[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] 2b6a75: hw/ide/piix: properly initialize the
|
From: |
Alex Bennée |
|
Subject: |
[Qemu-commits] [qemu/qemu] 2b6a75: hw/ide/piix: properly initialize the BMIBA register |
|
Date: |
Mon, 07 Aug 2023 06:28:22 -0700 |
Branch: refs/heads/stable-7.2
Home: https://github.com/qemu/qemu
Commit: 2b6a75b78e5f6ec89a640a29379c749ca2651610
https://github.com/qemu/qemu/commit/2b6a75b78e5f6ec89a640a29379c749ca2651610
Author: Olaf Hering <olaf@aepfle.de>
Date: 2023-07-15 (Sat, 15 Jul 2023)
Changed paths:
M hw/ide/piix.c
Log Message:
-----------
hw/ide/piix: properly initialize the BMIBA register
According to the 82371FB documentation (82371FB.pdf, 2.3.9. BMIBA-BUS
MASTER INTERFACE BASE ADDRESS REGISTER, April 1997), the register is
32bit wide. To properly reset it to default values, all 32bit need to be
cleared. Bit #0 "Resource Type Indicator (RTE)" needs to be enabled.
The initial change wrote just the lower 8 bit, leaving parts of the "Bus
Master Interface Base Address" address at bit 15:4 unchanged.
Fixes: e6a71ae327 ("Add support for 82371FB (Step A1) and Improved support for
82371SB (Function 1)")
Signed-off-by: Olaf Hering <olaf@aepfle.de>
Reviewed-by: Bernhard Beschow <shentey@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20230712074721.14728-1-olaf@aepfle.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 230dfd9257e92259876c113e58b5f0d22b056d2e)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 8f8a8f20f48e0710d040112ad667b3297b1cd6d5
https://github.com/qemu/qemu/commit/8f8a8f20f48e0710d040112ad667b3297b1cd6d5
Author: Mauro Matteo Cascella <mcascell@redhat.com>
Date: 2023-07-18 (Tue, 18 Jul 2023)
Changed paths:
M ui/vnc-clipboard.c
Log Message:
-----------
ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
A wrong exit condition may lead to an infinite loop when inflating a
valid zlib buffer containing some extra bytes in the `inflate_buffer`
function. The bug only occurs post-authentication. Return the buffer
immediately if the end of the compressed data has been reached
(Z_STREAM_END).
Fixes: CVE-2023-3255
Fixes: 0bf41cab ("ui/vnc: clipboard support")
Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20230704084210.101822-1-mcascell@redhat.com>
(cherry picked from commit d921fea338c1059a27ce7b75309d7a2e485f710b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 6e216d21b56a7545a05080a370b5ca7491fecfb3
https://github.com/qemu/qemu/commit/6e216d21b56a7545a05080a370b5ca7491fecfb3
Author: Denis V. Lunev <den@openvz.org>
Date: 2023-07-25 (Tue, 25 Jul 2023)
Changed paths:
M qemu-nbd.c
Log Message:
-----------
qemu-nbd: pass structure into nbd_client_thread instead of plain char*
We are going to pass additional flag inside next patch.
Signed-off-by: Denis V. Lunev <den@openvz.org>
CC: Eric Blake <eblake@redhat.com>
CC: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
CC: <qemu-stable@nongnu.org>
Message-ID: <20230717145544.194786-2-den@openvz.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 03b67621445d601c9cdc7dfe25812e9f19b81488)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 742612345a1e6ac8b3408ee1cd1d77bc07e74180
https://github.com/qemu/qemu/commit/742612345a1e6ac8b3408ee1cd1d77bc07e74180
Author: Denis V. Lunev <den@openvz.org>
Date: 2023-07-25 (Tue, 25 Jul 2023)
Changed paths:
M qemu-nbd.c
Log Message:
-----------
qemu-nbd: fix regression with qemu-nbd --fork run over ssh
Commit e6df58a5578fee7a50bbf36f4a50a2781cff855d
Author: Hanna Reitz <hreitz@redhat.com>
Date: Wed May 8 23:18:18 2019 +0200
qemu-nbd: Do not close stderr
has introduced an interesting regression. Original behavior of
ssh somehost qemu-nbd /home/den/tmp/file -f raw --fork
was the following:
* qemu-nbd was started as a daemon
* the command execution is done and ssh exited with success
The patch has changed this behavior and 'ssh' command now hangs forever.
According to the normal specification of the daemon() call, we should
endup with STDERR pointing to /dev/null. That should be done at the
very end of the successful startup sequence when the pipe to the
bootstrap process (used for diagnostics) is no longer needed.
This could be achived in the same way as done for 'qemu-nbd -c' case.
That was commit 0eaf453e, also fixing up e6df58a5. STDOUT copying to
STDERR does the trick.
This also leads to proper 'ssh' connection closing which fixes my
original problem.
Signed-off-by: Denis V. Lunev <den@openvz.org>
CC: Eric Blake <eblake@redhat.com>
CC: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
CC: Hanna Reitz <hreitz@redhat.com>
CC: <qemu-stable@nongnu.org>
Message-ID: <20230717145544.194786-3-den@openvz.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 5c56dd27a2c905c9cf2472d2fd057621ce5fd00d)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 3b80317c91b66b52b855b380d2d996701becfbde
https://github.com/qemu/qemu/commit/3b80317c91b66b52b855b380d2d996701becfbde
Author: Denis V. Lunev <den@openvz.org>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
M qemu-nbd.c
Log Message:
-----------
qemu-nbd: regression with arguments passing into nbd_client_thread()
Unfortunately
commit 03b67621445d601c9cdc7dfe25812e9f19b81488
(7.2: 6e216d21b56a7545a05080a370b5ca7491fecfb3)
Author: Denis V. Lunev <den@openvz.org>
Date: Mon Jul 17 16:55:40 2023 +0200
qemu-nbd: pass structure into nbd_client_thread instead of plain char*
has introduced a regression. struct NbdClientOpts resides on stack inside
'if' block. This specifically means that this stack space could be reused
once the execution will leave that block of the code.
This means that parameters passed into nbd_client_thread could be
overwritten at any moment.
The patch moves the data to the namespace of main() function effectively
preserving it for the whole process lifetime.
Signed-off-by: Denis V. Lunev <den@openvz.org>
CC: Eric Blake <eblake@redhat.com>
CC: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
CC: <qemu-stable@nongnu.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-ID: <20230727105828.324314-1-den@openvz.org>
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit e5b815b0defcc3617f473ba70c3e675ef0ee69c2)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: add reference to 6e216d21b56a7545a05080a370b5ca7491fecfb3 for 7.2 branch)
Commit: 772caa5f231fc056e7337c185b6a53b7005d759c
https://github.com/qemu/qemu/commit/772caa5f231fc056e7337c185b6a53b7005d759c
Author: Ilya Leoshkevich <iii@linux.ibm.com>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
M target/s390x/tcg/insn-data.h.inc
M target/s390x/tcg/translate.c
Log Message:
-----------
target/s390x: Make CKSM raise an exception if R2 is odd
R2 designates an even-odd register pair; the instruction should raise
a specification exception when R2 is not even.
Cc: qemu-stable@nongnu.org
Fixes: e023e832d0ac ("s390x: translate engine for s390x CPU")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20230724082032.66864-2-iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 761b0aa9381e2f755b9b594f7f3033d564561751)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 34009bfd68141d90399aa0a4e9f9081a264d28e3
https://github.com/qemu/qemu/commit/34009bfd68141d90399aa0a4e9f9081a264d28e3
Author: Ilya Leoshkevich <iii@linux.ibm.com>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
M target/s390x/tcg/mem_helper.c
Log Message:
-----------
target/s390x: Fix CLM with M3=0
When the mask is zero, access exceptions should still be recognized for
1 byte at the second-operand address. CC should be set to 0.
Cc: qemu-stable@nongnu.org
Fixes: defb0e3157af ("s390x: Implement opcode helpers")
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20230724082032.66864-3-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 4b6e4c0b8223681ae85462794848db4386de1a8d)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 7cf33584512a1a77cc410c121d9555685296491c
https://github.com/qemu/qemu/commit/7cf33584512a1a77cc410c121d9555685296491c
Author: Ilya Leoshkevich <iii@linux.ibm.com>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
M target/s390x/tcg/fpu_helper.c
Log Message:
-----------
target/s390x: Fix CONVERT TO LOGICAL/FIXED with out-of-range inputs
CONVERT TO LOGICAL/FIXED deviate from IEEE 754 in that they raise an
inexact exception on out-of-range inputs. float_flag_invalid_cvti
aligns nicely with that behavior, so convert it to
S390_IEEE_MASK_INEXACT.
Cc: qemu-stable@nongnu.org
Fixes: defb0e3157af ("s390x: Implement opcode helpers")
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20230724082032.66864-4-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 53684e344a27da770acc9012740334154ddea24f)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 0ef0b83104e0264122ea13eb46f1b9fe061d7361
https://github.com/qemu/qemu/commit/0ef0b83104e0264122ea13eb46f1b9fe061d7361
Author: Ilya Leoshkevich <iii@linux.ibm.com>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
M target/s390x/tcg/translate.c
Log Message:
-----------
target/s390x: Fix ICM with M3=0
When the mask is zero, access exceptions should still be recognized for
1 byte at the second-operand address. CC should be set to 0.
Cc: qemu-stable@nongnu.org
Fixes: e023e832d0ac ("s390x: translate engine for s390x CPU")
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20230724082032.66864-5-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit a2025557ed4d8d5e6a4d0dd681717c390f51f5be)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: cdd6b6a764dc5a17ab03e9f2cba77f45ac200d5b
https://github.com/qemu/qemu/commit/cdd6b6a764dc5a17ab03e9f2cba77f45ac200d5b
Author: Ilya Leoshkevich <iii@linux.ibm.com>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
M target/s390x/tcg/excp_helper.c
M target/s390x/tcg/translate.c
Log Message:
-----------
target/s390x: Make MC raise specification exception when class >= 16
MC requires bit positions 8-11 (upper 4 bits of class) to be zeros,
otherwise it must raise a specification exception.
Cc: qemu-stable@nongnu.org
Fixes: 20d143e2cab8 ("s390x/tcg: Implement MONITOR CALL")
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20230724082032.66864-6-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 9c028c057adce49304c6e4a51f6b426bd4f8f6b8)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: context edit in target/s390x/tcg/translate.c)
Commit: c1bdd3cdc4636adb150b17f490da5dc5c15689b6
https://github.com/qemu/qemu/commit/c1bdd3cdc4636adb150b17f490da5dc5c15689b6
Author: Ilya Leoshkevich <iii@linux.ibm.com>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
M target/s390x/tcg/translate_vx.c.inc
Log Message:
-----------
target/s390x: Fix assertion failure in VFMIN/VFMAX with type 13
Type 13 is reserved, so using it should result in specification
exception. Due to an off-by-1 error the code triggers an assertion at a
later point in time instead.
Cc: qemu-stable@nongnu.org
Fixes: da4807527f3b ("s390x/tcg: Implement VECTOR FP (MAXIMUM|MINIMUM)")
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20230724082032.66864-8-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit ff537b0370ab5918052b8d8a798e803c47272406)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 0c8e6ac989581666b0fe4e0c8502000194152611
https://github.com/qemu/qemu/commit/0c8e6ac989581666b0fe4e0c8502000194152611
Author: Thomas Huth <thuth@redhat.com>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
M target/loongarch/cpu.h
M target/loongarch/csr_helper.c
M target/loongarch/helper.h
M target/loongarch/insn_trans/trans_privileged.c.inc
Log Message:
-----------
target/loongarch: Fix the CSRRD CPUID instruction on big endian hosts
The test in tests/avocado/machine_loongarch.py is currently failing
on big endian hosts like s390x. By comparing the traces between running
the QEMU_EFI.fd bios on a s390x and on a x86 host, it's quickly obvious
that the CSRRD instruction for the CPUID is behaving differently. And
indeed: The code currently does a long read (i.e. 64 bit) from the
address that points to the CPUState->cpu_index field (with tcg_gen_ld_tl()
in the trans_csrrd() function). But this cpu_index field is only an "int"
(i.e. 32 bit). While this dirty pointer magic works on little endian hosts,
it of course fails on big endian hosts. Fix it by using a proper helper
function instead.
Message-Id: <20230720175307.854460-1-thuth@redhat.com>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit c34ad459926f6c600a55fe6782a27edfa405d60b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 61693479d8ff6fff80b346eb7830a61a9db57634
https://github.com/qemu/qemu/commit/61693479d8ff6fff80b346eb7830a61a9db57634
Author: Viktor Prutyanov <viktor@daynix.com>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
M hw/virtio/virtio-pci.c
M include/hw/virtio/virtio.h
Log Message:
-----------
virtio-pci: add handling of PCI ATS and Device-TLB enable/disable
According to PCIe Address Translation Services specification 5.1.3.,
ATS Control Register has Enable bit to enable/disable ATS. Guest may
enable/disable PCI ATS and, accordingly, Device-TLB for the VirtIO PCI
device. So, raise/lower a flag and call a trigger function to pass this
event to a device implementation.
Signed-off-by: Viktor Prutyanov <viktor@daynix.com>
Message-Id: <20230512135122.70403-2-viktor@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 206e91d143301414df2deb48a411e402414ba6db)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: include/hw/virtio/virtio.h: skip extra struct field added in 8.0)
Commit: 9a541b2143d252a0b96b896e771000f53bcc7c84
https://github.com/qemu/qemu/commit/9a541b2143d252a0b96b896e771000f53bcc7c84
Author: Viktor Prutyanov <viktor@daynix.com>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
M hw/virtio/vhost-stub.c
M hw/virtio/vhost.c
M include/hw/virtio/vhost.h
Log Message:
-----------
vhost: register and change IOMMU flag depending on Device-TLB state
The guest can disable or never enable Device-TLB. In these cases,
it can't be used even if enabled in QEMU. So, check Device-TLB state
before registering IOMMU notifier and select unmap flag depending on
that. Also, implement a way to change IOMMU notifier flag if Device-TLB
state is changed.
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2001312
Signed-off-by: Viktor Prutyanov <viktor@daynix.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20230626091258.24453-2-viktor@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit ee071f67f7a103c66f85f68ffe083712929122e3)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: ec934266fdb21c1791163e5d8ccc1632b667045d
https://github.com/qemu/qemu/commit/ec934266fdb21c1791163e5d8ccc1632b667045d
Author: Viktor Prutyanov <viktor@daynix.com>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
M hw/net/virtio-net.c
Log Message:
-----------
virtio-net: pass Device-TLB enable/disable events to vhost
If vhost is enabled for virtio-net, Device-TLB enable/disable events
must be passed to vhost for proper IOMMU unmap flag selection.
Signed-off-by: Viktor Prutyanov <viktor@daynix.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20230626091258.24453-3-viktor@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit cd9b8346884353ba9ae6560b44b7cccdf00a6633)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 8cce5d060a3e9fb27b1c954a640df5f8c951c576
https://github.com/qemu/qemu/commit/8cce5d060a3e9fb27b1c954a640df5f8c951c576
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
M hw/arm/smmu-common.c
M hw/arm/smmuv3.c
Log Message:
-----------
hw/arm/smmu: Handle big-endian hosts correctly
The implementation of the SMMUv3 has multiple places where it reads a
data structure from the guest and directly operates on it without
doing a guest-to-host endianness conversion. Since all SMMU data
structures are little-endian, this means that the SMMU doesn't work
on a big-endian host. In particular, this causes the Avocado test
machine_aarch64_virt.py:Aarch64VirtMachine.test_alpine_virt_tcg_gic_max
to fail on an s390x host.
Add appropriate byte-swapping on reads and writes of guest in-memory
data structures so that the device works correctly on big-endian
hosts.
As part of this we constrain queue_read() to operate only on Cmd
structs and queue_write() on Evt structs, because in practice these
are the only data structures the two functions are used with, and we
need to know what the data structure is to be able to byte-swap its
parts correctly.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20230717132641.764660-1-peter.maydell@linaro.org
Cc: qemu-stable@nongnu.org
(cherry picked from commit c6445544d4cea2628fbad3bad09f3d3a03c749d3)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 26a49f9f6283083cf6084696ee99914228a3690a
https://github.com/qemu/qemu/commit/26a49f9f6283083cf6084696ee99914228a3690a
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
M target/arm/translate.c
Log Message:
-----------
target/arm: Avoid writing to constant TCGv in trans_CSEL()
In commit 0b188ea05acb5 we changed the implementation of
trans_CSEL() to use tcg_constant_i32(). However, this change
was incorrect, because the implementation of the function
sets up the TCGv_i32 rn and rm to be either zero or else
a TCG temp created in load_reg(), and these TCG temps are
then in both cases written to by the emitted TCG ops.
The result is that we hit a TCG assertion:
qemu-system-arm: ../../tcg/tcg.c:4455: tcg_reg_alloc_mov: Assertion
`!temp_readonly(ots)' failed.
(or on a non-debug build, just produce a garbage result)
Adjust the code so that rn and rm are always writeable
temporaries whether the instruction is using the special
case "0" or a normal register as input.
Cc: qemu-stable@nongnu.org
Fixes: 0b188ea05acb5 ("target/arm: Use tcg_constant in trans_CSEL")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230727103906.2641264-1-peter.maydell@linaro.org
(cherry picked from commit 2b0d656ab6484cae7f174e194215a6d50343ecd2)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: context fixup in target/arm/tcg/translate.c)
Commit: d53d3f07dc488961bb9cb074504efdf890603c96
https://github.com/qemu/qemu/commit/d53d3f07dc488961bb9cb074504efdf890603c96
Author: Richard Henderson <richard.henderson@linaro.org>
Date: 2023-08-01 (Tue, 01 Aug 2023)
Changed paths:
M target/ppc/translate.c
Log Message:
-----------
target/ppc: Disable goto_tb with architectural singlestep
The change to use translator_use_goto_tb went too far, as the
CF_SINGLE_STEP flag managed by the translator only handles
gdb single stepping and not the architectural single stepping
modeled in DisasContext.singlestep_enabled.
Fixes: 6e9cc373ec5 ("target/ppc: Use translator_use_goto_tb")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1795
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 2e718e665706d5fcc3e3501bda26f277f055ed85)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: daa3277175e7fd7ec97d2368a35e9804f1870410
https://github.com/qemu/qemu/commit/daa3277175e7fd7ec97d2368a35e9804f1870410
Author: Helge Deller <deller@gmx.de>
Date: 2023-08-01 (Tue, 01 Aug 2023)
Changed paths:
M linux-user/arm/cpu_loop.c
Log Message:
-----------
linux-user/armeb: Fix __kernel_cmpxchg() for armeb
Commit 7f4f0d9ea870 ("linux-user/arm: Implement __kernel_cmpxchg with host
atomics") switched to use qatomic_cmpxchg() to swap a word with the memory
content, but missed to endianess-swap the oldval and newval values when
emulating an armeb CPU, which expects words to be stored in big endian in
the guest memory.
The bug can be verified with qemu >= v7.0 on any little-endian host, when
starting the armeb binary of the upx program, which just hangs without
this patch.
Cc: qemu-stable@nongnu.org
Signed-off-by: Helge Deller <deller@gmx.de>
Reported-by: "Markus F.X.J. Oberhumer" <markus@oberhumer.com>
Reported-by: John Reiser <jreiser@BitWagon.com>
Closes: https://github.com/upx/upx/issues/687
Message-Id: <ZMQVnqY+F+5sTNFd@p100>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 38dd78c41eaf08b490c9e7ec68fc508bbaa5cb1d)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: b629412e9d2129897126244cdfcc0b0c06df8542
https://github.com/qemu/qemu/commit/b629412e9d2129897126244cdfcc0b0c06df8542
Author: Konstantin Kostiuk <kkostiuk@redhat.com>
Date: 2023-08-02 (Wed, 02 Aug 2023)
Changed paths:
M qga/installer/qemu-ga.wxs
M qga/vss-win32/install.cpp
M qga/vss-win32/qga-vss.def
Log Message:
-----------
qga/win32: Use rundll for VSS installation
The custom action uses cmd.exe to run VSS Service installation
and removal which causes an interactive command shell to spawn.
This shell can be used to execute any commands as a SYSTEM user.
Even if call qemu-ga.exe directly the interactive command shell
will be spawned as qemu-ga.exe is a console application and used
by users from the console as well as a service.
As VSS Service runs from DLL which contains the installer and
uninstaller code, it can be run directly by rundll32.exe without
any interactive command shell.
Add specific entry points for rundll which is just a wrapper
for COMRegister/COMUnregister functions with proper arguments.
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
fixes: CVE-2023-0664 (part 2 of 2)
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
Reported-by: Brian Wiltse <brian.wiltse@live.com>
(cherry picked from commit 07ce178a2b0768eb9e712bb5ad0cf6dc7fcf0158)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: e4aae3f8190948ab75a49f4650630eedbfb28789
https://github.com/qemu/qemu/commit/e4aae3f8190948ab75a49f4650630eedbfb28789
Author: Anthony PERARD <anthony.perard@citrix.com>
Date: 2023-08-02 (Wed, 02 Aug 2023)
Changed paths:
M util/thread-pool.c
Log Message:
-----------
thread-pool: signal "request_cond" while locked
thread_pool_free() might have been called on the `pool`, which would
be a reason for worker_thread() to quit. In this case,
`pool->request_cond` is been destroyed.
If worker_thread() didn't managed to signal `request_cond` before it
been destroyed by thread_pool_free(), we got:
util/qemu-thread-posix.c:198: qemu_cond_signal: Assertion
`cond->initialized' failed.
One backtrace:
__GI___assert_fail (assertion=0x55555614abcb "cond->initialized",
file=0x55555614ab88 "util/qemu-thread-posix.c", line=198,
function=0x55555614ad80 <__PRETTY_FUNCTION__.17104> "qemu_cond_signal")
at assert.c:101
qemu_cond_signal (cond=0x7fffb800db30) at util/qemu-thread-posix.c:198
worker_thread (opaque=0x7fffb800dab0) at util/thread-pool.c:129
qemu_thread_start (args=0x7fffb8000b20) at util/qemu-thread-posix.c:505
start_thread (arg=<optimized out>) at pthread_create.c:486
Reported here:
https://lore.kernel.org/all/ZJwoK50FcnTSfFZ8@MacBook-Air-de-Roger.local/T/#u
To avoid issue, keep lock while sending a signal to `request_cond`.
Fixes: 900fa208f506 ("thread-pool: replace semaphore with condition variable")
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20230714152720.5077-1-anthony.perard@citrix.com>
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
(cherry picked from commit f4f71363fcdb1092ff64d2bba6f9af39570c2f2b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: f120e4742c3783ca296f2e83b6f2feb05b39712d
https://github.com/qemu/qemu/commit/f120e4742c3783ca296f2e83b6f2feb05b39712d
Author: Anthony PERARD <anthony.perard@citrix.com>
Date: 2023-08-02 (Wed, 02 Aug 2023)
Changed paths:
M hw/block/xen-block.c
Log Message:
-----------
xen-block: Avoid leaks on new error path
Commit 189829399070 ("xen-block: Use specific blockdev driver")
introduced a new error path, without taking care of allocated
resources.
So only allocate the qdicts after the error check, and free both
`filename` and `driver` when we are about to return and thus taking
care of both success and error path.
Coverity only spotted the leak of qdicts (*_layer variables).
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Fixes: Coverity CID 1508722, 1398649
Fixes: 189829399070 ("xen-block: Use specific blockdev driver")
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Reviewed-by: Paul Durrant <paul@xen.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20230704171819.42564-1-anthony.perard@citrix.com>
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
(cherry picked from commit aa36243514a777f76c8b8a19b1f8a71f27ec6c78)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 5c6b1b20da7bf55cba27fae15ff7517b887a2e83
https://github.com/qemu/qemu/commit/5c6b1b20da7bf55cba27fae15ff7517b887a2e83
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2023-08-02 (Wed, 02 Aug 2023)
Changed paths:
M include/io/channel-tls.h
M io/channel-tls.c
Log Message:
-----------
io: remove io watch if TLS channel is closed during handshake
The TLS handshake make take some time to complete, during which time an
I/O watch might be registered with the main loop. If the owner of the
I/O channel invokes qio_channel_close() while the handshake is waiting
to continue the I/O watch must be removed. Failing to remove it will
later trigger the completion callback which the owner is not expecting
to receive. In the case of the VNC server, this results in a SEGV as
vnc_disconnect_start() tries to shutdown a client connection that is
already gone / NULL.
CVE-2023-3354
Reported-by: jiangyegen <jiangyegen@huawei.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 10be627d2b5ec2d6b3dce045144aa739eef678b4)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 4d92f848f102c5608faefa196c8b1950e0053a8e
https://github.com/qemu/qemu/commit/4d92f848f102c5608faefa196c8b1950e0053a8e
Author: Keith Packard <keithp@keithp.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M target/nios2/nios2-semi.c
Log Message:
-----------
target/nios2: Pass semihosting arg to exit
Instead of using R_ARG0 (the semihost function number), use R_ARG1
(the provided exit status).
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20230801152245.332749-1-keithp@keithp.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit c11d5bdae79a8edaf00dfcb2e49c064a50c67671)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 93b403343305313f44632e64b18fe07e23a68be5
https://github.com/qemu/qemu/commit/93b403343305313f44632e64b18fe07e23a68be5
Author: Keith Packard <keithp@keithp.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M target/nios2/nios2-semi.c
Log Message:
-----------
target/nios2: Fix semihost lseek offset computation
The arguments for deposit64 are (value, start, length, fieldval); this
appears to have thought they were (value, fieldval, start,
length). Reorder the parameters to match the actual function.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Fixes: d1e23cbaa403b2d ("target/nios2: Use semihosting/syscalls.h")
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20230731235245.295513-1-keithp@keithp.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit 71e2dd6aa1bdbac19c661638a4ae91816002ac9e)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 5bbd0924955720947c9867d9f78a5d3c85e241c7
https://github.com/qemu/qemu/commit/5bbd0924955720947c9867d9f78a5d3c85e241c7
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M target/m68k/m68k-semi.c
Log Message:
-----------
target/m68k: Fix semihost lseek offset computation
The arguments for deposit64 are (value, start, length, fieldval); this
appears to have thought they were (value, fieldval, start,
length). Reorder the parameters to match the actual function.
Cc: qemu-stable@nongnu.org
Fixes: 950272506d ("target/m68k: Use semihosting/syscalls.h")
Reported-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20230801154519.3505531-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit 8caaae7319a5f7ca449900c0e6bfcaed78fa3ae2)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: c315f738419084388722b405c9a3c2aa87b460cf
https://github.com/qemu/qemu/commit/c315f738419084388722b405c9a3c2aa87b460cf
Author: Eric Auger <eric.auger@redhat.com>
Date: 2023-08-04 (Fri, 04 Aug 2023)
Changed paths:
M hw/virtio/virtio-iommu.c
Log Message:
-----------
hw/virtio-iommu: Fix potential OOB access in virtio_iommu_handle_command()
In the virtio_iommu_handle_command() when a PROBE request is handled,
output_size takes a value greater than the tail size and on a subsequent
iteration we can get a stack out-of-band access. Initialize the
output_size on each iteration.
The issue was found with ASAN. Credits to:
Yiming Tao(Zhejiang University)
Gaoning Pan(Zhejiang University)
Fixes: 1733eebb9e7 ("virtio-iommu: Implement RESV_MEM probe request")
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
Cc: qemu-stable@nongnu.org
Message-Id: <20230717162126.11693-1-eric.auger@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit cf2f89edf36a59183166ae8721a8d7ab5cd286bd)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 35a60ba42ca2dfcd9600a9467650d440257f7986
https://github.com/qemu/qemu/commit/35a60ba42ca2dfcd9600a9467650d440257f7986
Author: zhenwei pi <pizhenwei@bytedance.com>
Date: 2023-08-04 (Fri, 04 Aug 2023)
Changed paths:
M hw/virtio/virtio-crypto.c
Log Message:
-----------
virtio-crypto: verify src&dst buffer length for sym request
For symmetric algorithms, the length of ciphertext must be as same
as the plaintext.
The missing verification of the src_len and the dst_len in
virtio_crypto_sym_op_helper() may lead buffer overflow/divulged.
This patch is originally written by Yiming Tao for QEMU-SECURITY,
resend it(a few changes of error message) in qemu-devel.
Fixes: CVE-2023-3180
Fixes: 04b9b37edda("virtio-crypto: add data queue processing handler")
Cc: Gonglei <arei.gonglei@huawei.com>
Cc: Mauro Matteo Cascella <mcascell@redhat.com>
Cc: Yiming Tao <taoym@zju.edu.cn>
Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
Message-Id: <20230803024314.29962-2-pizhenwei@bytedance.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 9d38a8434721a6479fe03fb5afb150ca793d3980)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: c9e7442882a6c52ed3084df2d77ab80ec08c9849
https://github.com/qemu/qemu/commit/c9e7442882a6c52ed3084df2d77ab80ec08c9849
Author: Helge Deller <deller@gmx.de>
Date: 2023-08-04 (Fri, 04 Aug 2023)
Changed paths:
M target/hppa/cpu.h
Log Message:
-----------
target/hppa: Move iaoq registers and thus reduce generated code size
On hppa the Instruction Address Offset Queue (IAOQ) registers specifies
the next to-be-executed instructions addresses. Each generated TB writes those
registers at least once, so those registers are used heavily in generated
code.
Looking at the generated assembly, for a x86-64 host this code
to write the address $0x7ffe826f into iaoq_f is generated:
0x7f73e8000184: c7 85 d4 01 00 00 6f 82 movl $0x7ffe826f, 0x1d4(%rbp)
0x7f73e800018c: fe 7f
0x7f73e800018e: c7 85 d8 01 00 00 73 82 movl $0x7ffe8273, 0x1d8(%rbp)
0x7f73e8000196: fe 7f
With the trivial change, by moving the variables iaoq_f and iaoq_b to
the top of struct CPUArchState, the offset to %rbp is reduced (from
0x1d4 to 0), which allows the x86-64 tcg to generate 3 bytes less of
generated code per move instruction:
0x7fc1e800018c: c7 45 00 6f 82 fe 7f movl $0x7ffe826f, (%rbp)
0x7fc1e8000193: c7 45 04 73 82 fe 7f movl $0x7ffe8273, 4(%rbp)
Overall this is a reduction of generated code (not a reduction of
number of instructions).
A test run with checks the generated code size by running "/bin/ls"
with qemu-user shows that the code size shrinks from 1616767 to 1569273
bytes, which is ~97% of the former size.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: qemu-stable@nongnu.org
(cherry picked from commit f8c0fd9804f435a20c3baa4c0c77ba9a02af24ef)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 1451a86f6dfe4d1648411bd460d3a4613485d2b1
https://github.com/qemu/qemu/commit/1451a86f6dfe4d1648411bd460d3a4613485d2b1
Author: Yuri Benditovich <yuri.benditovich@daynix.com>
Date: 2023-08-04 (Fri, 04 Aug 2023)
Changed paths:
M hw/pci/pci_host.c
Log Message:
-----------
pci: do not respond config requests after PCI device eject
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2224964
In migration with VF failover, Windows guest and ACPI hot
unplug we do not need to satisfy config requests, otherwise
the guest immediately detects the device and brings up its
driver. Many network VF's are stuck on the guest PCI bus after
the migration.
Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com>
Message-Id: <20230728084049.191454-1-yuri.benditovich@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 348e354417b64c484877354ee7cc66f29fa6c7df)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: cf2be5881f8da04f03e9a58591358e6057433f26
https://github.com/qemu/qemu/commit/cf2be5881f8da04f03e9a58591358e6057433f26
Author: Thomas Huth <thuth@redhat.com>
Date: 2023-08-04 (Fri, 04 Aug 2023)
Changed paths:
M hw/i386/intel_iommu.c
Log Message:
-----------
hw/i386/intel_iommu: Fix trivial endianness problems
After reading the guest memory with dma_memory_read(), we have
to make sure that we byteswap the little endian data to the host's
byte order.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230802135723.178083-2-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Xu <peterx@redhat.com>
(cherry picked from commit cc2a08480e19007c05be8fe5b6893e20448954dc)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: bbe3627f44e079a3eadb7713fa3aca291edf6ec9
https://github.com/qemu/qemu/commit/bbe3627f44e079a3eadb7713fa3aca291edf6ec9
Author: Thomas Huth <thuth@redhat.com>
Date: 2023-08-04 (Fri, 04 Aug 2023)
Changed paths:
M hw/i386/intel_iommu.c
M include/hw/i386/intel_iommu.h
Log Message:
-----------
hw/i386/intel_iommu: Fix endianness problems related to VTD_IR_TableEntry
The code already tries to do some endianness handling here, but
currently fails badly:
- While it already swaps the data when logging errors / tracing, it fails
to byteswap the value before e.g. accessing entry->irte.present
- entry->irte.source_id is swapped with le32_to_cpu(), though this is
a 16-bit value
- The whole union is apparently supposed to be swapped via the 64-bit
data[2] array, but the struct is a mixture between 32 bit values
(the first 8 bytes) and 64 bit values (the second 8 bytes), so this
cannot work as expected.
Fix it by converting the struct to two proper 64-bit bitfields, and
by swapping the values only once for everybody right after reading
the data from memory.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230802135723.178083-3-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
(cherry picked from commit 642ba89672279fbdd14016a90da239c85e845d18)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 31e7ef997e849602f742a60d69c1b3b234eb1547
https://github.com/qemu/qemu/commit/31e7ef997e849602f742a60d69c1b3b234eb1547
Author: Thomas Huth <thuth@redhat.com>
Date: 2023-08-04 (Fri, 04 Aug 2023)
Changed paths:
M hw/i386/intel_iommu_internal.h
Log Message:
-----------
hw/i386/intel_iommu: Fix struct VTDInvDescIEC on big endian hosts
On big endian hosts, we need to reverse the bitfield order in the
struct VTDInvDescIEC, just like it is already done for the other
bitfields in the various structs of the intel-iommu device.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230802135723.178083-4-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
(cherry picked from commit 4572b22cf9ba432fa3955686853c706a1821bbc7)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: fd02247083faf23488264c44d4a425d44390e4b2
https://github.com/qemu/qemu/commit/fd02247083faf23488264c44d4a425d44390e4b2
Author: Thomas Huth <thuth@redhat.com>
Date: 2023-08-04 (Fri, 04 Aug 2023)
Changed paths:
M hw/i386/intel_iommu.c
Log Message:
-----------
hw/i386/intel_iommu: Fix index calculation in vtd_interrupt_remap_msi()
The values in "addr" are populated locally in this function in host
endian byte order, so we must not swap the index_l field here.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230802135723.178083-5-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Xu <peterx@redhat.com>
(cherry picked from commit fcd8027423300b201b37842b88393dc5c6c8ee9e)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: b58abc4a2b59077bfd5d5b9d1daf7bb86221f6b1
https://github.com/qemu/qemu/commit/b58abc4a2b59077bfd5d5b9d1daf7bb86221f6b1
Author: Thomas Huth <thuth@redhat.com>
Date: 2023-08-04 (Fri, 04 Aug 2023)
Changed paths:
M hw/i386/x86-iommu.c
Log Message:
-----------
hw/i386/x86-iommu: Fix endianness issue in x86_iommu_irq_to_msi_message()
The values in "msg" are assembled in host endian byte order (the other
field are also not swapped), so we must not swap the __addr_head here.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230802135723.178083-6-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Xu <peterx@redhat.com>
(cherry picked from commit 37cf5cecb039a063c0abe3b51ae30f969e73aa84)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: da6d0af41d66e8c54c430454e534499c289ba47b
https://github.com/qemu/qemu/commit/da6d0af41d66e8c54c430454e534499c289ba47b
Author: Thomas Huth <thuth@redhat.com>
Date: 2023-08-04 (Fri, 04 Aug 2023)
Changed paths:
M include/hw/i386/x86-iommu.h
Log Message:
-----------
include/hw/i386/x86-iommu: Fix struct X86IOMMU_MSIMessage for big endian hosts
The first bitfield here is supposed to be used as a 64-bit equivalent
to the "uint64_t msi_addr" in the union. To make this work correctly
on big endian hosts, too, the __addr_hi field has to be part of the
bitfield, and the the bitfield members must be declared with "uint64_t"
instead of "uint32_t" - otherwise the values are placed in the wrong
bytes on big endian hosts.
Same applies to the 32-bit "msi_data" field: __resved1 must be part
of the bitfield, and the members must be declared with "uint32_t"
instead of "uint16_t".
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230802135723.178083-7-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
(cherry picked from commit e1e56c07d1fa24aa37a7e89e6633768fc8ea8705)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 988eeb5930b616bb9d9a3848407a59939e0d40f5
https://github.com/qemu/qemu/commit/988eeb5930b616bb9d9a3848407a59939e0d40f5
Author: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: 2023-08-05 (Sat, 05 Aug 2023)
Changed paths:
M hw/vfio/pci.c
Log Message:
-----------
vfio/pci: Disable INTx in vfio_realize error path
When vfio realize fails, INTx isn't disabled if it has been enabled.
This may confuse host side with unhandled interrupt report.
Fixes: c5478fea27ac ("vfio/pci: Respond to KVM irqchip change notifier")
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
(cherry picked from commit adee0da0368f50b3ee934cdeeb6076466dabb268)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 4e9a35dfa77962facde6dea364ce52067e554225
https://github.com/qemu/qemu/commit/4e9a35dfa77962facde6dea364ce52067e554225
Author: Hawkins Jiawei <yin31149@gmail.com>
Date: 2023-08-05 (Sat, 05 Aug 2023)
Changed paths:
M net/vhost-vdpa.c
Log Message:
-----------
vdpa: Fix possible use-after-free for VirtQueueElement
QEMU uses vhost_handle_guest_kick() to forward guest's available
buffers to the vdpa device in SVQ avail ring.
In vhost_handle_guest_kick(), a `g_autofree` `elem` is used to
iterate through the available VirtQueueElements. This `elem` is
then passed to `svq->ops->avail_handler`, specifically to the
vhost_vdpa_net_handle_ctrl_avail(). If this handler fails to
process the CVQ command, vhost_handle_guest_kick() regains
ownership of the `elem`, and either frees it or requeues it.
Yet the problem is that, vhost_vdpa_net_handle_ctrl_avail()
mistakenly frees the `elem`, even if it fails to forward the
CVQ command to vdpa device. This can result in a use-after-free
for the `elem` in vhost_handle_guest_kick().
This patch solves this problem by refactoring
vhost_vdpa_net_handle_ctrl_avail() to only freeing the `elem` if
it owns it.
Fixes: bd907ae4b0 ("vdpa: manual forward CVQ buffers")
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
Message-Id:
<e3f2d7db477734afe5c6a5ab3fa8b8317514ea34.1688746840.git.yin31149@gmail.com>
Reviewed-by: Eugenio Pérez <eperezma@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 031b1abacbdb3f4e016b6b926f7e7876c05339bb)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 5e67da966847f8b93ed15c5f1426f9c99da66b83
https://github.com/qemu/qemu/commit/5e67da966847f8b93ed15c5f1426f9c99da66b83
Author: Hawkins Jiawei <yin31149@gmail.com>
Date: 2023-08-05 (Sat, 05 Aug 2023)
Changed paths:
M net/vhost-vdpa.c
Log Message:
-----------
vdpa: Return -EIO if device ack is VIRTIO_NET_ERR in _load_mac()
According to VirtIO standard, "The class, command and
command-specific-data are set by the driver,
and the device sets the ack byte.
There is little it can do except issue a diagnostic
if ack is not VIRTIO_NET_OK."
Therefore, QEMU should stop sending the queued SVQ commands and
cancel the device startup if the device's ack is not VIRTIO_NET_OK.
Yet the problem is that, vhost_vdpa_net_load_mac() returns 1 based on
`*s->status != VIRTIO_NET_OK` when the device's ack is VIRTIO_NET_ERR.
As a result, net->nc->info->load() also returns 1, this makes
vhost_net_start_one() incorrectly assume the device state is
successfully loaded by vhost_vdpa_net_load() and return 0, instead of
goto `fail` label to cancel the device startup, as vhost_net_start_one()
only cancels the device startup when net->nc->info->load() returns a
negative value.
This patch fixes this problem by returning -EIO when the device's
ack is not VIRTIO_NET_OK.
Fixes: f73c0c43ac ("vdpa: extract vhost_vdpa_net_load_mac from
vhost_vdpa_net_load")
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Message-Id:
<a21731518644abbd0c495c5b7960527c5911f80d.1688438055.git.yin31149@gmail.com>
Tested-by: Lei Yang <leiyang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit b479bc3c9d5e473553137641fd31069c251f0d6e)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 1306708795fd617d55b90814977ac369701c6213
https://github.com/qemu/qemu/commit/1306708795fd617d55b90814977ac369701c6213
Author: Hawkins Jiawei <yin31149@gmail.com>
Date: 2023-08-05 (Sat, 05 Aug 2023)
Changed paths:
M net/vhost-vdpa.c
Log Message:
-----------
vdpa: Return -EIO if device ack is VIRTIO_NET_ERR in _load_mq()
According to VirtIO standard, "The class, command and
command-specific-data are set by the driver,
and the device sets the ack byte.
There is little it can do except issue a diagnostic
if ack is not VIRTIO_NET_OK."
Therefore, QEMU should stop sending the queued SVQ commands and
cancel the device startup if the device's ack is not VIRTIO_NET_OK.
Yet the problem is that, vhost_vdpa_net_load_mq() returns 1 based on
`*s->status != VIRTIO_NET_OK` when the device's ack is VIRTIO_NET_ERR.
As a result, net->nc->info->load() also returns 1, this makes
vhost_net_start_one() incorrectly assume the device state is
successfully loaded by vhost_vdpa_net_load() and return 0, instead of
goto `fail` label to cancel the device startup, as vhost_net_start_one()
only cancels the device startup when net->nc->info->load() returns a
negative value.
This patch fixes this problem by returning -EIO when the device's
ack is not VIRTIO_NET_OK.
Fixes: f64c7cda69 ("vdpa: Add vhost_vdpa_net_load_mq")
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Message-Id:
<ec515ebb0b4f56368751b9e318e245a5d994fa72.1688438055.git.yin31149@gmail.com>
Tested-by: Lei Yang <leiyang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit f45fd95ec9e8104f6af801c734375029dda0f542)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 74619c052d4576567ee0a24ce17b7fc4b1804f88
https://github.com/qemu/qemu/commit/74619c052d4576567ee0a24ce17b7fc4b1804f88
Author: Nicholas Piggin <npiggin@gmail.com>
Date: 2023-08-05 (Sat, 05 Aug 2023)
Changed paths:
M target/ppc/mmu-hash64.c
Log Message:
-----------
target/ppc: Implement ASDR register for ISA v3.0 for HPT
The ASDR register was introduced in ISA v3.0. It has not been
implemented for HPT. With HPT, ASDR is the format of the slbmte RS
operand (containing VSID), which matches the ppc_slb_t field.
Fixes: 3367c62f522b ("target/ppc: Support for POWER9 native hash")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-ID: <20230726182230.433945-2-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
(cherry picked from commit 9201af096962a1967ce5d0b270ed16ae4edd3db6)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 4afce84629fac21c54c5b6013e49ec070baa06b1
https://github.com/qemu/qemu/commit/4afce84629fac21c54c5b6013e49ec070baa06b1
Author: Nicholas Piggin <npiggin@gmail.com>
Date: 2023-08-05 (Sat, 05 Aug 2023)
Changed paths:
M target/ppc/excp_helper.c
Log Message:
-----------
target/ppc: Fix pending HDEC when entering PM state
HDEC is defined to not wake from PM state. There is a check in the HDEC
timer to avoid setting the interrupt if we are in a PM state, but no
check on PM entry to lower HDEC if it already fired. This can cause a
HDECR wake up and QEMU abort with unsupported exception in Power Save
mode.
Fixes: 4b236b621bf ("ppc: Initial HDEC support")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-ID: <20230726182230.433945-4-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
(cherry picked from commit 9915dac4847f3cc5ffd36e4c374a4eec83fe09b5)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 5a8fdead8556215b3d95a817f5edf8f38bcb2d16
https://github.com/qemu/qemu/commit/5a8fdead8556215b3d95a817f5edf8f38bcb2d16
Author: Nicholas Piggin <npiggin@gmail.com>
Date: 2023-08-05 (Sat, 05 Aug 2023)
Changed paths:
M target/ppc/mmu-hash64.c
M target/ppc/mmu-hash64.h
Log Message:
-----------
target/ppc: Fix VRMA page size for ISA v3.0
Until v2.07s, the VRMA page size (L||LP) was encoded in LPCR[VRMASD].
In v3.0 that moved to the partition table PS field.
The powernv machine can now run KVM HPT guests on POWER9/10 CPUs with
this fix and the patch to add ASDR.
Fixes: 3367c62f522b ("target/ppc: Support for POWER9 native hash")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-ID: <20230730111842.39292-1-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
(cherry picked from commit 0e2a3ec36885f6d79a96230f582d4455878c6373)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 5e4beb092dc0aa30b4b9474c17231a358e1711b1
https://github.com/qemu/qemu/commit/5e4beb092dc0aa30b4b9474c17231a358e1711b1
Author: Matt Borgerson <contact@mborgerson.com>
Date: 2023-08-05 (Sat, 05 Aug 2023)
Changed paths:
M target/i386/tcg/decode-new.c.inc
Log Message:
-----------
target/i386: Check CR0.TS before enter_mmx
When CR0.TS=1, execution of x87 FPU, MMX, and some SSE instructions will
cause a Device Not Available (DNA) exception (#NM). System software uses
this exception event to lazily context switch FPU state.
Before this patch, enter_mmx helpers may be generated just before #NM
generation, prematurely resetting FPU state before the guest has a
chance to save it.
Signed-off-by: Matt Borgerson <contact@mborgerson.com>
Message-ID: <CADc=-s5F10muEhLs4f3mxqsEPAHWj0XFfOC2sfFMVHrk9fcpMg@mail.gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit b2ea6450d8e1336a33eb958ccc64604bc35a43dd)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 9abcf9776d8906c53feacab686f3d50137654b62
https://github.com/qemu/qemu/commit/9abcf9776d8906c53feacab686f3d50137654b62
Author: Michael Tokarev <mjt@tls.msk.ru>
Date: 2023-08-07 (Mon, 07 Aug 2023)
Changed paths:
M VERSION
Log Message:
-----------
Update version for 7.2.5 release
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Compare: https://github.com/qemu/qemu/compare/681858ea1424...9abcf9776d89
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-commits] [qemu/qemu] 2b6a75: hw/ide/piix: properly initialize the BMIBA register,
Alex Bennée <=