[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] ef7402: accel/tcg: Revert mapping of PCREL tr
|
From: |
Peter Maydell |
|
Subject: |
[Qemu-commits] [qemu/qemu] ef7402: accel/tcg: Revert mapping of PCREL translation blo... |
|
Date: |
Sat, 27 Jan 2024 09:51:10 -0800 |
Branch: refs/heads/staging-8.2
Home: https://github.com/qemu/qemu
Commit: ef74024b76bf285e247add8538c11cb3c7399a1a
https://github.com/qemu/qemu/commit/ef74024b76bf285e247add8538c11cb3c7399a1a
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: 2024-01-25 (Thu, 25 Jan 2024)
Changed paths:
M accel/tcg/cpu-exec.c
M accel/tcg/tb-maint.c
M accel/tcg/translate-all.c
Log Message:
-----------
accel/tcg: Revert mapping of PCREL translation block to multiple virtual
addresses
This is causing regressions that have not been analyzed yet. Revert the
change on stable branches.
Cc: qemu-stable@nongnu.org
Cc: Michael Tokarev <mjt@tls.msk.ru>
Related: https://gitlab.com/qemu-project/qemu/-/issues/2092
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 005d7236dba9434afdbcb8e2e174364cd330a2c4
https://github.com/qemu/qemu/commit/005d7236dba9434afdbcb8e2e174364cd330a2c4
Author: Richard Henderson <richard.henderson@linaro.org>
Date: 2024-01-25 (Thu, 25 Jan 2024)
Changed paths:
M tcg/s390x/tcg-target.c.inc
Log Message:
-----------
tcg/s390x: Fix encoding of VRIc, VRSa, VRSc insns
While the format names the second vector register 'v3',
it is still in the second position (bits 12-15) and
the argument to RXB must match.
Example error:
- e7 00 00 10 2a 33 verllf %v16,%v0,16
+ e7 00 00 10 2c 33 verllf %v16,%v16,16
Cc: qemu-stable@nongnu.org
Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Fixes: 22cb37b4172 ("tcg/s390x: Implement vector shift operations")
Fixes: 79cada8693d ("tcg/s390x: Implement tcg_out_dup*_vec")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2054
Reviewed-by: Thomas Huth <thuth@redhat.com>
Tested-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <20240117213646.159697-2-richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit c1ddc18f37108498f45d57afd6bf33a23b703648)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: f413f9fcc923083a7db038e32964148cf74134e6
https://github.com/qemu/qemu/commit/f413f9fcc923083a7db038e32964148cf74134e6
Author: Akihiko Odaki <akihiko.odaki@daynix.com>
Date: 2024-01-25 (Thu, 25 Jan 2024)
Changed paths:
M util/coroutine-ucontext.c
Log Message:
-----------
coroutine-ucontext: Save fake stack for pooled coroutine
Coroutine may be pooled even after COROUTINE_TERMINATE if
CONFIG_COROUTINE_POOL is enabled and fake stack should be saved in
such a case to keep AddressSanitizerUseAfterReturn working. Even worse,
I'm seeing stack corruption without fake stack being saved.
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20240117-asan-v2-1-26f9e1ea6e72@daynix.com>
(cherry picked from commit d9945ccda08ef83b09ac7725b6ee2d1959f2c0c0)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 99dd4a1563022338229791df41b42e320a38581b
https://github.com/qemu/qemu/commit/99dd4a1563022338229791df41b42e320a38581b
Author: Fiona Ebner <f.ebner@proxmox.com>
Date: 2024-01-25 (Thu, 25 Jan 2024)
Changed paths:
M block/io.c
Log Message:
-----------
block/io: clear BDRV_BLOCK_RECURSE flag after recursing in
bdrv_co_block_status
Using fleecing backup like in [0] on a qcow2 image (with metadata
preallocation) can lead to the following assertion failure:
> bdrv_co_do_block_status: Assertion `!(ret & BDRV_BLOCK_ZERO)' failed.
In the reproducer [0], it happens because the BDRV_BLOCK_RECURSE flag
will be set by the qcow2 driver, so the caller will recursively check
the file child. Then the BDRV_BLOCK_ZERO set too. Later up the call
chain, in bdrv_co_do_block_status() for the snapshot-access driver,
the assertion failure will happen, because both flags are set.
To fix it, clear the recurse flag after the recursive check was done.
In detail:
> #0 qcow2_co_block_status
Returns 0x45 = BDRV_BLOCK_RECURSE | BDRV_BLOCK_DATA |
BDRV_BLOCK_OFFSET_VALID.
> #1 bdrv_co_do_block_status
Because of the data flag, bdrv_co_do_block_status() will now also set
BDRV_BLOCK_ALLOCATED. Because of the recurse flag,
bdrv_co_do_block_status() for the bdrv_file child will be called,
which returns 0x16 = BDRV_BLOCK_ALLOCATED | BDRV_BLOCK_OFFSET_VALID |
BDRV_BLOCK_ZERO. Now the return value inherits the zero flag.
Returns 0x57 = BDRV_BLOCK_RECURSE | BDRV_BLOCK_DATA |
BDRV_BLOCK_OFFSET_VALID | BDRV_BLOCK_ALLOCATED | BDRV_BLOCK_ZERO.
> #2 bdrv_co_common_block_status_above
> #3 bdrv_co_block_status_above
> #4 bdrv_co_block_status
> #5 cbw_co_snapshot_block_status
> #6 bdrv_co_snapshot_block_status
> #7 snapshot_access_co_block_status
> #8 bdrv_co_do_block_status
Return value is propagated all the way up to here, where the assertion
failure happens, because BDRV_BLOCK_RECURSE and BDRV_BLOCK_ZERO are
both set.
> #9 bdrv_co_common_block_status_above
> #10 bdrv_co_block_status_above
> #11 block_copy_block_status
> #12 block_copy_dirty_clusters
> #13 block_copy_common
> #14 block_copy_async_co_entry
> #15 coroutine_trampoline
[0]:
> #!/bin/bash
> rm /tmp/disk.qcow2
> ./qemu-img create /tmp/disk.qcow2 -o preallocation=metadata -f qcow2 1G
> ./qemu-img create /tmp/fleecing.qcow2 -f qcow2 1G
> ./qemu-img create /tmp/backup.qcow2 -f qcow2 1G
> ./qemu-system-x86_64 --qmp stdio \
> --blockdev
> qcow2,node-name=node0,file.driver=file,file.filename=/tmp/disk.qcow2 \
> --blockdev
> qcow2,node-name=node1,file.driver=file,file.filename=/tmp/fleecing.qcow2 \
> --blockdev
> qcow2,node-name=node2,file.driver=file,file.filename=/tmp/backup.qcow2 \
> <<EOF
> {"execute": "qmp_capabilities"}
> {"execute": "blockdev-add", "arguments": { "driver": "copy-before-write",
> "file": "node0", "target": "node1", "node-name": "node3" } }
> {"execute": "blockdev-add", "arguments": { "driver": "snapshot-access",
> "file": "node3", "node-name": "snap0" } }
> {"execute": "blockdev-backup", "arguments": { "device": "snap0", "target":
> "node1", "sync": "full", "job-id": "backup0" } }
> EOF
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Message-id: 20240116154839.401030-1-f.ebner@proxmox.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 8a9be7992426c8920d4178e7dca59306a18c7a3a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 8bdd3abcf1c989ebe4428190e5789dfbbdf6c6ca
https://github.com/qemu/qemu/commit/8bdd3abcf1c989ebe4428190e5789dfbbdf6c6ca
Author: Robbin Ehn <rehn@rivosinc.com>
Date: 2024-01-25 (Thu, 25 Jan 2024)
Changed paths:
M linux-user/signal.c
Log Message:
-----------
linux-user: Fixed cpu restore with pc 0 on SIGBUS
Commit f4e1168198 (linux-user: Split out host_sig{segv,bus}_handler)
introduced a bug, when returning from host_sigbus_handler the PC is
never set. Thus cpu_loop_exit_restore is called with a zero PC and
we immediate get a SIGSEGV.
Signed-off-by: Robbin Ehn <rehn@rivosinc.com>
Fixes: f4e1168198 ("linux-user: Split out host_sig{segv,bus}_handler")
Reviewed-by: Palmer Dabbelt <palmer@rivosinc.com>
Message-Id: <33f27425878fb529b9e39ef22c303f6e0d90525f.camel@rivosinc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 6d913158b5023ac948b8fd649d77fc86e28072f6)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 1e0f028de71dc6aea7103b40281d32f4f0ebbbb9
https://github.com/qemu/qemu/commit/1e0f028de71dc6aea7103b40281d32f4f0ebbbb9
Author: Richard Henderson <richard.henderson@linaro.org>
Date: 2024-01-25 (Thu, 25 Jan 2024)
Changed paths:
M linux-user/riscv/vdso-32.so
M linux-user/riscv/vdso-64.so
M linux-user/riscv/vdso.S
Log Message:
-----------
linux-user/riscv: Adjust vdso signal frame cfa offsets
A typo in sizeof_reg put the registers at the wrong offset.
Simplify the expressions to use positive addresses from the
start of uc_mcontext instead of negative addresses from the
end of uc_mcontext.
Reported-by: Vineet Gupta <vineetg@rivosinc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 1b21fe27e75a59bfe2513f5abcc6a18cfc35cfc8)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 6f6492ab070f10843c881690cacc3bf2e051f9e5
https://github.com/qemu/qemu/commit/6f6492ab070f10843c881690cacc3bf2e051f9e5
Author: Joseph Burt <caseorum@gmail.com>
Date: 2024-01-25 (Thu, 25 Jan 2024)
Changed paths:
M tcg/arm/tcg-target.c.inc
Log Message:
-----------
tcg/arm: Fix SIGILL in tcg_out_qemu_st_direct
When tcg_out_qemu_st_{index,direct} were merged, the direct case for
MO_64 was omitted, causing qemu_st_i64 to be encoded as 0xffffffff due
to underflow when adding h.base and h.index.
Fixes: 1df6d611bdc2 ("tcg/arm: Introduce HostAddress")
Signed-off-by: Joseph Burt <caseorum@gmail.com>
Message-Id: <20240121211439.100829-1-caseorum@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 9f6523e8e4689cafdbed7c10b7cf7c775b5a607b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 939a09575fff7048446e36ce438fa7be6e251d41
https://github.com/qemu/qemu/commit/939a09575fff7048446e36ce438fa7be6e251d41
Author: Jason Wang <jasowang@redhat.com>
Date: 2024-01-26 (Fri, 26 Jan 2024)
Changed paths:
M hw/net/virtio-net.c
Log Message:
-----------
virtio-net: correctly copy vnet header when flushing TX
When HASH_REPORT is negotiated, the guest_hdr_len might be larger than
the size of the mergeable rx buffer header. Using
virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack
overflow in this case. Fixing this by using virtio_net_hdr_v1_hash
instead.
Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn>
Cc: Yuri Benditovich <yuri.benditovich@daynix.com>
Cc: qemu-stable@nongnu.org
Cc: Mauro Matteo Cascella <mcascell@redhat.com>
Fixes: CVE-2023-6693
Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report")
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 2220e8189fb94068dbad333228659fbac819abb0)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: cf70966523fd6c13ce1fff764eac0e1bfdf785a3
https://github.com/qemu/qemu/commit/cf70966523fd6c13ce1fff764eac0e1bfdf785a3
Author: Ari Sundholm <ari@tuxera.com>
Date: 2024-01-26 (Fri, 26 Jan 2024)
Changed paths:
M block/blklogwrites.c
Log Message:
-----------
block/blklogwrites: Fix a bug when logging "write zeroes" operations.
There is a bug in the blklogwrites driver pertaining to logging "write
zeroes" operations, causing log corruption. This can be easily observed
by setting detect-zeroes to something other than "off" for the driver.
The issue is caused by a concurrency bug pertaining to the fact that
"write zeroes" operations have to be logged in two parts: first the log
entry metadata, then the zeroed-out region. While the log entry
metadata is being written by bdrv_co_pwritev(), another operation may
begin in the meanwhile and modify the state of the blklogwrites driver.
This is as intended by the coroutine-driven I/O model in QEMU, of
course.
Unfortunately, this specific scenario is mishandled. A short example:
1. Initially, in the current operation (#1), the current log sector
number in the driver state is only incremented by the number of sectors
taken by the log entry metadata, after which the log entry metadata is
written. The current operation yields.
2. Another operation (#2) may start while the log entry metadata is
being written. It uses the current log position as the start offset for
its log entry. This is in the sector right after the operation #1 log
entry metadata, which is bad!
3. After bdrv_co_pwritev() returns (#1), the current log sector
number is reread from the driver state in order to find out the start
offset for bdrv_co_pwrite_zeroes(). This is an obvious blunder, as the
offset will be the sector right after the (misplaced) operation #2 log
entry, which means that the zeroed-out region begins at the wrong
offset.
4. As a result of the above, the log is corrupt.
Fix this by only reading the driver metadata once, computing the
offsets and sizes in one go (including the optional zeroed-out region)
and setting the log sector number to the appropriate value for the next
operation in line.
Signed-off-by: Ari Sundholm <ari@tuxera.com>
Cc: qemu-stable@nongnu.org
Message-ID: <20240109184646.1128475-1-megari@gmx.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit a9c8ea95470c27a8a02062b67f9fa6940e828ab6)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: d7a64c4517c2b59429ac7edea7c2b52e4806e135
https://github.com/qemu/qemu/commit/d7a64c4517c2b59429ac7edea7c2b52e4806e135
Author: Stefan Hajnoczi <stefanha@redhat.com>
Date: 2024-01-26 (Fri, 26 Jan 2024)
Changed paths:
M tests/qemu-iotests/iotests.py
Log Message:
-----------
iotests: add filter_qmp_generated_node_ids()
Add a filter function for QMP responses that contain QEMU's
automatically generated node ids. The ids change between runs and must
be masked in the reference output.
The next commit will use this new function.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20240118144823.1497953-2-stefanha@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit da62b507a20510d819bcfbe8f5e573409b954006)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 823892d19f6b79dc44ac1a885a9ceed0bd0965e7
https://github.com/qemu/qemu/commit/823892d19f6b79dc44ac1a885a9ceed0bd0965e7
Author: Stefan Hajnoczi <stefanha@redhat.com>
Date: 2024-01-26 (Fri, 26 Jan 2024)
Changed paths:
M tests/qemu-iotests/141
M tests/qemu-iotests/141.out
Log Message:
-----------
iotests: port 141 to Python for reliable QMP testing
The common.qemu bash functions allow tests to interact with the QMP
monitor of a QEMU process. I spent two days trying to update 141 when
the order of the test output changed, but found it would still fail
occassionally because printf() and QMP events race with synchronous QMP
communication.
I gave up and ported 141 to the existing Python API for QMP tests. The
Python API is less affected by the order in which QEMU prints output
because it does not print all QMP traffic by default.
The next commit changes the order in which QMP messages are received.
Make 141 reliable first.
Cc: Hanna Czenczek <hreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20240118144823.1497953-3-stefanha@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 9ee2dd4c22a3639c5462b3fc20df60c005c3de64)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: f389309d2937e66960dd371014a1971678fb4ce7
https://github.com/qemu/qemu/commit/f389309d2937e66960dd371014a1971678fb4ce7
Author: Stefan Hajnoczi <stefanha@redhat.com>
Date: 2024-01-26 (Fri, 26 Jan 2024)
Changed paths:
M monitor/qmp.c
M qapi/qmp-dispatch.c
M tests/qemu-iotests/060.out
M tests/qemu-iotests/071.out
M tests/qemu-iotests/081.out
M tests/qemu-iotests/087.out
M tests/qemu-iotests/108.out
M tests/qemu-iotests/109
M tests/qemu-iotests/109.out
M tests/qemu-iotests/117.out
M tests/qemu-iotests/120.out
M tests/qemu-iotests/127.out
M tests/qemu-iotests/140.out
M tests/qemu-iotests/143.out
M tests/qemu-iotests/156.out
M tests/qemu-iotests/176.out
M tests/qemu-iotests/182.out
M tests/qemu-iotests/183.out
M tests/qemu-iotests/184.out
M tests/qemu-iotests/185
M tests/qemu-iotests/185.out
M tests/qemu-iotests/191.out
M tests/qemu-iotests/195.out
M tests/qemu-iotests/223.out
M tests/qemu-iotests/227.out
M tests/qemu-iotests/247.out
M tests/qemu-iotests/273.out
M tests/qemu-iotests/308
M tests/qemu-iotests/308.out
M tests/qemu-iotests/tests/file-io-error
M tests/qemu-iotests/tests/iothreads-resize.out
M tests/qemu-iotests/tests/qsd-jobs.out
Log Message:
-----------
monitor: only run coroutine commands in qemu_aio_context
monitor_qmp_dispatcher_co() runs in the iohandler AioContext that is not
polled during nested event loops. The coroutine currently reschedules
itself in the main loop's qemu_aio_context AioContext, which is polled
during nested event loops. One known problem is that QMP device-add
calls drain_call_rcu(), which temporarily drops the BQL, leading to all
sorts of havoc like other vCPU threads re-entering device emulation code
while another vCPU thread is waiting in device emulation code with
aio_poll().
Paolo Bonzini suggested running non-coroutine QMP handlers in the
iohandler AioContext. This avoids trouble with nested event loops. His
original idea was to move coroutine rescheduling to
monitor_qmp_dispatch(), but I resorted to moving it to qmp_dispatch()
because we don't know if the QMP handler needs to run in coroutine
context in monitor_qmp_dispatch(). monitor_qmp_dispatch() would have
been nicer since it's associated with the monitor implementation and not
as general as qmp_dispatch(), which is also used by qemu-ga.
A number of qemu-iotests need updated .out files because the order of
QMP events vs QMP responses has changed.
Solves Issue #1933.
Cc: qemu-stable@nongnu.org
Fixes: 7bed89958bfbf40df9ca681cefbdca63abdde39d ("device_core: use
drain_call_rcu in in qmp_device_add")
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2215192
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2214985
Buglink: https://issues.redhat.com/browse/RHEL-17369
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20240118144823.1497953-4-stefanha@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Tested-by: Fiona Ebner <f.ebner@proxmox.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit effd60c878176bcaf97fa7ce2b12d04bb8ead6f7)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: ce34d02f91a10b43940e8ed186c9c334cb571a15
https://github.com/qemu/qemu/commit/ce34d02f91a10b43940e8ed186c9c334cb571a15
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2024-01-26 (Fri, 26 Jan 2024)
Changed paths:
M tests/qtest/meson.build
Log Message:
-----------
qtest: bump aspeed_smc-test timeout to 6 minutes
On a loaded system with --enable-debug, this test can take longer than
5 minutes. Raising the timeout to 6 minutes gives greater headroom for
such situations.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
[thuth: Increase the timeout to 6 minutes for very loaded systems]
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20231215070357.10888-11-thuth@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
(cherry picked from commit e8a12fe31f776c60fec993513cd1b1e66c2b8e29)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: context fixup in tests/qtest/meson.build)
Commit: 553e53b4421ed5b671dc79ab32e82cf7ba9ad229
https://github.com/qemu/qemu/commit/553e53b4421ed5b671dc79ab32e82cf7ba9ad229
Author: Max Filippov <jcmvbkbc@gmail.com>
Date: 2024-01-27 (Sat, 27 Jan 2024)
Changed paths:
M target/xtensa/mmu_helper.c
Log Message:
-----------
target/xtensa: fix OOB TLB entry access
r[id]tlb[01], [iw][id]tlb opcodes use TLB way index passed in a register
by the guest. The host uses 3 bits of the index for ITLB indexing and 4
bits for DTLB, but there's only 7 entries in the ITLB array and 10 in
the DTLB array, so a malicious guest may trigger out-of-bound access to
these arrays.
Change split_tlb_entry_spec return type to bool to indicate whether TLB
way passed to it is valid. Change get_tlb_entry to return NULL in case
invalid TLB way is requested. Add assertion to xtensa_tlb_get_entry that
requested TLB way and entry indices are valid. Add checks to the
[rwi]tlb helpers that requested TLB way is valid and return 0 or do
nothing when it's not.
Cc: qemu-stable@nongnu.org
Fixes: b67ea0cd7441 ("target-xtensa: implement memory protection options")
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20231215120307.545381-1-jcmvbkbc@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 604927e357c2b292c70826e4ce42574ad126ef32)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 570e624426421a37fa97b04b1de2d096281530bb
https://github.com/qemu/qemu/commit/570e624426421a37fa97b04b1de2d096281530bb
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2024-01-27 (Sat, 27 Jan 2024)
Changed paths:
M target/arm/tcg/translate-a64.c
Log Message:
-----------
target/arm: Fix A64 scalar SQSHRN and SQRSHRN
In commit 1b7bc9b5c8bf374dd we changed handle_vec_simd_sqshrn() so
that instead of starting with a 0 value and depositing in each new
element from the narrowing operation, it instead started with the raw
result of the narrowing operation of the first element.
This is fine in the vector case, because the deposit operations for
the second and subsequent elements will always overwrite any higher
bits that might have been in the first element's result value in
tcg_rd. However in the scalar case we only go through this loop
once. The effect is that for a signed narrowing operation, if the
result is negative then we will now return a value where the bits
above the first element are incorrectly 1 (because the narrowfn
returns a sign-extended result, not one that is truncated to the
element size).
Fix this by using an extract operation to get exactly the correct
bits of the output of the narrowfn for element 1, instead of a
plain move.
Cc: qemu-stable@nongnu.org
Fixes: 1b7bc9b5c8bf374dd3 ("target/arm: Avoid tcg_const_ptr in
handle_vec_simd_sqshrn")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2089
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240123153416.877308-1-peter.maydell@linaro.org
(cherry picked from commit 6fffc8378562c7fea6290c430b4f653f830a4c1a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Commit: 45b3ce5e83a6e6677ed9197ed203d6076d25848e
https://github.com/qemu/qemu/commit/45b3ce5e83a6e6677ed9197ed203d6076d25848e
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2024-01-27 (Sat, 27 Jan 2024)
Changed paths:
M target/arm/cpu-features.h
Log Message:
-----------
target/arm: Fix incorrect aa64_tidcp1 feature check
A typo in the implementation of isar_feature_aa64_tidcp1() means we
were checking the field in the wrong ID register, so we might have
provided the feature on CPUs that don't have it and not provided
it on CPUs that should have it. Correct this bug.
Cc: qemu-stable@nongnu.org
Fixes: 9cd0c0dec97be9 "target/arm: Implement FEAT_TIDCP1"
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2120
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240123160333.958841-1-peter.maydell@linaro.org
(cherry picked from commit ee0a2e3c9d2991a11c13ffadb15e4d0add43c257)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Compare: https://github.com/qemu/qemu/compare/5e4e438f9d60...45b3ce5e83a6
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-commits] [qemu/qemu] ef7402: accel/tcg: Revert mapping of PCREL translation blo...,
Peter Maydell <=