[Stable-9.0.3 18/69] target/loongarch: Fix helper_lddir() a CID INTEGER_OVERFLOW issue

eviewed-by: Richard Henderson Message-Id: <20240724015853.1317396-1-gaos...@loongson.cn> (cherry picked from commit a18ffbcf8b9fabfc6c850ebb1d3e40a21b885c67) Signed-off-by: Michael Tokarev diff --git a/target/loongarch/tcg/tlb_helper.c b/target/loongarch/tcg/tlb_helper.c index 57f5308632..2

[Stable-9.0.3 19/69] util/async.c: Forbid negative min/max in aio_context_set_thread_pool_params()

olves: Coverity CID 1547605 Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Message-id: 20240723150927.1396456-1-peter.mayd...@linaro.org Signed-off-by: Stefan Hajnoczi (cherry picked from commit 851495571d14fe2226c52b9d423f88a4f5460836) Signed-off-by: Michael Tokarev diff --

[Stable-9.0.3 36/69] migration/multifd: Fix multifd_send_setup cleanup when channel creation fails

614 ("migration/multifd: Add outgoing QIOChannelFile support") Reviewed-by: Peter Xu Signed-off-by: Fabiano Rosas (cherry picked from commit 0bd5b9284fa94a6242a0d27a46380d93e753488b) Signed-off-by: Michael Tokarev diff --git a/migration/multifd.c b/migration/multifd.c index 2802afe79d..

[Stable-9.0.3 27/69] target/arm: Avoid shifts by -1 in tszimm_shr() and tszimm_shl()

.org Resolves: Coverity CID 1547617, 1547694 Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson Message-id: 20240722172957.1041231-4-peter.mayd...@linaro.org (cherry picked from commit 76916dfa89e8900639c1055c07a295c06628a0bc) Signed-off-by: Michael Tokarev diff --git a/target/arm/tcg/tran

[Stable-9.0.3 62/69] crypto/tlscredspsk: Free username on finalize

naro.org> Signed-off-by: Philippe Mathieu-Daudé (cherry picked from commit 87e012f29f2e47dcd8c385ff8bb8188f9e06d4ea) Signed-off-by: Michael Tokarev diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c index 546cad1c5a..0d6b71a37c 100644 --- a/crypto/tlscredspsk.c +++ b/crypto/tlscredspsk

[Stable-9.0.3 65/69] migration/multifd: Free MultiFDRecvParams::data

@nongnu.org Fixes: d117ed0699d41 ("migration/multifd: Allow receiving pages without packets") Signed-off-by: Peter Maydell Reviewed-by: Fabiano Rosas Signed-off-by: Fabiano Rosas (cherry picked from commit 4c107870e8b2ba3951ee0c46123f1c3b5d3a19d3) Signed-off-by: Michael Tokarev diff --git a

[Stable-9.0.3 52/69] hw/core/ptimer: fix timer zero period condition for freq > 1GHz

446e5e8b4515e9a7be69ef6a29852975289bb6f0) Signed-off-by: Michael Tokarev diff --git a/hw/core/ptimer.c b/hw/core/ptimer.c index b1517592c6..1d8964d804 100644 --- a/hw/core/ptimer.c +++ b/hw/core/ptimer.c @@ -83,7 +83,7 @@ static void ptimer_reload(ptimer_state *s, int delta_adjust) delta = s->delta = s->

[Stable-9.0.3 46/69] nbd/server: Plumb in new args to nbd_client_add()

wed-by: Daniel P. Berrangé [eblake: s/LIMIT/MAX_SECS/ as suggested by Dan] Signed-off-by: Eric Blake (cherry picked from commit fb1c2aaa981e0a2fa6362c9985f1296b74f055ac) Signed-off-by: Michael Tokarev diff --git a/blockdev-nbd.c b/blockdev-nbd.c index 213012435f..267a1de903 100644 --- a/blockdev

[Stable-9.0.3 64/69] virtio-pci: Fix the use of an uninitialized irqfd

d ("virtio-pci: fix use of a released vector") Cc: qemu-sta...@nongnu.org Signed-off-by: Cindy Lu Message-Id: <20240806093715.65105-1-l...@redhat.com> Acked-by: Jason Wang Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin (cherry picked from commit a8e63ff289d137197ad7

[Stable-9.0.3 58/69] module: Prevent crash by resetting local_err in module_load_qom_all()

: https://lore.kernel.org/r/20240809121340.992049-2-alexander.iva...@virtuozzo.com [Do the same by moving the declaration instead. - Paolo] Cc: qemu-sta...@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit 940d802b24e63650e0eacad3714e2ce171cba17c) Signed-off-by: Michael Tokarev

[Stable-9.0.3 50/69] nbd/server: CVE-2024-7409: Avoid use-after-free when closing server

start() > > sst.join() > nlt.join() > > test() Fixes: CVE-2024-7409 Fixes: 3e7ef738c8 ("nbd/server: CVE-2024-7409: Close stray clients at server-stop") CC: qemu-sta...@nongnu.org Reported-by: Andrey Drobyshev Signed-off-by: Eric Blake Message-ID: <20240822143617.

[Stable-9.0.3 32/69] target/arm: Handle denormals correctly for FMOPA (widening)

://gitlab.com/qemu-project/qemu/-/issues/2373 Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson (cherry picked from commit 55f9f4ee018c5ccea81d8c8c586756d7711ae46f) Signed-off-by: Michael Tokarev diff --git a/target/arm/tcg/helper-sme.h b/target/arm/tcg/helper-sme.h index 27eef49a11

[Stable-9.0.3 51/69] net: Fix '-net nic, model=' for non-help arguments

From: David Woodhouse Oops, don't *delete* the model option when checking for 'help'. Fixes: 64f75f57f9d2 ("net: Reinstate '-net nic, model=help' output as documented in man page") Reported-by: Hans Signed-off-by: David Woodhouse Cc: qemu-sta...@nong

[Stable-9.0.3 29/69] docs/sphinx/depfile.py: Handle env.doc2path() returning a Path not a str

Maydell Reviewed-by: Philippe Mathieu-Daudé Message-ID: <20240729120533.2486427-1-peter.mayd...@linaro.org> Signed-off-by: Philippe Mathieu-Daudé (cherry picked from commit 48e5b5f994bccf161dd88a67fdd819d4bfb400f1) Signed-off-by: Michael Tokarev diff --git a/docs/sphinx/depfile.py b/doc

[Stable-9.0.3 63/69] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv

picked from commit 6a22121c4f25b181e99479f65958ecde65da1c92) Signed-off-by: Michael Tokarev diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index 652116085e..659332db0a 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -4302,7 +4302,7 @@ static uint16_t nvme_io_mgmt_recv_ruhs(NvmeCtrl *n

[Stable-9.0.3 39/69] tcg/ppc: Sync tcg_out_test and constraints

mu-project/qemu/-/issues/2487 Signed-off-by: Richard Henderson Message-Id: <44328324-af73-4439-9d2b-d414e0e13...@linaro.org> Reviewed-by: Philippe Mathieu-Daudé (cherry picked from commit 682a05280504d2fab32e16096b58d7ea068435c2) Signed-off-by: Michael Tokarev diff --git a/tcg/ppc/tcg-target

[Stable-9.0.3 60/69] linux-user: Preserve NULL hit in target_mmap subroutines

: Michael Tokarev diff --git a/linux-user/mmap.c b/linux-user/mmap.c index be3b9a68eb..2a11d921ab 100644 --- a/linux-user/mmap.c +++ b/linux-user/mmap.c @@ -559,9 +559,13 @@ static abi_long mmap_h_eq_g(abi_ulong start, abi_ulong len, int host_prot, int flags, int page_flags

[Stable-9.0.3 54/69] target/i386: Do not apply REX to MMX operands

linaro.org Signed-off-by: Paolo Bonzini (cherry picked from commit 416f2b16c02c618c0f233372ebfe343f9ee667d4) Signed-off-by: Michael Tokarev diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.c.inc index 2ca874b59d..27e1666f5d 100644 --- a/target/i386/tcg/decode-new.c.inc ++

[Stable-9.0.3 37/69] linux-user/elfload: Fix pr_pid values in core files

evich Reviewed-by: Richard Henderson Message-ID: <20240801202340.21845-1-...@linux.ibm.com> Signed-off-by: Richard Henderson (cherry picked from commit 5b0c2742c839376b7e03c4654914aaec6a8a7b09) Signed-off-by: Michael Tokarev diff --git a/linux-user/elfload.c b/linux-user/elfload.c index 6

[Stable-9.0.3 67/69] Revert "replay: stop us hanging in rr_wait_io_event"

. Acked-by: Alex Bennée Signed-off-by: Nicholas Piggin Message-Id: <20240813050638.446172-6-npig...@gmail.com> Signed-off-by: Alex Bennée Message-Id: <20240813202329.1237572-14-alex.ben...@linaro.org> (cherry picked from commit 94962ff00d09674047aed896e87ba09736cd6941) Signed-off-by: Mic

[Stable-9.0.3 59/69] target/hexagon: don't look for static glib

f-by: Alyssa Ross Link: https://lore.kernel.org/r/20240805104921.4035256-1...@alyssa.is Signed-off-by: Paolo Bonzini (cherry picked from commit fe68cc0923ebfa0c12e4176f61ec9b363a07a73a) Signed-off-by: Michael Tokarev diff --git a/target/hexagon/meson.build b/target/hexagon/meson.build index fb480afc03..

[Stable-9.0.3 53/69] block/blkio: use FUA flag on write zeroes only if supported

m Signed-off-by: Stefan Hajnoczi (cherry picked from commit 547c4e50929ec6c091d9c16a7b280e829b12b463) Signed-off-by: Michael Tokarev diff --git a/block/blkio.c b/block/blkio.c index 882e1c297b..52ac94527f 100644 --- a/block/blkio.c +++ b/block/blkio.c @@ -899,8 +899,10 @@ static int blkio_file_open(B

[Stable-9.0.3 33/69] virtio-net: Ensure queue index fits with RSS

u Cc: qemu-sta...@nongnu.org Signed-off-by: Akihiko Odaki Reviewed-by: Michael S. Tsirkin Signed-off-by: Jason Wang (cherry picked from commit f1595ceb9aad36a6c1da95bcb77ab9509b38822d) Signed-off-by: Michael Tokarev Fixes: CVE-2024-6505 diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c i

[Stable-9.0.3 15/69] chardev/char-win-stdio.c: restore old console mode

the old console mode and set it back. Signed-off-by: Ziming Song Reviewed-by: Marc-André Lureau Message-ID: (cherry picked from commit 903cc9e1173e0778caa50871e8275c898770c690) Signed-off-by: Michael Tokarev diff --git a/chardev/char-win-stdio.c b/chardev/char-win-stdio.c index 1a18999e78

[Stable-9.0.3 61/69] target/sparc: Restrict STQF to sparcv9

2311.353234-2-richard.hender...@linaro.org> Signed-off-by: Philippe Mathieu-Daudé (cherry picked from commit 12d36294a2d978faf893101862118d1ac1815e85) Signed-off-by: Michael Tokarev diff --git a/target/sparc/insns.decode b/target/sparc/insns.decode index e2d8a07dc4..d2b29de084 100644 --- a/target/sparc/in

[Stable-9.0.3 41/69] vvfat: Fix bug in writing to middle of file

y-one error here, where `i=0x2000 !< offset=0x2000`, thus not fetching the next cluster. Signed-off-by: Amjad Alsharafi Reviewed-by: Kevin Wolf Tested-by: Kevin Wolf Message-ID: Signed-off-by: Kevin Wolf (cherry picked from commit b881cf00c99e03bc8a3648581f97736ff275b18b) Signed-off-by:

[Stable-9.0.3 14/69] target/i386: do not crash if microvm guest uses SGX CPUID leaves

ves: https://gitlab.com/qemu-project/qemu/-/issues/2142 Signed-off-by: Paolo Bonzini (cherry picked from commit 13be929aff804581b21e69087a9caf3698fd5c3c) Signed-off-by: Michael Tokarev diff --git a/hw/i386/sgx.c b/hw/i386/sgx.c index de76397bcf..25b2055d65 100644 --- a/hw/i386/sgx.c +++ b/hw/i386/sgx.c

[Stable-9.0.3 43/69] vvfat: Fix wrong checks for cluster mappings invariant

ed-off-by: Amjad Alsharafi Reviewed-by: Kevin Wolf Message-ID: Signed-off-by: Kevin Wolf (cherry picked from commit f60a6f7e17bf2a2a0f0a08265ac9b077fce42858) Signed-off-by: Michael Tokarev diff --git a/block/vvfat.c b/block/vvfat.c index 247b232608..b63ac5d045 100644 --- a/block/vvfat.c ++

[Stable-9.0.3 66/69] linux-user: Handle short reads in mmap_h_gt_g

cked from commit a4ad4a9d98f7fbde806f07da21e69f39e134cdf1) Signed-off-by: Michael Tokarev diff --git a/linux-user/mmap.c b/linux-user/mmap.c index 2a11d921ab..9e94f36ba2 100644 --- a/linux-user/mmap.c +++ b/linux-user/mmap.c @@ -282,6 +282,40 @@ static int do_munmap(void *addr, size_t len) return

[Stable-9.0.3 68/69] hw/audio/virtio-snd: fix invalid param check

S. Tsirkin (cherry picked from commit 7d14471a121878602cb4e748c4707f9ab9a9e3e2) Signed-off-by: Michael Tokarev diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c index 2b80072b04..95f55a02f1 100644 --- a/hw/audio/virtio-snd.c +++ b/hw/audio/virtio-snd.c @@ -282,12 +282,12 @@ uint32_t

[Stable-9.0.3 40/69] hw/sd/sdhci: Reset @data_count index on invalid ADMA transfers

: Zheyu Ma Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2455 Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Richard Henderson Message-Id: <20240730092138.32443-4-phi...@linaro.org> (cherry picked from commit ed5a159c3de48a581f46de4c8c02b4b295e6c52d) Signed-off-by: Michael Tokarev

[Stable-9.0.3 21/69] hw/virtio: Fix the de-initialization of vhost-user devices

f-by: Thomas Huth Message-Id: <20240618121958.88673-1-th...@redhat.com> Reviewed-by: Manos Pitsidianakis Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin (cherry picked from commit d72479b11797c28893e1e3fc565497a9cae5ca16) Signed-off-by: Michael Tokarev diff --git

[Stable-9.0.3 22/69] target/rx: Use target_ulong for address in LI

83340193b991e7a974f117baa86a04db1fd835a9) Signed-off-by: Michael Tokarev diff --git a/target/rx/translate.c b/target/rx/translate.c index f6e9e0ec90..30d30770ac 100644 --- a/target/rx/translate.c +++ b/target/rx/translate.c @@ -86,7 +86,8 @@ static uint32_t decode_load_bytes(DisasContext *ctx

[Stable-9.0.3 49/69] nbd/server: CVE-2024-7409: Close stray clients at server-stop

nder Ivanov Fixes: CVE-2024-7409 CC: qemu-sta...@nongnu.org Signed-off-by: Eric Blake Message-ID: <20240807174943.771624-14-ebl...@redhat.com> Reviewed-by: Daniel P. Berrangé (cherry picked from commit 3e7ef738c8462c45043a1d39f702a0990406a3b3) Signed-off-by: Michael Tokarev diff --git a

[Stable-9.0.3 57/69] target/arm: Fix usage of MMU indexes when EL3 is AArch32

ab.com/qemu-project/qemu/-/issues/2326 Signed-off-by: Peter Maydell Tested-by: Bernhard Beschow Reviewed-by: Richard Henderson Message-id: 20240809160430.1144805-3-peter.mayd...@linaro.org (cherry picked from commit 4c2c0474693229c1f533239bb983495c5427784d) Signed-off-by: Michael Tokarev diff -

[Stable-9.0.3 69/69] target/hppa: Fix PSW V-bit packaging in cpu_hppa_get for hppa64

ned-off-by: Michael Tokarev (Mjt: context fixup in target/hppa/helper.c due to lack of v9.0.0-688-gebc9401a4067 "target/hppa: Split PSW X and B into their own field") diff --git a/target/hppa/cpu.h b/target/hppa/cpu.h index a072d0bb63..9c42431d72 100644 --- a/target/hppa/cpu.h +++

[Stable-9.0.3 55/69] target/arm: Clear high SVE elements in handle_vec_simd_wshli

: Peter Maydell (cherry picked from commit 8e0c9a9efa21a16190cbac288e414bbf1d80f639) Signed-off-by: Michael Tokarev diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index 922a16e5d4..7d620ef109 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c

[Stable-9.0.3 26/69] target/arm: Fix UMOPA/UMOPS of 16-bit values

bit integer.) Cc: qemu-sta...@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2372 Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson Message-id: 20240722172957.1041231-3-peter.mayd...@linaro.org (cherry picked from commit ea3f5a90f036734522e9af3bffd77e69e9f47355) Sig

[Stable-9.0.3 47/69] nbd/server: CVE-2024-7409: Cap default max-connections to 100

back-compat behavior without a deprecation period] Signed-off-by: Eric Blake (cherry picked from commit c8a76dbd90c2f48df89b75bef74917f90a59b623) Signed-off-by: Michael Tokarev diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c index d954bec6f1..bdf2eb50b6 100644 --- a/bl

[Stable-9.0.3 31/69] hw/arm/mps2-tz.c: fix RX/TX interrupts order

5a558be93ad628e5bed6e0ee062870f49251725c) Signed-off-by: Michael Tokarev diff --git a/hw/arm/mps2-tz.c b/hw/arm/mps2-tz.c index a2d18afd79..aec57c0d68 100644 --- a/hw/arm/mps2-tz.c +++ b/hw/arm/mps2-tz.c @@ -435,7 +435,7 @@ static MemoryRegion *make_uart(MPS2TZMachineState *mms, void *opaque, const

[Stable-9.0.3 56/69] target/arm: Update translation regime comment for new features

-by: Michael Tokarev (Mjt: pick this one for stable-9.0 so the next commit applies cleanly) diff --git a/target/arm/cpu.h b/target/arm/cpu.h index bc0c84873f..7c721f22bd 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -2687,8 +2687,14 @@ bool write_cpustate_to_list(ARMCPU *cpu, bool

[Stable-9.0.3 45/69] iotests: Add `vvfat` tests

-off-by: Amjad Alsharafi Reviewed-by: Kevin Wolf Tested-by: Kevin Wolf Message-ID: [kwolf: Made mypy and pylint happy to unbreak 297] Signed-off-by: Kevin Wolf (cherry picked from commit c8f60bfb4345ea8343a53eaefe88d47b44c53f24) Signed-off-by: Michael Tokarev diff --git a/tests/qemu-iotests

[Stable-9.0.3 44/69] vvfat: Fix reading files with non-continuous clusters

f-by: Amjad Alsharafi Message-ID: <1f3ea115779abab62ba32c788073cdc99f9ad5dd.1721470238.git.amjadsharaf...@gmail.com> [kwolf: Simplified the patch based on Amjad's analysis and input] Signed-off-by: Kevin Wolf (cherry picked from commit 5eed3db336506b529b927ba221fe0d836e5b8819) Signed-off-by: Mi

[Stable-9.0.3 38/69] target/i386: Fix VSIB decode

...@linaro.org Cc: qemu-sta...@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit ac63755b20013ec6a3d2aef4538d37dc90bc3d10) Signed-off-by: Michael Tokarev (Mjt: modify the change to pre-new-decoder introduced past qemu 9.0) diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg

[Stable-9.0.3 42/69] vvfat: Fix usage of `info.file.offset`

f Message-ID: <72f19a7903886dda1aa78bcae0e17702ee939262.1721470238.git.amjadsharaf...@gmail.com> Signed-off-by: Kevin Wolf (cherry picked from commit 21b25a0e466a5bba0a45600bb8100ab564202ed1) Signed-off-by: Michael Tokarev diff --git a/block/vvfat.c b/block/vvfat.c index 19da009a5b..247b232608 100644 --- a/block/vvfat.c

[Stable-9.0.3 17/69] hw/intc/loongson_ipi: Fix resource leak

cked from commit 0c2086bc7360565dfb9933181dafaefe2c94cddf) Signed-off-by: Michael Tokarev (Mjt: rename loongson back to longarch for 9.0 due to lack of v9.0.0-582-gb4a12dfc2132 "hw/intc/loongarch_ipi: Rename as loongson_ipi") diff --git a/hw/intc/loongarch_ipi.c b/hw/intc/loongarch_ipi.c index 521731342c..c210b

[Stable-9.0.3 48/69] nbd/server: CVE-2024-7409: Drop non-negotiating clients

3.771624-13-ebl...@redhat.com> Reviewed-by: Daniel P. Berrangé [eblake: rebase to changes earlier in series, reduce scope of timer] Signed-off-by: Eric Blake (cherry picked from commit b9b72cb3ce15b693148bd09cef7e50110566d8a0) Signed-off-by: Michael Tokarev diff --git a/nbd/server.c b/nbd

[Stable-9.0.3 24/69] hw/misc/bcm2835_property: Fix handling of FRAMEBUFFER_SET_PALETTE

nction-global, so it's clearer what type they are when reading the code. Cc: qemu-sta...@nongnu.org Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Message-id: 20240723131029.1159908-2-peter.mayd...@linaro.org (cherry picked from commit 0892fffc2abaadfb5d8b79bb0250ae17948625

[Stable-9.0.3 25/69] target/arm: Don't assert for 128-bit tile accesses when SVL is 128

d-off-by: Peter Maydell Reviewed-by: Richard Henderson Message-id: 20240722172957.1041231-2-peter.mayd...@linaro.org (cherry picked from commit 56f1c0db928aae0b83fd91c89ddb226b137e2b21) Signed-off-by: Michael Tokarev diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c index 18

[Stable-9.0.3 28/69] target/arm: Ignore SMCR_EL2.LEN and SVCR_EL2.LEN if EL2 is not enabled

: 20240722172957.1041231-5-peter.mayd...@linaro.org (cherry picked from commit f573ac059ed060234fcef4299fae9e500d357c33) Signed-off-by: Michael Tokarev diff --git a/target/arm/helper.c b/target/arm/helper.c index a620481d7c..42044ae14b 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -7191,7 +7191,7

[Stable-9.0.3 30/69] hw/i386/amd_iommu: Don't leak memory in amdvi_update_iotlb()

naro.org> Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin (cherry picked from commit 9a45b0761628cc59267b3283a85d15294464ac31) Signed-off-by: Michael Tokarev diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c index 6d4fde72f9..87643d2891 100644 --- a/hw/i386/amd_iommu

[Stable-9.0.3 34/69] virtio-net: Fix network stall at the host side waiting for kick

ael S. Tsirkin Signed-off-by: Jason Wang (cherry picked from commit f937309fbdbb48c354220a3e7110c202ae4aa7fa) Signed-off-by: Michael Tokarev (Mjt: context fixup in include/hw/virtio/virtio.h) diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index f48588638d..d4b979d343 100644 --- a/

[Stable-9.0.3 13/69] intel_iommu: fix FRCD construction macro

an Reviewed-by: Minwoo Im Message-Id: <20240709142557.317271-2-clement.mathieu--d...@eviden.com> Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin (cherry picked from commit a3c8d7e38550c3d5a46e6fa94ffadfa625a4861d) Signed-off-by: Michael Tokarev diff --git a/hw/i386/intel_

[Stable-9.0.3 12/69] virtio-snd: check for invalid param shift operands

-by: Manos Pitsidianakis Message-Id: Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin (cherry picked from commit 9b6083465fb8311f2410615f8303a41f580a2a20) Signed-off-by: Michael Tokarev diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio

[Stable-9.0.3 01/69] hw/scsi/lsi53c895a: bump instruction limit in scripts processing to fix regression

le Link: https://lore.kernel.org/r/20240715131403.223239-1-f.eb...@proxmox.com Signed-off-by: Paolo Bonzini (cherry picked from commit a4975023fb13cf229bd59c9ceec1b8cbdc5b9a20) Signed-off-by: Michael Tokarev diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index eb9828dd5e..f1935e5328 100644 --- a

[Stable-9.0.3 08/69] hvf: arm: Do not advance PC when raising an exception

hiko Odaki Message-id: 20240716-pmu-v3-4-8c7c1858a...@daynix.com Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell (cherry picked from commit 30a1690f2402e6c1582d5b3ebcf7940bfe2fad4b) Signed-off-by: Michael Tokarev diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c index ee657f455b..

[Stable-9.0.3 23/69] hw/char/bcm2835_aux: Fix assert when receive FIFO fills up

ed from commit 546d574b11e02bfd5b15cdf1564842c14516dfab) Signed-off-by: Michael Tokarev diff --git a/hw/char/bcm2835_aux.c b/hw/char/bcm2835_aux.c index 83990e20f7..fca2f27a55 100644 --- a/hw/char/bcm2835_aux.c +++ b/hw/char/bcm2835_aux.c @@ -138,7 +138,7 @@ static uint64_t bcm2835_aux_read(void *opaque, hwaddr offset,

[Stable-9.0.3 35/69] net: Reinstate '-net nic, model=help' output as documented in man page

Signed-off-by: David Woodhouse Reviewed-by: Michael Tokarev Signed-off-by: Jason Wang (cherry picked from commit 64f75f57f9d2c8c12ac6d9355fa5d3a2af5879ca) Signed-off-by: Michael Tokarev diff --git a/net/net.c b/net/net.c index a2f0c828bb..e6ca2529bb 100644 --- a/net/net.c +++ b/net/net.c @@ -1150,6

[Stable-9.0.3 07/69] target/arm: Use FPST_F16 for SME FMOPA (widening)

ned-off-by: Michael Tokarev diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c index 46c7fce8b4..185a8a917b 100644 --- a/target/arm/tcg/translate-sme.c +++ b/target/arm/tcg/translate-sme.c @@ -304,6 +304,7 @@ static bool do_outprod(DisasContext *s, arg_op *a,

[Stable-9.0.3 06/69] target/arm: Use float_status copy in sme_fmopa_s

-by: Peter Maydell (cherry picked from commit 31d93fedf41c24b0badb38cd9317590d1ef74e37) Signed-off-by: Michael Tokarev diff --git a/target/arm/tcg/sme_helper.c b/target/arm/tcg/sme_helper.c index e2e0575039..5a6dd76489 100644 --- a/target/arm/tcg/sme_helper.c +++ b/target/arm/tcg/sme_helper.c @@ -91

[Stable-9.0.3 09/69] hw/nvme: fix memory leak in nvme_dsm

to allow cancellation") Signed-off-by: Zheyu Ma Reviewed-by: Klaus Jensen Signed-off-by: Klaus Jensen (cherry picked from commit c510fe78f1b7c966524489d6ba752107423b20c8) Signed-off-by: Michael Tokarev diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index e89f9f7808..652116085e 100644 --- a/h

[Stable-9.0.3 20/69] Revert "qemu-char: do not operate on sources from finalize callbacks"

2659.216206-1-sergey.dya...@nutanix.com Signed-off-by: Paolo Bonzini (cherry picked from commit e0bf95443ee9326d44031373420cf9f3513ee255) Signed-off-by: Michael Tokarev diff --git a/chardev/char-io.c b/chardev/char-io.c index dab77b112e..3be17b51ca 100644 --- a/chardev/char-io.c +++ b/chardev/char-io.c @@ -87,16 +87,12

[Stable-9.0.3 05/69] target/arm: LDAPR should honour SCTLR_ELx.nAA

ixes: c1a1f80518d360b ("target/arm: Relax ordered/atomic alignment checks for LSE2") Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson Message-id: 20240709134504.357-3-peter.mayd...@linaro.org (cherry picked from commit 25489b521b61b874c4c6583956db0012a3674e3a) Signed-off-b

[Stable-9.0.3 02/69] scsi: fix regression and honor bootindex again for legacy drives

ies") Suggested-by: Kevin Wolf Signed-off-by: Fiona Ebner Link: https://lore.kernel.org/r/20240710152529.1737407-1-f.eb...@proxmox.com Signed-off-by: Paolo Bonzini (cherry picked from commit 57a8a80d1a5b28797b21d30bfc60601945820e51) Signed-off-by: Michael Tokarev diff --git a/hw/scsi/scsi-

[Stable-9.0.3 03/69] qapi/qom: Document feature unstable of @x-vfio-user-server

Raman Cc: qemu-sta...@nongnu.org Signed-off-by: Markus Armbruster Message-ID: <20240703095310.1242102-1-arm...@redhat.com> Reviewed-by: John Snow [Indentation fixed] (cherry picked from commit 3becc939081097ccfed6968771f33d65ce8551eb) Signed-off-by: Michael Tokarev diff --git a/qapi/qom.json

[Stable-9.0.3 11/69] virtio-snd: add max size bounds check in input cb

tps://gitlab.com/qemu-project/qemu/-/issues/2427 Signed-off-by: Manos Pitsidianakis Message-Id: Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin (cherry picked from commit 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3) Signed-off-by: Michael Toka

[Stable-9.0.3 16/69] hw/intc/loongson_ipi: Access memory in little endian

2.10324-3-phi...@linaro.org> (cherry picked from commit 2465c89fb983eed670007742bd68c7d91b6d6f85) Signed-off-by: Michael Tokarev (Mjt: fixups for 9.0, for lack of: v9.0.0-583-g91d0b151de4c "hw/intc/loongson_ipi: Implement IOCSR address space for MIPS" v9.0.0-582-gb4a12dfc2132 "h

[Stable-9.0.3 00/69] Patch Round-up for stable 9.0.3, freeze on 2024-09-16

The following patches are queued for QEMU stable v9.0.3: https://gitlab.com/qemu-project/qemu/-/commits/staging-9.0 Patch freeze is 2024-09-16, and the release is planned for 2024-09-18: https://wiki.qemu.org/Planning/9.0 Please respond here or CC qemu-sta...@nongnu.org on any additional pa

[Stable-9.0.3 04/69] target/arm: Fix handling of LDAPR/STLR with negative offset

ttps://gitlab.com/qemu-project/qemu/-/issues/2419 Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Richard Henderson Message-id: 20240709134504.357-2-peter.mayd...@linaro.org (cherry picked from commit 5669d26ec614b3f4c56cf1489b9095ed327938b1) Signed-off-by: Michael

[Stable-9.0.3 10/69] hw/cxl/cxl-host: Fix segmentation fault when getting cxl-fmw property

cked from commit a207d5f87d66f7933b50677e047498fc4af63e1f) Signed-off-by: Michael Tokarev diff --git a/hw/cxl/cxl-host.c b/hw/cxl/cxl-host.c index c5f5fcfd64..e9f2543c43 100644 --- a/hw/cxl/cxl-host.c +++ b/hw/cxl/cxl-host.c @@ -315,7 +315,8 @@ static void machine_set_cxl(Object *obj, Visitor *v, c

Re: [PULL 11/63] hw/virtio: move stubs out of stubs/

05.09.2024 19:27, Paolo Bonzini wrote: On Sat, Aug 3, 2024 at 4:29 AM Michael Tokarev wrote: 23.04.2024 18:08, Paolo Bonzini wrote: Since the virtio memory device stubs are needed exactly when the Kconfig symbol is not enabled, they can be placed in hw/virtio/ and conditionalized on

[Stable-8.2.7 23/53] target/arm: Ignore SMCR_EL2.LEN and SVCR_EL2.LEN if EL2 is not enabled

: 20240722172957.1041231-5-peter.mayd...@linaro.org (cherry picked from commit f573ac059ed060234fcef4299fae9e500d357c33) Signed-off-by: Michael Tokarev diff --git a/target/arm/helper.c b/target/arm/helper.c index ca2c6e9732..9ff266a235 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -6860,7 +6860,7

[Stable-8.2.7 28/53] virtio-net: Ensure queue index fits with RSS

u Cc: qemu-sta...@nongnu.org Signed-off-by: Akihiko Odaki Reviewed-by: Michael S. Tsirkin Signed-off-by: Jason Wang (cherry picked from commit f1595ceb9aad36a6c1da95bcb77ab9509b38822d) Signed-off-by: Michael Tokarev Fixes: CVE-2024-6505 diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c i

[Stable-8.2.7 50/53] hw/nvme: fix leak of uninitialized memory in io_mgmt_recv

picked from commit 6a22121c4f25b181e99479f65958ecde65da1c92) Signed-off-by: Michael Tokarev diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index 1fa117fdff..ca54c250b2 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -4302,7 +4302,7 @@ static uint16_t nvme_io_mgmt_recv_ruhs(NvmeCtrl *n

[Stable-8.2.7 17/53] target/rx: Use target_ulong for address in LI

83340193b991e7a974f117baa86a04db1fd835a9) Signed-off-by: Michael Tokarev diff --git a/target/rx/translate.c b/target/rx/translate.c index c6ce717a95..d33003f3c1 100644 --- a/target/rx/translate.c +++ b/target/rx/translate.c @@ -86,7 +86,8 @@ static uint32_t decode_load_bytes(DisasContext *ctx

[Stable-8.2.7 22/53] target/arm: Avoid shifts by -1 in tszimm_shr() and tszimm_shl()

.org Resolves: Coverity CID 1547617, 1547694 Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson Message-id: 20240722172957.1041231-4-peter.mayd...@linaro.org (cherry picked from commit 76916dfa89e8900639c1055c07a295c06628a0bc) Signed-off-by: Michael Tokarev diff --git a/target/arm/tcg/tran

[Stable-8.2.7 18/53] hw/char/bcm2835_aux: Fix assert when receive FIFO fills up

ed from commit 546d574b11e02bfd5b15cdf1564842c14516dfab) Signed-off-by: Michael Tokarev diff --git a/hw/char/bcm2835_aux.c b/hw/char/bcm2835_aux.c index 96410b1ff8..0f1b28547e 100644 --- a/hw/char/bcm2835_aux.c +++ b/hw/char/bcm2835_aux.c @@ -138,7 +138,7 @@ static uint64_t bcm2835_aux_read(void *opaque, hwaddr offset,

[Stable-8.2.7 39/53] nbd/server: CVE-2024-7409: Drop non-negotiating clients

3.771624-13-ebl...@redhat.com> Reviewed-by: Daniel P. Berrangé [eblake: rebase to changes earlier in series, reduce scope of timer] Signed-off-by: Eric Blake (cherry picked from commit b9b72cb3ce15b693148bd09cef7e50110566d8a0) Signed-off-by: Michael Tokarev diff --git a/nbd/server.c b/nbd

[Stable-8.2.7 25/53] hw/i386/amd_iommu: Don't leak memory in amdvi_update_iotlb()

naro.org> Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin (cherry picked from commit 9a45b0761628cc59267b3283a85d15294464ac31) Signed-off-by: Michael Tokarev diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c index 4203144da9..12742b1433 100644 --- a/hw/i386/amd_iommu

[Stable-8.2.7 49/53] crypto/tlscredspsk: Free username on finalize

naro.org> Signed-off-by: Philippe Mathieu-Daudé (cherry picked from commit 87e012f29f2e47dcd8c385ff8bb8188f9e06d4ea) Signed-off-by: Michael Tokarev diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c index 546cad1c5a..0d6b71a37c 100644 --- a/crypto/tlscredspsk.c +++ b/crypto/tlscredspsk

[Stable-8.2.7 37/53] nbd/server: Plumb in new args to nbd_client_add()

wed-by: Daniel P. Berrangé [eblake: s/LIMIT/MAX_SECS/ as suggested by Dan] Signed-off-by: Eric Blake (cherry picked from commit fb1c2aaa981e0a2fa6362c9985f1296b74f055ac) Signed-off-by: Michael Tokarev diff --git a/blockdev-nbd.c b/blockdev-nbd.c index 213012435f..267a1de903 100644 --- a/blockdev

[Stable-8.2.7 38/53] nbd/server: CVE-2024-7409: Cap default max-connections to 100

back-compat behavior without a deprecation period] Signed-off-by: Eric Blake (cherry picked from commit c8a76dbd90c2f48df89b75bef74917f90a59b623) Signed-off-by: Michael Tokarev diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c index c729cbf1eb..78a6975852 100644 --- a/bl

[Stable-8.2.7 29/53] virtio-net: Fix network stall at the host side waiting for kick

ael S. Tsirkin Signed-off-by: Jason Wang (cherry picked from commit f937309fbdbb48c354220a3e7110c202ae4aa7fa) Signed-off-by: Michael Tokarev (Mjt: context fixup in include/hw/virtio/virtio.h) diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index f84cff43aa..038604bbec 100644 --- a/

[Stable-8.2.7 48/53] target/sparc: Restrict STQF to sparcv9

2311.353234-2-richard.hender...@linaro.org> Signed-off-by: Philippe Mathieu-Daudé (cherry picked from commit 12d36294a2d978faf893101862118d1ac1815e85) Signed-off-by: Michael Tokarev diff --git a/target/sparc/insns.decode b/target/sparc/insns.decode index e2d8a07dc4..d2b29de084 100644 --- a/target/sparc/in

[Stable-8.2.7 30/53] target/i386: Fix VSIB decode

...@linaro.org Cc: qemu-sta...@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit ac63755b20013ec6a3d2aef4538d37dc90bc3d10) Signed-off-by: Michael Tokarev (Mjt: modify the change to pre-new-decoder introduced past qemu 9.0) diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg

[Stable-8.2.7 42/53] hw/core/ptimer: fix timer zero period condition for freq > 1GHz

446e5e8b4515e9a7be69ef6a29852975289bb6f0) Signed-off-by: Michael Tokarev diff --git a/hw/core/ptimer.c b/hw/core/ptimer.c index e03165febf..7177ecfab0 100644 --- a/hw/core/ptimer.c +++ b/hw/core/ptimer.c @@ -83,7 +83,7 @@ static void ptimer_reload(ptimer_state *s, int delta_adjust) delta = s->delta = s->

[Stable-8.2.7 36/53] iotests: Add `vvfat` tests

-off-by: Amjad Alsharafi Reviewed-by: Kevin Wolf Tested-by: Kevin Wolf Message-ID: [kwolf: Made mypy and pylint happy to unbreak 297] Signed-off-by: Kevin Wolf (cherry picked from commit c8f60bfb4345ea8343a53eaefe88d47b44c53f24) Signed-off-by: Michael Tokarev diff --git a/tests/qemu-iotests

[Stable-8.2.7 16/53] hw/virtio: Fix the de-initialization of vhost-user devices

f-by: Thomas Huth Message-Id: <20240618121958.88673-1-th...@redhat.com> Reviewed-by: Manos Pitsidianakis Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin (cherry picked from commit d72479b11797c28893e1e3fc565497a9cae5ca16) Signed-off-by: Michael Tokarev diff --git

[Stable-8.2.7 47/53] target/hexagon: don't look for static glib

f-by: Alyssa Ross Link: https://lore.kernel.org/r/20240805104921.4035256-1...@alyssa.is Signed-off-by: Paolo Bonzini (cherry picked from commit fe68cc0923ebfa0c12e4176f61ec9b363a07a73a) Signed-off-by: Michael Tokarev diff --git a/target/hexagon/meson.build b/target/hexagon/meson.build index da8e608d00..

[Stable-8.2.7 53/53] target/hppa: Fix PSW V-bit packaging in cpu_hppa_get for hppa64

ned-off-by: Michael Tokarev (Mjt: context fixup in target/hppa/helper.c due to lack of v9.0.0-688-gebc9401a4067 "target/hppa: Split PSW X and B into their own field") diff --git a/target/hppa/cpu.h b/target/hppa/cpu.h index 9556e95fab..e29e69dc31 100644 --- a/target/hppa/cpu.h +++

[Stable-8.2.7 51/53] virtio-pci: Fix the use of an uninitialized irqfd

d ("virtio-pci: fix use of a released vector") Cc: qemu-sta...@nongnu.org Signed-off-by: Cindy Lu Message-Id: <20240806093715.65105-1-l...@redhat.com> Acked-by: Jason Wang Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin (cherry picked from commit a8e63ff289d137197ad7

[Stable-8.2.7 46/53] module: Prevent crash by resetting local_err in module_load_qom_all()

: https://lore.kernel.org/r/20240809121340.992049-2-alexander.iva...@virtuozzo.com [Do the same by moving the declaration instead. - Paolo] Cc: qemu-sta...@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit 940d802b24e63650e0eacad3714e2ce171cba17c) Signed-off-by: Michael Tokarev

[Stable-8.2.7 41/53] nbd/server: CVE-2024-7409: Avoid use-after-free when closing server

start() > > sst.join() > nlt.join() > > test() Fixes: CVE-2024-7409 Fixes: 3e7ef738c8 ("nbd/server: CVE-2024-7409: Close stray clients at server-stop") CC: qemu-sta...@nongnu.org Reported-by: Andrey Drobyshev Signed-off-by: Eric Blake Message-ID: <20240822143617.

[Stable-8.2.7 44/53] target/i386: Do not apply REX to MMX operands

linaro.org Signed-off-by: Paolo Bonzini (cherry picked from commit 416f2b16c02c618c0f233372ebfe343f9ee667d4) Signed-off-by: Michael Tokarev diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.c.inc index ffd3a42688..852579eef5 100644 --- a/target/i386/tcg/decode-new.c.inc ++

[Stable-8.2.7 52/53] hw/audio/virtio-snd: fix invalid param check

S. Tsirkin (cherry picked from commit 7d14471a121878602cb4e748c4707f9ab9a9e3e2) Signed-off-by: Michael Tokarev diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c index f0e7349c8a..63394cf5b0 100644 --- a/hw/audio/virtio-snd.c +++ b/hw/audio/virtio-snd.c @@ -282,12 +282,12 @@ uint32_t

[Stable-8.2.7 35/53] vvfat: Fix reading files with non-continuous clusters

f-by: Amjad Alsharafi Message-ID: <1f3ea115779abab62ba32c788073cdc99f9ad5dd.1721470238.git.amjadsharaf...@gmail.com> [kwolf: Simplified the patch based on Amjad's analysis and input] Signed-off-by: Kevin Wolf (cherry picked from commit 5eed3db336506b529b927ba221fe0d836e5b8819) Signed-off-by: Mi

[Stable-8.2.7 33/53] vvfat: Fix usage of `info.file.offset`

f Message-ID: <72f19a7903886dda1aa78bcae0e17702ee939262.1721470238.git.amjadsharaf...@gmail.com> Signed-off-by: Kevin Wolf (cherry picked from commit 21b25a0e466a5bba0a45600bb8100ab564202ed1) Signed-off-by: Michael Tokarev diff --git a/block/vvfat.c b/block/vvfat.c index 19da009a5b..247b232608 100644 --- a/block/vvfat.c

[Stable-8.2.7 26/53] hw/arm/mps2-tz.c: fix RX/TX interrupts order

5a558be93ad628e5bed6e0ee062870f49251725c) Signed-off-by: Michael Tokarev diff --git a/hw/arm/mps2-tz.c b/hw/arm/mps2-tz.c index 668db5ed61..9d9c263ef8 100644 --- a/hw/arm/mps2-tz.c +++ b/hw/arm/mps2-tz.c @@ -435,7 +435,7 @@ static MemoryRegion *make_uart(MPS2TZMachineState *mms, void *opaque, const

[Stable-8.2.7 27/53] target/arm: Handle denormals correctly for FMOPA (widening)

://gitlab.com/qemu-project/qemu/-/issues/2373 Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson (cherry picked from commit 55f9f4ee018c5ccea81d8c8c586756d7711ae46f) Signed-off-by: Michael Tokarev diff --git a/target/arm/tcg/helper-sme.h b/target/arm/tcg/helper-sme.h index 27eef49a11

[Stable-8.2.7 15/53] util/async.c: Forbid negative min/max in aio_context_set_thread_pool_params()

olves: Coverity CID 1547605 Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Message-id: 20240723150927.1396456-1-peter.mayd...@linaro.org Signed-off-by: Stefan Hajnoczi (cherry picked from commit 851495571d14fe2226c52b9d423f88a4f5460836) Signed-off-by: Michael Tokarev diff --

<    1   2   3   4   5   6   7   8   9   10   >