Branch: refs/heads/stable-9.1
Home: https://github.com/qemu/qemu
Commit: 20eee6cb3d3d75a471fbf200c68441893aa5491a
https://github.com/qemu/qemu/commit/20eee6cb3d3d75a471fbf200c68441893aa5491a
Author: Helge Deller <[email protected]>
Date: 2024-09-05 (Thu, 05 Sep 2024)
Changed paths:
M target/hppa/cpu.h
M target/hppa/helper.c
Log Message:
-----------
target/hppa: Fix PSW V-bit packaging in cpu_hppa_get for hppa64
While adding hppa64 support, the psw_v variable got extended from 32 to 64
bits. So, when packaging the PSW-V bit from the psw_v variable for interrupt
processing, check bit 31 instead of the 63rd (sign) bit.
This fixes a hard to find Linux kernel boot issue where the loss of the PSW-V
bit due to an ITLB interruption in the middle of a series of ds/addc
instructions (from the divU milicode library) generated the wrong division
result and thus triggered a Linux kernel crash.
Link:
https://lore.kernel.org/lkml/[email protected]/
Reported-by: Guenter Roeck <[email protected]>
Signed-off-by: Helge Deller <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Tested-by: Guenter Roeck <[email protected]>
Fixes: 931adff31478 ("target/hppa: Update cpu_hppa_get/put_psw for hppa64")
Cc: [email protected] # v8.2+
(cherry picked from commit ead5078cf1a5f11d16e3e8462154c859620bcc7e)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: f74e5bd9b9ecd189a108c6a0f2f386799804fb9b
https://github.com/qemu/qemu/commit/f74e5bd9b9ecd189a108c6a0f2f386799804fb9b
Author: Daniel P. Berrangé <[email protected]>
Date: 2024-09-11 (Wed, 11 Sep 2024)
Changed paths:
M tests/qemu-iotests/233.out
Log Message:
-----------
iotests: fix expected output from gnutls
Error reporting from gnutls was improved by:
commit 57941c9c86357a6a642f9ee3279d881df4043b6d
Author: Daniel P. Berrangé <[email protected]>
Date: Fri Mar 15 14:07:58 2024 +0000
crypto: push error reporting into TLS session I/O APIs
This has the effect of changing the output from one of the NBD
tests.
Reported-by: Thomas Huth <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
(cherry picked from commit 48b8583698d96d6290726400789fcd51c55691b1)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: ae2dc2a27acf7115b886c9e1b7138ed4ef025160
https://github.com/qemu/qemu/commit/ae2dc2a27acf7115b886c9e1b7138ed4ef025160
Author: Tiago Pasqualini <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M crypto/pbkdf.c
Log Message:
-----------
crypto: run qcrypto_pbkdf2_count_iters in a new thread
CPU time accounting in the kernel has been demonstrated to have a
sawtooth pattern[1][2]. This can cause the getrusage system call to
not be as accurate as we are expecting, which can cause this calculation
to stall.
The kernel discussions show that this inaccuracy happens when CPU time
gets big enough, so this patch changes qcrypto_pbkdf2_count_iters to run
in a fresh thread to avoid this inaccuracy. It also adds a sanity check
to fail the process if CPU time is not accounted.
[1]
https://lore.kernel.org/lkml/159231011694.16989.16351419333851309713.tip-bot2@tip-bot2/
[2]
https://lore.kernel.org/lkml/[email protected]/t/#m1c7f2fdc0ea742776a70fd1aa2a2e414c437f534
Resolves: #2398
Signed-off-by: Tiago Pasqualini <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
(cherry picked from commit c72cab5ad9f849bbcfcf4be7952b8b8946cc626e)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 0e8f3eb43ff4fa7d2ef7a79c943e412b812987f9
https://github.com/qemu/qemu/commit/0e8f3eb43ff4fa7d2ef7a79c943e412b812987f9
Author: Daniel P. Berrangé <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M crypto/pbkdf-gcrypt.c
M crypto/pbkdf-gnutls.c
Log Message:
-----------
crypto: check gnutls & gcrypt support the requested pbkdf hash
Both gnutls and gcrypt can be configured to exclude support for certain
algorithms via a runtime check against system crypto policies. Thus it
is not sufficient to have a compile time test for hash support in their
pbkdf implementations.
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
(cherry picked from commit e6c09ea4f9e5f8af92a6453642b84b9efd52892f)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 3148a16b306485c5b6fb30c06f369b4bba476030
https://github.com/qemu/qemu/commit/3148a16b306485c5b6fb30c06f369b4bba476030
Author: Daniel P. Berrangé <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M crypto/cipher-nettle.c.inc
Log Message:
-----------
crypto: avoid leak of ctx when bad cipher mode is given
Fixes: Coverity CID 1546884
Reviewed-by: Peter Maydell <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
(cherry picked from commit 586ac2c67d707c2588766c5195d94fa553cc25af)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: a160fa0fc3bad5c7fca4b8a332a799b5b9222a8c
https://github.com/qemu/qemu/commit/a160fa0fc3bad5c7fca4b8a332a799b5b9222a8c
Author: Alex Bennée <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M .gitlab-ci.d/container-cross.yml
M .gitlab-ci.d/crossbuilds.yml
R tests/docker/dockerfiles/debian-armel-cross.docker
M tests/lcitool/refresh
Log Message:
-----------
tests/docker: remove debian-armel-cross
As debian-11 transitions to LTS we are starting to have problems
building the image. While we could update to a later Debian, building a
32 bit QEMU without modern floating point is a niche host amongst the
few remaining 32 bit hosts we regularly build for. For now we still
have armhf-debian-cross-container which is currently built from the
more recent debian-12.
Reviewed-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Alex Bennée <[email protected]>
Message-Id: <[email protected]>
(cherry picked from commit d0068b746a0a8cd4bb148527a0d199b130cd5288)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 27a15a2a32a1ce3aec30d6ed181d0de7a0e271c2
https://github.com/qemu/qemu/commit/27a15a2a32a1ce3aec30d6ed181d0de7a0e271c2
Author: Alex Bennée <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M tests/docker/dockerfiles/debian-i686-cross.docker
M tests/docker/dockerfiles/debian-mipsel-cross.docker
M tests/lcitool/refresh
Log Message:
-----------
tests/docker: update debian i686 and mipsel images to bookworm
Whatever issues there were which stopped these being updated when the
rest were have now been resolved. However mips64el continues to be
broken so don't update it here.
Reviewed-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Alex Bennée <[email protected]>
Message-Id: <[email protected]>
(cherry picked from commit 19d2111059c87d3f58349f27b9be9dee81fc1681)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: cd320c8a82773b8219e58d5e949db419f51b00f3
https://github.com/qemu/qemu/commit/cd320c8a82773b8219e58d5e949db419f51b00f3
Author: Thomas Huth <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M .gitlab-ci.d/buildtest.yml
M contrib/plugins/Makefile
Log Message:
-----------
contrib/plugins/Makefile: Add a 'distclean' target
Running "make distclean" in the build tree currently fails since this
tries to run the "distclean" target in the contrib/plugins/ folder, too,
but the Makefile there is missing this target. Thus add 'distclean' there
to fix this issue.
And to avoid regressions with "make distclean", add this command to one
of the build jobs, too.
Message-ID: <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
(cherry picked from commit 1231bc7d12c373e445171dda9e7e5146eee7da55)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: df9aa3dd8c05e1ee58cf38ecf3e2bd5994dbc9ea
https://github.com/qemu/qemu/commit/df9aa3dd8c05e1ee58cf38ecf3e2bd5994dbc9ea
Author: Volker Rümelin <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M hw/audio/trace-events
M hw/audio/virtio-snd.c
Log Message:
-----------
hw/audio/virtio-sound: fix heap buffer overflow
Currently, the guest may write to the device configuration space,
whereas the virtio sound device specification in chapter 5.14.4
clearly states that the fields in the device configuration space
are driver-read-only.
Remove the set_config function from the virtio_snd class.
This also prevents a heap buffer overflow. See QEMU issue #2296.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2296
Signed-off-by: Volker Rümelin <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>
(cherry picked from commit 7fc6611cad3e9627b23ce83e550b668abba6c886)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: bec9a96934539cf4d808cc328aa9c6fa9d36274d
https://github.com/qemu/qemu/commit/bec9a96934539cf4d808cc328aa9c6fa9d36274d
Author: Jan Klötzke <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M hw/intc/arm_gic.c
Log Message:
-----------
hw/intc/arm_gic: fix spurious level triggered interrupts
On GICv2 and later, level triggered interrupts are pending when either
the interrupt line is asserted or the interrupt was made pending by a
GICD_ISPENDRn write. Making a level triggered interrupt pending by
software persists until either the interrupt is acknowledged or cleared
by writing GICD_ICPENDRn. As long as the interrupt line is asserted,
the interrupt is pending in any case.
This logic is transparently implemented in gic_test_pending() for
GICv1 and GICv2. The function combines the "pending" irq_state flag
(used for edge triggered interrupts and software requests) and the
line status (tracked in the "level" field). However, we also
incorrectly set the pending flag on a guest write to GICD_ISENABLERn
if the line of a level triggered interrupt was asserted. This keeps
the interrupt pending even if the line is de-asserted after some
time.
This incorrect logic is a leftover of the initial 11MPCore GIC
implementation. That handles things slightly differently to the
architected GICv1 and GICv2. The 11MPCore TRM does not give a lot of
detail on the corner cases of its GIC's behaviour, and historically
we have not wanted to investigate exactly what it does in reality, so
QEMU's GIC model takes the approach of "retain our existing behaviour
for 11MPCore, and implement the architectural standard for later GIC
revisions".
On that basis, commit 8d999995e45c10 in 2013 is where we added the
"level-triggered interrupt with the line asserted" handling to
gic_test_pending(), and we deliberately kept the old behaviour of
gic_test_pending() for REV_11MPCORE. That commit should have added
the "only if 11MPCore" condition to the setting of the pending bit on
writes to GICD_ISENABLERn, but forgot it.
Add the missing "if REV_11MPCORE" condition, so that our behaviour
on GICv1 and GICv2 matches the GIC architecture requirements.
Cc: [email protected]
Fixes: 8d999995e45c10 ("arm_gic: Fix GIC pending behavior")
Signed-off-by: Jan Klötzke <[email protected]>
Message-id: [email protected]
Reviewed-by: Peter Maydell <[email protected]>
[PMM: expanded comment a little and converted to coding-style form;
expanded commit message with the historical backstory]
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 110684c9a69a02cbabfbddcd3afa921826ad565c)
Signed-off-by: Michael Tokarev <[email protected]>
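Added example, not QEMU's code and not part of this commit: a constructed C model of one GIC distributor interrupt line that follows the rules the commit message lays out. The struct fields, the REV_* tags and the helper names are assumptions; the real gic_test_pending() in hw/intc/arm_gic.c handles far more state. It shows why a GICD_ISENABLERn write that latches the pending flag for an asserted level-triggered line leaves the interrupt reported pending after the line is de-asserted, that the corrected write does this only for REV_11MPCORE, and that a GICD_ISPENDRn-set pending flag persists until GICD_ICPENDRn clears it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Revision tags: an assumption standing in for QEMU's own GIC revision values. */
enum { REV_11MPCORE = 0, REV_GICV1 = 1, REV_GICV2 = 2 };

/* One interrupt line of the distributor (constructed, simplified). */
typedef struct {
    int revision;
    bool enabled;        /* set by GICD_ISENABLERn, cleared by GICD_ICENABLERn */
    bool pending;        /* irq_state "pending" flag: edge latch or GICD_ISPENDRn */
    bool level;          /* current state of the interrupt line */
    bool edge_triggered; /* from GICD_ICFGRn: true = edge, false = level */
} gic_irq;

/* Architected rule for GICv1/GICv2: a level-triggered interrupt is pending
 * while the line is asserted OR while a software/edge pending flag is set.
 * 11MPCore keeps the older behaviour of consulting only the pending flag. */
static bool gic_test_pending(const gic_irq *irq)
{
    if (irq->revision == REV_11MPCORE || irq->edge_triggered) {
        return irq->pending;
    }
    return irq->pending || irq->level;
}

/* Line change from the device model: edge lines latch pending on a rising
 * edge, level lines only record the new level. */
static void gic_set_line(gic_irq *irq, bool level)
{
    if (irq->edge_triggered && level && !irq->level) {
        irq->pending = true;
    }
    irq->level = level;
}

/* Guest write to GICD_ISENABLERn. With 'buggy' set this reproduces the
 * pre-fix behaviour: latch pending for an asserted level line on every
 * revision. The fixed version does so only for REV_11MPCORE. */
static void gic_write_isenabler(gic_irq *irq, bool buggy)
{
    irq->enabled = true;
    if (!irq->edge_triggered && irq->level &&
        (buggy || irq->revision == REV_11MPCORE)) {
        irq->pending = true;
    }
}

static void gic_write_ispendr(gic_irq *irq) { irq->pending = true; }
static void gic_write_icpendr(gic_irq *irq) { irq->pending = false; }

/* Sequence from the commit: line asserted, guest enables the interrupt,
 * line de-asserted. Returns whether the interrupt is still pending. */
bool pending_after_deassert(int revision, bool buggy)
{
    gic_irq irq = { .revision = revision };
    gic_set_line(&irq, true);
    gic_write_isenabler(&irq, buggy);
    gic_set_line(&irq, false);
    return irq.enabled && gic_test_pending(&irq);
}

/* A software-set pending flag on a level line survives line de-assertion and
 * is dropped only by GICD_ICPENDRn (acknowledge is not modelled here). */
bool sw_pending_cleared_only_by_icpendr(int revision)
{
    gic_irq irq = { .revision = revision };
    gic_write_isenabler(&irq, false);
    gic_write_ispendr(&irq);
    gic_set_line(&irq, true);
    gic_set_line(&irq, false);
    bool before = gic_test_pending(&irq);
    gic_write_icpendr(&irq);
    bool after = gic_test_pending(&irq);
    return before && !after;
}

int main(void)
{
    printf("GICv2, buggy ISENABLER: pending after de-assert = %d\n",
           pending_after_deassert(REV_GICV2, true));
    printf("GICv2, fixed ISENABLER: pending after de-assert = %d\n",
           pending_after_deassert(REV_GICV2, false));
    printf("11MPCore (behaviour retained): pending after de-assert = %d\n",
           pending_after_deassert(REV_11MPCORE, false));
    printf("GICv2 ISPENDR persists until ICPENDR: %d\n",
           sw_pending_cleared_only_by_icpendr(REV_GICV2));
    return 0;
}
```

The practical consequence of the pre-fix path is a guest that keeps taking an interrupt for a device whose line has long since dropped; the model makes that visible as pending_after_deassert() returning true for GICv2 only in the buggy variant.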
Commit: b95002f47a4da76f98f62e7dcc8e5eed9a83436a
https://github.com/qemu/qemu/commit/b95002f47a4da76f98f62e7dcc8e5eed9a83436a
Author: Gert Wollny <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M ui/sdl2.c
Log Message:
-----------
ui/sdl2: set swap interval explicitly when OpenGL is enabled
Before 176e3783f2ab (ui/sdl2: OpenGL window context)
SDL_CreateRenderer was called unconditionally setting
the swap interval to 0. Since SDL_CreateRenderer is now no
longer called when OpenGL is enabled, the swap interval is
no longer set explicitly and vsync handling depends on
the environment settings which may lead to a performance
regression with virgl as reported in
https://gitlab.com/qemu-project/qemu/-/issues/2565
Restore the old vsync handling by explicitly calling
SDL_GL_SetSwapInterval if OpenGL is enabled.
Fixes: 176e3783f2ab (ui/sdl2: OpenGL window context)
Closes: https://gitlab.com/qemu-project/qemu/-/issues/2565
Signed-off-by: Gert Wollny <[email protected]>
Acked-by: Marc-André Lureau <[email protected]>
Message-ID:
<01020191e05ce6df-84da6386-62c2-4ce8-840e-ad216ac253dd-000...@eu-west-1.amazonses.com>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit ae23cd00170baaa2777eb1ee87b70f472dbb3c44)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 02833b07b6718e0c7c10e8cd600d917a866da5aa
https://github.com/qemu/qemu/commit/02833b07b6718e0c7c10e8cd600d917a866da5aa
Author: Daniel P. Berrangé <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M .gitlab-ci.d/base.yml
Log Message:
-----------
gitlab: fix logic for changing docker tag on stable branches
This fixes:
commit e28112d00703abd136e2411d23931f4f891c9244
Author: Daniel P. Berrangé <[email protected]>
Date: Thu Jun 8 17:40:16 2023 +0100
gitlab: stable staging branches publish containers in a separate tag
Due to a copy+paste mistake, that commit included "QEMU_JOB_SKIPPED"
in the final rule that was meant to be a 'catch all' for staging
branches.
As a result stable branches are still splattering dockers from the
primary development branch.
Signed-off-by: Daniel P. Berrangé <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
Tested-by: Michael Tokarev <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
(cherry picked from commit 8d5ab746b1e6668ffb0378820b25665b385c8573)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 0d889c5c86d0c5acbcd218c3dc5130c170f74361
https://github.com/qemu/qemu/commit/0d889c5c86d0c5acbcd218c3dc5130c170f74361
Author: Mattias Nissler <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M hw/pci/pci.c
M include/exec/memory.h
M include/hw/pci/pci_device.h
M system/memory.c
M system/physmem.c
Log Message:
-----------
softmmu: Support concurrent bounce buffers
When DMA memory can't be directly accessed, as is the case when
running the device model in a separate process without shareable DMA
file descriptors, bounce buffering is used.
It is not uncommon for device models to request mapping of several DMA
regions at the same time. Examples include:
* net devices, e.g. when transmitting a packet that is split across
several TX descriptors (observed with igb)
* USB host controllers, when handling a packet with multiple data TRBs
(observed with xhci)
Previously, qemu only provided a single bounce buffer per AddressSpace
and would fail DMA map requests while the buffer was already in use. In
turn, this would cause DMA failures that ultimately manifest as hardware
errors from the guest perspective.
This change allocates DMA bounce buffers dynamically instead of
supporting only a single buffer. Thus, multiple DMA mappings work
correctly also when RAM can't be mmap()-ed.
The total bounce buffer allocation size is limited individually for each
AddressSpace. The default limit is 4096 bytes, matching the previous
maximum buffer size. A new x-max-bounce-buffer-size parameter is
provided to configure the limit for PCI devices.
Signed-off-by: Mattias Nissler <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Acked-by: Peter Xu <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Peter Xu <[email protected]>
(cherry picked from commit 637b0aa139565cb82a7b9269e62214f87082635c)
Signed-off-by: Michael Tokarev <[email protected]>
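Added example, not QEMU's code and not part of this commit: a constructed C model of the per-AddressSpace accounting the commit describes, written to contrast the old single-buffer scheme with the new capped dynamic allocation. AddressSpace, BounceBuffer, bounce_map() and bounce_unmap() are simplified stand-ins with assumed shapes; the real change is in system/physmem.c and include/exec/memory.h. The cap is the security-relevant part: bounce buffers are host memory allocated in response to guest-driven DMA mappings, so without a per-AddressSpace limit a guest could drive host allocation without bound.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Default cap per AddressSpace, matching the commit's stated default. */
#define DEFAULT_MAX_BOUNCE_BUFFER_SIZE 4096

/* Constructed stand-in for the accounting the commit adds to AddressSpace. */
typedef struct {
    size_t max_bounce_buffer_size; /* the x-max-bounce-buffer-size limit */
    size_t bounce_buffer_size;     /* bytes held by live bounce buffers */
} AddressSpace;

typedef struct {
    AddressSpace *as;
    size_t len;
    uint8_t *buffer;
} BounceBuffer;

/* Allocate a bounce buffer for a DMA mapping of len bytes. Returns NULL when
 * the request would exceed the per-AddressSpace cap; the device model then
 * sees a map failure, as it did before whenever the single buffer was busy. */
BounceBuffer *bounce_map(AddressSpace *as, size_t len)
{
    size_t room = as->max_bounce_buffer_size - as->bounce_buffer_size;
    if (len == 0 || len > room) {
        return NULL;
    }
    BounceBuffer *b = calloc(1, sizeof(*b));
    if (!b) {
        return NULL;
    }
    b->buffer = calloc(len, 1);
    if (!b->buffer) {
        free(b);
        return NULL;
    }
    b->as = as;
    b->len = len;
    as->bounce_buffer_size += len;
    return b;
}

/* Release a bounce buffer and return its bytes to the AddressSpace budget. */
void bounce_unmap(BounceBuffer *b)
{
    if (!b) {
        return;
    }
    b->as->bounce_buffer_size -= b->len;
    free(b->buffer);
    free(b);
}

/* Old scheme: one buffer per AddressSpace, busy until unmapped. */
int legacy_concurrent_mappings(const size_t *lens, int n)
{
    bool in_use = false;
    int mapped = 0;
    for (int i = 0; i < n; i++) {
        if (in_use || lens[i] > DEFAULT_MAX_BOUNCE_BUFFER_SIZE) {
            break;
        }
        in_use = true;
        mapped++;
    }
    return mapped;
}

/* New scheme: map descriptors one after another without unmapping, as a
 * TX packet split across descriptors would, and report how many fit under
 * the cap. Returns -1 if the budget is not fully returned after unmapping. */
int concurrent_mappings(size_t limit, const size_t *lens, int n)
{
    AddressSpace as = { .max_bounce_buffer_size = limit };
    BounceBuffer *bufs[16] = { 0 };
    int mapped = 0;
    for (int i = 0; i < n && i < 16; i++) {
        bufs[i] = bounce_map(&as, lens[i]);
        if (!bufs[i]) {
            break;
        }
        mapped++;
    }
    for (int i = 0; i < mapped; i++) {
        bounce_unmap(bufs[i]);
    }
    return as.bounce_buffer_size == 0 ? mapped : -1;
}

int main(void)
{
    const size_t packet[] = { 1024, 1024, 1024, 1024 }; /* constructed TX split */
    printf("legacy: %d of 4 descriptors mappable at once\n",
           legacy_concurrent_mappings(packet, 4));
    printf("cap 4096: %d of 4 descriptors mappable at once\n",
           concurrent_mappings(DEFAULT_MAX_BOUNCE_BUFFER_SIZE, packet, 4));
    return 0;
}
```

Raising x-max-bounce-buffer-size for a device trades a larger worst-case host allocation per AddressSpace for fewer spurious DMA failures; the model shows a 4 x 1024 byte packet fitting under the 4096 byte default while a 4097 byte single request is refused.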
Commit: 659eeb16b35839a0ea683a82a3896e7344d12319
https://github.com/qemu/qemu/commit/659eeb16b35839a0ea683a82a3896e7344d12319
Author: David Hildenbrand <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M include/exec/ramlist.h
M system/physmem.c
Log Message:
-----------
softmmu/physmem: fix memory leak in dirty_memory_extend()
As reported by Peter, we might be leaking memory when removing the
highest RAMBlock (in the weird ram_addr_t space), and adding a new one.
We will fail to realize that we already allocated bitmaps for more
dirty memory blocks, and effectively discard the pointers to them.
Fix it by getting rid of last_ram_page() and by remembering the number
of dirty memory blocks that have been allocated already.
While at it, let's use "unsigned int" for the number of blocks, which
should be sufficient until we reach ~32 exabytes.
Looks like this leak was introduced as we switched from using a single
bitmap_zero_extend() to allocating multiple bitmaps:
bitmap_zero_extend() relies on g_renew() which should have taken care of
this.
Resolves:
https://lkml.kernel.org/r/CAFEAcA-k7a+VObGAfCFNygQNfCKL=AfX6A4kScq=vssk0pe...@mail.gmail.com
Reported-by: Peter Maydell <[email protected]>
Fixes: 5b82b703b69a ("memory: RCU ram_list.dirty_memory[] for safe RAM hotplug")
Reviewed-by: Stefan Hajnoczi <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Tested-by: Peter Maydell <[email protected]>
Cc: [email protected]
Cc: Stefan Hajnoczi <[email protected]>
Cc: Paolo Bonzini <[email protected]>
Cc: Peter Xu <[email protected]>
Cc: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: David Hildenbrand <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Peter Xu <[email protected]>
(cherry picked from commit b84f06c2bee727b3870b4eeccbe3a45c5aea14c1)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 97fa3d7fccb1975a33caf011dfd83aba437608d9
https://github.com/qemu/qemu/commit/97fa3d7fccb1975a33caf011dfd83aba437608d9
Author: Fea.Wang <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M system/physmem.c
Log Message:
-----------
softmmu/physmem.c: Keep transaction attribute in address_space_map()
The follow-up transactions may use the data in the attribution, so keep
the value of attribution from the function parameter just as
flatview_translate() above.
Signed-off-by: Fea.Wang <[email protected]>
Cc: [email protected]
Fixes: f26404fbee ("Make address_space_map() take a MemTxAttrs argument")
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Peter Xu <[email protected]>
(cherry picked from commit d8d5ca40048b04750de5a0ae0b2b9f153a391951)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 73f5d5bfb7b1f53c830bdd41cc20aefe12ab4827
https://github.com/qemu/qemu/commit/73f5d5bfb7b1f53c830bdd41cc20aefe12ab4827
Author: Mattias Nissler <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M hw/ide/macio.c
M include/hw/ppc/mac_dbdma.h
Log Message:
-----------
mac_dbdma: Remove leftover `dma_memory_unmap` calls
These were passing a NULL buffer pointer unconditionally, which happens
to behave in a mostly benign way (except for the chance of an excess
memory region unref and a bounce buffer leak). Per the function comment,
this was never meant to be accepted though, and triggers an assertion
with the "softmmu: Support concurrent bounce buffers" change.
Given that the code in question never sets up any mappings, just remove
the unnecessary dma_memory_unmap calls along with the DBDMA_io struct
fields that are now entirely unused.
Signed-off-by: Mattias Nissler <[email protected]>
Message-Id: <[email protected]>
Fixes: be1e343995 ("macio: switch over to new byte-aligned DMA helpers")
Reviewed-by: Mark Cave-Ayland <[email protected]>
Tested-by: Mark Cave-Ayland <[email protected]>
Signed-off-by: Mark Cave-Ayland <[email protected]>
(cherry picked from commit 2d0a071e625d7234e8c5623b7e7bf445e1bef72c)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 9b42e33bda413faa9d649643548b72a68f203f53
https://github.com/qemu/qemu/commit/9b42e33bda413faa9d649643548b72a68f203f53
Author: Fabiano Rosas <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M migration/migration.c
M migration/savevm.c
Log Message:
-----------
migration/multifd: Fix rb->receivedmap cleanup race
Fix a segmentation fault in multifd when rb->receivedmap is cleared
too early.
After commit 5ef7e26bdb ("migration/multifd: solve zero page causing
multiple page faults"), multifd started using the rb->receivedmap
bitmap, which belongs to ram.c and is initialized and *freed* from the
ram SaveVMHandlers.
Multifd threads are live until migration_incoming_state_destroy(),
which is called after qemu_loadvm_state_cleanup(), leading to a crash
when accessing rb->receivedmap.
process_incoming_migration_co()        ...
qemu_loadvm_state()                    multifd_nocomp_recv()
qemu_loadvm_state_cleanup()            ramblock_recv_bitmap_set_offset()
rb->receivedmap = NULL                 set_bit_atomic(..., rb->receivedmap)
...
migration_incoming_state_destroy()
multifd_recv_cleanup()
multifd_recv_terminate_threads(NULL)
Move the loadvm cleanup into migration_incoming_state_destroy(), after
multifd_recv_cleanup() to ensure multifd threads have already exited
when rb->receivedmap is cleared.
Adjust the postcopy listen thread comment to indicate that we still
want to skip the cpu synchronization.
CC: [email protected]
Fixes: 5ef7e26bdb ("migration/multifd: solve zero page causing multiple page faults")
Signed-off-by: Fabiano Rosas <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
[peterx: added comment in migration_incoming_state_destroy()]
Signed-off-by: Peter Xu <[email protected]>
(cherry picked from commit 4ce56229087860805877075ddb29dd44578365a9)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 1faa437db9b5e9217648f1e8db8a03ef93e5aed1
https://github.com/qemu/qemu/commit/1faa437db9b5e9217648f1e8db8a03ef93e5aed1
Author: Jacob Abrams <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M hw/char/stm32l4x5_usart.c
M tests/qtest/stm32l4x5_usart-test.c
Log Message:
-----------
hw/char/stm32l4x5_usart.c: Enable USART ACK bit response
SW modifying USART_CR1 TE bit should cause HW to respond by altering
USART_ISR TEACK bit, and likewise for RE and REACK bit.
This resolves some but not all issues necessary for the official STM USART
HAL driver to function as is.
Fixes: 87b77e6e01ca ("hw/char/stm32l4x5_usart: Enable serial read and write")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2540
Signed-off-by: Jacob Abrams <[email protected]>
Message-id: [email protected]
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 6cce0dcc6f7aaaeb7f17577776da510b04f67c99)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 03ee5e0c532d24a689b59495a36111a960420723
https://github.com/qemu/qemu/commit/03ee5e0c532d24a689b59495a36111a960420723
Author: Peter Maydell <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M target/arm/tcg/cpu64.c
Log Message:
-----------
target/arm: Correct ID_AA64ISAR1_EL1 value for neoverse-v1
The Neoverse-V1 TRM is a bit confused about the layout of the
ID_AA64ISAR1_EL1 register, and so its table 3-6 has the wrong value
for this ID register. Trust instead section 3.2.74's list of which
fields are set.
This means that we stop incorrectly reporting FEAT_XS as present, and
now report the presence of FEAT_BF16.
Cc: [email protected]
Reported-by: Marcin Juszkiewicz <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-id: [email protected]
(cherry picked from commit 8676007eff04bb4e454bcdf92fab3f855bcc59b3)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: eb40b14740b9507c60805fccb723c3bd8903ab66
https://github.com/qemu/qemu/commit/eb40b14740b9507c60805fccb723c3bd8903ab66
Author: Helge Deller <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M target/hppa/cpu.h
Log Message:
-----------
target/hppa: Fix random 32-bit linux-user crashes
The linux-user hppa target crashes randomly for me since commit
081a0ed188d8 ("target/hppa: Do not mask in copy_iaoq_entry").
That commit dropped the masking of the IAOQ addresses while copying them
from other registers and instead keeps them with all 64 bits up until
the full gva is formed with the help of hppa_form_gva_psw().
So, when running in linux-user mode on an emulated 64-bit CPU, we need
to mask to a 32-bit address space at the very end in hppa_form_gva_psw()
if the PSW-W flag isn't set (which is the case for linux-user on hppa).
Fixes: 081a0ed188d8 ("target/hppa: Do not mask in copy_iaoq_entry")
Cc: [email protected] # v9.1+
Signed-off-by: Helge Deller <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
(cherry picked from commit d33d3adb573794903380e03e767e06470514cefe)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: f84b79a8fcf46d73bc2345cf14ca863fa8e05ea6
https://github.com/qemu/qemu/commit/f84b79a8fcf46d73bc2345cf14ca863fa8e05ea6
Author: Arman Nabiev <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M target/ppc/machine.c
Log Message:
-----------
target/ppc: Fix migration of CPUs with TLB_EMB TLB type
In vmstate_tlbemb a cut-and-paste error meant we gave
this vmstate subsection the same "cpu/tlb6xx" name as
the vmstate_tlb6xx subsection. This breaks migration load
for any CPU using the TLB_EMB CPU type, because when we
see the "tlb6xx" name in the incoming data we try to
interpret it as a vmstate_tlb6xx subsection, which it
isn't the right format for:
$ qemu-system-ppc -drive if=none,format=qcow2,file=/home/petmay01/test-images/virt/dummy.qcow2 -monitor stdio -M bamboo
QEMU 9.0.92 monitor - type 'help' for more information
(qemu) savevm foo
(qemu) loadvm foo
Missing section footer for cpu
Error: Error -22 while loading VM state
Correct the incorrect vmstate section name. Since migration
for these CPU types was completely broken before, we don't
need to care that this is a migration compatibility break.
This affects the PPC 405, 440, 460 and e200 CPU families.
Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2522
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Arman Nabiev <[email protected]>
Signed-off-by: Fabiano Rosas <[email protected]>
(cherry picked from commit 203beb6f047467a4abfc8267c234393cea3f471c)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 9cd1fd4b5025df866eb0bd8a86230e83ae049882
https://github.com/qemu/qemu/commit/9cd1fd4b5025df866eb0bd8a86230e83ae049882
Author: Fabiano Rosas <[email protected]>
Date: 2024-09-25 (Wed, 25 Sep 2024)
Changed paths:
M migration/multifd-uadk.c
Log Message:
-----------
migration/multifd: Fix p->iov leak in multifd-uadk.c
The send_cleanup() hook should free the p->iov that was allocated at
send_setup(). This was missed because the UADK code is conditional on
the presence of the accelerator, so it's not tested by default.
Fixes: 819dd20636 ("migration/multifd: Add UADK initialization")
Reported-by: Peter Xu <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Signed-off-by: Fabiano Rosas <[email protected]>
(cherry picked from commit 405e352d28c24991cacfdebccf67d56c4795cf6e)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 51c943931d75959b787ea72e2cf8e79369ac1cd0
https://github.com/qemu/qemu/commit/51c943931d75959b787ea72e2cf8e79369ac1cd0
Author: Bibo Mao <[email protected]>
Date: 2024-09-26 (Thu, 26 Sep 2024)
Changed paths:
M hw/loongarch/virt.c
Log Message:
-----------
hw/loongarch/virt: Add description for virt machine type
The description about virt machine type is removed by mistake, add
new description here. Here is output result with command
"./qemu-system-loongarch64 -M help"
Supported machines are:
none empty machine
virt QEMU LoongArch Virtual Machine (default)
x-remote Experimental remote machine
Without the patch, it shows as follows:
Supported machines are:
none empty machine
virt (null) (default)
x-remote Experimental remote machine
Fixes: ef2f11454c ("hw/loongarch/virt: Replace Loongson IPI with LoongArch IPI")
Signed-off-by: Bibo Mao <[email protected]>
Reviewed-by: Thomas Huth <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
Signed-off-by: Michael Tokarev <[email protected]>
(cherry picked from commit 4265b4f358436252ef36164566f316458f1df671)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 4c7c0d2442fbfcbe128198aa5f3613f387f291ac
https://github.com/qemu/qemu/commit/4c7c0d2442fbfcbe128198aa5f3613f387f291ac
Author: TANG Tiancheng <[email protected]>
Date: 2024-09-28 (Sat, 28 Sep 2024)
Changed paths:
M tcg/tcg-op-gvec.c
Log Message:
-----------
tcg: Fix iteration step in 32-bit gvec operation
The loop in the 32-bit case of the vector compare operation
was incorrectly incrementing by 8 bytes per iteration instead
of 4 bytes. This caused the function to process only half of
the intended elements.
Cc: [email protected]
Fixes: 9622c697d1 (tcg: Add gvec compare with immediate and scalar operand)
Signed-off-by: TANG Tiancheng <[email protected]>
Reviewed-by: Liu Zhiwei <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit 9d8d5a5b9078a16b4c0862fe54248c5cc8435648)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: f8244f3b8c87bd7483c4cc48f86947993bcf32fa
https://github.com/qemu/qemu/commit/f8244f3b8c87bd7483c4cc48f86947993bcf32fa
Author: Fabiano Rosas <[email protected]>
Date: 2024-09-28 (Sat, 28 Sep 2024)
Changed paths:
M target/ppc/translate/vsx-impl.c.inc
Log Message:
-----------
target/ppc: Fix lxvx/stxvx facility check
The XT check for the lxvx/stxvx instructions is currently
inverted. This was introduced during the move to decodetree.
From the ISA:
Chapter 7. Vector-Scalar Extension Facility
Load VSX Vector Indexed X-form
lxvx XT,RA,RB
if TX=0 & MSR.VSX=0 then VSX_Unavailable()
if TX=1 & MSR.VEC=0 then Vector_Unavailable()
...
Let XT be the value 32×TX + T.
The code currently does the opposite:
    if (paired || a->rt >= 32) {
        REQUIRE_VSX(ctx);
    } else {
        REQUIRE_VECTOR(ctx);
    }
This was already fixed for lxv/stxv at commit "2cc0e449d1 (target/ppc:
Fix lxv/stxv MSR facility check)", but the indexed forms were missed.
Cc: [email protected]
Fixes: 70426b5bb7 ("target/ppc: moved stxvx and lxvx from legacy to decodtree")
Signed-off-by: Fabiano Rosas <[email protected]>
Reviewed-by: Claudio Fontana <[email protected]>
Acked-by: Ilya Leoshkevich <[email protected]>
Reviewed-by: Fabiano Rosas <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit 8bded2e73e80823a67f730140788a3c5e60bf4b5)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 8fc8dd2efdedec96082777dc3065a389a9ecf5d9
https://github.com/qemu/qemu/commit/8fc8dd2efdedec96082777dc3065a389a9ecf5d9
Author: Mark Cave-Ayland <[email protected]>
Date: 2024-09-28 (Sat, 28 Sep 2024)
Changed paths:
M hw/mips/jazz.c
Log Message:
-----------
hw/mips/jazz: fix typo in in-built NIC alias
Commit e104edbb9d ("hw/mips/jazz: use qemu_find_nic_info()") contained a typo
in the NIC alias which caused initialisation of the in-built dp83932 NIC to fail
when using the normal -nic user,model=dp83932 command line.
Fixes: e104edbb9d ("hw/mips/jazz: use qemu_find_nic_info()")
Signed-off-by: Mark Cave-Ayland <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: David Woodhouse <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
Signed-off-by: Michael Tokarev <[email protected]>
(cherry picked from commit 2e4fdf566062c03456230fd8136b88c5c1e5c4bf)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: bb630d92516cb39ee830566b5e0335a4e14b1cc6
https://github.com/qemu/qemu/commit/bb630d92516cb39ee830566b5e0335a4e14b1cc6
Author: Alex Bennée <[email protected]>
Date: 2024-09-30 (Mon, 30 Sep 2024)
Changed paths:
M util/qemu-timer.c
Log Message:
-----------
util/timer: avoid deadlock when shutting down
When we shut down a guest we disable the timers. However this can
cause deadlock if the guest has queued some async work that is trying
to advance system time and spins forever trying to wind time forward.
Pay attention to the return code and bail early if we can't wind time
forward.
Reported-by: Elisha Hollander <[email protected]>
Signed-off-by: Alex Bennée <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Message-Id: <[email protected]>
(cherry picked from commit bc02be4508d8753d1f6071b77d10f4661587df6f)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 7eefbf8bb72c1bec0972ca19901207dc6d2acf5a
https://github.com/qemu/qemu/commit/7eefbf8bb72c1bec0972ca19901207dc6d2acf5a
Author: Fiona Ebner <[email protected]>
Date: 2024-10-01 (Tue, 01 Oct 2024)
Changed paths:
M block/copy-before-write.c
M block/reqlist.c
Log Message:
-----------
block/reqlist: allow adding overlapping requests
Allow overlapping requests by removing the assert that made it
impossible. There are only two callers:
1. block_copy_task_create()
It already asserts the very same condition before calling
reqlist_init_req().
2. cbw_snapshot_read_lock()
There is no need to have read requests be non-overlapping in
copy-before-write when used for snapshot-access. In fact, there was no
protection against two callers of cbw_snapshot_read_lock() calling
reqlist_init_req() with overlapping ranges and this could lead to an
assertion failure [1].
In particular, with the reproducer script below [0], two
cbw_co_snapshot_block_status() callers could race, with the second
calling reqlist_init_req() before the first one finishes and removes
its conflicting request.
[0]:
> #!/bin/bash -e
> dd if=/dev/urandom of=/tmp/disk.raw bs=1M count=1024
> ./qemu-img create /tmp/fleecing.raw -f raw 1G
> (
> ./qemu-system-x86_64 --qmp stdio \
> --blockdev raw,node-name=node0,file.driver=file,file.filename=/tmp/disk.raw \
> --blockdev raw,node-name=node1,file.driver=file,file.filename=/tmp/fleecing.raw \
> <<EOF
> {"execute": "qmp_capabilities"}
> {"execute": "blockdev-add", "arguments": { "driver": "copy-before-write",
> "file": "node0", "target": "node1", "node-name": "node3" } }
> {"execute": "blockdev-add", "arguments": { "driver": "snapshot-access",
> "file": "node3", "node-name": "snap0" } }
> {"execute": "nbd-server-start", "arguments": {"addr": { "type": "unix",
> "data": { "path": "/tmp/nbd.socket" } } } }
> {"execute": "block-export-add", "arguments": {"id": "exp0", "node-name":
> "snap0", "type": "nbd", "name": "exp0"}}
> EOF
> ) &
> sleep 5
> while true; do
> ./qemu-nbd -d /dev/nbd0
> ./qemu-nbd -c /dev/nbd0 nbd:unix:/tmp/nbd.socket:exportname=exp0 -f raw -r
> nbdinfo --map 'nbd+unix:///exp0?socket=/tmp/nbd.socket'
> done
[1]:
> #5 0x000071e5f0088eb2 in __GI___assert_fail (...) at ./assert/assert.c:101
> #6 0x0000615285438017 in reqlist_init_req (...) at ../block/reqlist.c:23
> #7 0x00006152853e2d98 in cbw_snapshot_read_lock (...) at
> ../block/copy-before-write.c:237
> #8 0x00006152853e3068 in cbw_co_snapshot_block_status (...) at
> ../block/copy-before-write.c:304
> #9 0x00006152853f4d22 in bdrv_co_snapshot_block_status (...) at
> ../block/io.c:3726
> #10 0x000061528543a63e in snapshot_access_co_block_status (...) at
> ../block/snapshot-access.c:48
> #11 0x00006152853f1a0a in bdrv_co_do_block_status (...) at ../block/io.c:2474
> #12 0x00006152853f2016 in bdrv_co_common_block_status_above (...) at
> ../block/io.c:2652
> #13 0x00006152853f22cf in bdrv_co_block_status_above (...) at
> ../block/io.c:2732
> #14 0x00006152853d9a86 in blk_co_block_status_above (...) at
> ../block/block-backend.c:1473
> #15 0x000061528538da6c in blockstatus_to_extents (...) at ../nbd/server.c:2374
> #16 0x000061528538deb1 in nbd_co_send_block_status (...) at
> ../nbd/server.c:2481
> #17 0x000061528538f424 in nbd_handle_request (...) at ../nbd/server.c:2978
> #18 0x000061528538f906 in nbd_trip (...) at ../nbd/server.c:3121
> #19 0x00006152855a7caf in coroutine_trampoline (...) at
> ../util/coroutine-ucontext.c:175
Cc: [email protected]
Suggested-by: Vladimir Sementsov-Ogievskiy <[email protected]>
Signed-off-by: Fiona Ebner <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Vladimir Sementsov-Ogievskiy <[email protected]>
Signed-off-by: Vladimir Sementsov-Ogievskiy <[email protected]>
(cherry picked from commit 6475155d519209c80fdda53e05130365aa769838)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 767e7d8ae1aee94e63f3d94a77dc1515a8a16dab
https://github.com/qemu/qemu/commit/767e7d8ae1aee94e63f3d94a77dc1515a8a16dab
Author: Ard Biesheuvel <[email protected]>
Date: 2024-10-02 (Wed, 02 Oct 2024)
Changed paths:
M target/arm/internals.h
M target/arm/ptw.c
Log Message:
-----------
target/arm: Avoid target_ulong for physical address lookups
target_ulong is typedef'ed as a 32-bit integer when building the
qemu-system-arm target, and this is smaller than the size of an
intermediate physical address when LPAE is being used.
Given that Linux may place leaf level user page tables in high memory
when built for LPAE, the kernel will crash with an external abort as
soon as it enters user space when running with more than ~3 GiB of
system RAM.
So replace target_ulong with vaddr in places where it may carry an
address value that is not representable in 32 bits.
Fixes: f3639a64f602ea ("target/arm: Use softmmu tlbs for page table walking")
Cc: [email protected]
Reported-by: Arnd Bergmann <[email protected]>
Tested-by: Arnd Bergmann <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Ard Biesheuvel <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 67d762e716a7127ecc114e9708254316dd521911)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: e32ac563b8375ef9dca7b6d02e1cd2feaaab3f58
https://github.com/qemu/qemu/commit/e32ac563b8375ef9dca7b6d02e1cd2feaaab3f58
Author: Jan Luebbe <[email protected]>
Date: 2024-10-02 (Wed, 02 Oct 2024)
Changed paths:
M hw/sd/sd.c
Log Message:
-----------
hw/sd/sdcard: Fix handling of disabled boot partitions
The enable bits in the EXT_CSD_PART_CONFIG ext_csd register do *not*
specify whether the boot partitions exist, but whether they are enabled
for booting. Existence of the boot partitions is specified by a
EXT_CSD_BOOT_MULT != 0.
Currently, in the case of boot-partition-size=1M and boot-config=0,
Linux detects boot partitions of 1M. But as sd_bootpart_offset always
returns 0, all reads/writes are mapped to the same offset in the backing
file.
Fix this bug by calculating the offset independent of which partition is
enabled for booting.
This bug is unlikely to affect many users with QEMU's current set of
boards, because only aspeed sets boot-partition-size, and it also
sets boot-config to 8. So to run into this a user would have to
manually mark the boot partition non-booting from within the guest.
Cc: [email protected]
Signed-off-by: Jan Luebbe <[email protected]>
Message-id: [email protected]
Reviewed-by: Peter Maydell <[email protected]>
[PMM: added note to commit message about effects of bug]
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 9601076b3b0bced7ed597d1470e3ff2f4e7177d6)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 02ac67c41fbc6c4fe78ccec63dae959f45d13705
https://github.com/qemu/qemu/commit/02ac67c41fbc6c4fe78ccec63dae959f45d13705
Author: Alex Bennée <[email protected]>
Date: 2024-10-03 (Thu, 03 Oct 2024)
Changed paths:
M tests/docker/dockerfiles/debian-mips64el-cross.docker
M tests/lcitool/mappings.yml
M tests/lcitool/refresh
Log Message:
-----------
testing: bump mips64el cross to bookworm and fix package list
The mips64el cross setup is very broken for bullseye which has now
entered LTS support so is unlikely to be fixed. While we still can't
build the container with all packages for bookworm due to a single
missing dependency that will hopefully get fixed in due course, for
the sake of keeping the CI green we disable the problematic packages
via lcitool's mappings.yml file.
See also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081535
Signed-off-by: Alex Bennée <[email protected]>
[thuth: Disable the problematic packages via lcitool's mappings.yml]
Message-ID: <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
(cherry picked from commit c60473d29254b79d9437eface8b342e84663ba66)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 5762cdaf45b0b75d55d64f3b8f441b140026ccb2
https://github.com/qemu/qemu/commit/5762cdaf45b0b75d55d64f3b8f441b140026ccb2
Author: Marc-André Lureau <[email protected]>
Date: 2024-10-04 (Fri, 04 Oct 2024)
Changed paths:
M ui/vnc.c
Log Message:
-----------
vnc: fix crash when no console attached
Since commit e99441a3793b5 ("ui/curses: Do not use console_select()")
qemu_text_console_put_keysym() no longer checks for NULL console
argument, which leads to a later crash:
Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x00005555559ee186 in qemu_text_console_handle_keysym (s=0x0, keysym=31) at
../ui/console-vc.c:332
332 } else if (s->echo && (keysym == '\r' || keysym == '\n')) {
(gdb) bt
#0 0x00005555559ee186 in qemu_text_console_handle_keysym (s=0x0, keysym=31)
at ../ui/console-vc.c:332
#1 0x00005555559e18e5 in qemu_text_console_put_keysym (s=<optimized out>,
keysym=<optimized out>) at ../ui/console.c:303
#2 0x00005555559f2e88 in do_key_event (vs=vs@entry=0x5555579045c0,
down=down@entry=1, keycode=keycode@entry=60, sym=sym@entry=65471) at
../ui/vnc.c:2034
#3 0x00005555559f845c in ext_key_event (vs=0x5555579045c0, down=1, sym=65471,
keycode=<optimized out>) at ../ui/vnc.c:2070
#4 protocol_client_msg (vs=0x5555579045c0, data=<optimized out>,
len=<optimized out>) at ../ui/vnc.c:2514
#5 0x00005555559f515c in vnc_client_read (vs=0x5555579045c0) at
../ui/vnc.c:1607
Fixes: e99441a3793b5 ("ui/curses: Do not use console_select()")
Fixes: https://issues.redhat.com/browse/RHEL-50529
Cc: [email protected]
Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
Signed-off-by: Michael Tokarev <[email protected]>
(cherry picked from commit 0e60fc80938d9ce84274a36ddfaaa640bdef2be8)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 18046fbec50a43f195ad5818efaeed9935afed02
https://github.com/qemu/qemu/commit/18046fbec50a43f195ad5818efaeed9935afed02
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2024-10-10 (Thu, 10 Oct 2024)
Changed paths:
M linux-user/flatload.c
Log Message:
-----------
linux-user/flatload: Take mmap_lock in load_flt_binary()
load_flt_binary() calls load_flat_file() -> page_set_flags().
page_set_flags() must be called with the mmap_lock held,
otherwise it aborts:
$ qemu-arm -L stm32/lib/ stm32/bin/busybox
qemu-arm: ../accel/tcg/user-exec.c:505: page_set_flags: Assertion
`have_mmap_lock()' failed.
Aborted (core dumped)
Fix by taking the lock in load_flt_binary().
Fixes: fbd3c4cff6 ("linux-user/arm: Mark the commpage executable")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2525
Suggested-by: Richard Henderson <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit a9ee641bd46f5462eeed183ac3c3760bddfc2600)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 167c8d374aba92fd24f87445b43d093f31f84c09
https://github.com/qemu/qemu/commit/167c8d374aba92fd24f87445b43d093f31f84c09
Author: Richard Henderson <[email protected]>
Date: 2024-10-10 (Thu, 10 Oct 2024)
Changed paths:
M linux-user/elfload.c
Log Message:
-----------
linux-user: Fix parse_elf_properties GNU0_MAGIC check
Comparing a string of 4 bytes only works in little-endian.
Adjust bulk bswap to only apply to the note payload.
Perform swapping of the note header manually; the magic
is defined so that it does not need a runtime swap.
Fixes: 83f990eb5adb ("linux-user/elfload: Parse NT_GNU_PROPERTY_TYPE_0 notes")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2596
Signed-off-by: Richard Henderson <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
(cherry picked from commit 2884596f5f385b5712c356310dd4125a089888a8)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 854a38fd9d212d2fce594b34bd989f9ef7e40c75
https://github.com/qemu/qemu/commit/854a38fd9d212d2fce594b34bd989f9ef7e40c75
Author: Richard Henderson <[email protected]>
Date: 2024-10-10 (Thu, 10 Oct 2024)
Changed paths:
M tcg/ppc/tcg-target.c.inc
Log Message:
-----------
tcg/ppc: Use TCG_REG_TMP2 for scratch tcg_out_qemu_st
In the fallback when STDBRX is not available, avoid clobbering
TCG_REG_TMP1, which might be h.base, which is still in use.
Use TCG_REG_TMP2 instead.
Cc: [email protected]
Fixes: 01a112e2e9 ("tcg/ppc: Reorg tcg_out_tlb_read")
Signed-off-by: Richard Henderson <[email protected]>
Tested-By: Michael Tokarev <[email protected]>
(cherry picked from commit 4cabcb89b101942346aebff081aa1453e958fe7f)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 8f583fd99a2832b2e660e8ca5d53fa6496c27dd5
https://github.com/qemu/qemu/commit/8f583fd99a2832b2e660e8ca5d53fa6496c27dd5
Author: Richard Henderson <[email protected]>
Date: 2024-10-10 (Thu, 10 Oct 2024)
Changed paths:
M tcg/ppc/tcg-target.c.inc
Log Message:
-----------
tcg/ppc: Use TCG_REG_TMP2 for scratch index in prepare_host_addr
In tcg_out_qemu_ldst_i128, we need a non-zero index register,
which we then use as a base register in several address modes.
Since we always have TCG_REG_TMP2 available, use that.
Cc: [email protected]
Fixes: 526cd4ec01f ("tcg/ppc: Support 128-bit load/store")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2597
Signed-off-by: Richard Henderson <[email protected]>
Tested-By: Michael Tokarev <[email protected]>
(cherry picked from commit 3213da7b9539581c6df95f8ced5b09d0b02d425f)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: a4f9d9a4b2167201d53050eb7e00bef0c863d075
https://github.com/qemu/qemu/commit/a4f9d9a4b2167201d53050eb7e00bef0c863d075
Author: Richard Henderson <[email protected]>
Date: 2024-10-10 (Thu, 10 Oct 2024)
Changed paths:
M target/m68k/translate.c
Log Message:
-----------
target/m68k: Always return a temporary from gen_lea_mode
Returning a raw areg does not preserve the value if the areg
is subsequently modified. Fixes, e.g. "jsr (sp)", where the
return address is pushed before the branch.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2483
Signed-off-by: Richard Henderson <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit 352cc9f300d83ea48b8154bfd2ff985fece887d0)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: e894be998d0871f55581cb9cf6ce330bf6d590b2
https://github.com/qemu/qemu/commit/e894be998d0871f55581cb9cf6ce330bf6d590b2
Author: Pierrick Bouvier <[email protected]>
Date: 2024-10-14 (Mon, 14 Oct 2024)
Changed paths:
M meson.build
Log Message:
-----------
meson: fix machine option for x86_version
s/mbmi1/mbmi/
When configuring with -Dx86_version >= 3, meson step works, but
compilation fails because option -mbmi1 is unknown.
Signed-off-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Tested-by: Alex Bennée <[email protected]>
Link:
https://lore.kernel.org/r/[email protected]
Cc: [email protected]
Fixes: ef7d1adfa85 ("meson: allow configuring the x86-64 baseline", 2024-06-28)
Reviewed-by: Michael Tokarev <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 461a9252e249adab5f0bae3b9634be77dd5be17e)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 22359e0e6ee4ddc0ed1bfe6f8a02d81fdb13693b
https://github.com/qemu/qemu/commit/22359e0e6ee4ddc0ed1bfe6f8a02d81fdb13693b
Author: Paolo Bonzini <[email protected]>
Date: 2024-10-14 (Mon, 14 Oct 2024)
Changed paths:
M meson.build
Log Message:
-----------
meson: define qemu_isa_flags
Create a separate variable for compiler flags that enable
specific instruction set extensions, so that they can be used with
cc.compiles/cc.links.
Note that -mfpmath=sse is a code generation option but it does not
enable new instructions, therefore I did not make it part of
qemu_isa_flags.
Suggested-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Tested-by: Alex Bennée <[email protected]>
Cc: [email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 6ae8c5382b2396d394e135c2c6d3742d11c6d0c2)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 997f8d5c2b5ea4d1f07976ed54b944d6cdcdf2b6
https://github.com/qemu/qemu/commit/997f8d5c2b5ea4d1f07976ed54b944d6cdcdf2b6
Author: Paolo Bonzini <[email protected]>
Date: 2024-10-14 (Mon, 14 Oct 2024)
Changed paths:
M meson.build
Log Message:
-----------
meson: ensure -mcx16 is passed when detecting ATOMIC128
Moving -mcx16 out of CPU_CFLAGS caused the detection of ATOMIC128 to
fail, because flags have to be specified by hand in cc.compiles and
cc.links invocations (why oh why??).
Ensure that these tests enable all the instruction set extensions that
will be used to build the emulators.
Fixes: c2bf2ccb266 ("configure: move -mcx16 flag out of CPU_CFLAGS", 2024-05-24)
Reported-by: Alex Bennée <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Tested-by: Alex Bennée <[email protected]>
Cc: [email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 8db4e0f92e83fd80b6609439440b303ddded7ad8)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: c5f652a0532961c20bd5ba78a65288209605b522
https://github.com/qemu/qemu/commit/c5f652a0532961c20bd5ba78a65288209605b522
Author: Alexandra Diupina <[email protected]>
Date: 2024-10-15 (Tue, 15 Oct 2024)
Changed paths:
M hw/intc/arm_gicv3_cpuif.c
Log Message:
-----------
hw/intc/arm_gicv3: Add cast to match the documentation
The result of 1 << regbit with regbit==31 has a 1 in the 32nd bit.
When cast to uint64_t (for further bitwise OR), the 32 most
significant bits will be filled with 1s. However, the documentation
states that the upper 32 bits of ICH_AP[0/1]R<n>_EL2 are reserved.
Add an explicit cast to match the documentation.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Cc: [email protected]
Fixes: d2c0c6aab6 ("hw/intc/arm_gicv3: Handle icv_nmiar1_read() for icc_nmiar1_read()")
Signed-off-by: Alexandra Diupina <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit e0c0ea6eca4f210a52b9742817586cc97b1ee434)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 6fecfc5978e25c2298eed4aa0f254ac7a0384d81
https://github.com/qemu/qemu/commit/6fecfc5978e25c2298eed4aa0f254ac7a0384d81
Author: Alexandra Diupina <[email protected]>
Date: 2024-10-15 (Tue, 15 Oct 2024)
Changed paths:
M hw/intc/arm_gicv3_cpuif.c
Log Message:
-----------
hw/intc/arm_gicv3: Add cast to match the documentation
The result of 1 << regbit with regbit==31 has a 1 in the 32nd bit.
When cast to uint64_t (for further bitwise OR), the 32 most
significant bits will be filled with 1s. However, the documentation
states that the upper 32 bits of ICC_AP[0/1]R<n>_EL2 are reserved.
Add an explicit cast to match the documentation.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Cc: [email protected]
Fixes: 28cca59c46 ("hw/intc/arm_gicv3: Add NMI handling CPU interface registers")
Signed-off-by: Alexandra Diupina <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 12dc8f6eca1ead876142fd3d6731cf3da1295f2a)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 460ddd62fa559ec6c53e6229a3f1b6ceea7f5390
https://github.com/qemu/qemu/commit/460ddd62fa559ec6c53e6229a3f1b6ceea7f5390
Author: Alexandra Diupina <[email protected]>
Date: 2024-10-15 (Tue, 15 Oct 2024)
Changed paths:
M hw/intc/arm_gicv3_cpuif.c
Log Message:
-----------
hw/intc/arm_gicv3_cpuif: Add cast to match the documentation
The result of 1 << regbit with regbit==31 has a 1 in the 32nd bit.
When cast to uint64_t (for further bitwise OR), the 32 most
significant bits will be filled with 1s. However, the documentation
states that the upper 32 bits of ICH_AP[0/1]R<n>_EL2 are reserved.
Add an explicit cast to match the documentation.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Cc: [email protected]
Fixes: c3f21b065a ("hw/intc/arm_gicv3_cpuif: Support vLPIs")
Signed-off-by: Alexandra Diupina <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 3db74afec3ca87f81fbdf5918ed1e21d837fbfab)
Signed-off-by: Michael Tokarev <[email protected]>
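The integer-promotion hazard described in the three hw/intc/arm_gicv3 commits above, as an added C example that is not QEMU code: `1 << regbit` has type int, so for regbit == 31 it is negative and the conversion to uint64_t sign-extends it into the reserved upper 32 bits. The function names are hypothetical, and `int_shifted_bit()` stands in for the int-typed result of `1 << regbit` (obtained through an unsigned shift and a conversion, since the signed shift into bit 31 is undefined in standard C).

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not QEMU code). Models the pattern the gicv3 commits fix:
 * a 64-bit register value is built by OR-ing in a bit computed as
 * `1 << regbit`. That expression has type int, so for regbit == 31 its
 * value is negative, and the implicit int -> uint64_t conversion
 * sign-extends it, setting bits 63..32 that the documentation says are
 * reserved (and must read as zero).
 */

/* Stand-in for the int-typed result of `1 << regbit`. For regbit == 31 the
 * signed shift itself overflows (undefined in standard C), so the same bit
 * pattern is produced with an unsigned shift plus a conversion to int32_t,
 * which gcc and clang define as two's-complement wraparound. */
static int32_t int_shifted_bit(int regbit)
{
    return (int32_t)(UINT32_C(1) << regbit);
}

/* Buggy form: the OR operand is an int. A negative int converted to
 * uint64_t is sign-extended, so regbit == 31 pollutes the upper half. */
static uint64_t ap_reg_or_buggy(uint64_t reg, int regbit)
{
    return reg | int_shifted_bit(regbit);
}

/* Fixed form, as the commits describe: cast before shifting so the shift is
 * performed in uint64_t and only the intended bit is set. */
static uint64_t ap_reg_or_fixed(uint64_t reg, int regbit)
{
    return reg | ((uint64_t)1 << regbit);
}

/* Check mirroring the documented constraint: the upper 32 bits of the
 * ICC/ICH_AP<n>R registers are reserved and must be zero. */
static bool upper32_reserved_bits_clear(uint64_t reg)
{
    return (reg >> 32) == 0;
}

int main(void)
{
    /* regbit 0 behaves the same either way; regbit 31 shows the defect. */
    for (int regbit = 0; regbit < 32; regbit += 31) {
        uint64_t buggy = ap_reg_or_buggy(0, regbit);
        uint64_t fixed = ap_reg_or_fixed(0, regbit);
        printf("regbit=%2d buggy=0x%016" PRIx64 " (%s) fixed=0x%016" PRIx64 " (%s)\n",
               regbit,
               buggy, upper32_reserved_bits_clear(buggy) ? "ok" : "upper bits set",
               fixed, upper32_reserved_bits_clear(fixed) ? "ok" : "upper bits set");
    }
    return 0;
}
```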
Commit: 10e3edd9b3b745ca7772a046c06a27ef539fba33
https://github.com/qemu/qemu/commit/10e3edd9b3b745ca7772a046c06a27ef539fba33
Author: Peter Maydell <[email protected]>
Date: 2024-10-15 (Tue, 15 Oct 2024)
Changed paths:
M hw/char/pl011.c
Log Message:
-----------
hw/char/pl011: Use correct masks for IBRD and FBRD
In commit b88cfee90268cad we defined masks for the IBRD and FBRD
integer and fractional baud rate divider registers, to prevent the
guest from writing invalid values which could cause division-by-zero.
Unfortunately we got the mask values the wrong way around: the FBRD
register is six bits and the IBRD register is 16 bits, not
vice-versa.
You would only run into this bug if you programmed the UART to a baud
rate of less than 9600, because for 9600 baud and above the IBRD
value will fit into 6 bits, as per the table in
https://developer.arm.com/documentation/ddi0183/g/programmers-model/register-descriptions/fractional-baud-rate-register--uartfbrd
The only visible effects would be that the value read back from
the register by the guest would be truncated, and we would
print an incorrect baud rate in the debug logs.
Cc: [email protected]
Fixes: b88cfee90268 ("hw/char/pl011: Avoid division-by-zero in pl011_get_baudrate()")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2610
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Gavin Shan <[email protected]>
Message-id: [email protected]
(cherry picked from commit cd247eae16ab1b9ce97fd34c000c1b883feeda45)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 2787ca0e0abec57be2c2989520b7a19997b592f6
https://github.com/qemu/qemu/commit/2787ca0e0abec57be2c2989520b7a19997b592f6
Author: Marc-André Lureau <[email protected]>
Date: 2024-10-16 (Wed, 16 Oct 2024)
Changed paths:
M hw/audio/hda-codec.c
Log Message:
-----------
hw/audio/hda: free timer on exit
Fixes: 280c1e1cd ("audio/hda: create millisecond timers that handle IO")
Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit f27206ceedbe2efae37c8d143c5eb2db05251508)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 6d03242a7e47815ed56687ecd13f683d8da3f2fe
https://github.com/qemu/qemu/commit/6d03242a7e47815ed56687ecd13f683d8da3f2fe
Author: Marc-André Lureau <[email protected]>
Date: 2024-10-16 (Wed, 16 Oct 2024)
Changed paths:
M hw/audio/hda-codec.c
Log Message:
-----------
hw/audio/hda: fix memory leak on audio setup
When SET_STREAM_FORMAT is called, we should clear the existing setup.
Factor out common function to close a stream.
Direct leak of 144 byte(s) in 3 object(s) allocated from:
#0 0x7f91d38f7350 in calloc (/lib64/libasan.so.8+0xf7350) (BuildId:
a4ad7eb954b390cf00f07fa10952988a41d9fc7a)
#1 0x7f91d2ab7871 in g_malloc0 (/lib64/libglib-2.0.so.0+0x64871) (BuildId:
36b60dbd02e796145a982d0151ce37202ec05649)
#2 0x562fa2f447ee in timer_new_full
/home/elmarco/src/qemu/include/qemu/timer.h:538
#3 0x562fa2f4486f in timer_new
/home/elmarco/src/qemu/include/qemu/timer.h:559
#4 0x562fa2f448a9 in timer_new_ns
/home/elmarco/src/qemu/include/qemu/timer.h:577
#5 0x562fa2f47955 in hda_audio_setup ../hw/audio/hda-codec.c:490
#6 0x562fa2f4897e in hda_audio_command ../hw/audio/hda-codec.c:605
Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit 6d6e23361fc732e4fe36a8bc5873b85f264ed53a)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 9391f419c7ef5e180e42177ea9a662389a69bbbe
https://github.com/qemu/qemu/commit/9391f419c7ef5e180e42177ea9a662389a69bbbe
Author: Marc-André Lureau <[email protected]>
Date: 2024-10-16 (Wed, 16 Oct 2024)
Changed paths:
M ui/dbus-listener.c
Log Message:
-----------
ui/dbus: fix leak on message filtering
A filter function that wants to drop a message should return NULL, in
which case it must also unref the message itself.
Fixes: fa88b85de ("ui/dbus: filter out pending messages when scanout")
Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit 244d52ff736fefc3dd364ed091720aa896af306d)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: e1324ec9465efbd7ca95c4ad29d3d3cf102d05c3
https://github.com/qemu/qemu/commit/e1324ec9465efbd7ca95c4ad29d3d3cf102d05c3
Author: Marc-André Lureau <[email protected]>
Date: 2024-10-16 (Wed, 16 Oct 2024)
Changed paths:
M hw/display/virtio-gpu.c
M include/ui/qemu-pixman.h
M ui/console.c
M ui/qemu-pixman.c
Log Message:
-----------
ui/win32: fix potential use-after-free with dbus shared memory
DisplaySurface may be freed before the pixman image is freed, since the
image is refcounted and used by different objects, including pending
dbus messages.
Furthermore, setting the destroy function in
create_displaysurface_from() isn't appropriate, as it may not be used,
and may be overridden as in ramfb.
Set the destroy function when the shared handle is set, use the HANDLE
directly for destroy data, using a single common helper
qemu_pixman_win32_image_destroy().
Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit 330ef31deb2e5461cff907488b710f5bd9cd2327)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 01fff50626c2bffd7be1ce92e531852ea69372f3
https://github.com/qemu/qemu/commit/01fff50626c2bffd7be1ce92e531852ea69372f3
Author: Marc-André Lureau <[email protected]>
Date: 2024-10-16 (Wed, 16 Oct 2024)
Changed paths:
M ui/dbus-listener.c
Log Message:
-----------
ui/dbus: fix filtering all update messages
Filtering pending messages when a new scanout is given shouldn't discard
pending cursor changes, for example.
Since filtering happens in a different thread, use atomic set/get.
Fixes: fa88b85dea ("ui/dbus: filter out pending messages when scanout")
Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit cf59889781297a5618f1735a5f31402caa806b42)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 0ff5ab6f57a2427a3e83969b2e7dd71e04caae39
https://github.com/qemu/qemu/commit/0ff5ab6f57a2427a3e83969b2e7dd71e04caae39
Author: Michael Tokarev <[email protected]>
Date: 2024-10-18 (Fri, 18 Oct 2024)
Changed paths:
M VERSION
Log Message:
-----------
Update version for 9.1.1 release
Signed-off-by: Michael Tokarev <[email protected]>
Compare: https://github.com/qemu/qemu/compare/fd1952d814da...0ff5ab6f57a2