Re: [PATCH v2 1/1] virtio-pci: Fix the crash that the vector was used after released.

2024-04-10 Thread Cindy Lu
On Wed, Apr 10, 2024 at 1:48 PM Jason Wang wrote: > > On Wed, Apr 10, 2024 at 1:29 PM Cindy Lu wrote: > > > > When the guest triggers vhost_stop and then virtio_reset, the vector will > > the > > IRQFD for this vector will be released and change to VIRTIO_NO_VECTOR. > > After that, the guest

Re: [PATCH v5 2/2] nbd/server: Mark negotiation functions as coroutine_fn

2024-04-10 Thread Vladimir Sementsov-Ogievskiy
On 09.04.24 18:49, Eric Blake wrote: On Tue, Apr 09, 2024 at 09:30:39AM +0300, Vladimir Sementsov-Ogievskiy wrote: On 08.04.24 19:00, Eric Blake wrote: nbd_negotiate() is already marked coroutine_fn. And given the fix in the previous patch to have nbd_negotiate_handle_starttls not create and

Re: [PATCH v9] arm/kvm: Enable support for KVM_ARM_VCPU_PMU_V3_FILTER

2024-04-10 Thread Thomas Huth
On 09/04/2024 09.47, Shaoqin Huang wrote: Hi Thomas, On 4/9/24 13:33, Thomas Huth wrote: +    assert_has_feature(qts, "host", "kvm-pmu-filter"); So you assert here that the feature is available ...   assert_has_feature(qts, "host", "kvm-steal-time");  

Re: [PATCH for-9.1 04/19] target/i386: do not use s->tmp0 and s->tmp4 to compute flags

2024-04-10 Thread Richard Henderson
On 4/9/24 06:43, Paolo Bonzini wrote: Create a new temporary whenever flags have to use one, instead of using s->tmp0 or s->tmp4. NULL can now be passed as the scratch register to gen_prepare_*. Signed-off-by: Paolo Bonzini --- target/i386/tcg/translate.c | 54

Re: [RFC PATCH-for-9.0?] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()

2024-04-10 Thread Akihiko Odaki
On 2024/04/10 3:04, Philippe Mathieu-Daudé wrote: If a fragmented packet size is too short, do not try to calculate its checksum. Reproduced using: $ cat << EOF | qemu-system-i386 -display none -nodefaults \ -machine q35,accel=qtest -m 32M \

Re: [RFC PATCH-for-9.0?] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()

2024-04-10 Thread Philippe Mathieu-Daudé
On 10/4/24 08:53, Akihiko Odaki wrote: On 2024/04/10 3:04, Philippe Mathieu-Daudé wrote: If a fragmented packet size is too short, do not try to calculate its checksum. Reproduced using:    $ cat << EOF | qemu-system-i386 -display none -nodefaults \    -machine

[Stable-8.2.3 03/87] tcg/aarch64: Apple does not align __int128_t in even registers

2024-04-10 Thread Michael Tokarev
From: Richard Henderson From https://developer.apple.com/documentation/xcode/writing-arm64-code-for-apple-platforms When passing an argument with 16-byte alignment in integer registers, Apple platforms allow the argument to start in an odd-numbered xN register. The standard ABI

[Stable-8.2.3 10/87] hw/scsi/lsi53c895a: stop script on phase mismatch

2024-04-10 Thread Michael Tokarev
From: Sven Schnelle Netbsd isn't happy with qemu lsi53c895a emulation: cd0(esiop0:0:2:0): command with tag id 0 reset esiop0: autoconfiguration error: phase mismatch without command esiop0: autoconfiguration error: unhandled scsi interrupt, sist=0x80 sstat1=0x0 DSA=0x23a64b1 DSP=0x50 This is

[Stable-8.2.3 08/87] hw/rtc/sun4v-rtc: Relicense to GPLv2-or-later

2024-04-10 Thread Michael Tokarev
From: Peter Maydell The sun4v RTC device model added under commit a0e893039cf2ce0 in 2016 was unfortunately added with a license of GPL-v3-or-later, which is not compatible with other QEMU code which has a GPL-v2-only license. Relicense the code in the .c and the .h file to GPL-v2-or-later, to

[Stable-8.2.3 07/87] target/arm: Fix 32-bit SMOPA

2024-04-10 Thread Michael Tokarev
From: Richard Henderson While the 8-bit input elements are sequential in the input vector, the 32-bit output elements are not sequential in the output matrix. Do not attempt to compute 2 32-bit outputs at the same time. Cc: qemu-sta...@nongnu.org Fixes: 23a5e3859f5 ("target/arm: Implement SME

[Stable-8.2.3 04/87] linux-user: Remove pgb_dynamic alignment assertion

2024-04-10 Thread Michael Tokarev
From: Richard Henderson The assertion was never correct, because the alignment is a composite of the image alignment and SHMLBA. Even if the image alignment didn't match the image address, an assertion would not be correct -- more appropriate would be an error message about an ill-formed image.

[Stable-8.2.3 02/87] configure: run plugin TCG tests again

2024-04-10 Thread Michael Tokarev
From: Paolo Bonzini Commit 39fb3cfc28b ("configure: clean up plugin option handling", 2023-10-18) dropped the CONFIG_PLUGIN line from tests/tcg/config-host.mak, due to confusion caused by the shadowing of $config_host_mak. However, TCG tests were still expecting it. Oops. Put it back, in the

[Stable-8.2.3 06/87] ui/cocoa: Fix window clipping on macOS 14

2024-04-10 Thread Michael Tokarev
From: David Parsons macOS Sonoma changes the NSView.clipsToBounds to false by default where it was true in earlier version of macOS. This causes the window contents to be occluded by the frame at the top of the window. This fixes the issue by conditionally compiling the clipping on Sonoma to

[Stable-8.2.3 05/87] gitlab: update FreeBSD Cirrus CI image to 13.3

2024-04-10 Thread Michael Tokarev
From: Daniel P. Berrangé The 13.2 images have been deleted from gcloud Cc: qemu-sta...@nongnu.org Signed-off-by: Daniel P. Berrangé Reviewed-by: Peter Maydell Message-id: 20240304144456.3825935-3-berra...@redhat.com Signed-off-by: Peter Maydell (cherry picked from commit

[PATCH-for-9.0? v2] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()

2024-04-10 Thread Philippe Mathieu-Daudé
If a fragmented packet size is too short, do not try to calculate its checksum. Reproduced using: $ cat << EOF | qemu-system-i386 -display none -nodefaults \ -machine q35,accel=qtest -m 32M \ -device igb,netdev=net0 \

Re: [PATCH v2 1/1] virtio-pci: Fix the crash that the vector was used after released.

2024-04-10 Thread Cindy Lu
On Wed, Apr 10, 2024 at 1:36 PM Jason Wang wrote: > > On Wed, Apr 10, 2024 at 1:29 PM Cindy Lu wrote: > > > > When the guest triggers vhost_stop and then virtio_reset, the vector will > > the > > IRQFD for this vector will be released and change to VIRTIO_NO_VECTOR. > > After that, the guest

Re: [PATCH-for-9.0? v2] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()

2024-04-10 Thread Akihiko Odaki
On 2024/04/10 16:04, Philippe Mathieu-Daudé wrote: If a fragmented packet size is too short, do not try to calculate its checksum. Reproduced using: $ cat << EOF | qemu-system-i386 -display none -nodefaults \ -machine q35,accel=qtest -m 32M \

[Stable-8.2.3 00/87] Patch Round-up for stable 8.2.3, freeze on 2024-04-20

2024-04-10 Thread Michael Tokarev
The following patches are queued for QEMU stable v8.2.3: https://gitlab.com/qemu-project/qemu/-/commits/staging-8.2 Patch freeze is 2024-04-20, and the release is planned for 2024-04-22: https://wiki.qemu.org/Planning/8.2 Please respond here or CC qemu-sta...@nongnu.org on any additional

[PATCH] x86/loader: only patch linux kernels

2024-04-10 Thread Gerd Hoffmann
If the binary loaded via -kernel is *not* a linux kernel (in which case protocol == 0), do not patch the linux kernel header fields. It's (a) pointless and (b) might break binaries by random patching and (c) changes the binary hash which in turn breaks secure boot verification. Background: OVMF

Re: [PATCH v13 00/24] target/arm: Implement FEAT_NMI and FEAT_GICv3_NMI

2024-04-10 Thread Jinjie Ruan via
Ping. On 2024/4/7 16:17, Jinjie Ruan wrote: > This patch set implements FEAT_NMI and FEAT_GICv3_NMI for ARMv8. These > introduce support for a new category of interrupts in the architecture > which we can use to provide NMI like functionality. > > There are two modes for using this FEAT_NMI.

[Stable-8.2.3 19/87] hw/nvme: fix invalid check on mcl

2024-04-10 Thread Michael Tokarev
From: Klaus Jensen The number of logical blocks within a source range is converted into a 1s based number at the time of parsing. However, when verifying the copy length we add one again, causing the check against MCL to fail in error. Cc: qemu-sta...@nongnu.org Fixes: 381ab99d8587 ("hw/nvme:

[Stable-8.2.3 38/87] Revert "chardev/char-socket: Fix TLS io channels sending too much data to the backend"

2024-04-10 Thread Michael Tokarev
From: Daniel P. Berrangé This commit results in unexpected termination of the TLS connection. When 'fd_can_read' returns 0, the code goes on to pass a zero length buffer to qio_channel_read. The TLS impl calls into gnutls_recv() with this zero length buffer, at which point GNUTLS returns an

[Stable-8.2.3 80/87] hw/net/virtio-net: fix qemu set used ring flag even vhost started

2024-04-10 Thread Michael Tokarev
From: Yajun Wu When vhost-user or vhost-kernel is handling virtio net datapath, QEMU should not touch used ring. But with vhost-user socket reconnect scenario, in a very rare case (has pending kick event). VRING_USED_F_NO_NOTIFY is set by QEMU in following code path: #0

Re: [PATCH-for-9.0? v2] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()

2024-04-10 Thread Mauro Matteo Cascella
Hi, On Wed, Apr 10, 2024 at 9:05 AM Philippe Mathieu-Daudé wrote: > > If a fragmented packet size is too short, do not try to > calculate its checksum. This was assigned CVE-2024-3567. Thanks, > Reproduced using: > > $ cat << EOF | qemu-system-i386 -display none -nodefaults \ >

[Stable-8.2.3 55/87] block/io: accept NULL qiov in bdrv_pad_request

2024-04-10 Thread Michael Tokarev
From: Stefan Reiter Some operations, e.g. block-stream, perform reads while discarding the results (only copy-on-read matters). In this case, they will pass NULL as the target QEMUIOVector, which will however trip bdrv_pad_request, since it wants to extend its passed vector. In particular, this

[PULL 05/16] qemu-options: Fix CXL Fixed Memory Window interleave-granularity typo

2024-04-10 Thread Philippe Mathieu-Daudé
From: Yuquan Wang Fix the unit typo of interleave-granularity of CXL Fixed Memory Window in qemu-option.hx. Fixes: 03b39fcf64 ("hw/cxl: Make the CFMW a machine parameter.") Signed-off-by: Yuquan Wang wangyuquan1...@phytium.com.cn Message-ID:

[PULL 14/16] hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set

2024-04-10 Thread Philippe Mathieu-Daudé
Per "SD Host Controller Standard Specification Version 3.00": * 2.2.5 Transfer Mode Register (Offset 00Ch) Writes to this register shall be ignored when the Command Inhibit (DAT) in the Present State register is 1. Do not update the TRNMOD register when Command Inhibit (DAT) bit is

[PULL 09/16] hw/misc/applesmc: Do not call DeviceReset from DeviceRealize

2024-04-10 Thread Philippe Mathieu-Daudé
QDev core layer always calls DeviceReset() after DeviceRealize(), no need to do it manually. Remove the extra call. Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Peter Maydell Message-Id: <20240408095217.57239-2-phi...@linaro.org> --- hw/misc/applesmc.c | 1 - 1 file changed, 1 deletion(-)

[PULL 15/16] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()

2024-04-10 Thread Philippe Mathieu-Daudé
If a fragmented packet size is too short, do not try to calculate its checksum. Reproduced using: $ cat << EOF | qemu-system-i386 -display none -nodefaults \ -machine q35,accel=qtest -m 32M \ -device igb,netdev=net0 \

[PULL 06/16] hw/block/nand: Factor nand_load_iolen() method out

2024-04-10 Thread Philippe Mathieu-Daudé
Reviewed-by: Richard Henderson Reviewed-by: Kevin Wolf Signed-off-by: Philippe Mathieu-Daudé Message-Id: <20240409135944.24997-2-phi...@linaro.org> --- hw/block/nand.c | 35 ++- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/hw/block/nand.c

[PULL 12/16] hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition

2024-04-10 Thread Philippe Mathieu-Daudé
The magic 2048 is explained in the LAN9211 datasheet (DS2414A) in chapter 1.4, "10/100 Ethernet MAC": The MAC Interface Layer (MIL), within the MAC, contains a 2K Byte transmit and a 128 Byte receive FIFO which is separate from the TX and RX FIFOs. [...] Note, the use of the constant

[PULL 16/16] hw/audio/virtio-snd: Remove unused assignment

2024-04-10 Thread Philippe Mathieu-Daudé
Coverity reported: >>> CID 1542933: Code maintainability issues (UNUSED_VALUE) >>> CID 1542934: Code maintainability issues (UNUSED_VALUE) >>> Assigning value "NULL" to "stream" here, but that stored value is overwritten before it can be used. Simply remove the

[PULL 02/16] hw/display/virtio-gpu: Protect from DMA re-entrancy bugs

2024-04-10 Thread Philippe Mathieu-Daudé
Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus and device use the same guard. Otherwise the DMA-reentrancy protection can be bypassed: $ cat << EOF | qemu-system-i386 -display none -nodefaults \ -machine q35,accel=qtest \

Re: [PATCH for-9.0] ppc440_pcix: Do not expose a bridge device on PCI bus

2024-04-10 Thread BALATON Zoltan
On Wed, 10 Apr 2024, Nicholas Piggin wrote: On Wed Apr 10, 2024 at 9:55 AM AEST, BALATON Zoltan wrote: Real 460EX SoC apparently does not expose a bridge device and having it appear on PCI bus confuses an AmigaOS file system driver that uses this to detect which machine it is running on. Since

Re: [QEMU][PATCH v3 3/7] softmmu: let qemu_map_ram_ptr() use qemu_ram_ptr_length()

2024-04-10 Thread Edgar E. Iglesias
On Tue, Feb 27, 2024 at 11:37 PM Vikram Garhwal wrote: > From: Juergen Gross > > qemu_map_ram_ptr() and qemu_ram_ptr_length() share quite some code, so > modify qemu_ram_ptr_length() a little bit and use it for > qemu_map_ram_ptr(), too. > > Signed-off-by: Juergen Gross > Signed-off-by: Vikram

[PATCH 4/4] tests/qtest/migration: Add postcopy migration qtests to use 'channels' argument instead of uri

2024-04-10 Thread Het Gala
Add qtests to perform postcopy live migration by having list of 'channels' argument as the starting point instead of uri string. (Note: length of the list is restricted to 1 for now) Signed-off-by: Het Gala --- tests/qtest/migration-test.c | 38 ++-- 1 file

[PATCH 2/4] tests/qtest/migration: Replace 'migrate-incoming' qtest_qmp_assert_success with migrate_incoming_qmp

2024-04-10 Thread Het Gala
Already have a migrate_incoming_qmp helper function to initiate 'migrate-incoming' QMP command with some additional checks. Replace 'migrate-incoming' qtest_qmp_assert_success command with calling migrate_incoming_qmp helper function for postcopy qtests. Signed-off-by: Het Gala ---

[Stable-8.2.3 52/87] target/loongarch: Fix qemu-system-loongarch64 assert failed with the option '-d int'

2024-04-10 Thread Michael Tokarev
From: Song Gao qemu-system-loongarch64 assert failed with the option '-d int', the helper_idle() raise an exception EXCP_HLT, but the exception name is undefined. Signed-off-by: Song Gao Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20240321123606.1704900-1-gaos...@loongson.cn> (cherry

[Stable-8.2.3 60/87] hw/scsi/scsi-generic: Fix io_timeout property not applying

2024-04-10 Thread Michael Tokarev
From: Lorenz Brun The io_timeout property, introduced in c9b6609 (part of 6.0) is silently overwritten by the hardcoded default value of 30 seconds (DEFAULT_IO_TIMEOUT) in scsi_generic_realize because that function is being called after the properties have already been applied. The property

[Stable-8.2.3 75/87] target/hppa: Clear psw_n for BE on use_nullify_skip path

2024-04-10 Thread Michael Tokarev
From: Richard Henderson Along this path we have already skipped the insn to be nullified, so the subsequent insn should be executed. Cc: qemu-sta...@nongnu.org Reported-by: Sven Schnelle Tested-by: Sven Schnelle Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Richard Henderson (cherry

[Stable-8.2.3 71/87] target/riscv/kvm: fix timebase-frequency when using KVM acceleration

2024-04-10 Thread Michael Tokarev
From: Yong-Xuan Wang The timebase-frequency of the guest OS should be the same as that of the host machine. The timebase-frequency value in the DTS should be obtained from the hypervisor when using KVM acceleration. Signed-off-by: Yong-Xuan Wang Message-ID: <20240314061510.9800-1-yongxuan.w...@sifive.com> Reviewed-by:

[Stable-8.2.3 79/87] target/arm: take HSTR traps of cp15 accesses to EL2, not EL1

2024-04-10 Thread Michael Tokarev
From: Peter Maydell The HSTR_EL2 register allows the hypervisor to trap AArch32 EL1 and EL0 accesses to cp15 registers. We incorrectly implemented this so they trap to EL1 when we detect the need for a HSTR trap at code generation time. (The check in access_check_cp_reg() which we do at

Re: [PATCH-for-9.0? v2] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()

2024-04-10 Thread Philippe Mathieu-Daudé
On 10/4/24 09:35, Mauro Matteo Cascella wrote: Hi, On Wed, Apr 10, 2024 at 9:05 AM Philippe Mathieu-Daudé wrote: If a fragmented packet size is too short, do not try to calculate its checksum. This was assigned CVE-2024-3567. Thanks for the quick reaction! Reproduced using: $ cat

[PULL 08/16] hw/block/nand: Fix out-of-bound access in NAND block buffer

2024-04-10 Thread Philippe Mathieu-Daudé
nand_command() and nand_getio() don't check that @offset points into the block, nor that the available data length (s->iolen) is not negative. In order to fix: - check the offset is in range in nand_blk_load_NAND_PAGE_SIZE(), - do not set @iolen if blk_load() failed. Reproducer: $ cat << EOF |

[PULL 01/16] hw/virtio: Introduce virtio_bh_new_guarded() helper

2024-04-10 Thread Philippe Mathieu-Daudé
Introduce virtio_bh_new_guarded(), similar to qemu_bh_new_guarded() but using the transport memory guard, instead of the device one (there can only be one virtio device per virtio bus). Inspired-by: Gerd Hoffmann Reviewed-by: Gerd Hoffmann Acked-by: Michael S. Tsirkin Signed-off-by: Philippe

[PULL 13/16] hw/net/lan9118: Fix overflow in MIL TX FIFO

2024-04-10 Thread Philippe Mathieu-Daudé
When the MAC Interface Layer (MIL) transmit FIFO is full, truncate the packet, and raise the Transmitter Error (TXE) flag. Broken since model introduction in commit 2a42499017 ("LAN9118 emulation"). When using the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/2267 we get:

secure boot & direct kernel load (was: Re: [PATCH] x86/loader: only patch linux kernels)

2024-04-10 Thread Gerd Hoffmann
On Wed, Apr 10, 2024 at 03:26:29AM -0400, Michael S. Tsirkin wrote: > On Wed, Apr 10, 2024 at 09:21:26AM +0200, Gerd Hoffmann wrote: > > If the binary loaded via -kernel is *not* a linux kernel (in which > > case protocol == 0), do not patch the linux kernel header fields. > > > > It's (a)

Re: [QEMU][PATCH v3 4/7] xen: let xen_ram_addr_from_mapcache() return -1 in case of not found entry

2024-04-10 Thread Edgar E. Iglesias
On Fri, Mar 1, 2024 at 6:08 PM Alex Bennée wrote: > Vikram Garhwal writes: > > > From: Juergen Gross > > > > Today xen_ram_addr_from_mapcache() will either abort() or return 0 in > > case it can't find a matching entry for a pointer value. Both cases > > are bad, so change that to return an

Re: [PATCH-for-9.0? v2] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()

2024-04-10 Thread Jason Wang
On Wed, Apr 10, 2024 at 3:06 PM Akihiko Odaki wrote: > > On 2024/04/10 16:04, Philippe Mathieu-Daudé wrote: > > If a fragmented packet size is too short, do not try to > > calculate its checksum. > > > > Reproduced using: > > > >$ cat << EOF | qemu-system-i386 -display none -nodefaults \ > >

[PULL 07/16] hw/block/nand: Have blk_load() take unsigned offset and return boolean

2024-04-10 Thread Philippe Mathieu-Daudé
Negative offset is meaningless, use unsigned type. Return a boolean value indicating success. Reviewed-by: Richard Henderson Reviewed-by: Kevin Wolf Signed-off-by: Philippe Mathieu-Daudé Message-Id: <20240409135944.24997-3-phi...@linaro.org> --- hw/block/nand.c | 14 ++ 1 file

[PULL 10/16] hw/misc/applesmc: Fix memory leak in reset() handler

2024-04-10 Thread Philippe Mathieu-Daudé
AppleSMCData is allocated with g_new0() in applesmc_add_key(): release it with g_free(). Leaked since commit 1ddda5cd36 ("AppleSMC device emulation"). Cc: qemu-sta...@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2272 Reported-by: Zheyu Ma Signed-off-by: Philippe

[PULL 11/16] backends/cryptodev: Do not abort for invalid session ID

2024-04-10 Thread Philippe Mathieu-Daudé
Instead of aborting when a session ID is invalid, return VIRTIO_CRYPTO_INVSESS ("Invalid session id"). Reproduced using: $ cat << EOF | qemu-system-i386 -display none \ -machine q35,accel=qtest -m 512M -nodefaults \ -object cryptodev-backend-builtin,id=cryptodev0 \ -device

[PULL 04/16] hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs

2024-04-10 Thread Philippe Mathieu-Daudé
Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus and device use the same guard. Otherwise the DMA-reentrancy protection can be bypassed. Fixes: CVE-2024-3446 Cc: qemu-sta...@nongnu.org Suggested-by: Alexander Bulekov Reviewed-by: Gerd Hoffmann Acked-by: Michael S. Tsirkin

[PATCH] tests/vm: update openbsd image to 7.5

2024-04-10 Thread Brad Smith
tests/vm: update openbsd to release 7.5 Signed-off-by: Brad Smith --- This exposes a further issue with Clang 16 and the ROP exploits flag usage at the moment. https://gitlab.com/qemu-project/qemu/-/issues/2278 tests/vm/openbsd | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)

[Stable-8.2.3 31/87] iotests: Add test for reset/AioContext switches with NBD exports

2024-04-10 Thread Michael Tokarev
From: Kevin Wolf This replicates the scenario in which the bug was reported. Unfortunately this relies on actually executing a guest (so that the firmware initialises the virtio-blk device and moves it to its configured iothread), so this can't make use of the qtest accelerator like most other

[Stable-8.2.3 15/87] e1000e: fix link state on resume

2024-04-10 Thread Michael Tokarev
From: Laurent Vivier On resume e1000e_vm_state_change() always calls e1000e_autoneg_resume() that sets link_down to false, and thus activates the link even if we have disabled it. The problem can be reproduced starting qemu in paused state (-S) and then set the link to down. When we resume the

[Stable-8.2.3 17/87] xen: Drop out of coroutine context xen_invalidate_map_cache_entry

2024-04-10 Thread Michael Tokarev
From: Peng Fan xen_invalidate_map_cache_entry is not expected to run in a coroutine. Without this, there is crash: signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 threadid=) at pthread_kill.c:78 at /usr/src/debug/glibc/2.38+git-r0/sysdeps/posix/raise.c:26

[Stable-8.2.3 16/87] Avoid unaligned fetch in ladr_match()

2024-04-10 Thread Michael Tokarev
From: Nick Briggs There is no guarantee that the PCNetState is allocated such that csr[8] is allocated on an 8-byte boundary. Since not all hosts are capable of unaligned fetches the 16-bit elements need to be fetched individually to avoid a potential fault. Closes issue #2143 Resolves:

[Stable-8.2.3 25/87] hw/audio/virtio-sound: return correct command response size

2024-04-10 Thread Michael Tokarev
From: Volker Rümelin The payload size returned by command VIRTIO_SND_R_PCM_INFO is wrong. The code in process_cmd() assumes that all commands return only a virtio_snd_hdr payload, but some commands like VIRTIO_SND_R_PCM_INFO may return an additional payload. Add a zero initialized payload_size

[Stable-8.2.3 26/87] migration: Skip only empty block devices

2024-04-10 Thread Michael Tokarev
From: Cédric Le Goater The block .save_setup() handler calls a helper routine init_blk_migration() which builds a list of block devices to take into account for migration. When one device is found to be empty (sectors == 0), the loop exits and all the remaining devices are ignored. This is a

[Stable-8.2.3 29/87] nbd/server: introduce NBDClient->lock to protect fields

2024-04-10 Thread Michael Tokarev
From: Stefan Hajnoczi NBDClient has a number of fields that are accessed by both the export AioContext and the main loop thread. When the AioContext lock is removed these fields will need another form of protection. Add NBDClient->lock and protect fields that are accessed by both threads. Also

[Stable-8.2.3 42/87] target/hppa: Fix assemble_11a insns for wide mode

2024-04-10 Thread Michael Tokarev
From: Richard Henderson Tested-by: Helge Deller Reviewed-by: Helge Deller Reported-by: Sven Schnelle Signed-off-by: Richard Henderson (cherry picked from commit 4768c28edd4097ebef42822e15b4a43026b15376) Signed-off-by: Michael Tokarev diff --git a/target/hppa/insns.decode

[Stable-8.2.3 34/87] tests/unit: Bump test-replication timeout to 60 seconds

2024-04-10 Thread Michael Tokarev
From: Kevin Wolf We're seeing timeouts for this test on CI runs (specifically for ubuntu-20.04-s390x-all). It doesn't fail consistently, but even the successful runs take about 27 or 28 seconds, which is not very far from the 30 seconds timeout. Bump the timeout a bit to make failure less

[Stable-8.2.3 24/87] hmat acpi: Fix out of bounds access due to missing use of indirection

2024-04-10 Thread Michael Tokarev
From: Jonathan Cameron With a numa set up such as -numa nodeid=0,cpus=0 \ -numa nodeid=1,memdev=mem \ -numa nodeid=2,cpus=1 and appropriate hmat_lb entries the initiator list is correctly computed and written to HMAT as 0,2 but then the LB data is accessed using the node id (here 2), landing

Re: [QEMU][PATCH v3 6/7] xen: add map and unmap callbacks for grant region

2024-04-10 Thread Edgar E. Iglesias
On Fri, Mar 1, 2024 at 12:34 AM Stefano Stabellini wrote: > On Tue, 27 Feb 2024, Vikram Garhwal wrote: > > From: Juergen Gross > > > > Add the callbacks for mapping/unmapping guest memory via grants to the > > special grant memory region. > > > > Signed-off-by: Juergen Gross > > Signed-off-by:

[Stable-8.2.3 12/87] make-release: switch to .xz format by default

2024-04-10 Thread Michael Tokarev
For a long time, we have provided two compression formats in the download area, .bz2 and .xz. There's absolutely no reason to provide two in parallel: .xz compresses better, and all the links we use point to .xz. Downstream distributions mostly use .xz too. For the release maintenance providing two

[Stable-8.2.3 09/87] system/qdev-monitor: move drain_call_rcu call under if (!dev) in qmp_device_add()

2024-04-10 Thread Michael Tokarev
From: Dmitrii Gavrilov The original goal of the addition of drain_call_rcu to qmp_device_add was to cover the failure case of qdev_device_add. It seems the call of drain_call_rcu was misplaced in 7bed89958bfbf40df, which led to waiting for pending RCU callbacks under the happy path too. This led to overall

[Stable-8.2.3 47/87] target/hppa: exit tb on flush cache instructions

2024-04-10 Thread Michael Tokarev
From: Sven Schnelle When the guest modifies the tb it is currently executing from, it executes a fic instruction. Exit the tb on such instruction, otherwise we might execute stale code. Signed-off-by: Sven Schnelle Message-Id: <20240319161921.487080-5-sv...@stackframe.org> Signed-off-by:

[Stable-8.2.3 41/87] target/hppa: Fix assemble_16 insns for wide mode

2024-04-10 Thread Michael Tokarev
From: Richard Henderson Reported-by: Sven Schnelle Reviewed-by: Helge Deller Signed-off-by: Richard Henderson (cherry picked from commit 72bace2d13cb427fde3bb50ae1a71a2abe9acc0f) Signed-off-by: Michael Tokarev diff --git a/target/hppa/insns.decode b/target/hppa/insns.decode index

[Stable-8.2.3 33/87] tests/unit: Bump test-crypto-block test timeout to 5 minutes

2024-04-10 Thread Michael Tokarev
From: Thomas Huth When running the tests in slow mode on a very loaded system and with --enable-debug, the test-crypto-block can take longer than 4 minutes. Bump the timeout to 5 minutes to make sure that it also passes in such situations. Signed-off-by: Thomas Huth Message-Id:

[Stable-8.2.3 35/87] target/i386: introduce function to query MMU indices

2024-04-10 Thread Michael Tokarev
From: Paolo Bonzini Remove knowledge of specific MMU indexes (other than MMU_NESTED_IDX and MMU_PHYS_IDX) from mmu_translate(). This will make it possible to split 32-bit and 64-bit MMU indexes. Signed-off-by: Paolo Bonzini (cherry picked from commit 5f97afe2543f09160a8d123ab6e2e8c6d98fa9ce)

[Stable-8.2.3 81/87] block/virtio-blk: Fix memory leak from virtio_blk_zone_report

2024-04-10 Thread Michael Tokarev
From: Zheyu Ma This modification ensures that in scenarios where the buffer size is insufficient for a zone report, the function will now properly set an error status and proceed to a cleanup label, instead of merely returning. The following ASAN log reveals it: ==1767400==ERROR:

[Stable-8.2.3 68/87] hw/intc: Update APLIC IDC after claiming iforce register

2024-04-10 Thread Michael Tokarev
From: Frank Chang Currently, QEMU only sets the iforce register to 0 and returns early when claiming the iforce register. However, this may leave mip.meip at 1 if a spurious external interrupt triggered by the iforce register is the only pending interrupt to be claimed, and the interrupt

[Stable-8.2.3 51/87] docs/conf.py: Remove usage of distutils

2024-04-10 Thread Michael Tokarev
From: Thomas Huth The macOS jobs in our CI recently started failing, complaining that the distutils module is not available anymore. And indeed, according to https://peps.python.org/pep-0632/ it's been deprecated since a while and now likely got removed in recent Python versions. Fortunately,

[Stable-8.2.3 84/87] hw/virtio: Fix packed virtqueue flush used_idx

2024-04-10 Thread Michael Tokarev
From: Wafer In the event of writing many chains of descriptors, the device must write just the id of the last buffer in the descriptor chain, skip forward the number of descriptors in the chain, and then repeat the operations for the rest of chains. Current QEMU code writes all the buffer ids

[Stable-8.2.3 83/87] target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3

2024-04-10 Thread Michael Tokarev
From: Peter Maydell When we do an AT address translation operation, the page table walk is supposed to be performed in the context of the EL we're doing the walk for, so for instance an AT S1E2R walk is done for EL2. In the pseudocode an EL is passed to AArch64.AT(), which calls

[Stable-8.2.3 70/87] target/riscv: Fix mode in riscv_tlb_fill

2024-04-10 Thread Michael Tokarev
From: Irina Ryapolova Need to convert mmu_idx to privilege mode for PMP function. Signed-off-by: Irina Ryapolova Fixes: b297129ae1 ("target/riscv: propagate PMP permission to TLB page") Reviewed-by: Alistair Francis Reviewed-by: Daniel Henrique Barboza Message-ID:

[Stable-8.2.3 58/87] iotests: add test for stream job with an unaligned prefetch read

2024-04-10 Thread Michael Tokarev
From: Fiona Ebner Previously, bdrv_pad_request() could not deal with a NULL qiov when a read needed to be aligned. During prefetch, a stream job will pass a NULL qiov. Add a test case to cover this scenario. By accident, also covers a previous race during shutdown, where block graph changes

[Stable-8.2.3 85/87] vdpa-dev: Fix the issue of device status not updating when configuration interruption is triggered

2024-04-10 Thread Michael Tokarev
From: lyx634449800 The set_config callback function vhost_vdpa_device_get_config in vdpa-dev does not fetch the current device status from the hardware device, causing the guest OS to not receive the latest device status information. The hardware updates the config status of the vdpa device and

Re: vhost-user-blk reconnect issue

2024-04-10 Thread Yajun Wu
On 4/2/2024 4:44 PM, Li Feng wrote: *External email: Use caution opening links or attachments* Hi, I tested it today and there is indeed a problem in this scenario. It seems that the first version of the patch is the best and can handle all scenarios. With this patch, the previously

Re: [PATCH] hw/audio/virtio-snd: Remove unused assignment

2024-04-10 Thread Philippe Mathieu-Daudé
On 10/4/24 07:37, Philippe Mathieu-Daudé wrote: Coverity reported: >>> CID 1542933: Code maintainability issues (UNUSED_VALUE) >>> CID 1542934: Code maintainability issues (UNUSED_VALUE) >>> Assigning value "NULL" to "stream" here, but that stored value is

[PULL 03/16] hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs

2024-04-10 Thread Philippe Mathieu-Daudé
Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus and device use the same guard. Otherwise the DMA-reentrancy protection can be bypassed. Fixes: CVE-2024-3446 Cc: qemu-sta...@nongnu.org Suggested-by: Alexander Bulekov Reviewed-by: Gerd Hoffmann Acked-by: Michael S. Tsirkin

[PULL 00/16] Misc HW patches for 2024-04-10

2024-04-10 Thread Philippe Mathieu-Daudé
The following changes since commit 927284d65bce63ab1495d3febe7c7b5b6d563874: Merge tag 'edk2-20240409-pull-request' of https://gitlab.com/kraxel/qemu into staging (2024-04-09 17:36:40 +0100) are available in the Git repository at: https://github.com/philmd/qemu.git tags/hw-misc-20240410

[RFC 0/2] Identify aliased maps in vdpa SVQ iova_tree

2024-04-10 Thread Eugenio Pérez
The guest may have overlapped memory regions, where different GPA leads to the same HVA. This causes a problem when overlapped regions (different GPA but same translated HVA) exist in the tree, as looking them up by HVA will return them twice. To solve this, track GPA in the DMA entry that acts as

[Stable-8.2.3 14/87] igb: fix link state on resume

2024-04-10 Thread Michael Tokarev
From: Laurent Vivier On resume igb_vm_state_change() always calls igb_autoneg_resume() that sets link_down to false, and thus activates the link even if we have disabled it. The problem can be reproduced by starting qemu in paused state (-S) and then setting the link to down. When we resume the

[Stable-8.2.3 48/87] target/hppa: mask privilege bits in mfia

2024-04-10 Thread Michael Tokarev
From: Sven Schnelle mfia should return only the iaoq bits without privilege bits. Fixes: 98a9cb792c8 ("target-hppa: Implement system and memory-management insns") Signed-off-by: Sven Schnelle Reviewed-by: Richard Henderson Reviewed-by: Helge Deller Message-Id:

[Stable-8.2.3 46/87] target/hppa: fix access_id check

2024-04-10 Thread Michael Tokarev
From: Sven Schnelle PA2.0 provides 8 instead of 4 PID registers. Signed-off-by: Sven Schnelle Reviewed-by: Richard Henderson Message-Id: <20240319161921.487080-4-sv...@stackframe.org> Signed-off-by: Richard Henderson (cherry picked from commit ae157fc25053917830c3b581bc282f906e6d95d3)

[Stable-8.2.3 13/87] migration/rdma: Fix a memory issue for migration

2024-04-10 Thread Michael Tokarev
From: Yu Zhang In commit 3fa9642ff7 a change was made to convert the RDMA backend to accept MigrateAddress struct. However, the assignment of "host" leads to data corruption on the target host and the failure of migration. isock->host = rdma->host; By allocating the memory explicitly for it

[Stable-8.2.3 59/87] target/i386/tcg: Enable page walking from MMIO memory

2024-04-10 Thread Michael Tokarev
From: Gregory Price CXL emulation of interleave requires read and write hooks due to requirement for subpage granularity. The Linux kernel stack now enables using this memory as conventional memory in a separate NUMA node. If a process is deliberately forced to run from that node $ numactl

[Stable-8.2.3 39/87] ui: compile dbus-display1.c with -fPIC as necessary

2024-04-10 Thread Michael Tokarev
From: Marc-André Lureau Building dbus-display1.c explicitly as a static library drops -fPIC by default, which may not be correct if it ends up linked to a shared library. Let the target decide how to build the unit, with or without -fPIC. This makes commit 186acfbaf7 ("tests/qtest: Depend on

[Stable-8.2.3 44/87] target/hppa: ldcw,s uses static shift of 3

2024-04-10 Thread Michael Tokarev
From: Sven Schnelle Fixes: 96d6407f363 ("target-hppa: Implement loads and stores") Signed-off-by: Sven Schnelle Reviewed-by: Richard Henderson Message-Id: <20240319161921.487080-2-sv...@stackframe.org> Signed-off-by: Richard Henderson (cherry picked from commit

[Stable-8.2.3 32/87] tests/unit: Bump test-aio-multithread test timeout to 2 minutes

2024-04-10 Thread Michael Tokarev
From: Thomas Huth When running the tests in slow mode on a very loaded system and with --enable-debug, the test-aio-multithread can take longer than 1 minute. Bump the timeout to two minutes to make sure that it also passes in such situations. Signed-off-by: Thomas Huth Message-Id:

[Stable-8.2.3 61/87] monitor/hmp-cmds-target: Append a space in error message in gpa2hva()

2024-04-10 Thread Michael Tokarev
From: Yao Xingtao In qemu monitor mode, when we use the gpa2hva command to print the host virtual address corresponding to a guest physical address, if the gpa is not in RAM, the error message is below: (qemu) gpa2hva 0x75000 Memory at address 0x75000is not RAM A space is missing

[Stable-8.2.3 78/87] hw/intc/arm_gicv3: ICC_HPPIR* return SPURIOUS if int group is disabled

2024-04-10 Thread Michael Tokarev
From: Peter Maydell If the group of the highest priority pending interrupt is disabled via ICC_IGRPEN*, the ICC_HPPIR* registers should return INTID_SPURIOUS, not the interrupt ID. (See the GIC architecture specification pseudocode functions ICC_HPPIR1_EL1[] and

[Stable-8.2.3 23/87] pcie_sriov: Validate NumVFs

2024-04-10 Thread Michael Tokarev
From: Akihiko Odaki The guest may write NumVFs greater than TotalVFs and that can lead to buffer overflow in VF implementations. Cc: qemu-sta...@nongnu.org Fixes: CVE-2024-26327 Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization (SR/IOV)") Signed-off-by: Akihiko Odaki

[Stable-8.2.3 73/87] hw/net/net_tx_pkt: Fix virtio header without checksum offloading

2024-04-10 Thread Michael Tokarev
From: Akihiko Odaki It is incorrect to have the VIRTIO_NET_HDR_F_NEEDS_CSUM set when checksum offloading is disabled so clear the bit. TCP/UDP checksum is usually offloaded when the peer requires virtio headers because they can instruct the peer to compute checksum. However, igb disables TX

[Stable-8.2.3 77/87] gitlab-ci/cirrus: switch from 'master' to 'latest'

2024-04-10 Thread Michael Tokarev
Commit ab72522797 "gitlab: switch from 'stable' to 'latest' docker container tags" switched most tags to 'latest' but missed cirrus image. Fix this now. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2256 Signed-off-by: Michael Tokarev Message-id:

[Stable-8.2.3 74/87] tcg/optimize: Fix sign_mask for logical right-shift

2024-04-10 Thread Michael Tokarev
From: Richard Henderson The 'sign' computation is attempting to locate the sign bit that has been repeated, so that we can test if that bit is known zero. That computation can be zero if there are no known sign repetitions. Cc: qemu-sta...@nongnu.org Fixes: 93a967fbb57 ("tcg/optimize:

[Stable-8.2.3 87/87] virtio-snd: rewrite invalid tx/rx message handling

2024-04-10 Thread Michael Tokarev
From: Manos Pitsidianakis The current handling of invalid virtqueue elements inside the TX/RX virt queue handlers is wrong. They are added in a per-stream invalid queue to be processed after the handler is done examining each message, but the invalid message might not be specifying any

[Stable-8.2.3 36/87] target/i386: use separate MMU indexes for 32-bit accesses

2024-04-10 Thread Michael Tokarev
From: Paolo Bonzini Accesses from a 32-bit environment (32-bit code segment for instruction accesses, EFER.LMA==0 for processor accesses) have to mask away the upper 32 bits of the address. While a bit wasteful, the easiest way to do so is to use separate MMU indexes. These days, QEMU anyway
