Branch: refs/heads/staging-7.2
  Home:   https://github.com/qemu/qemu
  Commit: 055b45334a146b570ada585a9baf9acbd0427309
      
https://github.com/qemu/qemu/commit/055b45334a146b570ada585a9baf9acbd0427309
  Author: David Hubbard <[email protected]>
  Date:   2025-09-17 (Wed, 17 Sep 2025)

  Changed paths:
    M hw/usb/hcd-ohci.c
    M hw/usb/trace-events

  Log Message:
  -----------
  hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or OUT

This changes the ohci validation to not assert if invalid data is fed to the
ohci controller. The poc in https://bugs.launchpad.net/qemu/+bug/1907042 and
migrated to bug #303 does the following to feed it a SETUP pid (valid)
at an EndPt of 1 (invalid - all SETUP pids must be addressed to EndPt 0):

        uint32_t MaxPacket = 64;
        uint32_t TDFormat = 0;
        uint32_t Skip = 0;
        uint32_t Speed = 0;
        uint32_t Direction = 0;  /* #define OHCI_TD_DIR_SETUP 0 */
        uint32_t EndPt = 1;
        uint32_t FuncAddress = 0;
        ed->attr = (MaxPacket << 16) | (TDFormat << 15) | (Skip << 14)
                   | (Speed << 13) | (Direction << 11) | (EndPt << 7)
                   | FuncAddress;
        ed->tailp = /*TDQTailPntr= */ 0;
        ed->headp = ((/*TDQHeadPntr= */ (uint32_t)(uintptr_t)&td[0]) & 0xfffffff0)
                   | (/* ToggleCarry= */ 0 << 1);   /* td[] must be 32-bit DMA-addressable */
        ed->next_ed = (/* NextED= */ 0 & 0xfffffff0);

qemu-fuzz also caught the same issue in #1510. They are both fixed by this
patch.

With a tiny OS[1] that boots and executes the poc the repro shows the issue:

* OS that sends USB requests to a USB mass storage device
  but sends a SETUP with EndPt = 1
* qemu 6.2.0 (Debian 1:6.2+dfsg-2ubuntu6.19)
* qemu HEAD (4e66a0854)
* Actual OHCI controller (hardware)

Command line:
qemu-system-x86_64 -m 20 \
 -device pci-ohci,id=ohci \
 -drive if=none,format=raw,id=d,file=testmbr.raw \
 -device usb-storage,bus=ohci.0,drive=d \
 --trace "usb_*" --trace "ohci_*" -D qemu.log

Results are:

 qemu 6.2.0 | qemu HEAD | actual HW
------------+-----------+----------------
 assertion  | assertion | sets stall bit

The assertion message is:

> qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == 
> USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.
> Aborted (core dumped)

Tip: if the flags "-serial pty -serial stdio" are added to the command line
the poc outputs its USB requests like this:

> Free mem 2M ohci port0 conn FS
> setup { 80 6 0 1 0 0 8 0 }
> ED info=80000 { mps=8 en=0 d=0 } tail=c20920
>   td0 c20880 nxt=c20960 f2000000 setup cbp=c20900 be=c20907       cbp=0 
> be=c20907
>   td1 c20960 nxt=c20980 f3140000    in cbp=c20908 be=c2090f       cbp=0 
> be=c2090f
>   td2 c20980 nxt=c20920 f3080000   out cbp=0 be=0                 cbp=0 be=0
>    rx { 12 1 0 2 0 0 0 8 }
> setup { 0 5 1 0 0 0 0 0 } tx {}
> ED info=80000 { mps=8 en=0 d=0 } tail=c20880
>   td0 c20920 nxt=c20960 f2000000 setup cbp=c20900 be=c20907       cbp=0 
> be=c20907
>   td1 c20960 nxt=c20880 f3100000    in cbp=0 be=0                 cbp=0 be=0
> setup { 80 6 0 1 0 0 12 0 }
> ED info=80081 { mps=8 en=0 d=1 } tail=c20960
>   td0 c20880 nxt=c209c0 f2000000 setup cbp=c20920 be=c20927
>   td1 c209c0 nxt=c209e0 f3140000    in cbp=c20928 be=c20939
>   td2 c209e0 nxt=c20960 f3080000   out cbp=0 be=0qemu-system-x86_64: 
> ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == 
> USB_TOKEN_OUT' failed.
> Aborted (core dumped)

[1] The OS disk image has been emailed to [email protected], [email protected],
and [email protected]:

* testBadSetup.img.xz
* sha256: 045b43f4396de02b149518358bf8025d5ba11091e86458875339fc649e6e5ac6

Signed-off-by: David Hubbard <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
[PMM: authorship and signed-off-by tag names fixed up as
 per on-list agreement]
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 3c3c233677d4f2fe5f35c5d6d6e9b53df48054f4)
Signed-off-by: Michael Tokarev <[email protected]>
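The ED/TD field layout the PoC relies on, as an added example that is not QEMU code or part of the commit: it decodes an OHCI Endpoint Descriptor control word and a Transfer Descriptor control word, derives the USB token PID the controller would issue, and applies the check the commit describes (a SETUP token is only legal on endpoint 0), reporting a stall instead of handing an unexpected PID to an assert-guarded endpoint lookup. The field offsets follow the OHCI specification; treating the reserved TD direction value 3 as a stall is this example's own choice, and the sample control words are the ones shown in the PoC and the trace above.

```c
/*
 * Added example, not QEMU code: decode an OHCI Endpoint Descriptor (ED)
 * control word and a Transfer Descriptor (TD) control word, derive the
 * USB token PID the controller would issue, and apply the check the
 * commit describes: a SETUP token is only legal on endpoint 0. Anything
 * else is reported as a stall (what real hardware does per the commit's
 * table) instead of being passed on to an assert-guarded endpoint lookup.
 */
#include <stdint.h>
#include <stdio.h>

/* USB token PIDs (USB 2.0 specification, table 8-1) */
#define USB_TOKEN_SETUP 0x2d
#define USB_TOKEN_IN    0x69
#define USB_TOKEN_OUT   0xe1

/* OHCI TD Direction/PID (DP) field values */
#define OHCI_TD_DIR_SETUP    0
#define OHCI_TD_DIR_OUT      1
#define OHCI_TD_DIR_IN       2
#define OHCI_TD_DIR_RESERVED 3

struct ohci_ed_fields {
    uint32_t fa;   /* FunctionAddress, bits 0-6   */
    uint32_t en;   /* EndpointNumber,  bits 7-10  */
    uint32_t d;    /* Direction,       bits 11-12 */
    uint32_t s;    /* Speed,           bit 13     */
    uint32_t k;    /* sKip,            bit 14     */
    uint32_t f;    /* Format,          bit 15     */
    uint32_t mps;  /* MaxPacketSize,   bits 16-26 */
};

enum ohci_check { OHCI_OK = 0, OHCI_STALL = 1 };

static struct ohci_ed_fields ohci_ed_decode(uint32_t attr)
{
    struct ohci_ed_fields f;
    f.fa  = attr & 0x7f;
    f.en  = (attr >> 7) & 0xf;
    f.d   = (attr >> 11) & 0x3;
    f.s   = (attr >> 13) & 0x1;
    f.k   = (attr >> 14) & 0x1;
    f.f   = (attr >> 15) & 0x1;
    f.mps = (attr >> 16) & 0x7ff;
    return f;
}

/* Effective direction: ED.D of 01/10 overrides, 00/11 defer to the TD DP field. */
static unsigned ohci_effective_dir(uint32_t ed_attr, uint32_t td_flags)
{
    unsigned ed_d = (ed_attr >> 11) & 0x3;
    if (ed_d == 1) return OHCI_TD_DIR_OUT;
    if (ed_d == 2) return OHCI_TD_DIR_IN;
    return (td_flags >> 19) & 0x3;   /* TD DP field, bits 19-20 */
}

/*
 * Returns OHCI_OK and stores the USB token PID in *pid, or OHCI_STALL
 * when the descriptor pair is not something a controller may issue.
 * Treating the reserved DP value 3 as a stall is this example's choice.
 */
static enum ohci_check ohci_validate(uint32_t ed_attr, uint32_t td_flags, int *pid)
{
    struct ohci_ed_fields ed = ohci_ed_decode(ed_attr);
    switch (ohci_effective_dir(ed_attr, td_flags)) {
    case OHCI_TD_DIR_SETUP:
        if (ed.en != 0)            /* the PoC: SETUP addressed to EndPt 1 */
            return OHCI_STALL;
        *pid = USB_TOKEN_SETUP;
        return OHCI_OK;
    case OHCI_TD_DIR_OUT:
        *pid = USB_TOKEN_OUT;
        return OHCI_OK;
    case OHCI_TD_DIR_IN:
        *pid = USB_TOKEN_IN;
        return OHCI_OK;
    default:
        return OHCI_STALL;
    }
}

int main(void)
{
    /* ED control word built exactly as in the PoC: mps=64, en=1, d=0, fa=0 */
    uint32_t poc_ed = (64u << 16) | (1u << 7);
    /* TD control words from the trace above: f2000000 = setup, f3140000 = in */
    int pid = 0;
    printf("PoC SETUP on EndPt 1: %s\n",
           ohci_validate(poc_ed, 0xf2000000, &pid) == OHCI_STALL ? "stall" : "ok");
    printf("SETUP on EndPt 0:     %s pid=0x%02x\n",
           ohci_validate(64u << 16, 0xf2000000, &pid) == OHCI_OK ? "ok" : "stall", pid);
    return 0;
}
```

The same decode explains the trace lines above: f3140000 carries DP=10 (IN) and f3080000 DP=01 (OUT), so only the SETUP TD on the non-zero endpoint is rejected.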


  Commit: 2f8da7ed9792eb70b8c31380ccee5257a11a9cf8
      
https://github.com/qemu/qemu/commit/2f8da7ed9792eb70b8c31380ccee5257a11a9cf8
  Author: Alex Bennée <[email protected]>
  Date:   2025-09-18 (Thu, 18 Sep 2025)

  Changed paths:
    M .gitmodules

  Log Message:
  -----------
  .gitmodules: move u-boot mirrors to qemu-project-mirrors

To continue our GitLab Open Source Program license we need to pass an
automated license check for all repos under qemu-project. While U-Boot
is clearly GPLv2, rather than fight with the automated validation
script, just move the mirror across to a separate project.

Signed-off-by: Alex Bennée <[email protected]>
Suggested-by: Daniel P. Berrangé <[email protected]>
Cc: [email protected]
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit a11d1847d5ef8a7db58e6d4e44f36fec708f0981)
(Mjt: adjust context for 7.2.x)
Signed-off-by: Michael Tokarev <[email protected]>


  Commit: 9beb7e011e7b6f6451c10526ec76940fcd5aa9e4
      
https://github.com/qemu/qemu/commit/9beb7e011e7b6f6451c10526ec76940fcd5aa9e4
  Author: Paolo Bonzini <[email protected]>
  Date:   2025-09-18 (Thu, 18 Sep 2025)

  Changed paths:
    M tests/qtest/vhost-user-test.c

  Log Message:
  -----------
  tests: vhost-user-test: release mutex on protocol violation

chr_read() is printing an error message and returning with s->data_mutex taken.
This can potentially cause a hang.  Reported by Coverity.

Signed-off-by: Paolo Bonzini <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Thomas Huth <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
(cherry picked from commit 3ee7f21ed292966f5cd3eb71aa06f8ffc0e5ae41)
(Mjt: pick this trivial focused change up for 7.2.x so that subsequent fixes in
this area apply cleanly)
Signed-off-by: Michael Tokarev <[email protected]>


  Commit: b9579f1cebb9b091fb5e2c8ba2da2038cc9daa33
      
https://github.com/qemu/qemu/commit/b9579f1cebb9b091fb5e2c8ba2da2038cc9daa33
  Author: Yuxue Liu <[email protected]>
  Date:   2025-09-18 (Thu, 18 Sep 2025)

  Changed paths:
    M tests/qtest/vhost-user-test.c

  Log Message:
  -----------
  vhost-user-test: no set non-blocking for cal fd less than 0.

In the scenario where vhost-user sets eventfd to -1,
qemu_chr_fe_get_msgfds retrieves fd as -1. When vhost_user_read
receives, it does not perform blocking operations on the descriptor
with fd=-1, so non-blocking operations should not be performed here
either. This is a normal use case. Calling g_unix_set_fd_nonblocking
at this point will cause the test to interrupt.

When vhost_user_write sets the call fd to -1, it sets the number of
fds to 0, so the fds obtained by qemu_chr_fe_get_msgfds will also
be 0.

Signed-off-by: Yuxue Liu <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>
(cherry picked from commit f72fc16910c8f44edf052f52672e0e63bbbc773c)
(Mjt: pick this trivial focused change up for 7.2.x so that subsequent 
change(s) in this area apply cleanly)
Signed-off-by: Michael Tokarev <[email protected]>


  Commit: cdfff7682cfeba5c26c906c2bf53da1bb4faf986
      
https://github.com/qemu/qemu/commit/cdfff7682cfeba5c26c906c2bf53da1bb4faf986
  Author: Markus Armbruster <[email protected]>
  Date:   2025-09-18 (Thu, 18 Sep 2025)

  Changed paths:
    M tests/qtest/qos-test.c
    M tests/qtest/vhost-user-test.c

  Log Message:
  -----------
  Revert "tests/qtest: use qos_printf instead of g_test_message"

This reverts commit 30ea13e9d97dcbd4ea541ddf9e8857fa1d5cb30f.

Also rewrites qos_printf() calls added later.

"make check" prints many lines like

    stdout: 138: UNKNOWN:     # # qos_test running single test in subprocess
    stdout: 139: UNKNOWN:     # # set_protocol_features: 0x42
    stdout: 140: UNKNOWN:     # # set_owner: start of session
    stdout: 141: UNKNOWN:     # # vhost-user: un-handled message: 14
    stdout: 142: UNKNOWN:     # # vhost-user: un-handled message: 14
    stdout: 143: UNKNOWN:     # # set_vring(0)=enabled
    stdout: 144: UNKNOWN:     # # set_vring(1)=enabled
    stdout: 145: UNKNOWN:     # # set_vring(0)=enabled
    stdout: 146: UNKNOWN:     # # set_vring(1)=enabled
    stdout: 147: UNKNOWN:     # # set_vring(0)=enabled
    stdout: 148: UNKNOWN:     # # set_vring(1)=enabled
    stdout: 149: UNKNOWN:     # # set_vring(0)=enabled
    stdout: 150: UNKNOWN:     # # set_vring(1)=enabled
    stdout: 151: UNKNOWN:     # # set_vring(0)=enabled
    stdout: 152: UNKNOWN:     # # set_vring(1)=enabled
    stdout: 153: UNKNOWN:     # # set_vring_num: 0/256
    stdout: 154: UNKNOWN:     # # set_vring_addr: 0x7f9060000000/0x7f905ffff000/0x7f9060001000

Turns out this is qos-test, and the culprit is a commit meant to ease
debugging.  Revert it until a better solution is found.

Signed-off-by: Markus Armbruster <[email protected]>
Message-ID: <[email protected]>
[Commit message clarified]
(cherry picked from commit c9a1ea9c52e6462ad5c7814f3abd65baa69dc4ce)
Signed-off-by: Michael Tokarev <[email protected]>


  Commit: 1e2fdfc71bc85ed489aafafd9f76430e2fc8ed18
      
https://github.com/qemu/qemu/commit/1e2fdfc71bc85ed489aafafd9f76430e2fc8ed18
  Author: Fabiano Rosas <[email protected]>
  Date:   2025-09-18 (Thu, 18 Sep 2025)

  Changed paths:
    M tests/qtest/fuzz-lsi53c895a-test.c

  Log Message:
  -----------
  tests/qtest: Do not run lsi53c895a test if device is not present

The tests are built once for all the targets, so as long as one QEMU
binary is built with CONFIG_LSI_SCSI_PCI=y, this test will
run. However some binaries might not include the device. So check this
again in runtime.

Signed-off-by: Fabiano Rosas <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Thomas Huth <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
(cherry picked from commit dee66bc9691a0d5e8337c24b5cf303f46293df76)
(Mjt: pick this trivial focused fix up for 7.2.x so that subsequent change(s) 
in this area apply cleanly)
Signed-off-by: Michael Tokarev <[email protected]>


  Commit: dd7f47e71b86f1b1fa88ef3148dca1d5533cf01c
      
https://github.com/qemu/qemu/commit/dd7f47e71b86f1b1fa88ef3148dca1d5533cf01c
  Author: Richard W.M. Jones <[email protected]>
  Date:   2025-09-18 (Thu, 18 Sep 2025)

  Changed paths:
    M tests/qtest/fuzz-lsi53c895a-test.c
    M tests/qtest/rtl8139-test.c

  Log Message:
  -----------
  tests: Ensure TAP version is printed before other messages

These two tests were failing with this error:

  stderr:
  TAP parsing error: version number must be on the first line
  [...]
  Unknown TAP version. The first line MUST be `TAP version <int>`. Assuming version 12.

This can be fixed by ensuring we always call g_test_init first in the
body of main.

Thanks: Daniel Berrange, for diagnosing the problem
Signed-off-by: Richard W.M. Jones <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Tested-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Alexander Bulekov <[email protected]>
Reviewed-by: Darren Kenny <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Alex Bennée <[email protected]>
Reviewed-by: Thomas Huth <[email protected]>
Message-Id: <[email protected]>
(cherry picked from commit ae4b01b3497934849278b49f3dfd28420f75e300)
(Mjt: this fixes rtl8139 testing failure on 7.2.x)
Signed-off-by: Michael Tokarev <[email protected]>


  Commit: 5279a162ffe91bb1168365b01226fa183ea0218e
      
https://github.com/qemu/qemu/commit/5279a162ffe91bb1168365b01226fa183ea0218e
  Author: Stéphane Graber <[email protected]>
  Date:   2025-09-18 (Thu, 18 Sep 2025)

  Changed paths:
    M hw/usb/dev-network.c

  Log Message:
  -----------
  hw/usb/network: Remove hardcoded 0x40 prefix in STRING_ETHADDR response

USB NICs have a "40:" prefix hardcoded for all MAC addresses when we
return the guest the MAC address if it queries the STRING_ETHADDR USB
string property.  This doesn't match what we use for the
OID_802_3_PERMANENT_ADDRESS or OID_802_3_CURRENT_ADDRESS OIDs for
NDIS, or the MAC address we actually use in the QEMU networking code
to send/receive packets for this device, or the NIC info string we
print for users.  In all those other places we directly use
s->conf.macaddr.a, which is the full thing the user asks for.

This overrides user-provided configuration and leads to an inconsistent
experience.

I couldn't find any documented reason (comment or git commits) for
this behavior.  It seems like everyone is just expecting the MAC
address to be fully passed through to the guest, but it isn't.

This may have been a debugging hack that accidentally made it through
to the accepted patch: it has been in the code since it was originally
added back in 2008.

This is also particularly problematic as the "40:" prefix isn't a
reserved prefix for MAC addresses (IEEE OUI).  There are a number of
valid allocations out there which use this prefix, meaning that QEMU
may be causing MAC address conflicts.

Cc: [email protected]
Fixes: 6c9f886ceae5b ("Add CDC-Ethernet usb NIC (original patch from Thomas Sailer)")
Signed-off-by: Stéphane Graber <[email protected]>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2951
Reviewed-by: Daniel P. Berrangé <[email protected]>
[PMM: beef up commit message based on mailing list discussion]
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit aaf042299acf83919862c7d7dd5fc36acf4e0671)
Signed-off-by: Michael Tokarev <[email protected]>


  Commit: a1499a8a9426403af43ee6101ab48a2eb0953da3
      
https://github.com/qemu/qemu/commit/a1499a8a9426403af43ee6101ab48a2eb0953da3
  Author: Michael Tokarev <[email protected]>
  Date:   2025-09-26 (Fri, 26 Sep 2025)

  Changed paths:
    M tests/docker/dockerfiles/python.docker

  Log Message:
  -----------
  use fedora:37 for python container instead of :latest

More recent fedora does not have our minimum python versions
anymore.  Stick with the most common fedora version used in
7.2.x in other places, which is 37.  This way, python tests
work again.

This is a 7.2-specific change, not aimed for the master branch.

Reviewed-by: Daniel P. Berrangé <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Michael Tokarev <[email protected]>


  Commit: df4052077556f2f1d83dc2bd2e6a05c0c192a2b0
      
https://github.com/qemu/qemu/commit/df4052077556f2f1d83dc2bd2e6a05c0c192a2b0
  Author: Peter Delevoryas <[email protected]>
  Date:   2025-09-26 (Fri, 26 Sep 2025)

  Changed paths:
    M python/qemu/machine/machine.py
    M tests/avocado/avocado_qemu/__init__.py

  Log Message:
  -----------
  python/machine: Fix AF_UNIX path too long on macOS

On macOS, private $TMPDIR's are the default. These $TMPDIR's are
generated from a user's unix UID and UUID [1], which can create a
relatively long path:

    /var/folders/d7/rz20f6hd709c1ty8f6_6y_z40000gn/T/

QEMU's avocado tests create a temporary directory prefixed by
"avo_qemu_sock_", and create QMP sockets within _that_ as well.
The QMP socket is unnecessarily long, because a temporary directory
is created for every QEMUMachine object.

    /avo_qemu_sock_uh3w_dgc/qemu-37331-10bacf110-monitor.sock

The path limit for unix sockets on macOS is 104: [2]

    /*
     * [XSI] Definitions for UNIX IPC domain.
     */
    struct  sockaddr_un {
        unsigned char   sun_len;        /* sockaddr len including null */
        sa_family_t     sun_family;     /* [XSI] AF_UNIX */
        char            sun_path[104];  /* [XSI] path name (gag) */
    };

This results in avocado tests failing on macOS because the QMP unix
socket can't be created, because the path is too long:

    ERROR| Failed to establish connection: OSError: AF_UNIX path too long

This change resolves by reducing the size of the socket directory prefix
and the suffix on the QMP and console socket names.

The result is paths like this:

    pdel@pdel-mbp:/var/folders/d7/rz20f6hd709c1ty8f6_6y_z40000gn/T
    $ tree qemu*
    qemu_df4evjeq
    qemu_jbxel3gy
    qemu_ml9s_gg7
    qemu_oc7h7f3u
    qemu_oqb1yf97
    ├── 10a004050.con
    └── 10a004050.qmp

[1] 
https://apple.stackexchange.com/questions/353832/why-is-mac-osx-temp-directory-in-weird-path
[2] /Library/Developer/CommandLineTools/SDKs/MacOSX12.3.sdk/usr/include/sys/un.h

Signed-off-by: Peter Delevoryas <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
Signed-off-by: John Snow <[email protected]>
(cherry picked from commit f9922937d173f50fe59fd1b20fadc445fb6b2564)
(Mjt: pick this simple fix for 7.2.x so subsequent changes apply cleanly)
Signed-off-by: Michael Tokarev <[email protected]>


  Commit: 6490f73fc057e093b66d381845bf20b0958da102
      
https://github.com/qemu/qemu/commit/6490f73fc057e093b66d381845bf20b0958da102
  Author: Marc-André Lureau <[email protected]>
  Date:   2025-09-26 (Fri, 26 Sep 2025)

  Changed paths:
    M python/qemu/qmp/protocol.py

  Log Message:
  -----------
  python/qmp/protocol: add open_with_socket()

Instead of listening for incoming connections with a SocketAddr, add a
new method open_with_socket() that accepts an existing socket.

Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Message-id: [email protected]
Signed-off-by: John Snow <[email protected]>
(cherry picked from commit a3cfea92e2030926e00a2519d299384ea648e36e)
Signed-off-by: Michael Tokarev <[email protected]>


  Commit: 68a48e69e5c092c6ea100cc6d2aa1d9518058100
      
https://github.com/qemu/qemu/commit/68a48e69e5c092c6ea100cc6d2aa1d9518058100
  Author: Marc-André Lureau <[email protected]>
  Date:   2025-09-26 (Fri, 26 Sep 2025)

  Changed paths:
    M python/qemu/qmp/legacy.py

  Log Message:
  -----------
  python/qmp/legacy: make QEMUMonitorProtocol accept a socket

Teach QEMUMonitorProtocol to accept an existing socket.

Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Message-id: [email protected]
Signed-off-by: John Snow <[email protected]>
(cherry picked from commit 603a3bad4b9a95b524dc8d6a41b1be4d5c5cacdf)
Signed-off-by: Michael Tokarev <[email protected]>


  Commit: c7cb4f1e82002eada0a059eb16eb9fd8e260bb98
      
https://github.com/qemu/qemu/commit/c7cb4f1e82002eada0a059eb16eb9fd8e260bb98
  Author: Marc-André Lureau <[email protected]>
  Date:   2025-09-26 (Fri, 26 Sep 2025)

  Changed paths:
    M python/qemu/machine/machine.py

  Log Message:
  -----------
  python/qemu/machine: use socketpair() for QMP by default

When no monitor address is given, establish the QMP communication through
a socketpair() (the API is also supported on Windows since Python 3.5).

Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Message-id: [email protected]
[Resolved conflicts, fixed typing error. --js]
Signed-off-by: John Snow <[email protected]>
(cherry picked from commit bd4c0ef409140bd1be393407c04005ac077d4574)
(Mjt: this fixes quite a few qemu iotests which were probably racing somewhere)
Signed-off-by: Michael Tokarev <[email protected]>


  Commit: e1cbca064ebadfdead9d406baa866f80e418ccb7
      
https://github.com/qemu/qemu/commit/e1cbca064ebadfdead9d406baa866f80e418ccb7
  Author: Xiaoyao Li <[email protected]>
  Date:   2025-09-26 (Fri, 26 Sep 2025)

  Changed paths:
    M pc-bios/multiboot_dma.bin
    M pc-bios/optionrom/multiboot.S

  Log Message:
  -----------
  multiboot: Fix the split lock

While running the kvm-unit-tests on Intel platforms with "split lock
disable" feature, every test triggers a kernel warning of

  x86/split lock detection: #AC: qemu-system-x86_64/373232 took a split_lock trap at address: 0x1e3

Hack KVM by exiting to QEMU on split lock #AC, we get

KVM: exception 17 exit (error code 0x0)
EAX=00000001 EBX=00000000 ECX=00000014 EDX=0001fb80
ESI=00000000 EDI=000000a8 EBP=00000000 ESP=00006f10
EIP=000001e3 EFL=00010002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0900 00009000 0000ffff 00009300 DPL=0 DS16 [-WA]
CS =c000 000c0000 0000ffff 00009b00 DPL=0 CS16 [-RA]
SS =0000 00000000 0000ffff 00009300 DPL=0 DS16 [-WA]
DS =c000 000c0000 0000ffff 00009300 DPL=0 DS16 [-WA]
FS =0950 00009500 0000ffff 00009300 DPL=0 DS16 [-WA]
GS =06f2 00006f20 0000ffff 00009300 DPL=0 DS16 [-WA]
LDT=0000 00000000 0000ffff 00008200 DPL=0 LDT
TR =0000 00000000 0000ffff 00008b00 DPL=0 TSS32-busy
GDT=     000c02b4 00000027
IDT=     00000000 000003ff
CR0=00000011 CR2=00000000 CR3=00000000 CR4=00000000
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000000
Code=89 16 08 00 65 66 0f 01 16 06 00 66 b8 01 00 00 00 0f 22 c0 <65> 66 ff 2e 00 00 b8 10 00 00 00 8e d0 8e d8 8e c0 8e e0 8e e8 66 b8 08 00 66 ba 10 05 66

And it matches with what disassembled from multiboot_dma.bin:

 #objdump -b binary -m i386 -D pc-bios/multiboot_dma.bin

  1d1:   08 00                   or     %al,(%eax)
  1d3:   65 66 0f 01 16          lgdtw  %gs:(%esi)
  1d8:   06                      push   %es
  1d9:   00 66 b8                add    %ah,-0x48(%esi)
  1dc:   01 00                   add    %eax,(%eax)
  1de:   00 00                   add    %al,(%eax)
  1e0:   0f 22 c0                mov    %eax,%cr0
> 1e3:   65 66 ff 2e             ljmpw  *%gs:(%esi)
  1e7:   00 00                   add    %al,(%eax)
  1e9:   b8 10 00 00 00          mov    $0x10,%eax
  1ee:   8e d0                   mov    %eax,%ss
  1f0:   8e d8                   mov    %eax,%ds
  1f2:   8e c0                   mov    %eax,%es
  1f4:   8e e0                   mov    %eax,%fs
  1f6:   8e e8                   mov    %eax,%gs
  1f8:   66 b8 08 00             mov    $0x8,%ax
  1fc:   66 ba 10 05             mov    $0x510,%dx

We can see that the instruction at 0x1e3 is a far jmp through the GDT.
However, the GDT is not 8 byte aligned, the base is 0xc02b4.

Intel processors follow the LOCK semantics to set the accessed flag of the
segment descriptor when loading a segment descriptor. If the segment
descriptor crosses two cache lines, it causes split lock.

Fix it by aligning the GDT on 8 bytes, so that segment descriptor cannot
span two cache lines.

Signed-off-by: Xiaoyao Li <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 4c8f69b94839f72314c69902312068d0b9b05a34)
Signed-off-by: Michael Tokarev <[email protected]>
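The alignment argument above, as an added example that is not QEMU code or part of the commit: for a GDT at a given linear base it checks which 8-byte descriptors straddle a cache line boundary, which is what turns the accessed-bit LOCK into a split lock, and shows that rounding the base up to 8 bytes removes every straddle because 64 is a multiple of 8. The base 0xc02b4 and limit 0x27 come from the register dump above; the 64-byte line size is an assumption (it holds for current Intel parts). With these values only the entry at index 1 (selector 0x08) straddles a line.

```c
/*
 * Added example, not QEMU code: check whether any 8-byte segment descriptor
 * in a GDT at a given linear base straddles a 64-byte cache line, which is
 * what turns the descriptor accessed-bit LOCK into a split lock. The GDT
 * base 0xc02b4 and limit 0x27 are taken from the register dump in the
 * commit message; the 64-byte line size is an assumption.
 */
#include <stdint.h>
#include <stdio.h>

#define CACHE_LINE 64u
#define DESC_SIZE  8u

/* Nonzero when the descriptor at index idx does not fit within one cache line. */
static int descriptor_crosses_cacheline(uint32_t gdt_base, unsigned idx)
{
    uint32_t start = gdt_base + idx * DESC_SIZE;
    uint32_t end   = start + DESC_SIZE - 1;
    return (start / CACHE_LINE) != (end / CACHE_LINE);
}

/* Number of descriptors in a GDT (base, limit) that straddle a cache line. */
static unsigned count_split_descriptors(uint32_t gdt_base, uint32_t gdt_limit)
{
    unsigned n = (gdt_limit + 1) / DESC_SIZE;   /* limit is inclusive: 0x27 -> 5 entries */
    unsigned split = 0;
    for (unsigned i = 0; i < n; i++)
        split += descriptor_crosses_cacheline(gdt_base, i) ? 1 : 0;
    return split;
}

/* Round a base up to 8 bytes; since 64 % 8 == 0 no descriptor can then straddle. */
static uint32_t align8(uint32_t base)
{
    return (base + 7u) & ~7u;
}

int main(void)
{
    uint32_t base = 0xc02b4, limit = 0x27;   /* from the dump: GDT= 000c02b4 00000027 */
    printf("unaligned base 0x%x: %u descriptor(s) split across cache lines\n",
           base, count_split_descriptors(base, limit));
    printf("aligned base   0x%x: %u descriptor(s) split across cache lines\n",
           align8(base), count_split_descriptors(align8(base), limit));
    return 0;
}
```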


  Commit: 6da5cadbdaa408dec8e001a0bfbd147598466f97
      
https://github.com/qemu/qemu/commit/6da5cadbdaa408dec8e001a0bfbd147598466f97
  Author: Richard Henderson <[email protected]>
  Date:   2025-09-26 (Fri, 26 Sep 2025)

  Changed paths:
    M accel/tcg/tb-maint.c

  Log Message:
  -----------
  accel/tcg: Properly unlink a TB linked to itself

When we remove dest from orig's links, we lose the link
that we rely on later to reset links.  This can lead to
failure to release from spinlock with self-modifying code.

Cc: [email protected]
Reported-by: 李威威 <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
Reviewed-by: Anton Johansson <[email protected]>
Tested-by: Anton Johansson <[email protected]>
(cherry picked from commit 03fe6659803f83690b8587d01f8ee56bb4be4b90)
Signed-off-by: Michael Tokarev <[email protected]>


  Commit: 942285428fefeef1758b7e25207b86fde3d58bb4
      
https://github.com/qemu/qemu/commit/942285428fefeef1758b7e25207b86fde3d58bb4
  Author: Richard Henderson <[email protected]>
  Date:   2025-09-26 (Fri, 26 Sep 2025)

  Changed paths:
    M tests/tcg/multiarch/Makefile.target
    A tests/tcg/multiarch/tb-link.c

  Log Message:
  -----------
  tests/tcg/multiarch: Add tb-link test

Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit e13e1195db8af18e149065a59351ea85215645bb)
(Mjt: resolve context conflict in tests/tcg/multiarch/Makefile.target)
Signed-off-by: Michael Tokarev <[email protected]>


Compare: https://github.com/qemu/qemu/compare/b26daad0c474...942285428fef
