Branch: refs/heads/staging-7.2
Home: https://github.com/qemu/qemu
Commit: 0f6b895992d00ec9794e72f9106d963033edc8f6
https://github.com/qemu/qemu/commit/0f6b895992d00ec9794e72f9106d963033edc8f6
Author: Khem Raj <[email protected]>
Date: 2025-02-11 (Tue, 11 Feb 2025)
Changed paths:
M linux-user/syscall.c
Log Message:
-----------
linux-user: Do not define struct sched_attr if libc headers do
glibc 2.41+ has added [1] definitions for sched_setattr and
sched_getattr functions and struct sched_attr. Therefore, it needs
to be checked for here as well before defining sched_attr, to avoid
a compilation failure.
Define sched_attr conditionally only when SCHED_ATTR_SIZE_VER0 is
not defined.
[1]
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=21571ca0d70302909cf72707b2a7736cf12190a0;hp=298bc488fdc047da37482f4003023cb9adef78f8
Signed-off-by: Khem Raj <[email protected]>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2799
Cc: [email protected]
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 27a8d899c7a100fd5aa040a8b993bb257687c393)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 9d820b19b14d8cbef88763ee54ced8325431ba56
https://github.com/qemu/qemu/commit/9d820b19b14d8cbef88763ee54ced8325431ba56
Author: Volker Rümelin <[email protected]>
Date: 2025-02-16 (Sun, 16 Feb 2025)
Changed paths:
M ui/meson.build
M ui/sdl2.c
Log Message:
-----------
ui/sdl2: reenable the SDL2 Windows keyboard hook procedure
Windows only:
The libSDL2 Windows message loop needs the libSDL2 Windows low
level keyboard hook procedure to grab the left and right Windows
keys correctly. Reenable the SDL2 Windows keyboard hook procedure.
Since SDL2 2.30.4 the SDL2 keyboard hook procedure also filters
out the special left Control key event for every Alt Gr key event
on keyboards with an international layout. This means the QEMU low
level keyboard hook procedure is no longer needed. Remove the QEMU
Windows keyboard hook procedure.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2139
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2323
Signed-off-by: Volker Rümelin <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 4dafba778aa3e5f5fd3b2c6333afd7650dcf54e2)
Signed-off-by: Michael Tokarev <[email protected]>
(Mjt: context fix in ui/sdl2.c and adaptation in ui/meson.build)
Commit: cf18084653afbf4ad66c728cba44841604b3da59
https://github.com/qemu/qemu/commit/cf18084653afbf4ad66c728cba44841604b3da59
Author: Peter Maydell <[email protected]>
Date: 2025-02-17 (Mon, 17 Feb 2025)
Changed paths:
M hw/net/smc91c111.c
Log Message:
-----------
hw/net/smc91c111: Ignore attempt to pop from empty RX fifo
The SMC91C111 includes an MMU Command register which permits
the guest to remove entries from the RX FIFO. The datasheet
does not specify what happens if the guest tries to do this
when the FIFO is already empty; there are no status registers
containing error bits which might be applicable.
Currently we don't guard at all against pop of an empty
RX FIFO, with the result that we allow the guest to drive
the rx_fifo_len index to negative values, which will cause
smc91c111_receive() to write to the rx_fifo[] array out of
bounds when we receive the next packet.
Instead ignore attempts to pop an empty RX FIFO.
Cc: [email protected]
Fixes: 80337b66a8e7 ("NIC emulation for qemu arm-softmmu")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2780
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit 937df81af6757638a7f1908747560dd342947213)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 6f6b0ccbc0f53d952cf272bd8099fbebd38d2b56
https://github.com/qemu/qemu/commit/6f6b0ccbc0f53d952cf272bd8099fbebd38d2b56
Author: Mikael Szreder <[email protected]>
Date: 2025-02-19 (Wed, 19 Feb 2025)
Changed paths:
M target/sparc/gdbstub.c
Log Message:
-----------
target/sparc: Fix gdbstub incorrectly handling registers f32-f62
The gdbstub implementation for the Sparc architecture would
incorrectly calculate the the floating point register offset.
This resulted in, for example, registers f32 and f34 to point to
the same value.
The issue was caused by the confusion between even register numbers
and even register indexes. For example, the register index of f32 is 64
and f34 is 65.
Cc: [email protected]
Fixes: 30038fd81808 ("target-sparc: Change fpr representation to doubles.")
Signed-off-by: Mikael Szreder <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit 7a74e468089a58756b438d31a2a9a97f183780d7)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: a8c2a1b0e9311d88acd4987cfc26af99c6eed43b
https://github.com/qemu/qemu/commit/a8c2a1b0e9311d88acd4987cfc26af99c6eed43b
Author: Peter Maydell <[email protected]>
Date: 2025-02-25 (Tue, 25 Feb 2025)
Changed paths:
M target/arm/helper.c
Log Message:
-----------
target/arm: Report correct syndrome for UNDEFINED CNTPS_*_EL1 from EL2 and NS
EL1
The access pseudocode for the CNTPS_TVAL_EL1, CNTPS_CTL_EL1 and
CNTPS_CVAL_EL1 secure timer registers says that they are UNDEFINED
from EL2 or NS EL1. We incorrectly return CP_ACCESS_TRAP from the
access function in these cases, which means that we report the wrong
syndrome value to the target EL.
Use CP_ACCESS_TRAP_UNCATEGORIZED, which reports the correct syndrome
value for an UNDEFINED instruction.
Cc: [email protected]
Fixes: b4d3978c2fd ("target-arm: Add the AArch64 view of the Secure physical
timer")
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-id: [email protected]
(cherry picked from commit b819fd6994243aee6f9613edbbacedce4f511c32)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: b56f14da59f81100fbc0b15e348f241de7dbe29b
https://github.com/qemu/qemu/commit/b56f14da59f81100fbc0b15e348f241de7dbe29b
Author: Peter Maydell <[email protected]>
Date: 2025-02-25 (Tue, 25 Feb 2025)
Changed paths:
M target/arm/helper.c
Log Message:
-----------
target/arm: Report correct syndrome for UNDEFINED S1E2 AT ops at EL3
The pseudocode for AT S1E2R and AT S1E2W says that they should be
UNDEFINED if executed at EL3 when EL2 is not enabled. We were
incorrectly using CP_ACCESS_TRAP and reporting the wrong exception
syndrome as a result. Use CP_ACCESS_TRAP_UNCATEGORIZED.
Cc: [email protected]
Fixes: 2a47df953202e1 ("target-arm: Wire up AArch64 EL2 and EL3 address
translation ops")
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-id: [email protected]
(cherry picked from commit ccda792945d650bce4609c8dbce8814a220df1bb)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 40f75d5c642bebff1a2703450178f185a63786b0
https://github.com/qemu/qemu/commit/40f75d5c642bebff1a2703450178f185a63786b0
Author: Peter Maydell <[email protected]>
Date: 2025-02-25 (Tue, 25 Feb 2025)
Changed paths:
M target/arm/helper.c
Log Message:
-----------
target/arm: Report correct syndrome for UNDEFINED LOR sysregs when NS=0
The pseudocode for the accessors for the LOR sysregs says they
are UNDEFINED if SCR_EL3.NS is 0. We were reporting the wrong
syndrome value here; use CP_ACCESS_TRAP_UNCATEGORIZED.
Cc: [email protected]
Fixes: 2d7137c10faf ("target/arm: Implement the ARMv8.1-LOR extension")
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-id: [email protected]
(cherry picked from commit 707d478ed8f2da6f2327e5af780890c1fd9c371a)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 6f3415dd3e4d3cc126104ad0b2663dd49eab9734
https://github.com/qemu/qemu/commit/6f3415dd3e4d3cc126104ad0b2663dd49eab9734
Author: Peter Maydell <[email protected]>
Date: 2025-02-25 (Tue, 25 Feb 2025)
Changed paths:
M target/arm/cpu.h
M target/arm/helper.c
M target/arm/op_helper.c
Log Message:
-----------
target/arm: Make CP_ACCESS_TRAPs to AArch32 EL3 be Monitor traps
In system register access pseudocode the common pattern for
AArch32 registers with access traps to EL3 is:
at EL1 and EL2:
if HaveEL(EL3) && !ELUsingAArch32(EL3) && (SCR_EL3.TERR == 1) then
AArch64.AArch32SystemAccessTrap(EL3, 0x03);
elsif HaveEL(EL3) && ELUsingAArch32(EL3) && (SCR.TERR == 1) then
AArch32.TakeMonitorTrapException();
at EL3:
if (PSTATE.M != M32_Monitor) && (SCR.TERR == 1) then
AArch32.TakeMonitorTrapException();
(taking as an example the ERRIDR access pseudocode).
This implements the behaviour of (in this case) SCR.TERR that
"Accesses to the specified registers from modes other than Monitor
mode generate a Monitor Trap exception" and of SCR_EL3.TERR that
"Accesses of the specified Error Record registers at EL2 and EL1
are trapped to EL3, unless the instruction generates a higher
priority exception".
In QEMU we don't implement this pattern correctly in two ways:
* in access_check_cp_reg() we turn the CP_ACCESS_TRAP_EL3 into
an UNDEF, not a trap to Monitor mode
* in the access functions, we check trap bits like SCR.TERR
only when arm_current_el(env) < 3 -- this is correct for
AArch64 EL3, but misses the "trap non-Monitor-mode execution
at EL3 into Monitor mode" case for AArch32 EL3
In this commit we fix the first of these two issues, by
making access_check_cp_reg() handle CP_ACCESS_TRAP_EL3
as a Monitor trap. This is a kind of exception that we haven't
yet implemented(!), so we need a new EXCP_MON_TRAP for it.
This diverges from the pseudocode approach, where every access check
function explicitly checks for "if EL3 is AArch32" and takes a
monitor trap; if we wanted to be closer to the pseudocode we could
add a new CP_ACCESS_TRAP_MONITOR and make all the accessfns use it
when appropriate. But because there are no non-standard cases in the
pseudocode (i.e. where either it raises a Monitor trap that doesn't
correspond to an AArch64 SystemAccessTrap or where it raises a
SystemAccessTrap that doesn't correspond to a Monitor trap), handling
this all in one place seems less likely to result in future bugs
where we forgot again about this special case when writing an
accessor.
(The cc of stable here is because "hw/intc/arm_gicv3_cpuif: Don't
downgrade monitor traps for AArch32 EL3" which is also cc:stable
will implicitly use the new EXCP_MON_TRAP code path.)
Cc: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-id: [email protected]
(cherry picked from commit 4cf4948651615181c5bc3d0e4a9f5c46be576bb2)
(Mjt: context fix due to missing
v9.0.0-151-gb36a32ead159 "target/arm: Add support for Non-maskable Interrupt",
v8.0.0-2011-g11b76fda0adc "target/arm: Implement GPC exceptions")
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 227eb7d2613b522ff0417341cad3bb5ced2e1cdb
https://github.com/qemu/qemu/commit/227eb7d2613b522ff0417341cad3bb5ced2e1cdb
Author: Peter Maydell <[email protected]>
Date: 2025-02-25 (Tue, 25 Feb 2025)
Changed paths:
M hw/intc/arm_gicv3_cpuif.c
Log Message:
-----------
hw/intc/arm_gicv3_cpuif: Don't downgrade monitor traps for AArch32 EL3
In the gicv3_{irq,fiq,irqfiq}_access() functions, there is a check
which downgrades a CP_ACCESS_TRAP_EL3 to CP_ACCESS_TRAP if EL3 is not
AArch64. This has been there since the GIC was first implemented,
but it isn't right: if we are trapping because of SCR.IRQ or SCR.FIQ
then we definitely want to be going to EL3 (doing
AArch32.TakeMonitorTrapException() in pseudocode terms). We might
want to not take a trap at all, but we don't ever want to go to the
default target EL, because that would mean, for instance, taking a
trap to Hyp mode if the trapped access was made from Hyp mode.
(This might have been an attempt to work around our failure to
properly implement Monitor Traps.)
Remove the bogus check.
Cc: [email protected]
Fixes: 359fbe65e01e ("hw/intc/arm_gicv3: Implement GICv3 CPU interface
registers")
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-id: [email protected]
(cherry picked from commit d04c6c3c000ab3e588a2b91641310aeea89408f7)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 7c49919a403e2accd33a3d61f5248ed47f7f142b
https://github.com/qemu/qemu/commit/7c49919a403e2accd33a3d61f5248ed47f7f142b
Author: Bernhard Beschow <[email protected]>
Date: 2025-02-25 (Tue, 25 Feb 2025)
Changed paths:
M hw/arm/Kconfig
M hw/usb/Kconfig
M hw/usb/meson.build
Log Message:
-----------
Kconfig: Extract CONFIG_USB_CHIPIDEA from CONFIG_IMX
TYPE_CHIPIDEA models an IP block which is also used in TYPE_ZYNQ_MACHINE which
itself is not an IMX device. CONFIG_ZYNQ selects CONFIG_USB_EHCI_SYSBUS while
TYPE_CHIPIDEA is a separate compilation unit, so only works by accident if
CONFIG_IMX is given. Fix that by extracting CONFIG_USB_CHIPIDEA from CONFIG_IMX.
cc: [email protected]
Fixes: 616ec12d0fcc "hw/arm/xilinx_zynq: Fix USB port instantiation"
Signed-off-by: Bernhard Beschow <[email protected]>
Message-id: [email protected]
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 464ce71a963b3dfc290cd59c3d1bfedf11c004df)
(Mjt: context fixup due to missing
v8.0.0-1939-gde6cd7599b51 "meson: Replace softmmu_ss -> system_ss",
v9.1.0-609-ge02491903d50 "hw/usb: Remove tusb6010 USB controller",
v9.2.0-1303-g1b326f278d05 "hw/pci-host/designware: Expose MSI IRQ")
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 85c22889a79d0c1b892bb6f1cf27e51448747586
https://github.com/qemu/qemu/commit/85c22889a79d0c1b892bb6f1cf27e51448747586
Author: Sairaj Kodilkar <[email protected]>
Date: 2025-02-25 (Tue, 25 Feb 2025)
Changed paths:
M hw/i386/amd_iommu.c
Log Message:
-----------
amd_iommu: Use correct DTE field for interrupt passthrough
Interrupt passthrough is determine by the bits 191,190,187-184.
These bits are part of the 3rd quad word (i.e. index 2) in DTE. Hence
replace dte[3] by dte[2].
Fixes: b44159fe0 ("x86_iommu/amd: Add interrupt remap support when VAPIC is not
enabled")
Signed-off-by: Sairaj Kodilkar <[email protected]>
Reviewed-by: Vasant Hegde <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>
(cherry picked from commit 63dc0b8647391b372f3bb38ff1066f6b4a5e6ea1)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 4aecc7f074d63a6ee21f8da7b8f168ba1c9e1bff
https://github.com/qemu/qemu/commit/4aecc7f074d63a6ee21f8da7b8f168ba1c9e1bff
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2025-02-25 (Tue, 25 Feb 2025)
Changed paths:
M hw/i386/amd_iommu.c
Log Message:
-----------
hw/i386/amd_iommu: Explicit use of AMDVI_BASE_ADDR in amdvi_init
By accessing MemoryRegion internals, amdvi_init() gives the false
idea that the PCI BAR can be modified. However this isn't true
(at least the model isn't ready for that): the device is explicitly
maps at the BAR at the fixed AMDVI_BASE_ADDR address in
amdvi_sysbus_realize(). Since the SysBus API isn't designed to
remap regions, directly use the fixed address in amdvi_init().
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>
(cherry picked from commit 6291a28645a0656477bc5962a81b181e6a99487c)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: eb0e00dd6feb0bab6409e23729efd0769a5ef310
https://github.com/qemu/qemu/commit/eb0e00dd6feb0bab6409e23729efd0769a5ef310
Author: Sairaj Kodilkar <[email protected]>
Date: 2025-02-25 (Tue, 25 Feb 2025)
Changed paths:
M hw/i386/amd_iommu.c
M hw/i386/amd_iommu.h
Log Message:
-----------
amd_iommu: Use correct bitmask to set capability BAR
AMD IOMMU provides the base address of control registers through
IVRS table and PCI capability. Since this base address is of 64 bit,
use 32 bits mask (instead of 16 bits) to set BAR low and high.
Fixes: d29a09ca68 ("hw/i386: Introduce AMD IOMMU")
Signed-off-by: Sairaj Kodilkar <[email protected]>
Reviewed-by: Vasant Hegde <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>
(cherry picked from commit 3684717b7407cc395dc9bf522e193dbc85293dee)
(Mjt: adjust for 7.2.x)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 069516364a3cc5fc0e3423e4860d260cb4914284
https://github.com/qemu/qemu/commit/069516364a3cc5fc0e3423e4860d260cb4914284
Author: Stefano Garzarella <[email protected]>
Date: 2025-02-25 (Tue, 25 Feb 2025)
Changed paths:
M backends/cryptodev-vhost.c
Log Message:
-----------
cryptodev/vhost: allocate CryptoDevBackendVhost using g_mem0()
The function `vhost_dev_init()` expects the `struct vhost_dev`
(passed as a parameter) to be fully initialized. This is important
because some parts of the code check whether `vhost_dev->config_ops`
is NULL to determine if it has been set (e.g. later via
`vhost_dev_set_config_notifier`).
To ensure this initialization, it’s better to allocate the entire
`CryptoDevBackendVhost` structure (which includes `vhost_dev`) using
`g_mem0()`, following the same approach used for other vhost devices,
such as in `vhost_net_init()`.
Fixes: 042cea274c ("cryptodev: add vhost-user as a new cryptodev backend")
Cc: [email protected]
Reported-by: [email protected]
Signed-off-by: Stefano Garzarella <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>
(cherry picked from commit 83cb18ac4500f3a14067b19408705068647cb0c5)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 9459dea71627e309ecb35d87a52fa71b55b713c0
https://github.com/qemu/qemu/commit/9459dea71627e309ecb35d87a52fa71b55b713c0
Author: Konstantin Shkolnyy <[email protected]>
Date: 2025-02-25 (Tue, 25 Feb 2025)
Changed paths:
M hw/virtio/vhost-shadow-virtqueue.c
Log Message:
-----------
vdpa: Fix endian bugs in shadow virtqueue
VDPA didn't work on a big-endian machine due to missing/incorrect
CPU<->LE data format conversions.
Signed-off-by: Konstantin Shkolnyy <[email protected]>
Message-Id: <[email protected]>
Fixes: 10857ec0ad ("vhost: Add VhostShadowVirtqueue")
Acked-by: Eugenio Pérez <[email protected]>
Tested-by: Lei Yang <[email protected]>
Reviewed-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>
(cherry picked from commit 50e9754149066dc91f58405d3378b589098cb408)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 5a8225df684628fdb065ab5276d70936d0c5bb08
https://github.com/qemu/qemu/commit/5a8225df684628fdb065ab5276d70936d0c5bb08
Author: Max Chou <[email protected]>
Date: 2025-03-06 (Thu, 06 Mar 2025)
Changed paths:
M target/riscv/vector_helper.c
Log Message:
-----------
target/riscv: rvv: Fix unexpected behavior of vector reduction instructions
when vl is 0
According to the Vector Reduction Operations section in the RISC-V "V"
Vector Extension spec,
"If vl=0, no operation is performed and the destination register is not
updated."
The vd should be updated when vl is larger than 0.
Fixes: fe5c9ab1fc ("target/riscv: vector single-width integer reduction
instructions")
Fixes: f714361ed7 ("target/riscv: rvv-1.0: implement vstart CSR")
Signed-off-by: Max Chou <[email protected]>
Reviewed-by: Daniel Henrique Barboza <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit ffd455963f230c7dc04965609d6675da687a5a78)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: fd5ef34c2e3c8e9b629ed1df08ebf8d76c253aec
https://github.com/qemu/qemu/commit/fd5ef34c2e3c8e9b629ed1df08ebf8d76c253aec
Author: Daniel Henrique Barboza <[email protected]>
Date: 2025-03-06 (Thu, 06 Mar 2025)
Changed paths:
M target/riscv/debug.c
Log Message:
-----------
target/riscv/debug.c: use wp size = 4 for 32-bit CPUs
The mcontrol select bit (19) is always zero, meaning our triggers will
always match virtual addresses. In this condition, if the user does not
specify a size for the trigger, the access size defaults to XLEN.
At this moment we're using def_size = 8 regardless of CPU XLEN. Use
def_size = 4 in case we're running 32 bits.
Fixes: 95799e36c1 ("target/riscv: Add initial support for the Sdtrig extension")
Signed-off-by: Daniel Henrique Barboza <[email protected]>
Reviewed-by: Alistair Francis <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit 3fba76e61caa46329afc399b3ecaaba70c8b0a4e)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: c22cb17701e6fee31aa3ea7311f22a7b8097765f
https://github.com/qemu/qemu/commit/c22cb17701e6fee31aa3ea7311f22a7b8097765f
Author: Daniel Henrique Barboza <[email protected]>
Date: 2025-03-06 (Thu, 06 Mar 2025)
Changed paths:
M target/riscv/cpu_helper.c
Log Message:
-----------
target/riscv: throw debug exception before page fault
In the RISC-V privileged ISA section 3.1.15 table 15, it is determined
that a debug exception that is triggered from a load/store has a higher
priority than a possible fault that this access might trigger.
This is not the case ATM as shown in [1]. Adding a breakpoint in an
address that deliberately will fault is causing a load page fault
instead of a debug exception. The reason is that we're throwing in the
page fault as soon as the fault occurs (end of riscv_cpu_tlb_fill(),
raise_mmu_exception()), not allowing the installed watchpoints to
trigger.
Call cpu_check_watchpoint() in the page fault path to search and execute
any watchpoints that might exist for the address, never returning back
to the fault path. If no watchpoints are found cpu_check_watchpoint()
will return and we'll fall-through the regular path to
raise_mmu_exception().
[1] https://gitlab.com/qemu-project/qemu/-/issues/2627
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2627
Signed-off-by: Daniel Henrique Barboza <[email protected]>
Reviewed-by: Alistair Francis <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit c86edc547692d812d1dcc04220c38310be2c00c3)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 9d04f540cabeeef32881e5fb55323a3a2035d086
https://github.com/qemu/qemu/commit/9d04f540cabeeef32881e5fb55323a3a2035d086
Author: Rodrigo Dias Correa <[email protected]>
Date: 2025-03-06 (Thu, 06 Mar 2025)
Changed paths:
M hw/rtc/goldfish_rtc.c
Log Message:
-----------
goldfish_rtc: Fix tick_offset migration
Instead of migrating the raw tick_offset, goldfish_rtc migrates a
recalculated value based on QEMU_CLOCK_VIRTUAL. As QEMU_CLOCK_VIRTUAL
stands still across a save-and-restore cycle, the guest RTC becomes out
of sync with the host RTC when the VM is restored.
As described in the bug description, it looks like this calculation was
copied from pl031 RTC, which had its tick_offset migration fixed by
Commit 032cfe6a79c8 ("pl031: Correctly migrate state when using -rtc
clock=host").
Migrate the tick_offset directly, adding it as a version-dependent field
to VMState. Keep the old behavior when migrating from previous versions.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2033
Signed-off-by: Rodrigo Dias Correa <[email protected]>
Reviewed-by: Alistair Francis <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit 3521f9cadc29c7d68b73b325ddb46a7acebf6212)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 81533b65f7b1b40e685168c2688c590ba1c619a8
https://github.com/qemu/qemu/commit/81533b65f7b1b40e685168c2688c590ba1c619a8
Author: Denis Rastyogin <[email protected]>
Date: 2025-03-07 (Fri, 07 Mar 2025)
Changed paths:
M block/qed.c
Log Message:
-----------
block/qed: fix use-after-free by nullifying timer pointer after free
This error was discovered by fuzzing qemu-img.
In the QED block driver, the need_check_timer timer is freed in
bdrv_qed_detach_aio_context, but the pointer to the timer is not
set to NULL. This can lead to a use-after-free scenario
in bdrv_qed_drain_begin().
The need_check_timer pointer is set to NULL after freeing the timer.
Which helps catch this condition when checking in bdrv_qed_drain_begin().
Closes: https://gitlab.com/qemu-project/qemu/-/issues/2852
Signed-off-by: Denis Rastyogin <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Stefan Hajnoczi <[email protected]>
(cherry picked from commit 2ad638a3d160923ef3dbf87c73944e6e44bdc724)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: e1f7279abba107ba52b88d573b398b915fbfea95
https://github.com/qemu/qemu/commit/e1f7279abba107ba52b88d573b398b915fbfea95
Author: Patrick Venture <[email protected]>
Date: 2025-03-09 (Sun, 09 Mar 2025)
Changed paths:
M hw/gpio/npcm7xx_gpio.c
Log Message:
-----------
hw/gpio: npcm7xx: fixup out-of-bounds access
The reg isn't validated to be a possible register before
it's dereferenced for one case. The mmio space registered
for the gpio device is 4KiB but there aren't that many
registers in the struct.
Cc: [email protected]
Fixes: 526dbbe0874 ("hw/gpio: Add GPIO model for Nuvoton NPCM7xx")
Signed-off-by: Patrick Venture <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 3b2e22c0bbe2ce07123d93961d52f17644562cd7)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: a9b84da6cce827e976ef89b4f4e1d64f6efd8ba8
https://github.com/qemu/qemu/commit/a9b84da6cce827e976ef89b4f4e1d64f6efd8ba8
Author: Nicholas Piggin <[email protected]>
Date: 2025-03-13 (Thu, 13 Mar 2025)
Changed paths:
M hw/ppc/pnv_occ.c
Log Message:
-----------
ppc/pnv/occ: Fix common area sensor offsets
The commit to fix the OCC common area sensor mappings didn't update the
register offsets to match.
Before this change, skiboot reports:
[ 0.347100086,3] OCC: Chip 0 sensor data invalid
Afterward, there is no error and the sensor_groups directory appears
under /sys/firmware/opal/.
The SLW_IMAGE_BASE address looks like a workaround to intercept firmware
memory accesses, but that does not seem to be required now (and would
have been broken by the OCC common area region mapping change anyway).
So it can be removed.
Fixes: 3a1b70b66b5cb4 ("ppc/pnv: Fix OCC common area region mapping")
Signed-off-by: Nicholas Piggin <[email protected]>
(cherry picked from commit 29c041ca7f8d6910c894788482efff892789dcd2)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 877f6914cdd30612e1951e7596fa251ce10a11c8
https://github.com/qemu/qemu/commit/877f6914cdd30612e1951e7596fa251ce10a11c8
Author: Peter Maydell <[email protected]>
Date: 2025-03-13 (Thu, 13 Mar 2025)
Changed paths:
M hw/net/smc91c111.c
Log Message:
-----------
hw/net/smc91c111: Sanitize packet numbers
The smc91c111 uses packet numbers as an index into its internal
s->data[][] array. Valid packet numbers are between 0 and 3, but
the code does not generally check this, and there are various
places where the guest can hand us an arbitrary packet number
and cause an out-of-bounds access to the data array.
Add validation of packet numbers. The datasheet is not very
helpful about how guest errors like this should be handled:
it says nothing on the subject, and none of the documented
error conditions are relevant. We choose to log the situation
with LOG_GUEST_ERROR and silently ignore the attempted operation.
In the places where we are about to access the data[][] array
using a packet number and we know the number is valid because
we got it from somewhere that has already validated, we add
an assert() to document that belief.
Cc: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit 2fa3a5b9469615d06091cf473d172794148e1248)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 94823fc8b11b5c4109b46846e7c5f42efe8a2887
https://github.com/qemu/qemu/commit/94823fc8b11b5c4109b46846e7c5f42efe8a2887
Author: Peter Maydell <[email protected]>
Date: 2025-03-13 (Thu, 13 Mar 2025)
Changed paths:
M hw/net/smc91c111.c
Log Message:
-----------
hw/net/smc91c111: Sanitize packet length on tx
When the smc91c111 transmits a packet, it must read a control byte
which is at the end of the data area and CRC. However, we don't
sanitize the length field in the packet buffer, so if the guest sets
the length field to something large we will try to read past the end
of the packet data buffer when we access the control byte.
As usual, the datasheet says nothing about the behaviour of the
hardware if the guest misprograms it in this way. It says only that
the maximum valid length is 2048 bytes. We choose to log the guest
error and silently drop the packet.
This requires us to factor out the "mark the tx packet as complete"
logic, so we can call it for this "drop packet" case as well as at
the end of the loop when we send a valid packet.
Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2742
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-ID: <[email protected]>
[PMD: Update smc91c111_do_tx() as len > MAX_PACKET_SIZE]
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit aad6f264add3f2be72acb660816588fe09110069)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: a54a7c64eb2c9f77b482d099e1e93ddbb4c59dd4
https://github.com/qemu/qemu/commit/a54a7c64eb2c9f77b482d099e1e93ddbb4c59dd4
Author: Peter Maydell <[email protected]>
Date: 2025-03-13 (Thu, 13 Mar 2025)
Changed paths:
M hw/net/smc91c111.c
Log Message:
-----------
hw/net/smc91c111: Don't allow data register access to overrun buffer
For accesses to the 91c111 data register, the address within the
packet's data frame is determined by a combination of the pointer
register and the offset used to access the data register, so that you
can access data at effectively wider than byte width. The pointer
register's pointer field is 11 bits wide, which is exactly the size
to index a 2048-byte data frame.
We weren't quite getting the logic right for ensuring that we end up
with a pointer value to use in the s->data[][] array that isn't out
of bounds:
* we correctly mask when getting the initial pointer value
* for the "autoincrement the pointer register" case, we
correctly mask after adding 1 so that the pointer register
wraps back around at the 2048 byte mark
* but for the non-autoincrement case where we have to add the
low 2 bits of the data register offset, we don't account
for the possibility that the pointer register is 0x7ff
and the addition should wrap
Fix this bug by factoring out the "get the p value to use as an array
index" into a function, making it use FIELD macro names rather than
hard-coded constants, and having a utility function that does "add a
value and wrap it" that we can use both for the "autoincrement" and
"add the offset bits" codepaths.
Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2758
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit 700d3d6dd41de3bd3f1153e3cfe00b93f99b1441)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 6369b3cdcedc2999b0856317e03b4a2dc291c80a
https://github.com/qemu/qemu/commit/6369b3cdcedc2999b0856317e03b4a2dc291c80a
Author: Kevin Wolf <[email protected]>
Date: 2025-03-14 (Fri, 14 Mar 2025)
Changed paths:
M block/snapshot.c
Log Message:
-----------
block: Zero block driver state before reopening
Block drivers assume in their .bdrv_open() implementation that their
state in bs->opaque has been zeroed; it is initially allocated with
g_malloc0() in bdrv_open_driver().
bdrv_snapshot_goto() needs to make sure that it is zeroed again before
calling drv->bdrv_open() to avoid that block drivers use stale values.
One symptom of this bug is VMDK running into a double free when the user
tries to apply an internal snapshot like 'qemu-img snapshot -a test
test.vmdk'. This should be a graceful error because VMDK doesn't support
internal snapshots.
==25507== Invalid free() / delete / delete[] / realloc()
==25507== at 0x484B347: realloc (vg_replace_malloc.c:1801)
==25507== by 0x54B592A: g_realloc (gmem.c:171)
==25507== by 0x1B221D: vmdk_add_extent (../block/vmdk.c:570)
==25507== by 0x1B1084: vmdk_open_sparse (../block/vmdk.c:1059)
==25507== by 0x1AF3D8: vmdk_open (../block/vmdk.c:1371)
==25507== by 0x1A2AE0: bdrv_snapshot_goto (../block/snapshot.c:299)
==25507== by 0x205C77: img_snapshot (../qemu-img.c:3500)
==25507== by 0x58FA087: (below main) (libc_start_call_main.h:58)
==25507== Address 0x832f3e0 is 0 bytes inside a block of size 272 free'd
==25507== at 0x4846B83: free (vg_replace_malloc.c:989)
==25507== by 0x54AEAC4: g_free (gmem.c:208)
==25507== by 0x1AF629: vmdk_close (../block/vmdk.c:2889)
==25507== by 0x1A2A9C: bdrv_snapshot_goto (../block/snapshot.c:290)
==25507== by 0x205C77: img_snapshot (../qemu-img.c:3500)
==25507== by 0x58FA087: (below main) (libc_start_call_main.h:58)
This error was discovered by fuzzing qemu-img.
Cc: [email protected]
Closes: https://gitlab.com/qemu-project/qemu/-/issues/2853
Closes: https://gitlab.com/qemu-project/qemu/-/issues/2851
Reported-by: Denis Rastyogin <[email protected]>
Signed-off-by: Kevin Wolf <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Kevin Wolf <[email protected]>
(cherry picked from commit b75c5f9879166b86ed7c48b772fdcd0693e8a9a3)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 2881707299bfa5ac76c0460b66605e1ece8a5ba3
https://github.com/qemu/qemu/commit/2881707299bfa5ac76c0460b66605e1ece8a5ba3
Author: Greg Kurz <[email protected]>
Date: 2025-03-14 (Fri, 14 Mar 2025)
Changed paths:
M docs/devel/build-system.rst
M docs/devel/kconfig.rst
Log Message:
-----------
docs: Rename default-configs to configs
This was missed at the time.
Fixes: 812b31d3f91 ("configs: rename default-configs to configs and reorganise")
Signed-off-by: Greg Kurz <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
(cherry picked from commit 48170c2d865a5937092b1384421b01cd38113042)
(Mjt: context fix in docs/devel/kconfig.rst)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: e87ced60a3aa9ce77dfff4ef38837bfad1a9a6eb
https://github.com/qemu/qemu/commit/e87ced60a3aa9ce77dfff4ef38837bfad1a9a6eb
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2025-03-15 (Sat, 15 Mar 2025)
Changed paths:
M ui/cocoa.m
Log Message:
-----------
ui/cocoa: Temporarily ignore annoying deprecated declaration warnings
These warnings are breaking some build configurations since 2 months
now (https://gitlab.com/qemu-project/qemu/-/issues/2575):
ui/cocoa.m:662:14: error: 'CVDisplayLinkCreateWithCGDisplay' is deprecated:
first deprecated in macOS 15.0 - use NSView.displayLink(target:selector:),
NSWindow.displayLink(target:selector:), or
NSScreen.displayLink(target:selector:) [-Werror,-Wdeprecated-declarations]
662 | if (!CVDisplayLinkCreateWithCGDisplay(display, &displayLink))
{
| ^
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/Frameworks/CoreVideo.framework/Headers/CVDisplayLink.h:89:20:
note: 'CVDisplayLinkCreateWithCGDisplay' has been explicitly marked deprecated
here
89 | CV_EXPORT CVReturn CVDisplayLinkCreateWithCGDisplay(
| ^
ui/cocoa.m:663:29: error: 'CVDisplayLinkGetNominalOutputVideoRefreshPeriod'
is deprecated: first deprecated in macOS 15.0 - use
NSView.displayLink(target:selector:), NSWindow.displayLink(target:selector:),
or NSScreen.displayLink(target:selector:) [-Werror,-Wdeprecated-declarations]
663 | CVTime period =
CVDisplayLinkGetNominalOutputVideoRefreshPeriod(displayLink);
| ^
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/Frameworks/CoreVideo.framework/Headers/CVDisplayLink.h:182:18:
note: 'CVDisplayLinkGetNominalOutputVideoRefreshPeriod' has been explicitly
marked deprecated here
182 | CV_EXPORT CVTime CVDisplayLinkGetNominalOutputVideoRefreshPeriod(
CVDisplayLinkRef CV_NONNULL displayLink );
| ^
ui/cocoa.m:664:13: error: 'CVDisplayLinkRelease' is deprecated: first
deprecated in macOS 15.0 - use NSView.displayLink(target:selector:),
NSWindow.displayLink(target:selector:), or
NSScreen.displayLink(target:selector:) [-Werror,-Wdeprecated-declarations]
664 | CVDisplayLinkRelease(displayLink);
| ^
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/Frameworks/CoreVideo.framework/Headers/CVDisplayLink.h:249:16:
note: 'CVDisplayLinkRelease' has been explicitly marked deprecated here
249 | CV_EXPORT void CVDisplayLinkRelease( CV_RELEASES_ARGUMENT
CVDisplayLinkRef CV_NULLABLE displayLink );
| ^
3 errors generated.
For the next release, ignore the warnings using #pragma directives.
At least until we figure the correct new API usage.
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Phil Dennis-Jordan <[email protected]>
Tested-by: Phil Dennis-Jordan <[email protected]>
Message-Id: <[email protected]>
(cherry picked from commit 9cf6e41fe293dd56089faac94c36ff5cb3d96726)
Signed-off-by: Michael Tokarev <[email protected]>
Compare: https://github.com/qemu/qemu/compare/044e1dd76bf5...e87ced60a3aa
To unsubscribe from these emails, change your notification settings at
https://github.com/qemu/qemu/settings/notifications
