_EL3 for Secure PL1 also resulted in the bug that
we wouldn't honour the PAN bit for Secure PL1, because there's no
equivalent _PAN mmu index for it.
Fix this by adding two new MMU indexes:
* ARMMMUIdx_E30_0 is for Secure PL0
* ARMMMUIdx_E30_3_PAN is for Secure PL1 when PAN is enabled
The existing ARMMMUIdx_E3 is used to mean "Secure PL1 without PAN"
(and would be named ARMMMUIdx_E30_3 in an AArch32-centric scheme).
These extra two indexes bring us up to the maximum of 16 that the
core code can currently support.
This commit:
* adds the new MMU index handling to the various places
where we deal in MMU index values
* adds assertions that we aren't AArch32 EL3 in a couple of
places that currently use the E10 indexes, to document why
they don't also need to handle the E30 indexes
* documents in a comment why regime_has_2_ranges() doesn't need
updating
Notes for backporting: this commit depends on the preceding revert of
4c2c04746932; that revert and this commit should probably be
backported to everywhere that we originally backported 4c2c04746932.
Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2326
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2588
Signed-off-by: Peter Maydell <[email protected]>
Tested-by: Thomas Huth <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-id: [email protected]
(cherry picked from commit efbe180ad2ed75d4cc64dfc6fb46a015eef713d1)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 01fab01a730b1be17c7e3e593b8909f5d053d65a
https://github.com/qemu/qemu/commit/01fab01a730b1be17c7e3e593b8909f5d053d65a
Author: Peter Maydell <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M target/arm/tcg/vec_helper.c
Log Message:
-----------
target/arm: Fix SVE SDOT/UDOT/USDOT (4-way, indexed)
Our implementation of the indexed version of SVE SDOT/UDOT/USDOT got
the calculation of the inner loop terminator wrong. Although we
correctly account for the element size when we calculate the
terminator for the first iteration:
intptr_t segend = MIN(16 / sizeof(TYPED), opr_sz_n);
we don't do that when we move it forward after the first inner loop
completes. The intention is that we process the vector in 128-bit
segments, which for a 64-bit element size should mean (1, 2), (3, 4),
(5, 6), etc. This bug meant that we would iterate (1, 2), (3, 4, 5,
6), (7, 8, 9, 10) etc and apply the wrong indexed element to some of
the operations, and also index off the end of the vector.
You don't see this bug if the vector length is small enough that we
don't need to iterate the outer loop, i.e. if it is only 128 bits,
or if it is the 64-bit special case from AA32/AA64 AdvSIMD. If the
vector length is 256 bits then we calculate the right results for the
elements in the vector but do index off the end of the vector. Vector
lengths greater than 256 bits see wrong answers. The instructions
that produce 32-bit results behave correctly.
Fix the recalculation of 'segend' for subsequent iterations, and
restore a version of the comment that was lost in the refactor of
commit 7020ffd656a5 that explains why we only need to clamp segend to
opr_sz_n for the first iteration, not the later ones.
Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2595
Fixes: 7020ffd656a5 ("target/arm: Macroize helper_gvec_{s,u}dot_idx_{b,h}")
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-id: [email protected]
(cherry picked from commit e6b2fa1b81ac6b05c4397237c846a295a9857920)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 361eed7eb1d9541da2c39448bd6dcca8fba2da2c
https://github.com/qemu/qemu/commit/361eed7eb1d9541da2c39448bd6dcca8fba2da2c
Author: Hanna Czenczek <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M migration/vmstate.c
Log Message:
-----------
migration: Ensure vmstate_save() sets errp
migration/savevm.c contains some calls to vmstate_save() that are
followed by migrate_set_error() if the integer return value indicates an
error. migrate_set_error() requires that the `Error *` object passed to
it is set. Therefore, vmstate_save() is assumed to always set *errp on
error.
Right now, that assumption is not met: vmstate_save_state_v() (called
internally by vmstate_save()) will not set *errp if
vmstate_subsection_save() or vmsd->post_save() fail. Fix that by adding
an *errp parameter to vmstate_subsection_save(), and by generating a
generic error in case post_save() fails (as is already done for
pre_save()).
Without this patch, qemu will crash after vmstate_subsection_save() or
post_save() have failed inside of a vmstate_save() call (unless
migrate_set_error() then happen to discard the new error because
s->error is already set). This happens e.g. when receiving the state
from a virtio-fs back-end (virtiofsd) fails.
Signed-off-by: Hanna Czenczek <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Peter Xu <[email protected]>
(cherry picked from commit 37dfcba1a04989830c706f9cbc00450e5d3a7447)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 1bb5f8d82b6ed9142f38b21f8e2241226b367f6b
https://github.com/qemu/qemu/commit/1bb5f8d82b6ed9142f38b21f8e2241226b367f6b
Author: Klaus Jensen <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M hw/nvme/ctrl.c
Log Message:
-----------
hw/nvme: fix handling of over-committed queues
If a host chooses to use the SQHD "hint" in the CQE to know if there is
room in the submission queue for additional commands, it may result in a
situation where there are not enough internal resources (struct
NvmeRequest) available to process the command. For a lack of a better
term, the host may "over-commit" the device (i.e., it may have more
inflight commands than the queue size).
For example, assume a queue with N entries. The host submits N commands
and all are picked up for processing, advancing the head and emptying
the queue. Regardless of which of these N commands complete first, the
SQHD field of that CQE will indicate to the host that the queue is
empty, which allows the host to issue N commands again. However, if the
device has not posted CQEs for all the previous commands yet, the device
will have less than N resources available to process the commands, so
queue processing is suspended.
And here lies an 11 year latent bug. In the absense of any additional
tail updates on the submission queue, we never schedule the processing
bottom-half again unless we observe a head update on an associated full
completion queue. This has been sufficient to handle N-to-1 SQ/CQ setups
(in the absense of over-commit of course). Incidentially, that "kick all
associated SQs" mechanism can now be killed since we now just schedule
queue processing when we return a processing resource to a non-empty
submission queue, which happens to cover both edge cases. However, we
must retain kicking the CQ if it was previously full.
So, apparently, no previous driver tested with hw/nvme has ever used
SQHD (e.g., neither the Linux NVMe driver or SPDK uses it). But then OSv
shows up with the driver that actually does. I salute you.
Fixes: f3c507adcd7b ("NVMe: Initial commit for new storage interface")
Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2388
Reported-by: Waldemar Kozaczuk <[email protected]>
Reviewed-by: Keith Busch <[email protected]>
Signed-off-by: Klaus Jensen <[email protected]>
(cherry picked from commit 9529aa6bb4d18763f5b4704cb4198bd25cbbee31)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 5f590d437ca0fb1eb98fa3315e2fcbf0e13110d2
https://github.com/qemu/qemu/commit/5f590d437ca0fb1eb98fa3315e2fcbf0e13110d2
Author: Christian Schoenebeck <[email protected]>
Date: 2024-11-10 (Sun, 10 Nov 2024)
Changed paths:
M hw/9pfs/9p.c
Log Message:
-----------
9pfs: fix crash on 'Treaddir' request
A bad (broken or malicious) 9p client (guest) could cause QEMU host to
crash by sending a 9p 'Treaddir' request with a numeric file ID (FID) that
was previously opened for a file instead of an expected directory:
#0 0x0000762aff8f4919 in __GI___rewinddir (dirp=0xf) at
../sysdeps/unix/sysv/linux/rewinddir.c:29
#1 0x0000557b7625fb40 in do_readdir_many (pdu=0x557bb67d2eb0,
fidp=0x557bb67955b0, entries=0x762afe9fff58, offset=0, maxsize=131072,
dostat=<optimized out>) at ../hw/9pfs/codir.c:101
#2 v9fs_co_readdir_many (pdu=pdu@entry=0x557bb67d2eb0,
fidp=fidp@entry=0x557bb67955b0, entries=entries@entry=0x762afe9fff58,
offset=0, maxsize=131072, dostat=false) at ../hw/9pfs/codir.c:226
#3 0x0000557b7625c1f9 in v9fs_do_readdir (pdu=0x557bb67d2eb0,
fidp=0x557bb67955b0, offset=<optimized out>,
max_count=<optimized out>) at ../hw/9pfs/9p.c:2488
#4 v9fs_readdir (opaque=0x557bb67d2eb0) at ../hw/9pfs/9p.c:2602
That's because V9fsFidOpenState was declared as union type. So the
same memory region is used for either an open POSIX file handle (int),
or a POSIX DIR* pointer, etc., so 9p server incorrectly used the
previously opened (valid) POSIX file handle (0xf) as DIR* pointer,
eventually causing a crash in glibc's rewinddir() function.
Root cause was therefore a missing check in 9p server's 'Treaddir'
request handler, which must ensure that the client supplied FID was
really opened as directory stream before trying to access the
aforementioned union and its DIR* member.
Cc: [email protected]
Fixes: d62dbb51f7 ("virtio-9p: Add fidtype so that we can do type ...")
Reported-by: Akihiro Suda <[email protected]>
Tested-by: Akihiro Suda <[email protected]>
Signed-off-by: Christian Schoenebeck <[email protected]>
Reviewed-by: Greg Kurz <[email protected]>
Message-Id: <[email protected]>
(cherry picked from commit 042b4ebfd2298ae01553844124f27d651cdb1071)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 1a629dc2f20ab8a4e619cb12d69284d8641c4e56
https://github.com/qemu/qemu/commit/1a629dc2f20ab8a4e619cb12d69284d8641c4e56
Author: Alexander Graf <[email protected]>
Date: 2024-11-13 (Wed, 13 Nov 2024)
Changed paths:
M target/i386/cpu.h
M target/i386/tcg/seg_helper.c
M target/i386/tcg/sysemu/excp_helper.c
Log Message:
-----------
target/i386: Fix legacy page table walk
Commit b56617bbcb4 ("target/i386: Walk NPT in guest real mode") added
logic to run the page table walker even in real mode if we are in NPT
mode. That function then determined whether real mode or paging is
active based on whether the pg_mode variable was 0.
Unfortunately pg_mode is 0 in two situations:
1) Paging is disabled (real mode)
2) Paging is in 2-level paging mode (32bit without PAE)
That means the walker now assumed that 2-level paging mode was real
mode, breaking NetBSD as well as Windows XP.
To fix that, this patch adds a new PG flag to pg_mode which indicates
whether paging is active at all and uses that to determine whether we
are in real mode or not.
Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2654
Fixes: b56617bbcb4 ("target/i386: Walk NPT in guest real mode")
Fixes: 58dc0a07a2b (commit b56617bbcb4 in stable-9.0.x series)
Signed-off-by: Alexander Graf <[email protected]>
Reported-by: Mark Cave-Ayland <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 8fa11a4df344f58375eb26b3b65004345f21ef37)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 7ca2aa5f5388fbcaea11c4e09ab4d53ff6c34b83
https://github.com/qemu/qemu/commit/7ca2aa5f5388fbcaea11c4e09ab4d53ff6c34b83
Author: Peter Maydell <[email protected]>
Date: 2024-11-13 (Wed, 13 Nov 2024)
Changed paths:
M hw/i386/pc.c
Log Message:
-----------
hw/i386/pc: Don't try to init PCI NICs if there is no PCI bus
The 'isapc' machine type has no PCI bus, but pc_nic_init() still
calls pci_init_nic_devices() passing it a NULL bus pointer. This
causes the clang sanitizer to complain:
$ ./build/clang/qemu-system-i386 -M isapc
../../hw/pci/pci.c:1866:39: runtime error: member access within null pointer of
type 'PCIBus' (aka 'struct PCIBus')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
../../hw/pci/pci.c:1866:39 in
This is because pci_init_nic_devices() does
&bus->qbus
which is undefined behaviour on a NULL pointer even though we're not
actually dereferencing the pointer. (We don't actually crash as
a result, so if you aren't running a sanitizer build then there
are no user-visible effects.)
Make pc_nic_init() avoid trying to initialize PCI NICs on a non-PCI
system.
Cc: [email protected]
Fixes: 8d39f9ba14d64 ("hw/i386/pc: use qemu_get_nic_info() and
pci_init_nic_devices()")
Signed-off-by: Peter Maydell <[email protected]>
Link:
https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit bd0e501e1a4813fa36a4cf9842aaf430323a03c3)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: b8fb4b2633fa848aa7def0f5149a4257d69f982b
https://github.com/qemu/qemu/commit/b8fb4b2633fa848aa7def0f5149a4257d69f982b
Author: Helge Deller <[email protected]>
Date: 2024-11-17 (Sun, 17 Nov 2024)
Changed paths:
M linux-user/syscall.c
Log Message:
-----------
linux-user: Fix setreuid and setregid to use direct syscalls
The commit fd6f7798ac30 ("linux-user: Use direct syscalls for setuid(),
etc") added direct syscall wrappers for setuid(), setgid(), etc since the
system calls have different semantics than the libc functions.
Add and use the corresponding wrappers for setreuid and setregid which
were missed in that commit.
This fixes the build of the debian package of the uid_wrapper library
(https://cwrap.org/uid_wrapper.html) when running linux-user.
Cc: [email protected]
Signed-off-by: Helge Deller <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Reviewed-by: Ilya Leoshkevich <[email protected]>
Message-ID: <Zyo2jMKqq8hG8Pkz@p100>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit 8491026a08b417b2d4070f7c373dcb43134c5312)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 589adaa11d857ea46a1cdcf631bb7b687920f3af
https://github.com/qemu/qemu/commit/589adaa11d857ea46a1cdcf631bb7b687920f3af
Author: Richard Henderson <[email protected]>
Date: 2024-11-17 (Sun, 17 Nov 2024)
Changed paths:
M target/arm/tcg/sve_helper.c
Log Message:
-----------
target/arm: Drop user-only special case in sve_stN_r
This path is reachable with plugins enabled, and provoked
with run-plugin-catch-syscalls-with-libinline.so.
Cc: [email protected]
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit f27550804688da43c6e0d87b2f9e143adbf76271)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 0d87dad07e9d4d95270bb680b326ce17eadb83ec
https://github.com/qemu/qemu/commit/0d87dad07e9d4d95270bb680b326ce17eadb83ec
Author: Richard Henderson <[email protected]>
Date: 2024-11-17 (Sun, 17 Nov 2024)
Changed paths:
M accel/tcg/user-exec.c
Log Message:
-----------
accel/tcg: Fix user-only probe_access_internal plugin check
The acc_flag check for write should have been against PAGE_WRITE_ORG,
not PAGE_WRITE. But it is better to combine two acc_flag checks
to a single check against access_type. This matches the system code
in cputlb.c.
Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2647
Signed-off-by: Richard Henderson <[email protected]>
Message-Id: [email protected]
Reviewed-by: Alex Bennée <[email protected]>
(cherry picked from commit 2a339fee450638b512c5122281cb5ab49331cfb8)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 85694e44816b8ee1729c774796d3fd9d3968388c
https://github.com/qemu/qemu/commit/85694e44816b8ee1729c774796d3fd9d3968388c
Author: Ilya Leoshkevich <[email protected]>
Date: 2024-11-17 (Sun, 17 Nov 2024)
Changed paths:
M linux-user/elfload.c
Log Message:
-----------
linux-user: Tolerate CONFIG_LSM_MMAP_MIN_ADDR
Running qemu-i386 on a system running with SELinux in enforcing mode
(more precisely: s390x trixie container on Fedora 40) fails with:
qemu-i386: tests/tcg/i386-linux-user/sigreturn-sigmask: Unable to find a
guest_base to satisfy all guest address mapping requirements
00000000-ffffffff
The reason is that main() determines mmap_min_addr from
/proc/sys/vm/mmap_min_addr, but SELinux additionally defines
CONFIG_LSM_MMAP_MIN_ADDR, which is normally larger: 32K or 64K, but,
in general, can be anything. There is no portable way to query its
value: /boot/config, /proc/config and /proc/config.gz are distro- and
environment-specific.
Once the identity map fails, the magnitude of guest_base does not
matter, so fix by starting the search from 1M or 1G.
Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2598
Suggested-by: Richard Henderson <[email protected]>
Signed-off-by: Ilya Leoshkevich <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit fb7f3572b111ffb6c2dd2c7f6c5b4dc57dd8a3f5)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 9451f88fab477a152ccae8c68d4472be4f9677dc
https://github.com/qemu/qemu/commit/9451f88fab477a152ccae8c68d4472be4f9677dc
Author: Richard Henderson <[email protected]>
Date: 2024-11-17 (Sun, 17 Nov 2024)
Changed paths:
M linux-user/arm/Makefile.vdso
M linux-user/arm/vdso-be.so
M linux-user/arm/vdso-le.so
Log Message:
-----------
linux-user/arm: Reduce vdso alignment to 4k
Reduce vdso alignment to minimum page size.
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit f7150b2151398c9274686d06c2c1e24618aa4cd6)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: b6d20a7346c2984af6d56fffa24017fff20c6e48
https://github.com/qemu/qemu/commit/b6d20a7346c2984af6d56fffa24017fff20c6e48
Author: Richard Henderson <[email protected]>
Date: 2024-11-17 (Sun, 17 Nov 2024)
Changed paths:
M linux-user/arm/Makefile.vdso
M linux-user/arm/meson.build
R linux-user/arm/vdso-be.so
A linux-user/arm/vdso-be32.so
A linux-user/arm/vdso-be8.so
M linux-user/elfload.c
Log Message:
-----------
linux-user/arm: Select vdso for be8 and be32 modes
In be8 mode, instructions are little-endian.
In be32 mode, instructions are big-endian.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2333
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit 95c9e2209cc09453cfd49e91321df254ccbf466f)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 20654224c55a2688859b15f3100dd8d68fb50eee
https://github.com/qemu/qemu/commit/20654224c55a2688859b15f3100dd8d68fb50eee
Author: Peter Maydell <[email protected]>
Date: 2024-11-17 (Sun, 17 Nov 2024)
Changed paths:
M tcg/tcg-op-gvec.c
Log Message:
-----------
tcg: Allow top bit of SIMD_DATA_BITS to be set in simd_desc()
In simd_desc() we create a SIMD descriptor from various pieces
including an arbitrary data value from the caller. We try to
sanitize these to make sure everything will fit: the 'data' value
needs to fit in the SIMD_DATA_BITS (== 22) sized field. However we
do that sanitizing with:
tcg_debug_assert(data == sextract32(data, 0, SIMD_DATA_BITS));
This works for the case where the data is supposed to be considered
as a signed integer (which can then be returned via simd_data()).
However, some callers want to treat the data value as unsigned.
Specifically, for the Arm SVE operations, make_svemte_desc()
assembles a data value as a collection of fields, and it needs to use
all 22 bits. Currently if MTE is enabled then its MTEDESC SIZEM1
field may have the most significant bit set, and then it will trip
this assertion.
Loosen the assertion so that we only check that the data value will
fit into the field in some way, either as a signed or as an unsigned
value. This means we will fail to detect some kinds of bug in the
callers, but we won't spuriously assert for intentional use of the
data field as unsigned.
Cc: [email protected]
Fixes: db432672dc50e ("tcg: Add generic vector expanders")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2601
Signed-off-by: Peter Maydell <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit 8377e3fb854d126ba10e61cb6b60885af8443ad4)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: fe1f8cfad3a5f8a3f1e99bb4e89c9ed71780ee2a
https://github.com/qemu/qemu/commit/fe1f8cfad3a5f8a3f1e99bb4e89c9ed71780ee2a
Author: Pierrick Bouvier <[email protected]>
Date: 2024-11-17 (Sun, 17 Nov 2024)
Changed paths:
M target/i386/tcg/sysemu/excp_helper.c
Log Message:
-----------
target/i386: fix hang when using slow path for ptw_setl
When instrumenting memory accesses for plugin, we force memory accesses
to use the slow path for mmu [1]. This create a situation where we end
up calling ptw_setl_slow. This was fixed recently in [2] but the issue
still could appear out of plugins use case.
Since this function gets called during a cpu_exec, start_exclusive then
hangs. This exclusive section was introduced initially for security
reasons [3].
I suspect this code path was never triggered, because ptw_setl_slow
would always be called transitively from cpu_exec, resulting in a hang.
[1]
https://gitlab.com/qemu-project/qemu/-/commit/6d03226b42247b68ab2f0b3663e0f624335a4055
[2]
https://gitlab.com/qemu-project/qemu/-/commit/115ade42d50144c15b74368d32dc734ea277d853
[2]
https://gitlab.com/qemu-project/qemu/-/commit/88442869cf709f885a9c09fad00b96f802d58ffe
in 9.0.x series
[3] https://gitlab.com/qemu-project/qemu/-/issues/279
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2566
Signed-off-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit 7ba055b49b74c4d2f4a338c5198485bdff373fb1)
Signed-off-by: Michael Tokarev <[email protected]>
(Mjt: mention [2] in 9.0.x series)
Commit: f7840ef5fd43f9f5c1aefee90af310118346325f
https://github.com/qemu/qemu/commit/f7840ef5fd43f9f5c1aefee90af310118346325f
Author: Alex Bennée <[email protected]>
Date: 2024-11-18 (Mon, 18 Nov 2024)
Changed paths:
M contrib/plugins/lockstep.c
Log Message:
-----------
contrib/plugins: add compat for g_memdup2
We were premature if bumping this because some of our builds are still
on older glibs. Just copy the compat handler for now and we can remove
it later.
Fixes: ee293103b0 (plugins: update lockstep to use g_memdup2)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2161
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Alex Bennée <[email protected]>
Message-Id: <[email protected]>
(cherry picked from commit 44e794896759236885f6d30d1f6b9b8b76355d52)
Signed-off-by: Michael Tokarev <[email protected]>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2681 in 9.0.x
Commit: 219ab45b91b55073288b00391c75aed136d3394f
https://github.com/qemu/qemu/commit/219ab45b91b55073288b00391c75aed136d3394f
Author: Thomas Huth <[email protected]>
Date: 2024-11-18 (Mon, 18 Nov 2024)
Changed paths:
M include/hw/misc/mos6522.h
Log Message:
-----------
hw/misc/mos6522: Fix bad class definition of the MOS6522 device
When compiling QEMU with --enable-cfi, the "q800" m68k machine
currently crashes very early, when the q800_machine_init() function
tries to wire the interrupts of the "via1" device.
This happens because TYPE_MOS6522_Q800_VIA1 is supposed to be a
proper SysBus device, but its parent (TYPE_MOS6522) has a mistake
in its class definition where it is only derived from DeviceClass,
and not from SysBusDeviceClass, so we end up in funny memory access
issues here. Using the right class hierarchy for the MOS6522 device
fixes the problem.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2675
Signed-off-by: Thomas Huth <[email protected]>
Fixes: 51f233ec92 ("misc: introduce new mos6522 VIA device")
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Mark Cave-Ayland <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit c3d7c18b0d616cf7fb3c1f325503e1462307209d)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 1debb955f63bd7e0e60e280c240cf5a90a871f11
https://github.com/qemu/qemu/commit/1debb955f63bd7e0e60e280c240cf5a90a871f11
Author: Paolo Bonzini <[email protected]>
Date: 2024-11-18 (Mon, 18 Nov 2024)
Changed paths:
M hw/audio/hda-codec.c
Log Message:
-----------
hw/audio/hda: fix memory leak on audio setup
When SET_STREAM_FORMAT is called, the st->buft timer is overwritten, thus
causing a memory leak. This was originally fixed in commit 816139ae6a5
("hw/audio/hda: fix memory leak on audio setup", 2024-11-14) but that
caused the audio to break in SPICE.
Fortunately, a simpler fix is possible. The timer only needs to be
reset, because the callback is always the same (st->output is set at
realize time in hda_audio_init); call to timer_new_ns overkill. Replace
it with timer_del and only initialize the timer once; for simplicity,
do it even if use_timer is false.
An even simpler fix would be to free the old time in hda_audio_setup().
However, it seems better to place the initialization of the timer close
to that of st->ouput.
Cc: [email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit 626b39006d2f9b1378a04cb88a2187bb852cb055)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 3c271647b0357d860cfbb9dfb110febcea512d55
https://github.com/qemu/qemu/commit/3c271647b0357d860cfbb9dfb110febcea512d55
Author: Guenter Roeck <[email protected]>
Date: 2024-11-18 (Mon, 18 Nov 2024)
Changed paths:
M hw/usb/dev-hub.c
Log Message:
-----------
usb-hub: Fix handling port power control messages
The ClearPortFeature control message fails for PORT_POWER because there
is no break; at the end of the case statement, causing it to fall through
to the failure handler. Add the missing break; to solve the problem.
Fixes: 1cc403eb21 ("usb-hub: emulate per port power switching")
Signed-off-by: Guenter Roeck <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit b2cc69997924b651c0c6f4037782e25f2e438715)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: a17976b04f2117e1bab64358f873b36fe4561520
https://github.com/qemu/qemu/commit/a17976b04f2117e1bab64358f873b36fe4561520
Author: Michael Tokarev <[email protected]>
Date: 2024-11-21 (Thu, 21 Nov 2024)
Changed paths:
M VERSION
Log Message:
-----------
Update version for 9.0.4 release
Signed-off-by: Michael Tokarev <[email protected]>
Compare: https://github.com/qemu/qemu/compare/6a54d5cf55b4...a17976b04f21
To unsubscribe from these emails, change your notification settings at
https://github.com/qemu/qemu/settings/notifications
