Update to QEMU v9.0.2 #63
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…coroutine()' failed. bdrv_activate_all() should not be called from the coroutine context, move it to the QEMU thread colo_process_incoming_thread() with the bql_lock protected. The backtrace is as follows: eurecom-s3#4 0x0000561af7948362 in bdrv_graph_rdlock_main_loop () at ../block/graph-lock.c:260 eurecom-s3#5 0x0000561af7907a68 in graph_lockable_auto_lock_mainloop (x=0x7fd29810be7b) at /patch/to/qemu/include/block/graph-lock.h:259 eurecom-s3#6 0x0000561af79167d1 in bdrv_activate_all (errp=0x7fd29810bed0) at ../block.c:6906 eurecom-s3#7 0x0000561af762b4af in colo_incoming_co () at ../migration/colo.c:935 eurecom-s3#8 0x0000561af7607e57 in process_incoming_migration_co (opaque=0x0) at ../migration/migration.c:793 eurecom-s3#9 0x0000561af7adbeeb in coroutine_trampoline (i0=-106876144, i1=22042) at ../util/coroutine-ucontext.c:175 eurecom-s3#10 0x00007fd2a5cf21c0 in () at /lib64/libc.so.6 Cc: [email protected] Cc: Fabiano Rosas <[email protected]> Closes: https://gitlab.com/qemu-project/qemu/-/issues/2277 Fixes: 2b3912f ("block: Mark bdrv_first_blk() and bdrv_is_root_node() GRAPH_RDLOCK") Signed-off-by: Li Zhijian <[email protected]> Reviewed-by: Zhang Chen <[email protected]> Tested-by: Zhang Chen <[email protected]> Reviewed-by: Fabiano Rosas <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Peter Xu <[email protected]> (cherry picked from commit 2cc637f) Signed-off-by: Michael Tokarev <[email protected]>
This setsockopt accepts zero-lengh optlen (current qemu implementation does not allow this). Also, there's no need to make a copy of the key, it is enough to use lock_user() (which accepts zero length already). Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2197 Fixes: f31dddd "linux-user: Add support for setsockopt() option SOL_ALG" Signed-off-by: Michael Tokarev <[email protected]> Message-Id: <[email protected]> Signed-off-by: Richard Henderson <[email protected]> (cherry picked from commit 04f6fb8) Signed-off-by: Michael Tokarev <[email protected]>
Commit e4e98c7 ("pc: q35: Bump max_cpus to 4096 vcpus") increases the supported CPUs for PC Q35 machine. Update maximum CPU numbers for PC Q35 in the document. Signed-off-by: Zhao Liu <[email protected]> Message-ID: <[email protected]> Signed-off-by: Thomas Huth <[email protected]> (cherry picked from commit 838f824) Signed-off-by: Michael Tokarev <[email protected]>
Coroutines are not supposed to block. Instead, they should yield. The client performs TLS upgrade outside of an AIOContext, during synchronous handshake; this still requires g_main_loop. But the server responds to TLS upgrade inside a coroutine, so a nested g_main_loop is wrong. Since the two callbacks no longer share more than the setting of data.complete and data.error, it's just as easy to use static helpers instead of trying to share a common code path. It is also possible to add assertions that no other code is interfering with the eventual path to qio reaching the callback, whether or not it required a yield or main loop. Fixes: f95910f ("nbd: implement TLS support in the protocol negotiation") Signed-off-by: Zhu Yangyang <[email protected]> [eblake: move callbacks to their use point, add assertions] Signed-off-by: Eric Blake <[email protected]> Message-ID: <[email protected]> Reviewed-by: Vladimir Sementsov-Ogievskiy <[email protected]> (cherry picked from commit ae6d91a) Signed-off-by: Michael Tokarev <[email protected]>
nbd_negotiate() is already marked coroutine_fn. And given the fix in the previous patch to have nbd_negotiate_handle_starttls not create and wait on a g_main_loop (as that would violate coroutine constraints), it is worth marking the rest of the related static functions reachable only during option negotiation as also being coroutine_fn. Suggested-by: Vladimir Sementsov-Ogievskiy <[email protected]> Signed-off-by: Eric Blake <[email protected]> Message-ID: <[email protected]> Reviewed-by: Vladimir Sementsov-Ogievskiy <[email protected]> [eblake: drop one spurious coroutine_fn marking] Signed-off-by: Eric Blake <[email protected]> (cherry picked from commit 4fa333e) Signed-off-by: Michael Tokarev <[email protected]>
It seems that this error does not need to be propagated to the upper, directly output the error to avoid the leaks Closes: https://gitlab.com/qemu-project/qemu/-/issues/2283 Fixes: 2fda101 ("virtio-crypto: Support asynchronous mode") Signed-off-by: Li Zhijian <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Reviewed-by: zhenwei pi <[email protected]> Reviewed-by: Michael Tokarev <[email protected]> Signed-off-by: Michael Tokarev <[email protected]> (cherry picked from commit 06479db) Signed-off-by: Michael Tokarev <[email protected]>
Fixes: 1590154 ("target/loongarch: Fix qemu-system-loongarch64 assert failed with the option '-d int'") Signed-off-by: Michael Tokarev <[email protected]> Reviewed-by: Richard Henderson <[email protected]> (cherry picked from commit 0cbb322) Signed-off-by: Michael Tokarev <[email protected]>
Commit d424db2 excluded some strerrorname_np() instances because they break musl libc builds. Another instance happened to slip by via commit d4ff3da. Remove it before it causes trouble again. Fixes: d4ff3da (target/riscv/kvm: initialize 'vlenb' via get-reg-list) Signed-off-by: Daniel Henrique Barboza <[email protected]> Reviewed-by: Thomas Huth <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Reviewed-by: Alistair Francis <[email protected]> Reviewed-by: Michael Tokarev <[email protected]> Signed-off-by: Michael Tokarev <[email protected]> (cherry picked from commit e442635) Signed-off-by: Michael Tokarev <[email protected]>
For cpus using PMSA, when the MPU is disabled, the default memory type is Normal, Non-cachable. This means that it should not have alignment restrictions enforced. Cc: [email protected] Fixes: 59754f8 ("target/arm: Do memory type alignment check when translation disabled") Reported-by: Clément Chigot <[email protected]> Signed-off-by: Richard Henderson <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Tested-by: Clément Chigot <[email protected]> Message-id: [email protected] [PMM: trivial comment, commit message tweaks] Signed-off-by: Peter Maydell <[email protected]> (cherry picked from commit 7b19a35) Signed-off-by: Michael Tokarev <[email protected]>
The Linux kernel 5.10.16 binary for sunxi has been removed from apt.armbian.com. This means that the avocado tests for these machines will be skipped (status CANCEL) if the old binary isn't present in the avocado cache. Update to 6.6.16, in the same way we did in commit e384db4 when we moved to 5.10.16 in 2021. Cc: [email protected] Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2284 Signed-off-by: Peter Maydell <[email protected]> Reviewed-by: Strahinja Jankovic <[email protected]> Reviewed-by: Niek Linnenbank <[email protected]> Tested-by: Niek Linnenbank <[email protected]> Message-id: [email protected] (cherry picked from commit dcc5c01) Signed-off-by: Michael Tokarev <[email protected]>
… jobs Cirrus-CI introduced limitations to the free CI minutes. To avoid that we are consuming them too fast, let's drop the usual targets that are not that important since they are either a subset of another target (like i386 or ppc being a subset of x86_64 or ppc64 respectively), or since there is still a similar target with the opposite endianness (like xtensa/xtensael, microblaze/microblazeel etc.). Message-ID: <[email protected]> Signed-off-by: Thomas Huth <[email protected]> (cherry picked from commit a88a049) Signed-off-by: Michael Tokarev <[email protected]>
It fixes the buffer overflow vulnerability in the ufs device. The bug was detected by sanitizers. You can reproduce it by: cat << EOF |\ qemu-system-x86_64 \ -display none -machine accel=qtest -m 512M -M q35 -nodefaults -drive \ file=null-co://,if=none,id=disk0 -device ufs,id=ufs_bus -device \ ufs-lu,drive=disk0,bus=ufs_bus -qtest stdio outl 0xcf8 0x80000810 outl 0xcfc 0xe0000000 outl 0xcf8 0x80000804 outw 0xcfc 0x06 write 0xe0000058 0x1 0xa7 write 0xa 0x1 0x50 EOF Resolves: #2299 Fixes: 329f166 ("hw/ufs: Support for Query Transfer Requests") Reported-by: Zheyu Ma <[email protected]> Signed-off-by: Jeuk Kim <[email protected]> (cherry picked from commit f2c8aeb) Signed-off-by: Michael Tokarev <[email protected]>
The DMA descriptor structures for this device have a set of "address extension" fields which extend the 32 bit source addresses with an extra 16 bits to give a 48 bit address: https://docs.amd.com/r/en-US/ug1085-zynq-ultrascale-trm/ADDR_EXT-Field However, we misimplemented this address extension in several ways: * we only extracted 12 bits of the extension fields, not 16 * we didn't shift the extension field up far enough * we accidentally did the shift as 32-bit arithmetic, which meant that we would have an overflow instead of setting bits [47:32] of the resulting 64-bit address Add a type cast and use extract64() instead of extract32() to avoid integer overflow on addition. Fix bit fields extraction according to documentation. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: [email protected] Fixes: d3c6369 ("introduce xlnx-dpdma") Signed-off-by: Alexandra Diupina <[email protected]> Message-id: [email protected] [PMM: adjusted commit message] Reviewed-by: Peter Maydell <[email protected]> Signed-off-by: Peter Maydell <[email protected]> (cherry picked from commit 4b00855) Signed-off-by: Michael Tokarev <[email protected]>
Use little endian for derivative OTP fuse key. Cc: [email protected] Fixes: c752bb0 ("hw/nvram: NPCM7xx OTP device model") Suggested-by: Avi Fishman <[email protected]> Signed-off-by: Philippe Mathieu-Daudé <[email protected]> Message-id: [email protected] Reviewed-by: Peter Maydell <[email protected]> Signed-off-by: Peter Maydell <[email protected]> (cherry picked from commit eb656a6) Signed-off-by: Michael Tokarev <[email protected]>
The documentation says: ADDV Rm, Rn Rn + Rm -> Rn, overflow -> T But QEMU implementation was: ADDV Rm, Rn Rn + Rm -> Rm, overflow -> T Fix by filling the correct Rm register. Add tests provided by Paul Cercueil. Cc: [email protected] Fixes: ad8d25a ("target-sh4: implement addv and subv using TCG") Reported-by: Paul Cercueil <[email protected]> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2317 Reviewed-by: Richard Henderson <[email protected]> Signed-off-by: Philippe Mathieu-Daudé <[email protected]> Reviewed-by: Yoshinori Sato <[email protected]> Message-Id: <[email protected]> (cherry picked from commit c365e6b) Signed-off-by: Michael Tokarev <[email protected]>
The documentation says: SUBV Rm, Rn Rn - Rm -> Rn, underflow -> T The overflow / underflow can be calculated as: T = ((Rn ^ Rm) & (Result ^ Rn)) >> 31 However we were using the incorrect: T = ((Rn ^ Rm) & (Result ^ Rm)) >> 31 Fix by using the Rn register instead of Rm. Add tests provided by Paul Cercueil. Cc: [email protected] Fixes: ad8d25a ("target-sh4: implement addv and subv using TCG") Reported-by: Paul Cercueil <[email protected]> Suggested-by: Paul Cercueil <[email protected]> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2318 Reviewed-by: Richard Henderson <[email protected]> Signed-off-by: Philippe Mathieu-Daudé <[email protected]> Reviewed-by: Yoshinori Sato <[email protected]> Message-Id: <[email protected]> (cherry picked from commit e88a856) Signed-off-by: Michael Tokarev <[email protected]>
"plugin_mask" was renamed as "event_mask" in commit c006147 ("plugins: create CPUPluginState and migrate plugin_mask"). Signed-off-by: Philippe Mathieu-Daudé <[email protected]> Reviewed-by: Richard Henderson <[email protected]> Message-Id: <[email protected]> (cherry picked from commit e096d37) Signed-off-by: Michael Tokarev <[email protected]>
When emulated with QEMU, interrupts will never come in the following
loop. However, if the NOP instruction is uncommented, interrupts will
fire as normal.
loop:
cli
call do_sti
jmp loop
do_sti:
sti
# nop
ret
This behavior is different from that of a real processor. For example,
if KVM is enabled, interrupts will always fire regardless of whether the
NOP instruction is commented or not. Also, the Intel Software Developer
Manual states that after the STI instruction is executed, the interrupt
inhibit should end as soon as the next instruction (e.g., the RET
instruction if the NOP instruction is commented) is executed.
This problem is caused because the previous code may choose not to end
the TB even if the HF_INHIBIT_IRQ_MASK has just been reset (e.g., in the
case where the STI instruction is immediately followed by the RET
instruction), so that IRQs may not have a change to trigger. This commit
fixes the problem by always terminating the current TB to give IRQs a
chance to trigger when HF_INHIBIT_IRQ_MASK is reset.
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Ruihan Li <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 6a5a63f)
Signed-off-by: Michael Tokarev <[email protected]>
This is a 2-operand instruction, not 3-operand. Worse, we took the source from the wrong operand. Signed-off-by: Richard Henderson <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Message-Id: <[email protected]> Signed-off-by: Mark Cave-Ayland <[email protected]> (cherry picked from commit 7b616f3) Signed-off-by: Michael Tokarev <[email protected]>
This instruction has f32 as source1, which alters the decoding of the register number, which means we've been passing the wrong data for odd register numbers. Signed-off-by: Richard Henderson <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Message-Id: <[email protected]> Signed-off-by: Mark Cave-Ayland <[email protected]> (cherry picked from commit 9157dcc) Signed-off-by: Michael Tokarev <[email protected]>
These instructions have f32 inputs, which changes the decode of the register numbers. While we're fixing things, use a common helper for both insns, extracting the 16-bit scalar in tcg beforehand. Signed-off-by: Richard Henderson <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Message-Id: <[email protected]> Signed-off-by: Mark Cave-Ayland <[email protected]> (cherry picked from commit a859602) Signed-off-by: Michael Tokarev <[email protected]>
Not only do these instructions have f32 inputs, they also do not perform rounding. Since these are relatively simple, implement them properly inline. Signed-off-by: Richard Henderson <[email protected]> Message-Id: <[email protected]> Signed-off-by: Mark Cave-Ayland <[email protected]> (cherry picked from commit be8998e) Signed-off-by: Michael Tokarev <[email protected]>
This instruction has f32 inputs, which changes the decode of the register numbers. Signed-off-by: Richard Henderson <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Message-Id: <[email protected]> Signed-off-by: Mark Cave-Ayland <[email protected]> (cherry picked from commit d3ef26a) Signed-off-by: Michael Tokarev <[email protected]>
Match the extra inserts of INDEX_op_insn_start, fixing the db->num_insns != 1 assert in translator_loop. Fixes: dcd092a ("accel/tcg: Improve can_do_io management") Signed-off-by: Richard Henderson <[email protected]> (cherry picked from commit ca51921) Signed-off-by: Michael Tokarev <[email protected]>
The char pointer 'ramName' point to a block of memory, but never free it. Use 'g_autofree' to automatically free it. Resolves: Coverity CID 1544773 Fixes: 0cf1478 ("hw/loongarch: Add numa support") Signed-off-by: Song Gao <[email protected]> Reviewed-by: Peter Maydell <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Message-ID: <[email protected]> Signed-off-by: Philippe Mathieu-Daudé <[email protected]> (cherry picked from commit 54c52ec) Signed-off-by: Michael Tokarev <[email protected]> (Mjt: context fixup in hw/loongarch/virt.c due to missing-in-9.0 v9.0.0-266-gd771ca1c10 "hw/loongarch: Move boot functions to boot.c")
PCI config space is little-endian, so on a big-endian host we need to perform byte swaps for values as they are passed to and received from the generic PCI config space access machinery. Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Reviewed-by: Stefan Hajnoczi <[email protected]> Reviewed-by: Jagannathan Raman <[email protected]> Signed-off-by: Mattias Nissler <[email protected]> Message-ID: <[email protected]> Signed-off-by: Philippe Mathieu-Daudé <[email protected]> (cherry picked from commit e6578f1) Signed-off-by: Michael Tokarev <[email protected]>
According to the manual, 32-bit vs 64-bit is governed by REX.W
and REX ignores the 0x66 prefix. This can be confirmed with this
program:
#include <stdio.h>
int main()
{
int x = 0x12340000;
int y;
asm("popcntl %1, %0" : "=r" (y) : "r" (x)); printf("%x\n", y);
asm("mov $-1, %0; .byte 0x66; popcntl %1, %0" : "+r" (y) : "r" (x)); printf("%x\n", y);
asm("mov $-1, %0; .byte 0x66; popcntq %q1, %q0" : "+r" (y) : "r" (x)); printf("%x\n", y);
}
which prints 5/ffff0000/5 on real hardware and 5/ffff0000/ffff0000
on QEMU.
Cc: [email protected]
Reviewed-by: Zhao Liu <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 41c685d)
Signed-off-by: Michael Tokarev <[email protected]>
(Mjt: drop removal of mo_64_32() helper function in target/i386/tcg/translate.c
due to missing-in-9.0 v9.0.0-542-gaef4f4affde2
"target/i386: remove now-converted opcodes from old decoder"
which removed other user of it)
Reject 0x66/0xf3/0xf2 in front of them. Cc: [email protected] Reviewed-by: Richard Henderson <[email protected]> Signed-off-by: Paolo Bonzini <[email protected]> (cherry picked from commit 40a3ec7) Signed-off-by: Michael Tokarev <[email protected]>
The VMX feature bit depends on general availability of WAITPKG, not the other way round. Fixes: 33cc882 ("target/i386: add support for VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE", 2023-08-28) Cc: [email protected] Reviewed-by: Zhao Liu <[email protected]> Signed-off-by: Paolo Bonzini <[email protected]> (cherry picked from commit fe01af5) Signed-off-by: Michael Tokarev <[email protected]>
Ensure that they go through unmodified, instead of removing one layer of quoting. -D is a pretty specialized option and most options that can have spaces do not need it (for example, c_args is covered by --extra-cflags). Therefore it's unlikely that this causes actual trouble. However, a somewhat realistic failure case would be with -Dpkg_config_path and a pkg-config directory that contains spaces. Cc: [email protected] Reviewed-by: Thomas Huth <[email protected]> Signed-off-by: Paolo Bonzini <[email protected]> (cherry picked from commit 23b1f53) Signed-off-by: Michael Tokarev <[email protected]>
The calculation of FrameTemp is done using the size indicated by mo_pushpop() before being written back to EBP, but the final writeback to EBP is done using the size indicated by mo_stacksize(). In the case where mo_pushpop() is MO_32 and mo_stacksize() is MO_16 then the final writeback to EBP is done using MO_16 which can leave junk in the top 16-bits of EBP after executing ENTER. Change the writeback of EBP to use the same size indicated by mo_pushpop() to ensure that the full value is written back. Signed-off-by: Mark Cave-Ayland <[email protected]> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2198 Message-ID: <[email protected]> Cc: [email protected] Signed-off-by: Paolo Bonzini <[email protected]> (cherry picked from commit 3973615) Signed-off-by: Michael Tokarev <[email protected]>
Reproducer from https://gitlab.com/qemu-project/qemu/-/issues/1451 creates small packet (1 segment, len = 10 == n->guest_hdr_len), then destroys queue. "if (n->host_hdr_len != n->guest_hdr_len)" is triggered, if body creates zero length/zero segment packet as there is nothing after guest header. qemu_sendv_packet_async() tries to send it. slirp discards it because it is smaller than Ethernet header, but returns 0 because tx hooks are supposed to return total length of data. 0 is propagated upwards and is interpreted as "packet has been sent" which is terrible because queue is being destroyed, nobody is waiting for TX to complete and assert it triggered. Fix is discard such empty packets instead of sending them. Length 1 packets will go via different codepath: virtqueue_push(q->tx_vq, elem, 0); virtio_notify(vdev, q->tx_vq); g_free(elem); and aren't problematic. Signed-off-by: Alexey Dobriyan <[email protected]> Signed-off-by: Jason Wang <[email protected]> (cherry picked from commit 2c3e4e2) Signed-off-by: Michael Tokarev <[email protected]>
Draw routine needs to be manually invoked in the next refresh if there is a scanout blob from the guest. This is to prevent a situation where there is a scheduled draw event but it won't happen bacause the window is currently in inactive state (minimized or tabified). If draw is not done for a long time, gl_block timeout and/or fence timeout (on the guest) will happen eventually. v2: Use gd_gl_area_draw(vc) in gtk-gl-area.c Suggested-by: Vivek Kasireddy <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Marc-André Lureau <[email protected]> Cc: Daniel P. Berrangé <[email protected]> Signed-off-by: Dongwon Kim <[email protected]> Acked-by: Marc-André Lureau <[email protected]> Message-Id: <[email protected]> (cherry picked from commit 77bf310) Signed-off-by: Michael Tokarev <[email protected]>
Commit 1f25c17 ("monitor: use aio_co_reschedule_self()") was a code cleanup that uses aio_co_reschedule_self() instead of open coding coroutine rescheduling. Bug RHEL-34618 was reported and Kevin Wolf <[email protected]> identified the root cause. I missed that aio_co_reschedule_self() -> qemu_get_current_aio_context() only knows about qemu_aio_context/IOThread AioContexts and not about iohandler_ctx. It does not function correctly when going back from the iohandler_ctx to qemu_aio_context. Go back to open coding the AioContext transitions to avoid this bug. This reverts commit 1f25c17. Cc: [email protected] Buglink: https://issues.redhat.com/browse/RHEL-34618 Signed-off-by: Stefan Hajnoczi <[email protected]> Message-ID: <[email protected]> Reviewed-by: Kevin Wolf <[email protected]> Signed-off-by: Kevin Wolf <[email protected]> (cherry picked from commit 719c681) Signed-off-by: Michael Tokarev <[email protected]>
The VIRTIO Sound Device conforms with the Virtio spec v1.2, thus only use little endianness. Remove the suspicious target_words_bigendian() noticed during code review. Cc: [email protected] Fixes: eb9ad37 ("virtio-sound: handle control messages and streams") Signed-off-by: Philippe Mathieu-Daudé <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Message-Id: <[email protected]> (cherry picked from commit a276ec8) Signed-off-by: Michael Tokarev <[email protected]>
In case the display surface uses a shared buffer (i.e. uses vga vram directly instead of a shadow) go unshare the buffer before clearing it. This avoids vga memory corruption, which in turn fixes unblanking not working properly with X11. Cc: [email protected] Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2067 Signed-off-by: Gerd Hoffmann <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Message-ID: <[email protected]> Signed-off-by: Philippe Mathieu-Daudé <[email protected]> (cherry picked from commit b1cf266) Signed-off-by: Michael Tokarev <[email protected]>
For TBs crossing page boundaries, the 2nd page will never be recorded/removed, as the index of the 2nd page is computed from the address of the 1st page. This is due to a typo, fix it. Cc: [email protected] Fixes: deba787 ("accel/tcg: Always lock pages before translation") Signed-off-by: Anton Johansson <[email protected]> Reviewed-by: Manos Pitsidianakis <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Reviewed-by: Alex Bennée <[email protected]> Message-Id: <[email protected]> Signed-off-by: Richard Henderson <[email protected]> (cherry picked from commit 3b279f7) Signed-off-by: Michael Tokarev <[email protected]>
Like TARGET_NR_setuid, TARGET_NR_setgroups should affect only the calling thread, and not the entire process. Therefore, implement it using a syscall, and not a libc call. Cc: [email protected] Fixes: 19b84f3 ("added setgroups and getgroups syscalls") Signed-off-by: Ilya Leoshkevich <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Message-Id: <[email protected]> Reviewed-by: Richard Henderson <[email protected]> Signed-off-by: Richard Henderson <[email protected]> (cherry picked from commit 54b2792) Signed-off-by: Michael Tokarev <[email protected]>
The result has to be done with the signed denominator (b32) instead of the unsigned value passed in argument (b). Cc: [email protected] Fixes: 1326010 ("target/sparc: Remove CC_OP_DIV") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2319 Signed-off-by: Clément Chigot <[email protected]> Reviewed-by: Richard Henderson <[email protected]> Message-Id: <[email protected]> Signed-off-by: Richard Henderson <[email protected]> (cherry picked from commit 6b49653) Signed-off-by: Michael Tokarev <[email protected]>
Simplify the logic for two-part, 32-bit pc-relative addresses. Rather than assume all such fit in int32_t, do some arithmetic and assert a result, do some arithmetic first and then check to see if the pieces are in range. Cc: [email protected] Fixes: dacc517 ("tcg/loongarch64: Implement tcg_out_mov and tcg_out_movi") Reviewed-by: Song Gao <[email protected]> Reported-by: Song Gao <[email protected]> Signed-off-by: Richard Henderson <[email protected]> (cherry picked from commit 521d7fb) Signed-off-by: Michael Tokarev <[email protected]>
When the "file:" migration support was added we missed the special case in the qemu_open_old implementation that allows for a particular file name format to be used to refer to a set of file descriptors that have been previously provided to QEMU via the add-fd QMP command. When using this fdset feature, we should not truncate the migration file because being given an fd means that the management layer is in control of the file and will likely already have some data written to it. This is further indicated by the presence of the 'offset' argument, which indicates the start of the region where QEMU is allowed to write. Fix the issue by replacing the O_TRUNC flag on open by an ftruncate call, which will take the offset into consideration. Fixes: 385f510 ("migration: file URI offset") Suggested-by: Daniel P. Berrangé <[email protected]> Reviewed-by: Prasad Pandit <[email protected]> Reviewed-by: Peter Xu <[email protected]> Reviewed-by: Daniel P. Berrangé <[email protected]> Signed-off-by: Fabiano Rosas <[email protected]> (cherry picked from commit 6d32796) Signed-off-by: Michael Tokarev <[email protected]>
RHEL 9 (and thus also the derivatives) have been available since two years now, so according to QEMU's support policy, we can drop the active support for the previous major version 8 now. Another reason for doing this is that Centos Stream 8 will go EOL soon: https://blog.centos.org/2023/04/end-dates-are-coming-for-centos-stream-8-and-centos-linux-7/ "After May 31, 2024, CentOS Stream 8 will be archived and no further updates will be provided." Thus upgrade our CentOS Stream container to major version 9 now. Reviewed-by: Daniel P. Berrangé <[email protected]> Message-ID: <[email protected]> Signed-off-by: Thomas Huth <[email protected]> (cherry picked from commit 641b1ef) Signed-off-by: Michael Tokarev <[email protected]>
…physical package When QEMU is started with: -cpu host,host-cache-info=on,l3-cache=off \ -smp 2,sockets=1,dies=1,cores=1,threads=2 Guest can't acquire maximum number of addressable IDs for processor cores in the physical package from CPUID[04H]. When creating a CPU topology of 1 core per package, host-cache-info only uses the Host's addressable core IDs field (CPUID.04H.EAX[bits 31-26]), resulting in a conflict (on the multicore Host) between the Guest core topology information in this field and the Guest's actual cores number. Fix it by removing the unnecessary condition to cover 1 core per package case. This is safe because cores_per_pkg will not be 0 and will be at least 1. Fixes: d7caf13 ("x86: cpu: fixup number of addressable IDs for logical processors sharing cache") Signed-off-by: Guixiong Wei <[email protected]> Signed-off-by: Yipeng Yin <[email protected]> Signed-off-by: Chuang Xu <[email protected]> Reviewed-by: Zhao Liu <[email protected]> Message-ID: <[email protected]> Signed-off-by: Paolo Bonzini <[email protected]> (cherry picked from commit 903916f) Signed-off-by: Michael Tokarev <[email protected]> (Mjt: fixup for 9.0 due to other changes in this area past 9.0)
The inner loop, bounded by eltspersegment, must not be larger than the outer loop, bounded by elements. Cc: [email protected] Fixes: 18fc240 ("target/arm: Implement SVE fp complex multiply add (indexed)") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2376 Reviewed-by: Peter Maydell <[email protected]> Signed-off-by: Richard Henderson <[email protected]> Message-id: [email protected] Signed-off-by: Peter Maydell <[email protected]> (cherry picked from commit 76bccf3) Signed-off-by: Michael Tokarev <[email protected]>
Input denormals cause the Javascript inexact bit (output to Z) to be set. Cc: [email protected] Fixes: 6c1f6f2 ("target/arm: Implement ARMv8.3-JSConv") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2375 Reviewed-by: Peter Maydell <[email protected]> Signed-off-by: Richard Henderson <[email protected]> Message-id: [email protected] [PMM: fixed hardcoded tab in test case] Signed-off-by: Peter Maydell <[email protected]> (cherry picked from commit 7619129) Signed-off-by: Michael Tokarev <[email protected]>
This effectively reverts commit 54c4ea8 Author: Zhao Liu <[email protected]> Date: Sat Mar 9 00:01:37 2024 +0800 hw/core/machine-smp: Deprecate unsupported "parameter=1" SMP configurations but is not done as a 'git revert' since the part of the changes to the file hw/core/machine-smp.c which add 'has_XXX' checks remain desirable. Furthermore, we have to tweak the subsequently added unit test to account for differing warning message. The rationale for the original deprecation was: "Currently, it was allowed for users to specify the unsupported topology parameter as "1". For example, x86 PC machine doesn't support drawer/book/cluster topology levels, but user could specify "-smp drawers=1,books=1,clusters=1". This is meaningless and confusing, so that the support for this kind of configurations is marked deprecated since 9.0." There are varying POVs on the topic of 'unsupported' topology levels. It is common to say that on a system without hyperthreading, that there is always 1 thread. Likewise when new CPUs introduced a concept of multiple "dies', it was reasonable to say that all historical CPUs before that implicitly had 1 'die'. Likewise for the more recently introduced 'modules' and 'clusters' parameter'. From this POV, it is valid to set 'parameter=1' on the -smp command line for any machine, only a value > 1 is strictly an error condition. It doesn't cause any functional difficulty for QEMU, because internally the QEMU code is itself assuming that all "unsupported" parameters implicitly have a value of '1'. At the libvirt level, we've allowed applications to set 'parameter=1' when configuring a guest, and pass that through to QEMU. Deprecating this creates extra difficulty for because there's no info exposed from QEMU about which machine types "support" which parameters. Thus, libvirt can't know whether it is valid to pass 'parameter=1' for a given machine type, or whether it will trigger deprecation messages. Since there's no apparent functional benefit to deleting this deprecated behaviour from QEMU, and it creates problems for consumers of QEMU, remove this deprecation. Signed-off-by: Daniel P. Berrangé <[email protected]> Reviewed-by: Zhao Liu <[email protected]> Reviewed-by: Ján Tomko <[email protected]> Message-ID: <[email protected]> Signed-off-by: Philippe Mathieu-Daudé <[email protected]> (cherry picked from commit 9d7950e) Signed-off-by: Michael Tokarev <[email protected]> (Mjt: remove hunk about modules in hw/core/machine-smp.c introduced in v9.0.0-155-g8ec0a4634798 "hw/core/machine: Support modules in -smp")
Validate that it is possible to pass 'parameter=1' for any SMP topology parameter, since unsupported parameters are implicitly considered to always have a value of 1. Signed-off-by: Daniel P. Berrangé <[email protected]> Reviewed-by: Zhao Liu <[email protected]> Reviewed-by: Ján Tomko <[email protected]> Message-ID: <[email protected]> Signed-off-by: Philippe Mathieu-Daudé <[email protected]> (cherry picked from commit e68dcbb) Signed-off-by: Michael Tokarev <[email protected]>
One use case for 'qemu-img info' is verifying that untrusted images don't reference an unwanted external file, be it as a backing file or an external data file. To make sure that calling 'qemu-img info' can't already have undesired side effects with a malicious image, just don't open the data file at all with BDRV_O_NO_IO. If nothing ever tries to do I/O, we don't need to have it open. This changes the output of iotests case 061, which used 'qemu-img info' to show that opening an image with an invalid data file fails. After this patch, it succeeds. Replace this part of the test with a qemu-io call, but keep the final 'qemu-img info' to show that the invalid data file is correctly displayed in the output. Fixes: CVE-2024-4467 Cc: [email protected] Signed-off-by: Kevin Wolf <[email protected]> Reviewed-by: Eric Blake <[email protected]> Reviewed-by: Stefan Hajnoczi <[email protected]> Reviewed-by: Hanna Czenczek <[email protected]> (cherry picked from commit bd385a5) Signed-off-by: Michael Tokarev <[email protected]>
We want to disable filename parsing for data files because it's too easy to abuse in malicious image files. Make the test ready for the change by passing the data file explicitly in command line options. Cc: [email protected] Signed-off-by: Kevin Wolf <[email protected]> Reviewed-by: Eric Blake <[email protected]> Reviewed-by: Stefan Hajnoczi <[email protected]> Reviewed-by: Hanna Czenczek <[email protected]> (cherry picked from commit 2eb42a7) Signed-off-by: Michael Tokarev <[email protected]>
We want to disable filename parsing for data files because it's too easy to abuse in malicious image files. Make the test ready for the change by passing the data file explicitly in command line options. Cc: [email protected] Signed-off-by: Kevin Wolf <[email protected]> Reviewed-by: Eric Blake <[email protected]> Reviewed-by: Stefan Hajnoczi <[email protected]> Reviewed-by: Hanna Czenczek <[email protected]> (cherry picked from commit 7e11106) Signed-off-by: Michael Tokarev <[email protected]>
When handling image filenames from legacy options such as -drive or from
tools, these filenames are parsed for protocol prefixes, including for
the json:{} pseudo-protocol.
This behaviour is intended for filenames that come directly from the
command line and for backing files, which may come from the image file
itself. Higher level management tools generally take care to verify that
untrusted images don't contain a bad (or any) backing file reference;
'qemu-img info' is a suitable tool for this.
However, for other files that can be referenced in images, such as
qcow2 data files or VMDK extents, the string from the image file is
usually not verified by management tools - and 'qemu-img info' wouldn't
be suitable because in contrast to backing files, it already opens these
other referenced files. So here the string should be interpreted as a
literal local filename. More complex configurations need to be specified
explicitly on the command line or in QMP.
This patch changes bdrv_open_inherit() so that it only parses filenames
if a new parameter parse_filename is true. It is set for the top level
in bdrv_open(), for the file child and for the backing file child. All
other callers pass false and disable filename parsing this way.
Cc: [email protected]
Signed-off-by: Kevin Wolf <[email protected]>
Reviewed-by: Eric Blake <[email protected]>
Reviewed-by: Stefan Hajnoczi <[email protected]>
Reviewed-by: Hanna Czenczek <[email protected]>
(cherry picked from commit 7ead946)
Signed-off-by: Michael Tokarev <[email protected]>
Argument ordering for setcond2 is: output, a_low, a_high, b_low, b_high, cond The test is supposed to be against b_low, not a_high. Cc: [email protected] Fixes: ceb9ee0 ("tcg/optimize: Handle TCG_COND_TST{EQ,NE}") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2413 Signed-off-by: Richard Henderson <[email protected]> Tested-by: Alex Bennée <[email protected]> Message-Id: <[email protected]> (cherry picked from commit a71d9df) Signed-off-by: Michael Tokarev <[email protected]>
In function kvm_virtio_pci_vector_use_one(), the function will only use the irqfd/vector for itself. Therefore, in the undo label, the failing process is incorrect. To fix this, we can just remove this label. Fixes: f9a09ca ("vhost: add support for configure interrupt") Cc: [email protected] Signed-off-by: Cindy Lu <[email protected]> Message-Id: <[email protected]> Reviewed-by: Peter Maydell <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Michael S. Tsirkin <[email protected]> (cherry picked from commit a113d04) Signed-off-by: Michael Tokarev <[email protected]>
Commit d152cdd ("virtio: use virtio accessor to access packed event") switched using of address_space_read_cached() to virito_lduw_phys_cached() to access packed descriptor event. When we used address_space_read_cached(), we needed to call virtio_tswap16s() to handle the endianess of the field, but virito_lduw_phys_cached() already handles it internally, so we no longer need to call virtio_tswap16s() (as the commit had done for `off_wrap`, but forgot for `flags`). Fixes: d152cdd ("virtio: use virtio accessor to access packed event") Cc: [email protected] Cc: [email protected] Reported-by: Xoykie <[email protected]> Link: https://lore.kernel.org/qemu-devel/CAFU8RB_pjr77zMLsM0Unf9xPNxfr_--Tjr49F_eX32ZBc5o2zQ@mail.gmail.com Signed-off-by: Stefano Garzarella <[email protected]> Message-Id: <[email protected]> Acked-by: Jason Wang <[email protected]> Reviewed-by: Peter Maydell <[email protected]> Reviewed-by: Eugenio Pérez <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Michael S. Tsirkin <[email protected]> (cherry picked from commit 7aa6492) Signed-off-by: Michael Tokarev <[email protected]>
qemu_chr_open_fd() sets stdout into non-blocking mode. Restore the old fd flags on exit to avoid breaking unsuspecting applications that run on the same terminal after qemu and don't expect to get EAGAIN. While at at, also ensure term_exit is called once (at the moment it's called both from char_stdio_finalize() and as the atexit() hook. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2423 Signed-off-by: Maxim Mikityanskiy <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Paolo Bonzini <[email protected]> (cherry picked from commit a0124e3) Signed-off-by: Michael Tokarev <[email protected]>
When a command's arguments are specified as an explicit type T,
generated documentation points to the members of T.
Example:
##
# @announce-self:
#
# Trigger generation of broadcast RARP frames to update network
[...]
##
{ 'command': 'announce-self', 'boxed': true,
'data' : 'AnnounceParameters'}
generates
"announce-self" (Command)
-------------------------
Trigger generation of broadcast RARP frames to update network
[...]
Arguments
~~~~~~~~~
The members of "AnnounceParameters"
Except when the command takes its arguments unboxed , i.e. it doesn't
have 'boxed': true, we generate *nothing*. A few commands have a
reference in their doc comment to compensate, but most don't.
Example:
##
# @blockdev-snapshot-sync:
#
# Takes a synchronous snapshot of a block device.
#
# For the arguments, see the documentation of BlockdevSnapshotSync.
[...]
##
{ 'command': 'blockdev-snapshot-sync',
'data': 'BlockdevSnapshotSync',
'allow-preconfig': true }
generates
"blockdev-snapshot-sync" (Command)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Takes a synchronous snapshot of a block device.
For the arguments, see the documentation of BlockdevSnapshotSync.
[...]
Same for event data.
Fix qapidoc.py to generate the reference regardless of boxing. Delete
now redundant references in the doc comments.
Fixes: 4078ee5 (docs/sphinx: Add new qapi-doc Sphinx extension)
Cc: [email protected]
Signed-off-by: Markus Armbruster <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: John Snow <[email protected]>
(cherry picked from commit e389929)
Signed-off-by: Michael Tokarev <[email protected]>
The number of PIDs is in the upper 16 bits of cdw10. So we need to right-shift by 16 bits instead of only a single bit. Fixes: 73064ed ("hw/nvme: flexible data placement emulation") Cc: [email protected] Signed-off-by: Vincent Fu <[email protected]> Reviewed-by: Klaus Jensen <[email protected]> Signed-off-by: Klaus Jensen <[email protected]> (cherry picked from commit 3936bbd) Signed-off-by: Michael Tokarev <[email protected]>
Signed-off-by: Michael Tokarev <[email protected]>
v9.0.2 release
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.