Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 8608ed356ef90815cc5bcf04fcdbde987fd24bca
      
https://github.com/qemu/qemu/commit/8608ed356ef90815cc5bcf04fcdbde987fd24bca
  Author: Kuan-Wei Chiu <[email protected]>
  Date:   2026-02-22 (Sun, 22 Feb 2026)

  Changed paths:
    M hw/misc/virt_ctrl.c

  Log Message:
  -----------
  hw/misc/virt_ctrl: Fix incorrect trace event in read operation

The virt_ctrl_read() function currently invokes trace_virt_ctrl_write()
instead of trace_virt_ctrl_read(). This results in read operations
appearing as write operations in the trace output, which is misleading
during debugging and analysis.

Replace the incorrect trace call with the proper read-specific trace
event to accurately reflect the hardware behavior.

Fixes: 0791bc02b8fb ("m68k: add a system controller")
Signed-off-by: Kuan-Wei Chiu <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>


  Commit: 2622a178b6a7c9425f00d28a3b6543375f365308
      
https://github.com/qemu/qemu/commit/2622a178b6a7c9425f00d28a3b6543375f365308
  Author: Philippe Mathieu-Daudé <[email protected]>
  Date:   2026-02-22 (Sun, 22 Feb 2026)

  Changed paths:
    M include/hw/virtio/virtio.h

  Log Message:
  -----------
  hw/virtio: Constify virtio_is_big_endian() argument

The VirtIODevice argument is accessed read-only, so make it const.

Signed-off-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Message-ID: <[email protected]>


  Commit: 6325407f67d279801b59bbde113fe6cfe6623b83
      
https://github.com/qemu/qemu/commit/6325407f67d279801b59bbde113fe6cfe6623b83
  Author: Pierrick Bouvier <[email protected]>
  Date:   2026-02-22 (Sun, 22 Feb 2026)

  Changed paths:
    M hw/net/virtio-net.c
    M hw/virtio/vhost.c
    M hw/virtio/virtio-pci.c
    M include/hw/virtio/virtio-access.h
    M include/hw/virtio/virtio.h

  Log Message:
  -----------
  hw/virtio: rename virtio_is_big_endian to virtio_vdev_is_big_endian

Renaming this function removes the confusion with
existing virtio_is_big_endian cpu ops.

Indeed, virtio_vdev_is_big_endian is *not* calling the cpu
virtio_is_big_endian every time.

Signed-off-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>


  Commit: 730d049c4b65646cb9fbfd789505d985859e83b6
      
https://github.com/qemu/qemu/commit/730d049c4b65646cb9fbfd789505d985859e83b6
  Author: Philippe Mathieu-Daudé <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M hw/char/virtio-serial-bus.c

  Log Message:
  -----------
  hw/char/virtio-serial-bus: Fix Heap-buffer-overflow in set_config()

When removing the 'emergency-write' property in commit d0660e5b7fc
we neglected to remove the code reducing the virtio_console_config
structure size, allowing access up to the unallocated 'emerg_wr'
field.

This can be reproduced by running:

  $ cat << EOF | qemu-system-i386 -nodefaults \
                     -machine q35 -m 512M \
                     -device virtio-serial \
                     -display none \
                     -machine accel=qtest -qtest stdio
  outl 0xcf8 0x80000810
  outl 0xcfc 0xc000
  outl 0xcf8 0x80000804
  outw 0xcfc 0x01
  outl 0xc014 0x00
  EOF
  ==3210206==ERROR: AddressSanitizer: heap-buffer-overflow
      on address 0x502000090858 at pc 0x5638f1300a9b bp 0x7fff6b525b80 sp 0x7fff6b525b70
  READ of size 4 at 0x502000090858 thread T0
      #0 0x5638f1300a9a in set_config hw/char/virtio-serial-bus.c:590
      #1 0x5638f0bccdcf in virtio_config_writel hw/virtio/virtio-config-io.c:104
      #2 0x5638f0bd0c89 in virtio_pci_config_write hw/virtio/virtio-pci.c:637
      #3 0x5638f0cf90cf in memory_region_write_accessor system/memory.c:491
      #4 0x5638f0cf975b in access_with_adjusted_size system/memory.c:567
      #5 0x5638f0d01d3f in memory_region_dispatch_write system/memory.c:1547
      #6 0x5638f0d2fa1e in address_space_stm_internal system/memory_ldst.c.inc:85
      #7 0x5638f0d30013 in address_space_stl_le system/memory_ldst_endian.c.inc:53
      #8 0x5638f0ceb568 in cpu_outl system/ioport.c:79
      #9 0x5638f0d3c0f9 in qtest_process_command system/qtest.c:483

  0x502000090858 is located 0 bytes to the right of 8-byte region [0x502000090850,0x502000090858)
  allocated by thread T0 here:
      #0 0x7f0dc32cba57 in __interceptor_calloc src/libsanitizer/asan/asan_malloc_linux.cpp:154
      #1 0x7f0dc2382c50 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ec50)
      #2 0x5638f1303c27 in virtio_serial_device_realize hw/char/virtio-serial-bus.c:1046
      #3 0x5638f1396a9c in virtio_device_realize hw/virtio/virtio.c:4053
      #4 0x5638f13ea370 in device_set_realized hw/core/qdev.c:523
      #5 0x5638f13fdaf6 in property_set_bool qom/object.c:2376
      #6 0x5638f13f9098 in object_property_set qom/object.c:1450
      #7 0x5638f140283c in object_property_set_qobject qom/qom-qobject.c:28
      #8 0x5638f13f9616 in object_property_set_bool qom/object.c:1520
      #9 0x5638f13e91cc in qdev_realize hw/core/qdev.c:276
      #10 0x5638f0c3d94b in virtio_serial_pci_realize hw/virtio/virtio-serial-pci.c:69
      #11 0x5638f0bda886 in virtio_pci_realize hw/virtio/virtio-pci.c:2351
      #12 0x5638f09bc2ae in pci_qdev_realize hw/pci/pci.c:2310
      #13 0x5638f0bdb2f2 in virtio_pci_dc_realize hw/virtio/virtio-pci.c:2473
      #14 0x5638f13ea370 in device_set_realized hw/core/qdev.c:523

    SUMMARY: AddressSanitizer: heap-buffer-overflow hw/char/virtio-serial-bus.c:590 in set_config

Fixes: d0660e5b7fc ("hw/char/virtio-serial: Do not expose the 'emergency-write' property")
Reported-by: Alexander Bulekov <[email protected]>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3303
Buglink: https://issues.oss-fuzz.com/issues/484647006
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Tested-by: Alexander Bulekov <[email protected]>
Message-Id: <[email protected]>
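
As an added illustration (not QEMU's code) of the bug above and the guard that rules out the class: the virtio_console_config layout follows the VIRTIO specification, and the 12-byte struct versus the 8-byte allocation matches the ASan report; console_dev, set_config() and config_range_ok() are hypothetical.

```c
/*
 * Added illustration, not QEMU's own code. The struct below follows the
 * VIRTIO specification; the device model around it is hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct virtio_console_config {
    uint16_t cols;
    uint16_t rows;
    uint32_t max_nr_ports;
    uint32_t emerg_wr;      /* offset 8: only exposed with 'emergency-write' */
};

/* Hypothetical device: config_len is what was really allocated (8 bytes
 * once 'emergency-write' was dropped, matching the 8-byte ASan region). */
struct console_dev {
    unsigned char *config;
    size_t config_len;
    int emerg_wr_seen;
    uint32_t last_emerg_wr;
};

static struct console_dev *console_dev_new(size_t config_len)
{
    struct console_dev *dev = calloc(1, sizeof(*dev));
    if (!dev) {
        return NULL;
    }
    dev->config = calloc(1, config_len);
    if (!dev->config) {
        free(dev);
        return NULL;
    }
    dev->config_len = config_len;
    return dev;
}

static void console_dev_free(struct console_dev *dev)
{
    free(dev->config);
    free(dev);
}

/* True when [off, off + len) lies entirely inside the allocated config. */
static int config_range_ok(const struct console_dev *dev, size_t off, size_t len)
{
    return off <= dev->config_len && len <= dev->config_len - off;
}

#define CONFIG_FIELD_PRESENT(dev, field)                                   \
    config_range_ok((dev), offsetof(struct virtio_console_config, field),  \
                    sizeof(((struct virtio_console_config *)0)->field))

/*
 * Guest writes len bytes at config offset addr. The original bug was the
 * read of cfg->emerg_wr after the write: the struct says the field exists,
 * but the allocation stopped at 8 bytes. Gate every field access on the
 * allocated length, not on the struct definition.
 * Returns 0 on success, -1 when the write itself is out of bounds.
 */
static int set_config(struct console_dev *dev, size_t addr,
                      const void *data, size_t len)
{
    if (!config_range_ok(dev, addr, len)) {
        return -1;
    }
    memcpy(dev->config + addr, data, len);

    if (CONFIG_FIELD_PRESENT(dev, emerg_wr)) {
        uint32_t v;
        memcpy(&v, dev->config + offsetof(struct virtio_console_config, emerg_wr),
               sizeof(v));
        dev->emerg_wr_seen = 1;
        dev->last_emerg_wr = v;
    }
    return 0;
}
```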


  Commit: 10b63551b623ba9c22f6796aea4f6837fb579d76
      
https://github.com/qemu/qemu/commit/10b63551b623ba9c22f6796aea4f6837fb579d76
  Author: Philippe Mathieu-Daudé <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M hw/display/macfb.c

  Log Message:
  -----------
  hw/display/macfb: Constify macfb_sense_table[] array

macfb_sense_table[] is only read, never updated, so it can be const.

Update the single call site, macfb_sense_read().

Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Mark Cave-Ayland <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-Id: <[email protected]>


  Commit: ee567616072e2b9861e8fc67921ad30612bcaf47
      
https://github.com/qemu/qemu/commit/ee567616072e2b9861e8fc67921ad30612bcaf47
  Author: Philippe Mathieu-Daudé <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M hw/display/macfb.c
    M hw/m68k/q800.c
    M include/hw/display/macfb.h

  Log Message:
  -----------
  hw/display/macfb: Constify macfb_mode_table[] array

macfb_mode_table[] is only read, never updated, so it can be const.

Update the call sites accordingly.
Make the MacfbState::mode field a pointer to const.

Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Mark Cave-Ayland <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-Id: <[email protected]>


  Commit: 3445dd26ecbd7a731f73e586dae3410a24b576d1
      
https://github.com/qemu/qemu/commit/3445dd26ecbd7a731f73e586dae3410a24b576d1
  Author: Philippe Mathieu-Daudé <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M hw/m68k/q800.c

  Log Message:
  -----------
  hw/m68k/q800: Use MacFbMode fields in q800_machine_init()

Once the Mac Frame Buffer device is realized on the NuBus,
its MacFbMode might differ from the graphic_depth and
graphic_width globals. Prefer the device MacFbMode fields
to initialize the BootInfo structure.

Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Mark Cave-Ayland <[email protected]>
Message-Id: <[email protected]>


  Commit: 6c72922fe53851ba3f109b0b0f2312e0df9d5c5a
      
https://github.com/qemu/qemu/commit/6c72922fe53851ba3f109b0b0f2312e0df9d5c5a
  Author: Philippe Mathieu-Daudé <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M hw/display/macfb.c
    M hw/m68k/q800.c

  Log Message:
  -----------
  hw/m68k/q800: Set MACFB_DISPLAY_APPLE_21_COLOR within MacFrameBuffer

The MACFB_DISPLAY_APPLE_21_COLOR mode is not specific to the Q800
machine. Check and set it once in the MacFB DeviceRealize handler.

No need to explicitly set the MACFB_DISPLAY_VGA mode since this is
the default value.

Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Mark Cave-Ayland <[email protected]>
Message-Id: <[email protected]>


  Commit: 7207a9c3a95a240585e21d08ecc88a6b6ce62faf
      
https://github.com/qemu/qemu/commit/7207a9c3a95a240585e21d08ecc88a6b6ce62faf
  Author: Philippe Mathieu-Daudé <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M hw/m68k/q800.c
    M system/globals-target.c

  Log Message:
  -----------
  hw/m68k: Set graphic display dimensions generically

If a dimension is not set, have the machine init code
(q800_machine_init) set the default values.

Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Mark Cave-Ayland <[email protected]>
Message-Id: <[email protected]>


  Commit: 37ad735f6b4ebdaaa952927ab9f96c9b857b7785
      
https://github.com/qemu/qemu/commit/37ad735f6b4ebdaaa952927ab9f96c9b857b7785
  Author: Philippe Mathieu-Daudé <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M hw/sparc/sun4m.c
    M hw/sparc64/sun4u.c
    M system/globals-target.c

  Log Message:
  -----------
  hw/sparc: Set graphic display dimensions generically

If a dimension is not set, have the machine init code
set the default values.

Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Mark Cave-Ayland <[email protected]>
Message-Id: <[email protected]>


  Commit: af2f0774cc43fc3055f8e90a50163095d3cdf998
      
https://github.com/qemu/qemu/commit/af2f0774cc43fc3055f8e90a50163095d3cdf998
  Author: Philippe Mathieu-Daudé <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M hw/ppc/mac_newworld.c
    M hw/ppc/mac_oldworld.c
    M hw/ppc/prep.c
    M hw/ppc/spapr.c
    M system/globals-target.c

  Log Message:
  -----------
  hw/ppc: Set graphic display dimensions generically

If a dimension is not set, have the machine init code set
the default values.

Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-Id: <[email protected]>


  Commit: 32a38529c46e84c22b8d00dc26917f4695a416c3
      
https://github.com/qemu/qemu/commit/32a38529c46e84c22b8d00dc26917f4695a416c3
  Author: Philippe Mathieu-Daudé <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    R system/globals-target.c
    M system/globals.c
    M system/meson.build

  Log Message:
  -----------
  system/globals: Build as common code

Now that all targets have the graphic dimension variables
initialized the same way, we can move them to the common
file unit, having them built once. Remove the now empty
globals-target.c file. The command line '-g WxH[xD]' option
is not changed and behaves the same.

Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-Id: <[email protected]>


  Commit: fe25b9213ca36074f038a5ad8a3c1474f69eb632
      
https://github.com/qemu/qemu/commit/fe25b9213ca36074f038a5ad8a3c1474f69eb632
  Author: Pierrick Bouvier <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M include/hw/ppc/spapr.h
    A include/hw/ppc/spapr_common.h

  Log Message:
  -----------
  hw/ppc/spapr: extract SPAPR_MAX_RAM_SLOTS in a new header

Allow including it from common code (vhost-user, in the next commit),
otherwise it pulls in ppc/cpu.h, which has target specifics.

Signed-off-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Tested-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>


  Commit: 029125efe47d977ccc2684921a7400b42d644090
      
https://github.com/qemu/qemu/commit/029125efe47d977ccc2684921a7400b42d644090
  Author: Alex Bennée <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M hw/alpha/dp264.c

  Log Message:
  -----------
  hw/alpha: remove unused includes

Signed-off-by: Alex Bennée <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>


  Commit: 703bc80f553f19993eaaee249f53386d38f42122
      
https://github.com/qemu/qemu/commit/703bc80f553f19993eaaee249f53386d38f42122
  Author: Alex Bennée <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M include/hw/core/cpu.h

  Log Message:
  -----------
  hw/core/cpu: expand cpu_reset function docs

Add a hint to the developer that this should only be called from a
reset chain.

Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Alex Bennée <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>


  Commit: fa084473179a17b7baf92d47d7171386bfbd35eb
      
https://github.com/qemu/qemu/commit/fa084473179a17b7baf92d47d7171386bfbd35eb
  Author: BALATON Zoltan <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M hw/net/rtl8139.c

  Log Message:
  -----------
  hw/net/rtl8139: Remove ineffective parameter

The do_interrupt parameter for rtl8139_do_receive was originally added
in commit 6cadb320c7 to avoid generating an interrupt when receiving in
loopback mode. Later commit 5311fb805a changed this so that the
parameter became ineffective, and now it is unused and
always 1. If this turns out to be a problem, maybe there's a better way
to fix it, so remove the do_interrupt parameter for now to simplify
the code.

Signed-off-by: BALATON Zoltan <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>


  Commit: 387ee5d2be300b104c317aa7f86a4c24652c6f3e
      
https://github.com/qemu/qemu/commit/387ee5d2be300b104c317aa7f86a4c24652c6f3e
  Author: Peter Maydell <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M hw/net/rocker/rocker_of_dpa.c

  Log Message:
  -----------
  hw/net/rocker: Don't keep pointer to h_proto as uint16_t* in OfDpaFlowPktFields

In rocker_of_dpa.c we assume that the h_proto field in an eth_header
struct is aligned, and we copy its address into a uint16_t* in the
OfDpaFlowPktFields struct which we then dereference later.  This
isn't a safe assumption; it will also result in compilation failures
with gcc if we mark the eth_header struct as QEMU_PACKED because gcc
will not let you take the address of an unaligned struct field.

Make the h_proto field in OfDpaFlowPktFields a void*, and make all
the places where we previously read through that pointer instead use
a new accessor function which allows for the possible lack of
alignment.

(Compare commit 5814c084679
"hw/net/virtio-net.c: Don't assume IP length field is aligned"
which fixed a similar problem elsewhere for an ip_header field.)

Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>


  Commit: 3609630e7910f04a007e48e4520c04fbb942658e
      
https://github.com/qemu/qemu/commit/3609630e7910f04a007e48e4520c04fbb942658e
  Author: Peter Maydell <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M net/eth.c

  Log Message:
  -----------
  hw/net/rocker: Don't assume h_proto is aligned in eth_strip_vlan_ex()

In eth_strip_vlan_ex() we take a pointer to the eth_header h_proto
field into a local uint16_t* variable, and then later in the function
we dereference that pointer.  This isn't safe, because the eth_header
struct may not be aligned, and if we mark the struct as QEMU_PACKED
then gcc will complain about taking the address of a field in a
packed struct.

Instead, make the local variable be a void* and use the appropriate
functions for accessing 16 bits of possibly unaligned data through
it.

Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>


  Commit: 42ada5daf959bc60beb4b4335dfbdc9eb8ee9b41
      
https://github.com/qemu/qemu/commit/42ada5daf959bc60beb4b4335dfbdc9eb8ee9b41
  Author: Peter Maydell <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M include/net/eth.h

  Log Message:
  -----------
  net: mark struct eth_header as QEMU_PACKED

The eth_header is not actually guaranteed to be aligned.  We attempt
to deal with this in some places such as net_checksum_calculate() by
using lduw_be_p() and so on to access the fields, but this is not
sufficient to be correct, because even accessing a byte member within
a misaligned struct is undefined behaviour.  The clang sanitizer will
emit an error like this if you run the sifive_u_mmc functional test
with sanitizers enabled:

../../net/checksum.c:78:47: runtime error: member access within misaligned address 0x561f52f35011 for type 'struct eth_header', which requires 2 byte alignment
0x561f52f35011: note: pointer points here
 00 00 00  00 33 33 00 00 00 16 52  54 00 12 34 56 86 dd 60  00 00 00 00 24 00 01 00  00 00 00 00 00
              ^
    #0 0x561f20608459 in net_checksum_calculate /home/pm215/qemu/build/clang/../../net/checksum.c:78:47
    #1 0x561f20117bfa in gem_transmit /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1386:21
    #2 0x561f20115c61 in gem_write /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1650:13

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../net/checksum.c:78:47

Fix this by marking the eth_header struct as QEMU_PACKED, so that the
compiler knows it might be unaligned and will generate the right code
for accessing fields.

This is similar to commit f8b94b4c520 ("net: mark struct ip_header as
QEMU_PACKED") where we fixed this for a different struct defined in
this file.

Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>


  Commit: 2ca81b0eb3249f66efba6707cc9d6577830e2329
      
https://github.com/qemu/qemu/commit/2ca81b0eb3249f66efba6707cc9d6577830e2329
  Author: Peter Maydell <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M include/net/eth.h

  Log Message:
  -----------
  net: mark struct udp_header as QEMU_PACKED

The eth_header is not actually guaranteed to be aligned.  We attempt
to deal with this in some places such as net_checksum_calculate() by
using lduw_be_p() and so on to access the fields, but this is not
sufficient to be correct, because even accessing a byte member within
a misaligned struct is undefined behaviour.  The clang sanitizer will
emit an error like this if you run the sifive_u_mmc functional test
with sanitizers enabled:

../../net/checksum.c:168:24: runtime error: member access within misaligned address 0x5b7a7f829033 for type 'udp_header' (aka 'struct udp_header'), which requires 2 byte alignment
0x5b7a7f829033: note: pointer points here
 ff  ff ff ff 00 44 00 43 01  34 58 54 01 01 06 00 85  95 80 60 00 00 00 00 00  00 00 00 00 00 00 00
              ^
    #0 0x5b7a71a5887e in net_checksum_calculate /home/pm215/qemu/build/clang/../../net/checksum.c:168:24
    #1 0x5b7a7156819a in gem_transmit /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1386:21
    #2 0x5b7a71566201 in gem_write /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1650:13

Fix this by marking the udp_header struct as QEMU_PACKED,
so that the compiler knows it might be unaligned and will
generate the right code for accessing fields.

Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>


  Commit: 7de8587b5317f0bb5f839e2f55855d6c9ee62835
      
https://github.com/qemu/qemu/commit/7de8587b5317f0bb5f839e2f55855d6c9ee62835
  Author: Peter Maydell <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M include/net/eth.h

  Log Message:
  -----------
  net: mark struct tcp_header as QEMU_PACKED

The eth_header is not actually guaranteed to be aligned.  We attempt
to deal with this in some places such as net_checksum_calculate() by
using lduw_be_p() and so on to access the fields, but this is not
sufficient to be correct, because even accessing a byte member within
a misaligned struct is undefined behaviour.  The clang sanitizer will
emit an error like this if you run the sifive_u_mmc functional test
with sanitizers enabled:

../../net/checksum.c:144:24: runtime error: member access within misaligned address 0x619a74c32033 for type 'tcp_header' (aka 'struct tcp_header'), which requires 4 byte alignment
0x619a74c32033: note: pointer points here
 0a  00 02 02 86 aa 00 16 52  c1 d3 70 00 00 00 00 a0  02 fa f0 00 00 00 00 02  04 05 b4 04 02 08 0a
              ^
    #0 0x619a6ba84794 in net_checksum_calculate /home/pm215/qemu/build/clang/../../net/checksum.c:144:24
    #1 0x619a6b5940da in gem_transmit /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1386:21
    #2 0x619a6b592141 in gem_write /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1650:13

Fix this by marking the tcp_header struct as QEMU_PACKED.

Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
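
Added example (not QEMU's code) for the alignment series above, from the rocker h_proto accessor through the QEMU_PACKED headers: a packed eth_header, an unaligned-safe big-endian load standing in for lduw_be_p(), and a VLAN-aware EtherType decoder in the spirit of eth_strip_vlan_ex(). The Ethernet header bytes are taken from the eth_header sanitizer dump; the odd pad byte, the tagged frame, load_be16() and eth_inner_proto() are constructed.

```c
/*
 * Added illustration, not QEMU's own code. load_be16() and eth_proto_of()
 * are hypothetical stand-ins for lduw_be_p() and the accessor added to
 * rocker_of_dpa.c; frame bytes are constructed for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_P_VLAN 0x8100

/* Without the packed attribute, forming an eth_header* to an odd address is
 * already undefined behaviour (UBSan: "member access within misaligned
 * address ... requires 2 byte alignment"). With it, the compiler emits
 * byte-wise or unaligned-tolerant loads for every field access. */
struct eth_header {
    uint8_t  h_dest[6];
    uint8_t  h_source[6];
    uint16_t h_proto;
} __attribute__((packed));

/* Big-endian 16-bit load from an arbitrarily aligned pointer: memcpy lets
 * the compiler pick a safe instruction sequence; no uint16_t* is formed. */
static uint16_t load_be16(const void *p)
{
    uint8_t b[2];
    memcpy(b, p, sizeof(b));
    return (uint16_t)((b[0] << 8) | b[1]);
}

/* Accessor in the spirit of the rocker fix: keep a void* to the field and
 * decode through it, never a uint16_t* that promises alignment. */
static uint16_t eth_proto_of(const void *frame)
{
    const void *proto_p =
        (const uint8_t *)frame + offsetof(struct eth_header, h_proto);
    return load_be16(proto_p);
}

/* If the frame carries an 802.1Q tag, return the inner EtherType and store
 * the tag control information in *tci; otherwise return h_proto and leave
 * *tci untouched. Returns 0 for a frame too short to decode. */
static uint16_t eth_inner_proto(const void *frame, size_t len, uint16_t *tci)
{
    uint16_t proto;
    if (len < sizeof(struct eth_header)) {
        return 0;                       /* truncated: nothing to decode */
    }
    proto = eth_proto_of(frame);
    if (proto == ETH_P_VLAN) {
        const uint8_t *tag = (const uint8_t *)frame + sizeof(struct eth_header);
        if (len < sizeof(struct eth_header) + 4) {
            return 0;                   /* tag header cut short */
        }
        *tci = load_be16(tag);
        proto = load_be16(tag + 2);
    }
    return proto;
}

/* Constructed frames, placed at an odd offset inside a larger buffer, as a
 * packet in a receive ring might be. Header bytes follow the UBSan dump. */
static const uint8_t untagged_buf[] = {
    0xaa,                                       /* 1 pad byte -> misaligned */
    0x33, 0x33, 0x00, 0x00, 0x00, 0x16,         /* h_dest */
    0x52, 0x54, 0x00, 0x12, 0x34, 0x56,         /* h_source */
    0x86, 0xdd,                                 /* h_proto = IPv6 */
    0x60, 0x00, 0x00, 0x00                      /* start of IPv6 header */
};
static const uint8_t tagged_buf[] = {
    0xaa,
    0x33, 0x33, 0x00, 0x00, 0x00, 0x16,
    0x52, 0x54, 0x00, 0x12, 0x34, 0x56,
    0x81, 0x00,                                 /* h_proto = 802.1Q */
    0x20, 0x64,                                 /* TCI: PCP 1, VID 100 */
    0x86, 0xdd,                                 /* inner EtherType = IPv6 */
    0x60, 0x00, 0x00, 0x00
};

static uint16_t demo_untagged(uint16_t *tci)
{
    return eth_inner_proto(untagged_buf + 1, sizeof(untagged_buf) - 1, tci);
}

static uint16_t demo_tagged(uint16_t *tci)
{
    return eth_inner_proto(tagged_buf + 1, sizeof(tagged_buf) - 1, tci);
}
```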


  Commit: a6ec632dca8c7d10743aff29345e5e9e5324228b
      
https://github.com/qemu/qemu/commit/a6ec632dca8c7d10743aff29345e5e9e5324228b
  Author: Peter Maydell <[email protected]>
  Date:   2026-02-23 (Mon, 23 Feb 2026)

  Changed paths:
    M hw/alpha/dp264.c
    M hw/char/virtio-serial-bus.c
    M hw/display/macfb.c
    M hw/m68k/q800.c
    M hw/misc/virt_ctrl.c
    M hw/net/rocker/rocker_of_dpa.c
    M hw/net/rtl8139.c
    M hw/net/virtio-net.c
    M hw/ppc/mac_newworld.c
    M hw/ppc/mac_oldworld.c
    M hw/ppc/prep.c
    M hw/ppc/spapr.c
    M hw/sparc/sun4m.c
    M hw/sparc64/sun4u.c
    M hw/virtio/vhost.c
    M hw/virtio/virtio-pci.c
    M include/hw/core/cpu.h
    M include/hw/display/macfb.h
    M include/hw/ppc/spapr.h
    A include/hw/ppc/spapr_common.h
    M include/hw/virtio/virtio-access.h
    M include/hw/virtio/virtio.h
    M include/net/eth.h
    M net/eth.c
    R system/globals-target.c
    M system/globals.c
    M system/meson.build

  Log Message:
  -----------
  Merge tag 'hw-misc-20260223' of https://github.com/philmd/qemu into staging

Misc HW & Net patches

- Fix trace event name in m68k system controller
- Constify and rename virtio_is_big_endian()
- Fix heap buffer overflow in virtio-serial-bus
- Set graphic display dimensions generically (removing system/globals-target.c)
- Mark eth_header, udp_header, tcp_header as packed structures
- Minor doc / header cleanups

# gpg: Signature made Sun Feb 22 23:21:16 2026 GMT
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <[email protected]>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* tag 'hw-misc-20260223' of https://github.com/philmd/qemu: (21 commits)
  net: mark struct tcp_header as QEMU_PACKED
  net: mark struct udp_header as QEMU_PACKED
  net: mark struct eth_header as QEMU_PACKED
  hw/net/rocker: Don't assume h_proto is aligned in eth_strip_vlan_ex()
  hw/net/rocker: Don't keep pointer to h_proto as uint16_t* in OfDpaFlowPktFields
  hw/net/rtl8139: Remove ineffective parameter
  hw/core/cpu: expand cpu_reset function docs
  hw/alpha: remove unused includes
  hw/ppc/spapr: extract SPAPR_MAX_RAM_SLOTS in a new header
  system/globals: Build as common code
  hw/ppc: Set graphic display dimensions generically
  hw/sparc: Set graphic display dimensions generically
  hw/m68k: Set graphic display dimensions generically
  hw/m68k/q800: Set MACFB_DISPLAY_APPLE_21_COLOR within MacFrameBuffer
  hw/m68k/q800: Use MacFbMode fields in q800_machine_init()
  hw/display/macfb: Constify macfb_mode_table[] array
  hw/display/macfb: Constify macfb_sense_table[] array
  hw/char/virtio-serial-bus: Fix Heap-buffer-overflow in set_config()
  hw/virtio: rename virtio_is_big_endian to virtio_vdev_is_big_endian
  hw/virtio: Constify virtio_is_big_endian() argument
  ...

Signed-off-by: Peter Maydell <[email protected]>


Compare: https://github.com/qemu/qemu/compare/05de1b53094c...a6ec632dca8c
