qemu-commits

[Qemu-commits] [qemu/qemu] 741df4: linux-user: Fix fcntl() and fcntl64()


From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 741df4: linux-user: Fix fcntl() and fcntl64() to return O_...
Date: Sun, 30 Jul 2023 23:16:49 -0700

  Branch: refs/heads/staging-8.0
  Home:   https://github.com/qemu/qemu
  Commit: 741df485e8aec3f509a4e26c975e4cdc94239c88
      https://github.com/qemu/qemu/commit/741df485e8aec3f509a4e26c975e4cdc94239c88
  Author: Helge Deller <deller@gmx.de>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M linux-user/syscall.c

  Log Message:
  -----------
  linux-user: Fix fcntl() and fcntl64() to return O_LARGEFILE for 32-bit targets

When running a 32-bit guest on a 64-bit host, fcntl[64](F_GETFL) should
return with the TARGET_O_LARGEFILE flag set, because all 64-bit hosts
support large files unconditionally.

But on 64-bit hosts, O_LARGEFILE has the value 0, so the flag
translation can't be done with the fcntl_flags_tbl[]. Instead add the
TARGET_O_LARGEFILE flag afterwards.

Note that for 64-bit guests the compiler will optimize away this code,
since TARGET_O_LARGEFILE is zero.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit e0ddf8eac9f83c0bc5a3d39605d873ee0fe53421)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 43462f77061389368b9ee9d79061fa34ae1292e1
      https://github.com/qemu/qemu/commit/43462f77061389368b9ee9d79061fa34ae1292e1
  Author: Helge Deller <deller@gmx.de>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M linux-user/syscall.c

  Log Message:
  -----------
  linux-user: Fix accept4(SOCK_NONBLOCK) syscall

The Linux accept4() syscall allows two flags only: SOCK_NONBLOCK and
SOCK_CLOEXEC, and returns -EINVAL if any other bits have been set.

Change the qemu implementation accordingly, which means we cannot use
the fcntl_flags_tbl[] translation table, which allows too many other
values.

Besides the correction in behaviour, this actually fixes the accept4()
emulation for hppa, mips and alpha targets, for which SOCK_NONBLOCK is
different from TARGET_SOCK_NONBLOCK (aka O_NONBLOCK).

The fix can be verified with the testcase of the debian lwt package,
which hangs forever in a read() syscall without this patch.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit dca4c8384d68bbf5d67f50a5446865d92d61f032)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
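Added example (not QEMU's code, and not from either linux-user commit above): a small C model of the flag handling those two commits describe. Every TARGET_* and HOST_* value here is constructed for illustration and deliberately differs between the two sides, as it does for hppa; nothing is taken from QEMU's headers. translate_accept4_flags() applies the kernel's two-flag allowlist and answers -EINVAL for any other bit instead of running the request through a generic fcntl table, and host_to_target_getfl() shows why TARGET_O_LARGEFILE has to be OR-ed in after the table lookup when the host's O_LARGEFILE is 0.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed flag encodings for a hypothetical 32-bit guest whose socket
 * and file flags differ from the host's (the situation the accept4 commit
 * describes for hppa, mips and alpha). Not taken from QEMU's headers; they
 * only need to differ from the host values below.
 */
#define TARGET_SOCK_NONBLOCK 0x40000000u
#define TARGET_SOCK_CLOEXEC  0x00400000u
#define TARGET_O_NONBLOCK    0x00000004u
#define TARGET_O_LARGEFILE   0x00004000u  /* nonzero: a 32-bit target ABI */

/* Constructed host-side values. O_LARGEFILE is 0 on 64-bit hosts, which is
 * exactly why a value-to-value table can never produce the target flag. */
#define HOST_SOCK_NONBLOCK   0x00000800u
#define HOST_SOCK_CLOEXEC    0x00080000u
#define HOST_O_NONBLOCK      0x00000800u
#define HOST_O_LARGEFILE     0x00000000u

/*
 * accept4() flag translation done the way the kernel validates the flags:
 * an explicit allowlist of the two permitted flags, each mapped by name,
 * and -EINVAL for any other bit. Returns the host flags (>= 0) or -EINVAL.
 */
int64_t translate_accept4_flags(uint32_t target_flags)
{
    const uint32_t allowed = TARGET_SOCK_NONBLOCK | TARGET_SOCK_CLOEXEC;
    uint32_t host = 0;

    if (target_flags & ~allowed) {
        return -EINVAL;                 /* the kernel rejects anything else */
    }
    if (target_flags & TARGET_SOCK_NONBLOCK) {
        host |= HOST_SOCK_NONBLOCK;
    }
    if (target_flags & TARGET_SOCK_CLOEXEC) {
        host |= HOST_SOCK_CLOEXEC;
    }
    return host;
}

/*
 * fcntl(F_GETFL) result translation, host -> target. The table handles
 * flags that are nonzero on both sides; O_LARGEFILE is then OR-ed in
 * unconditionally, because every 64-bit host supports large files and a
 * HOST_O_LARGEFILE of 0 can never match a table entry. For a 64-bit target
 * TARGET_O_LARGEFILE would itself be 0 and the OR would be a no-op.
 */
uint32_t host_to_target_getfl(uint32_t host_fl)
{
    static const struct { uint32_t host, target; } table[] = {
        { HOST_O_NONBLOCK, TARGET_O_NONBLOCK },
        /* a { HOST_O_LARGEFILE, TARGET_O_LARGEFILE } entry would never fire */
    };
    uint32_t target_fl = 0;

    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (host_fl & table[i].host) {
            target_fl |= table[i].target;
        }
    }
    return target_fl | TARGET_O_LARGEFILE;
}

int main(void)
{
    printf("accept4(SOCK_NONBLOCK) -> host flags 0x%llx\n",
           (long long)translate_accept4_flags(TARGET_SOCK_NONBLOCK));
    printf("accept4(O_NONBLOCK)    -> %lld (-EINVAL)\n",
           (long long)translate_accept4_flags(TARGET_O_NONBLOCK));
    printf("F_GETFL(0)             -> 0x%x\n", host_to_target_getfl(0));
    return 0;
}
```

The second printf is the case the commit message is about: a guest passing its O_NONBLOCK encoding where accept4 expects SOCK_NONBLOCK is refused outright, where a permissive table would have silently translated it.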


  Commit: f48e3ec5813d0a51d1e77de00883570b34efd775
      https://github.com/qemu/qemu/commit/f48e3ec5813d0a51d1e77de00883570b34efd775
  Author: Avihai Horon <avihaih@nvidia.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M hw/vfio/pci.c

  Log Message:
  -----------
  vfio: Fix null pointer dereference bug in vfio_bars_finalize()

vfio_realize() has the following flow:
1. vfio_bars_prepare() -- sets VFIOBAR->size.
2. msix_early_setup().
3. vfio_bars_register() -- allocates VFIOBAR->mr.

After vfio_bars_prepare() is called, msix_early_setup() can fail. If it
does fail, vfio_bars_register() is never called and VFIOBAR->mr is not
allocated.

In this case, vfio_bars_finalize() is called as part of the error flow
to free the bars' resources. However, vfio_bars_finalize() calls
object_unparent() for VFIOBAR->mr after checking only VFIOBAR->size, and
thus we get a null pointer dereference.

Fix it by checking VFIOBAR->mr in vfio_bars_finalize().

Fixes: 89d5202edc50 ("vfio/pci: Allow relocating MSI-X MMIO")
Signed-off-by: Avihai Horon <avihaih@nvidia.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
(cherry picked from commit 8af87a3ec7e42ff1b9cf75ceee0451c31e34d153)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 70ba7cbf50afbc18b2d32572efa98d1f8d54a1b2
      https://github.com/qemu/qemu/commit/70ba7cbf50afbc18b2d32572efa98d1f8d54a1b2
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M target/s390x/tcg/translate.c

  Log Message:
  -----------
  target/s390x: Fix EPSW CC reporting

EPSW should explicitly calculate and insert CC, like IPM does.

Fixes: e30a9d3fea58 ("target-s390: Implement EPSW")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Cc: qemu-stable@nongnu.org
Message-Id: <20230704081506.276055-3-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 110b1bac2ecd94a78a1d38003e24e37367bf074e)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: aa308958e6246ccc71bf1ef65f0566cea116fe37
      https://github.com/qemu/qemu/commit/aa308958e6246ccc71bf1ef65f0566cea116fe37
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M target/s390x/tcg/fpu_helper.c
    M target/s390x/tcg/insn-data.h.inc

  Log Message:
  -----------
  target/s390x: Fix MDEB and MDEBR

These instructions multiply 32 bits by 32 bits, not 32 bits by 64 bits.

Fixes: 83b00736f3d8 ("target-s390: Convert FP MULTIPLY")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Cc: qemu-stable@nongnu.org
Message-Id: <20230704081506.276055-4-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit fed9a4fe0ce0ec917a6b3a2da0a7ecd3cb9eba56)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: eefa524832a1795674a9c37b4a93610bcb152b23
      https://github.com/qemu/qemu/commit/eefa524832a1795674a9c37b4a93610bcb152b23
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M target/s390x/tcg/mem_helper.c

  Log Message:
  -----------
  target/s390x: Fix MVCRL with a large value in R0

Using a large R0 causes an assertion error:

    qemu-s390x: target/s390x/tcg/mem_helper.c:183: access_prepare_nf: Assertion `size > 0 && size <= 4096' failed.

Even though PoP explicitly advises against using more than 8 bits for the
size, an emulator crash is never a good thing.

Fix by truncating the size to 8 bits.

Fixes: ea0a1053e276 ("s390x/tcg: Implement Miscellaneous-Instruction-Extensions Facility 3 for the s390x")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Cc: qemu-stable@nongnu.org
Message-Id: <20230704081506.276055-5-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 92a57534619a4058544ce8f9c0beae3e054f342b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 523f529d407933c5ba81cd1c0abe9a95d7137885
      https://github.com/qemu/qemu/commit/523f529d407933c5ba81cd1c0abe9a95d7137885
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M target/s390x/helper.h
    M target/s390x/tcg/mem_helper.c
    M target/s390x/tcg/translate.c

  Log Message:
  -----------
  target/s390x: Fix LRA overwriting the top 32 bits on DAT error

When a DAT error occurs, LRA is supposed to write the error information
to the bottom 32 bits of R1, and leave the top 32 bits of R1 alone.

Fix by passing the original value of R1 into helper and copying the
top 32 bits to the return value.

Fixes: d8fe4a9c284f ("target-s390: Convert LRA")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Cc: qemu-stable@nongnu.org
Message-Id: <20230704081506.276055-6-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 6da311a60d58dba27f5f790217d5ebba944e34ab)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: b2b1b99da9d48299401ad33ba5e0e55e7d597552
      https://github.com/qemu/qemu/commit/b2b1b99da9d48299401ad33ba5e0e55e7d597552
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M target/s390x/mmu_helper.c

  Log Message:
  -----------
  target/s390x: Fix LRA when DAT is off

LRA should perform DAT regardless of whether it's on or off.
Disable DAT check for MMU_S390_LRA.

Fixes: defb0e3157af ("s390x: Implement opcode helpers")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Cc: qemu-stable@nongnu.org
Message-Id: <20230704081506.276055-7-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit b0ef81062d2404ccef0289b1cc6e70244901c9be)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 520d5fb4cbd362026f759094461a9c17652cd78a
      https://github.com/qemu/qemu/commit/520d5fb4cbd362026f759094461a9c17652cd78a
  Author: Marcin Nowakowski <marcin.nowakowski@fungible.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M target/mips/cpu-defs.c.inc

  Log Message:
  -----------
  target/mips: enable GINVx support for I6400 and I6500

GINVI and GINVT operations are supported on MIPS I6400 and I6500 cores,
so indicate that properly in CP0.Config5 register bits [16:15].

Cc: qemu-stable@nongnu.org
Signed-off-by: Marcin Nowakowski <marcin.nowakowski@fungible.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20230630072806.3093704-1-marcin.nowakowski@fungible.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit baf21eebc3e1026d21d94fdf8ca470050e49968f)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: c280ac3b60da2dbda06ca3fd1bd1937ae8396ae0
      https://github.com/qemu/qemu/commit/c280ac3b60da2dbda06ca3fd1bd1937ae8396ae0
  Author: Olaf Hering <olaf@aepfle.de>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M hw/ide/piix.c

  Log Message:
  -----------
  hw/ide/piix: properly initialize the BMIBA register

According to the 82371FB documentation (82371FB.pdf, 2.3.9. BMIBA-BUS
MASTER INTERFACE BASE ADDRESS REGISTER, April 1997), the register is
32 bits wide. To properly reset it to default values, all 32 bits need to be
cleared. Bit #0 "Resource Type Indicator (RTE)" needs to be enabled.

The initial change wrote just the lower 8 bits, leaving parts of the "Bus
Master Interface Base Address" address at bits 15:4 unchanged.

Fixes: e6a71ae327 ("Add support for 82371FB (Step A1) and Improved support for 82371SB (Function 1)")

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Reviewed-by: Bernhard Beschow <shentey@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20230712074721.14728-1-olaf@aepfle.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 230dfd9257e92259876c113e58b5f0d22b056d2e)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 7b336dcd06d727c2ec98ec5dcf95f38c83ac4b9f
      https://github.com/qemu/qemu/commit/7b336dcd06d727c2ec98ec5dcf95f38c83ac4b9f
  Author: Pierrick Bouvier <pierrick.bouvier@linaro.org>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M linux-user/syscall.c

  Log Message:
  -----------
  linux-user/syscall: Implement execve without execveat

Support for execveat syscall was implemented in 55bbe4 and is available
since QEMU 8.0.0. It relies on host execveat, which is widely available
on most of Linux kernels today.

However, this change breaks qemu-user self-emulation if the "host" qemu
version is older than 8.0.0, since that version does not yet implement
execveat. This strange use case arises with most distributions today,
which have binfmt support.

With a concrete failing example:
$ qemu-x86_64-7.2 qemu-x86_64-8.0 /bin/bash -c /bin/ls
/bin/bash: line 1: /bin/ls: Function not implemented
-> not implemented means execve returned ENOSYS

qemu-user-static 7.2 and 8.0 can be conveniently grabbed from debian
packages qemu-user-static* [1].

One usage of this is running wine-arm64 from linux-x64 (details [2]).
It was while updating the qemu embedded in a docker image that we ran
into this issue.

Updating the host qemu is not always possible: either it's complicated,
or it asks you to recompile it, or it is simply not accessible
(GitLab CI, GitHub Actions). Thus, it could be worth implementing execve
without relying on execveat, which is the goal of this patch.

This patch was tested with the example presented in this commit message.

[1] http://ftp.us.debian.org/debian/pool/main/q/qemu/
[2] https://www.linaro.org/blog/emulate-windows-on-arm/

Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <20230705121023.973284-1-pierrick.bouvier@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 7a8d9f3a0e882df50681e40f09c29cfb4966ea2d)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: fa72d8bcf489766c18c37e48eb96752f056568ad
      https://github.com/qemu/qemu/commit/fa72d8bcf489766c18c37e48eb96752f056568ad
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M tcg/tcg.c

  Log Message:
  -----------
  tcg: Fix info_in_idx increment in layout_arg_by_ref

Off by one error, failing to take into account that layout_arg_1
already incremented info_in_idx for the first piece.  We only
need care for the n-1 TCG_CALL_ARG_BY_REF_N pieces here.

Cc: qemu-stable@nongnu.org
Fixes: 313bdea84d2 ("tcg: Add TCG_CALL_{RET,ARG}_BY_REF")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1751
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit e18ed26ce785f74a17e6f3a095647e08ba6fc669)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: d1063b6551b5f034b6f1f18419af764a85c77a1e
      https://github.com/qemu/qemu/commit/d1063b6551b5f034b6f1f18419af764a85c77a1e
  Author: Philippe Mathieu-Daudé <philmd@linaro.org>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M linux-user/elfload.c

  Log Message:
  -----------
  linux-user/arm: Do not allocate a commpage at all for M-profile CPUs

Since commit fbd3c4cff6 ("linux-user/arm: Mark the commpage
executable") executing bare-metal (linked with rdimon.specs)
cortex-M code fails as:

  $ qemu-arm -cpu cortex-m3 ~/hello.exe.m3
  qemu-arm: ../../accel/tcg/user-exec.c:492: page_set_flags: Assertion `last <= GUEST_ADDR_MAX' failed.
  Aborted (core dumped)

Commit 4f5c67f8df ("linux-user/arm: Take more care allocating
commpage") already took care of not allocating a commpage for
M-profile CPUs, however it had to be reverted as commit 6cda41daa2.

Re-introduce the M-profile fix from commit 4f5c67f8df.

Fixes: fbd3c4cff6 ("linux-user/arm: Mark the commpage executable")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1755
Reported-by: Christophe Lyon <christophe.lyon@linaro.org>
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230711153408.68389-1-philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit d713cf4d6c71076513a10528303b3e337b4d5998)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 35720b3d90866ed4c174eb35762e04a1b9e533d1
      https://github.com/qemu/qemu/commit/35720b3d90866ed4c174eb35762e04a1b9e533d1
  Author: Mauro Matteo Cascella <mcascell@redhat.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M ui/vnc-clipboard.c

  Log Message:
  -----------
  ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)

A wrong exit condition may lead to an infinite loop when inflating a
valid zlib buffer containing some extra bytes in the `inflate_buffer`
function. The bug only occurs post-authentication. Return the buffer
immediately if the end of the compressed data has been reached
(Z_STREAM_END).

Fixes: CVE-2023-3255
Fixes: 0bf41cab ("ui/vnc: clipboard support")
Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20230704084210.101822-1-mcascell@redhat.com>
(cherry picked from commit d921fea338c1059a27ce7b75309d7a2e485f710b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 0167759c9a9ffe89b1479cd95486fdc687ceb677
      https://github.com/qemu/qemu/commit/0167759c9a9ffe89b1479cd95486fdc687ceb677
  Author: Andreas Schwab <schwab@suse.de>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M linux-user/syscall.c

  Log Message:
  -----------
  linux-user: Make sure initial brk(0) is page-aligned

Fixes: 86f04735ac ("linux-user: Fix brk() to release pages")
Signed-off-by: Andreas Schwab <schwab@suse.de>
Message-Id: <mvmpm55qnno.fsf@suse.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit d28b3c90cfad1a7e211ae2bce36ecb9071086129)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 5de88d6e1021a8d6de0b70636126c68af0f7232d
      https://github.com/qemu/qemu/commit/5de88d6e1021a8d6de0b70636126c68af0f7232d
  Author: Klaus Jensen <k.jensen@samsung.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M hw/nvme/ctrl.c

  Log Message:
  -----------
  hw/nvme: fix endianness issue for shadow doorbells

In commit 2fda0726e514 ("hw/nvme: fix missing endian conversions for
doorbell buffers"), we fixed shadow doorbells for big-endian guests
running on little endian hosts. But I did not fix little-endian guests
on big-endian hosts. Fix this.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1765
Fixes: 3f7fe8de3d49 ("hw/nvme: Implement shadow doorbell buffer support")
Cc: qemu-stable@nongnu.org
Reported-by: Thomas Huth <thuth@redhat.com>
Tested-by: Cédric Le Goater <clg@redhat.com>
Tested-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
(cherry picked from commit ea3c76f1494d0c75873c3b470e6e048202661ad8)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 0102c92a1c2736fc183bd464c1f899c96ca8faea
      https://github.com/qemu/qemu/commit/0102c92a1c2736fc183bd464c1f899c96ca8faea
  Author: Helge Deller <deller@gmx.de>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M linux-user/syscall.c

  Log Message:
  -----------
  linux-user: Fix qemu brk() to not zero bytes on current page

The qemu brk() implementation is too aggressive and cleans remaining bytes
on the current page above the last brk address.

But some existing applications are buggy and read/write bytes above their
current heap address. On a physical machine this does not trigger a
runtime error as long as the access happens on the same page. Additionally
the Linux kernel allocates only full pages and does no zeroing on already
allocated pages, even if the brk address is lowered.

Fix qemu to behave the same way as the kernel does. Do not touch already
allocated pages, and - when running with different page sizes of guest and
host - zero out only those memory areas where the host page size is bigger
than the guest page size.

Signed-off-by: Helge Deller <deller@gmx.de>
Tested-by: "Markus F.X.J. Oberhumer" <markus@oberhumer.com>
Fixes: 86f04735ac ("linux-user: Fix brk() to release pages")
Cc: qemu-stable@nongnu.org
Buglink: https://github.com/upx/upx/issues/683
(cherry picked from commit 15ad98536ad9410fb32ddf1ff09389b677643faa)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: c4a4731408aca296ad88770e8a545b42e40a5d56
      https://github.com/qemu/qemu/commit/c4a4731408aca296ad88770e8a545b42e40a5d56
  Author: Helge Deller <deller@gmx.de>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M linux-user/syscall.c

  Log Message:
  -----------
  linux-user: Prohibit brk() to shrink below initial heap address

Since commit 86f04735ac ("linux-user: Fix brk() to release pages") it's
possible for userspace applications to reduce their memory footprint by
calling brk() with a lower address and free up memory. Before that commit
guest heap memory was never unmapped.

But the Linux kernel prohibits reducing brk() below the initial memory
address, which is set at startup by the set_brk() function in binfmt_elf.c.
Such a range check was missed in commit 86f04735ac.

This patch adds the missing check by storing the initial brk value in
initial_target_brk and verifying any new brk addresses against that value.

Tested with the i386 upx binary from
https://github.com/upx/upx/releases/download/v4.0.2/upx-4.0.2-i386_linux.tar.xz

Signed-off-by: Helge Deller <deller@gmx.de>
Tested-by: "Markus F.X.J. Oberhumer" <markus@oberhumer.com>
Fixes: 86f04735ac ("linux-user: Fix brk() to release pages")
Cc: qemu-stable@nongnu.org
Buglink: https://github.com/upx/upx/issues/683
(cherry picked from commit dfe49864afb06e7e452a4366051697bc4fcfc1a5)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: f90a8b9357e1f0289f6d2975378ee0466f272e45
      https://github.com/qemu/qemu/commit/f90a8b9357e1f0289f6d2975378ee0466f272e45
  Author: Helge Deller <deller@gmx.de>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M linux-user/syscall.c

  Log Message:
  -----------
  linux-user: Fix signed math overflow in brk() syscall

Fix the math overflow when calculating the new_malloc_size.

new_host_brk_page and brk_page are unsigned integers. If userspace
reduces the heap, new_host_brk_page is lower than brk_page which results
in a huge positive number (but should actually be negative).

Fix it by adding a proper check and as such make the code more readable.

Signed-off-by: Helge Deller <deller@gmx.de>
Tested-by: "Markus F.X.J. Oberhumer" <markus@oberhumer.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Fixes: 86f04735ac ("linux-user: Fix brk() to release pages")
Cc: qemu-stable@nongnu.org
Buglink: https://github.com/upx/upx/issues/683
(cherry picked from commit eac78a4b0b7da4de2c0a297f4d528ca9cc6256a3)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
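Added example (not QEMU's code, and not from any of the brk() commits above): a C model of the guest-heap bookkeeping that the four linux-user brk() commits in this batch describe ("Make sure initial brk(0) is page-aligned", "Fix qemu brk() to not zero bytes on current page", "Prohibit brk() to shrink below initial heap address", "Fix signed math overflow in brk() syscall"). The struct, field names, HEAP_BASE and the 16-page window are this example's own assumptions; the backing array stands in for mapped pages. emu_brk() hands out a page-aligned initial break, refuses to shrink below it, computes the growth size only on the growth branch so the unsigned subtraction cannot wrap, and never zeroes bytes on the page that still holds the break.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GUEST_PAGE          4096u
#define GUEST_PAGE_ALIGN(a) (((a) + GUEST_PAGE - 1) & ~(uintptr_t)(GUEST_PAGE - 1))
#define HEAP_BASE           0x10000000u  /* constructed guest address of the heap window */
#define HEAP_PAGES          16u          /* constructed: the window holds 16 guest pages */

/* Constructed model of the emulator's heap bookkeeping; the field names
 * are this example's own, not QEMU's. */
struct heap {
    uintptr_t initial_brk;   /* page-aligned break handed out at load time */
    uintptr_t target_brk;    /* break currently reported to the guest */
    uintptr_t mapped_end;    /* page-aligned end of the pages backing the heap */
    uint8_t   mem[HEAP_PAGES * GUEST_PAGE]; /* stand-in for the mapped pages */
};

/* Byte view of a guest address that lies inside the modelled window. */
static uint8_t *heap_ptr(struct heap *h, uintptr_t addr)
{
    return &h->mem[addr - HEAP_BASE];
}

/* Load-time setup: the first brk(0) answer is the page-aligned end of data. */
void heap_init(struct heap *h, uintptr_t data_end)
{
    h->initial_brk = GUEST_PAGE_ALIGN(data_end);
    h->target_brk  = h->initial_brk;
    h->mapped_end  = h->initial_brk;
    memset(h->mem, 0, sizeof h->mem);
}

/* Emulated brk(): returns the new break on success and the unchanged break
 * on refusal, which is how brk(2) reports failure to its callers. */
uintptr_t emu_brk(struct heap *h, uintptr_t new_brk)
{
    const uintptr_t limit = HEAP_BASE + HEAP_PAGES * GUEST_PAGE;

    if (new_brk == 0) {
        return h->target_brk;              /* brk(0): query only */
    }
    if (new_brk < h->initial_brk) {
        return h->target_brk;              /* never shrink below the initial break */
    }
    uintptr_t new_end = GUEST_PAGE_ALIGN(new_brk);
    if (new_end > limit) {
        return h->target_brk;              /* no room: leave the break alone */
    }
    if (new_end > h->mapped_end) {
        /* Growth only: the subtraction happens on this branch alone, so an
         * unsigned wrap on shrink is impossible by construction. */
        size_t grow = new_end - h->mapped_end;
        memset(heap_ptr(h, h->mapped_end), 0, grow);   /* fresh pages are zero */
        h->mapped_end = new_end;
    } else if (new_end < h->mapped_end) {
        /* Shrink: drop whole pages above new_end. Bytes on the page that
         * still holds the break stay exactly as the guest wrote them. */
        h->mapped_end = new_end;
    }
    h->target_brk = new_brk;
    return new_brk;
}

static struct heap g_heap;   /* one instance for the stand-alone walk-through */

/* Walks the behaviours in order; returns 0, or the number of the check
 * that failed. */
int brk_self_check(void)
{
    struct heap *h = &g_heap;
    heap_init(h, HEAP_BASE + 100);

    if (emu_brk(h, 0) != HEAP_BASE + GUEST_PAGE) return 1;             /* initial brk(0) is aligned */
    if (emu_brk(h, HEAP_BASE + 16) != HEAP_BASE + GUEST_PAGE) return 2; /* shrink below initial refused */

    uintptr_t b = emu_brk(h, HEAP_BASE + GUEST_PAGE + 100);            /* grow into a fresh page */
    if (b != HEAP_BASE + GUEST_PAGE + 100) return 3;

    *heap_ptr(h, b + 8) = 0xAB;                   /* a sloppy app writes just past its break, same page */
    if (emu_brk(h, b + 200) != b + 200) return 4; /* grow within the page */
    if (*heap_ptr(h, b + 8) != 0xAB) return 5;    /* the byte must survive */

    if (emu_brk(h, b + 3 * GUEST_PAGE) != b + 3 * GUEST_PAGE) return 6; /* grow across pages */
    if (emu_brk(h, b + 200) != b + 200) return 7;    /* shrink: no wrapped "growth" size */
    if (h->mapped_end != HEAP_BASE + 2 * GUEST_PAGE) return 8;
    if (*heap_ptr(h, b + 8) != 0xAB) return 9;       /* still untouched after the shrink */
    return 0;
}

int main(void)
{
    printf("brk model self-check: %d (0 = all behaviours as described)\n", brk_self_check());
    return 0;
}
```

The model uses one page size for guest and host; the extra zeroing the second commit does where the host page is larger than the guest page is deliberately not modelled here.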


  Commit: feb0814b3b48e75b336ad72eb303f9d579c94083
      https://github.com/qemu/qemu/commit/feb0814b3b48e75b336ad72eb303f9d579c94083
  Author: Denis V. Lunev <den@openvz.org>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M qemu-nbd.c

  Log Message:
  -----------
  qemu-nbd: pass structure into nbd_client_thread instead of plain char*

We are going to pass an additional flag in the next patch.

Signed-off-by: Denis V. Lunev <den@openvz.org>
CC: Eric Blake <eblake@redhat.com>
CC: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
CC: <qemu-stable@nongnu.org>
Message-ID: <20230717145544.194786-2-den@openvz.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 03b67621445d601c9cdc7dfe25812e9f19b81488)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: bdfecfbc1d59bc9a0c2cc5c82690c8939520c8a2
      https://github.com/qemu/qemu/commit/bdfecfbc1d59bc9a0c2cc5c82690c8939520c8a2
  Author: Denis V. Lunev <den@openvz.org>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M qemu-nbd.c

  Log Message:
  -----------
  qemu-nbd: fix regression with qemu-nbd --fork run over ssh

Commit e6df58a5578fee7a50bbf36f4a50a2781cff855d
    Author: Hanna Reitz <hreitz@redhat.com>
    Date:   Wed May 8 23:18:18 2019 +0200
    qemu-nbd: Do not close stderr

has introduced an interesting regression. Original behavior of
    ssh somehost qemu-nbd /home/den/tmp/file -f raw --fork
was the following:
 * qemu-nbd was started as a daemon
 * the command execution is done and ssh exited with success

The patch has changed this behavior and 'ssh' command now hangs forever.

According to the normal specification of the daemon() call, we should
end up with STDERR pointing to /dev/null. That should be done at the
very end of the successful startup sequence when the pipe to the
bootstrap process (used for diagnostics) is no longer needed.

This could be achieved in the same way as done for the 'qemu-nbd -c' case.
That was commit 0eaf453e, also fixing up e6df58a5. STDOUT copying to
STDERR does the trick.

This also leads to proper 'ssh' connection closing which fixes my
original problem.

Signed-off-by: Denis V. Lunev <den@openvz.org>
CC: Eric Blake <eblake@redhat.com>
CC: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
CC: Hanna Reitz <hreitz@redhat.com>
CC: <qemu-stable@nongnu.org>
Message-ID: <20230717145544.194786-3-den@openvz.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 5c56dd27a2c905c9cf2472d2fd057621ce5fd00d)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 5a61789df8accdfb715ed081ccb114f4776492c9
      https://github.com/qemu/qemu/commit/5a61789df8accdfb715ed081ccb114f4776492c9
  Author: Denis V. Lunev <den@openvz.org>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M qemu-nbd.c

  Log Message:
  -----------
  qemu-nbd: regression with arguments passing into nbd_client_thread()

Unfortunately
    commit 03b67621445d601c9cdc7dfe25812e9f19b81488
    (8.0:  feb0814b3b48e75b336ad72eb303f9d579c94083)
    Author: Denis V. Lunev <den@openvz.org>
    Date:   Mon Jul 17 16:55:40 2023 +0200
    qemu-nbd: pass structure into nbd_client_thread instead of plain char*
has introduced a regression. struct NbdClientOpts resides on the stack inside
an 'if' block. This specifically means that this stack space could be reused
once execution leaves that block of code.

This means that the parameters passed into nbd_client_thread could be
overwritten at any moment.

The patch moves the data to the namespace of the main() function, effectively
preserving it for the whole process lifetime.

Signed-off-by: Denis V. Lunev <den@openvz.org>
CC: Eric Blake <eblake@redhat.com>
CC: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
CC: <qemu-stable@nongnu.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-ID: <20230727105828.324314-1-den@openvz.org>
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit e5b815b0defcc3617f473ba70c3e675ef0ee69c2)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: add reference to feb0814b3b48e75b336ad72eb303f9d579c94083 for 8.0 branch)


  Commit: 59a728a031abaf8a069e91484d6d1b0f18b41f72
      https://github.com/qemu/qemu/commit/59a728a031abaf8a069e91484d6d1b0f18b41f72
  Author: Jordan Niethe <jniethe5@gmail.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M tcg/ppc/tcg-target.c.inc

  Log Message:
  -----------
  tcg/ppc: Fix race in goto_tb implementation

Commit 20b6643324 ("tcg/ppc: Reorg goto_tb implementation") modified
goto_tb to ensure only a single instruction was patched to prevent
incorrect behavior if a thread was in the middle of multiple
instructions when they were replaced. However this introduced a race
between loading the jmp target into TCG_REG_TB and patching and
executing the direct branch.

The relevant part of the goto_tb implementation:

    ld TCG_REG_TB, TARGET_ADDR_LOCATION(TCG_REG_TB)
  patch_location:
    mtctr TCG_REG_TB
    bctr

tb_target_set_jmp_target() will replace 'patch_location' with a direct
branch if the target is in range. The direct branch now relies on
TCG_REG_TB being set up correctly by the ld. Prior to this commit
multiple instructions were patched in for the direct branch case; these
instructions would initialize TCG_REG_TB to the same value as the branch
target.

Imagine the following sequence:

1) Thread A is executing the goto_tb sequence and loads the jmp
   target into TCG_REG_TB.

2) Thread B updates the jmp target address and calls
   tb_target_set_jmp_target(). This patches a new direct branch into the
   goto_tb sequence.

3) Thread A executes the newly patched direct branch. The value in
   TCG_REG_TB still contains the old jmp target.

TCG_REG_TB MUST contain the translation block's tc.ptr. Execution will
eventually crash after performing memory accesses generated from a
faulty value in TCG_REG_TB.

This presents as segfaults or illegal instruction exceptions.

Do not revert commit 20b6643324 as it did fix a different race
condition. Instead remove the direct branch optimization and always use
indirect branches.

The direct branch optimization can be re-added later with a race free
sequence.

Fixes: 20b6643324 ("tcg/ppc: Reorg goto_tb implementation")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1726
Reported-by: Anushree Mathur <anushree.mathur@linux.vnet.ibm.com>
Tested-by: Anushree Mathur <anushree.mathur@linux.vnet.ibm.com>
Tested-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Co-developed-by: Benjamin Gray <bgray@linux.ibm.com>
Signed-off-by: Jordan Niethe <jniethe5@gmail.com>
Signed-off-by: Benjamin Gray <bgray@linux.ibm.com>
Message-Id: <20230717093001.13167-1-jniethe5@gmail.com>
(cherry picked from commit 736a1588c104e9995c1831df33554df1f1def8b8)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 6f7c39a912a601f40681426b16f772db3697e2d1
      https://github.com/qemu/qemu/commit/6f7c39a912a601f40681426b16f772db3697e2d1
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M tcg/i386/tcg-target-con-set.h
    M tcg/i386/tcg-target.c.inc
    M tcg/s390x/tcg-target-con-set.h
    M tcg/s390x/tcg-target.c.inc
    M tcg/tcg.c

  Log Message:
  -----------
  tcg/{i386, s390x}: Add earlyclobber to the op_add2's first output

i386 and s390x implementations of op_add2 require an earlyclobber,
which is currently missing. This breaks VCKSM in s390x guests. E.g., on
x86_64 the following op:

    add2_i32 tmp2,tmp3,tmp2,tmp3,tmp3,tmp2   dead: 0 2 3 4 5  pref=none,0xffff

is translated to:

    addl     %ebx, %r12d
    adcl     %r12d, %ebx

Introduce a new C_N1_O1_I4 constraint, and make sure that earlyclobber
of aliased outputs is honored.

Cc: qemu-stable@nongnu.org
Fixes: 82790a870992 ("tcg: Add markup for output requires new register")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230719221310.1968845-7-iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 22d2e5351a18aff5a9c7e3984b50ecce61ff8975)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: bdbf5e10166ea9f9955d5118a44a8498ebc603bb
      https://github.com/qemu/qemu/commit/bdbf5e10166ea9f9955d5118a44a8498ebc603bb
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M target/s390x/tcg/insn-data.h.inc
    M target/s390x/tcg/translate.c

  Log Message:
  -----------
  target/s390x: Make CKSM raise an exception if R2 is odd

R2 designates an even-odd register pair; the instruction should raise
a specification exception when R2 is not even.

Cc: qemu-stable@nongnu.org
Fixes: e023e832d0ac ("s390x: translate engine for s390x CPU")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20230724082032.66864-2-iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 761b0aa9381e2f755b9b594f7f3033d564561751)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 6bd56e0f82fbba142ec8572e44a4ea78a6c661c9
      https://github.com/qemu/qemu/commit/6bd56e0f82fbba142ec8572e44a4ea78a6c661c9
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M target/s390x/tcg/mem_helper.c

  Log Message:
  -----------
  target/s390x: Fix CLM with M3=0

When the mask is zero, access exceptions should still be recognized for
1 byte at the second-operand address. CC should be set to 0.

Cc: qemu-stable@nongnu.org
Fixes: defb0e3157af ("s390x: Implement opcode helpers")
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20230724082032.66864-3-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 4b6e4c0b8223681ae85462794848db4386de1a8d)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: e5e8a8606425d58c67f2deddc0d78a530e713ce6
      https://github.com/qemu/qemu/commit/e5e8a8606425d58c67f2deddc0d78a530e713ce6
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M target/s390x/tcg/fpu_helper.c

  Log Message:
  -----------
  target/s390x: Fix CONVERT TO LOGICAL/FIXED with out-of-range inputs

CONVERT TO LOGICAL/FIXED deviate from IEEE 754 in that they raise an
inexact exception on out-of-range inputs. float_flag_invalid_cvti
aligns nicely with that behavior, so convert it to
S390_IEEE_MASK_INEXACT.

Cc: qemu-stable@nongnu.org
Fixes: defb0e3157af ("s390x: Implement opcode helpers")
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20230724082032.66864-4-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 53684e344a27da770acc9012740334154ddea24f)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 76507abbe1dbdce7a3ecd7a7b19418b38ce6666c
      https://github.com/qemu/qemu/commit/76507abbe1dbdce7a3ecd7a7b19418b38ce6666c
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M target/s390x/tcg/translate.c

  Log Message:
  -----------
  target/s390x: Fix ICM with M3=0

When the mask is zero, access exceptions should still be recognized for
1 byte at the second-operand address. CC should be set to 0.

Cc: qemu-stable@nongnu.org
Fixes: e023e832d0ac ("s390x: translate engine for s390x CPU")
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20230724082032.66864-5-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit a2025557ed4d8d5e6a4d0dd681717c390f51f5be)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: c5498fdda0a5ff333f90ea6162ab39f2853bacf8
      https://github.com/qemu/qemu/commit/c5498fdda0a5ff333f90ea6162ab39f2853bacf8
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M target/s390x/tcg/excp_helper.c
    M target/s390x/tcg/translate.c

  Log Message:
  -----------
  target/s390x: Make MC raise specification exception when class >= 16

MC requires bit positions 8-11 (upper 4 bits of class) to be zeros,
otherwise it must raise a specification exception.

Cc: qemu-stable@nongnu.org
Fixes: 20d143e2cab8 ("s390x/tcg: Implement MONITOR CALL")
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20230724082032.66864-6-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 9c028c057adce49304c6e4a51f6b426bd4f8f6b8)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: c8b714f0479810caa1c3bf42c37eb9d7f922b94f
      https://github.com/qemu/qemu/commit/c8b714f0479810caa1c3bf42c37eb9d7f922b94f
  Author: Ilya Leoshkevich <iii@linux.ibm.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M target/s390x/tcg/translate_vx.c.inc

  Log Message:
  -----------
  target/s390x: Fix assertion failure in VFMIN/VFMAX with type 13

Type 13 is reserved, so using it should result in a specification
exception. Due to an off-by-1 error the code triggers an assertion at a
later point in time instead.

Cc: qemu-stable@nongnu.org
Fixes: da4807527f3b ("s390x/tcg: Implement VECTOR FP (MAXIMUM|MINIMUM)")
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20230724082032.66864-8-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit ff537b0370ab5918052b8d8a798e803c47272406)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 0827053612d51d43c94f517927918601599e546e
      https://github.com/qemu/qemu/commit/0827053612d51d43c94f517927918601599e546e
  Author: Thomas Huth <thuth@redhat.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M target/loongarch/cpu.h
    M target/loongarch/csr_helper.c
    M target/loongarch/helper.h
    M target/loongarch/insn_trans/trans_privileged.c.inc

  Log Message:
  -----------
  target/loongarch: Fix the CSRRD CPUID instruction on big endian hosts

The test in tests/avocado/machine_loongarch.py is currently failing
on big endian hosts like s390x. By comparing the traces between running
the QEMU_EFI.fd bios on an s390x and on an x86 host, it's quickly obvious
that the CSRRD instruction for the CPUID is behaving differently. And
indeed: the code currently does a long read (i.e. 64 bit) from the
address that points to the CPUState->cpu_index field (with tcg_gen_ld_tl()
in the trans_csrrd() function). But this cpu_index field is only an "int"
(i.e. 32 bit). While this dirty pointer magic works on little endian hosts,
it of course fails on big endian hosts. Fix it by using a proper helper
function instead.

Message-Id: <20230720175307.854460-1-thuth@redhat.com>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit c34ad459926f6c600a55fe6782a27edfa405d60b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 5f3fe5657d820bd4b1055eface0d9805ec6005e6
      https://github.com/qemu/qemu/commit/5f3fe5657d820bd4b1055eface0d9805ec6005e6
  Author: Viktor Prutyanov <viktor@daynix.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M hw/virtio/virtio-pci.c
    M include/hw/virtio/virtio.h

  Log Message:
  -----------
  virtio-pci: add handling of PCI ATS and Device-TLB enable/disable

According to PCIe Address Translation Services specification 5.1.3.,
the ATS Control Register has an Enable bit to enable/disable ATS. The guest
may enable/disable PCI ATS and, accordingly, Device-TLB for the VirtIO PCI
device. So, raise/lower a flag and call a trigger function to pass this
event to a device implementation.

Signed-off-by: Viktor Prutyanov <viktor@daynix.com>
Message-Id: <20230512135122.70403-2-viktor@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 206e91d143301414df2deb48a411e402414ba6db)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 8eed78e2bff8151f92c4e715a5f9674de56cdf06
      https://github.com/qemu/qemu/commit/8eed78e2bff8151f92c4e715a5f9674de56cdf06
  Author: Viktor Prutyanov <viktor@daynix.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M hw/virtio/vhost-stub.c
    M hw/virtio/vhost.c
    M include/hw/virtio/vhost.h

  Log Message:
  -----------
  vhost: register and change IOMMU flag depending on Device-TLB state

The guest can disable or never enable Device-TLB. In these cases,
it can't be used even if enabled in QEMU. So, check Device-TLB state
before registering IOMMU notifier and select unmap flag depending on
that. Also, implement a way to change IOMMU notifier flag if Device-TLB
state is changed.

Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2001312
Signed-off-by: Viktor Prutyanov <viktor@daynix.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20230626091258.24453-2-viktor@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit ee071f67f7a103c66f85f68ffe083712929122e3)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 123b4291f90bd1945b632e73bed1b1b7943f9ae1
      https://github.com/qemu/qemu/commit/123b4291f90bd1945b632e73bed1b1b7943f9ae1
  Author: Viktor Prutyanov <viktor@daynix.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M hw/net/virtio-net.c

  Log Message:
  -----------
  virtio-net: pass Device-TLB enable/disable events to vhost

If vhost is enabled for virtio-net, Device-TLB enable/disable events
must be passed to vhost for proper IOMMU unmap flag selection.

Signed-off-by: Viktor Prutyanov <viktor@daynix.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20230626091258.24453-3-viktor@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit cd9b8346884353ba9ae6560b44b7cccdf00a6633)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 220869aae1d215a73f74fca657f6b2102d08ea37
      https://github.com/qemu/qemu/commit/220869aae1d215a73f74fca657f6b2102d08ea37
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M hw/arm/smmu-common.c
    M hw/arm/smmuv3.c

  Log Message:
  -----------
  hw/arm/smmu: Handle big-endian hosts correctly

The implementation of the SMMUv3 has multiple places where it reads a
data structure from the guest and directly operates on it without
doing a guest-to-host endianness conversion.  Since all SMMU data
structures are little-endian, this means that the SMMU doesn't work
on a big-endian host.  In particular, this causes the Avocado test
  machine_aarch64_virt.py:Aarch64VirtMachine.test_alpine_virt_tcg_gic_max
to fail on an s390x host.

Add appropriate byte-swapping on reads and writes of guest in-memory
data structures so that the device works correctly on big-endian
hosts.

As part of this we constrain queue_read() to operate only on Cmd
structs and queue_write() on Evt structs, because in practice these
are the only data structures the two functions are used with, and we
need to know what the data structure is to be able to byte-swap its
parts correctly.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20230717132641.764660-1-peter.maydell@linaro.org
Cc: qemu-stable@nongnu.org
(cherry picked from commit c6445544d4cea2628fbad3bad09f3d3a03c749d3)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
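The two big-endian-host fixes in this batch, the LoongArch CSRRD CPUID one above and this SMMU one, are the two classic shapes of the same mistake: a load that is wider than the field it targets, and a guest-defined little-endian structure that is decoded in host byte order. The C program below, added here as an illustration and not code from either commit or from QEMU, simulates both on a byte buffer whose byte order can be chosen, so the failure can be reproduced on any host. The 8-byte memory image (a 32-bit cpu_index followed by an arbitrary neighbouring field), the sample guest word and the function names are constructed for the demonstration; the load/store helpers stand in for the host's native accesses, and the fixed SMMU reader does what a le32_to_cpu-style conversion does.

```c
#include <stdbool.h>
#include <stdint.h>

/* Write a 32-bit value into a byte buffer in the chosen byte order. */
static void store32(uint8_t *p, uint32_t v, bool big_endian)
{
    for (int i = 0; i < 4; i++) {
        int shift = big_endian ? 8 * (3 - i) : 8 * i;
        p[i] = (uint8_t)(v >> shift);
    }
}

/* Read 32 or 64 bits the way a host of the given byte order does. */
static uint32_t load32(const uint8_t *p, bool big_endian)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        int shift = big_endian ? 8 * (3 - i) : 8 * i;
        v |= (uint32_t)p[i] << shift;
    }
    return v;
}

static uint64_t load64(const uint8_t *p, bool big_endian)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) {
        int shift = big_endian ? 8 * (7 - i) : 8 * i;
        v |= (uint64_t)p[i] << shift;
    }
    return v;
}

/*
 * Pattern 1 (CSRRD CPUID): a 64-bit load from the address of a 32-bit
 * field.  'cpu_index' is the int field; 'next' stands for whatever the
 * host compiler laid out right after it (constructed layout).
 */
uint64_t cpuid_wide_read(int32_t cpu_index, int32_t next, bool host_big_endian)
{
    uint8_t mem[8];
    store32(mem, (uint32_t)cpu_index, host_big_endian);
    store32(mem + 4, (uint32_t)next, host_big_endian);
    return load64(mem, host_big_endian);   /* width mismatch: reads 8 bytes */
}

/* The fix: a helper that reads the field at its own width. */
uint64_t cpuid_helper_read(int32_t cpu_index, int32_t next, bool host_big_endian)
{
    uint8_t mem[8];
    store32(mem, (uint32_t)cpu_index, host_big_endian);
    store32(mem + 4, (uint32_t)next, host_big_endian);
    return load32(mem, host_big_endian);   /* exactly the 4 bytes of the int */
}

/* Constructed sample: the little-endian guest encoding of 0x12345678. */
const uint8_t SAMPLE_LE_WORD[4] = { 0x78, 0x56, 0x34, 0x12 };

/*
 * Pattern 2 (SMMU): the guest structure is defined as little-endian, but
 * the device model reads it with host byte order.
 */
uint32_t smmu_field_naive(const uint8_t guest_mem[4], bool host_big_endian)
{
    return load32(guest_mem, host_big_endian);   /* no guest-to-host swap */
}

/* The fix: always decode the field as little-endian, whatever the host. */
uint32_t smmu_field_fixed(const uint8_t guest_mem[4])
{
    return load32(guest_mem, false);
}
```

On a little-endian host the wide read returns the right low word (with the neighbouring field leaking into the high word), which is why the CPUID bug stayed hidden there; on a big-endian host the same read returns cpu_index shifted up by 32 bits. The SMMU case is the mirror image: the naive read is right on little-endian hosts only, while the fixed reader gives the same answer on both.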


  Commit: 2bff614256f9049c9b731fe38c2f5169daf2825f
      https://github.com/qemu/qemu/commit/2bff614256f9049c9b731fe38c2f5169daf2825f
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    M target/arm/debug_helper.c

  Log Message:
  -----------
  target/arm: Special case M-profile in debug_helper.c code

A lot of the code called from helper_exception_bkpt_insn() is written
assuming A-profile, but we will also call this helper on M-profile
CPUs when they execute a BKPT insn.  This used to work by accident,
but recent changes mean that we will hit an assert when some of this
code calls down into lower level functions that end up calling
arm_security_space_below_el3(), arm_el_is_aa64(), and other functions
that now explicitly assert that the guest CPU is not M-profile.

Handle M-profile directly to avoid the assertions:
 * in arm_debug_target_el(), M-profile debug exceptions always
   go to EL1
 * in arm_debug_exception_fsr(), M-profile always uses the short
   format FSR (compare commit d7fe699be54b2, though in this case
   the code in arm_v7m_cpu_do_interrupt() does not need to
   look at the FSR value at all)

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1775
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230721143239.1753066-1-peter.maydell@linaro.org
(cherry picked from commit 5d78893f39caf94c8587141e2219b57a7d63dd5c)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


Compare: https://github.com/qemu/qemu/compare/cdcbc5327279...2bff614256f9


