Merge v8.1.1 #137

Draft
wants to merge 10,000 commits into base: MINI404
This pull request is big! We’re only showing the most recent 250 commits.

Commits on Jul 26, 2023

  1. qapi: Reformat recent doc comments to conform to current conventions

    Since commit a937b6a (qapi: Reformat doc comments to conform to
    current conventions), a number of comments not conforming to the
    current formatting conventions were added.  No problem, just sweep
    the entire documentation once more.
    
    To check the generated documentation does not change, I compared the
    generated HTML before and after this commit with "wdiff -3".  Finds no
    differences.  Comparing with diff is not useful, as the reflown
    paragraphs are visible there.
    
    Signed-off-by: Markus Armbruster <[email protected]>
    Message-ID: <[email protected]>
    Markus Armbruster committed Jul 26, 2023
    Commit 9e27207
  2. Merge tag 'misc-next-pull-request' of https://gitlab.com/berrange/qemu into staging
    
    Miscellaneous fixes
    
     * Switch canokey license from Apache to GPLv2+
     * Fix uninitialized variable in LUKS driver
    
    # gpg: Signature made Tue 25 Jul 2023 09:24:51 AM PDT
    # gpg:                using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
    # gpg: Good signature from "Daniel P. Berrange <[email protected]>" [full]
    # gpg:                 aka "Daniel P. Berrange <[email protected]>" [full]
    
    * tag 'misc-next-pull-request' of https://gitlab.com/berrange/qemu:
      hw/usb/canokey: change license to GPLv2+
      crypto: Always initialize splitkeylen
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Jul 26, 2023
    Commit 5fc7709
  3. Merge tag 'migration-20230726-pull-request' of https://gitlab.com/juan.quintela/qemu into staging
    
    Migration Pull request
    
    Hi
    
    This is the migration PULL request.  It is the same as yesterday with proper PULL headers.
    It passes CI. It contains:
    - Fabiano Rosas threadinfo cleanups
    - Hyman Huang dirtylimit changes
    - Part of my changes
    - Peter Xu documentation
    - Tejus update to migration descriptions
    - Wei Wang improvements for postcopy and multifd setup
    
    Please apply.
    
    Thanks, Juan.
    
    # gpg: Signature made Wed 26 Jul 2023 04:59:52 AM PDT
    # gpg:                using RSA key 1899FF8EDEBF58CCEE034B82F487EF185872D723
    # gpg: Good signature from "Juan Quintela <[email protected]>" [undefined]
    # gpg:                 aka "Juan Quintela <[email protected]>" [undefined]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 1899 FF8E DEBF 58CC EE03  4B82 F487 EF18 5872 D723
    
    * tag 'migration-20230726-pull-request' of https://gitlab.com/juan.quintela/qemu: (25 commits)
      migration/rdma: Split qemu_fopen_rdma() into input/output functions
      qemu-file: Make qemu_file_get_error_obj() static
      qemu-file: Simplify qemu_file_shutdown()
      qemu_file: Make qemu_file_is_writable() static
      migration: Change qemu_file_transferred to noflush
      qemu-file: Rename qemu_file_transferred_ fast -> noflush
      qtest/migration-tests.c: use "-incoming defer" for postcopy tests
      migration: enforce multifd and postcopy preempt to be set before incoming
      migration: Update error description whenever migration fails
      docs/migration: Update postcopy bits
      migration: skipped field is really obsolete.
      migration-test: machine_opts is really arch specific
      migration-test: Create arch_opts
      migration-test: Make machine_opts regular with other options
      migration-test: Be consistent for ppc
      migration: Extend query-migrate to provide dirty page limit info
      migration: Implement dirty-limit convergence algo
      migration: Put the detection logic before auto-converge checking
      migration: Refactor auto-converge capability logic
      migration: Introduce dirty-limit capability
      ...
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Jul 26, 2023
    Commit ec28194
  4. Merge tag 'pull-qapi-2023-07-26-v2' of https://repo.or.cz/qemu/armbru into staging
    
    QAPI patches for 2023-07-26
    
    # gpg: Signature made Wed 26 Jul 2023 05:52:05 AM PDT
    # gpg:                using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Markus Armbruster <[email protected]>" [undefined]
    # gpg:                 aka "Markus Armbruster <[email protected]>" [undefined]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867  4E5F 3870 B400 EB91 8653
    
    * tag 'pull-qapi-2023-07-26-v2' of https://repo.or.cz/qemu/armbru:
      qapi: Reformat recent doc comments to conform to current conventions
      qapi/trace: Tidy up trace-event-get-state, -set-state documentation
      qapi/qdev: Tidy up device_add documentation
      qapi/block: Tidy up block-latency-histogram-set documentation
      qapi/block-core: Tidy up BlockLatencyHistogramInfo documentation
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Jul 26, 2023
    Commit ccdd312
  5. block/blkio: do not use open flags in qemu_open()

    qemu_open() in blkio_virtio_blk_common_open() is used to open the
    character device (e.g. /dev/vhost-vdpa-0 or /dev/vfio/vfio) or in
    the future eventually the unix socket.
    
    In all these cases we cannot open the path in read-only mode,
    when the `read-only` option of blockdev is on, because the exchange
    of IOCTL commands for example will fail.
    
    In order to open the device read-only, we have to use the `read-only`
    property of the libblkio driver as we already do in blkio_file_open().
    
    Fixes: cad2ccc ("block/blkio: use qemu_open() to support fd passing for virtio-blk")
    Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2225439
    Reported-by: Qing Wang <[email protected]>
    Signed-off-by: Stefano Garzarella <[email protected]>
    Reviewed-by: Daniel P. Berrangé <[email protected]>
    Message-id: [email protected]
    Signed-off-by: Stefan Hajnoczi <[email protected]>
    stefano-garzarella authored and stefanhaRH committed Jul 26, 2023
    Commit a5942c1

Commits on Jul 27, 2023

  1. qemu-nbd: regression with arguments passing into nbd_client_thread()

    Unfortunately
        commit 03b6762
        Author: Denis V. Lunev <[email protected]>
        Date:   Mon Jul 17 16:55:40 2023 +0200
        qemu-nbd: pass structure into nbd_client_thread instead of plain char*
    has introduced a regression. struct NbdClientOpts resides on the stack inside
    the 'if' block. This specifically means that this stack space could be reused
    once execution leaves that block of the code.
    
    This means that parameters passed into nbd_client_thread could be
    overwritten at any moment.
    
    The patch moves the data to the namespace of main() function effectively
    preserving it for the whole process lifetime.
    
    Signed-off-by: Denis V. Lunev <[email protected]>
    CC: Eric Blake <[email protected]>
    CC: Vladimir Sementsov-Ogievskiy <[email protected]>
    CC: <[email protected]>
    Reviewed-by: Eric Blake <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Eric Blake <[email protected]>
    Denis V. Lunev authored and ebblake committed Jul 27, 2023
    Commit e5b815b
  2. block/file-posix: fix g_file_get_contents return path

    The g_file_get_contents() function returns a g_boolean. If it fails, the
    returned value will be 0 instead of -1. Solve the issue by skipping
    assigning ret value.
    
    This issue was found by Matthew Rosato using virtio-blk-{pci,ccw} backed
    by an NVMe partition e.g. /dev/nvme0n1p1 on s390x.
    
    Signed-off-by: Sam Li <[email protected]>
    Reviewed-by: Matthew Rosato <[email protected]>
    Reviewed-by: Stefan Hajnoczi <[email protected]>
    Reviewed-by: Daniel P. Berrangé <[email protected]>
    Message-id: [email protected]
    Signed-off-by: Stefan Hajnoczi <[email protected]>
    sgzerolc authored and stefanhaRH committed Jul 27, 2023
    Commit 29a242e
  3. block: Fix pad_request's request restriction

    bdrv_pad_request() relies on requests' lengths not to exceed SIZE_MAX,
    which bdrv_check_qiov_request() does not guarantee.
    
    bdrv_check_request32() however will guarantee this, and both of
    bdrv_pad_request()'s callers (bdrv_co_preadv_part() and
    bdrv_co_pwritev_part()) already run it before calling
    bdrv_pad_request().  Therefore, bdrv_pad_request() can safely call
    bdrv_check_request32() without expecting error, too.
    
    In effect, this patch will not change guest-visible behavior.  It is a
    clean-up to tighten a condition to match what is guaranteed by our
    callers, and which exists purely to show clearly why the subsequent
    assertion (`assert(*bytes <= SIZE_MAX)`) is always true.
    
    Note there is a difference between the interfaces of
    bdrv_check_qiov_request() and bdrv_check_request32(): The former takes
    an errp, the latter does not, so we can no longer just pass
    &error_abort.  Instead, we need to check the returned value.  While we
    do expect success (because the callers have already run this function),
    an assert(ret == 0) is not much simpler than just to return an error if
    it occurs, so let us handle errors by returning them up the stack now.
    
    Reported-by: Peter Maydell <[email protected]>
    Signed-off-by: Hanna Czenczek <[email protected]>
    Message-id: [email protected]
    Fixes: 1874331
           ("block: Collapse padded I/O vecs exceeding IOV_MAX")
    Signed-off-by: Hanna Czenczek <[email protected]>
    Signed-off-by: Stefan Hajnoczi <[email protected]>
    XanClic authored and stefanhaRH committed Jul 27, 2023
    Commit ef25675
  4. block/blkio: move blkio_connect() in the drivers functions

    This is in preparation for the next patch, where for virtio-blk
    drivers we need to handle the failure of blkio_connect().
    
    Let's also rename the *_open() functions to *_connect() to make
    the code reflect the changes applied.
    
    Signed-off-by: Stefano Garzarella <[email protected]>
    Message-id: [email protected]
    Signed-off-by: Stefan Hajnoczi <[email protected]>
    stefano-garzarella authored and stefanhaRH committed Jul 27, 2023
    Commit 69785d6
  5. block/blkio: retry blkio_connect() if it fails using fd

    libblkio 1.3.0 added support of "fd" property for virtio-blk-vhost-vdpa
    driver. In QEMU, starting from commit cad2ccc ("block/blkio: use
    qemu_open() to support fd passing for virtio-blk") we are using
    `blkio_get_int(..., "fd")` to check if the "fd" property is supported
    for all the virtio-blk-* drivers.
    
    Unfortunately that property is also available for those drivers that do
    not support it, such as virtio-blk-vhost-user.
    
    So, `blkio_get_int()` is not enough to check whether the driver supports
    the `fd` property or not. This is because the virtio-blk common libblkio
    driver only checks whether or not `fd` is set during `blkio_connect()`
    and fails with -EINVAL for those transports that do not support it
    (all except vhost-vdpa for now).
    
    So let's handle the `blkio_connect()` failure, retrying it using `path`
    directly.
    
    Fixes: cad2ccc ("block/blkio: use qemu_open() to support fd passing for virtio-blk")
    Suggested-by: Stefan Hajnoczi <[email protected]>
    Signed-off-by: Stefano Garzarella <[email protected]>
    Message-id: [email protected]
    Signed-off-by: Stefan Hajnoczi <[email protected]>
    stefano-garzarella authored and stefanhaRH committed Jul 27, 2023
    Commit 809c319
  6. block/blkio: fall back on using path when fd setting fails

    qemu_open() fails if called with a unix domain socket in this way:
        -blockdev node-name=drive0,driver=virtio-blk-vhost-user,path=vhost-user-blk.sock,cache.direct=on: Could not open 'vhost-user-blk.sock': No such device or address
    
    Since virtio-blk-vhost-user does not support fd passing, let's always fall back
    on using `path` if we fail the fd passing.
    
    Fixes: cad2ccc ("block/blkio: use qemu_open() to support fd passing for virtio-blk")
    Reported-by: Qing Wang <[email protected]>
    Signed-off-by: Stefano Garzarella <[email protected]>
    Message-id: [email protected]
    Signed-off-by: Stefan Hajnoczi <[email protected]>
    stefano-garzarella authored and stefanhaRH committed Jul 27, 2023
    Commit 723bea2
  7. block/blkio: use blkio_set_int("fd") to check fd support

    Setting the `fd` property fails with virtio-blk-* libblkio drivers
    that do not support fd passing since
    https://gitlab.com/libblkio/libblkio/-/merge_requests/208.
    
    Getting the `fd` property, on the other hand, always succeeds for
    virtio-blk-* libblkio drivers even when they don't support fd passing.
    
    This patch switches to setting the `fd` property because it is a
    better mechanism for probing fd passing support than getting the `fd`
    property.
    
    Signed-off-by: Stefano Garzarella <[email protected]>
    Message-id: [email protected]
    Signed-off-by: Stefan Hajnoczi <[email protected]>
    stefano-garzarella authored and stefanhaRH committed Jul 27, 2023
    Commit 1c38fe6

Commits on Jul 28, 2023

  1. Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging
    
    Pull request
    
    Please include these bug fixes in QEMU 8.1. Thanks!
    
    # gpg: Signature made Thu 27 Jul 2023 01:00:53 PM PDT
    # gpg:                using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8
    # gpg: Good signature from "Stefan Hajnoczi <[email protected]>" [full]
    # gpg:                 aka "Stefan Hajnoczi <[email protected]>" [full]
    
    * tag 'block-pull-request' of https://gitlab.com/stefanha/qemu:
      block/blkio: use blkio_set_int("fd") to check fd support
      block/blkio: fall back on using `path` when `fd` setting fails
      block/blkio: retry blkio_connect() if it fails using `fd`
      block/blkio: move blkio_connect() in the drivers functions
      block: Fix pad_request's request restriction
      block/file-posix: fix g_file_get_contents return path
      block/blkio: do not use open flags in qemu_open()
      block/blkio: enable the completion eventfd
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Jul 28, 2023
    Commit f33c745
  2. Merge tag 'pull-nbd-2023-07-28' of https://repo.or.cz/qemu/ericb into staging
    
    NBD patches for 2023-07-28
    
    - Denis V. Lunev: Fix regression in 'qemu-nbd -c /dev/nbdN'
    
    # gpg: Signature made Fri 28 Jul 2023 07:53:43 AM PDT
    # gpg:                using RSA key 71C2CC22B1C4602927D2F3AAA7A16B4A2527436A
    # gpg: Good signature from "Eric Blake <[email protected]>" [full]
    # gpg:                 aka "Eric Blake (Free Software Programmer) <[email protected]>" [full]
    # gpg:                 aka "[jpeg image of size 6874]" [full]
    
    * tag 'pull-nbd-2023-07-28' of https://repo.or.cz/qemu/ericb:
      qemu-nbd: regression with arguments passing into nbd_client_thread()
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Jul 28, 2023
    Commit ccb86f0

Commits on Jul 30, 2023

  1. hw/nvme: use stl/ldl pci dma api

    Use the stl/ldl pci dma api for writing/reading doorbells. This removes
    the explicit endian conversions.
    
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Cédric Le Goater <[email protected]>
    Tested-by: Cédric Le Goater <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Signed-off-by: Klaus Jensen <[email protected]>
    birkelund committed Jul 30, 2023
    Commit c1e244b
  2. Merge tag 'nvme-next-pull-request' of https://gitlab.com/birkelund/qemu into staging
    
    hw/nvme fixes
    
    - use the stl/ldl pci dma api
    
    # gpg: Signature made Sun 30 Jul 2023 12:28:15 PM PDT
    # gpg:                using RSA key 522833AA75E2DCE6A24766C04DE1AF316D4F0DE9
    # gpg: Good signature from "Klaus Jensen <[email protected]>" [unknown]
    # gpg:                 aka "Klaus Jensen <[email protected]>" [unknown]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: DDCA 4D9C 9EF9 31CC 3468  4272 63D5 6FC5 E55D A838
    #      Subkey fingerprint: 5228 33AA 75E2 DCE6 A247  66C0 4DE1 AF31 6D4F 0DE9
    
    * tag 'nvme-next-pull-request' of https://gitlab.com/birkelund/qemu:
      hw/nvme: use stl/ldl pci dma api
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Jul 30, 2023
    Commit 8cb945b

Commits on Jul 31, 2023

  1. target/arm: Fix MemOp for STGP

    When converting to decodetree, the code to rebuild mop for the pair
    only made it into trans_STP and not into trans_STGP.
    
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1790
    Fixes: 8c212eb ("target/arm: Convert load/store-pair to decodetree")
    Signed-off-by: Richard Henderson <[email protected]>
    Message-id: [email protected]
    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Peter Maydell <[email protected]>
    rth7680 authored and pm215 committed Jul 31, 2023
    Commit 638511e
  2. elf2dmp: Don't abandon when Prcb is set to 0

    Prcb may be set to 0 for some CPUs if the dump was taken before they
    start. The dump may still contain valuable information for started CPUs
    so don't abandon conversion in such a case.
    
    Signed-off-by: Akihiko Odaki <[email protected]>
    Reviewed-by: Viktor Prutyanov <[email protected]>
    Message-id: [email protected]
    Signed-off-by: Peter Maydell <[email protected]>
    akihikodaki authored and pm215 committed Jul 31, 2023
    Commit 548b8ed
  3. target/arm: Avoid writing to constant TCGv in trans_CSEL()

    In commit 0b188ea we changed the implementation of
    trans_CSEL() to use tcg_constant_i32(). However, this change
    was incorrect, because the implementation of the function
    sets up the TCGv_i32 rn and rm to be either zero or else
    a TCG temp created in load_reg(), and these TCG temps are
    then in both cases written to by the emitted TCG ops.
    The result is that we hit a TCG assertion:
    
    qemu-system-arm: ../../tcg/tcg.c:4455: tcg_reg_alloc_mov: Assertion `!temp_readonly(ots)' failed.
    
    (or on a non-debug build, just produce a garbage result)
    
    Adjust the code so that rn and rm are always writeable
    temporaries whether the instruction is using the special
    case "0" or a normal register as input.
    
    Cc: [email protected]
    Fixes: 0b188ea ("target/arm: Use tcg_constant in trans_CSEL")
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-id: [email protected]
    pm215 committed Jul 31, 2023
    Commit 2b0d656
  4. target/arm/tcg: Don't build AArch64 decodetree files for qemu-system-arm

    Currently we list all the Arm decodetree files together and add them
    unconditionally to arm_ss.  This means we build them for both
    qemu-system-aarch64 and qemu-system-arm.  However, some of them are
    AArch64-specific, so there is no need to build them for
    qemu-system-arm.  (Meson is smart enough to notice that the generated
    .c.inc file is not used by any objects that go into qemu-system-arm,
    so we only unnecessarily run decodetree, not anything more
    heavyweight like a recompile or relink, but it's still unnecessary
    work.)
    
    Split gen into gen_a32 and gen_a64, and only add gen_a64 for
    TARGET_AARCH64 compiles.
    
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-id: [email protected]
    pm215 committed Jul 31, 2023
    Commit 71054f7
  5. kvm: Fix crash due to access uninitialized kvm_state

    Runs into core dump on arm64 and the backtrace extracted from the
    core dump is shown as below. It's caused by accessing uninitialized
    @kvm_state in kvm_flush_coalesced_mmio_buffer() due to commit 176d073
    ("hw/arm/virt: Use machine_memory_devices_init()"), where the machine's
    memory region is added earlier than before.
    
        main
        qemu_init
        configure_accelerators
        qemu_opts_foreach
        do_configure_accelerator
        accel_init_machine
        kvm_init
        virt_kvm_type
        virt_set_memmap
        machine_memory_devices_init
        memory_region_add_subregion
        memory_region_add_subregion_common
        memory_region_update_container_subregions
        memory_region_transaction_begin
        qemu_flush_coalesced_mmio_buffer
        kvm_flush_coalesced_mmio_buffer
    
    Fix it by bailing early in kvm_flush_coalesced_mmio_buffer() on the
    uninitialized @kvm_state. With this applied, no crash is observed on
    arm64.
    
    Fixes: 176d073 ("hw/arm/virt: Use machine_memory_devices_init()")
    Signed-off-by: Gavin Shan <[email protected]>
    Reviewed-by: David Hildenbrand <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-id: [email protected]
    Signed-off-by: Peter Maydell <[email protected]>
    Gavin Shan authored and pm215 committed Jul 31, 2023
    Commit fe6bda5
  6. gdbstub: Fix client Ctrl-C handling

    The gdb remote protocol has a special interrupt character (0x03) that is
    transmitted outside the regular packet processing, and represents a
    Ctrl-C pressed in the client. Despite not being a regular packet, it
    does expect a regular stop response if the stub successfully stops the
    running program.
    
    See: https://sourceware.org/gdb/onlinedocs/gdb/Interrupts.html
    
    Inhibiting the stop reply packet can lead to gdb client hang. So permit
    a stop response when receiving a character from gdb that stops the vm.
    Additionally, add a warning if that was not a 0x03 character, because
    the gdb session is likely to end up getting confused if this happens.
    
    Cc: [email protected]
    Fixes: 7583700 ("gdbstub: only send stop-reply packets when allowed to")
    Reported-by: Frederic Barrat <[email protected]>
    Signed-off-by: Nicholas Piggin <[email protected]>
    Tested-by: Joel Stanley <[email protected]>
    Message-id: [email protected]
    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Peter Maydell <[email protected]>
    npiggin authored and pm215 committed Jul 31, 2023
    Commit 108e818
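
The behaviour the gdbstub commit message above describes, as an added example that is not QEMU's gdbstub code: a raw 0x03 byte arrives outside `$...#xx` framing while the guest runs, and the stub must still answer with a framed stop reply. The `struct stub` fields, the function names, the `reply_to_interrupt` switch (false models the regressed behaviour) and the `S02` reply are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GDB_INTERRUPT 0x03  /* raw byte, sent outside "$...#xx" framing */

/* Hypothetical stub state for this illustration (not QEMU's structures). */
struct stub {
    bool vm_running;          /* guest is executing */
    bool allow_stop_reply;    /* a stop reply may be sent right now */
    bool reply_to_interrupt;  /* false: regressed behaviour, true: fixed */
    unsigned warnings;        /* bytes other than 0x03 seen while running */
};

/* Remote-protocol checksum: sum of the payload bytes modulo 256. */
static unsigned char gdb_checksum(const char *payload)
{
    unsigned sum = 0;
    for (; *payload; payload++) {
        sum += (unsigned char)*payload;
    }
    return (unsigned char)(sum & 0xff);
}

/* Write "$payload#xx" into out. Returns its length, or 0 if it does not fit. */
size_t gdb_frame(const char *payload, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "$%s#%02x", payload,
                     (unsigned)gdb_checksum(payload));
    return (n > 0 && (size_t)n < outsz) ? (size_t)n : 0;
}

/* Send the stop reply only if one is currently permitted. */
size_t stub_stop_reply(struct stub *s, char *out, size_t outsz)
{
    if (!s->allow_stop_reply) {
        return 0;                 /* inhibited: the client keeps waiting */
    }
    s->allow_stop_reply = false;  /* one reply per permission */
    return gdb_frame("S02", out, outsz);  /* assumed reply: stopped by SIGINT */
}

/* A byte arrived from the client while the guest was running. */
size_t stub_byte_while_running(struct stub *s, unsigned char c,
                               char *out, size_t outsz)
{
    if (!s->vm_running) {
        return 0;                 /* not this path: byte belongs to a packet */
    }
    if (c != GDB_INTERRUPT) {
        s->warnings++;            /* unexpected byte: session may get confused */
    }
    if (s->reply_to_interrupt) {
        s->allow_stop_reply = true;  /* the stop this byte causes is owed a reply */
    }
    s->vm_running = false;        /* any byte from the client stops the guest */
    return stub_stop_reply(s, out, outsz);
}

int main(void)
{
    char out[16];
    /* Constructed state: guest running, no stop reply currently permitted. */
    struct stub s = { .vm_running = true, .reply_to_interrupt = true };
    size_t n = stub_byte_while_running(&s, GDB_INTERRUPT, out, sizeof out);

    printf("stub answered with %zu bytes: %s\n", n, n ? out : "(nothing)");
    return 0;
}
```

With `reply_to_interrupt` cleared, the same call stops the guest but returns 0 bytes, which is the silent stop that leaves the client waiting.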
  7. Merge tag 'pull-target-arm-20230731' of https://git.linaro.org/people/pmaydell/qemu-arm into staging
    
    target-arm queue:
     * Don't build AArch64 decodetree files for qemu-system-arm
     * Fix TCG assert in v8.1M CSEL etc
     * Fix MemOp for STGP
     * gdbstub: Fix client Ctrl-C handling
     * kvm: Fix crash due to access uninitialized kvm_state
     * elf2dmp: Don't abandon when Prcb is set to 0
    
    # gpg: Signature made Mon 31 Jul 2023 07:14:21 AM PDT
    # gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Peter Maydell <[email protected]>" [full]
    # gpg:                 aka "Peter Maydell <[email protected]>" [full]
    # gpg:                 aka "Peter Maydell <[email protected]>" [full]
    # gpg:                 aka "Peter Maydell <[email protected]>" [unknown]
    
    * tag 'pull-target-arm-20230731' of https://git.linaro.org/people/pmaydell/qemu-arm:
      gdbstub: Fix client Ctrl-C handling
      kvm: Fix crash due to access uninitialized kvm_state
      target/arm/tcg: Don't build AArch64 decodetree files for qemu-system-arm
      target/arm: Avoid writing to constant TCGv in trans_CSEL()
      elf2dmp: Don't abandon when Prcb is set to 0
      target/arm: Fix MemOp for STGP
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Jul 31, 2023
    234320c
  8. util/interval-tree: Use qatomic_read for left/right while searching

    Fixes a race condition (generally without optimization) in which
    the subtree is re-read after the protecting if condition.
    
    Cc: [email protected]
    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Jul 31, 2023
    055b86e
  9. util/interval-tree: Use qatomic_set_mb in rb_link_node

    Ensure that the stores to rb_left and rb_right are complete before
    inserting the new node into the tree.  Otherwise a concurrent reader
    could see garbage in the new leaf.
    
    Cc: [email protected]
    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Jul 31, 2023
    4c8baa0
  10. util/interval-tree: Introduce pc_parent

    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Jul 31, 2023
    d37a259
  11. util/interval-tree: Use qatomic_read/set for rb_parent_color

    While less susceptible to optimization problems than left and right,
    interval_tree_iter_next also reads rb_parent(), so make sure that
    stores and loads are atomic.
    
    This goes further than technically required, changing all loads to
    be atomic, rather than simply the ones in the iteration side.  But
    it doesn't really affect the code generation on the rebalance side
    and is cleaner to handle everything the same.
    
    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Jul 31, 2023
    79e2985
  12. accel/tcg: Clear tcg_ctx->gen_tb on buffer overflow

    On overflow of code_gen_buffer, we unlock the guest pages we had been
    translating, but failed to clear gen_tb.  On restart, if we cannot
    allocate a TB, we exit to the main loop to perform the flush of all
    TBs as soon as possible.  With garbage in gen_tb, we hit an assert:
    
    ../src/accel/tcg/tb-maint.c:348:page_unlock__debug: \
        assertion failed: (page_is_locked(pd))
    
    Fixes: deba787 ("accel/tcg: Always lock pages before translation")
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Jul 31, 2023
    ad17868
  13. bsd-user: Allocate guest virtual address space

    With reserved_va, mmap.c expects to have pre-allocated host address
    space for the entire guest address space.  When combined with the -B
    command-line option, ensure that the chosen address does not overlap
    anything else.  Ensure that mmap_next_start is within reserved_va,
    as we use it within mmap.c without checking.
    
    Reviewed by: Warner Losh <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    rth7680 committed Jul 31, 2023
    28b61d4
  14. bsd-user: Specify host page alignment if none specified

    We're hitting an assert when we pass in alignment == 0 since that's not
    a power of two, so pass in the ideal page size.
    
    Signed-off-by: Warner Losh <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    bsdimp authored and rth7680 committed Jul 31, 2023
    0f2f324
  15. target/ppc: Disable goto_tb with architectural singlestep

    The change to use translator_use_goto_tb went too far, as the
    CF_SINGLE_STEP flag managed by the translator only handles
    gdb single stepping and not the architectural single stepping
    modeled in DisasContext.singlestep_enabled.
    
    Fixes: 6e9cc37 ("target/ppc: Use translator_use_goto_tb")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1795
    Reviewed-by: Cédric Le Goater <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Jul 31, 2023
    2e718e6
  16. linux-user/armeb: Fix __kernel_cmpxchg() for armeb

    Commit 7f4f0d9 ("linux-user/arm: Implement __kernel_cmpxchg with host
    atomics") switched to use qatomic_cmpxchg() to swap a word with the memory
    content, but failed to endianness-swap the oldval and newval values when
    emulating an armeb CPU, which expects words to be stored in big endian in
    the guest memory.
    
    The bug can be verified with qemu >= v7.0 on any little-endian host, when
    starting the armeb binary of the upx program, which just hangs without
    this patch.
    
    Cc: [email protected]
    Signed-off-by: Helge Deller <[email protected]>
    Reported-by: "Markus F.X.J. Oberhumer" <[email protected]>
    Reported-by: John Reiser <[email protected]>
    Closes: upx/upx#687
    Message-Id: <ZMQVnqY+F+5sTNFd@p100>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    hdeller authored and rth7680 committed Jul 31, 2023
    38dd78c
  17. target/s390x: Move trans_exc_code update to do_program_interrupt

    This solves a problem in which the store to LowCore during tlb_fill
    triggers a clean-page TB invalidation for page0 during translation,
    which results in an assertion failure for locked pages.
    
    By delaying the store until after the exception has been raised,
    we will have unwound the pages locked for translation and the
    problem does not arise.  There are plenty of other updates to
    LowCore while delivering an interrupt/exception; trans_exc_code
    does not need to be special.
    
    Reviewed-by: Ilya Leoshkevich <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Jul 31, 2023
    8b94ec5
  18. target/openrisc: Set EPCR to next PC on FPE exceptions

    The architecture specification calls for the EPCR to be set to "Address
    of next not executed instruction" when there is a floating point
    exception (FPE).  This was not being done, so fix it by using the same
    pattern as syscall.  Also, we move this logic down to be done for
    instructions not in the delay slot as called for by the architecture
    manual.
    
    Without this patch FPU exceptions will loop, as the exception handling
    will always return back to the failed floating point instruction.
    
    This was not noticed in earlier testing because:
    
     1. The compiler usually generates code which clobbers the input operand
        such as:
    
          lf.div.s r19,r17,r19
    
     2. The target will store the operation output to the register
        before handling the exception.  So an operation such as:
    
          float a = 100.0f;
          float b = 0.0f;
          float c = a / b;    /* lf.div.s r19,r17,r19 */
    
        Will first execute:
    
          100 / 0    -> Store inf to c (r19)
                     -> triggering divide by zero exception
                     -> handle and return
    
        Then it will execute:
    
          100 / inf  -> Store 0 to c  (no exception)
    
    To confirm the looping behavior and the fix I used the following:
    
        float fpu_div(float a, float b) {
            float c;
            asm volatile("lf.div.s %0, %1, %2"
                         : "+r" (c)
                         : "r" (a), "r" (b));
            return c;
        }
    
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Stafford Horne <[email protected]>
    stffrdhrn committed Jul 31, 2023
    765fdc1
  19. Merge tag 'pull-tcg-20230731' of https://gitlab.com/rth7680/qemu into staging
    
    util/interval-tree: Access left/right/parent atomically
    accel/tcg: Clear gen_tb on buffer overflow
    bsd-user: Specify host page alignment if none specified
    bsd-user: Allocate guest virtual address space
    target/ppc: Disable goto_tb with architectural singlestep
    target/s390x: Move trans_exc_code update to do_program_interrupt
    
    # gpg: Signature made Mon 31 Jul 2023 02:00:53 PM PDT
    # gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Richard Henderson <[email protected]>" [ultimate]
    
    * tag 'pull-tcg-20230731' of https://gitlab.com/rth7680/qemu:
      target/s390x: Move trans_exc_code update to do_program_interrupt
      linux-user/armeb: Fix __kernel_cmpxchg() for armeb
      target/ppc: Disable goto_tb with architectural singlestep
      bsd-user: Specify host page alignment if none specified
      bsd-user: Allocate guest virtual address space
      accel/tcg: Clear tcg_ctx->gen_tb on buffer overflow
      util/interval-tree: Use qatomic_read/set for rb_parent_color
      util/interval-tree: Introduce pc_parent
      util/interval-tree: Use qatomic_set_mb in rb_link_node
      util/interval-tree: Use qatomic_read for left/right while searching
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Jul 31, 2023
    8023418

Commits on Aug 1, 2023

  1. hw/xen: Clarify (lack of) error handling in transaction_commit()

    Coverity was unhappy (CID 1508359) because we didn't check the return of
    init_walk_op() in transaction_commit(), despite doing so at every other
    call site.
    
    Strictly speaking, this is a false positive since it can never fail. It
    only fails for invalid user input (transaction ID or path), and both of
    those are hard-coded to known sane values in this invocation.
    
    But Coverity doesn't know that, and neither does the casual reader of the
    code.
    
    Returning an error here would be weird, since the transaction *is*
    committed by this point; all the walk_op is doing is firing watches on
    the newly-committed changed nodes. So make it a g_assert(!ret), since
    it really should never happen.
    
    Signed-off-by: David Woodhouse <[email protected]>
    Reviewed-by: Paul Durrant <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Anthony PERARD <[email protected]>
    dwmw2 authored and anthonyper-ctx committed Aug 1, 2023
    ace33a0
  2. xen-block: Avoid leaks on new error path

    Commit 1898293 ("xen-block: Use specific blockdev driver")
    introduced a new error path, without taking care of allocated
    resources.
    
    So only allocate the qdicts after the error check, and free both
    `filename` and `driver` when we are about to return and thus taking
    care of both success and error path.
    
    Coverity only spotted the leak of qdicts (*_layer variables).
    
    Reported-by: Peter Maydell <[email protected]>
    Fixes: Coverity CID 1508722, 1398649
    Fixes: 1898293 ("xen-block: Use specific blockdev driver")
    Signed-off-by: Anthony PERARD <[email protected]>
    Reviewed-by: Paul Durrant <[email protected]>
    Reviewed-by: Peter Maydell <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Anthony PERARD <[email protected]>
    anthonyper-ctx committed Aug 1, 2023
    aa36243
  3. thread-pool: signal "request_cond" while locked

    thread_pool_free() might have been called on the `pool`, which would
    be a reason for worker_thread() to quit. In this case,
    `pool->request_cond` has been destroyed.
    
    If worker_thread() didn't manage to signal `request_cond` before it
    was destroyed by thread_pool_free(), we got:
        util/qemu-thread-posix.c:198: qemu_cond_signal: Assertion `cond->initialized' failed.
    
    One backtrace:
        __GI___assert_fail (assertion=0x55555614abcb "cond->initialized", file=0x55555614ab88 "util/qemu-thread-posix.c", line=198,
    	function=0x55555614ad80 <__PRETTY_FUNCTION__.17104> "qemu_cond_signal") at assert.c:101
        qemu_cond_signal (cond=0x7fffb800db30) at util/qemu-thread-posix.c:198
        worker_thread (opaque=0x7fffb800dab0) at util/thread-pool.c:129
        qemu_thread_start (args=0x7fffb8000b20) at util/qemu-thread-posix.c:505
        start_thread (arg=<optimized out>) at pthread_create.c:486
    
    Reported here:
        https://lore.kernel.org/all/[email protected]/T/#u
    
    To avoid the issue, keep the lock while sending a signal to `request_cond`.
    
    Fixes: 900fa20 ("thread-pool: replace semaphore with condition variable")
    Signed-off-by: Anthony PERARD <[email protected]>
    Reviewed-by: Stefan Hajnoczi <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Anthony PERARD <[email protected]>
    anthonyper-ctx committed Aug 1, 2023
    f4f7136
  4. xen: Don't pass MemoryListener around by value

    Coverity points out (CID 1513106, 1513107) that MemoryListener is a
    192 byte struct which we are passing around by value.  Switch to
    passing a const pointer into xen_register_ioreq() and then to
    xen_do_ioreq_register().  We can also make the file-scope
    MemoryListener variables const, since nothing changes them.
    
    Signed-off-by: Peter Maydell <[email protected]>
    Acked-by: Anthony PERARD <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Anthony PERARD <[email protected]>
    pm215 authored and anthonyper-ctx committed Aug 1, 2023
    bcb40db
  5. xen-platform: do full PCI reset during unplug of IDE devices

    The IDE unplug function needs to reset the entire PCI device, to make
    sure all state is initialized to defaults. This is done by calling
    pci_device_reset, which resets not only the chip specific registers, but
    also all PCI state. This fixes "unplug" in a Xen HVM domU with the
    modular legacy xenlinux PV drivers.
    
    Commit ee358e9 ("hw/ide/piix: Convert reset handler to
    DeviceReset") changed the way the disks are unplugged. Prior to
    this commit the PCI device remained unchanged. After this change,
    piix_ide_reset is exercised after the "unplug" command, which was not
    the case prior to that commit. This function resets the command register.
    As a result the ata_piix driver inside the domU will see a disabled PCI
    device. The generic PCI code will reenable the PCI device. On the qemu
    side, this runs pci_default_write_config/pci_update_mappings. Here a
    changed address is returned by pci_bar_address, this is the address
    which was truncated in piix_ide_reset. In case of a Xen HVM domU, the
    address changes from 0xc120 to 0xc100. This truncation was a bug in
    piix_ide_reset, which was fixed in commit 230dfd9 ("hw/ide/piix:
    properly initialize the BMIBA register"). If pci_xen_ide_unplug had used
    pci_device_reset, the PCI registers would have been properly reset, and
    commit ee358e9 would have not introduced a regression for this
    specific domU environment.
    
    While the unplug is supposed to hide the IDE disks, the changed BMIBA
    address broke the UHCI device. In case the domU has a USB tablet
    configured, to receive absolute pointer coordinates for the GUI, it will
    cause a hang during device discovery of the partly discovered USB hid
    device. Reading the USBSTS word size register will fail. The access ends
    up in the QEMU piix-bmdma device, instead of the expected uhci device.
    Here a byte size request is expected, and a value of ~0 is returned. As
    a result the UHCI driver sees an error state in the register, and turns
    off the UHCI controller.
    
    Signed-off-by: Olaf Hering <[email protected]>
    Reviewed-by: Paul Durrant <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Anthony PERARD <[email protected]>
    olafhering authored and anthonyper-ctx committed Aug 1, 2023
    856ca10
  6. Merge tag 'pull-xen-20230801' of https://xenbits.xen.org/git-http/people/aperard/qemu-dm into staging
    
    Misc fixes, for thread-pool, xen, and xen-emulate
    
    * fix an access to `request_cond` QemuCond in thread-pool
    * fix issue with PCI devices when unplugging IDE devices in Xen guest
    * several fixes for issues pointed out by Coverity
    
    # gpg: Signature made Tue 01 Aug 2023 02:38:47 AM PDT
    # gpg:                using RSA key F80C006308E22CFD8A92E7980CF5572FD7FB55AF
    # gpg: Good signature from "Anthony PERARD <[email protected]>" [unknown]
    # gpg:                 aka "Anthony PERARD <[email protected]>" [unknown]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 5379 2F71 024C 600F 778A  7161 D8D5 7199 DF83 42C8
    #      Subkey fingerprint: F80C 0063 08E2 2CFD 8A92  E798 0CF5 572F D7FB 55AF
    
    * tag 'pull-xen-20230801' of https://xenbits.xen.org/git-http/people/aperard/qemu-dm:
      xen-platform: do full PCI reset during unplug of IDE devices
      xen: Don't pass MemoryListener around by value
      thread-pool: signal "request_cond" while locked
      xen-block: Avoid leaks on new error path
      hw/xen: Clarify (lack of) error handling in transaction_commit()
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 1, 2023
    38a6de8
  7. io: remove io watch if TLS channel is closed during handshake

    The TLS handshake may take some time to complete, during which time an
    I/O watch might be registered with the main loop. If the owner of the
    I/O channel invokes qio_channel_close() while the handshake is waiting
    to continue, the I/O watch must be removed. Failing to remove it will
    later trigger the completion callback which the owner is not expecting
    to receive. In the case of the VNC server, this results in a SEGV as
    vnc_disconnect_start() tries to shut down a client connection that is
    already gone / NULL.
    
    CVE-2023-3354
    Reported-by: jiangyegen <[email protected]>
    Signed-off-by: Daniel P. Berrangé <[email protected]>
    berrange committed Aug 1, 2023
    10be627
  8. Merge tag 'io-tls-hs-crash-pull-request' of https://gitlab.com/berrange/qemu into staging
    
    Fix crash during early close of TLS channel
    
    # gpg: Signature made Tue 01 Aug 2023 10:46:06 AM PDT
    # gpg:                using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
    # gpg: Good signature from "Daniel P. Berrange <[email protected]>" [full]
    # gpg:                 aka "Daniel P. Berrange <[email protected]>" [full]
    
    * tag 'io-tls-hs-crash-pull-request' of https://gitlab.com/berrange/qemu:
      io: remove io watch if TLS channel is closed during handshake
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 1, 2023
    a51c070
  9. hw/xen: fix off-by-one in xen_evtchn_set_gsi()

    Coverity points out (CID 1508128) a bounds checking error. We need to check
    for gsi >= IOAPIC_NUM_PINS, not just greater-than.
    
    Also fix up an assert() that has the same problem, that Coverity didn't see.
    
    Fixes: 4f81baa ("hw/xen: Support GSI mapping to PIRQ")
    Signed-off-by: David Woodhouse <[email protected]>
    Reviewed-by: Peter Maydell <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    dwmw2 authored and philmd committed Aug 1, 2023
    cf885b1
  10. i386/xen: consistent locking around Xen singleshot timers

    Coverity points out (CID 1507534, 1507968) that we sometimes access
    env->xen_singleshot_timer_ns under the protection of
    env->xen_timers_lock and sometimes not.
    
    This isn't always an issue. There are two modes for the timers; if the
    kernel supports the EVTCHN_SEND capability then it handles all the timer
    hypercalls and delivery internally, and all we use the field for is to
    get/set the timer as part of the vCPU state via an ioctl(). If the
    kernel doesn't have that support, then we do all the emulation within
    qemu, and *those* are the code paths where we actually care about the
    locking.
    
    But it doesn't hurt to be a little bit more consistent and avoid having
    to explain *why* it's OK.
    
    Signed-off-by: David Woodhouse <[email protected]>
    Reviewed-by: Paul Durrant <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    dwmw2 authored and philmd committed Aug 1, 2023
    19c417e
  11. hw/xen: prevent guest from binding loopback event channel to itself

    Fuzzing showed that a guest could bind an interdomain port to itself, by
    guessing the next port to be allocated and putting that as the 'remote'
    port number. By chance, that works because the newly-allocated port has
    type EVTCHNSTAT_unbound. It shouldn't.
    
    Signed-off-by: David Woodhouse <[email protected]>
    Reviewed-by: Paul Durrant <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    dwmw2 authored and philmd committed Aug 1, 2023
    75a87af
  12. ui/dbus: fix win32 compilation when !opengl

    Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1782
    
    Signed-off-by: Marc-André Lureau <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    elmarco authored and philmd committed Aug 1, 2023
    866b24e
  13. ui/dbus: fix clang compilation issue

    ../ui/dbus-listener.c:236:9: error: expected expression
            Error *err = NULL;
    
    See:
    https://gitlab.com/qemu-project/qemu/-/issues/1782#note_1488517427
    
    Signed-off-by: Marc-André Lureau <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    elmarco authored and philmd committed Aug 1, 2023
    7b4a3f8
  14. misc: Fix some typos in documentation and comments

    Signed-off-by: Stefan Weil <[email protected]>
    Reviewed-by: Peter Maydell <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    stweil authored and philmd committed Aug 1, 2023
    313e162
  15. tests/migration: Add -fno-stack-protector

    A build of GCC 13.2 will have stack protector enabled by default if it
    was configured with --enable-default-ssp option. For such a compiler,
    it is necessary to explicitly disable stack protector when linking
    without standard libraries.
    
    Signed-off-by: Akihiko Odaki <[email protected]>
    Reviewed-by: Juan Quintela <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    akihikodaki authored and philmd committed Aug 1, 2023
    7a06a8f
  16. target/nios2: Pass semihosting arg to exit

    Instead of using R_ARG0 (the semihost function number), use R_ARG1
    (the provided exit status).
    
    Signed-off-by: Keith Packard <[email protected]>
    Reviewed-by: Peter Maydell <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    keith-packard authored and philmd committed Aug 1, 2023
    c11d5bd
  17. target/nios2: Fix semihost lseek offset computation

    The arguments for deposit64 are (value, start, length, fieldval); this
    appears to have thought they were (value, fieldval, start,
    length). Reorder the parameters to match the actual function.
    
    Signed-off-by: Keith Packard <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Fixes: d1e23cb ("target/nios2: Use semihosting/syscalls.h")
    Reviewed-by: Peter Maydell <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    keith-packard authored and philmd committed Aug 1, 2023
    71e2dd6
  18. target/m68k: Fix semihost lseek offset computation

    The arguments for deposit64 are (value, start, length, fieldval); this
    appears to have thought they were (value, fieldval, start,
    length). Reorder the parameters to match the actual function.
    
    Cc: [email protected]
    Fixes: 9502725 ("target/m68k: Use semihosting/syscalls.h")
    Reported-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    pm215 authored and philmd committed Aug 1, 2023
    8caaae7

Commits on Aug 2, 2023

  1. qapi: Reformat the dirty-limit migration doc comments

    Reformat the dirty-limit migration doc comments to conform
    to current conventions as commit a937b6a (qapi: Reformat
    doc comments to conform to current conventions).
    
    Signed-off-by: Hyman Huang(黄勇) <[email protected]>
    Message-ID: <[email protected]>
    Reviewed-by: Markus Armbruster <[email protected]>
    [Whitespace tidied up]
    Signed-off-by: Markus Armbruster <[email protected]>
    HuangSuiXiao authored and Markus Armbruster committed Aug 2, 2023
    8abc811
  2. qapi: Craft the dirty-limit capability comment

    Signed-off-by: Hyman Huang(黄勇) <[email protected]>
    Message-ID: <[email protected]>
    Reviewed-by: Markus Armbruster <[email protected]>
    Signed-off-by: Markus Armbruster <[email protected]>
    HuangSuiXiao authored and Markus Armbruster committed Aug 2, 2023
    ef96537
  3. MAINTAINERS: Add section "Migration dirty limit and dirty page rate"

    I've built interests in dirty limit and dirty page rate
    features and also have been working on projects related
    to this subsystem.
    
    Add a section to the MAINTAINERS file for migration
    dirty limit and dirty page rate.
    
    Add myself as a maintainer for this subsystem so that I
    can help to improve the dirty limit algorithm and review
    the patches about dirty page rate.
    
    Signed-off-by: Hyman Huang(黄勇) <[email protected]>
    Acked-by: Peter Xu <[email protected]>
    Message-ID: <[email protected]>
    Acked-by: Markus Armbruster <[email protected]>
    Signed-off-by: Markus Armbruster <[email protected]>
    HuangSuiXiao authored and Markus Armbruster committed Aug 2, 2023
    2b3edd9
  4. Merge tag 'misc-fixes-20230801' of https://github.com/philmd/qemu into staging
    
    Misc patches queue
    
    xen: Fix issues reported by fuzzer / Coverity
    misc: Fix some typos in documentation and comments
    ui/dbus: Build fixes for Clang/win32/!opengl
    linux-user: Semihosting fixes on m68k/nios2
    tests/migration: Disable stack protector when linking without stdlib
    
    # gpg: Signature made Tue 01 Aug 2023 02:52:52 PM PDT
    # gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
    # gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <[email protected]>" [full]
    
    * tag 'misc-fixes-20230801' of https://github.com/philmd/qemu:
      target/m68k: Fix semihost lseek offset computation
      target/nios2: Fix semihost lseek offset computation
      target/nios2: Pass semihosting arg to exit
      tests/migration: Add -fno-stack-protector
      misc: Fix some typos in documentation and comments
      ui/dbus: fix clang compilation issue
      ui/dbus: fix win32 compilation when !opengl
      hw/xen: prevent guest from binding loopback event channel to itself
      i386/xen: consistent locking around Xen singleshot timers
      hw/xen: fix off-by-one in xen_evtchn_set_gsi()
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 2, 2023
    081619e
  5. Merge tag 'pull-qapi-2023-08-02' of https://repo.or.cz/qemu/armbru into staging
    
    QAPI patches for 2023-08-02
    
    # gpg: Signature made Wed 02 Aug 2023 12:38:04 AM PDT
    # gpg:                using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Markus Armbruster <[email protected]>" [undefined]
    # gpg:                 aka "Markus Armbruster <[email protected]>" [undefined]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867  4E5F 3870 B400 EB91 8653
    
    * tag 'pull-qapi-2023-08-02' of https://repo.or.cz/qemu/armbru:
      MAINTAINERS: Add section "Migration dirty limit and dirty page rate"
      qapi: Craft the dirty-limit capability comment
      qapi: Reformat the dirty-limit migration doc comments
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 2, 2023
    fb695ae
  6. Update version for v8.1.0-rc2 release

    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 2, 2023
    9ba3702

Commits on Aug 3, 2023

  1. util/oslib-win32: Fix compiling with Clang from MSYS2

    Clang complains:
    
    ../util/oslib-win32.c:483:56: error: omitting the parameter name in a
     function definition is a C2x extension [-Werror,-Wc2x-extensions]
    win32_close_exception_handler(struct _EXCEPTION_RECORD*,
                                                           ^
    Fix it by adding parameter names.
    
    Message-Id: <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    huth committed Aug 3, 2023
    c5b5288
  2. gitlab: remove duplication between msys jobs

    Although they share a common parent, the two msys jobs still have
    massive duplication in their script definitions that can easily be
    collapsed.
    
    Signed-off-by: Daniel P. Berrangé <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    berrange authored and huth committed Aug 3, 2023
    11961d0
  3. gitlab: print timestamps during windows msys jobs

    It is hard to get visibility into where time is consumed in our Windows
    msys jobs. Adding a few log console messages with the timestamp will
    aid in our debugging.
    
    Signed-off-by: Daniel P. Berrangé <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    berrange authored and huth committed Aug 3, 2023
    b64052c
  4. gitlab: always use updated msys installer

    We currently reference an msys installer binary from mid-2022, which means
    after installation, it immediately has to re-download a bunch of newer
    content. This wastes precious CI time.
    
    The msys project publishes an installer binary with a fixed URL that
    always references the latest content. We cache the downloads in gitlab
    though and so once downloaded we would never re-fetch the installer
    leading back to the same problem.
    
    To deal with this we also fetch the pgp signature for the installer
    on every run, and compare that to the previously cached signature. If
    the signature changes, we re-download the full installer.
    
    This ensures we always have the latest installer for msys, while also
    maximising use of the gitlab cache.
    
    Signed-off-by: Daniel P. Berrangé <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    berrange authored and huth committed Aug 3, 2023
    46aedd3
  5. gitlab: drop $CI_PROJECT_DIR from cache path

    The gitlab cache is limited to only handle content within the
    $CI_PROJECT_DIR hierarchy, and as such relative paths are always
    implicitly relative to $CI_PROJECT_DIR.
    
    Signed-off-by: Daniel P. Berrangé <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    berrange authored and huth committed Aug 3, 2023
    5ef56e3
  6. gitlab: always populate cache for windows msys jobs

    The cache is used to hold the msys installer. Even if the build phase
    fails, we should still populate the cache as the installer will be
    valid for next time.
    
    Signed-off-by: Daniel P. Berrangé <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    berrange authored and huth committed Aug 3, 2023
    ef4fe31
  7. configure: support passthrough of -Dxxx args to meson

    This can be useful for setting some meson global options, such as the
    optimization level or debug state.
    
    Signed-off-by: Daniel P. Berrangé <[email protected]>
    Message-Id: <[email protected]>
    [thuth: Move the help text into the section with the other --... options]
    Signed-off-by: Thomas Huth <[email protected]>
    berrange authored and huth committed Aug 3, 2023
    ff136d2
  8. gitlab: disable optimization and debug symbols in msys build

    Building at -O2, adds 33% to the build time, over -O2. IOW a build that
    takes 45 minutes at -O0, takes 60 minutes at -O2. Turning off debug
    symbols drops it further, down to 38 minutes.
    
    IOW, a "-O2 -g" build is 58% slower than a "-O0" build on msys in the
    gitlab CI windows shared runners.
    
    Signed-off-by: Daniel P. Berrangé <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    berrange authored and huth committed Aug 3, 2023
    63f5365
  9. gitlab: disable FF_SCRIPT_SECTIONS on msys jobs

    The FF_SCRIPT_SECTIONS=1 variable should ordinarily cause output from
    each line of the job script to be presented in a collapsible section
    with execution time listed.
    
    While it works on Linux shared runners, when used with Windows runners
    with PowerShell, this option does not create any sections, and actually
    causes echo'ing of commands to be disabled, making it even worse to
    debug the jobs.
    
    Signed-off-by: Daniel P. Berrangé <[email protected]>
    Acked-by: Thomas Huth <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    berrange authored and huth committed Aug 3, 2023
    f54ba56
  10. Merge tag 'pull-request-2023-08-03' of https://gitlab.com/thuth/qemu into staging
    
    * Fix timeout problems in the MSYS Gitlab CI jobs
    * Fix a problem when compiling with Clang on Windows
    
    # gpg: Signature made Thu 03 Aug 2023 04:06:27 AM PDT
    # gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Thomas Huth <[email protected]>" [undefined]
    # gpg:                 aka "Thomas Huth <[email protected]>" [undefined]
    # gpg:                 aka "Thomas Huth <[email protected]>" [unknown]
    # gpg:                 aka "Thomas Huth <[email protected]>" [undefined]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5
    
    * tag 'pull-request-2023-08-03' of https://gitlab.com/thuth/qemu:
      gitlab: disable FF_SCRIPT_SECTIONS on msys jobs
      gitlab: disable optimization and debug symbols in msys build
      configure: support passthrough of -Dxxx args to meson
      gitlab: always populate cache for windows msys jobs
      gitlab: drop $CI_PROJECT_DIR from cache path
      gitlab: always use updated msys installer
      gitlab: print timestamps during windows msys jobs
      gitlab: remove duplication between msys jobs
      util/oslib-win32: Fix compiling with Clang from MSYS2
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 3, 2023
    c167c80
  11. block/blkio: close the fd when blkio_connect() fails

    libblkio drivers take ownership of `fd` only after a successful
    blkio_connect(), so if it fails, we are still the owners.
    
    Fixes: cad2ccc ("block/blkio: use qemu_open() to support fd passing for virtio-blk")
    Suggested-by: Hanna Czenczek <[email protected]>
    Signed-off-by: Stefano Garzarella <[email protected]>
    Reviewed-by: Hanna Czenczek <[email protected]>
    Message-id: [email protected]
    Signed-off-by: Stefan Hajnoczi <[email protected]>
    stefano-garzarella authored and stefanhaRH committed Aug 3, 2023
    0b054b4
  12. block/blkio: add more comments on the fd passing handling

    As Hanna pointed out, it is not clear in the code why qemu_open()
    can fail, and why blkio_set_int("fd") is not enough to discover
    the `fd` property support.
    
    Let's fix them by adding more details in the code comments.
    
    Suggested-by: Hanna Czenczek <[email protected]>
    Reviewed-by: Hanna Czenczek <[email protected]>
    Signed-off-by: Stefano Garzarella <[email protected]>
    Message-id: [email protected]
    Signed-off-by: Stefan Hajnoczi <[email protected]>
    stefano-garzarella authored and stefanhaRH committed Aug 3, 2023
    9b06d0d
  13. Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging
    
    Pull request
    
    Fix for an fd leak in the blkio block driver.
    
    # gpg: Signature made Thu 03 Aug 2023 08:55:41 AM PDT
    # gpg:                using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8
    # gpg: Good signature from "Stefan Hajnoczi <[email protected]>" [full]
    # gpg:                 aka "Stefan Hajnoczi <[email protected]>" [full]
    
    * tag 'block-pull-request' of https://gitlab.com/stefanha/qemu:
      block/blkio: add more comments on the fd passing handling
      block/blkio: close the fd when blkio_connect() fails
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 3, 2023
    2e6a56f
  14. hw/virtio-iommu: Fix potential OOB access in virtio_iommu_handle_command()
    
    In the virtio_iommu_handle_command() when a PROBE request is handled,
    output_size takes a value greater than the tail size and on a subsequent
    iteration we can get a stack out-of-band access. Initialize the
    output_size on each iteration.
    
    The issue was found with ASAN. Credits to:
    Yiming Tao(Zhejiang University)
    Gaoning Pan(Zhejiang University)
    
    Fixes: 1733eeb ("virtio-iommu: Implement RESV_MEM probe request")
    Signed-off-by: Eric Auger <[email protected]>
    Reported-by: Mauro Matteo Cascella <[email protected]>
    Cc: [email protected]
    
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    eauger authored and mstsirkin committed Aug 3, 2023
    cf2f89e
  15. hw/pci-bridge/cxl_upstream.c: Use g_new0() in build_cdat_table()

    In build_cdat_table() we do:
     *cdat_table = g_malloc0(sizeof(*cdat_table) * CXL_USP_CDAT_NUM_ENTRIES);
    This is wrong because:
     - cdat_table has type CDATSubHeader ***
     - so *cdat_table has type CDATSubHeader **
     - so the array we're allocating here should be items of type CDATSubHeader *
     - but we pass sizeof(*cdat_table), which is sizeof(CDATSubHeader **),
       implying that we're allocating an array of CDATSubHeader **
    
    It happens that sizeof(CDATSubHeader **) == sizeof(CDATSubHeader *)
    so nothing blows up, but this should be sizeof(**cdat_table).
    
    Avoid this excessively hard-to-understand code by using
    g_new0() instead, which will do the type checking for us.
    While we're here, we can drop the useless check against failure,
    as g_malloc0() and g_new0() never fail.
    
    This fixes Coverity issue CID 1508120.
    
    Signed-off-by: Peter Maydell <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Jonathan Cameron <[email protected]>
    pm215 authored and mstsirkin committed Aug 3, 2023
    503d86d
  16. virtio-iommu: Standardize granule extraction and formatting

    At several locations we compute the granule from the config
    page_size_mask using ctz() and then format it in traces using
    BIT(). As the page_size_mask is 64b we should use ctz64 and
    BIT_ULL() for formatting. We failed to be consistent.
    
    Note the page_size_mask is guaranteed to be non null. The spec
    mandates the device to set at least one bit, so ctz64 cannot
    return 64. This is guaranteed by the fact the device
    initializes the page_size_mask to qemu_target_page_mask()
    and then the page_size_mask is further constrained by
    virtio_iommu_set_page_size_mask() callback which can't
    result in a new mask being null. So if Coverity complains
    round those ctz64/BIT_ULL with CID 1517772 this is a false
    positive
    
    Signed-off-by: Eric Auger <[email protected]>
    Fixes: 94df5b2 ("virtio-iommu: Fix 64kB host page size VFIO device assignment")
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Reviewed-by: Jean-Philippe Brucker <[email protected]>
    eauger authored and mstsirkin committed Aug 3, 2023
    1084fed
  17. hw/virtio: Add a protection against duplicate vu_scmi_stop calls

    The QEMU CI fails in virtio-scmi test occasionally.  As reported by
    Thomas Huth, this happens most likely when the system is loaded and it
    fails with the following error:
    
      qemu-system-aarch64: ../../devel/qemu/hw/pci/msix.c:659:
      msix_unset_vector_notifiers: Assertion `dev->msix_vector_use_notifier && dev->msix_vector_release_notifier' failed.
      ../../devel/qemu/tests/qtest/libqtest.c:200: kill_qemu() detected QEMU death from signal 6 (Aborted) (core dumped)
    
    As discovered by Fabiano Rosas, the cause is a duplicate invocation of
    msix_unset_vector_notifiers via duplicate vu_scmi_stop calls:
    
      msix_unset_vector_notifiers
      virtio_pci_set_guest_notifiers
      vu_scmi_stop
      vu_scmi_disconnect
      ...
      qemu_chr_write_buffer
    
      msix_unset_vector_notifiers
      virtio_pci_set_guest_notifiers
      vu_scmi_stop
      vu_scmi_set_status
      ...
      qemu_cleanup
    
    While vu_scmi_stop calls are protected by vhost_dev_is_started()
    check, it's apparently not enough.  vhost-user-blk and vhost-user-gpio
    use an extra protection, see f5b22d0 (vhost: recheck dev state in
    the vhost_migration_log routine) for the motivation.  Let's use the
    same in vhost-user-scmi, which fixes the failure above.
    
    Fixes: a5dab09 ("hw/virtio: Add boilerplate for vhost-user-scmi device")
    Signed-off-by: Milan Zamazal <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Tested-by: Thomas Huth <[email protected]>
    Reviewed-by: Fabiano Rosas <[email protected]>
    mz-pdm authored and mstsirkin committed Aug 3, 2023
    63a3520
  18. tests: acpi: x86: whitelist expected blobs

    Signed-off-by: Igor Mammedov <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Igor Mammedov authored and mstsirkin committed Aug 3, 2023
    45d9d31
  19. x86: acpi: workaround Windows not handling name references in Package properly
    
    it seems that Windows is unable to handle variable references
    making it choke up when accessing ASUN during _DSM call
    when device is hotplugged (it lists package elements as DataAlias
    but despite that later on it misbehaves) with following error
    shown up in AMLI debugger (WS2012r2):
        Store(ShiftLeft(One,Arg1="ASUN",) AMLI_ERROR(c0140008): Unexpected argument type
        ValidateArgTypes: expected Arg1 to be type Integer (Type=String)
    Similar outcome with WS2022.
    
    Issue is not fatal but as result acpi-index/"PCI Label ID" property
    is either not shown in device details page or shows incorrect value.
    
    Fix it by doing assignment of BSEL/ASUN values to package
    elements manually after package declaration.
    
    Fix was tested with: WS2012r2, WS2022, RHEL9
    
    Fixes: 467d099 (x86: acpi: _DSM: use Package to pass parameters)
    Signed-off-by: Igor Mammedov <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Igor Mammedov authored and mstsirkin committed Aug 3, 2023
    44d975e
  20. tests: acpi: x86: update expected blobs

    Following change is expected on each PCI slot with enabled
    ACPI PCI hotplug
    
    -                            BSEL,
    -                            ASUN
    +                            Zero,
    +                            Zero
                             }
    +                    Local0 [Zero] = BSEL /* \_SB_.PCI0.BSEL */
    +                    Local0 [One] = ASUN /* \_SB_.PCI0.S18_.ASUN */
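
Review bot: the disassembler comment on the last added line names one slot only (`\_SB_.PCI0.S18_.ASUN`), while the message says the change appears on every PCI slot with ACPI PCI hotplug enabled; note that the path in that comment differs per slot so a reader comparing other blobs is not misled. It would also help to say that the two `Zero` entries are placeholders overwritten by the `Local0 [...] = ...` stores, since the excerpt does not show where Local0 is bound to the package.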
    
    Signed-off-by: Igor Mammedov <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Igor Mammedov authored and mstsirkin committed Aug 3, 2023
    6e51085
  21. tests: acpi: whitelist expected blobs

    Signed-off-by: Igor Mammedov <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Igor Mammedov authored and mstsirkin committed Aug 3, 2023
    d3dc64f
  22. acpi: x86: remove _ADR on host bridges

    ACPI spec (since 2.0a) says
    "
    A device object must contain either an _HID object or
    an _ADR object, but can contain both.
    "
    
    _ADR is used when device is attached to an enumerable bus,
    however hostbridge is not and uses dedicated _HID for
    discovery, drop _ADR field.
    
    It doesn't seem that having _ADR has negative effects
    OSes manage to tolerate that, but there is no point of
    having it there. (only pc/q35 has it hostbridge description,
    while others (microvm/arm) don't)
    
    Signed-off-by: Igor Mammedov <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Igor Mammedov authored and mstsirkin committed Aug 3, 2023
    5ce869f
  23. tests: acpi: update expected blobs

    Expected change is that _ADR object is removed from
    hostbridge descriptor in DSDT for PC and Q35 machines.
    
    Signed-off-by: Igor Mammedov <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Igor Mammedov authored and mstsirkin committed Aug 3, 2023
    e3c79cf
  24. hw/virtio: qmp: add RING_RESET to 'info virtio-status'

    Signed-off-by: David Edmondson <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    dme authored and mstsirkin committed Aug 3, 2023
    92f0422
  25. virtio: Fix packed virtqueue used_idx mask

    virtio_queue_packed_set_last_avail_idx() is used by vhost devices to set
    the internal queue indices to what has been reported by the vhost
    back-end through GET_VRING_BASE.  For packed virtqueues, this
    32-bit value is expected to contain both the device's internal avail and
    used indices, as well as their respective wrap counters.
    
    To get the used index, we shift the 32-bit value right by 16, and then
    apply a mask of 0x7ffff.  That seems to be a typo, because it should be
    0x7fff; first of all, the virtio specification says that the maximum
    queue size for packed virt queues is 2^15, so the indices cannot exceed
    2^15 - 1 anyway, making 0x7fff the correct mask.  Second, the mask
    clearly is wrong from context, too, given that (A) `idx & 0x70000` must
    be 0 at this point (`idx` is 32 bit and was shifted to the right by 16
    already), (B) `idx & 0x8000` is the used_wrap_counter, so should not be
    part of the used index, and (C) `vq->used_idx` is a `uint16_t`, so
    cannot fit the 0x70000 part of the mask anyway.
    
    This most likely never produced any guest-visible bugs, though, because
    for a vhost device, qemu will probably not evaluate the used index
    outside of virtio_queue_packed_get_last_avail_idx(), where we
    reconstruct the 32-bit value from avail and used indices and their wrap
    counters again.  There, it does not matter whether the highest bit of
    the used_idx is the used index wrap counter, because we put the wrap
    counter exactly in that position anyway.
    
    Signed-off-by: Hanna Czenczek <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Reviewed-by: German Maglione <[email protected]>
    XanClic authored and mstsirkin committed Aug 3, 2023
    c92f4fc
  26. pci: do not respond config requests after PCI device eject

    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2224964
    
    In migration with VF failover, Windows guest and ACPI hot
    unplug we do not need to satisfy config requests, otherwise
    the guest immediately detects the device and brings up its
    driver. Many network VFs are stuck on the guest PCI bus after
    the migration.
    
    Signed-off-by: Yuri Benditovich <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    ybendito authored and mstsirkin committed Aug 3, 2023
    348e354
  27. vhost: fix the fd leak

    When vhost-user reconnects to the backend, the notifier should be
    cleaned up. Otherwise, the fd resource will be exhausted.
    
    Fixes: f9a09ca ("vhost: add support for configure interrupt")
    
    Signed-off-by: Li Feng <[email protected]>
    Reviewed-by: Raphael Norwitz <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Tested-by: Fiona Ebner <[email protected]>
    Li Feng authored and mstsirkin committed Aug 3, 2023
    18f2971
  28. hw/i386/intel_iommu: Fix trivial endianness problems

    After reading the guest memory with dma_memory_read(), we have
    to make sure that we byteswap the little endian data to the host's
    byte order.
    
    Signed-off-by: Thomas Huth <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Peter Xu <[email protected]>
    huth authored and mstsirkin committed Aug 3, 2023
    cc2a084
  29. hw/i386/intel_iommu: Fix endianness problems related to VTD_IR_TableEntry
    
    The code already tries to do some endianness handling here, but
    currently fails badly:
    - While it already swaps the data when logging errors / tracing, it fails
      to byteswap the value before e.g. accessing entry->irte.present
    - entry->irte.source_id is swapped with le32_to_cpu(), though this is
      a 16-bit value
    - The whole union is apparently supposed to be swapped via the 64-bit
      data[2] array, but the struct is a mixture between 32 bit values
      (the first 8 bytes) and 64 bit values (the second 8 bytes), so this
      cannot work as expected.
    
    Fix it by converting the struct to two proper 64-bit bitfields, and
    by swapping the values only once for everybody right after reading
    the data from memory.
    
    Signed-off-by: Thomas Huth <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Reviewed-by: Peter Xu <[email protected]>
    huth authored and mstsirkin committed Aug 3, 2023
    642ba89
  30. hw/i386/intel_iommu: Fix struct VTDInvDescIEC on big endian hosts

    On big endian hosts, we need to reverse the bitfield order in the
    struct VTDInvDescIEC, just like it is already done for the other
    bitfields in the various structs of the intel-iommu device.
    
    Signed-off-by: Thomas Huth <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Reviewed-by: Peter Xu <[email protected]>
    huth authored and mstsirkin committed Aug 3, 2023
    4572b22
  31. hw/i386/intel_iommu: Fix index calculation in vtd_interrupt_remap_msi()

    The values in "addr" are populated locally in this function in host
    endian byte order, so we must not swap the index_l field here.
    
    Signed-off-by: Thomas Huth <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Peter Xu <[email protected]>
    huth authored and mstsirkin committed Aug 3, 2023
    fcd8027
  32. hw/i386/x86-iommu: Fix endianness issue in x86_iommu_irq_to_msi_message()
    
    The values in "msg" are assembled in host endian byte order (the other
    fields are also not swapped), so we must not swap the __addr_head here.
    
    Signed-off-by: Thomas Huth <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Peter Xu <[email protected]>
    huth authored and mstsirkin committed Aug 3, 2023
    37cf5ce
  33. include/hw/i386/x86-iommu: Fix struct X86IOMMU_MSIMessage for big endian hosts
    
    The first bitfield here is supposed to be used as a 64-bit equivalent
    to the "uint64_t msi_addr" in the union. To make this work correctly
    on big endian hosts, too, the __addr_hi field has to be part of the
    bitfield, and the bitfield members must be declared with "uint64_t"
    instead of "uint32_t" - otherwise the values are placed in the wrong
    bytes on big endian hosts.
    
    Same applies to the 32-bit "msi_data" field: __resved1 must be part
    of the bitfield, and the members must be declared with "uint32_t"
    instead of "uint16_t".
    
    Signed-off-by: Thomas Huth <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Reviewed-by: Peter Xu <[email protected]>
    huth authored and mstsirkin committed Aug 3, 2023
    e1e56c0
  34. virtio-crypto: verify src&dst buffer length for sym request

    For symmetric algorithms, the length of the ciphertext must be the same
    as that of the plaintext.
    The missing verification of the src_len and the dst_len in
    virtio_crypto_sym_op_helper() may lead to buffer overflow/divulgence.
    
    This patch was originally written by Yiming Tao for QEMU-SECURITY;
    resending it (with a few changes to the error message) to qemu-devel.
    
    Fixes: CVE-2023-3180
    Fixes: 04b9b37("virtio-crypto: add data queue processing handler")
    Cc: Gonglei <[email protected]>
    Cc: Mauro Matteo Cascella <[email protected]>
    Cc: Yiming Tao <[email protected]>
    Signed-off-by: zhenwei pi <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    pizhenwei authored and mstsirkin committed Aug 3, 2023
    9d38a84
  35. cryptodev: Handle unexpected request to avoid crash

    Generally guest side should discover which services the device is
    able to offer, then do requests on device.
    
    However it's also possible to break this rule in a guest. Handle
    unexpected request here to avoid NULL pointer dereference.
    
    Fixes: e7a775f ('cryptodev: Account statistics')
    Cc: Gonglei <[email protected]>
    Cc: Mauro Matteo Cascella <[email protected]>
    Cc: Xiao Lei <[email protected]>
    Cc: Yongkang Jia <[email protected]>
    Reported-by: Yiming Tao <[email protected]>
    Signed-off-by: zhenwei pi <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    pizhenwei authored and mstsirkin committed Aug 3, 2023
    15b11a1
  36. target/hppa: Move iaoq registers and thus reduce generated code size

    On hppa the Instruction Address Offset Queue (IAOQ) registers specify
    the next to-be-executed instruction addresses. Each generated TB writes those
    registers at least once, so those registers are used heavily in generated
    code.
    
    Looking at the generated assembly, for an x86-64 host this code
    to write the address $0x7ffe826f into iaoq_f is generated:
    0x7f73e8000184:  c7 85 d4 01 00 00 6f 82  movl     $0x7ffe826f, 0x1d4(%rbp)
    0x7f73e800018c:  fe 7f
    0x7f73e800018e:  c7 85 d8 01 00 00 73 82  movl     $0x7ffe8273, 0x1d8(%rbp)
    0x7f73e8000196:  fe 7f
    
    With the trivial change, by moving the variables iaoq_f and iaoq_b to
    the top of struct CPUArchState, the offset to %rbp is reduced (from
    0x1d4 to 0), which allows the x86-64 tcg to generate 3 bytes less of
    generated code per move instruction:
    0x7fc1e800018c:  c7 45 00 6f 82 fe 7f     movl     $0x7ffe826f, (%rbp)
    0x7fc1e8000193:  c7 45 04 73 82 fe 7f     movl     $0x7ffe8273, 4(%rbp)
    
    Overall this is a reduction of generated code (not a reduction of
    number of instructions).
    A test run which checks the generated code size by running "/bin/ls"
    with qemu-user shows that the code size shrinks from 1616767 to 1569273
    bytes, which is ~97% of the former size.
    
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Helge Deller <[email protected]>
    Cc: [email protected]
    hdeller committed Aug 3, 2023
    f8c0fd9

Commits on Aug 4, 2023

  1. Merge tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu into staging
    
    pc,pci,virtio,crypto: bugfixes
    
    fixes all over the place.
    
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    
    # gpg: Signature made Thu 03 Aug 2023 03:19:09 PM PDT
    # gpg:                using RSA key 5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Michael S. Tsirkin <[email protected]>" [undefined]
    # gpg:                 aka "Michael S. Tsirkin <[email protected]>" [undefined]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
    #      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469
    
    * tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu: (22 commits)
      cryptodev: Handle unexpected request to avoid crash
      virtio-crypto: verify src&dst buffer length for sym request
      include/hw/i386/x86-iommu: Fix struct X86IOMMU_MSIMessage for big endian hosts
      hw/i386/x86-iommu: Fix endianness issue in x86_iommu_irq_to_msi_message()
      hw/i386/intel_iommu: Fix index calculation in vtd_interrupt_remap_msi()
      hw/i386/intel_iommu: Fix struct VTDInvDescIEC on big endian hosts
      hw/i386/intel_iommu: Fix endianness problems related to VTD_IR_TableEntry
      hw/i386/intel_iommu: Fix trivial endianness problems
      vhost: fix the fd leak
      pci: do not respond config requests after PCI device eject
      virtio: Fix packed virtqueue used_idx mask
      hw/virtio: qmp: add RING_RESET to 'info virtio-status'
      tests: acpi: update expected blobs
      acpi: x86: remove _ADR on host bridges
      tests: acpi: whitelist expected blobs
      tests: acpi: x86: update expected blobs
      x86: acpi: workaround Windows not handling name references in Package properly
      tests: acpi: x86: whitelist expected blobs
      hw/virtio: Add a protection against duplicate vu_scmi_stop calls
      virtio-iommu: Standardize granule extraction and formatting
      ...
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 4, 2023
    a089a73
  2. Merge tag 'hppa-linux-user-speedup-pull-request' of https://github.com/hdeller/qemu-hppa into staging
    
    Generated code size reduction with linux-user for hppa
    
    Would you please consider pulling this trivial fix, which reduces
    the generated code on x86 by ~3% when running linux-user with
    the hppa target?
    
    Thanks,
    Helge
    
    # gpg: Signature made Thu 03 Aug 2023 03:34:49 PM PDT
    # gpg:                using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
    # gpg: Good signature from "Helge Deller <[email protected]>" [unknown]
    # gpg:                 aka "Helge Deller <[email protected]>" [unknown]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 4544 8228 2CD9 10DB EF3D  25F8 3E5F 3D04 A7A2 4603
    #      Subkey fingerprint: BCE9 123E 1AD2 9F07 C049  BBDE F712 B510 A23A 0F5F
    
    * tag 'hppa-linux-user-speedup-pull-request' of https://github.com/hdeller/qemu-hppa:
      target/hppa: Move iaoq registers and thus reduce generated code size
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 4, 2023
    c26d005
  3. target/i386: Check CR0.TS before enter_mmx

    When CR0.TS=1, execution of x87 FPU, MMX, and some SSE instructions will
    cause a Device Not Available (DNA) exception (#NM). System software uses
    this exception event to lazily context switch FPU state.
    
    Before this patch, enter_mmx helpers may be generated just before #NM
    generation, prematurely resetting FPU state before the guest has a
    chance to save it.
    
    Signed-off-by: Matt Borgerson <[email protected]>
    Message-ID: <CADc=-s5F10muEhLs4f3mxqsEPAHWj0XFfOC2sfFMVHrk9fcpMg@mail.gmail.com>
    Cc: [email protected]
    Signed-off-by: Paolo Bonzini <[email protected]>
    mborgerson authored and bonzini committed Aug 4, 2023
    b2ea645
  4. ci: install meson in CirrusCI KVM build environment

    scripts/archive-source.sh needs meson in order to download the subprojects,
    therefore meson needs to be part of the host environment in which VM-based
    build jobs run.
    
    Fixes: 2019cab ("meson: subprojects: replace submodules with wrap files", 2023-06-06)
    Reported-by: Daniel P. Berrangé <[email protected]>
    Signed-off-by: Paolo Bonzini <[email protected]>
    bonzini committed Aug 4, 2023
    d9ab1f1
  5. ppc/pegasos2: Fix reset state of USB functions

    The original non-free board firmware sets the command register of the
    USB functions to 7 and some guests rely on this for working USB. Match
    what the board firmware does when using VOF instead.
    
    Signed-off-by: BALATON Zoltan <[email protected]>
    Reviewed-by: Daniel Henrique Barboza <[email protected]>
    Message-ID: <06a2b864431425f23d1f2b5abf0c027819ac11c6.1689725688.git.balaton@eik.bme.hu>
    Signed-off-by: Daniel Henrique Barboza <[email protected]>
    zbalaton authored and danielhb committed Aug 4, 2023
    19ac7b2
  6. ppc/pegasos2: Fix reg property of ROM BARs

    The register offset of the ROM BAR is 0x30 not 0x28. This fixes the
    reg property entry of the ROM region in the device tree.
    
    Signed-off-by: BALATON Zoltan <[email protected]>
    Reviewed-by: Daniel Henrique Barboza <[email protected]>
    Message-ID: <6abd73b1211f9d0776dfa5d71d6294f17eecb426.1689725688.git.balaton@eik.bme.hu>
    Signed-off-by: Daniel Henrique Barboza <[email protected]>
    zbalaton authored and danielhb committed Aug 4, 2023
    aa11334
  7. ppc/pegasos2: Fix naming of device tree nodes

    The board firmware names devices by their class so match that for
    common devices. Also make sure the /rtas node has a name. This is
    needed because VOF otherwise does not include it in results got by
    nextprop which is how AmigaOS queries it and fails if no name property
    is found.
    
    Signed-off-by: BALATON Zoltan <[email protected]>
    Reviewed-by: Daniel Henrique Barboza <[email protected]>
    Message-ID: <808ade37aa141563d1ee349254151672bf7a5d59.1689725688.git.balaton@eik.bme.hu>
    Signed-off-by: Daniel Henrique Barboza <[email protected]>
    zbalaton authored and danielhb committed Aug 4, 2023
    889dd6c
  8. ppc/pegasos2: Fix reg property of 64 bit BARs in device tree

    The board firmware handles this correctly following the Open Firmware
    standard which we missed. This fixes 64 bit BARs when using VOF.
    
    Signed-off-by: BALATON Zoltan <[email protected]>
    Reviewed-by: Daniel Henrique Barboza <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Daniel Henrique Barboza <[email protected]>
    zbalaton authored and danielhb committed Aug 4, 2023
    6b6d4c1
  9. target/ppc: Implement ASDR register for ISA v3.0 for HPT

    The ASDR register was introduced in ISA v3.0. It has not been
    implemented for HPT. With HPT, ASDR is the format of the slbmte RS
    operand (containing VSID), which matches the ppc_slb_t field.
    
    Fixes: 3367c62 ("target/ppc: Support for POWER9 native hash")
    Signed-off-by: Nicholas Piggin <[email protected]>
    Reviewed-by: Cédric Le Goater <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Daniel Henrique Barboza <[email protected]>
    npiggin authored and danielhb committed Aug 4, 2023
    9201af0
  10. target/ppc: Fix pending HDEC when entering PM state

    HDEC is defined to not wake from PM state. There is a check in the HDEC
    timer to avoid setting the interrupt if we are in a PM state, but no
    check on PM entry to lower HDEC if it already fired. This can cause a
    HDECR wake up and QEMU abort with unsupported exception in Power Save
    mode.
    
    Fixes: 4b236b6 ("ppc: Initial HDEC support")
    Signed-off-by: Nicholas Piggin <[email protected]>
    Reviewed-by: Cédric Le Goater <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Daniel Henrique Barboza <[email protected]>
    npiggin authored and danielhb committed Aug 4, 2023
    9915dac
  11. target/ppc: Fix VRMA page size for ISA v3.0

    Until v2.07s, the VRMA page size (L||LP) was encoded in LPCR[VRMASD].
    In v3.0 that moved to the partition table PS field.
    
    The powernv machine can now run KVM HPT guests on POWER9/10 CPUs with
    this fix and the patch to add ASDR.
    
    Fixes: 3367c62 ("target/ppc: Support for POWER9 native hash")
    Signed-off-by: Nicholas Piggin <[email protected]>
    Reviewed-by: Cédric Le Goater <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Daniel Henrique Barboza <[email protected]>
    npiggin authored and danielhb committed Aug 4, 2023
    0e2a3ec
  12. Merge tag 'pull-ppc-20230804' of https://gitlab.com/danielhb/qemu into staging
    
    ppc patch queue for 2023-08-04:
    
    This queue contains target/ppc register and VRMA fixes for 8.1. pegasos2
    fixes are also included.
    
    # gpg: Signature made Fri 04 Aug 2023 08:26:26 AM PDT
    # gpg:                using EDDSA key 17EBFF9923D01800AF2838193CD9CA96DE033164
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Daniel Henrique Barboza <[email protected]>" [unknown]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 17EB FF99 23D0 1800 AF28  3819 3CD9 CA96 DE03 3164
    
    * tag 'pull-ppc-20230804' of https://gitlab.com/danielhb/qemu:
      target/ppc: Fix VRMA page size for ISA v3.0
      target/ppc: Fix pending HDEC when entering PM state
      target/ppc: Implement ASDR register for ISA v3.0 for HPT
      ppc/pegasos2: Fix reg property of 64 bit BARs in device tree
      ppc/pegasos2: Fix naming of device tree nodes
      ppc/pegasos2: Fix reg property of ROM BARs
      ppc/pegasos2: Fix reset state of USB functions
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 4, 2023
    71934cf
  13. Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

    * fix VM build jobs on CirrusCI
    * fix MMX instructions clobbering x87 state before raising #NM
    
    # gpg: Signature made Fri 04 Aug 2023 05:01:48 AM PDT
    # gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Paolo Bonzini <[email protected]>" [undefined]
    # gpg:                 aka "Paolo Bonzini <[email protected]>" [undefined]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
    #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83
    
    * tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
      ci: install meson in CirrusCI KVM build environment
      target/i386: Check CR0.TS before enter_mmx
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 4, 2023
    6db03cc

Commits on Aug 5, 2023

  1. accel/tcg: Adjust parameters and locking with do_{ld,st}_mmio_*

    Replace MMULookupPageData* with CPUTLBEntryFull, addr, size.
    Move QEMU_IOTHREAD_LOCK_GUARD to the caller.
    
    This simplifies the usage from do_ld16_beN and do_st16_leN, where
    we weren't locking the entire operation, and required hoop jumping
    for passing addr and size.
    
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 5, 2023
    1966855
  2. accel/tcg: Issue wider aligned i/o in do_{ld,st}_mmio_*

    If the address and size are aligned, send larger chunks
    to the memory subsystem.  This will be required to make
    more use of these helpers.
    
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 5, 2023
    190aba8
  3. accel/tcg: Do not issue misaligned i/o

    In the single-page case we were issuing misaligned i/o to
    the memory subsystem, which does not handle it properly.
    Split such accesses via do_{ld,st}_mmio_*.
    
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1800
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 5, 2023
    f7eaf9d

Commits on Aug 6, 2023

  1. accel/tcg: Call save_iotlb_data from io_readx as well

    Apply save_iotlb_data() to io_readx() as well as to io_writex().
    This fixes SEGFAULT on qemu_plugin_hwaddr_phys_addr() call plugins
    for addresses inside of MMIO region.
    
    Signed-off-by: Dmitriy Solovev <[email protected]>
    Signed-off-by: Mikhail Tyutin <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    mtyutin authored and rth7680 committed Aug 6, 2023
    c30d0b8
  2. gdbstub: use 0 ("any process") on packets with no PID

    Previously, qemu-user would always report PID 1 to GDB. This was changed
    at dc14a7a (gdbstub: Report the actual qemu-user pid, 2023-06-30),
    but read_thread_id() still considers GDB packets with "no PID" as "PID
    1", which is not the qemu-user PID. Fix that by parsing "no PID" as "0",
    which the GDB Remote Protocol defines as "any process".
    
    Note that this should have no effect for system emulation as, in this
    case, gdb_create_default_process() will assign PID 1 for the first
    process and that is what the gdbstub uses for GDB requests with no PID,
    or PID 0.
    
    This issue was found with hexagon-lldb, which sends a "Hg" packet with
    only the thread-id, but no process-id, leading to the invalid usage of
    "PID 1" by qemu-hexagon and a subsequent "E22" reply.
    
    Signed-off-by: Matheus Tavares Bernardino <[email protected]>
    Acked-by: Ilya Leoshkevich <[email protected]>
    Message-Id: <78a3b06f6ab90a7ff8e73ae14a996eb27ec76c85.1690904195.git.quic_mathbern@quicinc.com>
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    quic-mathbern authored and rth7680 committed Aug 6, 2023
    6c78de6
  3. configure: Fix linux-user host detection for riscv64

    Mirror the host_arch variable from meson.build, so that we
    probe for the correct linux-user/include/host/ directory.
    
    Fixes: e3e477c ("configure: Fix cross-building for RISCV host")
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 6, 2023
    89e5b79
  4. linux-user/elfload: Set V in ELF_HWCAP for RISC-V

    Set V bit for hwcap if misa is set.
    
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1793
    Signed-off-by: Nathan Egge <[email protected]>
    Reviewed-by: Daniel Henrique Barboza <[email protected]>
    Tested-by: Daniel Henrique Barboza <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    negge authored and rth7680 committed Aug 6, 2023
    4333f09
  5. linux-user: Unset MAP_FIXED_NOREPLACE for host

    Passing MAP_FIXED_NOREPLACE to host will fail for reserved_va because
    the address space is reserved with mmap.  Replace it with MAP_FIXED
    in that case.
    
    Signed-off-by: Akihiko Odaki <[email protected]>
    Message-Id: <[email protected]>
    [rth: Expand inline commentary.]
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    akihikodaki authored and rth7680 committed Aug 6, 2023
    c3dd50d
  6. linux-user: Fix MAP_FIXED_NOREPLACE on old kernels

    The man page states:
    > Note that older kernels which do not recognize the MAP_FIXED_NOREPLACE
    > flag will typically (upon detecting a collision with a preexisting
    > mapping) fall back to a “non-MAP_FIXED” type of behavior: they will
    > return an address that is different from the requested address.
    > Therefore, backward-compatible software should check the returned
    > address against the requested address.
    https://man7.org/linux/man-pages/man2/mmap.2.html
    
    Signed-off-by: Akihiko Odaki <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    akihikodaki authored and rth7680 committed Aug 6, 2023
    ddcdd8c
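The return-address check that the man page quoted in commit 6 asks for, as an added example that is not QEMU's code. `map_fixed_noreplace` and `demo_collision` are hypothetical names, and the fallback `#define` assumes the asm-generic flag value.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_FIXED_NOREPLACE
/* Assumption: asm-generic value (x86, arm64, riscv); older libc headers lack it. */
#define MAP_FIXED_NOREPLACE 0x100000
#endif

/*
 * Map anonymous memory at exactly `want`, or fail with EEXIST.
 * Kernels that know the flag refuse a colliding request themselves.
 * Kernels that do not know it treat `want` as a hint and may return
 * another address, so the result is compared with the request.
 */
static void *map_fixed_noreplace(void *want, size_t len, int prot)
{
    void *got = mmap(want, len, prot,
                     MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);

    if (got == MAP_FAILED) {
        return MAP_FAILED;          /* errno already set by the kernel */
    }
    if (got != want) {
        munmap(got, len);           /* undo the relocated mapping */
        errno = EEXIST;
        return MAP_FAILED;
    }
    return got;
}

/* Returns 0 when both the collision case and the free-address case behave. */
static int demo_collision(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *base = mmap(NULL, 2 * pg, PROT_NONE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) {
        return 1;
    }

    /* Page 0 is still mapped: the request must be refused, not relocated. */
    errno = 0;
    if (map_fixed_noreplace(base, pg, PROT_READ | PROT_WRITE) != MAP_FAILED) {
        return 2;
    }
    if (errno != EEXIST) {
        return 3;
    }

    /* Free page 1; the same request there must land exactly on it. */
    if (munmap(base + pg, pg) != 0) {
        return 4;
    }
    char *p = map_fixed_noreplace(base + pg, pg, PROT_READ | PROT_WRITE);
    if (p != base + pg) {
        return 5;
    }
    p[0] = 'x';                     /* the new page is writable */

    munmap(base, 2 * pg);
    return 0;
}

int main(void)
{
    printf("demo_collision() = %d\n", demo_collision());
    return 0;
}
```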
  7. linux-user: Do not call get_errno() in do_brk()

    Later the returned value is compared with -1, and negated errno is not
    expected.
    
    Fixes: 00faf08 ("linux-user: Don't use MAP_FIXED in do_brk()")
    Reviewed-by: Helge Deller <[email protected]>
    Signed-off-by: Akihiko Odaki <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    akihikodaki authored and rth7680 committed Aug 6, 2023
    Commit c6cc059
  8. linux-user: Use MAP_FIXED_NOREPLACE for do_brk()

    MAP_FIXED_NOREPLACE can ensure the mapped address is fixed without
    the concern that the new mapping overwrites something else.
    
    Signed-off-by: Akihiko Odaki <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    akihikodaki authored and rth7680 committed Aug 6, 2023
    Commit e69e032
  9. linux-user: Do nothing if too small brk is specified

    Linux 6.4.7 does nothing when a value smaller than the initial brk is
    specified.
    
    Fixes: 86f0473 ("linux-user: Fix brk() to release pages")
    Reviewed-by: Helge Deller <[email protected]>
    Signed-off-by: Akihiko Odaki <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    akihikodaki authored and rth7680 committed Aug 6, 2023
    Commit cb9d5d1
  10. linux-user: Do not align brk with host page size

    do_brk() minimizes calls into target_mmap() by aligning the address
    with host page size, which is potentially larger than the target page
    size. However, the current implementation of this optimization has two
    bugs:
    
    - The start of brk is rounded up with the host page size while brk
      advertises an address aligned with the target page size as the
      beginning of brk. This makes the beginning of brk unmapped.
    - Content clearing after mapping is flawed. The size to clear is
      specified as HOST_PAGE_ALIGN(brk_page) - brk_page, but brk_page is
      aligned with the host page size so it is always zero.
    
    This optimization actually has no practical benefit. It makes a difference
    when brk() is called multiple times with values in a range of the host
    page size. However, sophisticated memory allocators try to avoid
    making such frequent brk() calls. For example, glibc 2.37 calls brk() to
    shrink the heap only when there is more than 128 KiB of room. It is
    rare to have a page size larger than 128 KiB if it happens.
    
    Let's remove the optimization to fix the bugs and make the code simpler.
    
    Fixes: 86f0473 ("linux-user: Fix brk() to release pages")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1616
    Signed-off-by: Akihiko Odaki <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    akihikodaki authored and rth7680 committed Aug 6, 2023
    Commit 2aea137
  11. linux-user: Properly set image_info.brk in flatload

    The heap starts at "brk" not "start_brk".  With this fixed,
    image_info.start_brk is unused and may be removed.
    
    Tested-by: Helge Deller <[email protected]>
    Reviewed-by: Helge Deller <[email protected]>
    Reviewed-by: Akihiko Odaki <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 6, 2023
    Commit 0662a62
  12. linux-user: Remove last_brk

    This variable is unused.
    
    Reviewed-by: Helge Deller <[email protected]>
    Reviewed-by: Akihiko Odaki <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 6, 2023
    Commit 62cbf08
  13. bsd-user: Remove last_brk

    This variable is unused.
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 6, 2023
    Commit 3c4a8a8
  14. Merge tag 'pull-tcg-20230806-3' of https://gitlab.com/rth7680/qemu into staging
    
    accel/tcg: Do not issue misaligned i/o
    accel/tcg: Call save_iotlb_data from io_readx
    gdbstub: use 0 ("any process") on packets with no PID
    linux-user: Fixes for MAP_FIXED_NOREPLACE
    linux-user: Fixes for brk
    linux-user: Set V in ELF_HWCAP for RISC-V
    *-user: Remove last_brk as unused
    
    # gpg: Signature made Sun 06 Aug 2023 04:47:07 PM PDT
    # gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Richard Henderson <[email protected]>" [ultimate]
    
    * tag 'pull-tcg-20230806-3' of https://gitlab.com/rth7680/qemu:
      bsd-user: Remove last_brk
      linux-user: Remove last_brk
      linux-user: Properly set image_info.brk in flatload
      linux-user: Do not align brk with host page size
      linux-user: Do nothing if too small brk is specified
      linux-user: Use MAP_FIXED_NOREPLACE for do_brk()
      linux-user: Do not call get_errno() in do_brk()
      linux-user: Fix MAP_FIXED_NOREPLACE on old kernels
      linux-user: Unset MAP_FIXED_NOREPLACE for host
      linux-user/elfload: Set V in ELF_HWCAP for RISC-V
      configure: Fix linux-user host detection for riscv64
      gdbstub: use 0 ("any process") on packets with no PID
      accel/tcg: Call save_iotlb_data from io_readx as well
      accel/tcg: Do not issue misaligned i/o
      accel/tcg: Issue wider aligned i/o in do_{ld,st}_mmio_*
      accel/tcg: Adjust parameters and locking with do_{ld,st}_mmio_*
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 6, 2023
    Commit 9400601

Commits on Aug 7, 2023

  1. hw/nvme: fix oob memory read in fdp events log

    As reported by Trend Micro's Zero Day Initiative, an oob memory read
    vulnerability exists in nvme_fdp_events(). The host-provided offset is
    not verified.
    
    Fix this.
    
    This is only exploitable when Flexible Data Placement mode (fdp=on) is
    enabled.
    
    Fixes: CVE-2023-4135
    Fixes: 73064ed ("hw/nvme: flexible data placement emulation")
    Reported-by: Trend Micro's Zero Day Initiative
    Signed-off-by: Klaus Jensen <[email protected]>
    birkelund committed Aug 7, 2023
    Commit ecb1b7b
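The class of check the commit above describes as missing, shown as an added example on a simplified model (this is not the QEMU patch; `struct dev_state`, `log_read()` and the sizes are hypothetical): the host-supplied offset is validated against the log size before any copy, and the transfer length is clamped to what remains. Rejecting `off == size` rather than returning zero bytes is a choice made for this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOG_SIZE 64

/* Constructed device state: the log, followed by unrelated device memory. */
struct dev_state {
    uint8_t events_log[LOG_SIZE];
    uint8_t neighbour[16];      /* what an unchecked offset would read into */
};

/* Fill the two regions with distinct, recognisable byte patterns. */
static void make_state(struct dev_state *d)
{
    memset(d->events_log, 0x11, sizeof(d->events_log));
    memset(d->neighbour, 0xEE, sizeof(d->neighbour));
}

/*
 * Copy up to buf_len bytes of the log into buf, starting at the
 * host-supplied byte offset. Returns bytes copied, or -EINVAL.
 */
static long log_read(const struct dev_state *d, uint64_t off,
                     uint8_t *buf, size_t buf_len)
{
    /*
     * Compare before doing any arithmetic with `off`: this rejects both
     * offsets just past the log and huge values that would wrap a pointer.
     */
    if (off >= sizeof(d->events_log)) {
        return -EINVAL;
    }
    size_t avail = sizeof(d->events_log) - (size_t)off;  /* cannot underflow */
    size_t n = buf_len < avail ? buf_len : avail;        /* clamp to the log */
    memcpy(buf, d->events_log + off, n);
    return (long)n;
}

/* Returns 1 if a read near the end is clamped and copies no neighbour bytes. */
static int tail_read_is_clamped(void)
{
    struct dev_state d;
    uint8_t buf[16] = {0};
    make_state(&d);
    long n = log_read(&d, LOG_SIZE - 4, buf, sizeof(buf));
    if (n != 4) {
        return 0;
    }
    for (size_t i = 0; i < sizeof(buf); i++) {
        if (buf[i] == 0xEE) {
            return 0;           /* neighbour data reached the reply buffer */
        }
    }
    return 1;
}

int main(void)
{
    struct dev_state d;
    uint8_t buf[16];
    make_state(&d);
    printf("off=0          -> %ld\n", log_read(&d, 0, buf, sizeof(buf)));
    printf("off=LOG_SIZE   -> %ld\n", log_read(&d, LOG_SIZE, buf, sizeof(buf)));
    printf("off=UINT64_MAX -> %ld\n", log_read(&d, UINT64_MAX, buf, sizeof(buf)));
    printf("tail clamped   -> %d\n", tail_read_is_clamped());
    return 0;
}
```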
  2. hw/nvme: fix compliance issue wrt. iosqes/iocqes

    Prior to this patch, the controller checks the value of CC.IOCQES
    and CC.IOSQES prior to enabling the controller. As reported by Ben in
    GitLab issue #1691, this is not spec compliant. The controller should
    only check these values when queues are created.
    
    This patch moves these checks to nvme_create_cq(). We do not need to
    check it in nvme_create_sq() since that will error out if the completion
    queue is not already created.
    
    Also, since the controller exclusively supports SQEs of size 64 bytes
    and CQEs of size 16 bytes, hard code that.
    
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1691
    Signed-off-by: Klaus Jensen <[email protected]>
    birkelund committed Aug 7, 2023
    Commit 6a33f2e
  3. hw/i2c: Fix bitbang_i2c_data trace event

    The clock and data values were logged swapped. Correct the trace event
    text to match what is logged. Also fix a typo in a comment nearby.
    
    Signed-off-by: BALATON Zoltan <[email protected]>
    Signed-off-by: Michael Tokarev <[email protected]>
    zbalaton authored and Michael Tokarev committed Aug 7, 2023
    Commit 8ada214
  4. stubs/colo.c: spelling

    Signed-off-by: Michael Tokarev <[email protected]>
    Michael Tokarev committed Aug 7, 2023
    Commit beb1a91
  5. Fixed incorrect LLONG alignment for openrisc and cris

    OpenRISC (or1k) aligns long long to 4 bytes, but this is currently not
    defined in abitypes.h. This led to incorrect packing of the /epoll_event/
    structure and eventually an infinite loop while waiting for file
    descriptor[s] event[s].
    
    Fixed also CRIS alignments (1 byte for all types).
    
    Signed-off-by: Luca Bonissi <[email protected]>
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1770
    Reviewed-by: Thomas Huth <[email protected]>
    Signed-off-by: Michael Tokarev <[email protected]>
    Luca Bonissi authored and Michael Tokarev committed Aug 7, 2023
    Commit 6ee9608
  6. chardev: report the handshake error

    This can help to debug connection issues.
    
    Related to:
    https://bugzilla.redhat.com/show_bug.cgi?id=2196182
    
    Signed-off-by: Marc-André Lureau <[email protected]>
    Reviewed-by: Daniel P. Berrangé <[email protected]>
    Message-Id: <[email protected]>
    elmarco committed Aug 7, 2023
    Commit 81cd34a
  7. virtio-gpu: free BHs, by implementing unrealize

    Acked-by: Dongwon Kim <[email protected]>
    Signed-off-by: Marc-André Lureau <[email protected]>
    Message-Id: <[email protected]>
    elmarco committed Aug 7, 2023
    Commit 957d778
  8. virtio-gpu: reset gfx resources in main thread

    Calling OpenGL from different threads can have bad consequences if not
    carefully reviewed. It's not generally supported. In my case, I was
    debugging a crash in glDeleteTextures from OPENGL32.DLL, where I asked
    qemu for gl=es, and thus ANGLE implementation was expected. libepoxy did
    resolution of the global pointer for glGenTexture to the GLES version
    from the main thread. But it resolved glDeleteTextures to the GL
    version, because it was done from a different thread without correct
    context. Oops.
    
    Let's stick to the main thread for GL calls by using a BH.
    
    Note: I didn't use atomics for reset_finished check, assuming the BQL
    will provide enough of sync, but I might be wrong.
    
    Acked-by: Dongwon Kim <[email protected]>
    Signed-off-by: Marc-André Lureau <[email protected]>
    Message-Id: <[email protected]>
    elmarco committed Aug 7, 2023
    Commit a41e2d9
  9. dump: kdump-zlib data pages not dumped with pvtime/aarch64

    The kdump-zlib data pages are not dumped from aarch64 host when the
    'pvtime' is involved, that is, when the block->target_end is not aligned to
    page_size. In the below example, it is expected to dump two blocks.
    
    (qemu) info mtree -f
    ... ...
      00000000090a0000-00000000090a0fff (prio 0, ram): pvtime KVM
    ... ...
      0000000040000000-00000001bfffffff (prio 0, ram): mach-virt.ram KVM
    ... ...
    
    However, there is an issue with get_next_page() so that the pages for
    "mach-virt.ram" will not be dumped.
    
    At line 1296, although we have reached the end of the 'pvtime' block,
    since it is not aligned to the page_size (e.g., 0x10000), it will not break
    at line 1298.
    
    1255 static bool get_next_page(GuestPhysBlock **blockptr, uint64_t *pfnptr,
    1256                           uint8_t **bufptr, DumpState *s)
    ... ...
    1294             memcpy(buf + addr % page_size, hbuf, n);
    1295             addr += n;
    1296             if (addr % page_size == 0) {
    1297                 /* we filled up the page */
    1298                 break;
    1299             }
    
    As a result, get_next_page() will continue to the next
    block ("mach-virt.ram"). Finally, when get_next_page() returns to the
    caller:
    
    - 'pfnptr' is referring to the 'pvtime'
    - but 'blockptr' is referring to the "mach-virt.ram"
    
    When get_next_page() is called the next time, "*pfnptr += 1" still refers
    to the prior 'pvtime'. It will exit immediately because it is out of the
    range of the current "mach-virt.ram".
    
    The fix is to break when it is time to come to the next block, so that both
    'pfnptr' and 'blockptr' refer to the same block.
    
    Fixes: 94d7884 ("dump: fix kdump to work over non-aligned blocks")
    Cc: Joe Jin <[email protected]>
    Signed-off-by: Dongli Zhang <[email protected]>
    Reviewed-by: Marc-André Lureau <[email protected]>
    Message-ID: <[email protected]>
    Dongli Zhang authored and elmarco committed Aug 7, 2023
    Commit 8a64609
  10. hw/i386/vmmouse:add relative packet flag for button status

    The buttons value uses macros instead of direct numbers.
    
    If relative mode is requested, this flag has to be added so that the
    guest vmmouse driver can judge that this is a relative packet.
    Otherwise, the vmmouse driver will not match
    the condition 'status & VMMOUSE_RELATIVE_PACKET'
    and can't report events on the correct (relative) input device,
    which makes relative mode useless.
    
    Signed-off-by: Zongmin Zhou<[email protected]>
    Message-ID: <[email protected]>
    Reviewed-by: Marc-André Lureau <[email protected]>
    Zongmin Zhou authored and elmarco committed Aug 7, 2023
    Commit fdd6495
  11. ui/gtk: set scanout mode in gd_egl/gd_gl_area_scanout_texture

    Fixing a regression (black screen) caused by commit 92b5815
    ("ui/gtk: set scanout-mode right before scheduling draw").
    
    The commit 92b5815 was made with an assumption that the scanout
    mode needs to be set only if the guest scanout is a dmabuf but there
    are cases (e.g. virtio-gpu-virgl) where the scanout is still processed
    in a form of a texture but is not backed by dmabuf. So it is needed
    to put back the line that sets scanout mode in gd_egl_scanout_texture
    and gd_gl_area_scanout_texture.
    
    Fixes: 92b5815 ("ui/gtk: set scanout-mode right before scheduling draw")
    Reported-by: Volker Rümelin <[email protected]>
    Cc: Gerd Hoffmann <[email protected]>
    Cc: Marc-André Lureau <[email protected]>
    Cc: Vivek Kasireddy <[email protected]>
    Signed-off-by: Dongwon Kim <[email protected]>
    Reviewed-by: Marc-André Lureau <[email protected]>
    Message-ID: <[email protected]>
    downor authored and elmarco committed Aug 7, 2023
    Commit 58ea90f
  12. Merge tag 'nvme-next-pull-request' of https://gitlab.com/birkelund/qemu into staging
    
    hw/nvme fixes
    
    - two fixes for hw/nvme
    
    # gpg: Signature made Mon 07 Aug 2023 04:53:18 AM PDT
    # gpg:                using RSA key 522833AA75E2DCE6A24766C04DE1AF316D4F0DE9
    # gpg: Good signature from "Klaus Jensen <[email protected]>" [unknown]
    # gpg:                 aka "Klaus Jensen <[email protected]>" [unknown]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: DDCA 4D9C 9EF9 31CC 3468  4272 63D5 6FC5 E55D A838
    #      Subkey fingerprint: 5228 33AA 75E2 DCE6 A247  66C0 4DE1 AF31 6D4F 0DE9
    
    * tag 'nvme-next-pull-request' of https://gitlab.com/birkelund/qemu:
      hw/nvme: fix compliance issue wrt. iosqes/iocqes
      hw/nvme: fix oob memory read in fdp events log
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 7, 2023
    Commit e0e5dca
  13. Merge tag 'trivial-patches-pull' of https://gitlab.com/mjt0k/qemu into staging
    
    trivial-patches for 2023-08-07
    
    there are 3 trivial bugfixes in there, for 8.1
    
    # gpg: Signature made Mon 07 Aug 2023 03:54:03 AM PDT
    # gpg:                using RSA key 7B73BAD68BE7A2C289314B22701B4F6B1A693E59
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Michael Tokarev <[email protected]>" [undefined]
    # gpg:                 aka "Michael Tokarev <[email protected]>" [undefined]
    # gpg:                 aka "Michael Tokarev <[email protected]>" [undefined]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D  4324 457C E0A0 8044 65C5
    #      Subkey fingerprint: 7B73 BAD6 8BE7 A2C2 8931  4B22 701B 4F6B 1A69 3E59
    
    * tag 'trivial-patches-pull' of https://gitlab.com/mjt0k/qemu:
      Fixed incorrect LLONG alignment for openrisc and cris
      stubs/colo.c: spelling
      hw/i2c: Fix bitbang_i2c_data trace event
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 7, 2023
    Commit 474892a
  14. Merge tag 'fixes-pull-request' of https://gitlab.com/marcandre.lureau/qemu into staging
    
    Fixes for 8.1
    
    Hi,
    
    Here is a collection of ui, dump and chardev fixes that are worth for 8.1.
    
    thanks
    
    # gpg: Signature made Mon 07 Aug 2023 01:46:51 PM PDT
    # gpg:                using RSA key 87A9BD933F87C606D276F62DDAE8E10975969CE5
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Marc-André Lureau <[email protected]>" [full]
    # gpg:                 aka "Marc-André Lureau <[email protected]>" [full]
    
    * tag 'fixes-pull-request' of https://gitlab.com/marcandre.lureau/qemu:
      ui/gtk: set scanout mode in gd_egl/gd_gl_area_scanout_texture
      hw/i386/vmmouse:add relative packet flag for button status
      dump: kdump-zlib data pages not dumped with pvtime/aarch64
      virtio-gpu: reset gfx resources in main thread
      virtio-gpu: free BHs, by implementing unrealize
      chardev: report the handshake error
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 7, 2023
    Commit 0450cf0

Commits on Aug 8, 2023

  1. hw/nvme: fix CRC64 for guard tag

    The nvme CRC64 generator expects the caller to pass inverted seed value.
    Pass inverted crc value for metadata buffer.
    
    Cc: [email protected]
    Fixes: 44219b6 ("hw/nvme: 64-bit pi support")
    Signed-off-by: Ankit Kumar <[email protected]>
    Signed-off-by: Klaus Jensen <[email protected]>
    ankit-sam authored and birkelund committed Aug 8, 2023
    Commit dbdb13f
  2. docs: update hw/nvme documentation for protection information

    Add missing entry for pif ("protection information format").
    Protection information size can be 8 or 16 bytes. Update the pil entry
    as per the NVM command set specification.
    
    Signed-off-by: Ankit Kumar <[email protected]>
    Signed-off-by: Klaus Jensen <[email protected]>
    ankit-sam authored and birkelund committed Aug 8, 2023
    Commit ec5a138
  3. configure: fix detection for x32 linux-user

    x32 uses the same signal handling fragments as x86_64, since host_arch
    is set to x86_64 when Meson runs.  Remove the unnecessary forwarder and
    set the host_arch variable properly in configure.
    
    Reviewed-by: Richard Henderson <[email protected]>
    Acked-by: Ilya Leoshkevich <[email protected]>
    Reviewed-by: Michael Tokarev <[email protected]>
    Tested-by: Ilya Leoshkevich <[email protected]>
    Tested-by: Michael Tokarev <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Paolo Bonzini <[email protected]>
    bonzini committed Aug 8, 2023
    Commit f140823
  4. linux-user: cleanup unused linux-user/include/host directories

    Alpha and 31-bit s390 lack the assembly fragment to handle signals
    occurring at the same time as system calls, so they cannot run
    linux-user emulation anymore.  Drop the host-signal.h files for
    them.
    
    Signed-off-by: Paolo Bonzini <[email protected]>
    Acked-by: Ilya Leoshkevich <[email protected]>
    Reviewed-by: Michael Tokarev <[email protected]>
    Tested-by: Ilya Leoshkevich <[email protected]>
    Tested-by: Michael Tokarev <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Paolo Bonzini <[email protected]>
    bonzini committed Aug 8, 2023
    Commit 50a0012
  5. configure: unify case statements for CPU canonicalization

    The CPU model has to be canonicalized to what Meson wants in the cross
    file, to what Linux uses for its asm-$ARCH directories, and to what
    QEMU uses for its user-mode emulation host/$ARCH directories.  Do
    all three in a single case statement, and check that the Linux and
    QEMU directories actually exist.
    
    At a small cost in repeated lines, this ensures that there are no hidden
    ordering requirements between the case statements.  In particular, commit
    89e5b79 ("configure: Fix linux-user host detection for riscv64",
    2023-08-06) broke ppc64le because it assigned host_arch based on a
    non-canonicalized version of $cpu.
    
    Reported-by: Joel Stanley <[email protected]>
    Fixes: 89e5b79 ("configure: Fix linux-user host detection for riscv64", 2023-08-06)
    Reviewed-by: Richard Henderson <[email protected]>
    Acked-by: Ilya Leoshkevich <[email protected]>
    Reviewed-by: Michael Tokarev <[email protected]>
    Tested-by: Ilya Leoshkevich <[email protected]>
    Tested-by: Michael Tokarev <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Paolo Bonzini <[email protected]>
    bonzini committed Aug 8, 2023
    Commit 971fac2
  6. linux-user: Adjust task_unmapped_base for reserved_va

    Ensure that the chosen values for mmap_next_start and
    task_unmapped_base are within the guest address space.
    
    Tested-by: Helge Deller <[email protected]>
    Reviewed-by: Akihiko Odaki <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2023
    Commit c8fb5cf
  7. linux-user: Define TASK_UNMAPPED_BASE in $guest/target_mman.h

    Provide default values that are as close as possible to the
    values used by the guest's kernel.
    
    Tested-by: Helge Deller <[email protected]>
    Reviewed-by: Helge Deller <[email protected]>
    Reviewed-by: Akihiko Odaki <[email protected]>
    Reviewed-by: Alex Bennée <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2023
    Commit 2d70816
  8. linux-user: Define ELF_ET_DYN_BASE in $guest/target_mman.h

    Copy each guest kernel's default value, then bound it
    against reserved_va or the host address space.
    
    Tested-by: Helge Deller <[email protected]>
    Reviewed-by: Helge Deller <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2023
    Commit da2b71f
  9. linux-user: Use MAP_FIXED_NOREPLACE for initial image mmap

    Use this as extra protection for the guest mapping over
    any qemu host mappings.
    
    Tested-by: Helge Deller <[email protected]>
    Reviewed-by: Helge Deller <[email protected]>
    Reviewed-by: Akihiko Odaki <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2023
    Commit ad25051
  10. linux-user: Use elf_et_dyn_base for ET_DYN with interpreter

    Follow the lead of the linux kernel in fs/binfmt_elf.c,
    in which an ET_DYN executable which uses an interpreter
    (usually a PIE executable) is loaded away from where the
    interpreter itself will be loaded.
    
    Tested-by: Helge Deller <[email protected]>
    Reviewed-by: Helge Deller <[email protected]>
    Reviewed-by: Akihiko Odaki <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2023
    Commit 1ea06de
  11. linux-user: Adjust initial brk when interpreter is close to executable

    While we attempt to load an ET_DYN executable far away from
    TASK_UNMAPPED_BASE, we are not completely in control of the
    address space layout.  If the interpreter lands close to
    the executable, leaving insufficient heap space, move brk.
    
    Tested-by: Helge Deller <[email protected]>
    Signed-off-by: Helge Deller <[email protected]>
    [rth: Re-order after ELF_ET_DYN_BASE patch so that we do not
     "temporarily break" tsan, and also to minimize the changes required.
     Remove image_info.reserve_brk as unused.]
    Reviewed-by: Akihiko Odaki <[email protected]>
    Reviewed-by: Alex Bennée <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    hdeller authored and rth7680 committed Aug 8, 2023
    Commit 1f356e8
  12. linux-user: Do not adjust image mapping for host page size

    Remove TARGET_ELF_EXEC_PAGESIZE, and 3 other TARGET_ELF_PAGE* macros
    based off of that.  Rely on target_mmap to handle guest vs host page
    size mismatch.
    
    Tested-by: Helge Deller <[email protected]>
    Reviewed-by: Helge Deller <[email protected]>
    Reviewed-by: Akihiko Odaki <[email protected]>
    Reviewed-by: Alex Bennée <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2023
    Commit e3d97d5
  13. linux-user: Do not adjust zero_bss for host page size

    Rely on target_mmap to handle guest vs host page size mismatch.
    
    Tested-by: Helge Deller <[email protected]>
    Reviewed-by: Helge Deller <[email protected]>
    Reviewed-by: Akihiko Odaki <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2023
    Commit 2d385be
  14. linux-user: Use zero_bss for PT_LOAD with no file contents too

    If p_filesz == 0, then vaddr_ef == vaddr.  We can reuse the
    code in zero_bss rather than incompletely duplicating it in
    load_elf_image.
    
    Tested-by: Helge Deller <[email protected]>
    Reviewed-by: Helge Deller <[email protected]>
    Reviewed-by: Akihiko Odaki <[email protected]>
    Reviewed-by: Alex Bennée <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2023
    Commit 5f4e5b3
  15. util/selfmap: Rewrite using qemu/interval-tree.h

    We will want to be able to search the set of mappings.
    For this patch, the two users iterate the tree in order.
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2023
    3ce3dd8
  16. linux-user: Remove duplicate CPU_LOG_PAGE from probe_guest_base

    The proper logging for probe_guest_base is in the main function.
    There is no need to duplicate that in the subroutines.
    
    Reviewed-by: Alex Bennée <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2023
    435c042
  17. linux-user: Consolidate guest bounds check in probe_guest_base

    The three sets of checks are identical, logically.
    
    Reviewed-by: Alex Bennée <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2023
    0c441ae
  18. linux-user: Rewrite fixed probe_guest_base

    Create a set of subroutines to collect a set of guest addresses,
    all of which must be mappable on the host.  Use this within the
    renamed pgb_fixed subroutine to validate the user's choice of
    guest_base specified by the -B command-line option.
    
    Reviewed-by: Alex Bennée <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2023
    06f38c6
  19. linux-user: Rewrite non-fixed probe_guest_base

    Use pgb_addr_set to probe for all of the guest addresses,
    not just the main executable.  Handle the identity map
    specially and separately from the search.
    
    If /proc/self/maps is available, utilize the full power
    of the interval tree search, rather than a linear search
    through the address list.
    
    If /proc/self/maps is not available, increase the skip
    between probes so that we do not probe every single page
    of the host address space.  Choose 1 MiB for 32-bit hosts
    (max 4k probes) and 1 GiB for 64-bit hosts (possibly a
    large number of probes, but the large step makes it more
    likely to find empty space quicker).
    
    Tested-by: Alex Bennée <[email protected]>
    Reviewed-by: Alex Bennée <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2023
    dd55885
  20. Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

    * cleanup architecture canonicalization once and for all
    
    # gpg: Signature made Tue 08 Aug 2023 11:44:16 AM PDT
    # gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Paolo Bonzini <[email protected]>" [undefined]
    # gpg:                 aka "Paolo Bonzini <[email protected]>" [undefined]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
    #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83
    
    * tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
      configure: unify case statements for CPU canonicalization
      linux-user: cleanup unused linux-user/include/host directories
      configure: fix detection for x32 linux-user
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2023
    cef297a
  21. Merge tag 'pull-lu-20230808' of https://gitlab.com/rth7680/qemu into …

    …staging
    
    linux-user: Adjust guest image layout vs reserved_va
    linux-user: Do not adjust image mapping for host page size
    linux-user: Adjust initial brk when interpreter is close to executable
    util/selfmap: Rewrite using qemu/interval-tree.h
    linux-user: Rewrite probe_guest_base
    
    # gpg: Signature made Tue 08 Aug 2023 02:07:42 PM PDT
    # gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Richard Henderson <[email protected]>" [ultimate]
    
    * tag 'pull-lu-20230808' of https://gitlab.com/rth7680/qemu:
      linux-user: Rewrite non-fixed probe_guest_base
      linux-user: Rewrite fixed probe_guest_base
      linux-user: Consolidate guest bounds check in probe_guest_base
      linux-user: Remove duplicate CPU_LOG_PAGE from probe_guest_base
      util/selfmap: Rewrite using qemu/interval-tree.h
      linux-user: Use zero_bss for PT_LOAD with no file contents too
      linux-user: Do not adjust zero_bss for host page size
      linux-user: Do not adjust image mapping for host page size
      linux-user: Adjust initial brk when interpreter is close to executable
      linux-user: Use elf_et_dyn_base for ET_DYN with interpreter
      linux-user: Use MAP_FIXED_NOREPLACE for initial image mmap
      linux-user: Define ELF_ET_DYN_BASE in $guest/target_mman.h
      linux-user: Define TASK_UNMAPPED_BASE in $guest/target_mman.h
      linux-user: Adjust task_unmapped_base for reserved_va
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2023
    32e07fd
  22. Merge tag 'nvme-next-pull-request' of https://gitlab.com/birkelund/qemu

    … into staging
    
    hw/nvme fixes
    
    - fix for invalid protection information calculation
    
    # gpg: Signature made Tue 08 Aug 2023 06:34:02 AM PDT
    # gpg:                using RSA key 522833AA75E2DCE6A24766C04DE1AF316D4F0DE9
    # gpg: Good signature from "Klaus Jensen <[email protected]>" [unknown]
    # gpg:                 aka "Klaus Jensen <[email protected]>" [unknown]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: DDCA 4D9C 9EF9 31CC 3468  4272 63D5 6FC5 E55D A838
    #      Subkey fingerprint: 5228 33AA 75E2 DCE6 A247  66C0 4DE1 AF31 6D4F 0DE9
    
    * tag 'nvme-next-pull-request' of https://gitlab.com/birkelund/qemu:
      docs: update hw/nvme documentation for protection information
      hw/nvme: fix CRC64 for guard tag
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 8, 2023
    a8fc516

Commits on Aug 9, 2023

  1. qemu/osdep: Remove fallback for MAP_FIXED_NOREPLACE

    In order for our emulation of MAP_FIXED_NOREPLACE to succeed within
    linux-user target_mmap, we require a non-zero value.  This does not
    require host kernel support, merely the bit being defined.
    
    MAP_FIXED_NOREPLACE was added with glibc 2.28.  From repology.org:
    
                      Fedora 36: 2.35
              CentOS 8 (RHEL-8): 2.28
                      Debian 11: 2.31
             OpenSUSE Leap 15.4: 2.31
               Ubuntu LTS 20.04: 2.31
    
    Reported-by: Akihiko Odaki <[email protected]>
    Reviewed-by: Akihiko Odaki <[email protected]>
    Reviewed-by: Alex Bennée <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    Message-Id: <[email protected]>
    rth7680 committed Aug 9, 2023
    c42e77a
  2. hw/nvme: fix null pointer access in directive receive

    nvme_directive_receive() does not check if an endurance group has been
    configured (set) prior to testing if flexible data placement is enabled
    or not.
    
    Fix this.
    
    Cc: [email protected]
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1815
    Fixes: 73064ed ("hw/nvme: flexible data placement emulation")
    Reviewed-by: Jesper Wendel Devantier <[email protected]>
    Signed-off-by: Klaus Jensen <[email protected]>
    birkelund committed Aug 9, 2023
    6c8f845
  3. hw/nvme: fix null pointer access in ruh update

    The Reclaim Unit Update operation in I/O Management Receive does not
    verify the presence of a configured endurance group prior to accessing
    it.
    
    Fix this.
    
    Cc: [email protected]
    Fixes: 73064ed ("hw/nvme: flexible data placement emulation")
    Reviewed-by: Jesper Wendel Devantier <[email protected]>
    Signed-off-by: Klaus Jensen <[email protected]>
    birkelund committed Aug 9, 2023
    3439ba9
  4. linux-user: Split out do_mmap

    New function that rejects unsupported map types and flags.
    In 4b840f9 we should not have accepted MAP_SHARED_VALIDATE
    without actually validating the rest of the flags.
    
    Fixes: 4b840f9 ("linux-user: Populate more bits in mmap_flags_tbl")
    Reviewed-by: Alex Bennée <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 9, 2023
    9ab8d07
  5. linux-user: Use ARRAY_SIZE with bitmask_transtbl

    Rather than using a zero tuple to end the table, use a macro
    to apply ARRAY_SIZE and pass that on to the convert functions.
    
    This fixes two bugs in which the conversion functions required
    that both the target and host masks be non-zero in order to
    continue, rather than require both target and host masks be
    zero in order to terminate.
    
    This affected mmap_flags_tbl when the host does not support
    all of the flags we wish to convert (e.g. MAP_UNINITIALIZED).
    Mapping these flags to zero is good enough, and matches how
    the kernel ignores bits that are unknown.
    
    Fixes: 4b840f9 ("linux-user: Populate more bits in mmap_flags_tbl")
    Reviewed-by: Alex Bennée <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 9, 2023
    a05cee9
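
The termination bug described in the "Use ARRAY_SIZE with bitmask_transtbl" commit above, as an added example that is not QEMU's own code. The struct layout, flag values, table contents and function names are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))

/* Simplified translation entry; the field names are assumptions. */
struct bitmask_transtbl {
    unsigned int target_mask, target_bits;
    unsigned int host_mask, host_bits;
};

/* Constructed flag values, not the real MAP_* numbers of any ABI. */
enum { T_SHARED = 0x01, T_UNINITIALIZED = 0x02, T_NORESERVE = 0x04 };
enum { H_SHARED = 0x10, H_NORESERVE = 0x40 };

/* The host has no equivalent of T_UNINITIALIZED, so its host side is zero. */
#define FLAG_ENTRIES \
    { T_SHARED, T_SHARED, H_SHARED, H_SHARED }, \
    { T_UNINITIALIZED, T_UNINITIALIZED, 0, 0 }, \
    { T_NORESERVE, T_NORESERVE, H_NORESERVE, H_NORESERVE }

/* Old style: the table ends with an all-zero tuple. */
static const struct bitmask_transtbl tbl_terminated[] = {
    FLAG_ENTRIES,
    { 0, 0, 0, 0 },
};

/* New style: no terminator, the length comes from ARRAY_SIZE. */
static const struct bitmask_transtbl tbl_sized[] = { FLAG_ENTRIES };

/*
 * Buggy walk: continues only while BOTH masks are non-zero, so the first
 * entry with a zero host mask ends the loop and every later entry is lost.
 */
static unsigned int to_host_buggy(unsigned int target,
                                  const struct bitmask_transtbl *e)
{
    unsigned int host = 0;

    for (; e->target_mask && e->host_mask; e++) {
        if ((target & e->target_mask) == e->target_bits) {
            host |= e->host_bits;
        }
    }
    return host;
}

/* Sized walk: every entry is visited; unsupported flags translate to zero. */
static unsigned int to_host_sized(unsigned int target,
                                  const struct bitmask_transtbl *tbl,
                                  size_t len)
{
    unsigned int host = 0;

    for (size_t i = 0; i < len; i++) {
        if ((target & tbl[i].target_mask) == tbl[i].target_bits) {
            host |= tbl[i].host_bits;
        }
    }
    return host;
}

int main(void)
{
    unsigned int guest = T_SHARED | T_UNINITIALIZED | T_NORESERVE;

    /* The buggy walk silently drops H_NORESERVE. */
    printf("buggy: 0x%x\n", to_host_buggy(guest, tbl_terminated));
    printf("sized: 0x%x\n",
           to_host_sized(guest, tbl_sized, ARRAY_SIZE(tbl_sized)));
    return 0;
}
```
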
  6. tests/tcg: Disable filename test for info proc mappings

    This test fails when host page size != guest page size,
    because qemu may not be able to directly map the file.
    
    Fixes: a634148 ("tests/tcg: Add a test for info proc mappings")
    Acked-by: Ilya Leoshkevich <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 9, 2023
    1b65895
  7. util/interval-tree: Check root for null in interval_tree_iter_first

    Fix a crash in qemu-user when running
    
        cat /proc/self/maps
    
    in a chroot, where /proc isn't mounted.
    
    The problem was introduced by commit 3ce3dd8 ("util/selfmap:
    Rewrite using qemu/interval-tree.h") where in open_self_maps_1() the
    function read_self_maps() is called and which returns NULL if it can't
    read the host's /proc/self/maps file. Afterwards that NULL is fed into
    interval_tree_iter_first() which doesn't check if the root node is NULL.
    
    Fix it by adding a check if root is NULL and return NULL in that case.
    
    Signed-off-by: Helge Deller <[email protected]>
    Fixes: 3ce3dd8 ("util/selfmap: Rewrite using qemu/interval-tree.h")
    Message-Id: <ZNOsq6Z7t/eyIG/9@p100>
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    hdeller authored and rth7680 committed Aug 9, 2023
    47d1e98
  8. linux-user: Fix openat() emulation to correctly detect accesses to /proc

    In qemu we catch accesses to files like /proc/cpuinfo or /proc/net/route
    and return to the guest contents which would be visible on a real system
    (instead of what the host would show).
    
    This patch fixes a bug, where for example the accesses
        cat /proc////cpuinfo
    or
        cd /proc && cat cpuinfo
    will not be recognized by qemu and where qemu will wrongly show
    the contents of the host's /proc/cpuinfo file.
    
    Signed-off-by: Helge Deller <[email protected]>
    Reviewed-by: Daniel P. Berrangé <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    hdeller authored and rth7680 committed Aug 9, 2023
    b800205
  9. Merge tag 'nvme-fixes-pull-request' of https://gitlab.com/birkelund/qemu

     into staging
    
    hw/nvme: fixes
    
    # gpg: Signature made Wed 09 Aug 2023 06:36:39 AM PDT
    # gpg:                using RSA key 522833AA75E2DCE6A24766C04DE1AF316D4F0DE9
    # gpg: Good signature from "Klaus Jensen <[email protected]>" [unknown]
    # gpg:                 aka "Klaus Jensen <[email protected]>" [unknown]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: DDCA 4D9C 9EF9 31CC 3468  4272 63D5 6FC5 E55D A838
    #      Subkey fingerprint: 5228 33AA 75E2 DCE6 A247  66C0 4DE1 AF31 6D4F 0DE9
    
    * tag 'nvme-fixes-pull-request' of https://gitlab.com/birkelund/qemu:
      hw/nvme: fix null pointer access in ruh update
      hw/nvme: fix null pointer access in directive receive
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 9, 2023
    c0b7823
  10. Merge tag 'pull-lu-20230809' of https://gitlab.com/rth7680/qemu into …

    …staging
    
    linux-user: Fixes for mmap syscall emulation
    linux-user: Correctly detect access to /proc in openat
    util/interval-tree: Check root for null in interval_tree_iter_first
    tests/tcg: Disable filename test for info proc mappings
    
    # gpg: Signature made Wed 09 Aug 2023 10:46:22 AM PDT
    # gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Richard Henderson <[email protected]>" [ultimate]
    
    * tag 'pull-lu-20230809' of https://gitlab.com/rth7680/qemu:
      linux-user: Fix openat() emulation to correctly detect accesses to /proc
      util/interval-tree: Check root for null in interval_tree_iter_first
      tests/tcg: Disable filename test for info proc mappings
      linux-user: Use ARRAY_SIZE with bitmask_transtbl
      linux-user: Split out do_mmap
      qemu/osdep: Remove fallback for MAP_FIXED_NOREPLACE
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 9, 2023
    e53e2e2
  11. Merge tag 'or1k-pull-request-20230809' of https://github.com/stffrdhr…

    …n/qemu into staging
    
    OpenRISC FPU Fix for 8.1
    
    A patch to pass the correct exception address when handling floating
    point exceptions.
    
    # gpg: Signature made Wed 09 Aug 2023 01:31:23 PM PDT
    # gpg:                using RSA key D9C47354AEF86C103A25EFF1C3B31C2D5E6627E4
    # gpg: Good signature from "Stafford Horne <[email protected]>" [unknown]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: D9C4 7354 AEF8 6C10 3A25  EFF1 C3B3 1C2D 5E66 27E4
    
    * tag 'or1k-pull-request-20230809' of https://github.com/stffrdhrn/qemu:
      target/openrisc: Set EPCR to next PC on FPE exceptions
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 9, 2023
    64d3be9

Commits on Aug 10, 2023

  1. accel/tcg: Avoid reading too much in load_atom_{2,4}

    When load_atom_extract_al16_or_al8 is inexpensive, we want to use
    it early, in order to avoid the overhead of required_atomicity.
    However, we must not read past the end of the page.
    
    If there are more than 8 bytes remaining, then both the "aligned 16"
    and "aligned 8" paths align down so that the read has at least
    16 bytes remaining on the page.
    
    Reviewed-by: Peter Maydell <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 10, 2023
    6a2c23d
  2. tests/tcg: ensure system-mode gdb tests start stopped

    Without -S we run into potential races with tests starting before the
    gdbstub attaches. We don't need to worry about user-mode as enabling
    the gdbstub implies we wait for the initial connection.
    
    Signed-off-by: Alex Bennée <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    stsquad authored and rth7680 committed Aug 10, 2023
    dad1036
  3. gdbstub: more fixes for client Ctrl-C handling

    The original fix caused problems with spurious characters on other
    system emulation. So:
    
      - instead of spamming output make the warning a trace point
      - ensure we only allow a stop reply if it was 0x3
    
    Suggested-by: Matheus Tavares Bernardino <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-Id: <456ed3318421dd7946bdfb5ceda7e05332da368c.1690910333.git.quic_mathbern@quicinc.com>
    Reviewed-by: Richard Henderson <[email protected]>
    Tested-by: Richard Henderson <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    stsquad authored and rth7680 committed Aug 10, 2023
    3869eb7
  4. gdbstub: don't complain about preemptive ACK chars

    When starting a remote connection GDB sends a '+':
    
      /* Ack any packet which the remote side has already sent.  */
      remote_serial_write ("+", 1);
    
    which gets flagged as a garbage character in the gdbstub state
    machine. As gdb does send it out let's be permissive about the handling
    so we can better see real issues.
    
    Signed-off-by: Alex Bennée <[email protected]>
    Cc: [email protected]
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    stsquad authored and rth7680 committed Aug 10, 2023
    f1b0f89
  5. Merge tag 'pull-tcg-20230810' of https://gitlab.com/rth7680/qemu into…

    … staging
    
    accel/tcg: Avoid reading too much in load_atom_{2,4}
    tests/tcg: ensure system-mode gdb tests start stopped
    gdbstub: more fixes for client Ctrl-C handling
    
    # gpg: Signature made Thu 10 Aug 2023 11:08:01 AM PDT
    # gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Richard Henderson <[email protected]>" [ultimate]
    
    * tag 'pull-tcg-20230810' of https://gitlab.com/rth7680/qemu:
      gdbstub: don't complain about preemptive ACK chars
      gdbstub: more fixes for client Ctrl-C handling
      tests/tcg: ensure system-mode gdb tests start stopped
      accel/tcg: Avoid reading too much in load_atom_{2,4}
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 10, 2023
    70b7399
  6. Update version for v8.1.0-rc3 release

    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 10, 2023
    3944e93

Commits on Aug 11, 2023

  1. hw/pci-host: Allow extended config space access for Designware PCIe host

    In pcie_bus_realize(), a root bus is realized as a PCIe bus and a non-root
    bus is realized as a PCIe bus if its parent bus is a PCIe bus. However,
    the child bus "dw-pcie" is realized before the parent bus "pcie" which is
    the root PCIe bus. Thus, the extended configuration space is not accessible
    on "dw-pcie". The issue can be resolved by adding the
    PCI_BUS_EXTENDED_CONFIG_SPACE flag to "pcie" before "dw-pcie" is realized.
    
    Signed-off-by: Jason Chien <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Reviewed-by: Frank Chang <[email protected]>
    Signed-off-by: Jason Chien <[email protected]>
    Jason Chien authored and mstsirkin committed Aug 11, 2023
    3d449bc
  2. pci: Fix the update of interrupt disable bit in PCI_COMMAND register

    The PCI_COMMAND register is located at offset 4 within
    the PCI configuration space and occupies 2 bytes. The
    interrupt disable bit is at the 10th bit, which corresponds
    to the byte at offset 5 in the PCI configuration space.
    
    In our testing environment, the guest driver may directly
    update the byte at offset 5 in the PCI configuration space.
    The backtrace looks like the following:
        at hw/pci/pci.c:1442
        at hw/virtio/virtio-pci.c:605
        val=5, len=1) at hw/pci/pci_host.c:81
    
    In this situation, the range_covers_byte function called
    by the pci_default_write_config function will return false,
    resulting in the inability to handle the interrupt disable
    update event.
    
    To fix this issue, we can use the ranges_overlap function
    instead of range_covers_byte to determine whether the interrupt
    bit has been updated.
    
    Signed-off-by: Guoyi Tu <[email protected]>
    Signed-off-by: yuanminghao <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Fixes: b6981cb ("pci: interrupt disable bit support")
    Guoyi Tu authored and mstsirkin committed Aug 11, 2023
    0f93624
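
The missed single-byte write described in the PCI_COMMAND commit above, as an added example that is not QEMU's own code. The two range helpers are modeled on the function names in the commit message, and the toy device, the assumption that the old check tested only the register's first byte, and all other names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PCI_COMMAND              0x04   /* 16-bit register at offsets 4..5 */
#define PCI_COMMAND_INTX_DISABLE 0x400  /* bit 10, stored in the byte at offset 5 */

/* True if the single byte 'byte' lies inside [offset, offset + len). */
static bool range_covers_byte(uint64_t offset, uint64_t len, uint64_t byte)
{
    return len != 0 && offset <= byte && byte <= offset + len - 1;
}

/* True if [first1, first1 + len1) and [first2, first2 + len2) intersect. */
static bool ranges_overlap(uint64_t first1, uint64_t len1,
                           uint64_t first2, uint64_t len2)
{
    uint64_t last1 = first1 + len1 - 1;
    uint64_t last2 = first2 + len2 - 1;

    return !(last2 < first1 || last1 < first2);
}

/* Toy device: a small config space plus the derived interrupt mask state. */
struct toy_dev {
    uint8_t config[64];
    bool intx_masked;
};

/*
 * Config write handler. With use_overlap == false it re-evaluates the
 * interrupt disable bit only when the write covers the first byte of
 * PCI_COMMAND (assumed old behaviour); with true it does so whenever the
 * write touches either byte of the register.
 */
static void write_config(struct toy_dev *d, uint32_t addr, uint32_t val,
                         unsigned len, bool use_overlap)
{
    if (len == 0 || len > 4 || addr + len > sizeof(d->config)) {
        return; /* reject out-of-range accesses */
    }
    for (unsigned i = 0; i < len; i++) {
        d->config[addr + i] = (uint8_t)(val >> (8 * i));
    }

    bool touched = use_overlap
        ? ranges_overlap(addr, len, PCI_COMMAND, 2)
        : range_covers_byte(addr, len, PCI_COMMAND);

    if (touched) {
        uint16_t cmd = (uint16_t)(d->config[PCI_COMMAND] |
                                  (d->config[PCI_COMMAND + 1] << 8));
        d->intx_masked = (cmd & PCI_COMMAND_INTX_DISABLE) != 0;
    }
}

/* Start from a zeroed device, perform one write, report the mask state. */
static bool intx_masked_after_write(uint32_t addr, uint32_t val,
                                    unsigned len, bool use_overlap)
{
    struct toy_dev d = { {0}, false };

    write_config(&d, addr, val, len, use_overlap);
    return d.intx_masked;
}

int main(void)
{
    /* 0x04 written to offset 5 sets bit 10 of the 16-bit register. */
    printf("byte write, covers_byte check: %d\n",
           intx_masked_after_write(5, 0x04, 1, false));
    printf("byte write, overlap check:     %d\n",
           intx_masked_after_write(5, 0x04, 1, true));
    printf("word write, covers_byte check: %d\n",
           intx_masked_after_write(4, 0x0400, 2, false));
    return 0;
}
```
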
  3. Merge tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/m…

    …st/qemu into staging
    
    pci: last minute bugfixes
    
    two fixes that seem very safe and important enough to sneak
    in before the release.
    
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    
    # gpg: Signature made Fri 11 Aug 2023 09:16:50 AM PDT
    # gpg:                using RSA key 5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Michael S. Tsirkin <[email protected]>" [undefined]
    # gpg:                 aka "Michael S. Tsirkin <[email protected]>" [undefined]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
    #      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469
    
    * tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu:
      pci: Fix the update of interrupt disable bit in PCI_COMMAND register
      hw/pci-host: Allow extended config space access for Designware PCIe host
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 11, 2023
    44e13cb
  4. target/riscv/kvm.c: fix mvendorid size in vcpu_set_machine_ids()

    cpu->cfg.mvendorid is a 32 bit field and kvm_set_one_reg() always writes
    a target_ulong val, i.e. a 64 bit field in a 64 bit host.
    
    Given that we're passing a pointer to the mvendorid field, the reg is
    reading 64 bits starting from mvendorid and going 32 bits in the next
    field, marchid. Here's an example:
    
    $ ./qemu-system-riscv64 -machine virt,accel=kvm -m 2G -smp 1 \
       -cpu rv64,marchid=0xab,mvendorid=0xcd,mimpid=0xef(...)
    
    (inside the guest)
     # cat /proc/cpuinfo
    processor	: 0
    hart		: 0
    isa		: rv64imafdc_zicbom_zicboz_zihintpause_zbb_sstc
    mmu		: sv57
    mvendorid	: 0xab000000cd
    marchid		: 0xab
    mimpid		: 0xef
    
    'mvendorid' was written as a combination of 0xab (the value from the
    adjacent field, marchid) and its intended value 0xcd.
    
    Fix it by assigning cpu->cfg.mvendorid to a target_ulong var 'reg' and
    use it as input for kvm_set_one_reg(). Here's the result with this patch
    applied and using the same QEMU command line:
    
     # cat /proc/cpuinfo
    processor	: 0
    hart		: 0
    isa		: rv64imafdc_zicbom_zicboz_zihintpause_zbb_sstc
    mmu		: sv57
    mvendorid	: 0xcd
    marchid		: 0xab
    mimpid		: 0xef
    
    This bug affects only the generic (rv64) CPUs when running with KVM in a
    64 bit env since the 'host' CPU does not allow the machine IDs to be
    changed via command line.
    
    Fixes: 1fb5a62 ("target/riscv: handle mvendorid/marchid/mimpid for KVM CPUs")
    Signed-off-by: Daniel Henrique Barboza <[email protected]>
    Acked-by: Alistair Francis <[email protected]>
    Reviewed-by: Andrew Jones <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    danielhb authored and alistair23 committed Aug 11, 2023
    136cb9c
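
The over-read described in the commit message above, reduced to a stand-alone model (an added example, not QEMU code): `struct cpu_cfg`, `set_one_reg()` and both `set_mvendorid_*` functions are constructed stand-ins, and the expected value assumes a little-endian 64-bit host as in the commit's `/proc/cpuinfo` output.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t target_ulong;          /* 64-bit target, as in the commit message */

/* Constructed layout (not QEMU's real structure): a 32-bit mvendorid that is
 * directly followed in memory by the 64-bit marchid. */
struct cpu_cfg {
    uint32_t other;                     /* hypothetical field; puts mvendorid at offset 4 */
    uint32_t mvendorid;
    uint64_t marchid;
    uint64_t mimpid;
};

_Static_assert(offsetof(struct cpu_cfg, marchid) ==
               offsetof(struct cpu_cfg, mvendorid) + sizeof(uint32_t),
               "example assumes marchid directly follows mvendorid");

/* Compile-time guard a caller can use before handing a field's address to a
 * setter that consumes a full target_ulong. It passes for marchid; applying
 * it to mvendorid would stop the build. */
#define ASSERT_REG_SIZED(expr) \
    _Static_assert(sizeof(expr) == sizeof(target_ulong), \
                   "field is narrower than the register write")
ASSERT_REG_SIZED(((struct cpu_cfg *)0)->marchid);

/* Model of a register setter that always consumes sizeof(target_ulong)
 * bytes from src, whatever the size of the object src points at. */
static target_ulong set_one_reg(const void *src)
{
    target_ulong reg;
    memcpy(&reg, src, sizeof(reg));
    return reg;
}

/* Before the fix: the setter is given the address of the 32-bit field, so it
 * reads 4 bytes of mvendorid plus the first 4 bytes of marchid. The pointer
 * is derived from the whole struct; it is the same address as
 * &cfg->mvendorid. */
target_ulong set_mvendorid_buggy(const struct cpu_cfg *cfg)
{
    const unsigned char *field =
        (const unsigned char *)cfg + offsetof(struct cpu_cfg, mvendorid);
    return set_one_reg(field);
}

/* After the fix: widen the value into a target_ulong first, then pass the
 * address of that correctly sized variable. */
target_ulong set_mvendorid_fixed(const struct cpu_cfg *cfg)
{
    target_ulong reg = cfg->mvendorid;
    return set_one_reg(&reg);
}

/* Values taken from the command line in the commit message. */
struct cpu_cfg sample_cfg(void)
{
    struct cpu_cfg cfg;
    memset(&cfg, 0, sizeof(cfg));
    cfg.mvendorid = 0xcd;
    cfg.marchid = 0xab;
    cfg.mimpid = 0xef;
    return cfg;
}

int main(void)
{
    struct cpu_cfg cfg = sample_cfg();
    printf("buggy mvendorid: 0x%" PRIx64 "\n", set_mvendorid_buggy(&cfg));
    printf("fixed mvendorid: 0x%" PRIx64 "\n", set_mvendorid_fixed(&cfg));
    return 0;
}
```
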
  5. hw/riscv/virt.c: change 'aclint' TCG check

    The 'aclint' property is being conditioned with tcg acceleration in
    virt_machine_class_init(). But acceleration code starts later than the
    class init of the board, meaning that tcg_enabled() will always be
    false during class_init(), and the option is never being declared even
    when declaring TCG accel:
    
    $ ./build/qemu-system-riscv64 -M virt,accel=tcg,aclint=on
    qemu-system-riscv64: Property 'virt-machine.aclint' not found
    
    Fix it by moving the check from class_init() to machine_init(). Tune the
    description to mention that the option is TCG only.
    
    Cc: Philippe Mathieu-Daudé <[email protected]>
    Fixes: c0716c8 ("hw/riscv/virt: Restrict ACLINT to TCG")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1823
    Signed-off-by: Daniel Henrique Barboza <[email protected]>
    Reviewed-by: Alistair Francis <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    danielhb authored and alistair23 committed Aug 11, 2023
    b274c23
  6. Merge tag 'pull-riscv-to-apply-20230811-3' of https://github.com/alistair23/qemu into staging
    
    Sixth RISC-V PR for 8.1
    
    This is a last minute PR for RISC-V.
    
    The main goal is to fix
    https://gitlab.com/qemu-project/qemu/-/issues/1823
    which is a regression that means the aclint option
    cannot be enabled.
    
    While we are here we also fix up a KVM issue.
    
     * KVM: fix mvendorid size
     * Fixup aclint check
    
    # gpg: Signature made Fri 11 Aug 2023 11:23:41 AM PDT
    # gpg:                using RSA key 6AE902B6A7CA877D6D659296AF7C95130C538013
    # gpg: Good signature from "Alistair Francis <[email protected]>" [unknown]
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    # Primary key fingerprint: 6AE9 02B6 A7CA 877D 6D65  9296 AF7C 9513 0C53 8013
    
    * tag 'pull-riscv-to-apply-20230811-3' of https://github.com/alistair23/qemu:
      hw/riscv/virt.c: change 'aclint' TCG check
      target/riscv/kvm.c: fix mvendorid size in vcpu_set_machine_ids()
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 11, 2023
    bb5f142

Commits on Aug 12, 2023

  1. tcg/i386: Output %gs prefix in tcg_out_vex_opc

    Missing the segment prefix means that user-only fails
    to add guest_base for some 128-bit load/store.
    
    Fixes: 098d0fc ("tcg/i386: Support 128-bit load/store")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1763
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 12, 2023
    d3b4112

Commits on Aug 15, 2023

  1. Merge tag 'pull-tcg-20230814' of https://gitlab.com/rth7680/qemu into staging
    
    tcg/i386: Output %gs prefix in tcg_out_vex_opc
    
    # gpg: Signature made Mon 14 Aug 2023 07:09:01 PM PDT
    # gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
    # gpg:                issuer "[email protected]"
    # gpg: Good signature from "Richard Henderson <[email protected]>" [ultimate]
    
    * tag 'pull-tcg-20230814' of https://gitlab.com/rth7680/qemu:
      tcg/i386: Output %gs prefix in tcg_out_vex_opc
    
    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 15, 2023
    408af44

Commits on Aug 16, 2023

  1. Update version for v8.1.0-rc4 release

    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 16, 2023
    0d52116

Commits on Aug 22, 2023

  1. Update version for v8.1.0 release

    Signed-off-by: Richard Henderson <[email protected]>
    rth7680 committed Aug 22, 2023
    7e5a8bb

Commits on Aug 23, 2023

  1. target/s390x: Fix the "ignored match" case in VSTRS

    Currently the emulation of VSTRS recognizes partial matches in presence
    of \0 in the haystack, which, according to PoP, is not correct:
    
        If the ZS flag is one and a zero byte was detected
        in the second operand, then there can not be a
        partial match ...
    
    Add a check for this. While at it, fold a number of explicitly handled
    special cases into the generic logic.
    
    Cc: [email protected]
    Reported-by: Claudio Fontana <[email protected]>
    Closes: https://lists.gnu.org/archive/html/qemu-devel/2023-08/msg00633.html
    Fixes: 1d706f3 ("target/s390x: vxeh2: vector string search")
    Signed-off-by: Ilya Leoshkevich <[email protected]>
    Message-Id: <[email protected]>
    Tested-by: Claudio Fontana <[email protected]>
    Acked-by: David Hildenbrand <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    (cherry picked from commit 791b2b6a930273db694b9ba48bbb406e78715927)
    Signed-off-by: Michael Tokarev <[email protected]>
    iii-i authored and Michael Tokarev committed Aug 23, 2023
    5980189
  2. target/s390x: Use a 16-bit immediate in VREP

    Unlike most other instructions that contain an immediate element index,
    VREP's one is 16-bit, and not 4-bit. The code uses only 8 bits, so
    using, e.g., 0x101 does not lead to a specification exception.
    
    Fix by checking all 16 bits.
    
    Cc: [email protected]
    Fixes: 28d0873 ("s390x/tcg: Implement VECTOR REPLICATE")
    Signed-off-by: Ilya Leoshkevich <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: David Hildenbrand <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    (cherry picked from commit 23e87d419f347b6b5f4da3bf70d222acc24cdb64)
    Signed-off-by: Michael Tokarev <[email protected]>
    iii-i authored and Michael Tokarev committed Aug 23, 2023
    880e82e
  3. target/s390x: Fix VSTL with a large length

    The length is always truncated to 16 bytes. Do not probe more than
    that.
    
    Cc: [email protected]
    Fixes: 0e0a5b4 ("s390x/tcg: Implement VECTOR STORE WITH LENGTH")
    Signed-off-by: Ilya Leoshkevich <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: David Hildenbrand <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    (cherry picked from commit 6db3518ba4fcddd71049718f138552999f0d97b4)
    Signed-off-by: Michael Tokarev <[email protected]>
    iii-i authored and Michael Tokarev committed Aug 23, 2023
    c12eddb
  4. target/s390x: Check reserved bits of VFMIN/VFMAX's M5

    VFMIN and VFMAX should raise a specification exception when bits 1-3
    of M5 are set.
    
    Cc: [email protected]
    Fixes: da48075 ("s390x/tcg: Implement VECTOR FP (MAXIMUM|MINIMUM)")
    Signed-off-by: Ilya Leoshkevich <[email protected]>
    Message-Id: <[email protected]>
    Reviewed-by: David Hildenbrand <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    (cherry picked from commit 6a2ea6151835aa4f5fee29382a421c13b0e6619f)
    Signed-off-by: Michael Tokarev <[email protected]>
    iii-i authored and Michael Tokarev committed Aug 23, 2023
    14a8213
  5. include/hw/virtio/virtio-gpu: Fix virtio-gpu with blob on big endian hosts
    
    Using "-device virtio-gpu,blob=true" currently does not work on big
    endian hosts (like s390x). The guest kernel prints an error message
    like:
    
     [drm:virtio_gpu_dequeue_ctrl_func [virtio_gpu]] *ERROR* response 0x1200 (command 0x10c)
    
    and the display stays black. When running QEMU with "-d guest_errors",
    it shows an error message like this:
    
     virtio_gpu_create_mapping_iov: nr_entries is too big (83886080 > 16384)
    
    which indicates that this value has not been properly byte-swapped.
    And indeed, the virtio_gpu_create_blob_bswap() function (that should
    swap the fields in the related structure) fails to swap some of the
    entries. After correctly swapping all missing values here, too, the
    virtio-gpu device is now also working with blob=true on s390x hosts.
    
    Fixes: e0933d9 ("virtio-gpu: Add virtio_gpu_resource_create_blob")
    Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2230469
    Message-Id: <[email protected]>
    Reviewed-by: Marc-André Lureau <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    (cherry picked from commit d194362910138776e8abd6bb3c9fb3693254e95f)
    Signed-off-by: Michael Tokarev <[email protected]>
    huth authored and Michael Tokarev committed Aug 23, 2023
    01f6417

Commits on Aug 24, 2023

  1. kvm: Introduce kvm_arch_get_default_type hook

    kvm_arch_get_default_type() returns the default KVM type. This hook is
    particularly useful to derive a KVM type that is valid for "none"
    machine model, which is used by libvirt to probe the availability of
    KVM.
    
    For MIPS, the existing mips_kvm_type() is reused. This function ensures
    the availability of VZ which is mandatory to use KVM on the current
    QEMU.
    
    Cc: [email protected]
    Signed-off-by: Akihiko Odaki <[email protected]>
    Message-id: [email protected]
    Reviewed-by: Peter Maydell <[email protected]>
    [PMM: added doc comment for new function]
    Signed-off-by: Peter Maydell <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    (cherry picked from commit 5e0d65909c6f335d578b90491e165440c99adf81)
    Signed-off-by: Michael Tokarev <[email protected]>
    akihikodaki authored and Michael Tokarev committed Aug 24, 2023
    34808d0
  2. accel/kvm: Specify default IPA size for arm64

    Before this change, the default KVM type, which is used for non-virt
    machine models, was 0.
    
    The kernel documentation says:
    > On arm64, the physical address size for a VM (IPA Size limit) is
    > limited to 40bits by default. The limit can be configured if the host
    > supports the extension KVM_CAP_ARM_VM_IPA_SIZE. When supported, use
    > KVM_VM_TYPE_ARM_IPA_SIZE(IPA_Bits) to set the size in the machine type
    > identifier, where IPA_Bits is the maximum width of any physical
    > address used by the VM. The IPA_Bits is encoded in bits[7-0] of the
    > machine type identifier.
    >
    > e.g, to configure a guest to use 48bit physical address size::
    >
    >     vm_fd = ioctl(dev_fd, KVM_CREATE_VM, KVM_VM_TYPE_ARM_IPA_SIZE(48));
    >
    > The requested size (IPA_Bits) must be:
    >
    >  ==   =========================================================
    >   0   Implies default size, 40bits (for backward compatibility)
    >   N   Implies N bits, where N is a positive integer such that,
    >       32 <= N <= Host_IPA_Limit
    >  ==   =========================================================
    
    > Host_IPA_Limit is the maximum possible value for IPA_Bits on the host
    > and is dependent on the CPU capability and the kernel configuration.
    > The limit can be retrieved using KVM_CAP_ARM_VM_IPA_SIZE of the
    > KVM_CHECK_EXTENSION ioctl() at run-time.
    >
    > Creation of the VM will fail if the requested IPA size (whether it is
    > implicit or explicit) is unsupported on the host.
    https://docs.kernel.org/virt/kvm/api.html#kvm-create-vm
    
    So if Host_IPA_Limit < 40, specifying 0 as the type will fail. This
    actually confused libvirt, which uses "none" machine model to probe the
    KVM availability, on M2 MacBook Air.
    
    Fix this by using Host_IPA_Limit as the default type when
    KVM_CAP_ARM_VM_IPA_SIZE is available.
    
    Cc: [email protected]
    Signed-off-by: Akihiko Odaki <[email protected]>
    Message-id: [email protected]
    Reviewed-by: Peter Maydell <[email protected]>
    Signed-off-by: Peter Maydell <[email protected]>
    (cherry picked from commit 1ab445af8cd99343f29032b5944023ad7d8edebf)
    Signed-off-by: Michael Tokarev <[email protected]>
    akihikodaki authored and Michael Tokarev committed Aug 24, 2023
    c8e381d
  3. target/arm: Fix SME ST1Q

    A typo, noted in the bug report, resulting in an
    incorrect write offset.
    
    Cc: [email protected]
    Fixes: 7390e0e ("target/arm: Implement SME LD1, ST1")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1833
    Signed-off-by: Richard Henderson <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-id: [email protected]
    Signed-off-by: Peter Maydell <[email protected]>
    (cherry picked from commit 4b3520fd93cd49cc56dfcab45d90735cc2e35af7)
    Signed-off-by: Michael Tokarev <[email protected]>
    rth7680 authored and Michael Tokarev committed Aug 24, 2023
    7012e20
  4. target/arm: Fix 64-bit SSRA

    Typo applied byte-wise shift instead of double-word shift.
    
    Cc: [email protected]
    Fixes: 631e565 ("target/arm: Create gen_gvec_[us]sra")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1737
    Signed-off-by: Richard Henderson <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-id: [email protected]
    Signed-off-by: Peter Maydell <[email protected]>
    (cherry picked from commit cd1e4db73646006039f25879af3bff55b2295ff3)
    Signed-off-by: Michael Tokarev <[email protected]>
    rth7680 authored and Michael Tokarev committed Aug 24, 2023
    63188a0
  5. docs/about/license: Update LICENSE URL

    In early 2021 (see commit 2ad7843 "docs: update README to use
    GitLab repo URLs") almost all of the code base was converted to
    point to GitLab instead of git.qemu.org. During 2023, git.qemu.org
    switched from a git mirror to a http redirect to GitLab (see [1]).
    
    Update the LICENSE URL to match its previous content, displaying
    the file raw content similarly to gitweb 'blob_plain' format ([2]).
    
    [1] https://lore.kernel.org/qemu-devel/CABgObfZu3mFc8tM20K-yXdt7F-7eV-uKZN4sKDarSeu7DYoRbA@mail.gmail.com/
    [2] https://git-scm.com/docs/gitweb#Documentation/gitweb.txt-blobplain
    
    Reviewed-by: Daniel P. Berrangé <[email protected]>
    Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Reviewed-by: Stefan Hajnoczi <[email protected]>
    Signed-off-by: Stefan Hajnoczi <[email protected]>
    Message-ID: <[email protected]>
    (cherry picked from commit 09a3fffae00b042bed8ad9c351b1a58c505fde37)
    Signed-off-by: Michael Tokarev <[email protected]>
    philmd authored and Michael Tokarev committed Aug 24, 2023
    441106e

Commits on Aug 30, 2023

  1. softmmu: Assert data in bounds in iotlb_to_section

    Acked-by: Alex Bennée <[email protected]>
    Suggested-by: Alex Bennée <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    (cherry picked from commit 86e4f93d827d3c1efd00cd8a906e38a2c0f2b5bc)
    Signed-off-by: Michael Tokarev <[email protected]>
    rth7680 authored and Michael Tokarev committed Aug 30, 2023
    5691fbf

Commits on Sep 21, 2023

  1. block-migration: Ensure we don't crash during migration cleanup

    We can fail the blk_insert_bs() at init_blk_migration(), leaving the
    BlkMigDevState without a dirty_bitmap and BlockDriverState. Account
    for the possibly missing elements when doing cleanup.
    
    Fix the following crashes:
    
    Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
    0x0000555555ec83ef in bdrv_release_dirty_bitmap (bitmap=0x0) at ../block/dirty-bitmap.c:359
    359         BlockDriverState *bs = bitmap->bs;
     #0  0x0000555555ec83ef in bdrv_release_dirty_bitmap (bitmap=0x0) at ../block/dirty-bitmap.c:359
     #1  0x0000555555bba331 in unset_dirty_tracking () at ../migration/block.c:371
     #2  0x0000555555bbad98 in block_migration_cleanup_bmds () at ../migration/block.c:681
    
    Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
    0x0000555555e971ff in bdrv_op_unblock (bs=0x0, op=BLOCK_OP_TYPE_BACKUP_SOURCE, reason=0x0) at ../block.c:7073
    7073        QLIST_FOREACH_SAFE(blocker, &bs->op_blockers[op], list, next) {
     #0  0x0000555555e971ff in bdrv_op_unblock (bs=0x0, op=BLOCK_OP_TYPE_BACKUP_SOURCE, reason=0x0) at ../block.c:7073
     #1  0x0000555555e9734a in bdrv_op_unblock_all (bs=0x0, reason=0x0) at ../block.c:7095
     #2  0x0000555555bbae13 in block_migration_cleanup_bmds () at ../migration/block.c:690
    
    Signed-off-by: Fabiano Rosas <[email protected]>
    Message-id: [email protected]
    Signed-off-by: Stefan Hajnoczi <[email protected]>
    (cherry picked from commit f187609f27b261702a17f79d20bf252ee0d4f9cd)
    Signed-off-by: Michael Tokarev <[email protected]>
    Fabiano Rosas authored and Michael Tokarev committed Sep 21, 2023
    86d7b08
  2. target/arm: properly document FEAT_CRC32

    This is a mandatory feature for Armv8.1 architectures but we don't
    state the feature clearly in our emulation list. Also include
    FEAT_CRC32 comment in aarch64_max_tcg_initfn for ease of grepping.
    
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Alex Bennée <[email protected]>
    Message-id: [email protected]
    Cc: [email protected]
    Message-Id: <[email protected]>
    [PMM: pluralize 'instructions' in docs]
    Signed-off-by: Peter Maydell <[email protected]>
    (cherry picked from commit 9e771a2fc68d98c5719b877e008d1dca64e6896e)
    Signed-off-by: Michael Tokarev <[email protected]>
    stsquad authored and Michael Tokarev committed Sep 21, 2023
    645b87f
  3. linux-user: Adjust brk for load_bias

    PIE executables are usually linked at offset 0 and are
    relocated somewhere during load.  The hiaddr needs to
    be adjusted to keep the brk next to the executable.
    
    Cc: [email protected]
    Fixes: 1f356e8 ("linux-user: Adjust initial brk when interpreter is close to executable")
    Tested-by: Helge Deller <[email protected]>
    Reviewed-by: Ilya Leoshkevich <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Richard Henderson <[email protected]>
    (cherry picked from commit aec338d63bc28f1f13d5e64c561d7f1dd0e4b07e)
    Signed-off-by: Michael Tokarev <[email protected]>
    rth7680 authored and Michael Tokarev committed Sep 21, 2023
    e5e77f2
  4. target/i386: raise FERR interrupt with iothread locked

    Otherwise tcg_handle_interrupt() triggers an assertion failure:
    
      #5  0x0000555555c97369 in tcg_handle_interrupt (cpu=0x555557434cb0, mask=2) at ../accel/tcg/tcg-accel-ops.c:83
      #6  tcg_handle_interrupt (cpu=0x555557434cb0, mask=2) at ../accel/tcg/tcg-accel-ops.c:81
      #7  0x0000555555b4d58b in pic_irq_request (opaque=<optimized out>, irq=<optimized out>, level=1) at ../hw/i386/x86.c:555
      #8  0x0000555555b4f218 in gsi_handler (opaque=0x5555579423d0, n=13, level=1) at ../hw/i386/x86.c:611
      #9  0x00007fffa42bde14 in code_gen_buffer ()
      #10 0x0000555555c724bb in cpu_tb_exec (cpu=cpu@entry=0x555557434cb0, itb=<optimized out>, tb_exit=tb_exit@entry=0x7fffe9bfd658) at ../accel/tcg/cpu-exec.c:457
    
    Cc: [email protected]
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1808
    Reported-by: NyanCatTW1 <https://gitlab.com/a0939712328>
    Co-developed-by: Richard Henderson <[email protected]>'
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Paolo Bonzini <[email protected]>
    (cherry picked from commit c1f27a0c6ae4059a1d809e9c2bc4d47b823c32a3)
    Signed-off-by: Michael Tokarev <[email protected]>
    bonzini authored and Michael Tokarev committed Sep 21, 2023
    e975434
  5. ui/dbus: Properly dispose touch/mouse dbus objects

    Fixes: 142ca62 ("ui: add a D-Bus display backend")
    Fixes: de9f844 ("ui/dbus: Expose a touch device interface")
    
    Signed-off-by: Bilal Elmoussaoui <[email protected]>
    Reviewed-by: Marc-André Lureau <[email protected]>
    Message-Id: <[email protected]>
    (cherry picked from commit cb6ccdc9ca705cd8c3ef50e51c16a3732c2fa734)
    Signed-off-by: Michael Tokarev <[email protected]>
    bilelmoussaoui authored and Michael Tokarev committed Sep 21, 2023
    0175121
  6. ppc/vof: Fix missed fields in VOF cleanup

    Failing to reset the of_instance_last makes ihandle allocation continue
    to increase, which causes record-replay replay to fail to match the
    recorded trace.
    
    Not resetting claimed_base makes VOF eventually run out of memory after
    some resets.
    
    Cc: Alexey Kardashevskiy <[email protected]>
    Fixes: fc8c745 ("spapr: Implement Open Firmware client interface")
    Signed-off-by: Nicholas Piggin <[email protected]>
    Reviewed-by: Alexey Kardashevskiy <[email protected]>
    Signed-off-by: Cédric Le Goater <[email protected]>
    (cherry picked from commit 7b8589d7ce7e23f26ff53338d575a5cbd7818e28)
    Signed-off-by: Michael Tokarev <[email protected]>
    npiggin authored and Michael Tokarev committed Sep 21, 2023
    6864f05
  7. hw/ppc/e500: fix broken snapshot replay

    ppce500_reset_device_tree is registered for system reset, but after
    c4b0753 this function rerandomizes rng-seed via
    qemu_guest_getrandom_nofail. And when loading a snapshot, it tries to read
    EVENT_RANDOM that doesn't exist, so we have an error:
    
      qemu-system-ppc: Missing random event in the replay log
    
    To fix this, use qemu_register_reset_nosnapshotload instead of
    qemu_register_reset.
    
    Reported-by: Vitaly Cheptsov <[email protected]>
    Fixes: c4b0753 ("hw/ppc: pass random seed to fdt ")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1634
    Signed-off-by: Maksim Kostin <[email protected]>
    Reviewed-by: Nicholas Piggin <[email protected]>
    Signed-off-by: Cédric Le Goater <[email protected]>
    (cherry picked from commit 6ec65b69ba17c954414fa23a397fb8a3fcfb4a43)
    Signed-off-by: Michael Tokarev <[email protected]>
    Maksim Kostin authored and Michael Tokarev committed Sep 21, 2023
    5358980
  8. target/ppc: Flush inputs to zero with NJ in ppc_store_vscr

    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1779
    Signed-off-by: Richard Henderson <[email protected]>
    Reviewed-by: Nicholas Piggin <[email protected]>
    Signed-off-by: Cédric Le Goater <[email protected]>
    (cherry picked from commit af03aeb631eeb81a44d2c0ff5b429cd4b5dc2799)
    Signed-off-by: Michael Tokarev <[email protected]>
    rth7680 authored and Michael Tokarev committed Sep 21, 2023
    9f54fef
  9. target/ppc: Fix LQ, STQ register-pair order for big-endian

    LQ, STQ have the same register-pair ordering as LQARX/STQARX., which is
    the even (lower) register contains the most significant bits. This is
    not implemented correctly for big-endian.
    
    do_ldst_quad() has variables low_addr_gpr and high_addr_gpr which is
    confusing because they are low and high addresses, whereas LQARX/STQARX.
    and most such things use the low and high values for lo/hi variables.
    The conversion to native 128-bit memory access functions missed this
    strangeness.
    
    Fix this by changing the if condition, and change the variable names to
    hi/lo to match convention.
    
    Cc: [email protected]
    Reported-by: Ivan Warren <[email protected]>
    Fixes: 57b38ff ("target/ppc: Use tcg_gen_qemu_{ld,st}_i128 for LQARX, LQ, STQ")
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1836
    Signed-off-by: Nicholas Piggin <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Signed-off-by: Cédric Le Goater <[email protected]>
    (cherry picked from commit 718209358f2e4f231cbacf974c3299c4fe7beb83)
    Signed-off-by: Michael Tokarev <[email protected]>
    npiggin authored and Michael Tokarev committed Sep 21, 2023
    f64f1f8
  10. hw/ide/core: set ERR_STAT in unsupported command completion

    Currently, the first time sending an unsupported command
    (e.g. READ LOG DMA EXT) will not have ERR_STAT set in the completion.
    Sending the unsupported command again, will correctly have ERR_STAT set.
    
    When ide_cmd_permitted() returns false, it calls ide_abort_command().
    ide_abort_command() first calls ide_transfer_stop(), which will call
    ide_transfer_halt() and ide_cmd_done(), after that ide_abort_command()
    sets ERR_STAT in status.
    
    ide_cmd_done() for AHCI will call ahci_write_fis_d2h() which writes the
    current status in the FIS, and raises an IRQ. (The status here will not
    have ERR_STAT set!).
    
    Thus, we cannot call ide_transfer_stop() before setting ERR_STAT, as
    ide_transfer_stop() will result in the FIS being written and an IRQ
    being raised.
    
    The reason why it works the second time, is that ERR_STAT will still
    be set from the previous command, so when writing the FIS, the
    completion will correctly have ERR_STAT set.
    
    Set ERR_STAT before writing the FIS (calling cmd_done), so that we will
    raise an error IRQ correctly when receiving an unsupported command.
    
    Signed-off-by: Niklas Cassel <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-id: [email protected]
    Signed-off-by: John Snow <[email protected]>
    (cherry picked from commit c3461c6264a7c8ca15b117e91fe5da786924a784)
    Signed-off-by: Michael Tokarev <[email protected]>
    floatious authored and Michael Tokarev committed Sep 21, 2023
    c2e0495
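
The ordering problem from the commit message above, as a small state model (an added example, not QEMU code): `struct ide_model` and every function here are simplified stand-ins for the call chain the message names, with `cmd_done()` standing for the point where the D2H FIS snapshots the status and raises the IRQ. It shows why only the first unsupported command completes without ERR_STAT, which is also why a test that repeats the command on the same device misses the bug.

```c
#include <stdint.h>
#include <stdio.h>

/* ATA status register bits used by the model. */
#define ERR_STAT   0x01
#define READY_STAT 0x40

/* Simplified device model (assumption, not QEMU's IDEState). */
struct ide_model {
    uint8_t  status;       /* live status register */
    uint8_t  fis_status;   /* status captured in the last completion FIS */
    unsigned irqs;         /* completions signalled to the guest */
};

static struct ide_model new_device(void)
{
    struct ide_model s = { READY_STAT, 0, 0 };
    return s;
}

/* Models cmd_done for AHCI: write the current status into the FIS and
 * raise an IRQ. Whatever is in status at this moment is what the guest sees. */
static void cmd_done(struct ide_model *s)
{
    s->fis_status = s->status;
    s->irqs++;
}

/* Models the transfer-stop step, which ends in cmd_done(). */
static void transfer_stop(struct ide_model *s)
{
    cmd_done(s);
}

/* Before the fix: the completion is written first, the error bit afterwards. */
static void abort_command_before(struct ide_model *s)
{
    transfer_stop(s);
    s->status = READY_STAT | ERR_STAT;
}

/* After the fix: ERR_STAT is set before the completion is written. */
static void abort_command_after(struct ide_model *s)
{
    s->status = READY_STAT | ERR_STAT;
    transfer_stop(s);
}

/* Send one unsupported command; return the status the guest reads from the
 * completion. 'fixed' selects which ordering is modelled. */
uint8_t send_unsupported(struct ide_model *s, int fixed)
{
    if (fixed) {
        abort_command_after(s);
    } else {
        abort_command_before(s);
    }
    return s->fis_status;
}

int completion_reports_error(uint8_t fis_status)
{
    return (fis_status & ERR_STAT) != 0;
}

int main(void)
{
    struct ide_model old_order = new_device();
    struct ide_model new_order = new_device();

    printf("old ordering, 1st command: error=%d\n",
           completion_reports_error(send_unsupported(&old_order, 0)));
    printf("old ordering, 2nd command: error=%d (stale ERR_STAT)\n",
           completion_reports_error(send_unsupported(&old_order, 0)));
    printf("new ordering, 1st command: error=%d\n",
           completion_reports_error(send_unsupported(&new_order, 1)));
    return 0;
}
```
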
  11. hw/ide/ahci: write D2H FIS when processing NCQ command

    The way that BUSY + PxCI is cleared for NCQ (FPDMA QUEUED) commands is
    described in SATA 3.5a Gold:
    
    11.15 FPDMA QUEUED command protocol
    DFPDMAQ2: ClearInterfaceBsy
    "Transmit Register Device to Host FIS with the BSY bit cleared to zero
    and the DRQ bit cleared to zero and Interrupt bit cleared to zero to
    mark interface ready for the next command."
    
    PxCI is currently cleared by handle_cmd(), but we don't write the D2H
    FIS to the FIS Receive Area that actually caused PxCI to be cleared.
    
    Similar to how ahci_pio_transfer() calls ahci_write_fis_pio() with an
    additional parameter to write a PIO Setup FIS without raising an IRQ,
    add a parameter to ahci_write_fis_d2h() so that ahci_write_fis_d2h()
    also can write the FIS to the FIS Receive Area without raising an IRQ.
    
    Change process_ncq_command() to call ahci_write_fis_d2h() without
    raising an IRQ (similar to ahci_pio_transfer()), such that the FIS
    Receive Area is in sync with the PxTFD shadow register.
    
    E.g. Linux reads status and error fields from the FIS Receive Area
    directly, so it is wise to keep the FIS Receive Area and the PxTFD
    shadow register in sync.
    
    Signed-off-by: Niklas Cassel <[email protected]>
    Message-id: [email protected]
    Signed-off-by: John Snow <[email protected]>
    (cherry picked from commit 2967dc8209dd27b61a6ab7bad78cf7c6ec58ddb4)
    Signed-off-by: Michael Tokarev <[email protected]>
    floatious authored and Michael Tokarev committed Sep 21, 2023
    1efefd1
  12. hw/ide/ahci: simplify and document PxCI handling

    The AHCI spec states that:
    For NCQ, PxCI is cleared on command queued successfully.
    
    For non-NCQ, PxCI is cleared on command completed successfully.
    (A non-NCQ command that completes with error does not clear PxCI.)
    
    The current QEMU implementation either clears PxCI in check_cmd(),
    or in ahci_cmd_done().
    
    check_cmd() will clear PxCI for a command if handle_cmd() returns 0.
    handle_cmd() will return -1 if BUSY or DRQ is set.
    
    The QEMU implementation for NCQ commands will currently not set BUSY
    or DRQ, so they will always have PxCI cleared by handle_cmd().
    ahci_cmd_done() will never even get called for NCQ commands.
    
    Non-NCQ commands are executed by ide_bus_exec_cmd().
    Non-NCQ commands in QEMU are implemented either in a sync or in an async
    way.
    
    For non-NCQ commands implemented in a sync way, the command handler will
    return true, and when ide_bus_exec_cmd() sees that a command handler
    returns true, it will call ide_cmd_done() (which will call
    ahci_cmd_done()). For a command implemented in a sync way,
    ahci_cmd_done() will do nothing (since busy_slot is not set). Instead,
    after ide_bus_exec_cmd() has finished, check_cmd() will clear PxCI for
    these commands.
    
    For non-NCQ commands implemented in an async way (using either aiocb or
    pio_aiocb), the command handler will return false, ide_bus_exec_cmd()
    will not call ide_cmd_done(), instead it is expected that the async
    callback function will call ide_cmd_done() once the async command is
    done. handle_cmd() will set busy_slot, if and only if BUSY or DRQ is
    set, and this is checked _after_ ide_bus_exec_cmd() has returned.
    handle_cmd() will return -1, so check_cmd() will not clear PxCI.
    When the async callback calls ide_cmd_done() (which will call
    ahci_cmd_done()), it will see that busy_slot is set, and
    ahci_cmd_done() will clear PxCI.
    
    This seems racy, since busy_slot is set _after_ ide_bus_exec_cmd() has
    returned. The callback might come before busy_slot gets set. And it is
    quite confusing that ahci_cmd_done() will be called for all non-NCQ
    commands when the command is done, but will only clear PxCI in certain
    cases, even though it will always write a D2H FIS and raise an IRQ.
    
    Even worse, in the case where ahci_cmd_done() does not clear PxCI, it
    still raises an IRQ. Host software might thus read an old PxCI value,
    since PxCI is cleared (by check_cmd()) after the IRQ has been raised.
    
    Try to simplify this by always setting busy_slot for non-NCQ commands,
    such that ahci_cmd_done() will always be responsible for clearing PxCI
    for non-NCQ commands.
    
    For NCQ commands, clear PxCI when we receive the D2H FIS, but before
    raising the IRQ, see AHCI 1.3.1, section 5.3.8, states RegFIS:Entry and
    RegFIS:ClearCI.
    
    Signed-off-by: Niklas Cassel <[email protected]>
    Message-id: [email protected]
    Signed-off-by: John Snow <[email protected]>
    (cherry picked from commit e2a5d9b3d9c3d311618160603cc9bc04fbd98796)
    Signed-off-by: Michael Tokarev <[email protected]>
    floatious authored and Michael Tokarev committed Sep 21, 2023
    16cc959
  13. hw/ide/ahci: PxSACT and PxCI is cleared when PxCMD.ST is cleared

    According to AHCI 1.3.1 definition of PxSACT:
    This field is cleared when PxCMD.ST is written from a '1' to a '0' by
    software. This field is not cleared by a COMRESET or a software reset.
    
    According to AHCI 1.3.1 definition of PxCI:
    This field is also cleared when PxCMD.ST is written from a '1' to a '0'
    by software.
    
    Clearing PxCMD.ST is part of the error recovery procedure, see
    AHCI 1.3.1, section "6.2 Error Recovery".
    
    If we don't clear PxCI on error recovery, the previous command will
    incorrectly still be marked as pending after error recovery.
    
    Signed-off-by: Niklas Cassel <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-id: [email protected]
    Signed-off-by: John Snow <[email protected]>
    (cherry picked from commit d73b84d0b664e60fffb66f46e84d0db4a8e1c713)
    Signed-off-by: Michael Tokarev <[email protected]>
    floatious authored and Michael Tokarev committed Sep 21, 2023
    4fbd5a5
  14. hw/ide/ahci: PxCI should not get cleared when ERR_STAT is set

    For NCQ, PxCI is cleared on command queued successfully.
    For non-NCQ, PxCI is cleared on command completed successfully.
    Successfully means ERR_STAT, BUSY and DRQ are all cleared.
    
    A command that has ERR_STAT set, does not get to clear PxCI.
    See AHCI 1.3.1, section 5.3.8, states RegFIS:Entry and RegFIS:ClearCI,
    and 5.3.16.5 ERR:FatalTaskfile.
    
    In the case of non-NCQ commands, not clearing PxCI is needed in order
    for host software to be able to see which command slot failed.
    
    Signed-off-by: Niklas Cassel <[email protected]>
    Message-id: [email protected]
    Signed-off-by: John Snow <[email protected]>
    (cherry picked from commit 1a16ce64fda11bdf50f0c4ab5d9fdde72c1383a2)
    Signed-off-by: Michael Tokarev <[email protected]>
    floatious authored and Michael Tokarev committed Sep 21, 2023
    4448c34
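
The PxCI rules stated in the three AHCI commits above (clear the slot bit only on success, leave it set when ERR_STAT is set, clear PxCI and PxSACT when PxCMD.ST goes from 1 to 0), as an added C model. This is not QEMU's code: the struct, the function names and the scenario are hypothetical, and only the ATA status bits and the PxCMD.ST bit position come from the ATA and AHCI specifications.

```c
#include <stdbool.h>
#include <stdint.h>

/* ATA status register bits. */
#define ERR_STAT  0x01u
#define DRQ_STAT  0x08u
#define BUSY_STAT 0x80u

/* AHCI PxCMD.ST (Start) is bit 0. */
#define PORT_CMD_START 0x1u

/* Hypothetical port model holding only the registers discussed above. */
struct port_model {
    uint32_t cmd;    /* PxCMD */
    uint32_t ci;     /* PxCI: one bit per issued command slot */
    uint32_t sact;   /* PxSACT: one bit per outstanding NCQ tag */
    uint8_t  status; /* status byte of the PxTFD shadow register */
};

/* "Successfully" means ERR_STAT, BUSY and DRQ are all cleared. */
static bool status_is_success(uint8_t status)
{
    return (status & (ERR_STAT | BUSY_STAT | DRQ_STAT)) == 0;
}

/* Host software issues a command in a slot. */
static void issue_cmd(struct port_model *p, unsigned slot, bool ncq)
{
    if (ncq) {
        p->sact |= 1u << slot;
    }
    p->ci |= 1u << slot;
}

/*
 * A D2H Register FIS arrives for a slot. The shadow register is updated
 * first; the slot bit in PxCI is cleared only on success, and before any
 * IRQ would be raised. Returns true when an error IRQ is due.
 */
static bool receive_d2h_fis(struct port_model *p, unsigned slot, uint8_t status)
{
    p->status = status;
    if (status & ERR_STAT) {
        return true;            /* PxCI untouched: the failed slot stays visible */
    }
    if (status_is_success(status)) {
        p->ci &= ~(1u << slot);
    }
    return false;
}

/* Software write to PxCMD: a 1 -> 0 transition of ST clears PxCI and PxSACT. */
static void write_pxcmd(struct port_model *p, uint32_t val)
{
    bool was_running = (p->cmd & PORT_CMD_START) != 0;
    bool now_running = (val & PORT_CMD_START) != 0;

    if (was_running && !now_running) {
        p->ci = 0;
        p->sact = 0;
    }
    p->cmd = val;
}

/* Constructed scenario: slots 3 and 5 issued; 3 succeeds, 5 fails. */
static struct port_model port_with_failed_slot(void)
{
    struct port_model p = { .cmd = PORT_CMD_START };

    issue_cmd(&p, 3, false);
    issue_cmd(&p, 5, false);
    receive_d2h_fis(&p, 3, 0x50);            /* DRDY | DSC, no error */
    receive_d2h_fis(&p, 5, 0x50 | ERR_STAT); /* command aborted */
    return p;
}

/* PxCI after the error: only the failed slot is still pending. */
uint32_t demo_ci_after_error(void)
{
    struct port_model p = port_with_failed_slot();
    return p.ci;
}

/* PxCI | PxSACT after error recovery has cleared PxCMD.ST. */
uint32_t demo_pending_after_recovery(void)
{
    struct port_model p = port_with_failed_slot();
    issue_cmd(&p, 7, true);                  /* an NCQ command still in flight */
    write_pxcmd(&p, p.cmd & ~PORT_CMD_START);
    return p.ci | p.sact;
}

/* A FIS that still has BUSY set neither clears PxCI nor signals an error. */
bool demo_busy_keeps_slot(void)
{
    struct port_model p = { .cmd = PORT_CMD_START };
    issue_cmd(&p, 0, false);
    bool err_irq = receive_d2h_fis(&p, 0, BUSY_STAT);
    return !err_irq && p.ci == 1u;
}
```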
  15. hw/ide/ahci: fix ahci_write_fis_sdb()

    When there is an error, we need to raise a TFES error irq, see AHCI 1.3.1,
    5.3.13.1 SDB:Entry.
    
    If ERR_STAT is set, we jump to state ERR:FatalTaskfile, which will raise
    a TFES IRQ unconditionally, regardless if the I bit is set in the FIS or
    not.
    
    Thus, we should never raise a normal IRQ after having sent an error IRQ.
    
    It is valid to signal successfully completed commands as finished in the
    same SDB FIS that generates the error IRQ. The important thing is that
    commands that did not complete successfully (e.g. commands that were
    aborted) do not get the finished bit set.
    
    Before this commit, there was never a TFES IRQ raised on NCQ error.
    
    Signed-off-by: Niklas Cassel <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-id: [email protected]
    Signed-off-by: John Snow <[email protected]>
    (cherry picked from commit 7e85cb0db4c693b4e084a00e66fe73a22ed1688a)
    Signed-off-by: Michael Tokarev <[email protected]>
    floatious authored and Michael Tokarev committed Sep 21, 2023
    e8f5ca5
  16. hw/ide/ahci: fix broken SError handling

    When encountering an NCQ error, you should not write the NCQ tag to the
    SError register. This is completely wrong.
    
    The SError register has a clear definition, where each bit represents a
    different error, see PxSERR definition in AHCI 1.3.1.
    
    If we write a random value (like the NCQ tag) in SError, e.g. Linux will
    read SError, and will trigger arbitrary error handling depending on the
    NCQ tag that happened to be executing.
    
    In case of success, ncq_cb() will call ncq_finish().
    In case of error, ncq_cb() will call ncq_err() (which will clear
    ncq_tfs->used), and then call ncq_finish(), thus using ncq_tfs->used is
    sufficient to tell if finished should get set or not.
    
    Signed-off-by: Niklas Cassel <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-id: [email protected]
    Signed-off-by: John Snow <[email protected]>
    (cherry picked from commit 9f89423537653de07ca40c18b5ff5b70b104cc93)
    Signed-off-by: Michael Tokarev <[email protected]>
    floatious authored and Michael Tokarev committed Sep 21, 2023
    d536158
  17. hw/i2c/aspeed: Fix Tx count and Rx size error in buffer pool mode

    Fixed inconsistency between the register bit field definition header file
    and the ast2600 datasheet. The reg name is I2CD1C:Pool Buffer Control
    Register in old register mode and I2CC0C: Master/Slave Pool Buffer Control
    Register in new register mode. They share bit field
    [12:8]:Transmit Data Byte Count and bit field
    [29:24]:Actual Received Pool Buffer Size according to the datasheet.
    According to the ast2600 datasheet, the actual Tx count is
    Transmit Data Byte Count plus 1, and the max Rx size is
    Receive Pool Buffer Size plus 1, both in Pool Buffer Control Register.
    The version before forgot to add 1, and mistook Rx count for Rx size.
    
    Signed-off-by: Hang Yu <[email protected]>
    Fixes: 3be3d6c ("aspeed: i2c: Migrate to registerfields API")
    Reviewed-by: Cédric Le Goater <[email protected]>
    Signed-off-by: Cédric Le Goater <[email protected]>
    (cherry picked from commit 97b8aa5ae9ff197394395eda5062ea3681e09c28)
    Signed-off-by: Michael Tokarev <[email protected]>
    Hang Yu authored and Michael Tokarev committed Sep 21, 2023
    9dc6f05
  18. hw/i2c/aspeed: Fix TXBUF transmission start position error

    According to the ast2600 datasheet and the linux aspeed i2c driver,
    the TXBUF transmission start position should be TXBUF[0] instead
    of TXBUF[1], so the arg pool_start is useless, and the address is not
    included in TXBUF. So even if Tx Count equals zero, there is at least
    1 byte of data that needs to be transmitted, and M_TX_CMD should not be
    cleared in this condition. The driver URL is:
    https://github.com/AspeedTech-BMC/linux/blob/aspeed-master-v5.15/drivers/i2c/busses/i2c-ast2600.c
    
    Signed-off-by: Hang Yu <[email protected]>
    Fixes: 6054fc7 ("aspeed/i2c: Add support for pool buffer transfers")
    Reviewed-by: Cédric Le Goater <[email protected]>
    Signed-off-by: Cédric Le Goater <[email protected]>
    (cherry picked from commit 961faf3ddbd8ffcdf776bbcf88af0bc97218114a)
    Signed-off-by: Michael Tokarev <[email protected]>
    Hang Yu authored and Michael Tokarev committed Sep 21, 2023
    25ec23a
  19. qemu-options.hx: Rephrase the descriptions of the -hd* and -cdrom options
    
    The current description says that these options will create a device
    on the IDE bus, which is only true on x86. So rephrase these sentences
    a little bit to speak of "default bus" instead.
    
    Signed-off-by: Thomas Huth <[email protected]>
    Reviewed-by: Alex Bennée <[email protected]>
    Signed-off-by: Michael Tokarev <[email protected]>
    (cherry picked from commit bcd8e243083c878884e52d609deddbe6be17c730)
    Signed-off-by: Michael Tokarev <[email protected]>
    huth authored and Michael Tokarev committed Sep 21, 2023
    01bf87c
  20. docs tests: Fix use of migrate_set_parameter

    docs/multi-thread-compression.txt uses parameter names with
    underscores instead of dashes.  Wrong since day one.
    
    docs/rdma.txt, tests/qemu-iotests/181, and tests/qtest/test-hmp.c are
    wrong the same way since commit cbde7be (v6.0.0).  Hard to see,
    as test-hmp doesn't check whether the commands work, and iotest 181
    appears to be unaffected.
    
    Fixes: 263170e (docs: Add a doc about multiple thread compression)
    Fixes: cbde7be (migrate: remove QMP/HMP commands for speed, downtime and cache size)
    Signed-off-by: Markus Armbruster <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Signed-off-by: Michael Tokarev <[email protected]>
    (cherry picked from commit b21a6e31a182a5ae7436a444f840d49aac07c94f)
    Signed-off-by: Michael Tokarev <[email protected]>
    Markus Armbruster authored and Michael Tokarev committed Sep 21, 2023
    6356785
  21. hw/net/vmxnet3: Fix guest-triggerable assert()

    The assert() that checks for valid MTU sizes can be triggered by
    the guest (e.g. with the reproducer code from the bug ticket
    https://gitlab.com/qemu-project/qemu/-/issues/517 ). Let's avoid
    this problem by simply logging the error and refusing to activate
    the device instead.
    
    Fixes: d05dcd9 ("net: vmxnet3: validate configuration values during activate")
    Signed-off-by: Thomas Huth <[email protected]>
    Cc: [email protected]
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Signed-off-by: Michael Tokarev <[email protected]>
    [Mjt: change format specifier from %d to %u for uint32_t argument]
    (cherry picked from commit 90a0778421acdf4ca903be64c8ed19378183c944)
    Signed-off-by: Michael Tokarev <[email protected]>
    huth authored and Michael Tokarev committed Sep 21, 2023
    93d4107
  22. qxl: don't assert() if device isn't yet initialized

    If the PCI BAR isn't yet mapped or was unmapped, QXL_IO_SET_MODE will
    assert(). Instead, report a guest bug and keep going.
    
    This can be reproduced with:
    
    cat << EOF | ./qemu-system-x86_64 -vga qxl -m 2048 -nodefaults -qtest stdio
    outl 0xcf8 0x8000101c
    outl 0xcfc 0xc000
    outl 0xcf8 0x80001001
    outl 0xcfc 0x01000000
    outl 0xc006 0x00
    EOF
    
    Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1829
    
    Signed-off-by: Marc-André Lureau <[email protected]>
    Reviewed-by: Thomas Huth <[email protected]>
    Cc: [email protected]
    Signed-off-by: Michael Tokarev <[email protected]>
    (cherry picked from commit 95bef686e490bc3afc3f51f5fc6e20bf260b938c)
    Signed-off-by: Michael Tokarev <[email protected]>
    elmarco authored and Michael Tokarev committed Sep 21, 2023
    eeee989
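
Both fixes above (vmxnet3 and qxl) replace an assert() on guest-controlled state with a logged error and a refusal to proceed, so a guest can no longer abort the QEMU process. An added C sketch of that pattern follows; it is not QEMU's code, and the struct, the function names, the MTU bounds and the scenario values are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed bounds for illustration; a real device model takes them from its spec. */
#define DEMO_MIN_MTU 60u
#define DEMO_MAX_MTU 9000u

/* Hypothetical device state. Fields marked "guest" are attacker-controlled. */
struct demo_dev {
    uint32_t guest_mtu;    /* guest: written through shared memory */
    bool     bar_mapped;   /* guest: false until the BAR is programmed and enabled */
    bool     active;
    uint32_t mode;
    unsigned guest_errors; /* number of guest requests that were rejected */
};

/* Stand-in for a guest-error log; %u-style format for the uint32_t argument. */
static void log_guest_error(struct demo_dev *d, const char *what, uint32_t val)
{
    d->guest_errors++;
    fprintf(stderr, "guest error: %s (value %" PRIu32 ")\n", what, val);
}

/*
 * The fragile form would be:
 *     assert(d->guest_mtu >= DEMO_MIN_MTU && d->guest_mtu <= DEMO_MAX_MTU);
 * which turns a bad guest value into an abort of the whole VM process.
 * Hardened form: log the error and refuse to activate the device.
 */
bool demo_activate(struct demo_dev *d)
{
    if (d->guest_mtu < DEMO_MIN_MTU || d->guest_mtu > DEMO_MAX_MTU) {
        log_guest_error(d, "bad MTU size", d->guest_mtu);
        d->active = false;
        return false;
    }
    d->active = true;
    return true;
}

/*
 * An I/O write that needs the BAR. If the guest has not mapped it (or has
 * unmapped it), report a guest bug and keep going instead of asserting.
 */
bool demo_set_mode(struct demo_dev *d, uint32_t mode)
{
    if (!d->bar_mapped) {
        log_guest_error(d, "set mode while BAR is not mapped", mode);
        return false;
    }
    d->mode = mode;
    return true;
}

/*
 * Constructed scenario: a guest writes an out-of-range MTU and issues a
 * mode change before mapping the BAR. Returns the number of rejected
 * requests, or 0 if anything was wrongly applied.
 */
unsigned demo_hostile_guest(void)
{
    struct demo_dev d = { .guest_mtu = 0xFFFFFFFFu, .bar_mapped = false };
    bool activated = demo_activate(&d);
    bool mode_set = demo_set_mode(&d, 0);

    if (activated || mode_set || d.active) {
        return 0;
    }
    return d.guest_errors;
}

/* Constructed scenario: valid configuration is still accepted. */
bool demo_well_behaved_guest(void)
{
    struct demo_dev d = { .guest_mtu = 1500, .bar_mapped = true };
    return demo_activate(&d) && demo_set_mode(&d, 1) &&
           d.active && d.mode == 1 && d.guest_errors == 0;
}
```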
  23. virtio: Drop out of coroutine context in virtio_load()

    virtio_load() as a whole should run in coroutine context because it
    reads from the migration stream and we don't want this to block.
    
    However, it calls virtio_set_features_nocheck() and devices don't
    expect their .set_features callback to run in a coroutine and therefore
    call functions that may not be called in coroutine context. To fix this,
    drop out of coroutine context for calling virtio_set_features_nocheck().
    
    Without this fix, the following crash was reported:
    
      #0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
      #1  0x00007efc738c05d3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
      #2  0x00007efc73873d26 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
      #3  0x00007efc738477f3 in __GI_abort () at abort.c:79
      #4  0x00007efc7384771b in __assert_fail_base (fmt=0x7efc739dbcb8 "", assertion=assertion@entry=0x560aebfbf5cf "!qemu_in_coroutine()",
         file=file@entry=0x560aebfcd2d4 "../block/graph-lock.c", line=line@entry=275, function=function@entry=0x560aebfcd34d "void bdrv_graph_rdlock_main_loop(void)") at assert.c:92
      #5  0x00007efc7386ccc6 in __assert_fail (assertion=0x560aebfbf5cf "!qemu_in_coroutine()", file=0x560aebfcd2d4 "../block/graph-lock.c", line=275,
         function=0x560aebfcd34d "void bdrv_graph_rdlock_main_loop(void)") at assert.c:101
      #6  0x0000560aebcd8dd6 in bdrv_register_buf ()
      #7  0x0000560aeb97ed97 in ram_block_added.llvm ()
      #8  0x0000560aebb8303f in ram_block_add.llvm ()
      #9  0x0000560aebb834fa in qemu_ram_alloc_internal.llvm ()
      #10 0x0000560aebb2ac98 in vfio_region_mmap ()
      #11 0x0000560aebb3ea0f in vfio_bars_register ()
      #12 0x0000560aebb3c628 in vfio_realize ()
      #13 0x0000560aeb90f0c2 in pci_qdev_realize ()
      #14 0x0000560aebc40305 in device_set_realized ()
      #15 0x0000560aebc48e07 in property_set_bool.llvm ()
      #16 0x0000560aebc46582 in object_property_set ()
      #17 0x0000560aebc4cd58 in object_property_set_qobject ()
      #18 0x0000560aebc46ba7 in object_property_set_bool ()
      #19 0x0000560aeb98b3ca in qdev_device_add_from_qdict ()
      #20 0x0000560aebb1fbaf in virtio_net_set_features ()
      #21 0x0000560aebb46b51 in virtio_set_features_nocheck ()
      #22 0x0000560aebb47107 in virtio_load ()
      #23 0x0000560aeb9ae7ce in vmstate_load_state ()
      #24 0x0000560aeb9d2ee9 in qemu_loadvm_state_main ()
      #25 0x0000560aeb9d45e1 in qemu_loadvm_state ()
      #26 0x0000560aeb9bc32c in process_incoming_migration_co.llvm ()
      #27 0x0000560aebeace56 in coroutine_trampoline.llvm ()
    
    Cc: [email protected]
    Buglink: https://issues.redhat.com/browse/RHEL-832
    Signed-off-by: Kevin Wolf <[email protected]>
    Message-ID: <[email protected]>
    Reviewed-by: Stefan Hajnoczi <[email protected]>
    Signed-off-by: Kevin Wolf <[email protected]>
    (cherry picked from commit 92e2e6a867334a990f8d29f07ca34e3162fdd6ec)
    Signed-off-by: Michael Tokarev <[email protected]>
    kevmw authored and Michael Tokarev committed Sep 21, 2023
    df33ce9
  24. arm64: Restore trapless ptimer access

    Due to recent KVM changes, QEMU is setting a ptimer offset resulting
    in unintended trap and emulate access and a consequent performance
    hit. Filter out the PTIMER_CNT register to restore trapless ptimer
    access.
    
    Quoting Andrew Jones:
    
    Simply reading the CNT register and writing back the same value is
    enough to set an offset, since the timer will have certainly moved
    past whatever value was read by the time it's written.  QEMU
    frequently saves and restores all registers in the get-reg-list array,
    unless they've been explicitly filtered out (with Linux commit
    680232a94c12, KVM_REG_ARM_PTIMER_CNT is now in the array). So, to
    restore trapless ptimer accesses, we need a QEMU patch to filter out
    the register.
    
    See
    https://lore.kernel.org/kvmarm/[email protected]/T/#m0770023762a821db2a3f0dd0a7dc6aa54e0d0da9
    for additional context.
    
    Cc: [email protected]
    Signed-off-by: Andrew Jones <[email protected]>
    Signed-off-by: Colton Lewis <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Tested-by: Colton Lewis <[email protected]>
    Message-id: [email protected]
    Signed-off-by: Peter Maydell <[email protected]>
    (cherry picked from commit 682814e2a3c883b27f24b9e7cab47313c49acbd4)
    Signed-off-by: Michael Tokarev <[email protected]>
    coltonlewis authored and Michael Tokarev committed Sep 21, 2023
    9832a67
  25. hw/char/riscv_htif: Fix printing of console characters on big endian hosts
    
    The character that should be printed is stored in the 64 bit "payload"
    variable. The code currently tries to print it by taking the address
    of the variable and passing this pointer to qemu_chr_fe_write(). However,
    this only works on little endian hosts where the least significant bits
    are stored on the lowest address. To do this in a portable way, we have
    to store the value in an uint8_t variable instead.
    
    Fixes: 5033606 ("RISC-V HTIF Console")
    Signed-off-by: Thomas Huth <[email protected]>
    Reviewed-by: Alistair Francis <[email protected]>
    Reviewed-by: Bin Meng <[email protected]>
    Reviewed-by: Daniel Henrique Barboza <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    (cherry picked from commit c255946e3df4d9660e4f468a456633c24393d468)
    Signed-off-by: Michael Tokarev <[email protected]>
    huth authored and Michael Tokarev committed Sep 21, 2023
    3d6251f
  26. hw/char/riscv_htif: Fix the console syscall on big endian hosts

    Values that have been read via cpu_physical_memory_read() from the
    guest's memory have to be swapped in case the host endianness differs
    from the guest.
    
    Fixes: a6e13e3 ("riscv_htif: Support console output via proxy syscall")
    Signed-off-by: Thomas Huth <[email protected]>
    Reviewed-by: Alistair Francis <[email protected]>
    Reviewed-by: Bin Meng <[email protected]>
    Reviewed-by: Daniel Henrique Barboza <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    (cherry picked from commit 058096f1c55ab688db7e1d6814aaefc1bcd87f7a)
    Signed-off-by: Michael Tokarev <[email protected]>
    huth authored and Michael Tokarev committed Sep 21, 2023
    b9f8329
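
The two riscv_htif commits above describe the same class of bug: code that depends on how the host lays out a 64-bit integer in memory. The C below is an added illustration, not QEMU's code. It simulates both host byte orders explicitly so it behaves identically on any machine; the function names, the stand-in for the character backend and the sample values are hypothetical, and the guest is assumed to be little-endian.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Lay out a 64-bit value the way a little- or big-endian host stores it. */
static void store_as_host(uint64_t v, bool host_big_endian, uint8_t out[8])
{
    for (int i = 0; i < 8; i++) {
        int shift = host_big_endian ? 8 * (7 - i) : 8 * i;
        out[i] = (uint8_t)(v >> shift);
    }
}

/* Hypothetical stand-in for a character backend write: returns the byte sent. */
static uint8_t chr_write(const uint8_t *buf, size_t len)
{
    return len ? buf[0] : 0;
}

/*
 * Pattern from the first commit message: pass the address of the 64-bit
 * payload with length 1. The byte at the lowest address is the least
 * significant one only on a little-endian host.
 */
uint8_t emit_via_pointer(uint64_t payload, bool host_big_endian)
{
    uint8_t host_mem[8];

    store_as_host(payload, host_big_endian, host_mem);
    return chr_write(host_mem, 1);
}

/* Portable pattern: narrow the value to a uint8_t first, then pass that. */
uint8_t emit_via_uint8(uint64_t payload)
{
    uint8_t ch = (uint8_t)payload;

    return chr_write(&ch, 1);
}

/* What a plain integer load of bytes copied from guest memory yields. */
uint64_t load_raw(const uint8_t b[8], bool host_big_endian)
{
    uint64_t v = 0;

    for (int i = 0; i < 8; i++) {
        int shift = host_big_endian ? 8 * (7 - i) : 8 * i;
        v |= (uint64_t)b[i] << shift;
    }
    return v;
}

/* Decode with the guest's byte order (assumed little-endian), host-independent. */
uint64_t load_guest_le64(const uint8_t b[8])
{
    uint64_t v = 0;

    for (int i = 0; i < 8; i++) {
        v |= (uint64_t)b[i] << (8 * i);
    }
    return v;
}

/*
 * Constructed guest memory: a 64-bit field holding the value 64, stored
 * little-endian. With swapped == false the bytes are interpreted in host
 * order; with swapped == true they are decoded in guest order.
 */
uint64_t demo_guest_field(bool host_big_endian, bool swapped)
{
    static const uint8_t guest_mem[8] = { 0x40, 0, 0, 0, 0, 0, 0, 0 };

    return swapped ? load_guest_le64(guest_mem)
                   : load_raw(guest_mem, host_big_endian);
}
```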
  27. target/riscv/cpu.c: add zmmul isa string

    zmmul was promoted from experimental to ratified in commit 6d00ffa.
    Add a riscv,isa string for it.
    
    Fixes: 6d00ffa ("target/riscv: move zmmul out of the experimental properties")
    Signed-off-by: Daniel Henrique Barboza <[email protected]>
    Reviewed-by: Weiwei Li <[email protected]>
    Reviewed-by: Alistair Francis <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    (cherry picked from commit 50f9464962fb41f04fd5f42e7ee2cb60942aba89)
    Signed-off-by: Michael Tokarev <[email protected]>
    danielhb authored and Michael Tokarev committed Sep 21, 2023
    987e90c
  28. target/riscv: Fix page_check_range use in fault-only-first

    Commit bef6f00 (accel/tcg: Return bool from page_check_range) converts
    integer return value to bool type. However, it wrongly converted the use
    of the API in riscv fault-only-first, where page_check_range <= 0, should
    be converted to !page_check_range.
    
    Signed-off-by: LIU Zhiwei <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    (cherry picked from commit 4cc9f284d5971ecd8055d26ef74c23ef0be8b8f5)
    Signed-off-by: Michael Tokarev <[email protected]>
    romanheros authored and Michael Tokarev committed Sep 21, 2023
    6c24b60
  29. target/riscv: Fix zfa fleq.d and fltq.d

    Commit a47842d ("riscv: Add support for the Zfa extension") implemented the zfa extension.
    However, it has some typos for fleq.d and fltq.d. Both of them misused the fltq.s
    helper function.
    
    Fixes: a47842d ("riscv: Add support for the Zfa extension")
    Signed-off-by: LIU Zhiwei <[email protected]>
    Reviewed-by: Daniel Henrique Barboza <[email protected]>
    Reviewed-by: Weiwei Li <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    (cherry picked from commit eda633a534f8af4abe3a88731bba6dacdb973993)
    Signed-off-by: Michael Tokarev <[email protected]>
    romanheros authored and Michael Tokarev committed Sep 21, 2023
    8ae2012
  30. hw/intc: Fix upper/lower mtime write calculation

    When writing the upper mtime, we should keep the original lower mtime
    whose value is given by cpu_riscv_read_rtc() instead of
    cpu_riscv_read_rtc_raw(). The same logic applies to writes to lower mtime.
    
    Signed-off-by: Jason Chien <[email protected]>
    Reviewed-by: Alistair Francis <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    (cherry picked from commit e0922b73baf00c4c19d4ad30d09bb94f7ffea0f4)
    Signed-off-by: Michael Tokarev <[email protected]>
    Jason Chien authored and Michael Tokarev committed Sep 21, 2023
    566dac7
  31. hw/intc: Make rtc variable names consistent

    The variables whose values are given by cpu_riscv_read_rtc() should be named
    "rtc". The variables whose values are given by cpu_riscv_read_rtc_raw()
    should be named "rtc_r".
    
    Signed-off-by: Jason Chien <[email protected]>
    Reviewed-by: Alistair Francis <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    (cherry picked from commit 9382a9eafccad8dc6a487ea3a8d2bed03dc35db9)
    Signed-off-by: Michael Tokarev <[email protected]>
    Jason Chien authored and Michael Tokarev committed Sep 21, 2023
    60a7f5c
  32. linux-user/riscv: Use abi type for target_ucontext

    We should not use types dependent on host arch for target_ucontext.
    This bug is found when running rv32 applications.
    
    Signed-off-by: LIU Zhiwei <[email protected]>
    Reviewed-by: Richard Henderson <[email protected]>
    Reviewed-by: Daniel Henrique Barboza <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    (cherry picked from commit ae7d4d625cab49657b9fc2be09d895afb9bcdaf0)
    Signed-off-by: Michael Tokarev <[email protected]>
    romanheros authored and Michael Tokarev committed Sep 21, 2023
    2947da7
  33. hw/riscv: virt: Fix riscv,pmu DT node path

    On a dtb dumped from the virt machine, dt-validate complains:
    soc: pmu: {'riscv,event-to-mhpmcounters': [[1, 1, 524281], [2, 2, 524284], [65561, 65561, 524280], [65563, 65563, 524280], [65569, 65569, 524280]], 'compatible': ['riscv,pmu']} should not be valid under {'type': 'object'}
            from schema $id: http://devicetree.org/schemas/simple-bus.yaml#
    That's pretty cryptic, but running the dtb back through dtc produces
    something a lot more reasonable:
    Warning (simple_bus_reg): /soc/pmu: missing or empty reg/ranges property
    
    Moving the riscv,pmu node out of the soc bus solves the problem.
    
    Signed-off-by: Conor Dooley <[email protected]>
    Acked-by: Alistair Francis <[email protected]>
    Reviewed-by: Daniel Henrique Barboza <[email protected]>
    Message-ID: <20230727-groom-decline-2c57ce42841c@spud>
    Signed-off-by: Alistair Francis <[email protected]>
    (cherry picked from commit 9ff31406312500053ecb5f92df01dd9ce52e635d)
    Signed-off-by: Michael Tokarev <[email protected]>
    ConchuOD authored and Michael Tokarev committed Sep 21, 2023
    b822207
  34. target/riscv: fix satp_mode_finalize() when satp_mode.supported = 0

    In the same emulated RISC-V host, the 'host' KVM CPU takes 4 times
    longer to boot than the 'rv64' KVM CPU.
    
    The reason is an unintended behavior of riscv_cpu_satp_mode_finalize()
    when satp_mode.supported = 0, i.e. when cpu_init() does not set
    satp_mode_max_supported(). satp_mode_max_from_map(map) does:
    
    31 - __builtin_clz(map)
    
    This means that, if satp_mode.supported = 0, satp_mode_supported_max
    will be '31 - 32'. But this is C, so satp_mode_supported_max will gladly
    set it to UINT_MAX (4294967295). After that, if the user didn't set a
    satp_mode, set_satp_mode_default_map(cpu) will make
    
    cfg.satp_mode.map = cfg.satp_mode.supported
    
    So satp_mode.map = 0. And then satp_mode_map_max will be set to
    satp_mode_max_from_map(cpu->cfg.satp_mode.map), i.e. also UINT_MAX. The
    guard "satp_mode_map_max > satp_mode_supported_max" doesn't protect us
    here since both are UINT_MAX.
    
    And finally we have 2 loops:
    
            for (int i = satp_mode_map_max - 1; i >= 0; --i) {
    
    Which are, in fact, 2 loops from UINT_MAX -1 to -1. This is where the
    extra delay when booting the 'host' CPU is coming from.
    
    Commit 43d1de3 already set a precedence for satp_mode.supported = 0
    in a different manner. We're doing the same here. If supported == 0,
    interpret as 'the CPU wants the OS to handle satp mode alone' and skip
    satp_mode_finalize().
    
    We'll also put a guard in satp_mode_max_from_map() to assert out if map
    is 0 since the function is not ready to deal with it.
    
    Cc: Alexandre Ghiti <[email protected]>
    Fixes: 6f23aae ("riscv: Allow user to set the satp mode")
    Signed-off-by: Daniel Henrique Barboza <[email protected]>
    Reviewed-by: Andrew Jones <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    (cherry picked from commit 3a2fc23563885c219c73c8f24318921daf02f3f2)
    Signed-off-by: Michael Tokarev <[email protected]>
    danielhb authored and Michael Tokarev committed Sep 21, 2023
    1d4fb58
  35. target/riscv/pmp.c: respect mseccfg.RLB for pmpaddrX changes

    When the rule-lock bypass (RLB) bit is set in the mseccfg CSR, the PMP
    configuration lock bits must not apply. While this behavior is
    implemented for the pmpcfgX CSRs, this bit is not respected for
    changes to the pmpaddrX CSRs. This patch ensures that pmpaddrX CSR
    writes work even on locked regions when the global rule-lock bypass is
    enabled.
    
    Signed-off-by: Leon Schuermann <[email protected]>
    Reviewed-by: Mayuresh Chitale <[email protected]>
    Reviewed-by: Alistair Francis <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    (cherry picked from commit 4e3adce1244e1ca30ec05874c3eca14911dc0825)
    Signed-off-by: Michael Tokarev <[email protected]>
    Leon Schuermann authored and Michael Tokarev committed Sep 21, 2023
    7385e00
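
The pmpaddrX rule described in the commit above, as an added C model: a write to a locked entry is ignored unless mseccfg.RLB is set. This is not QEMU's code. The struct, the function names and the sample addresses are hypothetical; the pmpcfg L and A bit positions and the mseccfg.RLB bit come from the RISC-V privileged and Smepmp specifications. The model also covers the related TOR case, where pmpaddr[i] is the lower bound of a locked entry i+1.

```c
#include <stdbool.h>
#include <stdint.h>

#define PMP_ENTRIES  4           /* small model for illustration */
#define PMP_LOCK     0x80u       /* pmpcfg L bit */
#define PMP_A_MASK   0x18u       /* pmpcfg A field */
#define PMP_A_TOR    0x08u       /* A = 1: top-of-range */
#define MSECCFG_RLB  (1u << 2)   /* mseccfg rule-lock bypass */

/* Hypothetical PMP state: only what the lock check needs. */
struct pmp_model {
    uint8_t  cfg[PMP_ENTRIES];
    uint64_t addr[PMP_ENTRIES];
    uint32_t mseccfg;
};

/* An entry's lock bit only applies while mseccfg.RLB is clear. */
static bool pmp_entry_locked(const struct pmp_model *p, unsigned i)
{
    if (p->mseccfg & MSECCFG_RLB) {
        return false;
    }
    return (p->cfg[i] & PMP_LOCK) != 0;
}

/*
 * Write pmpaddr[i]. The write is ignored when entry i is locked, or when
 * entry i+1 is locked and uses TOR (pmpaddr[i] is then its lower bound).
 * Returns true if the register was updated.
 */
bool pmpaddr_write(struct pmp_model *p, unsigned i, uint64_t val)
{
    if (i >= PMP_ENTRIES) {
        return false;
    }
    if (pmp_entry_locked(p, i)) {
        return false;
    }
    if (i + 1 < PMP_ENTRIES && pmp_entry_locked(p, i + 1) &&
        (p->cfg[i + 1] & PMP_A_MASK) == PMP_A_TOR) {
        return false;
    }
    p->addr[i] = val;
    return true;
}

/* Constructed state: entry 1 is a locked TOR region over [addr[0], addr[1]). */
static struct pmp_model locked_tor_region(uint32_t mseccfg)
{
    struct pmp_model p = { .mseccfg = mseccfg };

    p.addr[0] = 0x1000;
    p.addr[1] = 0x2000;
    p.cfg[1] = PMP_LOCK | PMP_A_TOR;
    return p;
}

/* Value of pmpaddr1 after trying to overwrite the locked entry itself. */
uint64_t demo_write_locked_entry(uint32_t mseccfg)
{
    struct pmp_model p = locked_tor_region(mseccfg);

    pmpaddr_write(&p, 1, 0x8000);
    return p.addr[1];
}

/* Value of pmpaddr0 after trying to move the locked region's lower bound. */
uint64_t demo_write_tor_lower_bound(uint32_t mseccfg)
{
    struct pmp_model p = locked_tor_region(mseccfg);

    pmpaddr_write(&p, 0, 0x0);
    return p.addr[0];
}
```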
  36. target/riscv: Allocate itrigger timers only once

    riscv_trigger_init() had been called on reset events that can happen
    several times for a CPU and it allocated timers for itrigger. If old
    timers were present, they were simply overwritten by the new timers,
    resulting in a memory leak.
    
    Divide riscv_trigger_init() into two functions, namely
    riscv_trigger_realize() and riscv_trigger_reset() and call them in
    appropriate timing. The timer allocation will happen only once for a
    CPU in riscv_trigger_realize().
    
    Fixes: 5a4ae64 ("target/riscv: Add itrigger support when icount is enabled")
    Signed-off-by: Akihiko Odaki <[email protected]>
    Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
    Reviewed-by: LIU Zhiwei <[email protected]>
    Reviewed-by: Alistair Francis <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Alistair Francis <[email protected]>
    (cherry picked from commit a7c272df82af11c568ea83921b04334791dccd5e)
    Signed-off-by: Michael Tokarev <[email protected]>
    akihikodaki authored and Michael Tokarev committed Sep 21, 2023
    cae7dc1
  37. virtio-gpu/win32: set the destroy function on load

    Don't forget to unmap the resource memory.
    
    Fixes: commit 9462ff4 ("virtio-gpu/win32: allocate shareable 2d resources/images")
    
    Signed-off-by: Marc-André Lureau <[email protected]>
    (cherry picked from commit 04562ee88e99d71f4e6017f64123f726dd8b41e1)
    Signed-off-by: Michael Tokarev <[email protected]>
    elmarco authored and Michael Tokarev committed Sep 21, 2023
    d4919bb
  38. ui: fix crash when there are no active_console

    Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
    0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
    812	    return con->hw_ops->ui_info != NULL;
    (gdb) bt
    #0  0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
    #1  0x00005555558a44b1 in protocol_client_msg (vs=0x5555578c76c0, data=0x5555581e93f0 <incomplete sequence \373>, len=24) at ../ui/vnc.c:2585
    #2  0x00005555558a19ac in vnc_client_read (vs=0x5555578c76c0) at ../ui/vnc.c:1607
    #3  0x00005555558a1ac2 in vnc_client_io (ioc=0x5555581eb0e0, condition=G_IO_IN, opaque=0x5555578c76c0) at ../ui/vnc.c:1635
    
    Fixes:
    https://issues.redhat.com/browse/RHEL-2600
    
    Signed-off-by: Marc-André Lureau <[email protected]>
    Reviewed-by: Albert Esteve <[email protected]>
    (cherry picked from commit 48a35e12faf90a896c5aa4755812201e00d60316)
    Signed-off-by: Michael Tokarev <[email protected]>
    elmarco authored and Michael Tokarev committed Sep 21, 2023
    8b47922
  39. s390x/ap: fix missing subsystem reset registration

    A subsystem reset contains a reset of AP resources which has been
    missing.  Adding the AP bridge to the list of device types that need
    reset fixes this issue.
    
    Reviewed-by: Jason J. Herne <[email protected]>
    Reviewed-by: Tony Krowiak <[email protected]>
    Signed-off-by: Janosch Frank <[email protected]>
    Fixes: a51b315 ("s390x/ap: base Adjunct Processor (AP) object model")
    Message-ID: <[email protected]>
    Signed-off-by: Thomas Huth <[email protected]>
    (cherry picked from commit 297ec01f0b9864ea8209ca0ddc6643b4c0574bdb)
    Signed-off-by: Michael Tokarev <[email protected]>
    frankjaa authored and Michael Tokarev committed Sep 21, 2023
    60da830
  40. meson: Fix targetos match for illumos and Solaris.

    qemu 8.1.0 breaks on illumos platforms due to _XOPEN_SOURCE and others no longer being set correctly, leading to breakage such as:
    
      https://us-central.manta.mnx.io/pkgsrc/public/reports/trunk/tools/20230908.1404/qemu-8.1.0/build.log
    
    This is a result of meson conversion which incorrectly matches against 'solaris' instead of 'sunos' for uname.
    
    First time submitting a patch here, hope I did it correctly.  Thanks.
    
    Signed-off-by: Jonathan Perkin <[email protected]>
    Message-ID: <[email protected]>
    Cc: [email protected]
    Signed-off-by: Paolo Bonzini <[email protected]>
    (cherry picked from commit fb0a8b0e238277296907ffe765bf76874cfc1df6)
    Signed-off-by: Michael Tokarev <[email protected]>
    (Mjt: omit net/meson.build change before v8.1.0-279-g73258b3864, adjust context before v8.1.0-288-g2fc36530de)
    jperkin authored and Michael Tokarev committed Sep 21, 2023
    56270e5
  41. tpm: fix crash when FD >= 1024 and unnecessary errors due to EINTR

    Replace select() with poll() to fix a crash when QEMU has a large number
    of FDs. Also use RETRY_ON_EINTR to avoid unnecessary errors due to EINTR.
    
    Cc: [email protected]
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2020133
    Fixes: 56a3c24 ("tpm: Probe for connected TPM 1.2 or TPM 2")
    Signed-off-by: Marc-André Lureau <[email protected]>
    Reviewed-by: Michael Tokarev <[email protected]>
    Reviewed-by: Stefan Berger <[email protected]>
    Signed-off-by: Stefan Berger <[email protected]>
    (cherry picked from commit 8e32ddff69b6b4547cc00592ad816484e160817a)
    Signed-off-by: Michael Tokarev <[email protected]>
    elmarco authored and Michael Tokarev committed Sep 21, 2023
    045fa84
  42. Update version for 8.1.1 release

    Signed-off-by: Michael Tokarev <[email protected]>
    Michael Tokarev committed Sep 21, 2023
    6bb4a8a

Commits on Oct 1, 2023

  1. 6d3f109
  2. Merge tag 'v8.1.1' into merge-v8.1.1

    v8.1.1 release
    vintagepc committed Oct 1, 2023
    c257946
  3. Merge fallout

    vintagepc committed Oct 1, 2023
    03e21cb
  4. bcfc299
  5. sigh

    vintagepc committed Oct 1, 2023
    1fb001d
  6. fix some of the tests

    vintagepc committed Oct 1, 2023
    223eae4

Commits on Oct 2, 2023

  1. fix test command

    vintagepc committed Oct 2, 2023
    7ad74cf
  2. exclude tests from lint

    vintagepc committed Oct 2, 2023
    5e68c2e
  3. derp

    vintagepc committed Oct 2, 2023
    a7a3b1d