qemu-commits

From: Alex Bennée
Subject: [Qemu-commits] [qemu/qemu] ded5ed: hw/ppc: Introduce functions for conversion between...
Date: Mon, 16 Oct 2023 07:17:26 -0700

  Branch: refs/heads/stable-8.1
  Home:   https://github.com/qemu/qemu
  Commit: ded5edee00b97521fb98c5407768995bd4873a4e
      https://github.com/qemu/qemu/commit/ded5edee00b97521fb98c5407768995bd4873a4e
  Author: Nicholas Piggin <npiggin@gmail.com>
  Date:   2023-09-25 (Mon, 25 Sep 2023)

  Changed paths:
    M hw/ppc/ppc.c

  Log Message:
  -----------
  hw/ppc: Introduce functions for conversion between timebase and nanoseconds

These calculations are repeated several times, and they will become
a little more complicated with subsequent changes.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
(cherry picked from commit 7798f5c576d898e7e10c4a2518f3f16411dedeb9)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 4bff0a82874366a32d5931e1a21d5a071ec3b931
      https://github.com/qemu/qemu/commit/4bff0a82874366a32d5931e1a21d5a071ec3b931
  Author: Nicholas Piggin <npiggin@gmail.com>
  Date:   2023-09-25 (Mon, 25 Sep 2023)

  Changed paths:
    M include/qemu/host-utils.h

  Log Message:
  -----------
  host-utils: Add muldiv64_round_up

This will be used for converting time intervals in different base units
to host units, for the purpose of scheduling timers to emulate target
timers. Timers typically must not fire before their requested expiry
time but may fire some time afterward, so rounding up is the right way
to implement these.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
[ clg: renamed __muldiv64() to muldiv64_rounding() ]
Signed-off-by: Cédric Le Goater <clg@kaod.org>
(cherry picked from commit 47de6c4c287079744ceb96f606b3c0457addf380)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 73b7a8110713e0f50a54b514ccc91dc1746cee17
      https://github.com/qemu/qemu/commit/73b7a8110713e0f50a54b514ccc91dc1746cee17
  Author: Nicholas Piggin <npiggin@gmail.com>
  Date:   2023-09-25 (Mon, 25 Sep 2023)

  Changed paths:
    M hw/ppc/ppc.c

  Log Message:
  -----------
  hw/ppc: Round up the decrementer interval when converting to ns

The rule of timers is typically that they should never expire before the
timeout, but some time afterward. Rounding timer intervals up when doing
conversion is the right thing to do.

Under most circumstances it is impossible to observe the decrementer
interrupt before the dec register has triggered. However with icount
timing, problems can arise. For example setting DEC to 0 can schedule
the timer for now, causing it to fire before any more instructions
have been executed and DEC is still 0.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
(cherry picked from commit eab0888418ab44344864965193cf6cd194ab6858)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 0e35c812b9bb76a881c714f4dad2dcbb849bd1a4
      https://github.com/qemu/qemu/commit/0e35c812b9bb76a881c714f4dad2dcbb849bd1a4
  Author: Nicholas Piggin <npiggin@gmail.com>
  Date:   2023-09-25 (Mon, 25 Sep 2023)

  Changed paths:
    M hw/ppc/ppc.c

  Log Message:
  -----------
  hw/ppc: Avoid decrementer rounding errors

The decrementer register contains a relative time in timebase units.
When writing to DECR this is converted and stored as an absolute value
in nanosecond units, reading DECR converts back to relative timebase.

The tb<->ns conversion of the relative part can cause rounding such that
a value written to the decrementer can read back a different value, with
time held constant. This is a particular problem for a deterministic
icount and record-replay trace.

Fix this by storing the absolute value in timebase units rather than
nanoseconds. The math before:
  store:  decr_next = now_ns + decr * ns_per_sec / tb_per_sec
  load:        decr = (decr_next - now_ns) * tb_per_sec / ns_per_sec
  load(store): decr = decr * ns_per_sec / tb_per_sec * tb_per_sec /
                      ns_per_sec

After:
  store:  decr_next = now_ns * tb_per_sec / ns_per_sec + decr
  load:        decr = decr_next - now_ns * tb_per_sec / ns_per_sec
  load(store): decr = decr

Fixes: 9fddaa0c0cab ("PowerPC merge: real time TB and decrementer - faster and simpler exception handling (Jocelyn Mayer)")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
(cherry picked from commit 8e0a5ac87800ccc6dd5013f89f27652f4480ab33)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
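The three decrementer commits above (muldiv64_round_up, rounding the interval up, and keeping the absolute expiry in timebase units) describe the arithmetic but show no code. The following is an added illustration written for this page, not QEMU's own helpers: the conversion helpers, the rates (a constructed 512 MHz timebase against nanosecond host time), and the function names are all assumptions. It uses a GCC/Clang `unsigned __int128` intermediate, and it checks both properties the commit messages state: the ns-based store/load round trip can change the value with time held constant while the tb-based one cannot, and a rounded-down host delay can fire before the requested number of ticks has elapsed while a rounded-up one cannot.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample rates for the illustration (not taken from QEMU). */
#define NS_PER_SEC 1000000000ULL
#define TB_PER_SEC  512000000ULL

/* a * b / c with a 128-bit intermediate, rounded down (a plain muldiv). */
static uint64_t muldiv64_floor(uint64_t a, uint64_t b, uint64_t c)
{
    return (uint64_t)(((unsigned __int128)a * b) / c);
}

/* a * b / c rounded up: never below the exact quotient, which is the
 * property a timer deadline needs (firing late is allowed, early is not). */
static uint64_t muldiv64_round_up(uint64_t a, uint64_t b, uint64_t c)
{
    unsigned __int128 p = (unsigned __int128)a * b;
    return (uint64_t)((p + c - 1) / c);
}

/* "Before": absolute expiry kept in ns, so the relative value is converted
 * on store and converted back on load; both conversions can round. */
static uint64_t store_ns(uint64_t now_ns, uint64_t decr)
{
    return now_ns + muldiv64_floor(decr, NS_PER_SEC, TB_PER_SEC);
}

static uint64_t load_ns(uint64_t now_ns, uint64_t decr_next_ns)
{
    return muldiv64_floor(decr_next_ns - now_ns, TB_PER_SEC, NS_PER_SEC);
}

/* "After": absolute expiry kept in timebase ticks; only "now" is converted,
 * and that term cancels exactly when time is held constant. */
static uint64_t store_tb(uint64_t now_ns, uint64_t decr)
{
    return muldiv64_floor(now_ns, TB_PER_SEC, NS_PER_SEC) + decr;
}

static uint64_t load_tb(uint64_t now_ns, uint64_t decr_next_tb)
{
    return decr_next_tb - muldiv64_floor(now_ns, TB_PER_SEC, NS_PER_SEC);
}

/* Does a write followed by an immediate read return the same value? */
static bool roundtrip_ns_ok(uint64_t now_ns, uint64_t decr)
{
    return load_ns(now_ns, store_ns(now_ns, decr)) == decr;
}

static bool roundtrip_tb_ok(uint64_t now_ns, uint64_t decr)
{
    return load_tb(now_ns, store_tb(now_ns, decr)) == decr;
}

/* Host timer delay for a decrementer interval, rounded up so the host timer
 * cannot fire before the requested number of ticks has really elapsed. */
static uint64_t decr_interval_to_ns(uint64_t decr_ticks)
{
    return muldiv64_round_up(decr_ticks, NS_PER_SEC, TB_PER_SEC);
}

/* Exact comparison (cross-multiplied, no rounding): is a delay of ns
 * nanoseconds at least as long as decr_ticks timebase ticks? */
static bool fires_no_earlier_than(uint64_t ns, uint64_t decr_ticks)
{
    return (unsigned __int128)ns * TB_PER_SEC >=
           (unsigned __int128)decr_ticks * NS_PER_SEC;
}

int main(void)
{
    uint64_t now = 123456789;  /* constructed "current time" in ns */
    for (uint64_t decr = 0; decr < 6; decr++) {
        uint64_t floor_ns = muldiv64_floor(decr, NS_PER_SEC, TB_PER_SEC);
        printf("decr=%llu ns-roundtrip=%s tb-roundtrip=%s "
               "floor-delay-early=%d roundup-delay-early=%d\n",
               (unsigned long long)decr,
               roundtrip_ns_ok(now, decr) ? "ok" : "MISMATCH",
               roundtrip_tb_ok(now, decr) ? "ok" : "MISMATCH",
               !fires_no_earlier_than(floor_ns, decr),
               !fires_no_earlier_than(decr_interval_to_ns(decr), decr));
    }
    return 0;
}
```

With these rates one tick is 1.953125 ns, so a 1-tick interval rounds down to a 1 ns delay (early by almost a full tick) and a 3-tick write reads back as 2 through the ns-based path; the tb-based path returns exactly what was written for every value.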


  Commit: 97fec8f2c4c2c80c154050f403fe986e6edee2f1
      https://github.com/qemu/qemu/commit/97fec8f2c4c2c80c154050f403fe986e6edee2f1
  Author: Nicholas Piggin <npiggin@gmail.com>
  Date:   2023-09-25 (Mon, 25 Sep 2023)

  Changed paths:
    M hw/ppc/ppc.c

  Log Message:
  -----------
  target/ppc: Sign-extend large decrementer to 64-bits

When storing a large decrementer value with the most significant
implemented bit set, it is to be treated as a negative and sign
extended.

This isn't hit for book3s DEC because of another bug, fixing it
in the next patch exposes this one and can cause additional
problems, so fix this first. It can be hit with HDECR and other
edge triggered types.

Fixes: a8dafa52518 ("target/ppc: Implement large decrementer support for TCG")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
[ clg: removed extra cpu and pcc variables shadowing local variables ]
Signed-off-by: Cédric Le Goater <clg@kaod.org>
(cherry picked from commit c8fbc6b9f2f3c732ee3307093c1c5c367eaa64ae)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 1c2343cc6113968766953deb176a6b40b7c164b6
      https://github.com/qemu/qemu/commit/1c2343cc6113968766953deb176a6b40b7c164b6
  Author: Nicholas Piggin <npiggin@gmail.com>
  Date:   2023-09-25 (Mon, 25 Sep 2023)

  Changed paths:
    M hw/ppc/ppc.c

  Log Message:
  -----------
  hw/ppc: Always store the decrementer value

When writing a value to the decrementer that raises an exception, the
irq is raised, but the value is not stored so the store doesn't appear
to have changed the register when it is read again.

Always store the write value to the register.

Fixes: e81a982aa53 ("PPC: Clean up DECR implementation")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
(cherry picked from commit febb71d543a8f747b2f8aaf0182d0a385c6a02c3)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: b6fa8e42d14d320af6a045468f294bca2d17aeac
      https://github.com/qemu/qemu/commit/b6fa8e42d14d320af6a045468f294bca2d17aeac
  Author: Nicholas Piggin <npiggin@gmail.com>
  Date:   2023-09-25 (Mon, 25 Sep 2023)

  Changed paths:
    M hw/ppc/mac_oldworld.c
    M hw/ppc/pegasos2.c
    M hw/ppc/pnv_core.c
    M hw/ppc/ppc.c
    M hw/ppc/prep.c
    M hw/ppc/spapr_cpu_core.c
    M include/hw/ppc/ppc.h

  Log Message:
  -----------
  hw/ppc: Reset timebase facilities on machine reset

Lower interrupts, delete timers, and set time facility registers
back to initial state on machine reset.

This is not so important for record-replay since timebase and
decrementer are migrated, but it gives a cleaner reset state.

Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Cc: BALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
[ clg: checkpatch.pl fixes ]
Signed-off-by: Cédric Le Goater <clg@kaod.org>
(cherry picked from commit 30d0647bcfa99d4a141eaa843a9fb5b091ddbb76)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: fb9e03529cb25c0c0a2bf019d7982082666394ae
      https://github.com/qemu/qemu/commit/fb9e03529cb25c0c0a2bf019d7982082666394ae
  Author: Nicholas Piggin <npiggin@gmail.com>
  Date:   2023-09-25 (Mon, 25 Sep 2023)

  Changed paths:
    M hw/ppc/ppc.c

  Log Message:
  -----------
  hw/ppc: Read time only once to perform decrementer write

Reading the time more than once to perform an operation always increases
complexity and fragility due to introduced deltas. Simplify the
decrementer write by reading the clock once for the operation.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
(cherry picked from commit ea62f8a5172cf5fcd97df143b758730f6865a625)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: f7f97b9ad84af1aef842efa508cc07d1cde55196
      https://github.com/qemu/qemu/commit/f7f97b9ad84af1aef842efa508cc07d1cde55196
  Author: Mikulas Patocka <mpatocka@redhat.com>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M linux-user/hppa/signal.c

  Log Message:
  -----------
  linux-user/hppa: clear the PSW 'N' bit when delivering signals

qemu-hppa may crash when delivering a signal. It can be demonstrated with
this program. Compile the program with "hppa-linux-gnu-gcc -O2 signal.c"
and run it with "qemu-hppa -one-insn-per-tb a.out". It reports that the
address of the flag is 0xb4 and it crashes when attempting to touch it.

#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <signal.h>

sig_atomic_t flag;

void sig(int n)
{
        printf("&flag: %p\n", &flag);
        flag = 1;
}

int main(void)
{
        struct sigaction sa;
        struct itimerval it;

        sa.sa_handler = sig;
        sigemptyset(&sa.sa_mask);
        sa.sa_flags = SA_RESTART;
        if (sigaction(SIGALRM, &sa, NULL)) perror("sigaction"), exit(1);

        it.it_interval.tv_sec = 0;
        it.it_interval.tv_usec = 100;
        it.it_value.tv_sec = it.it_interval.tv_sec;
        it.it_value.tv_usec = it.it_interval.tv_usec;

        if (setitimer(ITIMER_REAL, &it, NULL)) perror("setitimer"), exit(1);

        while (1) {
        }
}

The reason for the crash is that the signal handling routine doesn't clear
the 'N' flag in the PSW. If the signal interrupts a thread when the 'N'
flag is set, the flag remains set at the beginning of the signal handler
and the first instruction of the signal handler is skipped.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Helge Deller <deller@gmx.de>
Cc: qemu-stable@nongnu.org
Signed-off-by: Helge Deller <deller@gmx.de>
(cherry picked from commit 2529497cb6b298e732e8dbe5212da7925240b4f4)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: fda70be0c55eaa12c1cee6f6b45e0c770981f592
      https://github.com/qemu/qemu/commit/fda70be0c55eaa12c1cee6f6b45e0c770981f592
  Author: Mikulas Patocka <mpatocka@redhat.com>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M linux-user/hppa/signal.c

  Log Message:
  -----------
  linux-user/hppa: lock both words of function descriptor

The code in setup_rt_frame reads two words at haddr, but locks only one.
This patch fixes it to lock both.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Helge Deller <deller@gmx.de>
Cc: qemu-stable@nongnu.org
Signed-off-by: Helge Deller <deller@gmx.de>
(cherry picked from commit 5b1270ef1477bb7f240c3bfe2cd8b0fe4721fd51)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 6970f5ba0e7785b4726509e119a30eeb50cc207c
      https://github.com/qemu/qemu/commit/6970f5ba0e7785b4726509e119a30eeb50cc207c
  Author: Li Zhijian <lizhijian@cn.fujitsu.com>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M hw/cxl/cxl-host.c

  Log Message:
  -----------
  hw/cxl: Fix CFMW config memory leak

Allocate targets and targets[n] resources when all sanity checks are
passed to avoid memory leaks.

Cc: qemu-stable@nongnu.org
Suggested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Fan Ni <fan.ni@samsung.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 7b165fa164022b756c2b001d0a1525f98199d3ac)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: f59caeca76795341cd1e82575c79bb4a9218650d
      https://github.com/qemu/qemu/commit/f59caeca76795341cd1e82575c79bb4a9218650d
  Author: Dmitry Frolov <frolov@swemel.ru>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M include/hw/cxl/cxl.h

  Log Message:
  -----------
  hw/cxl: Fix out of bound array access

According to cxl_interleave_ways_enc(), fw->num_targets is allowed to be up
to 16. This also corresponds to CXL r3.0 spec. So, the fw->target_hbs[]
array is iterated from 0 to 15. But it is statically declared of length 8.
Thus, out of bound array access may occur.

Fixes: c28db9e000 ("hw/pci-bridge: Make PCIe and CXL PXB Devices inherit from TYPE_PXB_DEV")
Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Link: https://lore.kernel.org/r/20230913101055.754709-1-frolov@swemel.ru
Cc: qemu-stable@nongnu.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit de5bbfc602ef1b9b79c494a914c6083a1a23cca2)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
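The out-of-bound access above comes from a decoded count (up to 16) that exceeds a statically declared array (8). Below is an added C illustration of the two guards that catch this class of bug, written for this page and not QEMU's code: the structure, the `CXL_MAX_TARGETS` constant, and the function names are assumptions modelled on the commit message. A `_Static_assert` ties the array length to the maximum the decoder can produce so a mismatch fails the build, and a run-time check rejects an oversized count at the point it enters, before any loop indexes the array with it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative limit: the commit message says the interleave-ways encoding
 * allows up to 16 targets. Name and structure are constructed here. */
#define CXL_MAX_TARGETS 16
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct fixed_window {
    unsigned num_targets;               /* count decoded from configuration */
    int target_hbs[CXL_MAX_TARGETS];    /* host bridge for each interleave slot */
};

/* Compile-time guard: the array must hold every index the decoded count can
 * produce. Shrinking the declaration (e.g. to 8) now fails the build rather
 * than silently becoming an out-of-bounds write. */
_Static_assert(ARRAY_SIZE(((struct fixed_window *)0)->target_hbs) >= CXL_MAX_TARGETS,
               "target_hbs[] is smaller than the maximum interleave ways");

/* Run-time guard at the trust boundary: refuse a count the storage cannot
 * hold before the copy loop runs. Returns false on rejection. */
static bool fixed_window_set_targets(struct fixed_window *fw,
                                     unsigned num_targets, const int *hbs)
{
    if (num_targets == 0 || num_targets > ARRAY_SIZE(fw->target_hbs)) {
        return false;
    }
    fw->num_targets = num_targets;
    for (unsigned i = 0; i < num_targets; i++) {
        fw->target_hbs[i] = hbs[i];
    }
    return true;
}

/* Helper for the demonstration: is a window with n decoded targets accepted? */
static bool demo_accepts(unsigned n)
{
    struct fixed_window fw = {0};
    int hbs[CXL_MAX_TARGETS + 1];   /* one more than the array can hold */
    for (unsigned i = 0; i < ARRAY_SIZE(hbs); i++) {
        hbs[i] = (int)i;
    }
    return fixed_window_set_targets(&fw, n, hbs);
}

int main(void)
{
    unsigned counts[] = {1, 8, 16, 17, 0};
    for (size_t i = 0; i < ARRAY_SIZE(counts); i++) {
        printf("num_targets=%u -> %s\n", counts[i],
               demo_accepts(counts[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```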


  Commit: c2e6a00b5fb96bfb4f47b8b8fa984b1209da84d8
      https://github.com/qemu/qemu/commit/c2e6a00b5fb96bfb4f47b8b8fa984b1209da84d8
  Author: Hanna Czenczek <hreitz@redhat.com>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M block/file-posix.c

  Log Message:
  -----------
  file-posix: Clear bs->bl.zoned on error

bs->bl.zoned is what indicates whether the zone information is present
and valid; it is the only thing that raw_refresh_zoned_limits() sets if
CONFIG_BLKZONED is not defined, and it is also the only thing that it
sets if CONFIG_BLKZONED is defined, but there are no zones.

Make sure that it is always set to BLK_Z_NONE if there is an error
anywhere in raw_refresh_zoned_limits() so that we do not accidentally
announce zones while our information is incomplete or invalid.

This also fixes a memory leak in the last error path in
raw_refresh_zoned_limits().

Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-Id: <20230824155345.109765-2-hreitz@redhat.com>
Reviewed-by: Sam Li <faithilikerun@gmail.com>
(cherry picked from commit 56d1a022a77ea2125564913665eeadf3e303a671)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 825af96d6a4fbc6c5e41fc892bbf903ab74873f4
      https://github.com/qemu/qemu/commit/825af96d6a4fbc6c5e41fc892bbf903ab74873f4
  Author: Hanna Czenczek <hreitz@redhat.com>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M block/file-posix.c

  Log Message:
  -----------
  file-posix: Check bs->bl.zoned for zone info

Instead of checking bs->wps or bs->bl.zone_size for whether zone
information is present, check bs->bl.zoned.  That is the flag that
raw_refresh_zoned_limits() reliably sets to indicate zone support.  If
it is set to something other than BLK_Z_NONE, other values and objects
like bs->wps and bs->bl.zone_size must be non-null/zero and valid; if it
is not, we cannot rely on their validity.

Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-Id: <20230824155345.109765-3-hreitz@redhat.com>
Reviewed-by: Sam Li <faithilikerun@gmail.com>
(cherry picked from commit 4b5d80f3d02096a9bb1f651f6b3401ba40877159)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 31a471430fc4da19d6af1c9a7e4500db117d9066
      https://github.com/qemu/qemu/commit/31a471430fc4da19d6af1c9a7e4500db117d9066
  Author: Hanna Czenczek <hreitz@redhat.com>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M block/file-posix.c

  Log Message:
  -----------
  file-posix: Fix zone update in I/O error path

We must check that zone information is present before running
update_zones_wp().

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2234374
Fixes: Coverity CID 1512459
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-Id: <20230824155345.109765-4-hreitz@redhat.com>
Reviewed-by: Sam Li <faithilikerun@gmail.com>
(cherry picked from commit deab5c9a4ed74f76a713008a42527762b30a7e84)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 8ef6104413b275015d29a673236081e6bf7c6894
      https://github.com/qemu/qemu/commit/8ef6104413b275015d29a673236081e6bf7c6894
  Author: Hanna Czenczek <hreitz@redhat.com>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M block/file-posix.c

  Log Message:
  -----------
  file-posix: Simplify raw_co_prw's 'out' zone code

We duplicate the same condition three times here, pull it out to the top
level.

Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-Id: <20230824155345.109765-5-hreitz@redhat.com>
Reviewed-by: Sam Li <faithilikerun@gmail.com>
(cherry picked from commit d31b50a15dd25a560749b25fc40b6484fd1a57b7)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 8a043309ada860e6ffdf58015339b38450ece9dd
      https://github.com/qemu/qemu/commit/8a043309ada860e6ffdf58015339b38450ece9dd
  Author: Hanna Czenczek <hreitz@redhat.com>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    A tests/qemu-iotests/tests/file-io-error
    A tests/qemu-iotests/tests/file-io-error.out

  Log Message:
  -----------
  tests/file-io-error: New test

This is a regression test for
https://bugzilla.redhat.com/show_bug.cgi?id=2234374.

All this test needs to do is trigger an I/O error inside of file-posix
(specifically raw_co_prw()).  One reliable way to do this without
requiring special privileges is to use a FUSE export, which allows us to
inject any error that we want, e.g. via blkdebug.

Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-Id: <20230824155345.109765-6-hreitz@redhat.com>
[hreitz: Fixed test to be skipped when there is no FUSE support, to
         suppress fusermount's allow_other warning, and to be skipped
         with $IMGOPTSSYNTAX enabled]
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
(cherry picked from commit 380448464dd89291cf7fd7434be6c225482a334d)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: cb6ed2f7f73fbbfa321fdb47d058073bb02f1b41
      https://github.com/qemu/qemu/commit/cb6ed2f7f73fbbfa321fdb47d058073bb02f1b41
  Author: Anton Johansson <anjo@rev.ng>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M include/exec/cpu-all.h

  Log Message:
  -----------
  include/exec: Widen tlb_hit/tlb_hit_page()

tlb_addr is changed from target_ulong to uint64_t to match the type of
a CPUTLBEntry value, and the address is changed to vaddr.

Signed-off-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230807155706.9580-8-anjo@rev.ng>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit c78edb563942ce80c9c6c03b07397725b006b625)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: d0cd94e2b6eff0dbe3746da6b2c4c4643eecb101
      https://github.com/qemu/qemu/commit/d0cd94e2b6eff0dbe3746da6b2c4c4643eecb101
  Author: Fabian Vogt <fvogt@suse.de>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M hw/arm/boot.c

  Log Message:
  -----------
  hw/arm/boot: Set SCR_EL3.FGTEn when booting kernel

Just like d7ef5e16a17c sets SCR_EL3.HXEn for FEAT_HCX, this commit
handles SCR_EL3.FGTEn for FEAT_FGT:

When we direct boot a kernel on a CPU which emulates EL3, we need to
set up the EL3 system registers as the Linux kernel documentation
specifies:
    https://www.kernel.org/doc/Documentation/arm64/booting.rst

> For CPUs with the Fine Grained Traps (FEAT_FGT) extension present:
> - If EL3 is present and the kernel is entered at EL2:
>   - SCR_EL3.FGTEn (bit 27) must be initialised to 0b1.

Cc: qemu-stable@nongnu.org
Signed-off-by: Fabian Vogt <fvogt@suse.de>
Message-id: 4831384.GXAFRqVoOG@linux-e202.suse.de
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 32b214384e1e1472ddfa875196c57f6620172301)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 7329cc1c196a1a7048c027ae0eaee6eaa7b12bf9
      https://github.com/qemu/qemu/commit/7329cc1c196a1a7048c027ae0eaee6eaa7b12bf9
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M target/arm/tcg/hflags.c

  Log Message:
  -----------
  target/arm: Don't skip MTE checks for LDRT/STRT at EL0

The LDRT/STRT "unprivileged load/store" instructions behave like
normal ones if executed at EL0. We handle this correctly for
the load/store semantics, but get the MTE checking wrong.

We always look at s->mte_active[is_unpriv] to see whether we should
be doing MTE checks, but in hflags.c when we set the TB flags that
will be used to fill the mte_active[] array we only set the
MTE0_ACTIVE bit if UNPRIV is true (i.e.  we are not at EL0).

This means that a LDRT at EL0 will see s->mte_active[1] as 0,
and will not do MTE checks even when MTE is enabled.

To avoid the translate-time code having to do an explicit check on
s->unpriv to see if it is OK to index into the mte_active[] array,
duplicate MTE_ACTIVE into MTE0_ACTIVE when UNPRIV is false.

(This isn't a very serious bug because generally nobody executes
LDRT/STRT at EL0, because they have no use there.)

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230912140434.1333369-2-peter.maydell@linaro.org
(cherry picked from commit 903dbefc2b6918c10d12d9aafa0168cee8d287c7)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 0215e8e872cd8db6f2c40111ed045b7829967a46
      https://github.com/qemu/qemu/commit/0215e8e872cd8db6f2c40111ed045b7829967a46
  Author: Thomas Huth <thuth@redhat.com>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M meson.build
    M meson_options.txt
    M scripts/meson-buildoptions.sh

  Log Message:
  -----------
  meson.build: Make keyutils independent from keyring

Commit 0db0fbb5cf ("Add conditional dependency for libkeyutils")
tried to provide a possibility for the user to disable keyutils
if not required by making it depend on the keyring feature. This
looked reasonable at a first glance (the unit test in tests/unit/
needs both), but the condition in meson.build fails if the feature
is meant to be detected automatically, and there is also another
spot in backends/meson.build where keyutils is used independently
from keyring. So let's remove the dependency on keyring again and
introduce a proper meson build option instead.

Cc: qemu-stable@nongnu.org
Fixes: 0db0fbb5cf ("Add conditional dependency for libkeyutils")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1842
Message-ID: <20230824094208.255279-1-thuth@redhat.com>
Reviewed-by: "Daniel P. Berrangé" <berrange@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit c64023b0ba677cfa6b878e82ea8e18507a597396)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: b9b84b2d4190eef78fffdb1f1063e3e37ebbc91a
      https://github.com/qemu/qemu/commit/b9b84b2d4190eef78fffdb1f1063e3e37ebbc91a
  Author: Nicholas Piggin <npiggin@gmail.com>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M accel/tcg/tcg-accel-ops-mttcg.c

  Log Message:
  -----------
  accel/tcg: mttcg remove false-negative halted assertion

mttcg asserts that an execution ending with EXCP_HALTED must have
cpu->halted. However between the event or instruction that sets
cpu->halted and requests exit and the assertion here, an
asynchronous event could clear cpu->halted.

This leads to crashes running AIX on ppc/pseries because it uses
H_CEDE/H_PROD hcalls, where H_CEDE sets self->halted = 1 and
H_PROD sets other cpu->halted = 0 and kicks it.

H_PROD could be turned into an interrupt to wake, but several other
places in ppc, sparc, and semihosting follow what looks like a similar
pattern setting halted = 0 directly. So remove this assertion.

Reported-by: Ivan Warren <ivan@vmfacility.fr>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20230829010658.8252-1-npiggin@gmail.com>
[rth: Keep the case label and adjust the comment.]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 0e5903436de712844b0e6cdd862b499c767e09e9)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 6b7fa3cbab92097785a7c1c67b3ccb1047ca4919
      https://github.com/qemu/qemu/commit/6b7fa3cbab92097785a7c1c67b3ccb1047ca4919
  Author: Thomas Huth <thuth@redhat.com>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M hw/scsi/scsi-disk.c

  Log Message:
  -----------
  hw/scsi/scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467]

We are doing things like

    nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);

in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if
the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes
with a division by 0 exception. Thus disallow block sizes of 256
bytes to avoid this situation.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813
CVE: 2023-42467
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230925091854.49198-1-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 7cfcc79b0ab800959716738aff9419f53fc68c9c)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
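The division quoted above is the whole of CVE-2023-42467: an integer division whose divisor is itself a quotient, so any guest-chosen block size below 512 turns the divisor into 0. As an added C illustration (written for this page; not the scsi-disk.c code, and the function names and the exact bound are assumptions), here is the unchecked pattern next to a validated form. The validator also rejects sizes that are not a whole multiple of 512, which goes slightly beyond what the commit message states and is noted as such in the code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BDRV_SECTOR_SIZE 512ULL

/* The hazardous pattern from the commit message: with blocksize 256 the
 * divisor (256 / 512) is 0 and the division traps. Shown for contrast only;
 * the demonstration below never calls it with an unvalidated size. */
static uint64_t sectors_to_blocks_unchecked(uint64_t nb_sectors, uint32_t blocksize)
{
    return nb_sectors / (blocksize / BDRV_SECTOR_SIZE);
}

/* Validation at the point the guest supplies the size (illustrative location).
 * The first check is the one the fix describes; the multiple-of-512 check is
 * an added, stricter condition so the quotient is never truncated either. */
static bool blocksize_is_valid(uint32_t blocksize)
{
    if (blocksize < BDRV_SECTOR_SIZE) {
        return false;               /* would make the divisor 0 */
    }
    if (blocksize % BDRV_SECTOR_SIZE != 0) {
        return false;               /* partial sectors: added, beyond the fix */
    }
    return true;
}

/* Checked conversion: returns -1 for an unacceptable size, so the division
 * below can never see a zero divisor. */
static int64_t sectors_to_blocks(uint64_t nb_sectors, uint32_t blocksize)
{
    if (!blocksize_is_valid(blocksize)) {
        return -1;
    }
    return (int64_t)(nb_sectors / (blocksize / BDRV_SECTOR_SIZE));
}

int main(void)
{
    uint32_t sizes[] = {256, 512, 1024, 4096, 768};
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        int64_t r = sectors_to_blocks(2048, sizes[i]);
        if (r < 0) {
            printf("blocksize %u rejected\n", sizes[i]);
        } else {
            printf("blocksize %u -> 2048 sectors = %lld blocks\n",
                   sizes[i], (long long)r);
        }
    }
    return 0;
}
```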


  Commit: 17f3a6221f010a95e277b88a80b6f763eafaeb0d
      https://github.com/qemu/qemu/commit/17f3a6221f010a95e277b88a80b6f763eafaeb0d
  Author: Paolo Bonzini <pbonzini@redhat.com>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M ui/vnc.c

  Log Message:
  -----------
  ui/vnc: fix debug output for invalid audio message

The debug message was cut and pasted from the invalid audio format
case, but the audio message is at bytes 2-3.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 0cb9c5880e6b8dedc4e20026ce859dd1ea9aac84)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 3b86b92bfbbebbc8f6801588dafce7d76c1782d9
      https://github.com/qemu/qemu/commit/3b86b92bfbbebbc8f6801588dafce7d76c1782d9
  Author: Paolo Bonzini <pbonzini@redhat.com>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M ui/vnc.c

  Log Message:
  -----------
  ui/vnc: fix handling of VNC_FEATURE_XVP

VNC_FEATURE_XVP was not shifted left before adding it to vs->features,
so it was never enabled; but it was also checked the wrong way with
a logical AND instead of vnc_has_feature.  Fix both places.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 477b301000d665313217f65e3a368d2cb7769c42)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
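The VNC_FEATURE_XVP bug above is a general one: a feature enumerator is a bit index, and using it where a mask belongs both sets the wrong bit and tests the wrong bit. The following added C illustration is written for this page, not ui/vnc.c code; the enumerator values, the `vnc_state` structure and the helper names are constructed. It puts the buggy pattern beside the fixed one and checks each through the one authoritative accessor, which is what makes the wrong-bit side effect visible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Feature enumerators are bit positions, not masks. Values are constructed
 * for the illustration and do not match the real QEMU enum. */
enum {
    VNC_FEATURE_RESIZE,   /* bit 0 */
    VNC_FEATURE_XVP,      /* bit 1 */
    VNC_FEATURE_AUDIO,    /* bit 2 */
};

struct vnc_state {
    uint32_t features;    /* bitmask: one bit per enumerator above */
};

/* The single correct way to test a feature: shift the index into a mask. */
static inline bool vnc_has_feature(const struct vnc_state *vs, int feature)
{
    return (vs->features & (1u << feature)) != 0;
}

/* Buggy pattern from the commit message: ORs in the index (1) instead of the
 * mask (1 << 1), and tests with a plain AND on the index. */
static void enable_xvp_buggy(struct vnc_state *vs)
{
    vs->features |= VNC_FEATURE_XVP;
}

static bool xvp_enabled_buggy(const struct vnc_state *vs)
{
    return vs->features & VNC_FEATURE_XVP;
}

/* Fixed pattern: shift on set, use the accessor on test. */
static void enable_xvp_fixed(struct vnc_state *vs)
{
    vs->features |= 1u << VNC_FEATURE_XVP;
}

static bool xvp_enabled_fixed(const struct vnc_state *vs)
{
    return vnc_has_feature(vs, VNC_FEATURE_XVP);
}

/* After the buggy enable, does the authoritative check see XVP? */
static bool buggy_enable_sets_xvp(void)
{
    struct vnc_state vs = {0};
    enable_xvp_buggy(&vs);
    return vnc_has_feature(&vs, VNC_FEATURE_XVP);
}

/* ...and does it spuriously light up an unrelated feature (bit 0)? */
static bool buggy_enable_sets_resize(void)
{
    struct vnc_state vs = {0};
    enable_xvp_buggy(&vs);
    return vnc_has_feature(&vs, VNC_FEATURE_RESIZE);
}

/* The buggy test reads bit 0 too, so it reports "enabled" for the wrong reason. */
static bool buggy_check_misreports(void)
{
    struct vnc_state vs = {0};
    enable_xvp_buggy(&vs);
    return xvp_enabled_buggy(&vs) && !vnc_has_feature(&vs, VNC_FEATURE_XVP);
}

static bool fixed_enable_sets_xvp(void)
{
    struct vnc_state vs = {0};
    enable_xvp_fixed(&vs);
    return xvp_enabled_fixed(&vs) && !vnc_has_feature(&vs, VNC_FEATURE_RESIZE);
}

int main(void)
{
    printf("buggy: XVP really set=%d, RESIZE spuriously set=%d, misreports=%d\n",
           buggy_enable_sets_xvp(), buggy_enable_sets_resize(),
           buggy_check_misreports());
    printf("fixed: XVP set and nothing else=%d\n", fixed_enable_sets_xvp());
    return 0;
}
```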


  Commit: 0b246f8e9e02d088ad2303b337a0663b69ad9002
      https://github.com/qemu/qemu/commit/0b246f8e9e02d088ad2303b337a0663b69ad9002
  Author: Peter Xu <peterx@redhat.com>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M migration/migration.c
    M migration/migration.h
    M migration/postcopy-ram.c

  Log Message:
  -----------
  migration: Fix race that dest preempt thread close too early

We hit an intermittent CI issue on failing at migration-test over the unit test
preempt/plain:

qemu-system-x86_64: Unable to read from socket: Connection reset by peer
Memory content inconsistency at 5b43000 first_byte = bd last_byte = bc current = 4f hit_edge = 1
**
ERROR:../tests/qtest/migration-test.c:300:check_guests_ram: assertion failed: (bad == 0)
(test program exited with status code -6)

Fabiano debugged into it and found that the preempt thread can quit even
without receiving all the pages, which can cause the guest to not receive
all the pages and corrupt the guest memory.

To make sure preempt thread finished receiving all the pages, we can rely
on the page_requested_count being zero because preempt channel will only
receive requested page faults. Note, not all the faulted pages are required
to be sent via the preempt channel/thread; imagine the case when a
requested page is just queued into the background main channel for
migration, the src qemu will just still send it via the background channel.

Here instead of spinning over reading the count, we add a condvar so the
main thread can wait on it if that unusual case happened, without burning
the cpu for no good reason, even if the duration is short; so even if we
spin in this rare case it is probably fine.  It's just better to not do so.

The condvar is only used when that special case is triggered.  Some memory
ordering trick is needed to guarantee it from happening (against the
preempt thread status field), so the main thread will always get a kick
when that triggers correctly.

Closes: https://gitlab.com/qemu-project/qemu/-/issues/1886
Debugged-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-2-farosas@suse.de>
(cherry picked from commit cf02f29e1e3843784630d04783e372fa541a77e5)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: cc3a33400c98658807be6a9d47e34b005838529d
      https://github.com/qemu/qemu/commit/cc3a33400c98658807be6a9d47e34b005838529d
  Author: Fabiano Rosas <farosas@suse.de>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M migration/migration.c

  Log Message:
  -----------
  migration: Fix possible race when setting rp_state.error

We don't need to set the rp_state.error right after a shutdown because
qemu_file_shutdown() always sets the QEMUFile error, so the return
path thread would have seen it and set the rp error itself.

Setting the error outside of the thread is also racy because the
thread could clear it after we set it.

Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-3-farosas@suse.de>
(cherry picked from commit 28a8347281e24c2e7bba6d3301472eda41d4c096)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: f5480c4d82a70bd5af1803aa74f0e853a46cc79a
      https://github.com/qemu/qemu/commit/f5480c4d82a70bd5af1803aa74f0e853a46cc79a
  Author: Fabiano Rosas <farosas@suse.de>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M migration/migration.c

  Log Message:
  -----------
  migration: Fix possible races when shutting down the return path

We cannot call qemu_file_shutdown() on the return path file without
taking the file lock. The return path thread could be running its
cleanup code and have just cleared the from_dst_file pointer.

Checking ms->to_dst_file for errors could also race with
migrate_fd_cleanup() which clears the to_dst_file pointer.

Protect both accesses by taking the file lock.

This was caught by inspection, it should be rare, but the next patches
will start calling this code from other places, so let's do the
correct thing.

Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-4-farosas@suse.de>
(cherry picked from commit 639decf529793fc544c8055b82be8abe77fa48fa)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 73393af917401ab67dabebae5f12017066503fad
      https://github.com/qemu/qemu/commit/73393af917401ab67dabebae5f12017066503fad
  Author: Fabiano Rosas <farosas@suse.de>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M migration/migration.c

  Log Message:
  -----------
  migration: Fix possible race when shutting down to_dst_file

It's not safe to call qemu_file_shutdown() on the to_dst_file without
first checking for the file's presence under the lock. The cleanup of
this file happens at postcopy_pause() and migrate_fd_cleanup() which
are not necessarily running in the same thread as migrate_fd_cancel().

Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-5-farosas@suse.de>
(cherry picked from commit 7478fb0df914f0a5ab551ff74b1df62dd250500e)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: d37260b9f0e65cb4722d006d1a96efe4e531954e
      
https://github.com/qemu/qemu/commit/d37260b9f0e65cb4722d006d1a96efe4e531954e
  Author: Fabiano Rosas <farosas@suse.de>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M migration/migration.c

  Log Message:
  -----------
  migration: Remove redundant cleanup of postcopy_qemufile_src

This file is owned by the return path thread which is already doing
cleanup.

Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-6-farosas@suse.de>
(cherry picked from commit b3b101157d4651f12e6b3361af2de6bace7f9b4a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 1ad3fa152c15eda62d26bd0b6cb9bf4ee8ab9310
      
https://github.com/qemu/qemu/commit/1ad3fa152c15eda62d26bd0b6cb9bf4ee8ab9310
  Author: Fabiano Rosas <farosas@suse.de>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M migration/migration.c

  Log Message:
  -----------
  migration: Consolidate return path closing code

We'll start calling the await_return_path_close_on_source() function
from other parts of the code, so move all of the related checks and
tracepoints into it.

Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-7-farosas@suse.de>
(cherry picked from commit d50f5dc075cbb891bfe4a9378600a4871264468a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: dec7785fabc31f4fd7c6906dc5bbf509ff85da55
      
https://github.com/qemu/qemu/commit/dec7785fabc31f4fd7c6906dc5bbf509ff85da55
  Author: Fabiano Rosas <farosas@suse.de>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M migration/migration.c
    M migration/migration.h

  Log Message:
  -----------
  migration: Replace the return path retry logic

Replace the return path retry logic with finishing and restarting the
thread. This fixes a race when resuming the migration that leads to a
segfault.

Currently when doing postcopy we consider that an IO error on the
return path file could be due to a network intermittency. We then keep
the thread alive but have it do cleanup of the 'from_dst_file' and
wait on the 'postcopy_pause_rp' semaphore. When the user issues a
migrate resume, a new return path is opened and the thread is allowed
to continue.

There's a race condition in the above mechanism. It is possible for
the new return path file to be setup *before* the cleanup code in the
return path thread has had a chance to run, leading to the *new* file
being closed and the pointer set to NULL. When the thread is released
after the resume, it tries to dereference 'from_dst_file' and crashes:

Thread 7 "return path" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd1dbf700 (LWP 9611)]
0x00005555560e4893 in qemu_file_get_error_obj (f=0x0, errp=0x0) at ../migration/qemu-file.c:154
154         return f->last_error;

(gdb) bt
 #0  0x00005555560e4893 in qemu_file_get_error_obj (f=0x0, errp=0x0) at ../migration/qemu-file.c:154
 #1  0x00005555560e4983 in qemu_file_get_error (f=0x0) at ../migration/qemu-file.c:206
 #2  0x0000555555b9a1df in source_return_path_thread (opaque=0x555556e06000) at ../migration/migration.c:1876
 #3  0x000055555602e14f in qemu_thread_start (args=0x55555782e780) at ../util/qemu-thread-posix.c:541
 #4  0x00007ffff38d76ea in start_thread (arg=0x7fffd1dbf700) at pthread_create.c:477
 #5  0x00007ffff35efa6f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Here's the race (important bit is open_return_path happening before
migration_release_dst_files):

migration                 | qmp                         | return path
--------------------------+-----------------------------+---------------------------------
                            qmp_migrate_pause()
                             shutdown(ms->to_dst_file)
                              f->last_error = -EIO
migrate_detect_error()
 postcopy_pause()
  set_state(PAUSED)
  wait(postcopy_pause_sem)
                            qmp_migrate(resume)
                            migrate_fd_connect()
                             resume = state == PAUSED
                             open_return_path <-- TOO SOON!
                             set_state(RECOVER)
                             post(postcopy_pause_sem)
                                                        (incoming closes to_src_file)
                                                        res = qemu_file_get_error(rp)
                                                        migration_release_dst_files()
                                                        ms->rp_state.from_dst_file = NULL
  post(postcopy_pause_rp_sem)
                                                        postcopy_pause_return_path_thread()
                                                          wait(postcopy_pause_rp_sem)
                                                        rp = ms->rp_state.from_dst_file
                                                        goto retry
                                                        qemu_file_get_error(rp)
                                                        SIGSEGV
-------------------------------------------------------------------------------------------

We can keep the retry logic without having the thread alive and
waiting. The only piece of data used by it is the 'from_dst_file' and
it is only allowed to proceed after a migrate resume is issued and the
semaphore released at migrate_fd_connect().

Move the retry logic to outside the thread by waiting for the thread
to finish before pausing the migration.

Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-8-farosas@suse.de>
(cherry picked from commit ef796ee93b313ed2f0b427ef30320417387d2ad5)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 4ade907b3026990e58b221fa931762812e21362a
      
https://github.com/qemu/qemu/commit/4ade907b3026990e58b221fa931762812e21362a
  Author: Fabiano Rosas <farosas@suse.de>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M migration/migration.c

  Log Message:
  -----------
  migration: Move return path cleanup to main migration thread

Now that the return path thread is allowed to finish during a paused
migration, we can move the cleanup of the QEMUFiles to the main
migration thread.

Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-9-farosas@suse.de>
(cherry picked from commit 36e9aab3c569d4c9ad780473596e18479838d1aa)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: d9ec18a0fc058dd3c421524fb284bcd76b8b9f5f
      
https://github.com/qemu/qemu/commit/d9ec18a0fc058dd3c421524fb284bcd76b8b9f5f
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M accel/tcg/cpu-exec-common.c
    M include/exec/cpu-common.h
    M softmmu/physmem.c

  Log Message:
  -----------
  softmmu: Use async_run_on_cpu in tcg_commit

After system startup, run the update to memory_dispatch
and the tlb_flush on the cpu.  This eliminates a race,
wherein a running cpu sees the memory_dispatch change
but has not yet seen the tlb_flush.

Since the update now happens on the cpu, we need not use
qatomic_rcu_read to protect the read of memory_dispatch.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1826
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1834
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1846
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 0d58c660689f6da1e3feff8a997014003d928b3b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 837ca790c68b5447dfece971646eca2f39f4e0ad
      
https://github.com/qemu/qemu/commit/837ca790c68b5447dfece971646eca2f39f4e0ad
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M accel/tcg/translator.c

  Log Message:
  -----------
  accel/tcg: Avoid load of icount_decr if unused

With CF_NOIRQ and without !CF_USE_ICOUNT, the load isn't used.
Avoid emitting it.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit f47a90dacca8f74210a2675bdde7ab3856872b94)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: de11111ee8b4ad0f17eecd1250ae6a2380589c0b
      
https://github.com/qemu/qemu/commit/de11111ee8b4ad0f17eecd1250ae6a2380589c0b
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M accel/tcg/translator.c

  Log Message:
  -----------
  accel/tcg: Hoist CF_MEMI_ONLY check outside translation loop

The condition checked is loop invariant; check it only once.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 5d97e94638100fd3e5b8d76ab30e1066cd4b1823)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: a98097d3a96bb24e4a1ffb02a2033ecd394da757
      
https://github.com/qemu/qemu/commit/a98097d3a96bb24e4a1ffb02a2033ecd394da757
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M accel/tcg/translator.c
    M include/exec/translator.h

  Log Message:
  -----------
  accel/tcg: Track current value of can_do_io in the TB

Simplify translator_io_start by recording the current
known value of can_do_io within DisasContextBase.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 0ca41ccf1c555f97873b8e02a47390fd6af4b18f)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 6c2e2e4f77f7c3ac8f20f5a37d5e02eaf5e99246
      
https://github.com/qemu/qemu/commit/6c2e2e4f77f7c3ac8f20f5a37d5e02eaf5e99246
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M accel/tcg/translator.c

  Log Message:
  -----------
  accel/tcg: Improve setting of can_do_io at start of TB

Initialize can_do_io to true if this TB has CF_LAST_IO
and will consist of a single instruction.  This avoids a
set to 0 followed immediately by a set to 1.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit a2f99d484c54adda13e62bf75ba512618a3fe470)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: d6cca99ecdce65afc8d3dabf99b51c63baf7e588
      
https://github.com/qemu/qemu/commit/d6cca99ecdce65afc8d3dabf99b51c63baf7e588
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M accel/tcg/cpu-exec.c
    M accel/tcg/tb-maint.c

  Log Message:
  -----------
  accel/tcg: Always set CF_LAST_IO with CF_NOIRQ

Without this we can see loops through cpu_io_recompile,
in which the cpu makes no progress.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 200c1f904f46c209cb022e711a48b89e46512902)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 9fb45b05582438dcd52d2d48d48feb05de680c37
      
https://github.com/qemu/qemu/commit/9fb45b05582438dcd52d2d48d48feb05de680c37
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M accel/tcg/translator.c
    M target/mips/tcg/translate.c

  Log Message:
  -----------
  accel/tcg: Always require can_do_io

Require i/o as the last insn of a TranslationBlock always,
not only with icount.  This is required for i/o that alters
the address space, such as a pci config space write.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1866
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 18a536f1f8d6222e562f59179e837fdfd8b92718)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: d1b867cca6a40a15c4bc08205be0b96c60684b2c
      
https://github.com/qemu/qemu/commit/d1b867cca6a40a15c4bc08205be0b96c60684b2c
  Author: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M target/tricore/translate.c
    M tests/tcg/tricore/asm/macros.h
    M tests/tcg/tricore/asm/test_insert.S

  Log Message:
  -----------
  target/tricore: Fix RCPW/RRPW_INSERT insns for width = 0

We would crash if width was 0 for these insns, as tcg_gen_deposit() is
undefined for that case. For TriCore, width = 0 is a mov from the src reg
to the dst reg, so we special case this here.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Message-ID: <20230828112651.522058-9-kbastian@mail.uni-paderborn.de>
(cherry picked from commit 23fa6f56b33f8fddf86ba4d027fb7d3081440cd9)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: ee7ce8a949717bbdad165609e3bba5827a18f474
      
https://github.com/qemu/qemu/commit/ee7ce8a949717bbdad165609e3bba5827a18f474
  Author: Fabiano Rosas <farosas@suse.de>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M pc-bios/optionrom/Makefile

  Log Message:
  -----------
  optionrom: Remove build-id section

Our linker script for optionroms specifies only the placement of the
.text section, leaving the linker free to place the remaining sections
at arbitrary places in the file.

Since at least binutils 2.39, the .note.gnu.build-id section is now
being placed at the start of the file, which causes label addresses to
be shifted. For linuxboot_dma.bin that means that the PnP header
(among others) will not be found when determining the type of ROM at
optionrom_setup():

(0x1c is the label _pnph, where the magic "PnP" is)

$ xxd /usr/share/qemu/linuxboot_dma.bin | grep "PnP"
00000010: 0000 0000 0000 0000 0000 1c00 2450 6e50  ............$PnP

$ xxd pc-bios/optionrom/linuxboot_dma.bin | grep "PnP"
00000010: 0000 0000 0000 0000 0000 4c00 2450 6e50  ............$PnP
                                   ^bad

Using a freshly built linuxboot_dma.bin ROM results in a broken boot:

  SeaBIOS (version rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org)
  Booting from Hard Disk...
  Boot failed: could not read the boot disk

  Booting from Floppy...
  Boot failed: could not read the boot disk

  No bootable device.

We're not using the build-id section, so pass the --build-id=none
option to the linker to remove it entirely.

Note: In theory, this same issue could happen with any other
section. The ideal solution would be to have all unused sections
discarded in the linker script. However that would be a larger change,
especially for the pvh rom which uses the .bss and COMMON sections so
I'm addressing only the immediate issue here.

Reported-by: Vasiliy Ulyanov <vulyanov@suse.de>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230926192502.15986-1-farosas@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 35ed01ba5448208695ada5fa20a13c0a4689a1c1)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(mjt: remove unrelated stable@vger)
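
The header check described above, as an added example that is not part of the optionrom build or of any QEMU or SeaBIOS code: a small C checker that reads the 16-bit little-endian pointer at offset 0x1a of a legacy option ROM, follows it, and confirms the "$PnP" magic sits where the pointer says, alongside the 0x55 0xAA signature and the whole-image checksum a BIOS applies before running the ROM. The two images it builds are constructed test data; rom_validate, build_rom and demo are hypothetical names.

```c
/*
 * Added example (not QEMU's optionrom build or SeaBIOS): a checker for the
 * header consistency the commit above describes.  A legacy option ROM
 * starts with 0x55 0xAA, carries its size in 512-byte units at offset 2,
 * and has a 16-bit little-endian pointer at offset 0x1a to the PnP
 * expansion header, which begins with the magic "$PnP".  The ROM images
 * built here are constructed test data; all function names are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROM_SZ       512
#define PNP_PTR_OFF  0x1a
#define PNP_MAGIC    "$PnP"

/* Returns the PnP header offset on success, or a negative code:
 * -1 bad signature, -2 declared size exceeds the file, -3 checksum,
 * -4 pointer outside the image, -5 magic not found at the pointer. */
static int rom_validate(const uint8_t *rom, size_t len)
{
    size_t declared, off;
    uint8_t sum = 0;

    if (len < 0x20 || rom[0] != 0x55 || rom[1] != 0xAA) {
        return -1;
    }
    declared = (size_t)rom[2] * 512;
    if (declared == 0 || declared > len) {
        return -2;
    }
    /* The BIOS sums every byte of the declared image and requires 0. */
    for (size_t i = 0; i < declared; i++) {
        sum = (uint8_t)(sum + rom[i]);
    }
    if (sum != 0) {
        return -3;
    }
    off = rom[PNP_PTR_OFF] | ((size_t)rom[PNP_PTR_OFF + 1] << 8);
    if (off == 0 || off + 4 > declared) {
        return -4;
    }
    if (memcmp(rom + off, PNP_MAGIC, 4) != 0) {
        return -5;
    }
    return (int)off;
}

/* Build a minimal 512-byte image with "$PnP" at 0x1c and the pointer at
 * 0x1a set to 'pnp_ptr'.  0x1c is the correct layout; 0x4c reproduces the
 * shifted pointer shown in the commit's xxd output. */
static void build_rom(uint8_t *out, uint16_t pnp_ptr)
{
    uint8_t sum = 0;

    memset(out, 0, ROM_SZ);
    out[0] = 0x55;
    out[1] = 0xAA;
    out[2] = ROM_SZ / 512;
    out[3] = 0xCB;                       /* entry point: retf, a harmless stand-in */
    out[PNP_PTR_OFF]     = pnp_ptr & 0xff;
    out[PNP_PTR_OFF + 1] = pnp_ptr >> 8;
    memcpy(out + 0x1c, PNP_MAGIC, 4);
    for (int i = 0; i < ROM_SZ - 1; i++) {
        sum = (uint8_t)(sum + out[i]);
    }
    out[ROM_SZ - 1] = (uint8_t)(0u - sum);  /* fix-up byte so the sum is 0 */
}

/* Build an image with the given PnP pointer and validate it. */
static int demo(uint16_t pnp_ptr)
{
    uint8_t rom[ROM_SZ];
    build_rom(rom, pnp_ptr);
    return rom_validate(rom, sizeof rom);
}

/* Same correct image, but with the checksum byte corrupted. */
static int demo_bad_checksum(void)
{
    uint8_t rom[ROM_SZ];
    build_rom(rom, 0x1c);
    rom[ROM_SZ - 1] ^= 0x01;
    return rom_validate(rom, sizeof rom);
}

int main(void)
{
    printf("correct pointer 0x1c -> %d\n", demo(0x1c));
    printf("shifted pointer 0x4c -> %d\n", demo(0x4c));
    printf("bad checksum         -> %d\n", demo_bad_checksum());
    return 0;
}
```

To run the same check on a real file, read it into a buffer and call rom_validate on it; a result of -5 on a freshly linked linuxboot_dma.bin is the symptom the commit describes (pointer 0x4c, magic still at 0x1c).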


  Commit: 8194d5827e6e230136e1ad390298a09d178c0e17
      
https://github.com/qemu/qemu/commit/8194d5827e6e230136e1ad390298a09d178c0e17
  Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  esp: use correct type for esp_dma_enable() in sysbus_esp_gpio_demux()

The call to esp_dma_enable() was being made with the SYSBUS_ESP type instead of
the ESP type. This meant that when GPIO 1 was being used to trigger a DMA
request from an external DMA controller, the setting of ESPState's dma_enabled
field would clobber unknown memory whilst the dma_cb callback pointer would
typically return NULL so the DMA request would never start.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230913204410.65650-2-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit b86dc5cb0b4105fa8ad29e822ab5d21c589c5ec5)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: e855a6ec516b38d60a9a69b2ba4a88d720a97f97
      
https://github.com/qemu/qemu/commit/e855a6ec516b38d60a9a69b2ba4a88d720a97f97
  Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  esp: restrict non-DMA transfer length to that of available data

In the case where a SCSI layer transfer is incorrectly terminated, it is
possible for a TI command to cause a SCSI buffer overflow due to the
expected transfer data length being less than the available data in the
FIFO. When this occurs the unsigned async_len variable underflows and
becomes a large offset which writes past the end of the allocated SCSI
buffer.

Restrict the non-DMA transfer length to be the smallest of the expected
transfer length and the available FIFO data to ensure that it is no longer
possible for the SCSI buffer overflow to occur.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230913204410.65650-3-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 77668e4b9bca03a856c27ba899a2513ddf52bb52)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
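
A stand-alone model of the underflow described above, added here as an example and not taken from hw/scsi/esp.c: the SCSI layer expects async_len bytes, the FIFO holds more, and the vulnerable path lets the unsigned counter wrap and writes past the buffer, while the hardened path bounds the transfer by the smaller of the expected length and the data actually queued. struct xfer_model and the ti_nodma_* functions are hypothetical names; the FIFO contents are constructed.

```c
/*
 * Added example: a model of the non-DMA transfer bug fixed above.  This is
 * NOT QEMU's hw/scsi/esp.c; struct xfer_model and the function names are
 * hypothetical.  Only the shape of the defect follows the commit message.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIFO_SZ  32   /* bytes the model FIFO can hold */
#define MEM_SZ   96   /* SCSI buffer plus slack so over-writes stay inside mem[] */

struct xfer_model {
    uint8_t  fifo[FIFO_SZ];
    uint32_t fifo_used;   /* bytes queued in the FIFO */
    uint8_t  mem[MEM_SZ]; /* mem[0 .. buf_size) is the SCSI layer's buffer */
    uint32_t buf_size;    /* size the SCSI layer actually allocated */
    uint8_t *async_buf;   /* write cursor into the SCSI buffer */
    uint32_t async_len;   /* bytes the SCSI layer still expects (unsigned) */
};

/* Constructed setup: the SCSI layer expects 'expected' bytes (at most
 * MEM_SZ) and the guest has already pushed 'queued' bytes of 0x41. */
static void xfer_init(struct xfer_model *m, uint32_t expected, uint32_t queued)
{
    if (queued > FIFO_SZ) {
        queued = FIFO_SZ;
    }
    memset(m, 0, sizeof(*m));
    memset(m->fifo, 0x41, queued);
    m->fifo_used = queued;
    m->buf_size  = expected;
    m->async_buf = m->mem;
    m->async_len = expected;
}

/* Pop up to 'max' bytes from the FIFO into dst; returns the count popped. */
static uint32_t fifo_pop_buf(struct xfer_model *m, uint8_t *dst, uint32_t max)
{
    uint32_t n = m->fifo_used < max ? m->fifo_used : max;
    memcpy(dst, m->fifo, n);
    memmove(m->fifo, m->fifo + n, m->fifo_used - n);
    m->fifo_used -= n;
    return n;
}

/* Before the fix: the length is whatever the FIFO holds.  With more data
 * queued than expected, the copy runs past buf_size and async_len wraps to
 * a huge value, so later TI commands keep the transfer "open". */
static void ti_nodma_vulnerable(struct xfer_model *m)
{
    uint32_t len = fifo_pop_buf(m, m->async_buf, m->fifo_used);
    m->async_buf += len;
    m->async_len -= len;   /* wraps when len > async_len */
}

/* After the fix: never move more than the smaller of the expected length
 * and the data actually available, so async_len cannot wrap. */
static void ti_nodma_hardened(struct xfer_model *m)
{
    uint32_t want = m->async_len < m->fifo_used ? m->async_len : m->fifo_used;
    uint32_t len  = fifo_pop_buf(m, m->async_buf, want);
    m->async_buf += len;
    m->async_len -= len;   /* len <= async_len by construction */
}

/* 1 if any byte beyond the SCSI buffer was written. */
static int overflowed(const struct xfer_model *m)
{
    for (uint32_t i = m->buf_size; i < MEM_SZ; i++) {
        if (m->mem[i] != 0) {
            return 1;
        }
    }
    return 0;
}

struct outcome { int overflow; uint32_t async_len; uint32_t fifo_left; };

/* Run a single TI command through either path and report what happened. */
static struct outcome run_ti(int hardened, uint32_t expected, uint32_t queued)
{
    struct xfer_model m;
    struct outcome o;
    xfer_init(&m, expected, queued);
    if (hardened) {
        ti_nodma_hardened(&m);
    } else {
        ti_nodma_vulnerable(&m);
    }
    o.overflow  = overflowed(&m);
    o.async_len = m.async_len;
    o.fifo_left = m.fifo_used;
    return o;
}

int main(void)
{
    struct outcome v = run_ti(0, 16, 20), h = run_ti(1, 16, 20);
    printf("vulnerable: overflow=%d async_len=0x%08x\n", v.overflow, v.async_len);
    printf("hardened:   overflow=%d async_len=%u fifo_left=%u\n",
           h.overflow, h.async_len, h.fifo_left);
    return 0;
}
```

With 16 bytes expected and 20 queued, the vulnerable path leaves async_len at 0xfffffffc and four bytes past the buffer; the hardened path copies 16, leaves async_len at 0 and the surplus four bytes in the FIFO for the SCSI layer to deal with.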


  Commit: f9f1d0906bed0278960912e0b57216a57c6b9fca
      
https://github.com/qemu/qemu/commit/f9f1d0906bed0278960912e0b57216a57c6b9fca
  Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
  Date:   2023-10-03 (Tue, 03 Oct 2023)

  Changed paths:
    M hw/scsi/scsi-disk.c

  Log Message:
  -----------
  scsi-disk: ensure that FORMAT UNIT commands are terminated

Otherwise when a FORMAT UNIT command is issued, the SCSI layer can become
confused because it can find itself in the situation where it thinks there
is still data to be transferred which can cause the next emulated SCSI
command to fail.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Fixes: 6ab71761 ("scsi-disk: add FORMAT UNIT command")
Tested-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230913204410.65650-4-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit be2b619a17345d007bcf9987a3e4afd1edea3e4f)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 6831048324b71934d2606e682fec852f6fc7112d
      
https://github.com/qemu/qemu/commit/6831048324b71934d2606e682fec852f6fc7112d
  Author: Thomas Huth <thuth@redhat.com>
  Date:   2023-10-04 (Wed, 04 Oct 2023)

  Changed paths:
    M subprojects/berkeley-testfloat-3.wrap

  Log Message:
  -----------
  subprojects/berkeley-testfloat-3: Update to fix a problem with compiler warnings

Update the berkeley-testfloat-3 wrap to include a patch provided by
Olaf Hering. This fixes a problem with "control reaches end of non-void
function [-Werror=return-type]" compiler warning/errors that are now
enabled by default in certain versions of GCC.

Reported-by: Olaf Hering <olaf@aepfle.de>
Message-Id: <20230816091522.1292029-1-thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit c01196bdddc280ae3710912e98e78f3103155eaf)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: db2d4bcb8e22347881eee326ec91c936237260b3
      
https://github.com/qemu/qemu/commit/db2d4bcb8e22347881eee326ec91c936237260b3
  Author: Paolo Bonzini <pbonzini@redhat.com>
  Date:   2023-10-04 (Wed, 04 Oct 2023)

  Changed paths:
    M target/i386/tcg/decode-new.c.inc
    M target/i386/tcg/decode-new.h

  Log Message:
  -----------
  target/i386: generalize operand size "ph" for use in CVTPS2PD

CVTPS2PD only loads a half-register for memory, like CVTPH2PS.  It can
reuse the "ph" packed half-precision size to load a half-register,
but rename it to "xh" because it is now a variation of "x" (it is not
used only for half-precision values).

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a48b26978a090fe1f3f3e54319902d4ab56a6b3a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 1e5839828d9a283057149c17e91bca9201e4003c
      
https://github.com/qemu/qemu/commit/1e5839828d9a283057149c17e91bca9201e4003c
  Author: Paolo Bonzini <pbonzini@redhat.com>
  Date:   2023-10-04 (Wed, 04 Oct 2023)

  Changed paths:
    M target/i386/tcg/decode-new.c.inc
    M target/i386/tcg/emit.c.inc

  Log Message:
  -----------
  target/i386: fix memory operand size for CVTPS2PD

CVTPS2PD only loads a half-register for memory, unlike the other
operations under 0x0F 0x5A.  "Unpack" the group into separate
emission functions instead of using gen_unary_fp_sse.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit abd41884c530aa025ada253bf1a5bd0c2b808219)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: ab6314506d7d898f9498afd92bfc12dd55ec9711
      
https://github.com/qemu/qemu/commit/ab6314506d7d898f9498afd92bfc12dd55ec9711
  Author: Marc-André Lureau <marcandre.lureau@redhat.com>
  Date:   2023-10-05 (Thu, 05 Oct 2023)

  Changed paths:
    M include/qemu/compiler.h
    M util/oslib-win32.c

  Log Message:
  -----------
  win32: avoid discarding the exception handler

In all likelihood, the compiler with lto doesn't see the function being
used, from assembly macro __try1. Help it by marking the function as
being used.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1904

Fixes: commit d89f30b4df ("win32: wrap socket close() with an exception handler")

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 75b773d84c89220463a14a6883d2b2a8e49e5b68)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(mjt: trivial context fixup in include/qemu/compiler.h)


  Commit: 7771e35b3933db6b4583e5e5b1d1ff34c7de5a58
      
https://github.com/qemu/qemu/commit/7771e35b3933db6b4583e5e5b1d1ff34c7de5a58
  Author: Laszlo Ersek <lersek@redhat.com>
  Date:   2023-10-05 (Thu, 05 Oct 2023)

  Changed paths:
    M hw/display/ramfb.c

  Log Message:
  -----------
  hw/display/ramfb: plug slight guest-triggerable leak on mode setting

The fw_cfg DMA write callback in ramfb prepares a new display surface in
QEMU; this new surface is put to use ("swapped in") upon the next display
update. At that time, the old surface (if any) is released.

If the guest triggers the fw_cfg DMA write callback at least twice between
two adjacent display updates, then the second callback (and further such
callbacks) will leak the previously prepared (but not yet swapped in)
display surface.

The issue can be shown by:

(1) starting QEMU with "-trace displaysurface_free", and

(2) running the following program in the guest UEFI shell:

> #include <Library/ShellCEntryLib.h>           // ShellAppMain()
> #include <Library/UefiBootServicesTableLib.h> // gBS
> #include <Protocol/GraphicsOutput.h>          // EFI_GRAPHICS_OUTPUT_PROTOCOL
>
> INTN
> EFIAPI
> ShellAppMain (
>   IN UINTN   Argc,
>   IN CHAR16  **Argv
>   )
> {
>   EFI_STATUS                    Status;
>   VOID                          *Interface;
>   EFI_GRAPHICS_OUTPUT_PROTOCOL  *Gop;
>   UINT32                        Mode;
>
>   Status = gBS->LocateProtocol (
>                   &gEfiGraphicsOutputProtocolGuid,
>                   NULL,
>                   &Interface
>                   );
>   if (EFI_ERROR (Status)) {
>     return 1;
>   }
>
>   Gop = Interface;
>
>   Mode = 1;
>   for ( ; ;) {
>     Status = Gop->SetMode (Gop, Mode);
>     if (EFI_ERROR (Status)) {
>       break;
>     }
>
>     Mode = 1 - Mode;
>   }
>
>   return 1;
> }

The symptom is then that:

- only one trace message appears periodically,

- the time between adjacent messages keeps increasing -- implying that
  some list structure (containing the leaked resources) keeps growing,

- the "surface" pointer is ever different.

> 18566@1695127471.449586:displaysurface_free surface=0x7f2fcc09a7c0
> 18566@1695127471.529559:displaysurface_free surface=0x7f2fcc9dac10
> 18566@1695127471.659812:displaysurface_free surface=0x7f2fcc441dd0
> 18566@1695127471.839669:displaysurface_free surface=0x7f2fcc0363d0
> 18566@1695127472.069674:displaysurface_free surface=0x7f2fcc413a80
> 18566@1695127472.349580:displaysurface_free surface=0x7f2fcc09cd00
> 18566@1695127472.679783:displaysurface_free surface=0x7f2fcc1395f0
> 18566@1695127473.059848:displaysurface_free surface=0x7f2fcc1cae50
> 18566@1695127473.489724:displaysurface_free surface=0x7f2fcc42fc50
> 18566@1695127473.969791:displaysurface_free surface=0x7f2fcc45dcc0
> 18566@1695127474.499708:displaysurface_free surface=0x7f2fcc70b9d0
> 18566@1695127475.079769:displaysurface_free surface=0x7f2fcc82acc0
> 18566@1695127475.709941:displaysurface_free surface=0x7f2fcc369c00
> 18566@1695127476.389619:displaysurface_free surface=0x7f2fcc32b910
> 18566@1695127477.119772:displaysurface_free surface=0x7f2fcc0d5a20
> 18566@1695127477.899517:displaysurface_free surface=0x7f2fcc086c40
> 18566@1695127478.729962:displaysurface_free surface=0x7f2fccc72020
> 18566@1695127479.609839:displaysurface_free surface=0x7f2fcc185160
> 18566@1695127480.539688:displaysurface_free surface=0x7f2fcc23a7e0
> 18566@1695127481.519759:displaysurface_free surface=0x7f2fcc3ec870
> 18566@1695127482.549930:displaysurface_free surface=0x7f2fcc634960
> 18566@1695127483.629661:displaysurface_free surface=0x7f2fcc26b140
> 18566@1695127484.759987:displaysurface_free surface=0x7f2fcc321700
> 18566@1695127485.940289:displaysurface_free surface=0x7f2fccaad100

We figured this wasn't a CVE-worthy problem, as only small amounts of
memory were leaked (the framebuffer itself is mapped from guest RAM, QEMU
only allocates administrative structures), plus libvirt restricts QEMU
memory footprint anyway, thus the guest can only DoS itself.

Plug the leak, by releasing the last prepared (not yet swapped in) display
surface, if any, in the fw_cfg DMA write callback.

Regarding the "reproducer", with the fix in place, the log is flooded with
trace messages (one per fw_cfg write), *and* the trace message alternates
between just two "surface" pointer values (i.e., nothing is leaked, the
allocator flip-flops between two objects in effect).

This issue appears to date back to the introduction of ramfb (995b30179bdc,
"hw/display: add ramfb, a simple boot framebuffer living in guest ram",
2018-06-18).

Cc: Gerd Hoffmann <kraxel@redhat.com> (maintainer:ramfb)
Cc: qemu-stable@nongnu.org
Fixes: 995b30179bdc
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20230919131955.27223-1-lersek@redhat.com>
(cherry picked from commit e0288a778473ebd35eac6cc1924faca7d477d241)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
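
The prepare/swap ownership pattern behind the leak, as an added example that is not ramfb's own code: a model in which each fw_cfg write prepares a surface and each display update swaps it in, with the leaky and the fixed callback side by side. The names (struct ramfb_model, modeset_leaky, modeset_fixed, live_after) are hypothetical; the live allocation count stands in for the growing list the trace timing hints at.

```c
/*
 * Added example (not QEMU's hw/display/ramfb.c): a model of the
 * prepare/swap ownership pattern the commit above fixes.  A "mode set"
 * (the guest's fw_cfg DMA write) prepares a new surface that the next
 * display update swaps in.  All names here are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>

struct surface {
    unsigned width, height;   /* administrative data only; pixels live in guest RAM */
};

struct ramfb_model {
    struct surface *pending;  /* prepared by the callback, not yet shown */
    struct surface *current;  /* what the display is showing */
    int live;                 /* surfaces allocated and not yet freed */
};

static struct surface *surface_new(struct ramfb_model *m, unsigned w, unsigned h)
{
    struct surface *s = malloc(sizeof(*s));
    if (!s) {
        abort();
    }
    s->width = w;
    s->height = h;
    m->live++;
    return s;
}

static void surface_free(struct ramfb_model *m, struct surface *s)
{
    if (s) {
        free(s);
        m->live--;
    }
}

/* Before the fix: a second write before any display update drops the
 * previously prepared surface without releasing it. */
static void modeset_leaky(struct ramfb_model *m, unsigned w, unsigned h)
{
    m->pending = surface_new(m, w, h);
}

/* After the fix: release whatever was prepared but never swapped in. */
static void modeset_fixed(struct ramfb_model *m, unsigned w, unsigned h)
{
    surface_free(m, m->pending);
    m->pending = surface_new(m, w, h);
}

/* Display update: swap the pending surface in and release the old one. */
static void display_update(struct ramfb_model *m)
{
    if (m->pending) {
        surface_free(m, m->current);
        m->current = m->pending;
        m->pending = NULL;
    }
}

/* Drive 'rounds' display updates, each preceded by 'modesets' mode
 * changes alternating between two modes like the UEFI loop above.
 * Returns the number of surfaces still allocated at the end; anything
 * above 1 is leaked (and, in the leaky variant, never freed). */
static int live_after(int fixed, int modesets, int rounds)
{
    struct ramfb_model m = { NULL, NULL, 0 };
    int live;
    for (int r = 0; r < rounds; r++) {
        for (int i = 0; i < modesets; i++) {
            unsigned w = (i & 1) ? 800 : 1024, h = (i & 1) ? 600 : 768;
            if (fixed) {
                modeset_fixed(&m, w, h);
            } else {
                modeset_leaky(&m, w, h);
            }
        }
        display_update(&m);
    }
    live = m.live;
    surface_free(&m, m.current);   /* release what the model still owns */
    return live;
}

int main(void)
{
    printf("leaky: %d live after 3 updates with 2 mode sets each\n", live_after(0, 2, 3));
    printf("fixed: %d live after 3 updates with 2 mode sets each\n", live_after(1, 2, 3));
    return 0;
}
```

With one mode set per update both variants stay at a single live surface; the leak only appears when the callback runs more than once between two updates, which is exactly the condition the commit message states.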


  Commit: 19159a7f012b8f886c0e631003e4834145b62ac9
      
https://github.com/qemu/qemu/commit/19159a7f012b8f886c0e631003e4834145b62ac9
  Author: Thomas Huth <thuth@redhat.com>
  Date:   2023-10-05 (Thu, 05 Oct 2023)

  Changed paths:
    M chardev/char-pty.c

  Log Message:
  -----------
  chardev/char-pty: Avoid losing bytes when the other side just (re-)connected

When starting a guest via libvirt with "virsh start --console ...",
the first second of the console output is missing. This is especially
annoying on s390x that only has a text console by default and no graphical
output - if the bios fails to boot here, the information about what went
wrong is completely lost.

One part of the problem (there is also some things to be done on the
libvirt side) is that QEMU only checks with a 1 second timer whether
the other side of the pty is already connected, so the first second of
the console output is always lost.

This likely used to work better in the past, since the code once checked
for a re-connection during write, but this has been removed in commit
f8278c7d74 ("char-pty: remove the check for connection on write") to avoid
some locking.

To ease the situation here at least a little bit, let's check with g_poll()
whether we could send out the data anyway, even if the connection has not
been marked as "connected" yet. The file descriptor is marked as non-blocking
anyway since commit fac6688a18 ("Do not hang on full PTY"), so this should
not cause any trouble if the other side is not ready for receiving yet.

With this patch applied, I can now successfully see the bios output of
a s390x guest when running it with "virsh start --console" (with a patched
version of virsh that fixes the remaining issues there, too).

Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20230816210743.1319018-1-thuth@redhat.com>
(cherry picked from commit 4f7689f0817a717d18cc8aca298990760f27a89b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 2990ba54715fc802fc28eb67930d6b7c3b90af3c
      
https://github.com/qemu/qemu/commit/2990ba54715fc802fc28eb67930d6b7c3b90af3c
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2023-10-06 (Fri, 06 Oct 2023)

  Changed paths:
    M linux-user/hppa/signal.c

  Log Message:
  -----------
  linux-user/hppa: Fix struct target_sigcontext layout

Use abi_ullong not uint64_t so that the alignment of the field
and therefore the layout of the struct is correct.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 33bc4fa78b06fc4e5fe22e5576811a97707e0cc6)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 809d5995c8b9560fbf2c2bea69123d767c8caca5
      
https://github.com/qemu/qemu/commit/809d5995c8b9560fbf2c2bea69123d767c8caca5
  Author: Eugenio Pérez <eperezma@redhat.com>
  Date:   2023-10-06 (Fri, 06 Oct 2023)

  Changed paths:
    M net/vhost-vdpa.c

  Log Message:
  -----------
  vdpa net: zero vhost_vdpa iova_tree pointer at cleanup

Not zeroing it causes a SIGSEGV if the live migration is cancelled, at
net device restart.

This is caused because CVQ tries to reuse the iova_tree that is present
in the first vhost_vdpa device at the end of vhost_vdpa_net_cvq_start.
As a consequence, it tries to access an iova_tree that has already been
freed.

Fixes: 00ef422e9fbf ("vdpa net: move iova tree creation from init to start")
Reported-by: Yanhui Ma <yama@redhat.com>
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
Message-Id: <20230913123408.2819185-1-eperezma@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Tested-by: Lei Yang <leiyang@redhat.com>
Reviewed-by: Si-Wei Liu <si-wei.liu@oracle.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 0a7a164bc37b4ecbf74466e1e5243d72a768ad06)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
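
The following is an added example, not QEMU code, that models the bug class behind this commit: several device structs alias one shared allocation, cleanup frees it, and unless the owning pointer is zeroed the next start sees a non-NULL pointer and reuses freed memory. The struct and function names (iova_tree, vdpa_dev, vdpa_net_start, ...) are illustrative and do not correspond to QEMU's actual code.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not QEMU code. Several per-queue device structs alias
 * one IOVA tree owned by the first of them. Cleanup frees the tree; if the
 * owner's pointer is not zeroed, the next start finds a non-NULL pointer,
 * "reuses" it and touches freed memory. All names are illustrative.
 */
struct iova_tree { unsigned generation; };

struct vdpa_dev {
    struct iova_tree *iova_tree;   /* shared; devs[0] owns the allocation */
    int index;
};

static unsigned next_generation;

static struct iova_tree *iova_tree_new(void)
{
    struct iova_tree *t = calloc(1, sizeof(*t));
    if (t) {
        t->generation = ++next_generation;
    }
    return t;
}

/* Start: reuse the first device's tree if it has one, else create it. */
int vdpa_net_start(struct vdpa_dev *devs, size_t n)
{
    if (n == 0) {
        return -1;
    }
    if (!devs[0].iova_tree) {
        devs[0].iova_tree = iova_tree_new();
        if (!devs[0].iova_tree) {
            return -1;
        }
    }
    for (size_t i = 1; i < n; i++) {
        devs[i].iova_tree = devs[0].iova_tree;   /* alias, not a copy */
    }
    return 0;
}

/* Buggy cleanup: frees the tree but leaves every alias dangling. */
void vdpa_net_cleanup_buggy(struct vdpa_dev *devs, size_t n)
{
    if (n) {
        free(devs[0].iova_tree);
    }
}

/* Fixed cleanup: free once, then zero every alias so start reallocates. */
void vdpa_net_cleanup_fixed(struct vdpa_dev *devs, size_t n)
{
    if (n) {
        free(devs[0].iova_tree);
    }
    for (size_t i = 0; i < n; i++) {
        devs[i].iova_tree = NULL;
    }
}

/* 1 if the owner pointer is still set after cleanup (a restart would deref it). */
int cleanup_leaves_dangling(void (*cleanup)(struct vdpa_dev *, size_t))
{
    struct vdpa_dev devs[2] = { { NULL, 0 }, { NULL, 1 } };
    if (vdpa_net_start(devs, 2)) {
        return -1;
    }
    cleanup(devs, 2);                     /* e.g. migration cancelled */
    return devs[0].iova_tree != NULL;     /* compare only, never deref */
}

/* With the fix, stop + start hands out a brand new tree each time. */
int fixed_restart_gets_fresh_tree(void)
{
    struct vdpa_dev devs[2] = { { NULL, 0 }, { NULL, 1 } };
    if (vdpa_net_start(devs, 2)) {
        return 0;
    }
    unsigned first = devs[0].iova_tree->generation;
    vdpa_net_cleanup_fixed(devs, 2);
    if (vdpa_net_start(devs, 2)) {
        return 0;
    }
    int fresh = devs[0].iova_tree->generation == first + 1 &&
                devs[1].iova_tree == devs[0].iova_tree;
    vdpa_net_cleanup_fixed(devs, 2);
    return fresh;
}

int main(void)
{
    printf("buggy cleanup leaves dangling pointer: %d\n",
           cleanup_leaves_dangling(vdpa_net_cleanup_buggy));
    printf("fixed cleanup leaves dangling pointer: %d\n",
           cleanup_leaves_dangling(vdpa_net_cleanup_fixed));
    printf("fixed restart allocates a fresh tree:  %d\n",
           fixed_restart_gets_fresh_tree());
    return 0;
}
```

The buggy path is deliberately never dereferenced after cleanup; the check only compares the stale pointer against NULL, which is enough to show why the restart path would take the "reuse" branch.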


  Commit: 197cc86a1241fcbb1b9e670ab2f94a5fe300d24c
      
https://github.com/qemu/qemu/commit/197cc86a1241fcbb1b9e670ab2f94a5fe300d24c
  Author: Eugenio Pérez <eperezma@redhat.com>
  Date:   2023-10-06 (Fri, 06 Oct 2023)

  Changed paths:
    M net/vhost-vdpa.c

  Log Message:
  -----------
  vdpa net: fix error message setting virtio status

It incorrectly prints "error setting features", probably because of a
copy-paste mistake.

Fixes: 152128d646 ("vdpa: move CVQ isolation check to net_init_vhost_vdpa")
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
Message-Id: <20230915170836.3078172-2-eperezma@redhat.com>
Tested-by: Lei Yang <leiyang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit cbc9ae87b5f6f81c52a249e0b64100d5011fca53)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: e6d9dd102dc57e9043265f9d44aec02e3774a86a
      
https://github.com/qemu/qemu/commit/e6d9dd102dc57e9043265f9d44aec02e3774a86a
  Author: Eugenio Pérez <eperezma@redhat.com>
  Date:   2023-10-06 (Fri, 06 Oct 2023)

  Changed paths:
    M net/vhost-vdpa.c

  Log Message:
  -----------
  vdpa net: stop probing if cannot set features

Otherwise it continues the CVQ isolation probing.

Fixes: 152128d646 ("vdpa: move CVQ isolation check to net_init_vhost_vdpa")
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
Message-Id: <20230915170836.3078172-3-eperezma@redhat.com>
Tested-by: Lei Yang <leiyang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit f1085882d028e5a1b227443cd6e96bbb63d66f43)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: fe3afc06fac1a07b575de638cd82335a3bac1058
      
https://github.com/qemu/qemu/commit/fe3afc06fac1a07b575de638cd82335a3bac1058
  Author: Eugenio Pérez <eperezma@redhat.com>
  Date:   2023-10-06 (Fri, 06 Oct 2023)

  Changed paths:
    M net/vhost-vdpa.c

  Log Message:
  -----------
  vdpa net: follow VirtIO initialization properly at cvq isolation probing

This patch solves a few issues.  The most obvious is that the feature
set was done prior to setting the ACKNOWLEDGE | DRIVER status bits.  Current
vdpa devices are permissive with this, but it is better to follow the
standard.

Fixes: 152128d646 ("vdpa: move CVQ isolation check to net_init_vhost_vdpa")
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
Message-Id: <20230915170836.3078172-4-eperezma@redhat.com>
Tested-by: Lei Yang <leiyang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 845ec38ae1578dd2d42ff15c9979f1bf44b23418)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 2adbc3b1e5092db5d839c142d179cf9d24fbef04
      
https://github.com/qemu/qemu/commit/2adbc3b1e5092db5d839c142d179cf9d24fbef04
  Author: Akihiko Odaki <akihiko.odaki@daynix.com>
  Date:   2023-10-06 (Fri, 06 Oct 2023)

  Changed paths:
    M hw/i386/amd_iommu.c
    M hw/i386/amd_iommu.h

  Log Message:
  -----------
  amd_iommu: Fix APIC address check

An MSI from the I/O APIC may not exactly equal APIC_DEFAULT_ADDRESS. In
fact, Windows 17763.3650 configures the I/O APIC to set the dest_mode bit.
Cover the range assigned to the APIC.

Fixes: 577c470f43 ("x86_iommu/amd: Prepare for interrupt remap support")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-Id: <20230921114612.40671-1-akihiko.odaki@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 0114c4513095598cdf1cd8d7dacdfff757628121)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
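
The following is an added example, not QEMU code, showing the check this commit corrects: on x86 an MSI aimed at the local APIC carries its destination ID, redirection hint and destination mode in the low bits of the address, so an exact comparison against APIC_DEFAULT_ADDRESS (0xfee00000) rejects every MSI that sets any of them. The sample addresses are constructed, and the function names are ours; the field layout and the 1 MiB APIC window are the standard x86 values.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not QEMU code. On x86, MSI addresses aimed at the local
 * APIC fall in the 1 MiB window starting at APIC_DEFAULT_ADDRESS
 * (0xfee00000): bits 31:20 select the window, bits 19:12 carry the
 * destination ID, bit 3 is the redirection hint and bit 2 the
 * destination mode (0 = physical, 1 = logical). A remapper that tests
 * addr == APIC_DEFAULT_ADDRESS rejects every MSI with any of those low
 * bits set, which is the failure the commit describes.
 */
#define APIC_DEFAULT_ADDRESS 0xfee00000ULL
#define APIC_SPACE_SIZE      0x100000ULL        /* 1 MiB window */

#define MSI_ADDR_DEST_MODE   (1ULL << 2)
#define MSI_ADDR_REDIR_HINT  (1ULL << 3)
#define MSI_ADDR_DEST_ID(a)  (((a) >> 12) & 0xff)

/* Before: exact match only; anything but the bare base address is dropped. */
int is_apic_msi_exact(uint64_t addr)
{
    return addr == APIC_DEFAULT_ADDRESS;
}

/* After: accept any address inside the APIC window. */
int is_apic_msi_range(uint64_t addr)
{
    return addr >= APIC_DEFAULT_ADDRESS &&
           addr < APIC_DEFAULT_ADDRESS + APIC_SPACE_SIZE;
}

struct msi_fields { unsigned dest_id; int redir_hint; int logical; };

/* Only meaningful once is_apic_msi_range() has accepted the address. */
struct msi_fields msi_addr_decode(uint64_t addr)
{
    struct msi_fields f = {
        .dest_id    = (unsigned)MSI_ADDR_DEST_ID(addr),
        .redir_hint = (addr & MSI_ADDR_REDIR_HINT) != 0,
        .logical    = (addr & MSI_ADDR_DEST_MODE) != 0,
    };
    return f;
}

/* Constructed samples: four valid APIC MSIs and one non-APIC MMIO address. */
static const uint64_t sample_msis[] = {
    0xfee00000ULL,   /* physical, dest 0: the only one the exact check passes */
    0xfee00004ULL,   /* logical, dest 0: dest_mode bit set, as in the commit */
    0xfee01000ULL,   /* physical, dest 1 */
    0xfee0100cULL,   /* logical + redirection hint, dest 1 */
    0xfec00000ULL,   /* I/O APIC MMIO, not an APIC MSI target */
};
#define N_SAMPLES (sizeof(sample_msis) / sizeof(sample_msis[0]))

/* Number of valid APIC MSIs the exact check wrongly rejects. */
unsigned exact_check_false_rejects(void)
{
    unsigned n = 0;
    for (unsigned i = 0; i < N_SAMPLES; i++) {
        if (is_apic_msi_range(sample_msis[i]) &&
            !is_apic_msi_exact(sample_msis[i])) {
            n++;
        }
    }
    return n;
}

int main(void)
{
    for (unsigned i = 0; i < N_SAMPLES; i++) {
        uint64_t a = sample_msis[i];
        struct msi_fields f = msi_addr_decode(a);
        printf("%#010llx exact=%d range=%d dest=%u rh=%d %s\n",
               (unsigned long long)a, is_apic_msi_exact(a), is_apic_msi_range(a),
               f.dest_id, f.redir_hint, f.logical ? "logical" : "physical");
    }
    printf("false rejects by exact check: %u\n", exact_check_false_rejects());
    return 0;
}
```

The range test is the minimal fix; a remapper that also validates the decoded destination against the configured CPUs would go a step further, but that is beyond what this commit does.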


  Commit: 0f1d63d8241e7b28afcb3b705b17f6df29888116
      
https://github.com/qemu/qemu/commit/0f1d63d8241e7b28afcb3b705b17f6df29888116
  Author: Alex Williamson <alex.williamson@redhat.com>
  Date:   2023-10-10 (Tue, 10 Oct 2023)

  Changed paths:
    M hw/vfio/display.c

  Log Message:
  -----------
  vfio/display: Fix missing update to set backing fields

The below referenced commit renames scanout_width/height to
backing_width/height, but also promotes these fields in various portions
of the egl interface.  Meanwhile vfio dmabuf support has never used the
previous scanout fields and is therefore missed in the update.  This
results in a black screen when transitioning from ramfb to dmabuf display
when using Intel vGPU with these features.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1891
Link: https://lists.gnu.org/archive/html/qemu-devel/2023-08/msg02726.html
Fixes: 9ac06df8b684 ("virtio-gpu-udmabuf: correct naming of QemuDmaBuf size properties")
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Tested-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
(cherry picked from commit 931150e56b056b120c868f94751722710df0b6a7)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: d8b9e0c8bcbd3f58512672ad260ef86e0d87cefe
      
https://github.com/qemu/qemu/commit/d8b9e0c8bcbd3f58512672ad260ef86e0d87cefe
  Author: Fiona Ebner <f.ebner@proxmox.com>
  Date:   2023-10-10 (Tue, 10 Oct 2023)

  Changed paths:
    M util/log.c

  Log Message:
  -----------
  util/log: re-allow switching away from stderr log file

Commit 59bde21374 ("util/log: do not close and reopen log files when
flags are turned off") prevented switching away from stderr on a
subsequent invocation of qemu_set_log_internal(). This prevented
switching away from stderr with the 'logfile' monitor command as well
as an invocation like
> ./qemu-system-x86_64 -trace 'qemu_mutex_lock,file=log'
from opening the specified log file.

Fixes: 59bde21374 ("util/log: do not close and reopen log files when flags are turned off")
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Message-ID: <20231004124446.491481-1-f.ebner@proxmox.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit f05142d511e86d8e97967d21f205d990dfc634de)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: b6170717ea2636a7eec93afb6254649c2563f01b
      
https://github.com/qemu/qemu/commit/b6170717ea2636a7eec93afb6254649c2563f01b
  Author: Peter Xu <peterx@redhat.com>
  Date:   2023-10-12 (Thu, 12 Oct 2023)

  Changed paths:
    M migration/options.c

  Log Message:
  -----------
  migration/qmp: Fix crash on setting tls-authz with null

QEMU will crash if anyone tries to set tls-authz (which is a type
StrOrNull) with 'null' value.  Fix it in the easy way by converting it to
qstring just like the other two tls parameters.

Cc: qemu-stable@nongnu.org # v4.0+
Fixes: d2f1d29b95 ("migration: add support for a "tls-authz" migration parameter")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Message-ID: <20230905162335.235619-2-peterx@redhat.com>
(cherry picked from commit 86dec715a7339fc61c3bdb9715993b277b2089db)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 5dddba9f382fd579a47c32fc8f077d45e477e8df
      
https://github.com/qemu/qemu/commit/5dddba9f382fd579a47c32fc8f077d45e477e8df
  Author: Volker Rümelin <vr_qemu@t-online.de>
  Date:   2023-10-12 (Thu, 12 Oct 2023)

  Changed paths:
    M hw/audio/es1370.c

  Log Message:
  -----------
  hw/audio/es1370: reset current sample counter

Reset the current sample counter when writing the Channel Sample
Count Register. The Linux ens1370 driver and the AROS sb128
driver expect the current sample counter to count down from the sample
count to 0 after a write to the Channel Sample Count Register.
Currently, the current sample counter starts from 0 after a reset,
or from the last count when the counter was stopped.

The current sample counter is used to raise an interrupt whenever
a complete buffer has been transferred. When the counter starts with a
value lower than the reload value, the interrupt triggers before
the buffer has been completely transferred. This may lead to corrupted
audio streams.

Tested-by: Rene Engel <ReneEngel80@emailn.de>
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Tested-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-Id: <20230917065813.6692-1-vr_qemu@t-online.de>
(cherry picked from commit 00e3b29d065f3b88bb3726afbd5c73f8b2bff1b4)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
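
The following is an added example, not QEMU code: a toy model of the counter behaviour described in this commit, showing when the interrupt fires if a write to the Channel Sample Count Register leaves the current counter untouched versus resetting it. The struct, field widths and function names are ours and do not reflect QEMU's es1370 implementation.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not QEMU code: a toy model of the ES1370 channel sample
 * counter behaviour the commit describes. The register pairs a reload
 * value (samples per buffer, less one) with a current counter that counts
 * down and raises an interrupt when it runs past zero. Drivers expect a
 * write to the Channel Sample Count Register to restart the current
 * counter from the reload value. Field names and widths here are ours.
 */
struct chan_counter {
    uint16_t reload;    /* samples per buffer, minus one */
    uint16_t current;   /* counts down; wrap -> interrupt */
};

/* Before the fix: only the reload value is updated; current keeps stale state. */
void scr_write_before(struct chan_counter *c, uint16_t reload)
{
    c->reload = reload;
}

/* After the fix: a write also restarts the current counter. */
void scr_write_after(struct chan_counter *c, uint16_t reload)
{
    c->reload = reload;
    c->current = reload;
}

/*
 * Transfer up to `max` samples one at a time. Returns the 1-based sample
 * number at which the first interrupt fired, or -1 if none did. A correct
 * device fires after exactly reload + 1 samples, i.e. one full buffer.
 */
int samples_before_first_irq(struct chan_counter *c, unsigned max)
{
    for (unsigned i = 1; i <= max; i++) {
        if (c->current == 0) {
            c->current = c->reload;     /* wrap: buffer done, raise IRQ */
            return (int)i;
        }
        c->current--;
    }
    return -1;
}

/*
 * Scenario: the counter was left at `stale` (0 after a reset, or the last
 * count when a stream was stopped), then the driver programs a buffer of
 * reload + 1 samples. Report when the IRQ hits with and without the fix.
 */
int irq_sample_before_fix(uint16_t stale, uint16_t reload)
{
    struct chan_counter c = { .reload = 0, .current = stale };
    scr_write_before(&c, reload);
    return samples_before_first_irq(&c, 4 * (reload + 1u));
}

int irq_sample_after_fix(uint16_t stale, uint16_t reload)
{
    struct chan_counter c = { .reload = 0, .current = stale };
    scr_write_after(&c, reload);
    return samples_before_first_irq(&c, 4 * (reload + 1u));
}

/* 1 if the interrupt arrived before one complete buffer was transferred. */
int irq_is_premature(int irq_sample, uint16_t reload)
{
    return irq_sample >= 0 && irq_sample < (int)reload + 1;
}

int main(void)
{
    const uint16_t reload = 7;          /* 8-sample buffer */
    const uint16_t stale_values[] = { 0, 3 };
    for (unsigned i = 0; i < 2; i++) {
        int b = irq_sample_before_fix(stale_values[i], reload);
        int a = irq_sample_after_fix(stale_values[i], reload);
        printf("stale=%u before: irq at sample %d (%s), after: irq at sample %d (%s)\n",
               stale_values[i], b, irq_is_premature(b, reload) ? "premature" : "ok",
               a, irq_is_premature(a, reload) ? "premature" : "ok");
    }
    return 0;
}
```

With a stale counter of 0 (the post-reset case in the commit message) the unfixed model interrupts on the very first sample; with the fix the interrupt lands after the full 8-sample buffer in both scenarios.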


  Commit: 2e42ba01f1ecdbdcaa194a0a8424c32e45e32ec7
      
https://github.com/qemu/qemu/commit/2e42ba01f1ecdbdcaa194a0a8424c32e45e32ec7
  Author: Olaf Hering <olaf@aepfle.de>
  Date:   2023-10-13 (Fri, 13 Oct 2023)

  Changed paths:
    M roms/Makefile

  Log Message:
  -----------
  roms: use PYTHON to invoke python

python3 may not be the expected python version.
Use PYTHON to invoke python.

Fixes: 22e11539e1 ("edk2: replace build scripts")

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 17b8d8ac3309e2cfed0d8cb3861afdcc23f66ce0)


  Commit: a8c0d82f7b8d912e34a79f738c1e4bbcfb205f15
      
https://github.com/qemu/qemu/commit/a8c0d82f7b8d912e34a79f738c1e4bbcfb205f15
  Author: Alvin Chang <vivahavey@gmail.com>
  Date:   2023-10-13 (Fri, 13 Oct 2023)

  Changed paths:
    M disas/riscv.c

  Log Message:
  -----------
  disas/riscv: Fix the typo of inverted order of pmpaddr13 and pmpaddr14

Fix the inverted order of pmpaddr13 and pmpaddr14 in csr_name().

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20230907084500.328-1-alvinga@andestech.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
(cherry picked from commit cffa9954908830276c93b430681f66cc0e599aef)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: cc33ee45d62d14926a3352254b9f5d00faa946f8
      
https://github.com/qemu/qemu/commit/cc33ee45d62d14926a3352254b9f5d00faa946f8
  Author: Max Chou <max.chou@sifive.com>
  Date:   2023-10-13 (Fri, 13 Oct 2023)

  Changed paths:
    M target/riscv/vector_helper.c

  Log Message:
  -----------
  target/riscv: Fix vfwmaccbf16.vf

The operator (fwmacc16) of vfwmaccbf16.vf helper function should be
replaced by fwmaccbf16.

Fixes: adf772b0f7 ("target/riscv: Add support for Zvfbfwma extension")
Signed-off-by: Max Chou <max.chou@sifive.com>
Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20231005095734.567575-1-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
(cherry picked from commit 837570cef237b634eb4c245363470deebea7089d)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


  Commit: 78385bc738108a9b5b20e639520dc60425ca2a5a
      
https://github.com/qemu/qemu/commit/78385bc738108a9b5b20e639520dc60425ca2a5a
  Author: Michael Tokarev <mjt@tls.msk.ru>
  Date:   2023-10-16 (Mon, 16 Oct 2023)

  Changed paths:
    M VERSION

  Log Message:
  -----------
  Update version for 8.1.2 release

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>


Compare: https://github.com/qemu/qemu/compare/6bb4a8a47a43...78385bc73810


