[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] b960bf: hw/ppc: Introduce functions for conve
|
From: |
Niklas Cassel |
|
Subject: |
[Qemu-commits] [qemu/qemu] b960bf: hw/ppc: Introduce functions for conversion between... |
|
Date: |
Thu, 09 Nov 2023 08:58:52 -0800 |
Branch: refs/heads/staging-7.2
Home: https://github.com/qemu/qemu
Commit: b960bf3f7805146be16b6ee5a9bd8fd6cfaa67f7
https://github.com/qemu/qemu/commit/b960bf3f7805146be16b6ee5a9bd8fd6cfaa67f7
Author: Nicholas Piggin <npiggin@gmail.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M hw/ppc/ppc.c
Log Message:
-----------
hw/ppc: Introduce functions for conversion between timebase and nanoseconds
These calculations are repeated several times, and they will become
a little more complicated with subsequent changes.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
(cherry picked from commit 7798f5c576d898e7e10c4a2518f3f16411dedeb9)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: ba8cc5693f3f1136e84f23f9ca0b98654134f5ed
https://github.com/qemu/qemu/commit/ba8cc5693f3f1136e84f23f9ca0b98654134f5ed
Author: Nicholas Piggin <npiggin@gmail.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M include/qemu/host-utils.h
Log Message:
-----------
host-utils: Add muldiv64_round_up
This will be used for converting time intervals in different base units
to host units, for the purpose of scheduling timers to emulate target
timers. Timers typically must not fire before their requested expiry
time but may fire some time afterward, so rounding up is the right way
to implement these.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
[ clg: renamed __muldiv64() to muldiv64_rounding() ]
Signed-off-by: Cédric Le Goater <clg@kaod.org>
(cherry picked from commit 47de6c4c287079744ceb96f606b3c0457addf380)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: b9a0f1194a06bbc36aefe9f2f0866a8651843e62
https://github.com/qemu/qemu/commit/b9a0f1194a06bbc36aefe9f2f0866a8651843e62
Author: Nicholas Piggin <npiggin@gmail.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M hw/ppc/ppc.c
Log Message:
-----------
hw/ppc: Round up the decrementer interval when converting to ns
The rule of timers is typically that they should never expire before the
timeout, but some time afterward. Rounding timer intervals up when doing
conversion is the right thing to do.
Under most circumstances it is impossible observe the decrementer
interrupt before the dec register has triggered. However with icount
timing, problems can arise. For example setting DEC to 0 can schedule
the timer for now, causing it to fire before any more instructions
have been executed and DEC is still 0.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
(cherry picked from commit eab0888418ab44344864965193cf6cd194ab6858)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 5eadeeec0d1fa321bc3dbfa6a4abc0555b742892
https://github.com/qemu/qemu/commit/5eadeeec0d1fa321bc3dbfa6a4abc0555b742892
Author: Nicholas Piggin <npiggin@gmail.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M hw/ppc/ppc.c
Log Message:
-----------
hw/ppc: Avoid decrementer rounding errors
The decrementer register contains a relative time in timebase units.
When writing to DECR this is converted and stored as an absolute value
in nanosecond units, reading DECR converts back to relative timebase.
The tb<->ns conversion of the relative part can cause rounding such that
a value writen to the decrementer can read back a different, with time
held constant. This is a particular problem for a deterministic icount
and record-replay trace.
Fix this by storing the absolute value in timebase units rather than
nanoseconds. The math before:
store: decr_next = now_ns + decr * ns_per_sec / tb_per_sec
load: decr = (decr_next - now_ns) * tb_per_sec / ns_per_sec
load(store): decr = decr * ns_per_sec / tb_per_sec * tb_per_sec /
ns_per_sec
After:
store: decr_next = now_ns * tb_per_sec / ns_per_sec + decr
load: decr = decr_next - now_ns * tb_per_sec / ns_per_sec
load(store): decr = decr
Fixes: 9fddaa0c0cab ("PowerPC merge: real time TB and decrementer - faster and
simpler exception handling (Jocelyn Mayer)")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
(cherry picked from commit 8e0a5ac87800ccc6dd5013f89f27652f4480ab33)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 8cfe6d241bb0d857206c4ccc3cf1054de8f76637
https://github.com/qemu/qemu/commit/8cfe6d241bb0d857206c4ccc3cf1054de8f76637
Author: Nicholas Piggin <npiggin@gmail.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M hw/ppc/ppc.c
Log Message:
-----------
target/ppc: Sign-extend large decrementer to 64-bits
When storing a large decrementer value with the most significant
implemented bit set, it is to be treated as a negative and sign
extended.
This isn't hit for book3s DEC because of another bug, fixing it
in the next patch exposes this one and can cause additional
problems, so fix this first. It can be hit with HDECR and other
edge triggered types.
Fixes: a8dafa52518 ("target/ppc: Implement large decrementer support for TCG")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
[ clg: removed extra cpu and pcc variables shadowing local variables ]
Signed-off-by: Cédric Le Goater <clg@kaod.org>
(cherry picked from commit c8fbc6b9f2f3c732ee3307093c1c5c367eaa64ae)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: e916d29608c83f4dc521c58fe9c57b17affcc943
https://github.com/qemu/qemu/commit/e916d29608c83f4dc521c58fe9c57b17affcc943
Author: Nicholas Piggin <npiggin@gmail.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M hw/ppc/ppc.c
Log Message:
-----------
target/ppc: Decrementer fix BookE semantics
The decrementer store function has logic that short-cuts the timer if a
very small value is stored (0, 1, or 2) and raises an interrupt
directly. There are two problem with this on BookE.
First is that BookE says a decrementer interrupt should not be raised
on a store of 0, only of a decrement from 1. Second is that raising
the irq directly will bypass the auto-reload logic in the booke decr
timer function, breaking autoreload when 1 or 2 is stored.
Fix this by removing that small-value special case. It makes this
tricky logic even more difficult to reason about, and it hardly matters
for performance.
Cc: sdicaro@DDCI.com
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20230530131214.373524-2-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
(cherry picked from commit 17dd1354c1d1aba9caf4af01e11aa7dbe128474f)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 270bf7977fbda35d1bb63decd8c670f16c30602e
https://github.com/qemu/qemu/commit/270bf7977fbda35d1bb63decd8c670f16c30602e
Author: Nicholas Piggin <npiggin@gmail.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M hw/ppc/ppc.c
Log Message:
-----------
hw/ppc: Always store the decrementer value
When writing a value to the decrementer that raises an exception, the
irq is raised, but the value is not stored so the store doesn't appear
to have changed the register when it is read again.
Always store the write value to the register.
Fixes: e81a982aa53 ("PPC: Clean up DECR implementation")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
(cherry picked from commit febb71d543a8f747b2f8aaf0182d0a385c6a02c3)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 96783cfe1ecce8843c543fd976bde1eecdb6c081
https://github.com/qemu/qemu/commit/96783cfe1ecce8843c543fd976bde1eecdb6c081
Author: Mikulas Patocka <mpatocka@redhat.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M linux-user/hppa/signal.c
Log Message:
-----------
linux-user/hppa: clear the PSW 'N' bit when delivering signals
qemu-hppa may crash when delivering a signal. It can be demonstrated with
this program. Compile the program with "hppa-linux-gnu-gcc -O2 signal.c"
and run it with "qemu-hppa -one-insn-per-tb a.out". It reports that the
address of the flag is 0xb4 and it crashes when attempting to touch it.
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <signal.h>
sig_atomic_t flag;
void sig(int n)
{
printf("&flag: %p\n", &flag);
flag = 1;
}
int main(void)
{
struct sigaction sa;
struct itimerval it;
sa.sa_handler = sig;
sigemptyset(&sa.sa_mask);
sa.sa_flags = SA_RESTART;
if (sigaction(SIGALRM, &sa, NULL)) perror("sigaction"), exit(1);
it.it_interval.tv_sec = 0;
it.it_interval.tv_usec = 100;
it.it_value.tv_sec = it.it_interval.tv_sec;
it.it_value.tv_usec = it.it_interval.tv_usec;
if (setitimer(ITIMER_REAL, &it, NULL)) perror("setitimer"), exit(1);
while (1) {
}
}
The reason for the crash is that the signal handling routine doesn't clear
the 'N' flag in the PSW. If the signal interrupts a thread when the 'N'
flag is set, the flag remains set at the beginning of the signal handler
and the first instruction of the signal handler is skipped.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Helge Deller <deller@gmx.de>
Cc: qemu-stable@nongnu.org
Signed-off-by: Helge Deller <deller@gmx.de>
(cherry picked from commit 2529497cb6b298e732e8dbe5212da7925240b4f4)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 19bbe3a6e979c017cddc8ce233645415b5374e4b
https://github.com/qemu/qemu/commit/19bbe3a6e979c017cddc8ce233645415b5374e4b
Author: Mikulas Patocka <mpatocka@redhat.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M linux-user/hppa/signal.c
Log Message:
-----------
linux-user/hppa: lock both words of function descriptor
The code in setup_rt_frame reads two words at haddr, but locks only one.
This patch fixes it to lock both.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Helge Deller <deller@gmx.de>
Cc: qemu-stable@nongnu.org
Signed-off-by: Helge Deller <deller@gmx.de>
(cherry picked from commit 5b1270ef1477bb7f240c3bfe2cd8b0fe4721fd51)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 79f113448a08e72acbcca60e8ee3e909dc690bbb
https://github.com/qemu/qemu/commit/79f113448a08e72acbcca60e8ee3e909dc690bbb
Author: Li Zhijian <lizhijian@cn.fujitsu.com>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M hw/cxl/cxl-host.c
Log Message:
-----------
hw/cxl: Fix CFMW config memory leak
Allocate targets and targets[n] resources when all sanity checks are
passed to avoid memory leaks.
Cc: qemu-stable@nongnu.org
Suggested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Fan Ni <fan.ni@samsung.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 7b165fa164022b756c2b001d0a1525f98199d3ac)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: c8d2fc2177cfa020bc37937e46fbfe8d0bc6043f
https://github.com/qemu/qemu/commit/c8d2fc2177cfa020bc37937e46fbfe8d0bc6043f
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2023-09-25 (Mon, 25 Sep 2023)
Changed paths:
M target/arm/helper.c
Log Message:
-----------
target/arm: Don't skip MTE checks for LDRT/STRT at EL0
The LDRT/STRT "unprivileged load/store" instructions behave like
normal ones if executed at EL0. We handle this correctly for
the load/store semantics, but get the MTE checking wrong.
We always look at s->mte_active[is_unpriv] to see whether we should
be doing MTE checks, but in hflags.c when we set the TB flags that
will be used to fill the mte_active[] array we only set the
MTE0_ACTIVE bit if UNPRIV is true (i.e. we are not at EL0).
This means that a LDRT at EL0 will see s->mte_active[1] as 0,
and will not do MTE checks even when MTE is enabled.
To avoid the translate-time code having to do an explicit check on
s->unpriv to see if it is OK to index into the mte_active[] array,
duplicate MTE_ACTIVE into MTE0_ACTIVE when UNPRIV is false.
(This isn't a very serious bug because generally nobody executes
LDRT/STRT at EL0, because they have no use there.)
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230912140434.1333369-2-peter.maydell@linaro.org
(cherry picked from commit 903dbefc2b6918c10d12d9aafa0168cee8d287c7)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: before v7.2.0-1636-g671efad16a this code was in target/arm/helper.c)
Commit: e6fdfb8433743bc882d11728b6b9e3d03f8ccdd2
https://github.com/qemu/qemu/commit/e6fdfb8433743bc882d11728b6b9e3d03f8ccdd2
Author: Nicholas Piggin <npiggin@gmail.com>
Date: 2023-09-27 (Wed, 27 Sep 2023)
Changed paths:
M accel/tcg/tcg-accel-ops-mttcg.c
Log Message:
-----------
accel/tcg: mttcg remove false-negative halted assertion
mttcg asserts that an execution ending with EXCP_HALTED must have
cpu->halted. However between the event or instruction that sets
cpu->halted and requests exit and the assertion here, an
asynchronous event could clear cpu->halted.
This leads to crashes running AIX on ppc/pseries because it uses
H_CEDE/H_PROD hcalls, where H_CEDE sets self->halted = 1 and
H_PROD sets other cpu->halted = 0 and kicks it.
H_PROD could be turned into an interrupt to wake, but several other
places in ppc, sparc, and semihosting follow what looks like a similar
pattern setting halted = 0 directly. So remove this assertion.
Reported-by: Ivan Warren <ivan@vmfacility.fr>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20230829010658.8252-1-npiggin@gmail.com>
[rth: Keep the case label and adjust the comment.]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 0e5903436de712844b0e6cdd862b499c767e09e9)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 66aa4b1b4b14b93cc726082755828ed9265509b2
https://github.com/qemu/qemu/commit/66aa4b1b4b14b93cc726082755828ed9265509b2
Author: Thomas Huth <thuth@redhat.com>
Date: 2023-09-28 (Thu, 28 Sep 2023)
Changed paths:
M hw/scsi/scsi-disk.c
Log Message:
-----------
hw/scsi/scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467]
We are doing things like
nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);
in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if
the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes
with a division by 0 exception. Thus disallow block sizes of 256
bytes to avoid this situation.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813
CVE: 2023-42467
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230925091854.49198-1-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 7cfcc79b0ab800959716738aff9419f53fc68c9c)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 0732512dbb21764a709c07058a9aced8727cf068
https://github.com/qemu/qemu/commit/0732512dbb21764a709c07058a9aced8727cf068
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-28 (Thu, 28 Sep 2023)
Changed paths:
M ui/vnc.c
Log Message:
-----------
ui/vnc: fix debug output for invalid audio message
The debug message was cut and pasted from the invalid audio format
case, but the audio message is at bytes 2-3.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 0cb9c5880e6b8dedc4e20026ce859dd1ea9aac84)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 97037995c1c3e7645f2600046a7f4c88c5ec45cd
https://github.com/qemu/qemu/commit/97037995c1c3e7645f2600046a7f4c88c5ec45cd
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-09-28 (Thu, 28 Sep 2023)
Changed paths:
M ui/vnc.c
Log Message:
-----------
ui/vnc: fix handling of VNC_FEATURE_XVP
VNC_FEATURE_XVP was not shifted left before adding it to vs->features,
so it was never enabled; but it was also checked the wrong way with
a logical AND instead of vnc_has_feature. Fix both places.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 477b301000d665313217f65e3a368d2cb7769c42)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: ae0b40d9d97f48040ffae4be7bcfebb5e5b17a5b
https://github.com/qemu/qemu/commit/ae0b40d9d97f48040ffae4be7bcfebb5e5b17a5b
Author: Fabiano Rosas <farosas@suse.de>
Date: 2023-10-03 (Tue, 03 Oct 2023)
Changed paths:
M pc-bios/optionrom/Makefile
Log Message:
-----------
optionrom: Remove build-id section
Our linker script for optionroms specifies only the placement of the
.text section, leaving the linker free to place the remaining sections
at arbitrary places in the file.
Since at least binutils 2.39, the .note.gnu.build-id section is now
being placed at the start of the file, which causes label addresses to
be shifted. For linuxboot_dma.bin that means that the PnP header
(among others) will not be found when determining the type of ROM at
optionrom_setup():
(0x1c is the label _pnph, where the magic "PnP" is)
$ xxd /usr/share/qemu/linuxboot_dma.bin | grep "PnP"
00000010: 0000 0000 0000 0000 0000 1c00 2450 6e50 ............$PnP
$ xxd pc-bios/optionrom/linuxboot_dma.bin | grep "PnP"
00000010: 0000 0000 0000 0000 0000 4c00 2450 6e50 ............$PnP
^bad
Using a freshly built linuxboot_dma.bin ROM results in a broken boot:
SeaBIOS (version rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org)
Booting from Hard Disk...
Boot failed: could not read the boot disk
Booting from Floppy...
Boot failed: could not read the boot disk
No bootable device.
We're not using the build-id section, so pass the --build-id=none
option to the linker to remove it entirely.
Note: In theory, this same issue could happen with any other
section. The ideal solution would be to have all unused sections
discarded in the linker script. However that would be a larger change,
specially for the pvh rom which uses the .bss and COMMON sections so
I'm addressing only the immediate issue here.
Reported-by: Vasiliy Ulyanov <vulyanov@suse.de>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230926192502.15986-1-farosas@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 35ed01ba5448208695ada5fa20a13c0a4689a1c1)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(mjt: remove unrelated stable@vger)
Commit: 9b7feb87d0acfda5aff5b0830740ddc2d9ed7dcb
https://github.com/qemu/qemu/commit/9b7feb87d0acfda5aff5b0830740ddc2d9ed7dcb
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2023-10-03 (Tue, 03 Oct 2023)
Changed paths:
M hw/scsi/esp.c
Log Message:
-----------
esp: use correct type for esp_dma_enable() in sysbus_esp_gpio_demux()
The call to esp_dma_enable() was being made with the SYSBUS_ESP type instead of
the ESP type. This meant that when GPIO 1 was being used to trigger a DMA
request from an external DMA controller, the setting of ESPState's dma_enabled
field would clobber unknown memory whilst the dma_cb callback pointer would
typically return NULL so the DMA request would never start.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230913204410.65650-2-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit b86dc5cb0b4105fa8ad29e822ab5d21c589c5ec5)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: fa2f090d6225b1266fa1a44f27e3048f530ef06e
https://github.com/qemu/qemu/commit/fa2f090d6225b1266fa1a44f27e3048f530ef06e
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2023-10-03 (Tue, 03 Oct 2023)
Changed paths:
M hw/scsi/esp.c
Log Message:
-----------
esp: restrict non-DMA transfer length to that of available data
In the case where a SCSI layer transfer is incorrectly terminated, it is
possible for a TI command to cause a SCSI buffer overflow due to the
expected transfer data length being less than the available data in the
FIFO. When this occurs the unsigned async_len variable underflows and
becomes a large offset which writes past the end of the allocated SCSI
buffer.
Restrict the non-DMA transfer length to be the smallest of the expected
transfer length and the available FIFO data to ensure that it is no longer
possible for the SCSI buffer overflow to occur.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230913204410.65650-3-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 77668e4b9bca03a856c27ba899a2513ddf52bb52)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 8da0da879929e5b7593e8f841d8accd54b5ad511
https://github.com/qemu/qemu/commit/8da0da879929e5b7593e8f841d8accd54b5ad511
Author: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: 2023-10-03 (Tue, 03 Oct 2023)
Changed paths:
M hw/scsi/scsi-disk.c
Log Message:
-----------
scsi-disk: ensure that FORMAT UNIT commands are terminated
Otherwise when a FORMAT UNIT command is issued, the SCSI layer can become
confused because it can find itself in the situation where it thinks there
is still data to be transferred which can cause the next emulated SCSI
command to fail.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Fixes: 6ab71761 ("scsi-disk: add FORMAT UNIT command")
Tested-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230913204410.65650-4-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit be2b619a17345d007bcf9987a3e4afd1edea3e4f)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: c9a2d122bfc274ea4ca4a460b7a0d0ee7499190d
https://github.com/qemu/qemu/commit/c9a2d122bfc274ea4ca4a460b7a0d0ee7499190d
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-10-04 (Wed, 04 Oct 2023)
Changed paths:
M target/i386/tcg/decode-new.c.inc
Log Message:
-----------
target/i386: fix operand size of unary SSE operations
VRCPSS, VRSQRTSS and VCVTSx2Sx have a 32-bit or 64-bit memory operand,
which is represented in the decoding tables by X86_VEX_REPScalar. Add it
to the tables, and make validate_vex() handle the case of an instruction
that is in exception type 4 without the REP prefix and exception type 5
with it; this is the cas of VRCP and VRSQRT.
Reported-by: yongwoo <https://gitlab.com/yongwoo36>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1377
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3d304620ec6c95f31db17acc132f42f243369299)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 91fa1379791e44d4df706a6bf76c152c987cb477
https://github.com/qemu/qemu/commit/91fa1379791e44d4df706a6bf76c152c987cb477
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-10-04 (Wed, 04 Oct 2023)
Changed paths:
M tests/tcg/i386/test-avx.py
Log Message:
-----------
tests/tcg/i386: correct mask for VPERM2F128/VPERM2I128
The instructions also use bits 3 and 7 of their 8-byte immediate.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 9e65829699f901c62a612316a2897f4ad8a27049)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: cebd957e7b62b915a175015691bfb06149c9ccd0
https://github.com/qemu/qemu/commit/cebd957e7b62b915a175015691bfb06149c9ccd0
Author: Ricky Zhou <ricky@rzhou.org>
Date: 2023-10-04 (Wed, 04 Oct 2023)
Changed paths:
M target/i386/tcg/decode-new.c.inc
Log Message:
-----------
target/i386: Fix and add some comments next to SSE/AVX instructions.
Adds some comments describing what instructions correspond to decoding
table entries and fixes some existing comments which named the wrong
instruction.
Message-Id: <20230501111428.95998-1-ricky@rzhou.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit afa94dabc52b17e340975e158d5a816ec2b2de23)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 72ef83b12fbde8334a09598ff97f29efb24d4f38
https://github.com/qemu/qemu/commit/72ef83b12fbde8334a09598ff97f29efb24d4f38
Author: Ricky Zhou <ricky@rzhou.org>
Date: 2023-10-04 (Wed, 04 Oct 2023)
Changed paths:
M target/i386/tcg/decode-new.c.inc
Log Message:
-----------
target/i386: Fix exception classes for SSE/AVX instructions.
Fix the exception classes for some SSE/AVX instructions to match what is
documented in the Intel manual.
These changes are expected to have no functional effect on the behavior
that qemu implements (primarily >= 16-byte memory alignment checks). For
instance, since qemu does not implement the AC flag, there is no
difference in behavior between Exception Classes 4 and 5 for
instructions where the SSE version only takes <16 byte memory operands.
Message-Id: <20230501111428.95998-2-ricky@rzhou.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit cab529b0dc15746b270e87d77e1dd12c6216807c)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 327d65ea97f708638771b510f9faf07eae4dad23
https://github.com/qemu/qemu/commit/327d65ea97f708638771b510f9faf07eae4dad23
Author: Ricky Zhou <ricky@rzhou.org>
Date: 2023-10-04 (Wed, 04 Oct 2023)
Changed paths:
M target/i386/tcg/decode-new.c.inc
Log Message:
-----------
target/i386: Fix exception classes for MOVNTPS/MOVNTPD.
Before this change, MOVNTPS and MOVNTPD were labeled as Exception Class
4 (only requiring alignment for legacy SSE instructions). This changes
them to Exception Class 1 (always requiring memory alignment), as
documented in the Intel manual.
Message-Id: <20230501111428.95998-3-ricky@rzhou.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 8bf171c2d126aea6b60b818f1cee7e0e9eef0390)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 796468c24a8ff2b752710d5577d0bda545ed3a46
https://github.com/qemu/qemu/commit/796468c24a8ff2b752710d5577d0bda545ed3a46
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-10-04 (Wed, 04 Oct 2023)
Changed paths:
M target/i386/tcg/decode-new.c.inc
M target/i386/tcg/decode-new.h
Log Message:
-----------
target/i386: generalize operand size "ph" for use in CVTPS2PD
CVTPS2PD only loads a half-register for memory, like CVTPH2PS. It can
reuse the "ph" packed half-precision size to load a half-register,
but rename it to "xh" because it is now a variation of "x" (it is not
used only for half-precision values).
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a48b26978a090fe1f3f3e54319902d4ab56a6b3a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 755cf29eade59550eaf0d676f8f98d2111465cf3
https://github.com/qemu/qemu/commit/755cf29eade59550eaf0d676f8f98d2111465cf3
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2023-10-04 (Wed, 04 Oct 2023)
Changed paths:
M target/i386/tcg/decode-new.c.inc
M target/i386/tcg/emit.c.inc
Log Message:
-----------
target/i386: fix memory operand size for CVTPS2PD
CVTPS2PD only loads a half-register for memory, unlike the other
operations under 0x0F 0x5A. "Unpack" the group into separate
emission functions instead of using gen_unary_fp_sse.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit abd41884c530aa025ada253bf1a5bd0c2b808219)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: e12abe5a7dea55801abeb58bac74fd038eb1086f
https://github.com/qemu/qemu/commit/e12abe5a7dea55801abeb58bac74fd038eb1086f
Author: Laszlo Ersek <lersek@redhat.com>
Date: 2023-10-05 (Thu, 05 Oct 2023)
Changed paths:
M hw/display/ramfb.c
Log Message:
-----------
hw/display/ramfb: plug slight guest-triggerable leak on mode setting
The fw_cfg DMA write callback in ramfb prepares a new display surface in
QEMU; this new surface is put to use ("swapped in") upon the next display
update. At that time, the old surface (if any) is released.
If the guest triggers the fw_cfg DMA write callback at least twice between
two adjacent display updates, then the second callback (and further such
callbacks) will leak the previously prepared (but not yet swapped in)
display surface.
The issue can be shown by:
(1) starting QEMU with "-trace displaysurface_free", and
(2) running the following program in the guest UEFI shell:
> #include <Library/ShellCEntryLib.h> // ShellAppMain()
> #include <Library/UefiBootServicesTableLib.h> // gBS
> #include <Protocol/GraphicsOutput.h> // EFI_GRAPHICS_OUTPUT_PROTOCOL
>
> INTN
> EFIAPI
> ShellAppMain (
> IN UINTN Argc,
> IN CHAR16 **Argv
> )
> {
> EFI_STATUS Status;
> VOID *Interface;
> EFI_GRAPHICS_OUTPUT_PROTOCOL *Gop;
> UINT32 Mode;
>
> Status = gBS->LocateProtocol (
> &gEfiGraphicsOutputProtocolGuid,
> NULL,
> &Interface
> );
> if (EFI_ERROR (Status)) {
> return 1;
> }
>
> Gop = Interface;
>
> Mode = 1;
> for ( ; ;) {
> Status = Gop->SetMode (Gop, Mode);
> if (EFI_ERROR (Status)) {
> break;
> }
>
> Mode = 1 - Mode;
> }
>
> return 1;
> }
The symptom is then that:
- only one trace message appears periodically,
- the time between adjacent messages keeps increasing -- implying that
some list structure (containing the leaked resources) keeps growing,
- the "surface" pointer is ever different.
> 18566@1695127471.449586:displaysurface_free surface=0x7f2fcc09a7c0
> 18566@1695127471.529559:displaysurface_free surface=0x7f2fcc9dac10
> 18566@1695127471.659812:displaysurface_free surface=0x7f2fcc441dd0
> 18566@1695127471.839669:displaysurface_free surface=0x7f2fcc0363d0
> 18566@1695127472.069674:displaysurface_free surface=0x7f2fcc413a80
> 18566@1695127472.349580:displaysurface_free surface=0x7f2fcc09cd00
> 18566@1695127472.679783:displaysurface_free surface=0x7f2fcc1395f0
> 18566@1695127473.059848:displaysurface_free surface=0x7f2fcc1cae50
> 18566@1695127473.489724:displaysurface_free surface=0x7f2fcc42fc50
> 18566@1695127473.969791:displaysurface_free surface=0x7f2fcc45dcc0
> 18566@1695127474.499708:displaysurface_free surface=0x7f2fcc70b9d0
> 18566@1695127475.079769:displaysurface_free surface=0x7f2fcc82acc0
> 18566@1695127475.709941:displaysurface_free surface=0x7f2fcc369c00
> 18566@1695127476.389619:displaysurface_free surface=0x7f2fcc32b910
> 18566@1695127477.119772:displaysurface_free surface=0x7f2fcc0d5a20
> 18566@1695127477.899517:displaysurface_free surface=0x7f2fcc086c40
> 18566@1695127478.729962:displaysurface_free surface=0x7f2fccc72020
> 18566@1695127479.609839:displaysurface_free surface=0x7f2fcc185160
> 18566@1695127480.539688:displaysurface_free surface=0x7f2fcc23a7e0
> 18566@1695127481.519759:displaysurface_free surface=0x7f2fcc3ec870
> 18566@1695127482.549930:displaysurface_free surface=0x7f2fcc634960
> 18566@1695127483.629661:displaysurface_free surface=0x7f2fcc26b140
> 18566@1695127484.759987:displaysurface_free surface=0x7f2fcc321700
> 18566@1695127485.940289:displaysurface_free surface=0x7f2fccaad100
We figured this wasn't a CVE-worthy problem, as only small amounts of
memory were leaked (the framebuffer itself is mapped from guest RAM, QEMU
only allocates administrative structures), plus libvirt restricts QEMU
memory footprint anyway, thus the guest can only DoS itself.
Plug the leak, by releasing the last prepared (not yet swapped in) display
surface, if any, in the fw_cfg DMA write callback.
Regarding the "reproducer", with the fix in place, the log is flooded with
trace messages (one per fw_cfg write), *and* the trace message alternates
between just two "surface" pointer values (i.e., nothing is leaked, the
allocator flip-flops between two objects in effect).
This issue appears to date back to the introducion of ramfb (995b30179bdc,
"hw/display: add ramfb, a simple boot framebuffer living in guest ram",
2018-06-18).
Cc: Gerd Hoffmann <kraxel@redhat.com> (maintainer:ramfb)
Cc: qemu-stable@nongnu.org
Fixes: 995b30179bdc
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20230919131955.27223-1-lersek@redhat.com>
(cherry picked from commit e0288a778473ebd35eac6cc1924faca7d477d241)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 5f2b5606e2d7448a745fdd680071121dd5ddea75
https://github.com/qemu/qemu/commit/5f2b5606e2d7448a745fdd680071121dd5ddea75
Author: Thomas Huth <thuth@redhat.com>
Date: 2023-10-21 (Sat, 21 Oct 2023)
Changed paths:
M chardev/char-pty.c
Log Message:
-----------
chardev/char-pty: Avoid losing bytes when the other side just (re-)connected
When starting a guest via libvirt with "virsh start --console ...",
the first second of the console output is missing. This is especially
annoying on s390x that only has a text console by default and no graphical
output - if the bios fails to boot here, the information about what went
wrong is completely lost.
One part of the problem (there is also some things to be done on the
libvirt side) is that QEMU only checks with a 1 second timer whether
the other side of the pty is already connected, so the first second of
the console output is always lost.
This likely used to work better in the past, since the code once checked
for a re-connection during write, but this has been removed in commit
f8278c7d74 ("char-pty: remove the check for connection on write") to avoid
some locking.
To ease the situation here at least a little bit, let's check with g_poll()
whether we could send out the data anyway, even if the connection has not
been marked as "connected" yet. The file descriptor is marked as non-blocking
anyway since commit fac6688a18 ("Do not hang on full PTY"), so this should
not cause any trouble if the other side is not ready for receiving yet.
With this patch applied, I can now successfully see the bios output of
a s390x guest when running it with "virsh start --console" (with a patched
version of virsh that fixes the remaining issues there, too).
Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20230816210743.1319018-1-thuth@redhat.com>
(cherry picked from commit 4f7689f0817a717d18cc8aca298990760f27a89b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: use TFR() instead of RETRY_ON_EINTR() before v7.2.0-538-g8b6aa69365)
Commit: 24d5b718847801e561aa97b1c21694b37c864676
https://github.com/qemu/qemu/commit/24d5b718847801e561aa97b1c21694b37c864676
Author: Richard Henderson <richard.henderson@linaro.org>
Date: 2023-10-21 (Sat, 21 Oct 2023)
Changed paths:
M linux-user/hppa/signal.c
Log Message:
-----------
linux-user/hppa: Fix struct target_sigcontext layout
Use abi_ullong not uint64_t so that the alignment of the field
and therefore the layout of the struct is correct.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 33bc4fa78b06fc4e5fe22e5576811a97707e0cc6)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 85c27e5b372ad90931374f080045608275df3645
https://github.com/qemu/qemu/commit/85c27e5b372ad90931374f080045608275df3645
Author: Akihiko Odaki <akihiko.odaki@daynix.com>
Date: 2023-10-21 (Sat, 21 Oct 2023)
Changed paths:
M hw/i386/amd_iommu.c
M hw/i386/amd_iommu.h
Log Message:
-----------
amd_iommu: Fix APIC address check
An MSI from I/O APIC may not exactly equal to APIC_DEFAULT_ADDRESS. In
fact, Windows 17763.3650 configures I/O APIC to set the dest_mode bit.
Cover the range assigned to APIC.
Fixes: 577c470f43 ("x86_iommu/amd: Prepare for interrupt remap support")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-Id: <20230921114612.40671-1-akihiko.odaki@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 0114c4513095598cdf1cd8d7dacdfff757628121)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 77d36ba30083265269501552e9c092e6954cd382
https://github.com/qemu/qemu/commit/77d36ba30083265269501552e9c092e6954cd382
Author: Peter Xu <peterx@redhat.com>
Date: 2023-10-21 (Sat, 21 Oct 2023)
Changed paths:
M migration/migration.c
Log Message:
-----------
migration/qmp: Fix crash on setting tls-authz with null
QEMU will crash if anyone tries to set tls-authz (which is a type
StrOrNull) with 'null' value. Fix it in the easy way by converting it to
qstring just like the other two tls parameters.
Cc: qemu-stable@nongnu.org # v4.0+
Fixes: d2f1d29b95 ("migration: add support for a "tls-authz" migration
parameter")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Message-ID: <20230905162335.235619-2-peterx@redhat.com>
(cherry picked from commit 86dec715a7339fc61c3bdb9715993b277b2089db)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: the function is in m/migration.c, not m/option.c; minor context tweak)
Commit: c19fd37eb32ecd250e5bd9c25abb787277408ce2
https://github.com/qemu/qemu/commit/c19fd37eb32ecd250e5bd9c25abb787277408ce2
Author: Volker Rümelin <vr_qemu@t-online.de>
Date: 2023-10-21 (Sat, 21 Oct 2023)
Changed paths:
M hw/audio/es1370.c
Log Message:
-----------
hw/audio/es1370: reset current sample counter
Reset the current sample counter when writing the Channel Sample
Count Register. The Linux ens1370 driver and the AROS sb128
driver expect the current sample counter counts down from sample
count to 0 after a write to the Channel Sample Count Register.
Currently the current sample counter starts from 0 after a reset
or the last count when the counter was stopped.
The current sample counter is used to raise an interrupt whenever
a complete buffer was transferred. When the counter starts with a
value lower than the reload value, the interrupt triggeres before
the buffer was completly transferred. This may lead to corrupted
audio streams.
Tested-by: Rene Engel <ReneEngel80@emailn.de>
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Tested-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-Id: <20230917065813.6692-1-vr_qemu@t-online.de>
(cherry picked from commit 00e3b29d065f3b88bb3726afbd5c73f8b2bff1b4)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 0c049eafd5a76e25ffe842d4eb4bb4f4d4919f5c
https://github.com/qemu/qemu/commit/0c049eafd5a76e25ffe842d4eb4bb4f4d4919f5c
Author: Alvin Chang <vivahavey@gmail.com>
Date: 2023-10-21 (Sat, 21 Oct 2023)
Changed paths:
M disas/riscv.c
Log Message:
-----------
disas/riscv: Fix the typo of inverted order of pmpaddr13 and pmpaddr14
Fix the inverted order of pmpaddr13 and pmpaddr14 in csr_name().
Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20230907084500.328-1-alvinga@andestech.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
(cherry picked from commit cffa9954908830276c93b430681f66cc0e599aef)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 06c9bf032f5581629819affd95fcbd7c54cf493a
https://github.com/qemu/qemu/commit/06c9bf032f5581629819affd95fcbd7c54cf493a
Author: Yuval Shaia <yuval.shaia.ml@gmail.com>
Date: 2023-10-21 (Sat, 21 Oct 2023)
Changed paths:
M hw/rdma/vmw/pvrdma_main.c
Log Message:
-----------
hw/pvrdma: Protect against buggy or malicious guest driver
Guest driver allocates and initialize page tables to be used as a ring
of descriptors for CQ and async events.
The page table that represents the ring, along with the number of pages
in the page table is passed to the device.
Currently our device supports only one page table for a ring.
Let's make sure that the number of page table entries the driver
reports, do not exceeds the one page table size.
Reported-by: Soul Chen <soulchen8650@gmail.com>
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Fixes: CVE-2023-1544
Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 85fc35afa93c7320d1641d344d0c5dfbe341d087)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: f5358bc18b8c2da23a82ec52ad5a701d2969fe5e
https://github.com/qemu/qemu/commit/f5358bc18b8c2da23a82ec52ad5a701d2969fe5e
Author: Fabiano Rosas <farosas@suse.de>
Date: 2023-10-21 (Sat, 21 Oct 2023)
Changed paths:
M scripts/analyze-migration.py
Log Message:
-----------
migration: Fix analyze-migration read operation signedness
The migration code uses unsigned values for 16, 32 and 64-bit
operations. Fix the script to do the same.
This was causing an issue when parsing the migration stream generated
on the ppc64 target because one of instance_ids was larger than the
32bit signed maximum:
Traceback (most recent call last):
File "/home/fabiano/kvm/qemu/build/scripts/analyze-migration.py", line 658,
in <module>
dump.read(dump_memory = args.memory)
File "/home/fabiano/kvm/qemu/build/scripts/analyze-migration.py", line 592,
in read
classdesc = self.section_classes[section_key]
KeyError: ('spapr_iommu', -2147483648)
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Message-ID: <20231009184326.15777-6-farosas@suse.de>
(cherry picked from commit caea03279e11dfcb0e5a567b81fe7f02ee80af02)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: ea3c95a6b0afae799a34458b819e9a30b9ca6817
https://github.com/qemu/qemu/commit/ea3c95a6b0afae799a34458b819e9a30b9ca6817
Author: Mikulas Patocka <mpatocka@redhat.com>
Date: 2023-10-21 (Sat, 21 Oct 2023)
Changed paths:
M linux-user/mips/cpu_loop.c
Log Message:
-----------
linux-user/mips: fix abort on integer overflow
QEMU mips userspace emulation crashes with "qemu: unhandled CPU exception
0x15 - aborting" when one of the integer arithmetic instructions detects
an overflow.
This patch fixes it so that it delivers SIGFPE with FPE_INTOVF instead.
Cc: qemu-stable@nongnu.org
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Message-Id: <3ef979a8-3ee1-eb2d-71f7-d788ff88dd11@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 6fad9b4bb91dcc824f9c00a36ee843883b58313b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: cb79e6a45159b0b18483aa1ec6cfea287ae3b985
https://github.com/qemu/qemu/commit/cb79e6a45159b0b18483aa1ec6cfea287ae3b985
Author: Mikulas Patocka <mpatocka@redhat.com>
Date: 2023-10-21 (Sat, 21 Oct 2023)
Changed paths:
M linux-user/sh4/signal.c
Log Message:
-----------
linux-user/sh4: Fix crashes on signal delivery
sh4 uses gUSA (general UserSpace Atomicity) to provide atomicity on CPUs
that don't have atomic instructions. A gUSA region that adds 1 to an
atomic variable stored in @R2 looks like this:
4004b6: 03 c7 mova 4004c4 <gusa+0x10>,r0
4004b8: f3 61 mov r15,r1
4004ba: 09 00 nop
4004bc: fa ef mov #-6,r15
4004be: 22 63 mov.l @r2,r3
4004c0: 01 73 add #1,r3
4004c2: 32 22 mov.l r3,@r2
4004c4: 13 6f mov r1,r15
R0 contains a pointer to the end of the gUSA region
R1 contains the saved stack pointer
R15 contains negative length of the gUSA region
When this region is interrupted by a signal, the kernel detects if
R15 >= -128U. If yes, the kernel rolls back PC to the beginning of the
region and restores SP by copying R1 to R15.
The problem happens if we are interrupted by a signal at address 4004c4.
R15 still holds the value -6, but the atomic value was already written by
an instruction at address 4004c2. In this situation we can't undo the
gUSA. The function unwind_gusa does nothing, the signal handler attempts
to push a signal frame to the address -6 and crashes.
This patch fixes it, so that if we are interrupted at the last instruction
in a gUSA region, we copy R1 to R15 to restore the correct stack pointer
and avoid crashing.
There's another bug: if we are interrupted in a delay slot, we save the
address of the instruction in the delay slot. We must save the address of
the previous instruction.
Cc: qemu-stable@nongnu.org
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Yoshinori Sato <ysato@users.sourcefoege.jp>
Message-Id: <b16389f7-6c62-70b7-59b3-87533c0bcc@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 3b894b699c9a9c064466e128c18be80a3f2113bc)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: ef93ba0d7b58597811d0c228b31c0d63c687c077
https://github.com/qemu/qemu/commit/ef93ba0d7b58597811d0c228b31c0d63c687c077
Author: Helge Deller <deller@gmx.de>
Date: 2023-10-21 (Sat, 21 Oct 2023)
Changed paths:
M hw/input/lasips2.c
Log Message:
-----------
lasips2: LASI PS/2 devices are not user-createable
Those PS/2 ports are created with the LASI controller when
a 32-bit PA-RISC machine is created.
Mark them not user-createable to avoid showing them in
the qemu device list.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: qemu-stable@nongnu.org
(cherry picked from commit a1e6a5c46219bada2c7b932748527553b36559ae)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: cec02bc03781e22daa994c21e828ad7e78f7168c
https://github.com/qemu/qemu/commit/cec02bc03781e22daa994c21e828ad7e78f7168c
Author: Lu Gao <lu.gao@verisilicon.com>
Date: 2023-10-24 (Tue, 24 Oct 2023)
Changed paths:
M hw/sd/sdhci.c
Log Message:
-----------
hw/sd/sdhci: Block Size Register bits [14:12] is lost
Block Size Register bits [14:12] is SDMA Buffer Boundary, it is missed
in register write, but it is needed in SDMA transfer. e.g. it will be
used in sdhci_sdma_transfer_multi_blocks to calculate boundary_ variables.
Missing this field will cause wrong operation for different SDMA Buffer
Boundary settings.
Fixes: d7dfca0807 ("hw/sdhci: introduce standard SD host controller")
Fixes: dfba99f17f ("hw/sdhci: Fix DMA Transfer Block Size field")
Signed-off-by: Lu Gao <lu.gao@verisilicon.com>
Signed-off-by: Jianxian Wen <jianxian.wen@verisilicon.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-ID: <20220321055618.4026-1-lu.gao@verisilicon.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit ae5f70baf549925080fcdbc6c1939c98a4a39246)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: d241c15f75d61674927c59c43aa67711b33515f0
https://github.com/qemu/qemu/commit/d241c15f75d61674927c59c43aa67711b33515f0
Author: Glenn Miles <milesg@linux.vnet.ibm.com>
Date: 2023-10-31 (Tue, 31 Oct 2023)
Changed paths:
M hw/misc/led.c
Log Message:
-----------
misc/led: LED state is set opposite of what is expected
Testing of the LED state showed that when the LED polarity was
set to GPIO_POLARITY_ACTIVE_LOW and a low logic value was set on
the input GPIO of the LED, the LED was being turn off when it was
expected to be turned on.
Fixes: ddb67f6402 ("hw/misc/led: Allow connecting from GPIO output")
Signed-off-by: Glenn Miles <milesg@linux.vnet.ibm.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Message-id: 20231024191945.4135036-1-milesg@linux.vnet.ibm.com
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 6f83dc67168d17856744275e2a0d7a6addf6cfb9)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 30811710fb5c566d71174ac9b3b5bf9cc4d16a1e
https://github.com/qemu/qemu/commit/30811710fb5c566d71174ac9b3b5bf9cc4d16a1e
Author: Akihiko Odaki <akihiko.odaki@daynix.com>
Date: 2023-11-02 (Thu, 02 Nov 2023)
Changed paths:
M tests/migration/s390x/Makefile
Log Message:
-----------
tests/migration: Add -fno-stack-protector
A build of GCC 13.2 will have stack protector enabled by default if it
was configured with --enable-default-ssp option. For such a compiler,
it is necessary to explicitly disable stack protector when linking
without standard libraries.
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230731091042.139159-2-akihiko.odaki@daynix.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit 7a06a8fec9df3b6a0f72e7b37dff0969430aab96)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 6367e823caead19cfbe5ba0724a93691b65c257d
https://github.com/qemu/qemu/commit/6367e823caead19cfbe5ba0724a93691b65c257d
Author: Akihiko Odaki <akihiko.odaki@daynix.com>
Date: 2023-11-02 (Thu, 02 Nov 2023)
Changed paths:
M tests/tcg/Makefile.target
M tests/tcg/aarch64/Makefile.target
M tests/tcg/arm/Makefile.target
M tests/tcg/cris/Makefile.target
M tests/tcg/hexagon/Makefile.target
M tests/tcg/i386/Makefile.target
M tests/tcg/minilib/Makefile.target
M tests/tcg/mips/Makefile.target
M tests/tcg/mips/hello-mips.c
Log Message:
-----------
tests/tcg: Add -fno-stack-protector
A build of GCC 13.2 will have stack protector enabled by default if it
was configured with --enable-default-ssp option. For such a compiler,
it is necessary to explicitly disable stack protector when linking
without standard libraries.
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-Id: <20230731091042.139159-3-akihiko.odaki@daynix.com>
[AJB: fix comment string typo]
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20231029145033.592566-3-alex.bennee@linaro.org>
(cherry picked from commit 580731dcc87eb27a2b0dc20ec331f1ce51864c97)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 1e67bd7c217eac41518b752074125be89f70b81d
https://github.com/qemu/qemu/commit/1e67bd7c217eac41518b752074125be89f70b81d
Author: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Date: 2023-11-02 (Thu, 02 Nov 2023)
Changed paths:
M qemu-img.c
Log Message:
-----------
qemu-img: rebase: stop when reaching EOF of old backing file
In case when we're rebasing within one backing chain, and when target image
is larger than old backing file, bdrv_is_allocated_above() ends up setting
*pnum = 0. As a result, target offset isn't getting incremented, and we
get stuck in an infinite for loop. Let's detect this case and proceed
further down the loop body, as the offsets beyond the old backing size need
to be explicitly zeroed.
Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Reviewed-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20230919165804.439110-2-andrey.drobyshev@virtuozzo.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 8b097fd6b06ec295faefd4f30f96f8709abc9605)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: e4a44eb819a7a59c46cdb62fbaefa559506a8410
https://github.com/qemu/qemu/commit/e4a44eb819a7a59c46cdb62fbaefa559506a8410
Author: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Date: 2023-11-02 (Thu, 02 Nov 2023)
Changed paths:
M tests/qemu-iotests/024
M tests/qemu-iotests/024.out
Log Message:
-----------
qemu-iotests: 024: add rebasing test case for overlay_size > backing_size
Before previous commit, rebase was getting infitely stuck in case of
rebasing within the same backing chain and when overlay_size > backing_size.
Let's add this case to the rebasing test 024 to make sure it doesn't
break again.
Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Reviewed-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20230919165804.439110-3-andrey.drobyshev@virtuozzo.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 827171c3180533f4ad0bc338ea166f401bb5d348)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: cc64f9ac3d52d0b6f8af3039c531e15d0e95267f
https://github.com/qemu/qemu/commit/cc64f9ac3d52d0b6f8af3039c531e15d0e95267f
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2023-11-02 (Thu, 02 Nov 2023)
Changed paths:
M linux-user/syscall.c
Log Message:
-----------
Revert "linux-user: add more compat ioctl definitions"
This reverts commit c5495f4ecb0cdaaf2e9dddeb48f1689cdb520ca0.
glibc has fixed (in 2.36.9000-40-g774058d729) the problem
that caused a clash when both sys/mount.h annd linux/mount.h
are included, and backported this to the 2.36 stable release
too:
https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E
It is saner for QEMU to remove the workaround it applied for
glibc 2.36 and expect distros to ship the 2.36 maint release
with the fix. This avoids needing to add a further workaround
to QEMU to deal with the fact that linux/brtfs.h now also pulls
in linux/mount.h via linux/fs.h since Linux 6.1
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20230110174901.2580297-2-berrange@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
(cherry picked from commit 9f0246539ae84a5e21efd1cc4516fc343f08115a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 3e273f4c16eeaf65d43b0198c909ab9803987f6b
https://github.com/qemu/qemu/commit/3e273f4c16eeaf65d43b0198c909ab9803987f6b
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2023-11-02 (Thu, 02 Nov 2023)
Changed paths:
M linux-user/syscall.c
M meson.build
Log Message:
-----------
Revert "linux-user: fix compat with glibc >= 2.36 sys/mount.h"
This reverts commit 3cd3df2a9584e6f753bb62a0028bd67124ab5532.
glibc has fixed (in 2.36.9000-40-g774058d729) the problem
that caused a clash when both sys/mount.h annd linux/mount.h
are included, and backported this to the 2.36 stable release
too:
https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E
It is saner for QEMU to remove the workaround it applied for
glibc 2.36 and expect distros to ship the 2.36 maint release
with the fix. This avoids needing to add a further workaround
to QEMU to deal with the fact that linux/brtfs.h now also pulls
in linux/mount.h via linux/fs.h since Linux 6.1
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20230110174901.2580297-3-berrange@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
(cherry picked from commit 6003159ce18faad4e1bc7bf9c85669019cd4950e)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: d9da3f8dbd58109bf7bd9d67b63300fa7cb6539f
https://github.com/qemu/qemu/commit/d9da3f8dbd58109bf7bd9d67b63300fa7cb6539f
Author: Fabiano Rosas <farosas@suse.de>
Date: 2023-11-03 (Fri, 03 Nov 2023)
Changed paths:
M target/arm/ptw.c
Log Message:
-----------
target/arm: Don't access TCG code when debugging with KVM
When TCG is disabled this part of the code should not be reachable, so
wrap it with an ifdef for now.
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 0d3de77a07f4f774f7a9248afa8ea497ad5f2ae5)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: trivial change which makes two subsequent cherry-picks to apply cleanly)
Commit: 6861482deaf802e401def432ed730d99e06871c7
https://github.com/qemu/qemu/commit/6861482deaf802e401def432ed730d99e06871c7
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2023-11-03 (Fri, 03 Nov 2023)
Changed paths:
M target/arm/ptw.c
Log Message:
-----------
target/arm: Don't allow stage 2 page table walks to downgrade to NS
Bit 63 in a Table descriptor is only the NSTable bit for stage 1
translations; in stage 2 it is RES0. We were incorrectly looking at
it all the time.
This causes problems if:
* the stage 2 table descriptor was incorrectly setting the RES0 bit
* we are doing a stage 2 translation in Secure address space for
a NonSecure stage 1 regime -- in this case we would incorrectly
do an immediate downgrade to NonSecure
A bug elsewhere in the code currently prevents us from getting
to the second situation, but when we fix that it will be possible.
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20230504135425.2748672-2-peter.maydell@linaro.org
(cherry picked from commit 21a4ab8318ba6f049aac244e237cd1557586e216)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: e19b7b81657b394fda986ee0fdf1456b04b08da8
https://github.com/qemu/qemu/commit/e19b7b81657b394fda986ee0fdf1456b04b08da8
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2023-11-03 (Fri, 03 Nov 2023)
Changed paths:
M target/arm/ptw.c
Log Message:
-----------
target/arm: Fix handling of SW and NSW bits for stage 2 walks
We currently don't correctly handle the VSTCR_EL2.SW and VTCR_EL2.NSW
configuration bits. These allow configuration of whether the stage 2
page table walks for Secure IPA and NonSecure IPA should do their
descriptor reads from Secure or NonSecure physical addresses. (This
is separate from how the translation table base address and other
parameters are set: an NS IPA always uses VTTBR_EL2 and VTCR_EL2
for its base address and walk parameters, regardless of the NSW bit,
and similarly for Secure.)
Provide a new function ptw_idx_for_stage_2() which returns the
MMU index to use for descriptor reads, and use it to set up
the .in_ptw_idx wherever we call get_phys_addr_lpae().
For a stage 2 walk, wherever we call get_phys_addr_lpae():
* .in_ptw_idx should be ptw_idx_for_stage_2() of the .in_mmu_idx
* .in_secure should be true if .in_mmu_idx is Stage2_S
This allows us to correct S1_ptw_translate() so that it consistently
always sets its (out_secure, out_phys) to the result it gets from the
S2 walk (either by calling get_phys_addr_lpae() or by TLB lookup).
This makes better conceptual sense because the S2 walk should return
us an (address space, address) tuple, not an address that we then
randomly assign to S or NS.
Our previous handling of SW and NSW was broken, so guest code
trying to use these bits to put the s2 page tables in the "other"
address space wouldn't work correctly.
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1600
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230504135425.2748672-3-peter.maydell@linaro.org
(cherry picked from commit fcc0b0418fff655f20fd0cf86a1bbdc41fd2e7c6)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 26bb3ab8ffd6d7f3c9095ffeec17d2a929f5c6ea
https://github.com/qemu/qemu/commit/26bb3ab8ffd6d7f3c9095ffeec17d2a929f5c6ea
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2023-11-03 (Fri, 03 Nov 2023)
Changed paths:
M target/arm/internals.h
M target/arm/ptw.c
Log Message:
-----------
target/arm: Correctly propagate stage 1 BTI guarded bit in a two-stage walk
In a two-stage translation, the result of the BTI guarded bit should
be the guarded bit from the first stage of translation, as there is
no BTI guard information in stage two. Our code tried to do this,
but got it wrong, because we currently have two fields where the GP
bit information might live (ARMCacheAttrs::guarded and
CPUTLBEntryFull::extra::arm::guarded), and we were storing the GP bit
in the latter during the stage 1 walk but trying to copy the former
in combine_cacheattrs().
Remove the duplicated storage, and always use the field in
CPUTLBEntryFull; correctly propagate the stage 1 value to the output
in get_phys_addr_twostage().
Note for stable backports: in v8.0 and earlier the field is named
result->f.guarded, not result->f.extra.arm.guarded.
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1950
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20231031173723.26582-1-peter.maydell@linaro.org
(cherry picked from commit 4c09abeae8704970ff03bf2196973f6bf08ab6f9)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: replace f.extra.arm.guarded -> f.guarded due to v8.1.0-1179-ga81fef4b64)
Commit: 0d7c40a1e2a8c6368614ea58b24c845e1e9522de
https://github.com/qemu/qemu/commit/0d7c40a1e2a8c6368614ea58b24c845e1e9522de
Author: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Date: 2023-11-07 (Tue, 07 Nov 2023)
Changed paths:
M block/nvme.c
Log Message:
-----------
block/nvme: nvme_process_completion() fix bound for cid
NVMeQueuePair::reqs has length NVME_NUM_REQS, which less than
NVME_QUEUE_SIZE by 1.
Fixes: 1086e95da17050 ("block/nvme: switch to a NVMeRequest freelist")
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Maksim Davydov <davydov-max@yandex-team.ru>
Message-id: 20231017125941.810461-5-vsementsov@yandex-team.ru
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit cc8fb0c3ae3c950eb40e969607e17ff16a7519ac)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 091798aaf091ee83f32317a56bb181fb1ddf30c0
https://github.com/qemu/qemu/commit/091798aaf091ee83f32317a56bb181fb1ddf30c0
Author: BALATON Zoltan <balaton@eik.bme.hu>
Date: 2023-11-07 (Tue, 07 Nov 2023)
Changed paths:
M hw/display/ati.c
M hw/display/ati_2d.c
M hw/display/ati_int.h
Log Message:
-----------
ati-vga: Implement fallback for pixman routines
Pixman routines can fail if no implementation is available and it will
become optional soon so add fallbacks when pixman does not work.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID:
<ed0fba3f74e48143f02228b83bf8796ca49f3e7d.1698871239.git.balaton@eik.bme.hu>
(cherry picked from commit 08730ee0cc01c3fceb907a93436d15170a7556c4)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: ad8457e85ee951faaf53eb83435b1438eed191c5
https://github.com/qemu/qemu/commit/ad8457e85ee951faaf53eb83435b1438eed191c5
Author: Marc-André Lureau <marcandre.lureau@redhat.com>
Date: 2023-11-07 (Tue, 07 Nov 2023)
Changed paths:
M ui/gtk.c
Log Message:
-----------
ui/gtk: force realization of drawing area
Fixes the GL context creation from a widget that isn't yet realized (in
a hidden tab for example).
Resolves:
https://gitlab.com/qemu-project/qemu/-/issues/1727
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Antonio Caggiano <quic_acaggian@quicinc.com>
Message-Id: <20231017111642.1155545-1-marcandre.lureau@redhat.com>
(cherry picked from commit 565f85a9c293818a91a3d3414311303de7e00cec)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 2c1c0cdc253ae303a2306b9fe9df0b1c56e3c027
https://github.com/qemu/qemu/commit/2c1c0cdc253ae303a2306b9fe9df0b1c56e3c027
Author: Dongwon Kim <dongwon.kim@intel.com>
Date: 2023-11-07 (Tue, 07 Nov 2023)
Changed paths:
M ui/gtk-egl.c
Log Message:
-----------
ui/gtk-egl: apply scale factor when calculating window's dimension
Scale factor needs to be applied when calculating width/height of the
GTK windows.
Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Dongwon Kim <dongwon.kim@intel.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20231012222643.13996-1-dongwon.kim@intel.com>
(cherry picked from commit 47fd6ab1e334962890bc3e8d2e32857f6594e1c1)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: c6ae30a3536758cb3d5dfdb68ff55baf8f8ecacb
https://github.com/qemu/qemu/commit/c6ae30a3536758cb3d5dfdb68ff55baf8f8ecacb
Author: Antonio Caggiano <quic_acaggian@quicinc.com>
Date: 2023-11-07 (Tue, 07 Nov 2023)
Changed paths:
M ui/gtk-egl.c
Log Message:
-----------
ui/gtk-egl: Check EGLSurface before doing scanout
The first time gd_egl_scanout_texture() is called, there's a possibility
that the GTK drawing area might not be realized yet, in which case its
associated GdkWindow is NULL. This means gd_egl_init() was also skipped
and the EGLContext and EGLSurface stored in the VirtualGfxConsole are
not valid yet.
Continuing with the scanout in this conditions would result in hitting
an assert in libepoxy: "Couldn't find current GLX or EGL context".
A possible workaround is to just ignore the scanout request, giving the
the GTK drawing area some time to finish its realization. At that point,
the gd_egl_init() will succeed and the EGLContext and EGLSurface stored
in the VirtualGfxConsole will be valid.
Signed-off-by: Antonio Caggiano <quic_acaggian@quicinc.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20231016123215.2699269-1-quic_acaggian@quicinc.com>
(cherry picked from commit 6f189a08c1b0085808af1bfbf4567f0da193ecc1)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: b6b207129b614045e709734eb2979c8c7dfcb8ba
https://github.com/qemu/qemu/commit/b6b207129b614045e709734eb2979c8c7dfcb8ba
Author: Philippe Mathieu-Daudé <philmd@linaro.org>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M target/mips/tcg/msa.decode
Log Message:
-----------
target/mips: Fix MSA BZ/BNZ opcodes displacement
The PC offset is *signed*.
Cc: qemu-stable@nongnu.org
Reported-by: Sergey Evlashev <vectorchiefrocks@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1624
Fixes: c7a9ef7517 ("target/mips: Introduce decode tree bindings for MSA ASE")
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230914085807.12241-1-philmd@linaro.org>
(cherry picked from commit 04591b3ddd9a96b9298a1dd437a6464ab55e62ee)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 16f81c6b18638102a369b1e42a50b597c60b83dc
https://github.com/qemu/qemu/commit/16f81c6b18638102a369b1e42a50b597c60b83dc
Author: Philippe Mathieu-Daudé <philmd@linaro.org>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M target/mips/tcg/tx79.decode
Log Message:
-----------
target/mips: Fix TX79 LQ/SQ opcodes
The base register address offset is *signed*.
Cc: qemu-stable@nongnu.org
Fixes: aaaa82a9f9 ("target/mips/tx79: Introduce LQ opcode (Load Quadword)")
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230914090447.12557-1-philmd@linaro.org>
(cherry picked from commit 18f86aecd6a1bea0f78af14587a684ad966d8d3a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 3a2560eb9eb8f093de44e81c91c8c257f50cae83
https://github.com/qemu/qemu/commit/3a2560eb9eb8f093de44e81c91c8c257f50cae83
Author: Fiona Ebner <f.ebner@proxmox.com>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M hw/ide/core.c
Log Message:
-----------
hw/ide: reset: cancel async DMA operation before resetting state
If there is a pending DMA operation during ide_bus_reset(), the fact
that the IDEState is already reset before the operation is canceled
can be problematic. In particular, ide_dma_cb() might be called and
then use the reset IDEState which contains the signature after the
reset. When used to construct the IO operation this leads to
ide_get_sector() returning 0 and nsector being 1. This is particularly
bad, because a write command will thus destroy the first sector which
often contains a partition table or similar.
Traces showing the unsolicited write happening with IDEState
0x5595af6949d0 being used after reset:
> ahci_port_write ahci(0x5595af6923f0)[0]: port write [reg:PxSCTL] @ 0x2c:
> 0x00000300
> ahci_reset_port ahci(0x5595af6923f0)[0]: reset port
> ide_reset IDEstate 0x5595af6949d0
> ide_reset IDEstate 0x5595af694da8
> ide_bus_reset_aio aio_cancel
> dma_aio_cancel dbs=0x7f64600089a0
> dma_blk_cb dbs=0x7f64600089a0 ret=0
> dma_complete dbs=0x7f64600089a0 ret=0 cb=0x5595acd40b30
> ahci_populate_sglist ahci(0x5595af6923f0)[0]
> ahci_dma_prepare_buf ahci(0x5595af6923f0)[0]: prepare buf limit=512
> prepared=512
> ide_dma_cb IDEState 0x5595af6949d0; sector_num=0 n=1 cmd=DMA WRITE
> dma_blk_io dbs=0x7f6420802010 bs=0x5595ae2c6c30 offset=0 to_dev=1
> dma_blk_cb dbs=0x7f6420802010 ret=0
> (gdb) p *qiov
> $11 = {iov = 0x7f647c76d840, niov = 1, {{nalloc = 1, local_iov = {iov_base =
> 0x0,
> iov_len = 512}}, {__pad =
> "\001\000\000\000\000\000\000\000\000\000\000",
> size = 512}}}
> (gdb) bt
> #0 blk_aio_pwritev (blk=0x5595ae2c6c30, offset=0, qiov=0x7f6420802070,
> flags=0,
> cb=0x5595ace6f0b0 <dma_blk_cb>, opaque=0x7f6420802010)
> at ../block/block-backend.c:1682
> #1 0x00005595ace6f185 in dma_blk_cb (opaque=0x7f6420802010, ret=<optimized
> out>)
> at ../softmmu/dma-helpers.c:179
> #2 0x00005595ace6f778 in dma_blk_io (ctx=0x5595ae0609f0,
> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512,
> io_func=io_func@entry=0x5595ace6ee30 <dma_blk_write_io_func>,
> io_func_opaque=io_func_opaque@entry=0x5595ae2c6c30,
> cb=0x5595acd40b30 <ide_dma_cb>, opaque=0x5595af6949d0,
> dir=DMA_DIRECTION_TO_DEVICE) at ../softmmu/dma-helpers.c:244
> #3 0x00005595ace6f90a in dma_blk_write (blk=0x5595ae2c6c30,
> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512,
> cb=cb@entry=0x5595acd40b30 <ide_dma_cb>,
> opaque=opaque@entry=0x5595af6949d0)
> at ../softmmu/dma-helpers.c:280
> #4 0x00005595acd40e18 in ide_dma_cb (opaque=0x5595af6949d0, ret=<optimized
> out>)
> at ../hw/ide/core.c:953
> #5 0x00005595ace6f319 in dma_complete (ret=0, dbs=0x7f64600089a0)
> at ../softmmu/dma-helpers.c:107
> #6 dma_blk_cb (opaque=0x7f64600089a0, ret=0) at ../softmmu/dma-helpers.c:127
> #7 0x00005595ad12227d in blk_aio_complete (acb=0x7f6460005b10)
> at ../block/block-backend.c:1527
> #8 blk_aio_complete (acb=0x7f6460005b10) at ../block/block-backend.c:1524
> #9 blk_aio_write_entry (opaque=0x7f6460005b10) at
> ../block/block-backend.c:1594
> #10 0x00005595ad258cfb in coroutine_trampoline (i0=<optimized out>,
> i1=<optimized out>) at ../util/coroutine-ucontext.c:177
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: simon.rowe@nutanix.com
Message-ID: <20230906130922.142845-1-f.ebner@proxmox.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit 7d7512019fc40c577e2bdd61f114f31a9eb84a8e)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 963ea682519ea644535b588cc8b86e5c189e8328
https://github.com/qemu/qemu/commit/963ea682519ea644535b588cc8b86e5c189e8328
Author: Fiona Ebner <f.ebner@proxmox.com>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M tests/qtest/ahci-test.c
Log Message:
-----------
tests/qtest: ahci-test: add test exposing reset issue with pending callback
Before commit "hw/ide: reset: cancel async DMA operation before
resetting state", this test would fail, because a reset with a
pending write operation would lead to an unsolicited write to the
first sector of the disk.
The test writes a pattern to the beginning of the disk and verifies
that it is still intact after a reset with a pending operation. It
also checks that the pending operation actually completes correctly.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Message-ID: <20230906130922.142845-2-f.ebner@proxmox.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit cc610857bbd3551f4b86ae2299336b5d9aa0db2b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: d2a098bc860a9468dc46db9e6d8764beef260936
https://github.com/qemu/qemu/commit/d2a098bc860a9468dc46db9e6d8764beef260936
Author: Ilya Leoshkevich <iii@linux.ibm.com>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M target/s390x/tcg/insn-data.h.inc
M target/s390x/tcg/translate.c
Log Message:
-----------
target/s390x: Fix LAALG not updating cc_src
LAALG uses op_laa() and wout_addu64(). The latter expects cc_src to be
set, but the former does not do it. This can lead to assertion failures
if something sets cc_src to neither 0 nor 1 before.
Fix by introducing op_laa_addu64(), which sets cc_src, and using it for
LAALG.
Fixes: 4dba4d6fef61 ("target/s390x: Use atomic operations for LOAD AND OP")
Cc: qemu-stable@nongnu.org
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20231106093605.1349201-4-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit bea402482a8c94389638cbd3d7fe3963fb317f4c)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 329a3806ad451e04156b0a249eeba2e1d794c24a
https://github.com/qemu/qemu/commit/329a3806ad451e04156b0a249eeba2e1d794c24a
Author: Ilya Leoshkevich <iii@linux.ibm.com>
Date: 2023-11-08 (Wed, 08 Nov 2023)
Changed paths:
M tests/tcg/s390x/Makefile.target
A tests/tcg/s390x/laalg.c
Log Message:
-----------
tests/tcg/s390x: Test LAALG with negative cc_src
Add a small test to prevent regressions.
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20231106093605.1349201-5-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit ebc14107f1f3ac1db13132cd28cf94adcd38e5d7)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: context fix in tests/tcg/s390x/Makefile.target)
Commit: 6e021651ff100358812c4bb785055d91dccfca7a
https://github.com/qemu/qemu/commit/6e021651ff100358812c4bb785055d91dccfca7a
Author: Niklas Cassel <niklas.cassel@wdc.com>
Date: 2023-11-09 (Thu, 09 Nov 2023)
Changed paths:
M hw/ide/ahci.c
Log Message:
-----------
hw/ide/ahci: trigger either error IRQ or regular IRQ, not both
According to AHCI 1.3.1, 5.3.8.1 RegFIS:Entry, if ERR_STAT is set,
we jump to state ERR:FatalTaskfile, which will raise a TFES IRQ
unconditionally, regardless if the I bit is set in the FIS or not.
Thus, we should never raise a normal IRQ after having sent an error
IRQ.
NOTE: for QEMU platforms that use SeaBIOS, this patch depends on QEMU
commit 784155cdcb02 ("seabios: update submodule to git snapshot"), and
QEMU commit 14f5a7bae4cb ("seabios: update binaries to git snapshot"),
which update SeaBIOS to a version that contains SeaBIOS commit 1281e340
("ahci: handle TFES irq correctly").
Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
Message-ID: <20231011131220.1992064-1-nks@flawful.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit b523a3d54f3d031a54cd0931cc5d855608e63140)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Compare: https://github.com/qemu/qemu/compare/7be98a058341...6e021651ff10
- [Qemu-commits] [qemu/qemu] b960bf: hw/ppc: Introduce functions for conversion between...,
Niklas Cassel <=