Branch: refs/heads/staging-9.0
Home: https://github.com/qemu/qemu
Commit: fb355214485a0255d201ff22acc00a58c260bf66
https://github.com/qemu/qemu/commit/fb355214485a0255d201ff22acc00a58c260bf66
Author: Fiona Ebner <f.eb...@proxmox.com>
Date: 2024-07-19 (Fri, 19 Jul 2024)
Changed paths:
M hw/scsi/lsi53c895a.c
Log Message:
-----------
hw/scsi/lsi53c895a: bump instruction limit in scripts processing to fix
regression
Commit 9876359990 ("hw/scsi/lsi53c895a: add timer to scripts
processing") reduced the maximum allowed instruction count by
a factor of 100 all the way down to 100.
This causes the "Check Point R81.20 Gaia" appliance [0] to fail to
boot after fully finishing the installation via the appliance's web
interface (there is already one reboot before that).
With a limit of 150, the appliance still fails to boot, while with a
limit of 200, it works. Bump to 500 to fix the regression and be on
the safe side.
Originally reported in the Proxmox community forum[1].
[0]: https://support.checkpoint.com/results/download/124397
[1]: https://forum.proxmox.com/threads/149772/post-683459
Cc: qemu-sta...@nongnu.org
Fixes: 9876359990 ("hw/scsi/lsi53c895a: add timer to scripts processing")
Signed-off-by: Fiona Ebner <f.eb...@proxmox.com>
Acked-by: Sven Schnelle <sv...@stackframe.org>
Link: https://lore.kernel.org/r/20240715131403.223239-1-f.eb...@proxmox.com
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
(cherry picked from commit a4975023fb13cf229bd59c9ceec1b8cbdc5b9a20)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 34ac08aa1c05c86640eaf447e74ad822cd7cc6bc
https://github.com/qemu/qemu/commit/34ac08aa1c05c86640eaf447e74ad822cd7cc6bc
Author: Fiona Ebner <f.eb...@proxmox.com>
Date: 2024-07-19 (Fri, 19 Jul 2024)
Changed paths:
M hw/scsi/scsi-bus.c
Log Message:
-----------
scsi: fix regression and honor bootindex again for legacy drives
Commit 3089637461 ("scsi: Don't ignore most usb-storage properties")
removed the call to object_property_set_int() and thus the 'set'
method for the bootindex property was also not called anymore. Here
that method is device_set_bootindex() (as configured by
scsi_dev_instance_init() -> device_add_bootindex_property()) which as
a side effect registers the device via add_boot_device_path().
As reported by a downstream user [0], the bootindex property did not
have the desired effect anymore for legacy drives. Fix the regression
by explicitly calling the add_boot_device_path() function after
checking that the bootindex is not yet used (to avoid
add_boot_device_path() calling exit()).
[0]: https://forum.proxmox.com/threads/149772/post-679433
Cc: qemu-sta...@nongnu.org
Fixes: 3089637461 ("scsi: Don't ignore most usb-storage properties")
Suggested-by: Kevin Wolf <kw...@redhat.com>
Signed-off-by: Fiona Ebner <f.eb...@proxmox.com>
Link: https://lore.kernel.org/r/20240710152529.1737407-1-f.eb...@proxmox.com
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
(cherry picked from commit 57a8a80d1a5b28797b21d30bfc60601945820e51)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: ab32beaa8e17de1731be2a7950a3da3a629ff43c
https://github.com/qemu/qemu/commit/ab32beaa8e17de1731be2a7950a3da3a629ff43c
Author: Markus Armbruster <arm...@redhat.com>
Date: 2024-07-19 (Fri, 19 Jul 2024)
Changed paths:
M qapi/qom.json
Log Message:
-----------
qapi/qom: Document feature unstable of @x-vfio-user-server
Commit 8f9a9259d32c added ObjectType member @x-vfio-user-server with
feature unstable, but neglected to explain why it is unstable. Do
that now.
Fixes: 8f9a9259d32c (vfio-user: define vfio-user-server object)
Cc: Elena Ufimtseva <elena.ufimts...@oracle.com>
Cc: John G Johnson <john.g.john...@oracle.com>
Cc: Jagannathan Raman <jag.ra...@oracle.com>
Cc: qemu-sta...@nongnu.org
Signed-off-by: Markus Armbruster <arm...@redhat.com>
Message-ID: <20240703095310.1242102-1-arm...@redhat.com>
Reviewed-by: John Snow <js...@redhat.com>
[Indentation fixed]
(cherry picked from commit 3becc939081097ccfed6968771f33d65ce8551eb)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: c68b380b629ca923252f8946ff0addfb4fc94925
https://github.com/qemu/qemu/commit/c68b380b629ca923252f8946ff0addfb4fc94925
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2024-07-19 (Fri, 19 Jul 2024)
Changed paths:
M target/arm/tcg/a64.decode
Log Message:
-----------
target/arm: Fix handling of LDAPR/STLR with negative offset
When we converted the LDAPR/STLR instructions to decodetree we
accidentally introduced a regression where the offset is negative.
The 9-bit immediate field is signed, and the old hand decoder
correctly used sextract32() to get it out of the insn word,
but the ldapr_stlr_i pattern in the decode file used "imm:9"
instead of "imm:s9", so it treated the field as unsigned.
Fix the pattern to treat the field as a signed immediate.
Cc: qemu-sta...@nongnu.org
Fixes: 2521b6073b7 ("target/arm: Convert LDAPR/STLR (imm) to decodetree")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2419
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Message-id: 20240709134504.3500007-2-peter.mayd...@linaro.org
(cherry picked from commit 5669d26ec614b3f4c56cf1489b9095ed327938b1)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 50ecd5b1fdfb1bc4bba677023c213d2cc8763cec
https://github.com/qemu/qemu/commit/50ecd5b1fdfb1bc4bba677023c213d2cc8763cec
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2024-07-19 (Fri, 19 Jul 2024)
Changed paths:
M target/arm/tcg/translate-a64.c
Log Message:
-----------
target/arm: LDAPR should honour SCTLR_ELx.nAA
In commit c1a1f80518d360b when we added the FEAT_LSE2 relaxations to
the alignment requirements for atomic and ordered loads and stores,
we didn't quite get it right for LDAPR/LDAPRH/LDAPRB with no
immediate offset. These instructions were handled in the old decoder
as part of disas_ldst_atomic(), but unlike all the other insns that
function decoded (LDADD, LDCLR, etc) these insns are "ordered", not
"atomic", so they should be using check_ordered_align() rather than
check_atomic_align(). Commit c1a1f80518d360b used
check_atomic_align() regardless for everything in
disas_ldst_atomic(). We then carried that incorrect check over in
the decodetree conversion, where LDAPR/LDAPRH/LDAPRB are now handled
by trans_LDAPR().
The effect is that when FEAT_LSE2 is implemented, these instructions
don't honour the SCTLR_ELx.nAA bit and will generate alignment
faults when they should not.
(The LDAPR insns with an immediate offset were in disas_ldst_ldapr_stlr()
and then in trans_LDAPR_i() and trans_STLR_i(), and have always used
the correct check_ordered_align().)
Use check_ordered_align() in trans_LDAPR().
Cc: qemu-sta...@nongnu.org
Fixes: c1a1f80518d360b ("target/arm: Relax ordered/atomic alignment checks for
LSE2")
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Message-id: 20240709134504.3500007-3-peter.mayd...@linaro.org
(cherry picked from commit 25489b521b61b874c4c6583956db0012a3674e3a)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 0169889dcacd9c32e1d626acb56edb14f083c5ab
https://github.com/qemu/qemu/commit/0169889dcacd9c32e1d626acb56edb14f083c5ab
Author: Daniyal Khan <danikhan...@gmail.com>
Date: 2024-07-19 (Fri, 19 Jul 2024)
Changed paths:
M target/arm/tcg/sme_helper.c
Log Message:
-----------
target/arm: Use float_status copy in sme_fmopa_s
We made a copy above because the fp exception flags
are not propagated back to the FPST register, but
then failed to use the copy.
Cc: qemu-sta...@nongnu.org
Fixes: 558e956c719 ("target/arm: Implement FMOPA, FMOPS (non-widening)")
Signed-off-by: Daniyal Khan <danikhan...@gmail.com>
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Reviewed-by: Alex Bennée <alex.ben...@linaro.org>
Message-id: 20240717060149.204788-2-richard.hender...@linaro.org
[rth: Split from a larger patch]
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Reviewed-by: Alex Bennée <alex.ben...@linaro.org>
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
(cherry picked from commit 31d93fedf41c24b0badb38cd9317590d1ef74e37)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 43929c818c4b9e9e2d7601d254004303b7aa0971
https://github.com/qemu/qemu/commit/43929c818c4b9e9e2d7601d254004303b7aa0971
Author: Richard Henderson <richard.hender...@linaro.org>
Date: 2024-07-19 (Fri, 19 Jul 2024)
Changed paths:
M target/arm/tcg/translate-sme.c
Log Message:
-----------
target/arm: Use FPST_F16 for SME FMOPA (widening)
This operation has float16 inputs and thus must use
the FZ16 control not the FZ control.
Cc: qemu-sta...@nongnu.org
Fixes: 3916841ac75 ("target/arm: Implement FMOPA, FMOPS (widening)")
Reported-by: Daniyal Khan <danikhan...@gmail.com>
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
Reviewed-by: Alex Bennée <alex.ben...@linaro.org>
Message-id: 20240717060149.204788-3-richard.hender...@linaro.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2374
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
Reviewed-by: Alex Bennée <alex.ben...@linaro.org>
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
(cherry picked from commit 207d30b5fdb5b45a36f26eefcf52fe2c1714dd4f)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 44304ff1a80d6c1f740d5b44377a7adfe387da27
https://github.com/qemu/qemu/commit/44304ff1a80d6c1f740d5b44377a7adfe387da27
Author: Akihiko Odaki <akihiko.od...@daynix.com>
Date: 2024-07-19 (Fri, 19 Jul 2024)
Changed paths:
M target/arm/hvf/hvf.c
Log Message:
-----------
hvf: arm: Do not advance PC when raising an exception
hvf did not advance PC when raising an exception for most unhandled
system registers, but it mistakenly advanced PC when raising an
exception for GICv3 registers.
Cc: qemu-sta...@nongnu.org
Fixes: a2260983c655 ("hvf: arm: Add support for GICv3")
Signed-off-by: Akihiko Odaki <akihiko.od...@daynix.com>
Message-id: 20240716-pmu-v3-4-8c7c1858a...@daynix.com
Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
(cherry picked from commit 30a1690f2402e6c1582d5b3ebcf7940bfe2fad4b)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 7676498754fe50904113723c469f2037632358d9
https://github.com/qemu/qemu/commit/7676498754fe50904113723c469f2037632358d9
Author: Zheyu Ma <zheyum...@gmail.com>
Date: 2024-07-23 (Tue, 23 Jul 2024)
Changed paths:
M hw/nvme/ctrl.c
Log Message:
-----------
hw/nvme: fix memory leak in nvme_dsm
The allocated memory to hold LBA ranges leaks in the nvme_dsm function. This
happens because the allocated memory for iocb->range is not freed in all
error handling paths.
Fix this by adding a free to ensure that the allocated memory is properly freed.
ASAN log:
==3075137==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 480 byte(s) in 6 object(s) allocated from:
#0 0x55f1f8a0eddd in malloc
llvm/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
#1 0x7f531e0f6738 in g_malloc
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e738)
#2 0x55f1faf1f091 in blk_aio_get block/block-backend.c:2583:12
#3 0x55f1f945c74b in nvme_dsm hw/nvme/ctrl.c:2609:30
#4 0x55f1f945831b in nvme_io_cmd hw/nvme/ctrl.c:4470:16
#5 0x55f1f94561b7 in nvme_process_sq hw/nvme/ctrl.c:7039:29
Cc: qemu-sta...@nongnu.org
Fixes: d7d1474fd85d ("hw/nvme: reimplement dsm to allow cancellation")
Signed-off-by: Zheyu Ma <zheyum...@gmail.com>
Reviewed-by: Klaus Jensen <k.jen...@samsung.com>
Signed-off-by: Klaus Jensen <k.jen...@samsung.com>
(cherry picked from commit c510fe78f1b7c966524489d6ba752107423b20c8)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: e9e92433c8bd2c09cc6d5b15c6922cfd79a695eb
https://github.com/qemu/qemu/commit/e9e92433c8bd2c09cc6d5b15c6922cfd79a695eb
Author: Zhao Liu <zhao1....@intel.com>
Date: 2024-07-24 (Wed, 24 Jul 2024)
Changed paths:
M hw/cxl/cxl-host.c
Log Message:
-----------
hw/cxl/cxl-host: Fix segmentation fault when getting cxl-fmw property
QEMU crashes (Segmentation fault) when getting cxl-fmw property via
qmp:
(QEMU) qom-get path=machine property=cxl-fmw
This issue is caused by accessing wrong callback (opaque) type in
machine_get_cfmw().
cxl_machine_init() sets the callback as `CXLState *` type but
machine_get_cfmw() treats the callback as
`CXLFixedMemoryWindowOptionsList **`.
Fix this error by casting opaque to `CXLState *` type in
machine_get_cfmw().
Fixes: 03b39fcf64bc ("hw/cxl: Make the CXL fixed memory window setup a machine
parameter.")
Signed-off-by: Zhao Liu <zhao1....@intel.com>
Reviewed-by: Li Zhijian <lizhij...@fujitsu.com>
Reviewed-by: Xingtao Yao <yaoxt.f...@fujitsu.com>
Link:
https://lore.kernel.org/r/20240704093404.1848132-1-zhao1....@linux.intel.com
Signed-off-by: Jonathan Cameron <jonathan.came...@huawei.com>
Message-Id: <20240705113956.941732-2-jonathan.came...@huawei.com>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit a207d5f87d66f7933b50677e047498fc4af63e1f)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 6ef295cb1c67575a4ae291a5c756b82db0cf5bbe
https://github.com/qemu/qemu/commit/6ef295cb1c67575a4ae291a5c756b82db0cf5bbe
Author: Manos Pitsidianakis <manos.pitsidiana...@linaro.org>
Date: 2024-07-24 (Wed, 24 Jul 2024)
Changed paths:
M hw/audio/virtio-snd.c
Log Message:
-----------
virtio-snd: add max size bounds check in input cb
When reading input audio in the virtio-snd input callback,
virtio_snd_pcm_in_cb(), we do not check whether the iov can actually fit
the data buffer. This is because we use the buffer->size field as a
total-so-far accumulator instead of byte-size-left like in TX buffers.
This triggers an out of bounds write if the size of the virtio queue
element is equal to virtio_snd_pcm_status, which makes the available
space for audio data zero. This commit adds a check for reaching the
maximum buffer size before attempting any writes.
Reported-by: Zheyu Ma <zheyum...@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2427
Signed-off-by: Manos Pitsidianakis <manos.pitsidiana...@linaro.org>
Message-Id: <virtio-snd-fuzz-2427-fix-v1-manos.pitsidiana...@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 439009617e85f369756808c4e54c399583196d38
https://github.com/qemu/qemu/commit/439009617e85f369756808c4e54c399583196d38
Author: Manos Pitsidianakis <manos.pitsidiana...@linaro.org>
Date: 2024-07-24 (Wed, 24 Jul 2024)
Changed paths:
M hw/audio/virtio-snd.c
Log Message:
-----------
virtio-snd: check for invalid param shift operands
When setting the parameters of a PCM stream, we compute the bit flag
with the format and rate values as shift operand to check if they are
set in supported_formats and supported_rates.
If the guest provides a format/rate value which when shifting 1 results
in a value bigger than the number of bits in
supported_formats/supported_rates, we must report an error.
Previously, this ended up triggering the not reached assertions later
when converting to internal QEMU values.
Reported-by: Zheyu Ma <zheyum...@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2416
Signed-off-by: Manos Pitsidianakis <manos.pitsidiana...@linaro.org>
Message-Id: <virtio-snd-fuzz-2416-fix-v1-manos.pitsidiana...@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit 9b6083465fb8311f2410615f8303a41f580a2a20)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 485637f2821bda84bc28b0f532559e1cd3bc2de0
https://github.com/qemu/qemu/commit/485637f2821bda84bc28b0f532559e1cd3bc2de0
Author: Clément Mathieu--Drif <clement.mathieu--d...@eviden.com>
Date: 2024-07-24 (Wed, 24 Jul 2024)
Changed paths:
M hw/i386/intel_iommu_internal.h
Log Message:
-----------
intel_iommu: fix FRCD construction macro
The constant must be unsigned, otherwise the two's complement
overrides the other fields when a PASID is present.
Fixes: 1b2b12376c8a ("intel-iommu: PASID support")
Signed-off-by: Clément Mathieu--Drif <clement.mathieu--d...@eviden.com>
Reviewed-by: Yi Liu <yi.l....@intel.com>
Reviewed-by: Zhenzhong Duan <zhenzhong.d...@intel.com>
Reviewed-by: Minwoo Im <minwoo...@samsung.com>
Message-Id: <20240709142557.317271-2-clement.mathieu--d...@eviden.com>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit a3c8d7e38550c3d5a46e6fa94ffadfa625a4861d)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 8b9e56e7327ca27264fe01e988c700f958d2bec2
https://github.com/qemu/qemu/commit/8b9e56e7327ca27264fe01e988c700f958d2bec2
Author: Paolo Bonzini <pbonz...@redhat.com>
Date: 2024-07-24 (Wed, 24 Jul 2024)
Changed paths:
M hw/i386/sgx.c
Log Message:
-----------
target/i386: do not crash if microvm guest uses SGX CPUID leaves
sgx_epc_get_section assumes a PC platform is in use:
bool sgx_epc_get_section(int section_nr, uint64_t *addr, uint64_t *size)
{
PCMachineState *pcms = PC_MACHINE(qdev_get_machine());
However, sgx_epc_get_section is called by CPUID regardless of whether
SGX state has been initialized or which platform is in use. Check
whether the machine has the right QOM class and if not behave as if
there are no EPC sections.
Fixes: 1dec2e1f19f ("i386: Update SGX CPUID info according to hardware/KVM/user
input", 2021-09-30)
Cc: qemu-sta...@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2142
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
(cherry picked from commit 13be929aff804581b21e69087a9caf3698fd5c3c)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 425457bf75fa8ce0b27a2db4b4972dc804b48e61
https://github.com/qemu/qemu/commit/425457bf75fa8ce0b27a2db4b4972dc804b48e61
Author: songziming <s.zim...@hotmail.com>
Date: 2024-07-24 (Wed, 24 Jul 2024)
Changed paths:
M chardev/char-win-stdio.c
Log Message:
-----------
chardev/char-win-stdio.c: restore old console mode
If I use `-serial stdio` on Windows, after QEMU exits, the terminal
could not handle arrow keys and tab any more. Because stdio backend
on Windows sets console mode to virtual terminal input when starts,
but does not restore the old mode when finalize.
This small patch saves the old console mode and set it back.
Signed-off-by: Ziming Song <s.zim...@hotmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lur...@redhat.com>
Message-ID:
<me3p282mb25488be7c39bf0c35cd0da5d8c...@me3p282mb2548.ausp282.prod.outlook.com>
(cherry picked from commit 903cc9e1173e0778caa50871e8275c898770c690)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 437c556037ac9101bfcb6fbbabddeca7e3a93bf1
https://github.com/qemu/qemu/commit/437c556037ac9101bfcb6fbbabddeca7e3a93bf1
Author: Bibo Mao <maob...@loongson.cn>
Date: 2024-07-24 (Wed, 24 Jul 2024)
Changed paths:
M hw/intc/loongarch_ipi.c
Log Message:
-----------
hw/intc/loongson_ipi: Access memory in little endian
Loongson IPI is only available in little-endian,
so use that to access the guest memory (in case
we run on a big-endian host).
Cc: qemu-sta...@nongnu.org
Signed-off-by: Bibo Mao <maob...@loongson.cn>
Fixes: f6783e3438 ("hw/loongarch: Add LoongArch ipi interrupt support")
[PMD: Extracted from bigger commit, added commit description]
Co-Developed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Reviewed-by: Bibo Mao <maob...@loongson.cn>
Tested-by: Bibo Mao <maob...@loongson.cn>
Acked-by: Song Gao <gaos...@loongson.cn>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Reviewed-by: Jiaxun Yang <jiaxun.y...@flygoat.com>
Tested-by: Jiaxun Yang <jiaxun.y...@flygoat.com>
Message-Id: <20240718133312.10324-3-phi...@linaro.org>
(cherry picked from commit 2465c89fb983eed670007742bd68c7d91b6d6f85)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
(Mjt: fixups for 9.0, for lack of:
v9.0.0-583-g91d0b151de4c "hw/intc/loongson_ipi: Implement IOCSR address space
for MIPS"
v9.0.0-582-gb4a12dfc2132 "hw/intc/loongarch_ipi: Rename as loongson_ipi")
Commit: 9d0076b4a1a49a125ca9567cd4641d07b0447573
https://github.com/qemu/qemu/commit/9d0076b4a1a49a125ca9567cd4641d07b0447573
Author: Philippe Mathieu-Daudé <phi...@linaro.org>
Date: 2024-07-24 (Wed, 24 Jul 2024)
Changed paths:
M hw/intc/loongarch_ipi.c
Log Message:
-----------
hw/intc/loongson_ipi: Fix resource leak
Once initialised, QOM objects can be realized and
unrealized multiple times before being finalized.
Resources allocated in REALIZE must be deallocated
in an equivalent UNREALIZE handler.
Free the CPU array in loongson_ipi_unrealize()
instead of loongson_ipi_finalize().
Cc: qemu-sta...@nongnu.org
Fixes: 5e90b8db382 ("hw/loongarch: Set iocsr address space per-board rather
than percpu")
Signed-off-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Reviewed-by: Song Gao <gaos...@loongson.cn>
Message-Id: <20240723111405.14208-3-phi...@linaro.org>
(cherry picked from commit 0c2086bc7360565dfb9933181dafaefe2c94cddf)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
(Mjt: rename loongson back to longarch for 9.0 due to lack of
v9.0.0-582-gb4a12dfc2132 "hw/intc/loongarch_ipi: Rename as loongson_ipi")
Commit: 50675777a07395e2ee84e3f2e7c90cf6522ef966
https://github.com/qemu/qemu/commit/50675777a07395e2ee84e3f2e7c90cf6522ef966
Author: Song Gao <gaos...@loongson.cn>
Date: 2024-07-26 (Fri, 26 Jul 2024)
Changed paths:
M target/loongarch/tcg/tlb_helper.c
Log Message:
-----------
target/loongarch: Fix helper_lddir() a CID INTEGER_OVERFLOW issue
When the lddir level is 4 and the base is a HugePage, we may try to put value 4
into a field in the TLBENTRY that is only 2 bits wide.
Fixes: Coverity CID 1547717
Fixes: 9c70db9a43388 ("target/loongarch: Fix tlb huge page loading issue")
Signed-off-by: Song Gao <gaos...@loongson.cn>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Message-Id: <20240724015853.1317396-1-gaos...@loongson.cn>
(cherry picked from commit a18ffbcf8b9fabfc6c850ebb1d3e40a21b885c67)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 7c5cd2bc178349ddf240f42d9b4bec2ae0d56e48
https://github.com/qemu/qemu/commit/7c5cd2bc178349ddf240f42d9b4bec2ae0d56e48
Author: Nicholas Piggin <npig...@gmail.com>
Date: 2024-07-27 (Sat, 27 Jul 2024)
Changed paths:
M hw/ppc/spapr.c
M hw/ppc/spapr_caps.c
M include/hw/ppc/spapr.h
Log Message:
-----------
spapr: Migrate ail-mode-3 spapr cap
This cap did not add the migration code when it was introduced. This
results in migration failure when changing the default using the
command line.
Cc: qemu-sta...@nongnu.org
Fixes: ccc5a4c5e10 ("spapr: Add SPAPR_CAP_AIL_MODE_3 for AIL mode 3 support for
H_SET_MODE hcall")
Reviewed-by: Harsh Prateek Bora <hars...@linux.ibm.com>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Signed-off-by: Nicholas Piggin <npig...@gmail.com>
(cherry picked from commit 1a7a31aec4758d6fd89b60d88669f74f30cdb6bb)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 3379d31b499449cf94bd2f00797ad0b951774b99
https://github.com/qemu/qemu/commit/3379d31b499449cf94bd2f00797ad0b951774b99
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2024-07-27 (Sat, 27 Jul 2024)
Changed paths:
M util/async.c
Log Message:
-----------
util/async.c: Forbid negative min/max in aio_context_set_thread_pool_params()
aio_context_set_thread_pool_params() takes two int64_t arguments to
set the minimum and maximum number of threads in the pool. We do
some bounds checking on these, but we don't catch the case where the
inputs are negative. This means that later in the function when we
assign these inputs to the AioContext::thread_pool_min and
::thread_pool_max fields, which are of type int, the values might
overflow the smaller type.
A negative number of threads is meaningless, so make
aio_context_set_thread_pool_params() return an error if either min or
max are negative.
Resolves: Coverity CID 1547605
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Message-id: 20240723150927.1396456-1-peter.mayd...@linaro.org
Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com>
(cherry picked from commit 851495571d14fe2226c52b9d423f88a4f5460836)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 514c29b112fd7afa7f1bbcce9516dba09507cda3
https://github.com/qemu/qemu/commit/514c29b112fd7afa7f1bbcce9516dba09507cda3
Author: Sergey Dyasli <sergey.dya...@nutanix.com>
Date: 2024-07-27 (Sat, 27 Jul 2024)
Changed paths:
M chardev/char-io.c
Log Message:
-----------
Revert "qemu-char: do not operate on sources from finalize callbacks"
This reverts commit 2b316774f60291f57ca9ecb6a9f0712c532cae34.
After 038b4217884c ("Revert "chardev: use a child source for qio input
source"") we've been observing the "iwp->src == NULL" assertion
triggering periodically during the initial capabilities querying by
libvirtd. One of possible backtraces:
Thread 1 (Thread 0x7f16cd4f0700 (LWP 43858)):
0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
1 0x00007f16c6c21e65 in __GI_abort () at abort.c:79
2 0x00007f16c6c21d39 in __assert_fail_base at assert.c:92
3 0x00007f16c6c46e86 in __GI___assert_fail
(assertion=assertion@entry=0x562e9bcdaadd "iwp->src == NULL",
file=file@entry=0x562e9bcdaac8 "../chardev/char-io.c", line=line@entry=99,
function=function@entry=0x562e9bcdab10 <__PRETTY_FUNCTION__.20549>
"io_watch_poll_finalize") at assert.c:101
4 0x0000562e9ba20c2c in io_watch_poll_finalize (source=<optimized out>) at
../chardev/char-io.c:99
5 io_watch_poll_finalize (source=<optimized out>) at ../chardev/char-io.c:88
6 0x00007f16c904aae0 in g_source_unref_internal () from /lib64/libglib-2.0.so.0
7 0x00007f16c904baf9 in g_source_destroy_internal () from
/lib64/libglib-2.0.so.0
8 0x0000562e9ba20db0 in io_remove_watch_poll (source=0x562e9d6720b0) at
../chardev/char-io.c:147
9 remove_fd_in_watch (chr=chr@entry=0x562e9d5f3800) at ../chardev/char-io.c:153
10 0x0000562e9ba23ffb in update_ioc_handlers (s=0x562e9d5f3800) at
../chardev/char-socket.c:592
11 0x0000562e9ba2072f in qemu_chr_fe_set_handlers_full at
../chardev/char-fe.c:279
12 0x0000562e9ba207a9 in qemu_chr_fe_set_handlers at ../chardev/char-fe.c:304
13 0x0000562e9ba2ca75 in monitor_qmp_setup_handlers_bh (opaque=0x562e9d4c2c60)
at ../monitor/qmp.c:509
14 0x0000562e9bb6222e in aio_bh_poll (ctx=ctx@entry=0x562e9d4c2f20) at
../util/async.c:216
15 0x0000562e9bb4de0a in aio_poll (ctx=0x562e9d4c2f20,
blocking=blocking@entry=true) at ../util/aio-posix.c:722
16 0x0000562e9b99dfaa in iothread_run (opaque=0x562e9d4c26f0) at
../iothread.c:63
17 0x0000562e9bb505a4 in qemu_thread_start (args=0x562e9d4c7ea0) at
../util/qemu-thread-posix.c:543
18 0x00007f16c70081ca in start_thread (arg=<optimized out>) at
pthread_create.c:479
19 0x00007f16c6c398d3 in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:95
io_remove_watch_poll(), which makes sure that iwp->src is NULL, calls
g_source_destroy() which finds that iwp->src is not NULL in the finalize
callback. This can only happen if another thread has managed to trigger
io_watch_poll_prepare() callback in the meantime.
Move iwp->src destruction back to the finalize callback to prevent the
described race, and also remove the stale comment. The deadlock glib bug
was fixed back in 2010 by b35820285668 ("gmain: move finalization of
GSource outside of context lock").
Suggested-by: Paolo Bonzini <pbonz...@redhat.com>
Signed-off-by: Sergey Dyasli <sergey.dya...@nutanix.com>
Link:
https://lore.kernel.org/r/20240712092659.216206-1-sergey.dya...@nutanix.com
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
(cherry picked from commit e0bf95443ee9326d44031373420cf9f3513ee255)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 92bdbc905920595a09b869f9d161b9dbcbedef13
https://github.com/qemu/qemu/commit/92bdbc905920595a09b869f9d161b9dbcbedef13
Author: Thomas Huth <th...@redhat.com>
Date: 2024-07-27 (Sat, 27 Jul 2024)
Changed paths:
M include/hw/virtio/virtio.h
Log Message:
-----------
hw/virtio: Fix the de-initialization of vhost-user devices
The unrealize functions of the various vhost-user devices are
calling the corresponding vhost_*_set_status() functions with a
status of 0 to shut down the device correctly.
Now these vhost_*_set_status() functions all follow this scheme:
bool should_start = virtio_device_should_start(vdev, status);
if (vhost_dev_is_started(&vvc->vhost_dev) == should_start) {
return;
}
if (should_start) {
/* ... do the initialization stuff ... */
} else {
/* ... do the cleanup stuff ... */
}
The problem here is virtio_device_should_start(vdev, 0) currently
always returns "true" since it internally only looks at vdev->started
instead of looking at the "status" parameter. Thus once the device
got started once, virtio_device_should_start() always returns true
and thus the vhost_*_set_status() functions return early, without
ever doing any clean-up when being called with status == 0. This
causes e.g. problems when trying to hot-plug and hot-unplug a vhost
user devices multiple times since the de-initialization step is
completely skipped during the unplug operation.
This bug has been introduced in commit 9f6bcfd99f ("hw/virtio: move
vm_running check to virtio_device_started") which replaced
should_start = status & VIRTIO_CONFIG_S_DRIVER_OK;
with
should_start = virtio_device_started(vdev, status);
which later got replaced by virtio_device_should_start(). This blocked
the possibility to set should_start to false in case the status flag
VIRTIO_CONFIG_S_DRIVER_OK was not set.
Fix it by adjusting the virtio_device_should_start() function to
only consider the status flag instead of vdev->started. Since this
function is only used in the various vhost_*_set_status() functions
for exactly the same purpose, it should be fine to fix it in this
central place there without any risk to change the behavior of other
code.
Fixes: 9f6bcfd99f ("hw/virtio: move vm_running check to virtio_device_started")
Buglink: https://issues.redhat.com/browse/RHEL-40708
Signed-off-by: Thomas Huth <th...@redhat.com>
Message-Id: <20240618121958.88673-1-th...@redhat.com>
Reviewed-by: Manos Pitsidianakis <manos.pitsidiana...@linaro.org>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit d72479b11797c28893e1e3fc565497a9cae5ca16)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 045157018a3207c9b3d33ad8bd650bcec47e8f2f
https://github.com/qemu/qemu/commit/045157018a3207c9b3d33ad8bd650bcec47e8f2f
Author: Richard Henderson <richard.hender...@linaro.org>
Date: 2024-07-30 (Tue, 30 Jul 2024)
Changed paths:
M target/rx/translate.c
Log Message:
-----------
target/rx: Use target_ulong for address in LI
Using int32_t meant that the address was sign-extended to uint64_t
when passing to translator_ld*, triggering an assert.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2453
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
Tested-by: Thomas Huth <th...@redhat.com>
(cherry picked from commit 83340193b991e7a974f117baa86a04db1fd835a9)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 23dc4953105bbcb9492dec5ee9c230e4cb7a57c2
https://github.com/qemu/qemu/commit/23dc4953105bbcb9492dec5ee9c230e4cb7a57c2
Author: Frederik van Hövell <frede...@fvhovell.nl>
Date: 2024-08-02 (Fri, 02 Aug 2024)
Changed paths:
M hw/char/bcm2835_aux.c
Log Message:
-----------
hw/char/bcm2835_aux: Fix assert when receive FIFO fills up
When a bare-metal application on the raspi3 board reads the
AUX_MU_STAT_REG MMIO register while the device's buffer is
at full receive FIFO capacity
(i.e. `s->read_count == BCM2835_AUX_RX_FIFO_LEN`) the
assertion `assert(s->read_count < BCM2835_AUX_RX_FIFO_LEN)`
fails.
Reported-by: Cryptjar <cryptjar@junk.studio>
Suggested-by: Cryptjar <cryptjar@junk.studio>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/459
Signed-off-by: Frederik van Hövell <frede...@fvhovell.nl>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
[PMM: commit message tweaks]
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
(cherry picked from commit 546d574b11e02bfd5b15cdf1564842c14516dfab)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 668bc22e3ba36c31811a9ce4d1d7599185d55bef
https://github.com/qemu/qemu/commit/668bc22e3ba36c31811a9ce4d1d7599185d55bef
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2024-08-02 (Fri, 02 Aug 2024)
Changed paths:
M hw/misc/bcm2835_property.c
Log Message:
-----------
hw/misc/bcm2835_property: Fix handling of FRAMEBUFFER_SET_PALETTE
The documentation of the "Set palette" mailbox property at
https://github.com/raspberrypi/firmware/wiki/Mailbox-property-interface#set-palette
says it has the form:
Length: 24..1032
Value:
u32: offset: first palette index to set (0-255)
u32: length: number of palette entries to set (1-256)
u32...: RGBA palette values (offset to offset+length-1)
We get this wrong in a couple of ways:
* we aren't checking the offset and length are in range, so the guest
can make us spin for a long time by providing a large length
* the bounds check on our loop is wrong: we should iterate through
'length' palette entries, not 'length - offset' entries
Fix the loop to implement the bounds checks and get the loop
condition right. In the process, make the variables local to
this switch case, rather than function-global, so it's clearer
what type they are when reading the code.
Cc: qemu-sta...@nongnu.org
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Message-id: 20240723131029.1159908-2-peter.mayd...@linaro.org
(cherry picked from commit 0892fffc2abaadfb5d8b79bb0250ae1794862560)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
(Mjt: context fix due to lack of
v9.0.0-1812-g5d5f1b60916a "hw/misc: Implement mailbox properties for customer
OTP and device specific private keys"
also remove now-unused local `n' variable which gets removed in the next
change in this file,
v9.0.0-2720-g32f1c201eedf "hw/misc/bcm2835_property: Avoid overflow in OTP
access properties")
Commit: 457cd629a27e9aeaba42529cadf257c1e514108e
https://github.com/qemu/qemu/commit/457cd629a27e9aeaba42529cadf257c1e514108e
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2024-08-02 (Fri, 02 Aug 2024)
Changed paths:
M target/arm/tcg/translate-sme.c
Log Message:
-----------
target/arm: Don't assert for 128-bit tile accesses when SVL is 128
For an instruction which accesses a 128-bit element tile when
the SVL is also 128 (for example MOV z0.Q, p0/M, ZA0H.Q[w0,0]),
we will assert in get_tile_rowcol():
qemu-system-aarch64: ../../tcg/tcg-op.c:926: tcg_gen_deposit_z_i32: Assertion
`len > 0' failed.
This happens because we calculate
len = ctz32(streaming_vec_reg_size(s)) - esz;$
but if the SVL and the element size are the same len is 0, and
the deposit operation asserts.
In this case the ZA storage contains exactly one 128 bit
element ZA tile, and the horizontal or vertical slice is just
that tile. This means that regardless of the index value in
the Ws register, we always access that tile. (In pseudocode terms,
we calculate (index + offset) MOD 1, which is 0.)
Special case the len == 0 case to avoid hitting the assertion
in tcg_gen_deposit_z_i32().
Cc: qemu-sta...@nongnu.org
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Message-id: 20240722172957.1041231-2-peter.mayd...@linaro.org
(cherry picked from commit 56f1c0db928aae0b83fd91c89ddb226b137e2b21)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 0fe2a414fc4cc1e1b4898d635356f768343276e5
https://github.com/qemu/qemu/commit/0fe2a414fc4cc1e1b4898d635356f768343276e5
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2024-08-02 (Fri, 02 Aug 2024)
Changed paths:
M target/arm/tcg/sme_helper.c
Log Message:
-----------
target/arm: Fix UMOPA/UMOPS of 16-bit values
The UMOPA/UMOPS instructions are supposed to multiply unsigned 8 or
16 bit elements and accumulate the products into a 64-bit element.
In the Arm ARM pseudocode, this is done with the usual
infinite-precision signed arithmetic. However our implementation
doesn't quite get it right, because in the DEF_IMOP_64() macro we do:
sum += (NTYPE)(n >> 0) * (MTYPE)(m >> 0);
where NTYPE and MTYPE are uint16_t or int16_t. In the uint16_t case,
the C usual arithmetic conversions mean the values are converted to
"int" type and the multiply is done as a 32-bit multiply. This means
that if the inputs are, for example, 0xffff and 0xffff then the
result is 0xFFFE0001 as an int, which is then promoted to uint64_t
for the accumulation into sum; this promotion incorrectly sign
extends the multiply.
Avoid the incorrect sign extension by casting to int64_t before
the multiply, so we do the multiply as 64-bit signed arithmetic,
which is a type large enough that the multiply can never
overflow into the sign bit.
(The equivalent 8-bit operations in DEF_IMOP_32() are fine, because
the 8-bit multiplies can never overflow into the sign bit of a
32-bit integer.)
Cc: qemu-sta...@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2372
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Message-id: 20240722172957.1041231-3-peter.mayd...@linaro.org
(cherry picked from commit ea3f5a90f036734522e9af3bffd77e69e9f47355)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 8fafba246b90b04d366f55298707e7e53c8448fd
https://github.com/qemu/qemu/commit/8fafba246b90b04d366f55298707e7e53c8448fd
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2024-08-02 (Fri, 02 Aug 2024)
Changed paths:
M target/arm/tcg/translate-sve.c
Log Message:
-----------
target/arm: Avoid shifts by -1 in tszimm_shr() and tszimm_shl()
The function tszimm_esz() returns a shift amount, or possibly -1 in
certain cases that correspond to unallocated encodings in the
instruction set. We catch these later in the trans_ functions
(generally with an "a-esz < 0" check), but before we do the
decodetree-generated code will also call tszimm_shr() or tszimm_sl(),
which will use the tszimm_esz() return value as a shift count without
checking that it is not negative, which is undefined behaviour.
Avoid the UB by checking the return value in tszimm_shr() and
tszimm_shl().
Cc: qemu-sta...@nongnu.org
Resolves: Coverity CID 1547617, 1547694
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Message-id: 20240722172957.1041231-4-peter.mayd...@linaro.org
(cherry picked from commit 76916dfa89e8900639c1055c07a295c06628a0bc)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 0969a9cbdad4dd36ca8307f34c37bb9761309403
https://github.com/qemu/qemu/commit/0969a9cbdad4dd36ca8307f34c37bb9761309403
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2024-08-02 (Fri, 02 Aug 2024)
Changed paths:
M target/arm/helper.c
Log Message:
-----------
target/arm: Ignore SMCR_EL2.LEN and SVCR_EL2.LEN if EL2 is not enabled
When determining the current vector length, the SMCR_EL2.LEN and
SVCR_EL2.LEN settings should only be considered if EL2 is enabled
(compare the pseudocode CurrentSVL and CurrentNSVL which call
EL2Enabled()).
We were checking against ARM_FEATURE_EL2 rather than calling
arm_is_el2_enabled(), which meant that we would look at
SMCR_EL2/SVCR_EL2 when in Secure EL1 or Secure EL0 even if Secure EL2
was not enabled.
Use the correct check in sve_vqm1_for_el_sm().
Cc: qemu-sta...@nongnu.org
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Message-id: 20240722172957.1041231-5-peter.mayd...@linaro.org
(cherry picked from commit f573ac059ed060234fcef4299fae9e500d357c33)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: d97ecf1ec5294500cf780c2c12ec386f0a537352
https://github.com/qemu/qemu/commit/d97ecf1ec5294500cf780c2c12ec386f0a537352
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2024-08-02 (Fri, 02 Aug 2024)
Changed paths:
M docs/sphinx/depfile.py
Log Message:
-----------
docs/sphinx/depfile.py: Handle env.doc2path() returning a Path not a str
In newer versions of Sphinx the env.doc2path() API is going to change
to return a Path object rather than a str. This was originally visible
in Sphinx 8.0.0rc1, but has been rolled back for the final 8.0.0
release. However it will probably emit a deprecation warning and is
likely to change for good in 9.0:
https://github.com/sphinx-doc/sphinx/issues/12686
Our use in depfile.py assumes a str, and if it is passed a Path
it will fall over:
Handler <function write_depfile at 0x77a1775ff560> for event 'build-finished'
threw an exception (exception: unsupported operand type(s) for +: 'PosixPath'
and 'str')
Wrapping the env.doc2path() call in str() will coerce a Path object
to the str we expect, and have no effect in older Sphinx versions
that do return a str.
Cc: qemu-sta...@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2458
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Message-ID: <20240729120533.2486427-1-peter.mayd...@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <phi...@linaro.org>
(cherry picked from commit 48e5b5f994bccf161dd88a67fdd819d4bfb400f1)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: c378b2e0a222d1ec13ad3f31b8207d422491babc
https://github.com/qemu/qemu/commit/c378b2e0a222d1ec13ad3f31b8207d422491babc
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2024-08-02 (Fri, 02 Aug 2024)
Changed paths:
M hw/i386/amd_iommu.c
Log Message:
-----------
hw/i386/amd_iommu: Don't leak memory in amdvi_update_iotlb()
In amdvi_update_iotlb() we will only put a new entry in the hash
table if to_cache.perm is not IOMMU_NONE. However we allocate the
memory for the new AMDVIIOTLBEntry and for the hash table key
regardless. This means that in the IOMMU_NONE case we will leak the
memory we alloacted.
Move the allocations into the if() to the point where we know we're
going to add the item to the hash table.
Cc: qemu-sta...@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2452
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Message-Id: <20240731170019.3590563-1-peter.mayd...@linaro.org>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit 9a45b0761628cc59267b3283a85d15294464ac31)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 15f0158cc6201790f2e994c8f64a70345d765133
https://github.com/qemu/qemu/commit/15f0158cc6201790f2e994c8f64a70345d765133
Author: Marco Palumbi <marco.palu...@tii.ae>
Date: 2024-08-02 (Fri, 02 Aug 2024)
Changed paths:
M hw/arm/mps2-tz.c
Log Message:
-----------
hw/arm/mps2-tz.c: fix RX/TX interrupts order
The order of the RX and TX interrupts are swapped.
This commit fixes the order as per the following documents:
* https://developer.arm.com/documentation/dai0505/latest/
* https://developer.arm.com/documentation/dai0521/latest/
* https://developer.arm.com/documentation/dai0524/latest/
* https://developer.arm.com/documentation/dai0547/latest/
Cc: qemu-sta...@nongnu.org
Signed-off-by: Marco Palumbi <marco.palu...@tii.ae>
Message-id: 20240730073123.72992-1-ma...@palumbi.it
Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
(cherry picked from commit 5a558be93ad628e5bed6e0ee062870f49251725c)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 11613b66a72edf1209ad4607c023e8803b3502ed
https://github.com/qemu/qemu/commit/11613b66a72edf1209ad4607c023e8803b3502ed
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2024-08-02 (Fri, 02 Aug 2024)
Changed paths:
M target/arm/tcg/helper-sme.h
M target/arm/tcg/sme_helper.c
M target/arm/tcg/translate-sme.c
Log Message:
-----------
target/arm: Handle denormals correctly for FMOPA (widening)
The FMOPA (widening) SME instruction takes pairs of half-precision
floating point values, widens them to single-precision, does a
two-way dot product and accumulates the results into a
single-precision destination. We don't quite correctly handle the
FPCR bits FZ and FZ16 which control flushing of denormal inputs and
outputs. This is because at the moment we pass a single float_status
value to the helper function, which then uses that configuration for
all the fp operations it does. However, because the inputs to this
operation are float16 and the outputs are float32 we need to use the
fp_status_f16 for the float16 input widening but the normal fp_status
for everything else. Otherwise we will apply the flushing control
FPCR.FZ16 to the 32-bit output rather than the FPCR.FZ control, and
incorrectly flush a denormal output to zero when we should not (or
vice-versa).
(In commit 207d30b5fdb5b we tried to fix the FZ handling but
didn't get it right, switching from "use FPCR.FZ for everything" to
"use FPCR.FZ16 for everything".)
(Mjt: it is commit 43929c818c4b in stable-9.0)
Pass the CPU env to the sme_fmopa_h helper instead of an fp_status
pointer, and have the helper pass an extra fp_status into the
f16_dotadd() function so that we can use the right status for the
right parts of this operation.
Cc: qemu-sta...@nongnu.org
Fixes: 207d30b5fdb5 ("target/arm: Use FPST_F16 for SME FMOPA (widening)")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2373
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
(cherry picked from commit 55f9f4ee018c5ccea81d8c8c586756d7711ae46f)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 7c36dce9da3ae608e4176efffc42f8568e39411b
https://github.com/qemu/qemu/commit/7c36dce9da3ae608e4176efffc42f8568e39411b
Author: Akihiko Odaki <akihiko.od...@daynix.com>
Date: 2024-08-06 (Tue, 06 Aug 2024)
Changed paths:
M hw/net/virtio-net.c
Log Message:
-----------
virtio-net: Ensure queue index fits with RSS
Ensure the queue index points to a valid queue when software RSS
enabled. The new calculation matches with the behavior of Linux's TAP
device with the RSS eBPF program.
Fixes: 4474e37a5b3a ("virtio-net: implement RX RSS processing")
Reported-by: Zhibin Hu <huzhib...@huawei.com>
Cc: qemu-sta...@nongnu.org
Signed-off-by: Akihiko Odaki <akihiko.od...@daynix.com>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Jason Wang <jasow...@redhat.com>
(cherry picked from commit f1595ceb9aad36a6c1da95bcb77ab9509b38822d)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Fixes: CVE-2024-6505
Commit: 341600287900172eb73336112150c173409d07a7
https://github.com/qemu/qemu/commit/341600287900172eb73336112150c173409d07a7
Author: thomas <east.moutain.y...@gmail.com>
Date: 2024-08-06 (Tue, 06 Aug 2024)
Changed paths:
M hw/net/virtio-net.c
M hw/virtio/virtio.c
M include/hw/virtio/virtio.h
Log Message:
-----------
virtio-net: Fix network stall at the host side waiting for kick
Patch 06b12970174 ("virtio-net: fix network stall under load")
added double-check to test whether the available buffer size
can satisfy the request or not, in case the guest has added
some buffers to the avail ring simultaneously after the first
check. It will be lucky if the available buffer size becomes
okay after the double-check, then the host can send the packet
to the guest. If the buffer size still can't satisfy the request,
even if the guest has added some buffers, viritio-net would
stall at the host side forever.
The patch enables notification and checks whether the guest has
added some buffers since last check of available buffers when
the available buffers are insufficient. If no buffer is added,
return false, else recheck the available buffers in the loop.
If the available buffers are sufficient, disable notification
and return true.
Changes:
1. Change the return type of virtqueue_get_avail_bytes() from void
to int, it returns an opaque that represents the shadow_avail_idx
of the virtqueue on success, else -1 on error.
2. Add a new API: virtio_queue_enable_notification_and_check(),
it takes an opaque as input arg which is returned from
virtqueue_get_avail_bytes(). It enables notification firstly,
then checks whether the guest has added some buffers since
last check of available buffers or not by virtio_queue_poll(),
return ture if yes.
The patch also reverts patch "06b12970174".
The case below can reproduce the stall.
Guest 0
+--------+
| iperf |
---------------> | server |
Host | +--------+
+--------+ | ...
| iperf |----
| client |---- Guest n
+--------+ | +--------+
| | iperf |
---------------> | server |
+--------+
Boot many guests from qemu with virtio network:
qemu ... -netdev tap,id=net_x \
-device virtio-net-pci-non-transitional,\
iommu_platform=on,mac=xx:xx:xx:xx:xx:xx,netdev=net_x
Each guest acts as iperf server with commands below:
iperf3 -s -D -i 10 -p 8001
iperf3 -s -D -i 10 -p 8002
The host as iperf client:
iperf3 -c guest_IP -p 8001 -i 30 -w 256k -P 20 -t 40000
iperf3 -c guest_IP -p 8002 -i 30 -w 256k -P 20 -t 40000
After some time, the host loses connection to the guest,
the guest can send packet to the host, but can't receive
packet from the host.
It's more likely to happen if SWIOTLB is enabled in the guest,
allocating and freeing bounce buffer takes some CPU ticks,
copying from/to bounce buffer takes more CPU ticks, compared
with that there is no bounce buffer in the guest.
Once the rate of producing packets from the host approximates
the rate of receiveing packets in the guest, the guest would
loop in NAPI.
receive packets ---
| |
v |
free buf virtnet_poll
| |
v |
add buf to avail ring ---
|
| need kick the host?
| NAPI continues
v
receive packets ---
| |
v |
free buf virtnet_poll
| |
v |
add buf to avail ring ---
|
v
... ...
On the other hand, the host fetches free buf from avail
ring, if the buf in the avail ring is not enough, the
host notifies the guest the event by writing the avail
idx read from avail ring to the event idx of used ring,
then the host goes to sleep, waiting for the kick signal
from the guest.
Once the guest finds the host is waiting for kick singal
(in virtqueue_kick_prepare_split()), it kicks the host.
The host may stall forever at the sequences below:
Host Guest
------------ -----------
fetch buf, send packet receive packet ---
... ... |
fetch buf, send packet add buf |
... add buf virtnet_poll
buf not enough avail idx-> add buf |
read avail idx add buf |
add buf ---
receive packet ---
write event idx ... |
wait for kick add buf virtnet_poll
... |
---
no more packet, exit NAPI
In the first loop of NAPI above, indicated in the range of
virtnet_poll above, the host is sending packets while the
guest is receiving packets and adding buffers.
step 1: The buf is not enough, for example, a big packet
needs 5 buf, but the available buf count is 3.
The host read current avail idx.
step 2: The guest adds some buf, then checks whether the
host is waiting for kick signal, not at this time.
The used ring is not empty, the guest continues
the second loop of NAPI.
step 3: The host writes the avail idx read from avail
ring to used ring as event idx via
virtio_queue_set_notification(q->rx_vq, 1).
step 4: At the end of the second loop of NAPI, recheck
whether kick is needed, as the event idx in the
used ring written by the host is beyound the
range of kick condition, the guest will not
send kick signal to the host.
Fixes: 06b12970174 ("virtio-net: fix network stall under load")
Cc: qemu-sta...@nongnu.org
Signed-off-by: Wencheng Yang <east.moutain.y...@gmail.com>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Jason Wang <jasow...@redhat.com>
(cherry picked from commit f937309fbdbb48c354220a3e7110c202ae4aa7fa)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
(Mjt: context fixup in include/hw/virtio/virtio.h)
Commit: 731d656545abdeb56d8f7214b5c2ec57adfdc8cd
https://github.com/qemu/qemu/commit/731d656545abdeb56d8f7214b5c2ec57adfdc8cd
Author: David Woodhouse <d...@amazon.co.uk>
Date: 2024-08-06 (Tue, 06 Aug 2024)
Changed paths:
M net/net.c
Log Message:
-----------
net: Reinstate '-net nic, model=help' output as documented in man page
While refactoring the NIC initialization code, I broke '-net nic,model=help'
which no longer outputs a list of available NIC models.
Fixes: 2cdeca04adab ("net: report list of available models according to
platform")
Cc: qemu-sta...@nongnu.org
Signed-off-by: David Woodhouse <d...@amazon.co.uk>
Reviewed-by: Michael Tokarev <m...@tls.msk.ru>
Signed-off-by: Jason Wang <jasow...@redhat.com>
(cherry picked from commit 64f75f57f9d2c8c12ac6d9355fa5d3a2af5879ca)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 1d55351216127e42bdd33ca606232d43641c1753
https://github.com/qemu/qemu/commit/1d55351216127e42bdd33ca606232d43641c1753
Author: Fabiano Rosas <faro...@suse.de>
Date: 2024-08-06 (Tue, 06 Aug 2024)
Changed paths:
M migration/multifd.c
Log Message:
-----------
migration/multifd: Fix multifd_send_setup cleanup when channel creation fails
When a channel fails to create, the code currently just returns. This
is wrong for two reasons:
1) Channel n+1 will not get to initialize it's semaphores, leading to
an assert when terminate_threads tries to post to it:
qemu-system-x86_64: ../util/qemu-thread-posix.c:92:
qemu_mutex_lock_impl: Assertion `mutex->initialized' failed.
2) (theoretical) If channel n-1 already started creation it will
defeat the purpose of the channels_created logic which is in place
to avoid migrate_fd_cleanup() to run while channels are still being
created.
This cannot really happen today because the current failure cases
for multifd_new_send_channel_create() are all synchronous,
resulting from qio_channel_file_new_path() getting a bad
filename. This would hit all channels equally.
But I don't want to set a trap for future people, so have all
channels try to create (even if failing), and only fail after the
channels_created semaphore has been posted.
While here, remove the error_report_err call. There's one already at
migrate_fd_cleanup later on.
Cc: qemu-sta...@nongnu.org
Reported-by: Jim Fehlig <jfeh...@suse.com>
Fixes: b7b03eb614 ("migration/multifd: Add outgoing QIOChannelFile support")
Reviewed-by: Peter Xu <pet...@redhat.com>
Signed-off-by: Fabiano Rosas <faro...@suse.de>
(cherry picked from commit 0bd5b9284fa94a6242a0d27a46380d93e753488b)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 758ee15d7f3c42c0a3722972483adc54b3949c75
https://github.com/qemu/qemu/commit/758ee15d7f3c42c0a3722972483adc54b3949c75
Author: Ilya Leoshkevich <i...@linux.ibm.com>
Date: 2024-08-06 (Tue, 06 Aug 2024)
Changed paths:
M linux-user/elfload.c
Log Message:
-----------
linux-user/elfload: Fix pr_pid values in core files
Analyzing qemu-produced core dumps of multi-threaded apps runs into:
(gdb) info threads
[...]
21 Thread 0x3ff83cc0740 (LWP 9295) warning: Couldn't find
general-purpose registers in core file.
<unavailable> in ?? ()
The reason is that all pr_pid values are the same, because the same
TaskState is used for all CPUs when generating NT_PRSTATUS notes.
Fix by using TaskStates associated with individual CPUs.
Cc: qemu-sta...@nongnu.org
Fixes: 243c47066253 ("linux-user/elfload: Write corefile elf header in one
block")
Signed-off-by: Ilya Leoshkevich <i...@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Message-ID: <20240801202340.21845-1-...@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
(cherry picked from commit 5b0c2742c839376b7e03c4654914aaec6a8a7b09)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 580e6bbc0cfcbb9ea2d59e57d82eb107d27cbb3c
https://github.com/qemu/qemu/commit/580e6bbc0cfcbb9ea2d59e57d82eb107d27cbb3c
Author: Richard Henderson <richard.hender...@linaro.org>
Date: 2024-08-06 (Tue, 06 Aug 2024)
Changed paths:
M target/i386/tcg/decode-new.c.inc
M target/i386/tcg/translate.c
Log Message:
-----------
target/i386: Fix VSIB decode
With normal SIB, index == 4 indicates no index.
With VSIB, there is no exception for VR4/VR12.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2474
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
Link:
https://lore.kernel.org/r/20240805003130.1421051-3-richard.hender...@linaro.org
Cc: qemu-sta...@nongnu.org
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
(cherry picked from commit ac63755b20013ec6a3d2aef4538d37dc90bc3d10)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
(Mjt: modify the change to pre-new-decoder introduced past qemu 9.0)
Commit: 61b280df3127103d0a2d4b1274a1905a43a8a4a6
https://github.com/qemu/qemu/commit/61b280df3127103d0a2d4b1274a1905a43a8a4a6
Author: Richard Henderson <richard.hender...@linaro.org>
Date: 2024-08-10 (Sat, 10 Aug 2024)
Changed paths:
M tcg/ppc/tcg-target.c.inc
Log Message:
-----------
tcg/ppc: Sync tcg_out_test and constraints
Ensure the code structure is the same for matching constraints
and emitting code, lest we allow constants that cannot be
trivially tested.
Cc: qemu-sta...@nongnu.org
Fixes: ad788aebbab ("tcg/ppc: Support TCG_COND_TST{EQ,NE}")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2487
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
Message-Id: <44328324-af73-4439-9d2b-d414e0e13...@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
(cherry picked from commit 682a05280504d2fab32e16096b58d7ea068435c2)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 9af696d2300cd79cb44e4f2db1b05e8288f0aeb6
https://github.com/qemu/qemu/commit/9af696d2300cd79cb44e4f2db1b05e8288f0aeb6
Author: Philippe Mathieu-Daudé <phi...@linaro.org>
Date: 2024-08-11 (Sun, 11 Aug 2024)
Changed paths:
M hw/sd/sdhci.c
Log Message:
-----------
hw/sd/sdhci: Reset @data_count index on invalid ADMA transfers
We neglected to clear the @data_count index on ADMA error,
allowing to trigger assertion in sdhci_read_dataport() or
sdhci_write_dataport().
Cc: qemu-sta...@nongnu.org
Fixes: d7dfca0807 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Zheyu Ma <zheyum...@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2455
Signed-off-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Message-Id: <20240730092138.32443-4-phi...@linaro.org>
(cherry picked from commit ed5a159c3de48a581f46de4c8c02b4b295e6c52d)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 0ce98ccba55d1b808b970ea8e3c3a59200bc9330
https://github.com/qemu/qemu/commit/0ce98ccba55d1b808b970ea8e3c3a59200bc9330
Author: Amjad Alsharafi <amjadsharaf...@gmail.com>
Date: 2024-08-11 (Sun, 11 Aug 2024)
Changed paths:
M block/vvfat.c
Log Message:
-----------
vvfat: Fix bug in writing to middle of file
Before this commit, the behavior when calling `commit_one_file` for
example with `offset=0x2000` (second cluster), what will happen is that
we won't fetch the next cluster from the fat, and instead use the first
cluster for the read operation.
This is due to off-by-one error here, where `i=0x2000 !< offset=0x2000`,
thus not fetching the next cluster.
Signed-off-by: Amjad Alsharafi <amjadsharaf...@gmail.com>
Reviewed-by: Kevin Wolf <kw...@redhat.com>
Tested-by: Kevin Wolf <kw...@redhat.com>
Message-ID:
<b97c1e1f1bc2f776061ae914f95d799d124fcd73.1721470238.git.amjadsharaf...@gmail.com>
Signed-off-by: Kevin Wolf <kw...@redhat.com>
(cherry picked from commit b881cf00c99e03bc8a3648581f97736ff275b18b)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 13e7c7e5ff6a0aa55297a4a7e4b5634716a5504d
https://github.com/qemu/qemu/commit/13e7c7e5ff6a0aa55297a4a7e4b5634716a5504d
Author: Amjad Alsharafi <amjadsharaf...@gmail.com>
Date: 2024-08-11 (Sun, 11 Aug 2024)
Changed paths:
M block/vvfat.c
Log Message:
-----------
vvfat: Fix usage of `info.file.offset`
The field is marked as "the offset in the file (in clusters)", but it
was being used like this
`cluster_size*(nums)+mapping->info.file.offset`, which is incorrect.
Signed-off-by: Amjad Alsharafi <amjadsharaf...@gmail.com>
Reviewed-by: Kevin Wolf <kw...@redhat.com>
Message-ID:
<72f19a7903886dda1aa78bcae0e17702ee939262.1721470238.git.amjadsharaf...@gmail.com>
Signed-off-by: Kevin Wolf <kw...@redhat.com>
(cherry picked from commit 21b25a0e466a5bba0a45600bb8100ab564202ed1)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 511354e2c8616e041345c57fa191b6b80c8010c9
https://github.com/qemu/qemu/commit/511354e2c8616e041345c57fa191b6b80c8010c9
Author: Amjad Alsharafi <amjadsharaf...@gmail.com>
Date: 2024-08-11 (Sun, 11 Aug 2024)
Changed paths:
M block/vvfat.c
Log Message:
-----------
vvfat: Fix wrong checks for cluster mappings invariant
How this `abort` was intended to check for was:
- if the `mapping->first_mapping_index` is not the same as
`first_mapping_index`, which **should** happen only in one case,
when we are handling the first mapping, in that case
`mapping->first_mapping_index == -1`, in all other cases, the other
mappings after the first should have the condition `true`.
- From above, we know that this is the first mapping, so if the offset
is not `0`, then abort, since this is an invalid state.
The issue was that `first_mapping_index` is not set if we are
checking from the middle, the variable `first_mapping_index` is
only set if we passed through the check `cluster_was_modified` with the
first mapping, and in the same function call we checked the other
mappings.
One approach is to go into the loop even if `cluster_was_modified`
is not true so that we will be able to set `first_mapping_index` for the
first mapping, but since `first_mapping_index` is only used here,
another approach is to just check manually for the
`mapping->first_mapping_index != -1` since we know that this is the
value for the only entry where `offset == 0` (i.e. first mapping).
Signed-off-by: Amjad Alsharafi <amjadsharaf...@gmail.com>
Reviewed-by: Kevin Wolf <kw...@redhat.com>
Message-ID:
<b0fbca3ee208c565885838f6a7deeaeb23f4f9c2.1721470238.git.amjadsharaf...@gmail.com>
Signed-off-by: Kevin Wolf <kw...@redhat.com>
(cherry picked from commit f60a6f7e17bf2a2a0f0a08265ac9b077fce42858)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 10a0a67979c08b85f1e82d0c1c4a75a44d4533c0
https://github.com/qemu/qemu/commit/10a0a67979c08b85f1e82d0c1c4a75a44d4533c0
Author: Amjad Alsharafi <amjadsharaf...@gmail.com>
Date: 2024-08-11 (Sun, 11 Aug 2024)
Changed paths:
M block/vvfat.c
Log Message:
-----------
vvfat: Fix reading files with non-continuous clusters
When reading with `read_cluster` we get the `mapping` with
`find_mapping_for_cluster` and then we call `open_file` for this
mapping.
The issue appear when its the same file, but a second cluster that is
not immediately after it, imagine clusters `500 -> 503`, this will give
us 2 mappings one has the range `500..501` and another `503..504`, both
point to the same file, but different offsets.
When we don't open the file since the path is the same, we won't assign
`s->current_mapping` and thus accessing way out of bound of the file.
>From our example above, after `open_file` (that didn't open anything) we
will get the offset into the file with
`s->cluster_size*(cluster_num-s->current_mapping->begin)`, which will
give us `0x2000 * (504-500)`, which is out of bound for this mapping and
will produce some issues.
Signed-off-by: Amjad Alsharafi <amjadsharaf...@gmail.com>
Message-ID:
<1f3ea115779abab62ba32c788073cdc99f9ad5dd.1721470238.git.amjadsharaf...@gmail.com>
[kwolf: Simplified the patch based on Amjad's analysis and input]
Signed-off-by: Kevin Wolf <kw...@redhat.com>
(cherry picked from commit 5eed3db336506b529b927ba221fe0d836e5b8819)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 4c9ba1b2fb260e75276a0ee869222e45e9846b02
https://github.com/qemu/qemu/commit/4c9ba1b2fb260e75276a0ee869222e45e9846b02
Author: Amjad Alsharafi <amjadsharaf...@gmail.com>
Date: 2024-08-11 (Sun, 11 Aug 2024)
Changed paths:
M tests/qemu-iotests/check
A tests/qemu-iotests/fat16.py
M tests/qemu-iotests/testenv.py
A tests/qemu-iotests/tests/vvfat
A tests/qemu-iotests/tests/vvfat.out
Log Message:
-----------
iotests: Add `vvfat` tests
Added several tests to verify the implementation of the vvfat driver.
We needed a way to interact with it, so created a basic `fat16.py` driver
that handled writing correct sectors for us.
Added `vvfat` to the non-generic formats, as its not a normal image format.
Signed-off-by: Amjad Alsharafi <amjadsharaf...@gmail.com>
Reviewed-by: Kevin Wolf <kw...@redhat.com>
Tested-by: Kevin Wolf <kw...@redhat.com>
Message-ID:
<bb8149c945301aefbdf470a0924c07f69f9c087d.1721470238.git.amjadsharaf...@gmail.com>
[kwolf: Made mypy and pylint happy to unbreak 297]
Signed-off-by: Kevin Wolf <kw...@redhat.com>
(cherry picked from commit c8f60bfb4345ea8343a53eaefe88d47b44c53f24)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: c73859d3e83184be1df1b458b3b59bc843182440
https://github.com/qemu/qemu/commit/c73859d3e83184be1df1b458b3b59bc843182440
Author: Eric Blake <ebl...@redhat.com>
Date: 2024-08-11 (Sun, 11 Aug 2024)
Changed paths:
M blockdev-nbd.c
M include/block/nbd.h
M nbd/server.c
M qemu-nbd.c
Log Message:
-----------
nbd/server: Plumb in new args to nbd_client_add()
Upcoming patches to fix a CVE need to track an opaque pointer passed
in by the owner of a client object, as well as request for a time
limit on how fast negotiation must complete. Prepare for that by
changing the signature of nbd_client_new() and adding an accessor to
get at the opaque pointer, although for now the two servers
(qemu-nbd.c and blockdev-nbd.c) do not change behavior even though
they pass in a new default timeout value.
Suggested-by: Vladimir Sementsov-Ogievskiy <vsement...@yandex-team.ru>
Signed-off-by: Eric Blake <ebl...@redhat.com>
Message-ID: <20240807174943.771624-11-ebl...@redhat.com>
Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>
[eblake: s/LIMIT/MAX_SECS/ as suggested by Dan]
Signed-off-by: Eric Blake <ebl...@redhat.com>
(cherry picked from commit fb1c2aaa981e0a2fa6362c9985f1296b74f055ac)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 8a0f4568b8198f33d6e17f31dbc3579bb5be0026
https://github.com/qemu/qemu/commit/8a0f4568b8198f33d6e17f31dbc3579bb5be0026
Author: Eric Blake <ebl...@redhat.com>
Date: 2024-08-11 (Sun, 11 Aug 2024)
Changed paths:
M block/monitor/block-hmp-cmds.c
M blockdev-nbd.c
M include/block/nbd.h
M qapi/block-export.json
Log Message:
-----------
nbd/server: CVE-2024-7409: Cap default max-connections to 100
Allowing an unlimited number of clients to any web service is a recipe
for a rudimentary denial of service attack: the client merely needs to
open lots of sockets without closing them, until qemu no longer has
any more fds available to allocate.
For qemu-nbd, we default to allowing only 1 connection unless more are
explicitly asked for (-e or --shared); this was historically picked as
a nice default (without an explicit -t, a non-persistent qemu-nbd goes
away after a client disconnects, without needing any additional
follow-up commands), and we are not going to change that interface now
(besides, someday we want to point people towards qemu-storage-daemon
instead of qemu-nbd).
But for qemu proper, and the newer qemu-storage-daemon, the QMP
nbd-server-start command has historically had a default of unlimited
number of connections, in part because unlike qemu-nbd it is
inherently persistent until nbd-server-stop. Allowing multiple client
sockets is particularly useful for clients that can take advantage of
MULTI_CONN (creating parallel sockets to increase throughput),
although known clients that do so (such as libnbd's nbdcopy) typically
use only 8 or 16 connections (the benefits of scaling diminish once
more sockets are competing for kernel attention). Picking a number
large enough for typical use cases, but not unlimited, makes it
slightly harder for a malicious client to perform a denial of service
merely by opening lots of connections withot progressing through the
handshake.
This change does not eliminate CVE-2024-7409 on its own, but reduces
the chance for fd exhaustion or unlimited memory usage as an attack
surface. On the other hand, by itself, it makes it more obvious that
with a finite limit, we have the problem of an unauthenticated client
holding 100 fds opened as a way to block out a legitimate client from
being able to connect; thus, later patches will further add timeouts
to reject clients that are not making progress.
This is an INTENTIONAL change in behavior, and will break any client
of nbd-server-start that was not passing an explicit max-connections
parameter, yet expects more than 100 simultaneous connections. We are
not aware of any such client (as stated above, most clients aware of
MULTI_CONN get by just fine on 8 or 16 connections, and probably cope
with later connections failing by relying on the earlier connections;
libvirt has not yet been passing max-connections, but generally
creates NBD servers with the intent for a single client for the sake
of live storage migration; meanwhile, the KubeSAN project anticipates
a large cluster sharing multiple clients [up to 8 per node, and up to
100 nodes in a cluster], but it currently uses qemu-nbd with an
explicit --shared=0 rather than qemu-storage-daemon with
nbd-server-start).
We considered using a deprecation period (declare that omitting
max-parameters is deprecated, and make it mandatory in 3 releases -
then we don't need to pick an arbitrary default); that has zero risk
of breaking any apps that accidentally depended on more than 100
connections, and where such breakage might not be noticed under unit
testing but only under the larger loads of production usage. But it
does not close the denial-of-service hole until far into the future,
and requires all apps to change to add the parameter even if 100 was
good enough. It also has a drawback that any app (like libvirt) that
is accidentally relying on an unlimited default should seriously
consider their own CVE now, at which point they are going to change to
pass explicit max-connections sooner than waiting for 3 qemu releases.
Finally, if our changed default breaks an app, that app can always
pass in an explicit max-parameters with a larger value.
It is also intentional that the HMP interface to nbd-server-start is
not changed to expose max-connections (any client needing to fine-tune
things should be using QMP).
Suggested-by: Daniel P. Berrangé <berra...@redhat.com>
Signed-off-by: Eric Blake <ebl...@redhat.com>
Message-ID: <20240807174943.771624-12-ebl...@redhat.com>
Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>
[ericb: Expand commit message to summarize Dan's argument for why we
break corner-case back-compat behavior without a deprecation period]
Signed-off-by: Eric Blake <ebl...@redhat.com>
(cherry picked from commit c8a76dbd90c2f48df89b75bef74917f90a59b623)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 04d8a3e10ec8e255ce3deb7dde57a2e22db4e673
https://github.com/qemu/qemu/commit/04d8a3e10ec8e255ce3deb7dde57a2e22db4e673
Author: Eric Blake <ebl...@redhat.com>
Date: 2024-08-11 (Sun, 11 Aug 2024)
Changed paths:
M nbd/server.c
M nbd/trace-events
Log Message:
-----------
nbd/server: CVE-2024-7409: Drop non-negotiating clients
A client that opens a socket but does not negotiate is merely hogging
qemu's resources (an open fd and a small amount of memory); and a
malicious client that can access the port where NBD is listening can
attempt a denial of service attack by intentionally opening and
abandoning lots of unfinished connections. The previous patch put a
default bound on the number of such ongoing connections, but once that
limit is hit, no more clients can connect (including legitimate ones).
The solution is to insist that clients complete handshake within a
reasonable time limit, defaulting to 10 seconds. A client that has
not successfully completed NBD_OPT_GO by then (including the case of
where the client didn't know TLS credentials to even reach the point
of NBD_OPT_GO) is wasting our time and does not deserve to stay
connected. Later patches will allow fine-tuning the limit away from
the default value (including disabling it for doing integration
testing of the handshake process itself).
Note that this patch in isolation actually makes it more likely to see
qemu SEGV after nbd-server-stop, as any client socket still connected
when the server shuts down will now be closed after 10 seconds rather
than at the client's whims. That will be addressed in the next patch.
For a demo of this patch in action:
$ qemu-nbd -f raw -r -t -e 10 file &
$ nbdsh --opt-mode -c '
H = list()
for i in range(20):
print(i)
H.insert(i, nbd.NBD())
H[i].set_opt_mode(True)
H[i].connect_uri("nbd://localhost")
'
$ kill $!
where later connections get to start progressing once earlier ones are
forcefully dropped for taking too long, rather than hanging.
Suggested-by: Daniel P. Berrangé <berra...@redhat.com>
Signed-off-by: Eric Blake <ebl...@redhat.com>
Message-ID: <20240807174943.771624-13-ebl...@redhat.com>
Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>
[eblake: rebase to changes earlier in series, reduce scope of timer]
Signed-off-by: Eric Blake <ebl...@redhat.com>
(cherry picked from commit b9b72cb3ce15b693148bd09cef7e50110566d8a0)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 0b569ce72cd0bc057a3167a23c707e80b8513239
https://github.com/qemu/qemu/commit/0b569ce72cd0bc057a3167a23c707e80b8513239
Author: Eric Blake <ebl...@redhat.com>
Date: 2024-08-11 (Sun, 11 Aug 2024)
Changed paths:
M blockdev-nbd.c
Log Message:
-----------
nbd/server: CVE-2024-7409: Close stray clients at server-stop
A malicious client can attempt to connect to an NBD server, and then
intentionally delay progress in the handshake, including if it does
not know the TLS secrets. Although the previous two patches reduce
this behavior by capping the default max-connections parameter and
killing slow clients, they did not eliminate the possibility of a
client waiting to close the socket until after the QMP nbd-server-stop
command is executed, at which point qemu would SEGV when trying to
dereference the NULL nbd_server global which is no longer present.
This amounts to a denial of service attack. Worse, if another NBD
server is started before the malicious client disconnects, I cannot
rule out additional adverse effects when the old client interferes
with the connection count of the new server (although the most likely
is a crash due to an assertion failure when checking
nbd_server->connections > 0).
For environments without this patch, the CVE can be mitigated by
ensuring (such as via a firewall) that only trusted clients can
connect to an NBD server. Note that using frameworks like libvirt
that ensure that TLS is used and that nbd-server-stop is not executed
while any trusted clients are still connected will only help if there
is also no possibility for an untrusted client to open a connection
but then stall on the NBD handshake.
Given the previous patches, it would be possible to guarantee that no
clients remain connected by having nbd-server-stop sleep for longer
than the default handshake deadline before finally freeing the global
nbd_server object, but that could make QMP non-responsive for a long
time. So intead, this patch fixes the problem by tracking all client
sockets opened while the server is running, and forcefully closing any
such sockets remaining without a completed handshake at the time of
nbd-server-stop, then waiting until the coroutines servicing those
sockets notice the state change. nbd-server-stop now has a second
AIO_WAIT_WHILE_UNLOCKED (the first is indirectly through the
blk_exp_close_all_type() that disconnects all clients that completed
handshakes), but forced socket shutdown is enough to progress the
coroutines and quickly tear down all clients before the server is
freed, thus finally fixing the CVE.
This patch relies heavily on the fact that nbd/server.c guarantees
that it only calls nbd_blockdev_client_closed() from the main loop
(see the assertion in nbd_client_put() and the hoops used in
nbd_client_put_nonzero() to achieve that); if we did not have that
guarantee, we would also need a mutex protecting our accesses of the
list of connections to survive re-entrancy from independent iothreads.
Although I did not actually try to test old builds, it looks like this
problem has existed since at least commit 862172f45c (v2.12.0, 2017) -
even back when that patch started using a QIONetListener to handle
listening on multiple sockets, nbd_server_free() was already unaware
that the nbd_blockdev_client_closed callback can be reached later by a
client thread that has not completed handshakes (and therefore the
client's socket never got added to the list closed in
nbd_export_close_all), despite that patch intentionally tearing down
the QIONetListener to prevent new clients.
Reported-by: Alexander Ivanov <alexander.iva...@virtuozzo.com>
Fixes: CVE-2024-7409
CC: qemu-sta...@nongnu.org
Signed-off-by: Eric Blake <ebl...@redhat.com>
Message-ID: <20240807174943.771624-14-ebl...@redhat.com>
Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>
(cherry picked from commit 3e7ef738c8462c45043a1d39f702a0990406a3b3)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: e75dff935d6f82a1cda750735a5ba7d444ab6e5f
https://github.com/qemu/qemu/commit/e75dff935d6f82a1cda750735a5ba7d444ab6e5f
Author: David Woodhouse <d...@amazon.co.uk>
Date: 2024-08-13 (Tue, 13 Aug 2024)
Changed paths:
M net/net.c
Log Message:
-----------
net: Fix '-net nic,model=' for non-help arguments
Oops, don't *delete* the model option when checking for 'help'.
Fixes: 64f75f57f9d2 ("net: Reinstate '-net nic, model=help' output as
documented in man page")
Reported-by: Hans <sungdgdhtr...@gmail.com>
Signed-off-by: David Woodhouse <d...@amazon.co.uk>
Cc: qemu-sta...@nongnu.org
Reviewed-by: Michael Tokarev <m...@tls.msk.ru>
Signed-off-by: Jason Wang <jasow...@redhat.com>
(cherry picked from commit fa62cb989a9146c82f8f172715042852f5d36200)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 83e92acda037c920faf308eb492b3b5db4b61b0d
https://github.com/qemu/qemu/commit/83e92acda037c920faf308eb492b3b5db4b61b0d
Author: Jianzhou Yue <jianzhou....@verisilicon.com>
Date: 2024-08-13 (Tue, 13 Aug 2024)
Changed paths:
M hw/core/ptimer.c
M tests/unit/ptimer-test.c
Log Message:
-----------
hw/core/ptimer: fix timer zero period condition for freq > 1GHz
The real period is zero when both period and period_frac are zero.
Check the method ptimer_set_freq, if freq is larger than 1000 MHz,
the period is zero, but the period_frac is not, in this case, the
ptimer will work but the current code incorrectly recognizes that
the ptimer is disabled.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2306
Signed-off-by: JianZhou Yue <jianzhou....@verisilicon.com>
Message-id: 3da024aea8b57545af1b3caa37077d0fb75e8...@shasxm03.verisilicon.com
Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
(cherry picked from commit 446e5e8b4515e9a7be69ef6a29852975289bb6f0)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: ad628ad55e19b6fb54417aa90441faada14a8012
https://github.com/qemu/qemu/commit/ad628ad55e19b6fb54417aa90441faada14a8012
Author: Stefano Garzarella <sgarz...@redhat.com>
Date: 2024-08-13 (Tue, 13 Aug 2024)
Changed paths:
M block/blkio.c
M meson.build
Log Message:
-----------
block/blkio: use FUA flag on write zeroes only if supported
libblkio supports BLKIO_REQ_FUA with write zeros requests only since
version 1.4.0, so let's inform the block layer that the blkio driver
supports it only in this case. Otherwise we can have runtime errors
as reported in https://issues.redhat.com/browse/RHEL-32878
Fixes: fd66dbd424 ("blkio: add libblkio block driver")
Cc: qemu-sta...@nongnu.org
Buglink: https://issues.redhat.com/browse/RHEL-32878
Signed-off-by: Stefano Garzarella <sgarz...@redhat.com>
Reviewed-by: Eric Blake <ebl...@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Message-id: 20240808080545.40744-1-sgarz...@redhat.com
Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com>
(cherry picked from commit 547c4e50929ec6c091d9c16a7b280e829b12b463)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 79478f49f745a2cc3f5f66982047502751dc7122
https://github.com/qemu/qemu/commit/79478f49f745a2cc3f5f66982047502751dc7122
Author: Richard Henderson <richard.hender...@linaro.org>
Date: 2024-08-14 (Wed, 14 Aug 2024)
Changed paths:
M target/i386/tcg/decode-new.c.inc
Log Message:
-----------
target/i386: Do not apply REX to MMX operands
Cc: qemu-sta...@nongnu.org
Fixes: b3e22b2318a ("target/i386: add core of new i386 decoder")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2495
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
Link:
https://lore.kernel.org/r/20240812025844.58956-2-richard.hender...@linaro.org
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
(cherry picked from commit 416f2b16c02c618c0f233372ebfe343f9ee667d4)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 832bd544b84f5611806540ccf677ba744e1d4467
https://github.com/qemu/qemu/commit/832bd544b84f5611806540ccf677ba744e1d4467
Author: Richard Henderson <richard.hender...@linaro.org>
Date: 2024-08-14 (Wed, 14 Aug 2024)
Changed paths:
M target/arm/tcg/translate-a64.c
Log Message:
-----------
target/arm: Clear high SVE elements in handle_vec_simd_wshli
AdvSIMD instructions are supposed to zero bits beyond 128.
Affects SSHLL, USHLL, SSHLL2, USHLL2.
Cc: qemu-sta...@nongnu.org
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
Message-id: 20240717060903.205098-15-richard.hender...@linaro.org
Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
(cherry picked from commit 8e0c9a9efa21a16190cbac288e414bbf1d80f639)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 989fcb18aa0d083fb5dc2bc2b088199af320f59b
https://github.com/qemu/qemu/commit/989fcb18aa0d083fb5dc2bc2b088199af320f59b
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2024-08-14 (Wed, 14 Aug 2024)
Changed paths:
M target/arm/cpu.h
Log Message:
-----------
target/arm: Update translation regime comment for new features
We have a long comment describing the Arm architectural translation
regimes and how we map them to QEMU MMU indexes. This comment has
got a bit out of date:
* FEAT_SEL2 allows Secure EL2 and corresponding new regimes
* FEAT_RME introduces Realm state and its translation regimes
* We now model the Cortex-R52 so that is no longer a hypothetical
* We separated Secure Stage 2 and NonSecure Stage 2 MMU indexes
* We have an MMU index per physical address spacea
Add the missing pieces so that the list of architectural translation
regimes matches the Arm ARM, and the list and count of QEMU MMU
indexes in the comment matches the enum.
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Tested-by: Bernhard Beschow <shen...@gmail.com>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Message-id: 20240809160430.1144805-2-peter.mayd...@linaro.org
(cherry picked from commit 150c24f34e9c3388c0f0ad04ddd997e5559db800)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
(Mjt: pick this one for stable-9.0 so the next commit applies cleanly)
Commit: 1a3647f92d1f1ce47c1fabf66647de11566f9cde
https://github.com/qemu/qemu/commit/1a3647f92d1f1ce47c1fabf66647de11566f9cde
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2024-08-14 (Wed, 14 Aug 2024)
Changed paths:
M target/arm/cpu.h
M target/arm/helper.c
M target/arm/internals.h
M target/arm/ptw.c
M target/arm/tcg/hflags.c
M target/arm/tcg/translate-a64.c
M target/arm/tcg/translate.c
M target/arm/tcg/translate.h
Log Message:
-----------
target/arm: Fix usage of MMU indexes when EL3 is AArch32
Our current usage of MMU indexes when EL3 is AArch32 is confused.
Architecturally, when EL3 is AArch32, all Secure code runs under the
Secure PL1&0 translation regime:
* code at EL3, which might be Mon, or SVC, or any of the
other privileged modes (PL1)
* code at EL0 (Secure PL0)
This is different from when EL3 is AArch64, in which case EL3 is its
own translation regime, and EL1 and EL0 (whether AArch32 or AArch64)
have their own regime.
We claimed to be mapping Secure PL1 to our ARMMMUIdx_EL3, but didn't
do anything special about Secure PL0, which meant it used the same
ARMMMUIdx_EL10_0 that NonSecure PL0 does. This resulted in a bug
where arm_sctlr() incorrectly picked the NonSecure SCTLR as the
controlling register when in Secure PL0, which meant we were
spuriously generating alignment faults because we were looking at the
wrong SCTLR control bits.
The use of ARMMMUIdx_EL3 for Secure PL1 also resulted in the bug that
we wouldn't honour the PAN bit for Secure PL1, because there's no
equivalent _PAN mmu index for it.
We could fix this in one of two ways:
* The most straightforward is to add new MMU indexes EL30_0,
EL30_3, EL30_3_PAN to correspond to "Secure PL1&0 at PL0",
"Secure PL1&0 at PL1", and "Secure PL1&0 at PL1 with PAN".
This matches how we use indexes for the AArch64 regimes, and
preserves propirties like being able to determine the privilege
level from an MMU index without any other information. However
it would add two MMU indexes (we can share one with ARMMMUIdx_EL3),
and we are already using 14 of the 16 the core TLB code permits.
* The more complicated approach is the one we take here. We use
the same MMU indexes (E10_0, E10_1, E10_1_PAN) for Secure PL1&0
than we do for NonSecure PL1&0. This saves on MMU indexes, but
means we need to check in some places whether we're in the
Secure PL1&0 regime or not before we interpret an MMU index.
The changes in this commit were created by auditing all the places
where we use specific ARMMMUIdx_ values, and checking whether they
needed to be changed to handle the new index value usage.
Note for potential stable backports: taking also the previous
(comment-change-only) commit might make the backport easier.
Cc: qemu-sta...@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2326
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Tested-by: Bernhard Beschow <shen...@gmail.com>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Message-id: 20240809160430.1144805-3-peter.mayd...@linaro.org
(cherry picked from commit 4c2c0474693229c1f533239bb983495c5427784d)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: c8803b4f58042c8d64dfecf7cc39aa8d7379467a
https://github.com/qemu/qemu/commit/c8803b4f58042c8d64dfecf7cc39aa8d7379467a
Author: Alexander Ivanov <alexander.iva...@virtuozzo.com>
Date: 2024-08-14 (Wed, 14 Aug 2024)
Changed paths:
M util/module.c
Log Message:
-----------
module: Prevent crash by resetting local_err in module_load_qom_all()
Set local_err to NULL after it has been freed in error_report_err(). This
avoids triggering assert(*errp == NULL) failure in error_setv() when
local_err is reused in the loop.
Signed-off-by: Alexander Ivanov <alexander.iva...@virtuozzo.com>
Reviewed-by: Claudio Fontana <cfont...@suse.de>
Reviewed-by: Denis V. Lunev <d...@openvz.org>
Link:
https://lore.kernel.org/r/20240809121340.992049-2-alexander.iva...@virtuozzo.com
[Do the same by moving the declaration instead. - Paolo]
Cc: qemu-sta...@nongnu.org
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
(cherry picked from commit 940d802b24e63650e0eacad3714e2ce171cba17c)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: bb5f3849f67a0eeb5f806889a6e114e272d7119c
https://github.com/qemu/qemu/commit/bb5f3849f67a0eeb5f806889a6e114e272d7119c
Author: Alyssa Ross <h...@alyssa.is>
Date: 2024-08-14 (Wed, 14 Aug 2024)
Changed paths:
M target/hexagon/meson.build
Log Message:
-----------
target/hexagon: don't look for static glib
When cross compiling QEMU configured with --static, I've been getting
configure errors like the following:
Build-time dependency glib-2.0 found: NO
../target/hexagon/meson.build:303:15: ERROR: Dependency lookup for glib-2.0
with method 'pkgconfig' failed: Could not generate libs for glib-2.0:
Package libpcre2-8 was not found in the pkg-config search path.
Perhaps you should add the directory containing `libpcre2-8.pc'
to the PKG_CONFIG_PATH environment variable
Package 'libpcre2-8', required by 'glib-2.0', not found
This happens because --static sets the prefer_static Meson option, but
my build machine doesn't have a static libpcre2. I don't think it
makes sense to insist that native dependencies are static, just
because I want the non-native QEMU binaries to be static.
Signed-off-by: Alyssa Ross <h...@alyssa.is>
Link: https://lore.kernel.org/r/20240805104921.4035256-1...@alyssa.is
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
(cherry picked from commit fe68cc0923ebfa0c12e4176f61ec9b363a07a73a)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 8db3c6a2c73939f5e597bf6bcdb2c4b427d61347
https://github.com/qemu/qemu/commit/8db3c6a2c73939f5e597bf6bcdb2c4b427d61347
Author: Richard Henderson <richard.hender...@linaro.org>
Date: 2024-08-15 (Thu, 15 Aug 2024)
Changed paths:
M linux-user/mmap.c
Log Message:
-----------
linux-user: Preserve NULL hit in target_mmap subroutines
Do not pass guest_base to the host mmap instead of zero hint.
Cc: qemu-sta...@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2353
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
(cherry picked from commit 3aefee3ec01e607529a9918e2978f365c5c3b5e9)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 1cc0218f561ee3aa8b0892851bf1777d637ed734
https://github.com/qemu/qemu/commit/1cc0218f561ee3aa8b0892851bf1777d637ed734
Author: Richard Henderson <richard.hender...@linaro.org>
Date: 2024-08-22 (Thu, 22 Aug 2024)
Changed paths:
M target/sparc/insns.decode
M target/sparc/translate.c
Log Message:
-----------
target/sparc: Restrict STQF to sparcv9
Prior to sparcv9, the same encoding was STDFQ.
Cc: qemu-sta...@nongnu.org
Fixes: 06c060d9e5b ("target/sparc: Move simple fp load/store to decodetree")
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Message-ID: <20240816072311.353234-2-richard.hender...@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <phi...@linaro.org>
(cherry picked from commit 12d36294a2d978faf893101862118d1ac1815e85)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: e32432caee74fc62c4f6eaf0859494aa8308967f
https://github.com/qemu/qemu/commit/e32432caee74fc62c4f6eaf0859494aa8308967f
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2024-08-22 (Thu, 22 Aug 2024)
Changed paths:
M crypto/tlscredspsk.c
Log Message:
-----------
crypto/tlscredspsk: Free username on finalize
When the creds->username property is set we allocate memory
for it in qcrypto_tls_creds_psk_prop_set_username(), but
we never free this when the QCryptoTLSCredsPSK is destroyed.
Free the memory in finalize.
This fixes a LeakSanitizer complaint in migration-test:
$ (cd build/asan; ASAN_OPTIONS="fast_unwind_on_malloc=0"
QTEST_QEMU_BINARY=./qemu-system-x86_64 ./tests/qtest/migration-test --tap -k -p
/x86_64/migration/precopy/unix/tls/psk)
=================================================================
==3867512==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 5 byte(s) in 1 object(s) allocated from:
#0 0x5624e5c99dee in malloc
(/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qemu-system-x86_64+0x218edee)
(BuildId: a9e623fa1009a9435c0142c037cd7b8c1ad04ce3)
#1 0x7fb199ae9738 in g_malloc debian/build/deb/../../../glib/gmem.c:128:13
#2 0x7fb199afe583 in g_strdup
debian/build/deb/../../../glib/gstrfuncs.c:361:17
#3 0x5624e82ea919 in qcrypto_tls_creds_psk_prop_set_username
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../crypto/tlscredspsk.c:255:23
#4 0x5624e812c6b5 in property_set_str
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object.c:2277:5
#5 0x5624e8125ce5 in object_property_set
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object.c:1463:5
#6 0x5624e8136e7c in object_set_properties_from_qdict
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object_interfaces.c:55:14
#7 0x5624e81372d2 in user_creatable_add_type
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object_interfaces.c:112:5
#8 0x5624e8137964 in user_creatable_add_qapi
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object_interfaces.c:157:11
#9 0x5624e891ba3c in qmp_object_add
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/qom-qmp-cmds.c:227:5
#10 0x5624e8af9118 in qmp_marshal_object_add
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qapi/qapi-commands-qom.c:337:5
#11 0x5624e8bd1d49 in do_qmp_dispatch_bh
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qapi/qmp-dispatch.c:128:5
#12 0x5624e8cb2531 in aio_bh_call
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/async.c:171:5
#13 0x5624e8cb340c in aio_bh_poll
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/async.c:218:13
#14 0x5624e8c0be98 in aio_dispatch
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/aio-posix.c:423:5
#15 0x5624e8cba3ce in aio_ctx_dispatch
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/async.c:360:5
#16 0x7fb199ae0d3a in g_main_dispatch
debian/build/deb/../../../glib/gmain.c:3419:28
#17 0x7fb199ae0d3a in g_main_context_dispatch
debian/build/deb/../../../glib/gmain.c:4137:7
#18 0x5624e8cbe1d9 in glib_pollfds_poll
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/main-loop.c:287:9
#19 0x5624e8cbcb13 in os_host_main_loop_wait
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/main-loop.c:310:5
#20 0x5624e8cbc6dc in main_loop_wait
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/main-loop.c:589:11
#21 0x5624e6f3f917 in qemu_main_loop
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../system/runstate.c:801:9
#22 0x5624e893379c in qemu_default_main
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../system/main.c:37:14
#23 0x5624e89337e7 in main
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../system/main.c:48:12
#24 0x7fb197972d8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#25 0x7fb197972e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#26 0x5624e5c16fa4 in _start
(/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qemu-system-x86_64+0x210bfa4)
(BuildId: a9e623fa1009a9435c0142c037cd7b8c1ad04ce3)
SUMMARY: AddressSanitizer: 5 byte(s) leaked in 1 allocation(s).
Cc: qemu-sta...@nongnu.org
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>
Message-ID: <20240819145021.38524-1-peter.mayd...@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <phi...@linaro.org>
(cherry picked from commit 87e012f29f2e47dcd8c385ff8bb8188f9e06d4ea)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 8ecee46eded12ec306f52da791e3e4afbd79159c
https://github.com/qemu/qemu/commit/8ecee46eded12ec306f52da791e3e4afbd79159c
Author: Klaus Jensen <k.jen...@samsung.com>
Date: 2024-08-22 (Thu, 22 Aug 2024)
Changed paths:
M hw/nvme/ctrl.c
Log Message:
-----------
hw/nvme: fix leak of uninitialized memory in io_mgmt_recv
Yutaro Shimizu from the Cyber Defense Institute discovered a bug in the
NVMe emulation that leaks contents of an uninitialized heap buffer if
subsystem and FDP emulation are enabled.
Cc: qemu-sta...@nongnu.org
Reported-by: Yutaro Shimizu <shim...@cyberdefense.jp>
Signed-off-by: Klaus Jensen <k.jen...@samsung.com>
(cherry picked from commit 6a22121c4f25b181e99479f65958ecde65da1c92)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: e7a4f813e04d32e89028125836b2d7743ec93183
https://github.com/qemu/qemu/commit/e7a4f813e04d32e89028125836b2d7743ec93183
Author: Cindy Lu <l...@redhat.com>
Date: 2024-08-22 (Thu, 22 Aug 2024)
Changed paths:
M hw/virtio/virtio-pci.c
Log Message:
-----------
virtio-pci: Fix the use of an uninitialized irqfd
The crash was reported in MAC OS and NixOS, here is the link for this bug
https://gitlab.com/qemu-project/qemu/-/issues/2334
https://gitlab.com/qemu-project/qemu/-/issues/2321
In this bug, they are using the virtio_input device. The guest notifier was
not supported for this device, The function virtio_pci_set_guest_notifiers()
was not called, and the vector_irqfd was not initialized.
So the fix is adding the check for vector_irqfd in virtio_pci_get_notifier()
The function virtio_pci_get_notifier() can be used in various devices.
It could also be called when VIRTIO_CONFIG_S_DRIVER_OK is not set. In this
situation,
the vector_irqfd being NULL is acceptable. We can allow the device continue to
boot
If the vector_irqfd still hasn't been initialized after
VIRTIO_CONFIG_S_DRIVER_OK
is set, it means that the function set_guest_notifiers was not called before the
driver started. This indicates that the device is not using the notifier.
At this point, we will let the check fail.
This fix is verified in vyatta,MacOS,NixOS,fedora system.
The bt tree for this bug is:
Thread 6 "CPU 0/KVM" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7c817be006c0 (LWP 1269146)]
kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817
817 if (irqfd->users == 0) {
(gdb) thread apply all bt
...
Thread 6 (Thread 0x7c817be006c0 (LWP 1269146) "CPU 0/KVM"):
0 kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817
1 kvm_virtio_pci_vector_use_one () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:893
2 0x00005983657045e2 in memory_region_write_accessor () at
../qemu-9.0.0/system/memory.c:497
3 0x0000598365704ba6 in access_with_adjusted_size () at
../qemu-9.0.0/system/memory.c:573
4 0x0000598365705059 in memory_region_dispatch_write () at
../qemu-9.0.0/system/memory.c:1528
5 0x00005983659b8e1f in flatview_write_continue_step.isra.0 () at
../qemu-9.0.0/system/physmem.c:2713
6 0x000059836570ba7d in flatview_write_continue () at
../qemu-9.0.0/system/physmem.c:2743
7 flatview_write () at ../qemu-9.0.0/system/physmem.c:2774
8 0x000059836570bb76 in address_space_write () at
../qemu-9.0.0/system/physmem.c:2894
9 0x0000598365763afe in address_space_rw () at
../qemu-9.0.0/system/physmem.c:2904
10 kvm_cpu_exec () at ../qemu-9.0.0/accel/kvm/kvm-all.c:2917
11 0x000059836576656e in kvm_vcpu_thread_fn () at
../qemu-9.0.0/accel/kvm/kvm-accel-ops.c:50
12 0x0000598365926ca8 in qemu_thread_start () at
../qemu-9.0.0/util/qemu-thread-posix.c:541
13 0x00007c8185bcd1cf in ??? () at /usr/lib/libc.so.6
14 0x00007c8185c4e504 in clone () at /usr/lib/libc.so.6
Fixes: 2ce6cff94d ("virtio-pci: fix use of a released vector")
Cc: qemu-sta...@nongnu.org
Signed-off-by: Cindy Lu <l...@redhat.com>
Message-Id: <20240806093715.65105-1-l...@redhat.com>
Acked-by: Jason Wang <jasow...@redhat.com>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit a8e63ff289d137197ad7a701a587cc432872d798)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 88e764b124e7ff91d7e7e1b831832d615b6a4fed
https://github.com/qemu/qemu/commit/88e764b124e7ff91d7e7e1b831832d615b6a4fed
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2024-08-22 (Thu, 22 Aug 2024)
Changed paths:
M migration/multifd.c
Log Message:
-----------
migration/multifd: Free MultiFDRecvParams::data
In multifd_recv_setup() we allocate (among other things)
* a MultiFDRecvData struct to multifd_recv_state::data
* a MultiFDRecvData struct to each multfd_recv_state->params[i].data
(Then during execution we might swap these pointers around.)
But in multifd_recv_cleanup() we free multifd_recv_state->data
in multifd_recv_cleanup_state() but we don't ever free the
multifd_recv_state->params[i].data. This results in a memory
leak reported by LeakSanitizer:
(cd build/asan && \
ASAN_OPTIONS="fast_unwind_on_malloc=0:strip_path_prefix=/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../"
\
QTEST_QEMU_BINARY=./qemu-system-x86_64 \
./tests/qtest/migration-test --tap -k -p
/x86_64/migration/multifd/file/mapped-ram )
[...]
Direct leak of 72 byte(s) in 3 object(s) allocated from:
#0 0x561cc0afcfd8 in __interceptor_calloc
(/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qemu-system-x86_64+0x218efd8)
(BuildId: be72e086d4e47b172b0a72779972213fd9916466)
#1 0x7f89d37acc50 in g_malloc0 debian/build/deb/../../../glib/gmem.c:161:13
#2 0x561cc1e9c83c in multifd_recv_setup migration/multifd.c:1606:19
#3 0x561cc1e68618 in migration_ioc_process_incoming
migration/migration.c:972:9
#4 0x561cc1e3ac59 in migration_channel_process_incoming
migration/channel.c:45:9
#5 0x561cc1e4fa0b in file_accept_incoming_migration migration/file.c:132:5
#6 0x561cc30f2c0c in qio_channel_fd_source_dispatch io/channel-watch.c:84:12
#7 0x7f89d37a3c43 in g_main_dispatch
debian/build/deb/../../../glib/gmain.c:3419:28
#8 0x7f89d37a3c43 in g_main_context_dispatch
debian/build/deb/../../../glib/gmain.c:4137:7
#9 0x561cc3b21659 in glib_pollfds_poll util/main-loop.c:287:9
#10 0x561cc3b1ff93 in os_host_main_loop_wait util/main-loop.c:310:5
#11 0x561cc3b1fb5c in main_loop_wait util/main-loop.c:589:11
#12 0x561cc1da2917 in qemu_main_loop system/runstate.c:801:9
#13 0x561cc3796c1c in qemu_default_main system/main.c:37:14
#14 0x561cc3796c67 in main system/main.c:48:12
#15 0x7f89d163bd8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#16 0x7f89d163be3f in __libc_start_main csu/../csu/libc-start.c:392:3
#17 0x561cc0a79fa4 in _start
(/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qemu-system-x86_64+0x210bfa4)
(BuildId: be72e086d4e47b172b0a72779972213fd9916466)
Direct leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x561cc0afcfd8 in __interceptor_calloc
(/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qemu-system-x86_64+0x218efd8)
(BuildId: be72e086d4e47b172b0a72779972213fd9916466)
#1 0x7f89d37acc50 in g_malloc0 debian/build/deb/../../../glib/gmem.c:161:13
#2 0x561cc1e9bed9 in multifd_recv_setup migration/multifd.c:1588:32
#3 0x561cc1e68618 in migration_ioc_process_incoming
migration/migration.c:972:9
#4 0x561cc1e3ac59 in migration_channel_process_incoming
migration/channel.c:45:9
#5 0x561cc1e4fa0b in file_accept_incoming_migration migration/file.c:132:5
#6 0x561cc30f2c0c in qio_channel_fd_source_dispatch io/channel-watch.c:84:12
#7 0x7f89d37a3c43 in g_main_dispatch
debian/build/deb/../../../glib/gmain.c:3419:28
#8 0x7f89d37a3c43 in g_main_context_dispatch
debian/build/deb/../../../glib/gmain.c:4137:7
#9 0x561cc3b21659 in glib_pollfds_poll util/main-loop.c:287:9
#10 0x561cc3b1ff93 in os_host_main_loop_wait util/main-loop.c:310:5
#11 0x561cc3b1fb5c in main_loop_wait util/main-loop.c:589:11
#12 0x561cc1da2917 in qemu_main_loop system/runstate.c:801:9
#13 0x561cc3796c1c in qemu_default_main system/main.c:37:14
#14 0x561cc3796c67 in main system/main.c:48:12
#15 0x7f89d163bd8f in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#16 0x7f89d163be3f in __libc_start_main csu/../csu/libc-start.c:392:3
#17 0x561cc0a79fa4 in _start
(/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qemu-system-x86_64+0x210bfa4)
(BuildId: be72e086d4e47b172b0a72779972213fd9916466)
SUMMARY: AddressSanitizer: 96 byte(s) leaked in 4 allocation(s).
Free the params[i].data too.
Cc: qemu-sta...@nongnu.org
Fixes: d117ed0699d41 ("migration/multifd: Allow receiving pages without
packets")
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Fabiano Rosas <faro...@suse.de>
Signed-off-by: Fabiano Rosas <faro...@suse.de>
(cherry picked from commit 4c107870e8b2ba3951ee0c46123f1c3b5d3a19d3)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: c6e1566e290601d7b48193ce77a421f34b5e4844
https://github.com/qemu/qemu/commit/c6e1566e290601d7b48193ce77a421f34b5e4844
Author: Richard Henderson <richard.hender...@linaro.org>
Date: 2024-08-22 (Thu, 22 Aug 2024)
Changed paths:
M linux-user/mmap.c
Log Message:
-----------
linux-user: Handle short reads in mmap_h_gt_g
In particular, if an image has a large bss, we can hit
EOF before reading all host_len bytes of the mapping.
Create a helper, mmap_pread to handle the job for both
the larger block in mmap_h_gt_g itself, as well as the
smaller block in mmap_frag.
Cc: qemu-sta...@nongnu.org
Fixes: eb5027ac618 ("linux-user: Split out mmap_h_gt_g")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2504
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
Message-Id: <20240820050848.165253-2-richard.hender...@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
(cherry picked from commit a4ad4a9d98f7fbde806f07da21e69f39e134cdf1)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: be421f42af05881057f2cbe1eea793f41fc0e5ce
https://github.com/qemu/qemu/commit/be421f42af05881057f2cbe1eea793f41fc0e5ce
Author: Nicholas Piggin <npig...@gmail.com>
Date: 2024-08-22 (Thu, 22 Aug 2024)
Changed paths:
M accel/tcg/tcg-accel-ops-rr.c
M include/sysemu/replay.h
M replay/replay.c
Log Message:
-----------
Revert "replay: stop us hanging in rr_wait_io_event"
This reverts commit 1f881ea4a444ef36a8b6907b0b82be4b3af253a2.
That commit causes reverse_debugging.py test failures, and does
not seem to solve the root cause of the problem x86-64 still
hangs in record/replay tests.
The problem with short-cutting the iowait that was taken during
record phase is that related events will not get consumed at the
same points (e.g., reading the clock).
A hang with zero icount always seems to be a symptom of an earlier
problem that has caused the recording to become out of synch with
the execution and consumption of events by replay.
Acked-by: Alex Bennée <alex.ben...@linaro.org>
Signed-off-by: Nicholas Piggin <npig...@gmail.com>
Message-Id: <20240813050638.446172-6-npig...@gmail.com>
Signed-off-by: Alex Bennée <alex.ben...@linaro.org>
Message-Id: <20240813202329.1237572-14-alex.ben...@linaro.org>
(cherry picked from commit 94962ff00d09674047aed896e87ba09736cd6941)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2524
Compare: https://github.com/qemu/qemu/compare/5ebde3b5c00e...be421f42af05
To unsubscribe from these emails, change your notification settings at
https://github.com/qemu/qemu/settings/notifications
