Branch: refs/heads/staging-7.2
Home: https://github.com/qemu/qemu
Commit: b401e48860d7aaf226b4db0d19531db1452b3880
https://github.com/qemu/qemu/commit/b401e48860d7aaf226b4db0d19531db1452b3880
Author: Paolo Bonzini <pbonz...@redhat.com>
Date: 2025-04-24 (Thu, 24 Apr 2025)
Changed paths:
M target/i386/hvf/x86_flags.c
Log Message:
-----------
target/i386/hvf: fix lflags_to_rflags
Clear the flags before adding in the ones computed from lflags.
Cc: Wei Liu <li...@linux.microsoft.com>
Cc: qemu-sta...@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
(cherry picked from commit 94a159f3dc737d00749cc930adaec112abe07b3c)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
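The defect the first commit describes, as an added example (not QEMU's hvf code; the lazy-flag struct and merge functions are a constructed toy model): OR-ing freshly computed arithmetic flags into a register that still holds bits from an earlier operation leaves stale bits set, so a guest can observe a carry that the last instruction never produced. The fix is to clear the arithmetic-flag bits before adding the computed ones.

```c
#include <stdint.h>
#include <stdbool.h>

/* Architectural x86 RFLAGS bit positions for the arithmetic flags. */
#define CC_C 0x0001u
#define CC_P 0x0004u
#define CC_A 0x0010u
#define CC_Z 0x0040u
#define CC_S 0x0080u
#define CC_O 0x0800u
#define CC_MASK (CC_C | CC_P | CC_A | CC_Z | CC_S | CC_O)

/* Toy "lazy flags": the last result and carry-out, from which the
 * arithmetic flags are recomputed on demand. Constructed for this
 * example; this is not QEMU's lflags layout. */
typedef struct {
    uint32_t result;   /* low 32 bits of the last result */
    bool carry;        /* carry-out of the last operation */
} lazy_flags;

static uint32_t flags_from_lazy(const lazy_flags *lf)
{
    uint32_t f = 0;
    if (lf->carry) f |= CC_C;
    if (lf->result == 0) f |= CC_Z;
    if (lf->result & 0x80000000u) f |= CC_S;
    return f; /* P, A and O are left out of the toy model */
}

/* Buggy: OR-ing in the new flags never clears bits left by an earlier op. */
static uint32_t rflags_merge_buggy(uint32_t rflags, const lazy_flags *lf)
{
    return rflags | flags_from_lazy(lf);
}

/* Fixed: clear the arithmetic-flag bits first, then add the computed ones.
 * Bits outside CC_MASK (IF, reserved bit 1, ...) are preserved. */
static uint32_t rflags_merge_fixed(uint32_t rflags, const lazy_flags *lf)
{
    return (rflags & ~CC_MASK) | flags_from_lazy(lf);
}

/* Two back-to-back operations: the first produces a carry, the second does
 * not. Returns the RFLAGS value the guest would see after the second one. */
static uint32_t merged_rflags(bool use_fix)
{
    uint32_t rflags = 0x202u; /* reserved bit 1 plus IF, as in a real guest */
    lazy_flags first  = { .result = 0xFFFFFFFFu, .carry = true };
    lazy_flags second = { .result = 1u, .carry = false };
    rflags = use_fix ? rflags_merge_fixed(rflags, &first)
                     : rflags_merge_buggy(rflags, &first);
    rflags = use_fix ? rflags_merge_fixed(rflags, &second)
                     : rflags_merge_buggy(rflags, &second);
    return rflags;
}
```

With the buggy merge the stale CF from the first operation survives into the second; with the fixed merge only the flags of the most recent operation remain, and non-arithmetic bits such as IF are untouched.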
Commit: 927d89739393257f6eaf02183a3672c6fc351932
https://github.com/qemu/qemu/commit/927d89739393257f6eaf02183a3672c6fc351932
Author: Richard Henderson <richard.hender...@linaro.org>
Date: 2025-04-24 (Thu, 24 Apr 2025)
Changed paths:
M target/avr/insn.decode
M target/avr/translate.c
Log Message:
-----------
target/avr: Improve decode of LDS, STS
The comment about not being able to define a field with
zero bits is out of date since 94597b6146f3
("decodetree: Allow !function with no input bits").
This fixes the missing load of imm in the disassembler.
Cc: qemu-sta...@nongnu.org
Fixes: 9d8caa67a24 ("target/avr: Add support for disassembling via option '-d in_asm'")
Reviewed-by: Pierrick Bouvier <pierrick.bouv...@linaro.org>
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
(cherry picked from commit 6b661b7ed7cd02c54a78426d5eb7dd8543b030ed)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 5f2fd50a7619b992db8e512c461921dba4a45df8
https://github.com/qemu/qemu/commit/5f2fd50a7619b992db8e512c461921dba4a45df8
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2025-05-08 (Thu, 08 May 2025)
Changed paths:
M target/arm/translate.c
Log Message:
-----------
target/arm: Don't assert() for ISB/SB inside IT block
If the guest code has an ISB or SB insn inside an IT block, we
generate incorrect code which trips a TCG assertion:
qemu-system-arm: ../tcg/tcg-op.c:3343: void tcg_gen_goto_tb(unsigned int):
Assertion `(tcg_ctx->goto_tb_issue_mask & (1 << idx)) == 0' failed.
This is because we call gen_goto_tb(dc, 1, ...) twice:
brcond_i32 ZF,$0x0,ne,$L1
add_i32 pc,pc,$0x4
goto_tb $0x1
exit_tb $0x73d948001b81
set_label $L1
add_i32 pc,pc,$0x4
goto_tb $0x1
exit_tb $0x73d948001b81
Both calls are in arm_tr_tb_stop(), one for the
DISAS_NEXT/DISAS_TOO_MANY handling, and one for the dc->condjump
condition-failed codepath. The DISAS_NEXT handling doesn't have this
problem because arm_post_translate_insn() does the handling of "emit
the label for the condition-failed conditional execution" and so
arm_tr_tb_stop() doesn't have dc->condjump set. But for
DISAS_TOO_MANY we don't do that.
Fix the bug by making arm_post_translate_insn() handle the
DISAS_TOO_MANY case. This only affects the SB and ISB insns when
used in Thumb mode inside an IT block: only these insns specifically
set is_jmp to TOO_MANY, and their A32 encodings are unconditional.
For the major TOO_MANY case (breaking the TB because it would cross a
page boundary) we do that check and set is_jmp to TOO_MANY only after
the call to arm_post_translate_insn(); so arm_post_translate_insn()
sees is_jmp == DISAS_NEXT, and we emit the correct code for that
situation.
With this fix we generate the somewhat more sensible set of TCG ops:
brcond_i32 ZF,$0x0,ne,$L1
set_label $L1
add_i32 pc,pc,$0x4
goto_tb $0x1
exit_tb $0x7c5434001b81
(NB: the TCG optimizer doesn't optimize out the jump-to-next, but
we can't really avoid emitting it because we don't know at the
point we're emitting the handling for the condexec check whether
this insn is going to happen to be a nop for us or not.)
Cc: qemu-sta...@nongnu.org
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2942
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Message-id: 20250501125544.727038-1-peter.mayd...@linaro.org
(cherry picked from commit 8ed7c0b6488a7f20318d6ba414f1cbcd0ed92afe)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 7e2ff77f73be14330f698d49a72a583848cf5562
https://github.com/qemu/qemu/commit/7e2ff77f73be14330f698d49a72a583848cf5562
Author: Bernhard Beschow <shen...@gmail.com>
Date: 2025-05-08 (Thu, 08 May 2025)
Changed paths:
M hw/gpio/imx_gpio.c
Log Message:
-----------
hw/gpio/imx_gpio: Fix interpretation of GDIR polarity
According to the i.MX 8M Plus reference manual, a GPIO pin is
configured as an output when the corresponding bit in the GDIR
register is set. The function imx_gpio_set_int_line() is intended to
be a no-op if the pin is configured as an output, returning early in
such cases. However, it inverts the condition. Fix this by
returning early when the bit is set.
Cc: qemu-sta...@nongnu.org
Fixes: f44272809779 ("i.MX: Add GPIO device")
Signed-off-by: Bernhard Beschow <shen...@gmail.com>
Message-id: 20250501183445.2389-4-shen...@gmail.com
Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
(cherry picked from commit eba837a31b9579e30cc6d7ecb4b5c2662a6ffaba)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 95dacfb15767bfaa0e22840d379434013de1fa75
https://github.com/qemu/qemu/commit/95dacfb15767bfaa0e22840d379434013de1fa75
Author: Bernhard Beschow <shen...@gmail.com>
Date: 2025-05-11 (Sun, 11 May 2025)
Changed paths:
M hw/i2c/imx_i2c.c
Log Message:
-----------
hw/i2c/imx: Always set interrupt status bit if interrupt condition occurs
According to the i.MX 8M Plus reference manual, the status flag
I2C_I2SR[IIF] continues to be set when an interrupt condition
occurs even when I2C interrupts are disabled (I2C_I2CR[IIEN] is
clear). However, the device model only sets the flag when I2C
interrupts are enabled which causes U-Boot to loop forever. Fix
the device model by always setting the flag and let I2C_I2CR[IIEN]
guard I2C interrupts only.
Also remove the comment in the code since it merely stated the
obvious and would be outdated now.
Cc: qemu-sta...@nongnu.org
Fixes: 20d0f9cf6a41 ("i.MX: Add I2C controller emulator")
Signed-off-by: Bernhard Beschow <shen...@gmail.com>
Acked-by: Corey Minyard <cminy...@mvista.com>
Message-ID: <20250507124040.425773-1-shen...@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <phi...@linaro.org>
(cherry picked from commit 54e54e594bc8273d210f7ff4448c165a989cbbe8)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
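The status-versus-enable distinction this commit fixes, as an added example (a constructed register model, not QEMU's imx_i2c device code): a hardware status flag records that a condition occurred regardless of whether the interrupt is enabled; the enable bit only gates the interrupt line. A model that sets the flag only when interrupts are enabled breaks firmware that polls the status register with interrupts off, which is the U-Boot hang described above.

```c
#include <stdbool.h>

/* Toy controller state, constructed for this example. */
typedef struct {
    bool iien;       /* I2C_I2CR[IIEN]: interrupt enable */
    bool iif;        /* I2C_I2SR[IIF]: interrupt pending status */
    bool irq_line;   /* level driven to the interrupt controller */
} i2c_model;

static void update_irq(i2c_model *m)
{
    /* The enable bit gates the line only; it must not gate the status bit. */
    m->irq_line = m->iif && m->iien;
}

/* Before the fix: the status flag was recorded only with interrupts enabled. */
static void raise_condition_buggy(i2c_model *m)
{
    if (m->iien) {
        m->iif = true;
    }
    update_irq(m);
}

/* After the fix: always set the status flag; IIEN guards the IRQ only. */
static void raise_condition_fixed(i2c_model *m)
{
    m->iif = true;
    update_irq(m);
}

/* A polling driver running with interrupts disabled: spin until IIF is set,
 * then clear it. Returns the number of polls needed, or -1 after max_polls,
 * which stands in for the "loops forever" symptom. */
static int poll_for_transfer_done(bool use_fix, int max_polls)
{
    i2c_model m = { .iien = false, .iif = false, .irq_line = false };
    if (use_fix) raise_condition_fixed(&m); else raise_condition_buggy(&m);
    for (int polls = 1; polls <= max_polls; polls++) {
        if (m.iif) {
            m.iif = false;      /* write-1-to-clear in the toy model */
            update_irq(&m);
            return polls;
        }
    }
    return -1;
}

/* With interrupts enabled, both variants must assert the line. */
static bool irq_asserted_when_enabled(bool use_fix)
{
    i2c_model m = { .iien = true, .iif = false, .irq_line = false };
    if (use_fix) raise_condition_fixed(&m); else raise_condition_buggy(&m);
    return m.irq_line;
}

/* With interrupts disabled, the fixed model records the status but keeps
 * the line quiet: status set, no interrupt delivered. */
static bool status_set_but_line_quiet_when_disabled(void)
{
    i2c_model m = { .iien = false, .iif = false, .irq_line = false };
    raise_condition_fixed(&m);
    return m.iif && !m.irq_line;
}
```

The same pattern applies to any emulated peripheral: status registers reflect the device's state, and enable registers decide only whether that state is signalled.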
Commit: 75cc804bc7eb5556edd3cc9aa9e9a3487f6a80d6
https://github.com/qemu/qemu/commit/75cc804bc7eb5556edd3cc9aa9e9a3487f6a80d6
Author: Christian Schoenebeck <qemu_...@crudebyte.com>
Date: 2025-05-12 (Mon, 12 May 2025)
Changed paths:
M hw/9pfs/9p.c
M hw/9pfs/9p.h
Log Message:
-----------
9pfs: fix concurrent v9fs_reclaim_fd() calls
Even though this function is serialized to be always called from main
thread, v9fs_reclaim_fd() is dispatching the coroutine to a worker thread
in between via its v9fs_co_*() calls, hence leading to the situation where
v9fs_reclaim_fd() is effectively executed multiple times simultaneously,
which renders its LRU algorithm useless and causes high latency.
Fix this by adding a simple boolean variable to ensure this function is
only called once at a time. No synchronization needed for this boolean
variable as this function is only entered and returned on main thread.
Fixes: 7a46274529c ('hw/9pfs: Add file descriptor reclaim support')
Signed-off-by: Christian Schoenebeck <qemu_...@crudebyte.com>
Reviewed-by: Greg Kurz <gr...@kaod.org>
Message-Id: <5c622067efd66dd4ee5eca740dcf263f41db20b2.1741339452.git.qemu_...@crudebyte.com>
(cherry picked from commit 61da38db70affd925226ce1e8a61d761c20d045b)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: cf303fefc974a8c6e876a33ab669eabbf7bf3d20
https://github.com/qemu/qemu/commit/cf303fefc974a8c6e876a33ab669eabbf7bf3d20
Author: Christian Schoenebeck <qemu_...@crudebyte.com>
Date: 2025-05-12 (Mon, 12 May 2025)
Changed paths:
M hw/9pfs/9p.c
Log Message:
-----------
9pfs: fix FD leak and reduce latency of v9fs_reclaim_fd()
This patch fixes two different bugs in v9fs_reclaim_fd():
1. Reduce latency:
This function calls v9fs_co_close() and v9fs_co_closedir() in a loop. Each
one of the calls adds two thread hops (between main thread and a fs driver
background thread). Each thread hop adds latency, which sums up in
function's loop to a significant duration.
Reduce overall latency by open coding what v9fs_co_close() and
v9fs_co_closedir() do, executing those and the loop itself altogether in
only one background thread block, hence reducing the total amount of
thread hops to only two.
2. Fix file descriptor leak:
The existing code called v9fs_co_close() and v9fs_co_closedir() to close
file descriptors. Both functions check right at the beginning if the 9p
request was cancelled:
    if (v9fs_request_cancelled(pdu)) {
        return -EINTR;
    }
So if client sent a 'Tflush' message, v9fs_co_close() / v9fs_co_closedir()
returned without having closed the file descriptor and v9fs_reclaim_fd()
subsequently freed the FID without its file descriptor being closed, hence
leaking those file descriptors.
This 2nd bug is fixed by this patch as well by open coding v9fs_co_close()
and v9fs_co_closedir() inside of v9fs_reclaim_fd() and not performing the
v9fs_request_cancelled(pdu) check there.
Fixes: 7a46274529c ('hw/9pfs: Add file descriptor reclaim support')
Fixes: bccacf6c792 ('hw/9pfs: Implement TFLUSH operation')
Signed-off-by: Christian Schoenebeck <qemu_...@crudebyte.com>
Reviewed-by: Greg Kurz <gr...@kaod.org>
Message-Id: <5747469d3f039c53147e850b456943a1d4b5485c.1741339452.git.qemu_...@crudebyte.com>
(cherry picked from commit 89f7b4da7662ecc6840ffb0846045f03f9714bc6)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
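The two 9pfs commits above, as one added example (a constructed file-table model, not QEMU's V9fsFidState or coroutine code): a reclaim loop that frees a fid after a close routine that bails out early on request cancellation orphans the host descriptor, and a reclaim function that can be re-entered while it is mid-loop defeats its own LRU bookkeeping. The fixed variant closes unconditionally and uses a single boolean guard against re-entry, as the commits describe. The `-1` return of `co_close_model` stands in for `-EINTR`.

```c
#include <stdbool.h>

/* Constructed server-side file table for this example. */
#define MAX_FIDS 8

typedef struct {
    bool in_use;   /* fid currently allocated to the client */
    int  fd;       /* host descriptor, or -1 if none */
} fid_entry;

typedef struct {
    fid_entry fids[MAX_FIDS];
    int open_host_fds;        /* what the host would see as open descriptors */
    bool reclaiming;          /* re-entry guard from the first fix */
    int reentries_refused;    /* how often the guard fired */
} server;

static void server_init(server *s, int nfids)
{
    *s = (server){0};
    for (int i = 0; i < nfids && i < MAX_FIDS; i++) {
        s->fids[i].in_use = true;
        s->fids[i].fd = 100 + i;   /* constructed fd numbers */
        s->open_host_fds++;
    }
}

/* Models v9fs_co_close() returning -EINTR when the request was flushed:
 * the descriptor is left open. Returns 0 when it actually closed. */
static int co_close_model(server *s, fid_entry *f, bool cancelled)
{
    if (cancelled) return -1;   /* -EINTR in the real code */
    s->open_host_fds--;
    f->fd = -1;
    return 0;
}

/* Buggy reclaim: frees the fid whether or not the close happened. */
static void reclaim_buggy(server *s, bool cancelled)
{
    for (int i = 0; i < MAX_FIDS; i++) {
        fid_entry *f = &s->fids[i];
        if (!f->in_use || f->fd < 0) continue;
        (void)co_close_model(s, f, cancelled);
        f->in_use = false;      /* fid freed; fd leaks if close bailed out */
    }
}

/* Fixed reclaim: refuse re-entry while a pass is running, and close
 * unconditionally so freeing the fid never orphans its descriptor. */
static void reclaim_fixed(server *s, bool cancelled)
{
    (void)cancelled;            /* cancellation no longer skips the close */
    if (s->reclaiming) {
        s->reentries_refused++;
        return;
    }
    s->reclaiming = true;
    for (int i = 0; i < MAX_FIDS; i++) {
        fid_entry *f = &s->fids[i];
        if (!f->in_use || f->fd < 0) continue;
        (void)co_close_model(s, f, false);
        f->in_use = false;
    }
    s->reclaiming = false;
}

/* Run one reclaim pass while a Tflush has cancelled the request; return how
 * many host descriptors remain open although no fid refers to them. */
static int leaked_fds_after_reclaim(bool use_fix)
{
    server s;
    server_init(&s, 4);
    if (use_fix) reclaim_fixed(&s, true); else reclaim_buggy(&s, true);
    return s.open_host_fds;
}

/* Simulate the second dispatch arriving while the first pass is still in its
 * worker-thread hop: the guard must refuse it and leave the table untouched. */
static int refusals_when_reentered(void)
{
    server s;
    server_init(&s, 4);
    s.reclaiming = true;        /* first pass is "in flight" */
    reclaim_fixed(&s, false);
    return s.open_host_fds == 4 ? s.reentries_refused : -1;
}
```

The leak matters operationally because it is driven by the client: every cancelled request during reclaim costs the host one descriptor, so watching the process's open-fd count under 9p load is a cheap way to spot this class of bug.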
Commit: ce1431615292dc735597db4062834bfb271381bc
https://github.com/qemu/qemu/commit/ce1431615292dc735597db4062834bfb271381bc
Author: Akihiko Odaki <akihiko.od...@daynix.com>
Date: 2025-05-16 (Fri, 16 May 2025)
Changed paths:
M hw/virtio/virtio.c
Log Message:
-----------
virtio: Call set_features during reset
virtio-net expects set_features() will be called when the feature set
used by the guest changes to update the number of virtqueues but it is
not called during reset, which will clear all features, leaving the
queues added for VIRTIO_NET_F_MQ or VIRTIO_NET_F_RSS. Not only are these
extra queues visible to the guest, they will cause a segmentation
fault during migration.
Call set_features() during reset to remove those queues for virtio-net
as we call set_status(). It will also prevent similar bugs for
virtio-net and other devices in the future.
Fixes: f9d6dbf0bf6e ("virtio-net: remove virtio queues if the guest doesn't support multiqueue")
Buglink: https://issues.redhat.com/browse/RHEL-73842
Cc: qemu-sta...@nongnu.org
Signed-off-by: Akihiko Odaki <akihiko.od...@daynix.com>
Message-Id: <20250421-reset-v2-1-e4c1ead88...@daynix.com>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit 0caed25cd171c611781589b5402161d27d57229c)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 5fee5c68229da7ee259d8430603867a2104d2f76
https://github.com/qemu/qemu/commit/5fee5c68229da7ee259d8430603867a2104d2f76
Author: Icenowy Zheng <u...@icenowy.me>
Date: 2025-05-20 (Tue, 20 May 2025)
Changed paths:
M common-user/host/riscv/safe-syscall.inc.S
Log Message:
-----------
common-user/host/riscv: use tail pseudoinstruction for calling tail
The j pseudoinstruction maps to a JAL instruction, which can only handle
a jump to somewhere with a signed 20-bit destination. In case of static
linking and LTO'ing this easily leads to a "relocation truncated to fit"
error.
Switch to the tail pseudoinstruction, which is the standard way to
tail-call a function in the medium code model (emits AUIPC+JALR).
Signed-off-by: Icenowy Zheng <u...@icenowy.me>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Message-ID: <20250417072206.364008-1-...@icenowy.me>
Signed-off-by: Alistair Francis <alistair.fran...@wdc.com>
Cc: qemu-sta...@nongnu.org
(cherry picked from commit 22b448ccc6611a59d4aa54419f4d88c1f343cb35)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Commit: 700e6e768af0b5ff91613bf528f00334f10e1b89
https://github.com/qemu/qemu/commit/700e6e768af0b5ff91613bf528f00334f10e1b89
Author: Zhao Liu <zhao1....@intel.com>
Date: 2025-05-22 (Thu, 22 May 2025)
Changed paths:
M qapi/misc-target.json
Log Message:
-----------
qapi/misc-target: Fix the doc to distinguish query-sgx and query-sgx-capabilities
There are 2 QMP commands: query-sgx and query-sgx-capabilities, but
their outputs are very similar and the documentation lacks clear
differentiation.
From the code, query-sgx is used to gather the guest's SGX capabilities
(including SGX related CPUIDs and EPC sections' size, in SGXInfo), and
if the guest doesn't have SGX, then QEMU will report an error message.
On the other hand, query-sgx-capabilities is used to gather the host's SGX
capabilities (described by SGXInfo as well). And if the host doesn't
support SGX, then QEMU will also report an error message.
Considering that SGXInfo is already documented and both of these 2 commands
have enough error messages (for the exception cases in their code),
the QAPI documentation for these two commands only needs to
emphasize that one of them applies to the guest and the other to the
host.
Fix their documentation to reflect this difference.
Reported-by: Markus Armbruster <arm...@redhat.com>
Suggested-by: Paolo Bonzini <pbonz...@redhat.com>
Signed-off-by: Zhao Liu <zhao1....@intel.com>
Acked-by: Markus Armbruster <arm...@redhat.com>
Link: https://lore.kernel.org/r/20250513143131.2008078-3-zhao1....@intel.com
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
(cherry picked from commit 7f2131c35c1781ca41c62dc26fd93282e1351323)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
Compare: https://github.com/qemu/qemu/compare/d2d2524b48df...700e6e768af0