Branch: refs/heads/staging-8.2
Home: https://github.com/qemu/qemu
Commit: c04d40520738cd4bd3ab3dd26207d48b962e1d77
https://github.com/qemu/qemu/commit/c04d40520738cd4bd3ab3dd26207d48b962e1d77
Author: Peter Maydell <[email protected]>
Date: 2025-01-29 (Wed, 29 Jan 2025)
Changed paths:
M target/arm/helper.c
Log Message:
-----------
target/arm: arm_reset_sve_state() should set FPSR, not FPCR
The pseudocode ResetSVEState() does:
FPSR = ZeroExtend(0x0800009f<31:0>, 64);
but QEMU's arm_reset_sve_state() called vfp_set_fpcr() by accident.
Before the advent of FEAT_AFP, this was only setting a collection of
RES0 bits, which vfp_set_fpsr() would then ignore, so the only effect
was that we didn't actually set the FPSR the way we are supposed to
do. Once FEAT_AFP is implemented, setting the bottom bits of FPSR
will change the floating point behaviour.
Call vfp_set_fpsr(), as we ought to.
(Note for stable backports: commit 7f2a01e7368f9 moved this function
from sme_helper.c to helper.c, but it had the same bug before the
move too.)
Cc: [email protected]
Fixes: f84734b87461 ("target/arm: Implement SMSTART, SMSTOP")
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-id: [email protected]
(cherry picked from commit 1edc3d43f20df0d04f8d00b906ba19fed37512a5)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 1a762af2686a5553348fcbba2ecbf2cdc5a1caca
https://github.com/qemu/qemu/commit/1a762af2686a5553348fcbba2ecbf2cdc5a1caca
Author: Hongren Zheng <[email protected]>
Date: 2025-01-29 (Wed, 29 Jan 2025)
Changed paths:
M hw/usb/canokey.c
M hw/usb/canokey.h
Log Message:
-----------
hw/usb/canokey: Fix buffer overflow for OUT packet
When USBPacket in OUT direction has larger payload
than the ep_out_buffer (of size 512), a buffer overflow
would occur.
It could be fixed by limiting the size of usb_packet_copy
to be at most buffer size. Further optimization gets rid
of the ep_out_buffer and directly uses ep_out as the target
buffer.
This is reported by a security researcher who artificially
constructed an OUT packet of size 2047. The report has gone
through the QEMU security process, and as this device is for
testing purpose and no deployment of it in virtualization
environment is observed, it is triaged not to be a security bug.
Cc: [email protected]
Fixes: d7d34918551dc48 ("hw/usb: Add CanoKey Implementation")
Reported-by: Juan Jose Lopez Jaimez <[email protected]>
Signed-off-by: Hongren Zheng <[email protected]>
Message-id: Z4TfMOrZz6IQYl_h@Sun
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 664280abddcb3cacc9c6204706bb739fcc1316f7)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 4afd17ebcc6a9412ba8009410e448a00af45f05b
https://github.com/qemu/qemu/commit/4afd17ebcc6a9412ba8009410e448a00af45f05b
Author: Steve Sistare <[email protected]>
Date: 2025-02-01 (Sat, 01 Feb 2025)
Changed paths:
M system/physmem.c
Log Message:
-----------
physmem: fix qemu_ram_alloc_from_fd size calculation
qemu_ram_alloc_from_fd allocates space if file_size == 0. If non-zero,
it uses the existing space and verifies it is large enough, but the
verification was broken when the offset parameter was introduced. As
a result, a file smaller than offset passes the verification and causes
errors later. Fix that, and update the error message to include offset.
Peter provides this concise reproducer:
$ touch ramfile
$ truncate -s 64M ramfile
$ ./qemu-system-x86_64 -object
memory-backend-file,mem-path=./ramfile,offset=128M,size=128M,id=mem1,prealloc=on
qemu-system-x86_64: qemu_prealloc_mem: preallocating memory failed: Bad
address
With the fix, the error message is:
qemu-system-x86_64: mem1 backing store size 0x4000000 is too small for 'size'
option 0x8000000 plus 'offset' option 0x8000000
Cc: [email protected]
Fixes: 4b870dc4d0c0 ("hostmem-file: add offset option")
Signed-off-by: Steve Sistare <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Acked-by: David Hildenbrand <[email protected]>
Link:
https://lore.kernel.org/r/[email protected]
Signed-off-by: Fabiano Rosas <[email protected]>
(cherry picked from commit 719168fba7c3215cc996dcfd32a6e5e9c7b8eee0)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: cbdb457d7981133e511eafa3296431871d84bea4
https://github.com/qemu/qemu/commit/cbdb457d7981133e511eafa3296431871d84bea4
Author: Ilya Leoshkevich <[email protected]>
Date: 2025-02-01 (Sat, 01 Feb 2025)
Changed paths:
M target/s390x/tcg/mem_helper.c
Log Message:
-----------
target/s390x: Fix MVC not always invalidating translation blocks
Node.js crashes in qemu-system-s390x with random SIGSEGVs / SIGILLs.
The v8 JIT used by Node.js can garbage collect and overwrite unused
code. Overwriting is performed by WritableJitAllocation::CopyCode(),
which ultimately calls memcpy(). For certain sizes, memcpy() uses the
MVC instruction.
QEMU implements MVC and other similar instructions using helpers. While
TCG store ops invalidate affected translation blocks automatically,
helpers must do this manually by calling probe_access_flags(). The MVC
helper does this using the access_prepare() -> access_prepare_nf() ->
s390_probe_access() -> probe_access_flags() call chain.
At the last step of this chain, the store size is replaced with 0. This
causes the probe_access_flags() -> notdirty_write() ->
tb_invalidate_phys_range_fast() chain to miss some translation blocks.
When this happens, QEMU executes a mix of old and new code. This
quickly leads to either a SIGSEGV or a SIGILL in case the old code
ends in the middle of a new instruction.
Fix by passing the true size.
Reported-by: Berthold Gunreben <[email protected]>
Cc: Sarah Kriesch <[email protected]>
Cc: [email protected]
Closes: https://bugzilla.opensuse.org/show_bug.cgi?id=1235709
Signed-off-by: Ilya Leoshkevich <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Reviewed-by: David Hildenbrand <[email protected]>
Fixes: e2faabee78ff ("accel/tcg: Forward probe size on to notdirty_write")
Message-ID: <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
(cherry picked from commit e43ced8be18dda77c229ab09f85136a4d600d40d)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 022ccee8f4cbbc2075c2ccb46010b6f405a73df1
https://github.com/qemu/qemu/commit/022ccee8f4cbbc2075c2ccb46010b6f405a73df1
Author: Dominik 'Disconnect3d' Czarnota <[email protected]>
Date: 2025-02-01 (Sat, 01 Feb 2025)
Changed paths:
M gdbstub/user-target.c
Log Message:
-----------
gdbstub/user-target: fix gdbserver int format (%d -> %x)
This commit fixes an incorrect format string for formatting integers
provided to GDB when debugging a target run in QEMU user mode.
The correct format is hexadecimal for both success and errno values,
some of which can be seen here [0].
[0]
https://github.com/bminor/binutils-gdb/blob/e65a355022d0dc6b5707310876a72b5693ec0aa5/gdbserver/hostio.cc#L196-L213
Signed-off-by: Dominik 'Disconnect3d' Czarnota <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Fixes: e282010b2e1e ("gdbstub: Add support for info proc mappings")
Cc: [email protected]
Reviewed-by: Ilya Leoshkevich <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
Signed-off-by: Michael Tokarev <[email protected]>
(cherry picked from commit 8b647bd352505234cab2acd2422aba183a1aa1fd)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: f7580a03713067bef6bf357c5f156f8e4384c513
https://github.com/qemu/qemu/commit/f7580a03713067bef6bf357c5f156f8e4384c513
Author: Akihiko Odaki <[email protected]>
Date: 2025-02-01 (Sat, 01 Feb 2025)
Changed paths:
M hw/net/e1000e.c
M hw/net/igb.c
M hw/net/net_tx_pkt.c
M hw/net/virtio-net.c
M hw/net/vmxnet3.c
M include/net/net.h
M net/dump.c
M net/net.c
M net/netmap.c
M net/tap.c
Log Message:
-----------
tap: Remove qemu_using_vnet_hdr()
Since qemu_set_vnet_hdr_len() is always called when
qemu_using_vnet_hdr() is called, we can merge them and save some code.
For consistency, express that the virtio-net header is not in use by
returning 0 with qemu_get_vnet_hdr_len() instead of having a dedicated
function, qemu_get_using_vnet_hdr().
Signed-off-by: Akihiko Odaki <[email protected]>
Signed-off-by: Jason Wang <[email protected]>
(cherry picked from commit 4b52d63249a508dd927222ffac1a868d38681fc5)
Signed-off-by: Michael Tokarev <[email protected]>
Compare: https://github.com/qemu/qemu/compare/f262174fbbbe...f7580a037130
To unsubscribe from these emails, change your notification settings at
https://github.com/qemu/qemu/settings/notifications
