A potential Use-after-free was reported in virtio_iommu_handle_command
when using virtio-iommu:
> I find a potential Use-after-free in QEMU 6.2.0, which is in
> virtio_iommu_handle_command() (./hw/virtio/virtio-iommu.c).
>
>
> Specifically, in the loop body, the variable 'buf' allocated at line 639 can be
> freed by g_free() at line 659. However, if the execution path enters the loop
> body again and the if branch takes true at line 616, the control will directly
> jump to 'out' at line 651. At this time, 'buf' is a freed pointer, which is not
> assigned with an allocated memory but used at line 653. As a result, a UAF bug
> is triggered.
>
>
>
> 599 for (;;) {
> ...
> 615 sz = iov_to_buf(iov, iov_cnt, 0, &head, sizeof(head));
> 616 if (unlikely(sz != sizeof(head))) {
> 617 tail.status = VIRTIO_IOMMU_S_DEVERR;
> 618 goto out;
> 619 }
> ...
> 639 buf = g_malloc0(output_size);
> ...
> 651 out:
> 652 sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
> 653 buf ? buf : &tail, output_size);
> ...
> 659 g_free(buf);
>
> We can fix it by set ‘buf‘ to NULL after freeing it:
>
>
> 651 out:
> 652 sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
> 653 buf ? buf : &tail, output_size);
> ...
> 659 g_free(buf);
> +++ buf = NULL;
> 660 }
Fix as suggested by the reporter.
Signed-off-by: Wentao Liang <Wentao_Liang_g@163.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20220407095047.50371-1-mst@redhat.com
Message-ID: <20220406040445-mutt-send-email-mst@kernel.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* tag 'fixes-20220408-pull-request' of git://git.kraxel.org/qemu:
ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.
display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
Avoid fetching 'width' and 'height' a second time to prevent possible
race condition. Refer to security advisory
https://starlabs.sg/advisories/22-4207/ for more information.
vmstate_acpi_pcihp_use_acpi_index() was expecting AcpiPciHpState
as state but it actually received PIIX4PMState, because
VMSTATE_PCI_HOTPLUG is a macro and not another struct.
So it ended up accessing random pointer, which resulted
in 'false' return value and acpi_index field wasn't ever
sent.
However in 7.0 that pointer de-references to value > 0, and
destination QEMU starts to expect the field which isn't
sent in migratioon stream from older QEMU (6.2 and older).
As result migration fails with:
qemu-system-x86_64: Missing section footer for 0000:00:01.3/piix4_pm
qemu-system-x86_64: load of migration failed: Invalid argument
In addition with QEMU-6.2, destination due to not expected
state, also never expects the acpi_index field in migration
stream.
Q35 is not affected as it always sends/expects the field as
long as acpi based PCI hotplug is enabled.
Fix issue by introducing compat knob to never send/expect
acpi_index in migration stream for 6.2 and older PC machine
types and always send it for 7.0 and newer PC machine types.
Diagnosed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Fixes: b32bd76 ("pci: introduce acpi-index property for PCI device")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/932 Signed-off-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
docs/system/i386: Add measurement calculation details to amd-memory-encryption
qga/vss-win32: fix compilation with clang++
coverity: update model for latest tools
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* tag 'pull-qapi-2022-04-05' of git://repo.or.cz/qemu/armbru:
qapi: Fix calc-dirty-rate example
qapi: fix example of query-memdev command
qapi: fix example of query-cpus-fast command
qapi: fix example of trace-event-get-state command
qapi: fix example of query-colo-status command
qapi: fix example of query-vnc command
qapi: fix example of query-spice command
qapi: fix example of query-named-block-nodes command
qapi: fix examples: replay-break and replay-seek
qapi: fix example of netdev_add command
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* tag 'pull-target-arm-20220405' of https://git.linaro.org/people/pmaydell/qemu-arm:
docs/system/devices/can.rst: correct links to CTU CAN FD IP core documentation.
xlnx-bbram: hw/nvram: Fix uninitialized Error *
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
The example shows {"command": ...}, which is wrong. Fix it to
{"execute": ...}.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20220401082028.3583296-1-armbru@redhat.com> Reviewed-by: Victor Toso <victortoso@redhat.com>
Victor Toso [Thu, 31 Mar 2022 19:06:33 +0000 (21:06 +0200)]
qapi: fix example of query-memdev command
Example output is missing mandatory argument @share for the return
JSON object. Add it.
Signed-off-by: Victor Toso <victortoso@redhat.com>
Message-Id: <20220331190633.121077-10-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Thu, 31 Mar 2022 19:06:32 +0000 (21:06 +0200)]
qapi: fix example of query-cpus-fast command
Example output contains member @arch that was removed in 445a5b4087
"machine: remove 'arch' field from 'query-cpus-fast' QMP command". Fix
it.
Signed-off-by: Victor Toso <victortoso@redhat.com>
Message-Id: <20220331190633.121077-9-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Thu, 31 Mar 2022 19:06:31 +0000 (21:06 +0200)]
qapi: fix example of trace-event-get-state command
The example output is missing the mandatory member @vcpu. Fix it.
Signed-off-by: Victor Toso <victortoso@redhat.com>
Message-Id: <20220331190633.121077-8-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Thu, 31 Mar 2022 19:06:30 +0000 (21:06 +0200)]
qapi: fix example of query-colo-status command
The example output is missing the mandatory member @last-mode in the
return value. Fix it.
Signed-off-by: Victor Toso <victortoso@redhat.com>
Message-Id: <20220331190633.121077-7-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Thu, 31 Mar 2022 19:06:29 +0000 (21:06 +0200)]
qapi: fix example of query-vnc command
The return value is missing the mandatory member @websocket. Fix it.
Signed-off-by: Victor Toso <victortoso@redhat.com>
Message-Id: <20220331190633.121077-6-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Thu, 31 Mar 2022 19:06:28 +0000 (21:06 +0200)]
qapi: fix example of query-spice command
Example output is missing mandatory members @migrated and @mouse-mode.
Fix it.
Signed-off-by: Victor Toso <victortoso@redhat.com>
Message-Id: <20220331190633.121077-5-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Thu, 31 Mar 2022 19:06:27 +0000 (21:06 +0200)]
qapi: fix example of query-named-block-nodes command
Example output is missing mandatory member @detect_zeroes. Fix it.
Signed-off-by: Victor Toso <victortoso@redhat.com>
Message-Id: <20220331190633.121077-4-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Thu, 31 Mar 2022 19:06:26 +0000 (21:06 +0200)]
qapi: fix examples: replay-break and replay-seek
Both examples outputs are using @data member for the arguments. This
is wrong. The expected member for the QMP is @arguments. Fix it.
Signed-off-by: Victor Toso <victortoso@redhat.com>
Message-Id: <20220331190633.121077-3-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Fri, 1 Apr 2022 11:07:12 +0000 (13:07 +0200)]
qapi: fix example of netdev_add command
Example output has the optional member @dnssearch as string type. It
should be an array of String objects instead. Fix it.
For reference, see NetdevUserOptions.
Signed-off-by: Victor Toso <victortoso@redhat.com>
Message-Id: <20220401110712.26911-1-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com>
[Commit message tweaked for precision] Signed-off-by: Markus Armbruster <armbru@redhat.com>
Dov Murik [Thu, 17 Feb 2022 11:00:59 +0000 (11:00 +0000)]
docs/system/i386: Add measurement calculation details to amd-memory-encryption
Add a section explaining how the Guest Owner should calculate the
expected guest launch measurement for SEV and SEV-ES.
Also update the name and links to the SEV API Spec document.
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com> Suggested-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20220217110059.2320497-1-dovmurik@linux.ibm.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Helge Konetzka [Wed, 16 Mar 2022 13:54:07 +0000 (14:54 +0100)]
qga/vss-win32: fix compilation with clang++
This fixes:
qga/vss-win32/install.cpp:49:24: error: cannot initialize a variable of
type 'char *' with an rvalue of type 'const char *'
char *msg = NULL, *nul = strchr(text, '(');
^ ~~~~~~~~~~~~~~~~~
Signed-off-by: Helge Konetzka <hk@zapateado.de> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Message-Id: <39400817-3dc9-516d-9096-bc1f68862531@zapateado.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Paolo Bonzini [Thu, 31 Mar 2022 06:24:09 +0000 (08:24 +0200)]
coverity: update model for latest tools
Coverity is now rejecting incomplete types in the modeling file.
Just use a random number (in the neighborhood of the actual one)
for the size of a GIOChannel.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Pavel Pisa [Sat, 2 Apr 2022 20:45:23 +0000 (22:45 +0200)]
docs/system/devices/can.rst: correct links to CTU CAN FD IP core documentation.
Signed-off-by: Pavel Pisa <pisa@cmp.felk.cvut.cz> Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Message-id: 20220402204523.32643-1-pisa@cmp.felk.cvut.cz Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tong Ho [Fri, 1 Apr 2022 19:06:31 +0000 (12:06 -0700)]
xlnx-bbram: hw/nvram: Fix uninitialized Error *
This adds required initialization of Error * variable.
Signed-off-by: Tong Ho <tong.ho@xilinx.com> Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Mon, 4 Apr 2022 14:48:55 +0000 (15:48 +0100)]
Merge tag 'pull-ppc-20220404' of https://github.com/legoater/qemu into staging
ppc-7.0 queue:
* Coverity fixes
* Fix for a memory leak issue
# gpg: Signature made Mon 04 Apr 2022 09:45:51 BST
# gpg: using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1
# gpg: Good signature from "Cédric Le Goater <clg@kaod.org>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: A0F6 6548 F048 95EB FE6B 0B60 51A3 43C7 CFFB ECA1
* tag 'pull-ppc-20220404' of https://github.com/legoater/qemu:
linux-user/ppc: Narrow type of ccr in save_user_regs
ppc/pnv: Fix number of registers in the PCIe controller on POWER9
hw/ppc: free env->tb_env in spapr_unrealize_vcpu()
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
ppc/pnv: Fix number of registers in the PCIe controller on POWER9
The spec defines 3 registers, even though only index 0 and 2 are valid
on POWER9. The same model is used on POWER10. Register 1 is defined
there but we currently don't use it in skiboot. So we can keep
reporting an error on write.
hw/ppc: free env->tb_env in spapr_unrealize_vcpu()
The timebase is allocated during spapr_realize_vcpu() and it's not
freed. This results in memory leaks when doing vcpu unplugs:
==636935==
==636935== 144 (96 direct, 48 indirect) bytes in 1 blocks are definitely lost in loss record 6
,461 of 8,135
==636935== at 0x4897468: calloc (vg_replace_malloc.c:760)
==636935== by 0x5077213: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.6400.4)
==636935== by 0x507757F: g_malloc0_n (in /usr/lib64/libglib-2.0.so.0.6400.4)
==636935== by 0x93C3FB: cpu_ppc_tb_init (ppc.c:1066)
==636935== by 0x97BC2B: spapr_realize_vcpu (spapr_cpu_core.c:268)
==636935== by 0x97C01F: spapr_cpu_core_realize (spapr_cpu_core.c:337)
==636935== by 0xD4626F: device_set_realized (qdev.c:531)
==636935== by 0xD55273: property_set_bool (object.c:2273)
==636935== by 0xD523DF: object_property_set (object.c:1408)
==636935== by 0xD588B7: object_property_set_qobject (qom-qobject.c:28)
==636935== by 0xD52897: object_property_set_bool (object.c:1477)
==636935== by 0xD4579B: qdev_realize (qdev.c:333)
==636935==
This patch adds a cpu_ppc_tb_free() helper in hw/ppc/ppc.c to allow us
to free the timebase. This leak is then solved by calling
cpu_ppc_tb_free() in spapr_unrealize_vcpu().
Fixes: 6f4b5c3ec590 ("spapr: CPU hot unplug support") Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com> Reviewed-by: Cédric Le Goater <clg@kaod.org> Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <20220329124545.529145-2-danielhb413@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org>
* tag 'pull-request-2022-04-01' of https://gitlab.com/thuth/qemu:
trace: fix compilation with lttng-ust >= 2.13
9p: move P9_XATTR_SIZE_MAX from 9p.h to 9p.c
meson.build: Fix dependency of page-vary-common.c to config-poison.h
target/s390x: Fix determination of overflow condition code after subtraction
target/s390x: Fix determination of overflow condition code after addition
misc: Fixes MAINTAINERS's path .github/workflows/lockdown.yml
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* tag 'pull-target-arm-20220401' of https://git.linaro.org/people/pmaydell/qemu-arm:
target/arm: Don't use DISAS_NORETURN in STXP !HAVE_CMPXCHG128 codegen
MAINTAINERS: change Fred Konrad's email address
target/arm: Determine final stage 2 output PA space based on original IPA
target/arm: Take VSTCR.SW, VTCR.NSW into account in final stage 2 walk
target/arm: Check VSTCR.SW when assigning the stage 2 output PA space
target/arm: Fix MTE access checks for disabled SEL2
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Fri, 1 Apr 2022 15:01:10 +0000 (16:01 +0100)]
Merge tag 'pull-riscv-to-apply-20220401' of github.com:alistair23/qemu into staging
Sixth RISC-V PR for QEMU 7.0
This is a last minute RISC-V PR for 7.0.
It includes a fix to avoid leaking no translation TLB entries. This
incorrectly cached uncachable baremetal entries. This would break Linux
boot while single stepping. As the fix is pretty straight forward (flush
the cache more often) it's being pulled in for 7.0.
At the same time I have included a RISC-V vector extension fixup patch.
# gpg: Signature made Fri 01 Apr 2022 00:33:58 BST
# gpg: using RSA key F6C4AC46D4934868D3B8CE8F21E10D29DF977054
# gpg: Good signature from "Alistair Francis <alistair@alistair23.me>" [full]
# Primary key fingerprint: F6C4 AC46 D493 4868 D3B8 CE8F 21E1 0D29 DF97 7054
* tag 'pull-riscv-to-apply-20220401' of github.com:alistair23/qemu:
target/riscv: rvv: Add missing early exit condition for whole register load/store
target/riscv: Avoid leaking "no translation" TLB entries
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Fri, 1 Apr 2022 14:35:49 +0000 (15:35 +0100)]
target/arm: Don't use DISAS_NORETURN in STXP !HAVE_CMPXCHG128 codegen
In gen_store_exclusive(), if the host does not have a cmpxchg128
primitive then we generate bad code for STXP for storing two 64-bit
values. We generate a call to the exit_atomic helper, which never
returns, and set is_jmp to DISAS_NORETURN. However, this is
forgetting that we have already emitted a brcond that jumps over this
call for the case where we don't hold the exclusive. The effect is
that we don't generate any code to end the TB for the
exclusive-not-held execution path, which falls into the "exit with
TB_EXIT_REQUESTED" code that gen_tb_end() emits. This then causes an
assert at runtime when cpu_loop_exec_tb() sees an EXIT_REQUESTED TB
return that wasn't for an interrupt or icount.
In particular, you can hit this case when using the clang sanitizers
and trying to run the xlnx-versal-virt acceptance test in 'make
check-acceptance'. This bug was masked until commit 848126d11e93ff
("meson: move int128 checks from configure") because we used to set
CONFIG_CMPXCHG128=1 and avoid the buggy codepath, but after that we
do not.
Fix the bug by not setting is_jmp. The code after the exit_atomic
call up to the fail_label is dead, but TCG is smart enough to
eliminate it. We do need to set 'tmp' to some valid value, though
(in the same way the exit_atomic-using code in tcg/tcg-op.c does).
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/953 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220331150858.96348-1-peter.maydell@linaro.org
target/arm: Determine final stage 2 output PA space based on original IPA
As per the AArch64.S2Walk() pseudo-code in the ARMv8 ARM, the final
decision as to the output address's PA space based on the SA/SW/NSA/NSW
bits needs to take the input IPA's PA space into account, and not the
PA space of the result of the stage 2 walk itself.
Signed-off-by: Idan Horowitz <idan.horowitz@gmail.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220327093427.1548629-4-idan.horowitz@gmail.com
[PMM: fixed commit message typo] Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
target/arm: Take VSTCR.SW, VTCR.NSW into account in final stage 2 walk
As per the AArch64.SS2InitialTTWState() psuedo-code in the ARMv8 ARM the
initial PA space used for stage 2 table walks is assigned based on the SW
and NSW bits of the VSTCR and VTCR registers.
This was already implemented for the recursive stage 2 page table walks
in S1_ptw_translate(), but was missing for the final stage 2 walk.
Signed-off-by: Idan Horowitz <idan.horowitz@gmail.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220327093427.1548629-3-idan.horowitz@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
target/arm: Check VSTCR.SW when assigning the stage 2 output PA space
As per the AArch64.SS2OutputPASpace() psuedo-code in the ARMv8 ARM when the
PA space of the IPA is non secure, the output PA space is secure if and only
if all of the bits VTCR.<NSW, NSA>, VSTCR.<SW, SA> are not set.
Signed-off-by: Idan Horowitz <idan.horowitz@gmail.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220327093427.1548629-2-idan.horowitz@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
target/arm: Fix MTE access checks for disabled SEL2
While not mentioned anywhere in the actual specification text, the
HCR_EL2.ATA bit is treated as '1' when EL2 is disabled at the current
security state. This can be observed in the psuedo-code implementation
of AArch64.AllocationTagAccessIsEnabled().
Signed-off-by: Idan Horowitz <idan.horowitz@gmail.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220328173107.311267-1-idan.horowitz@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
On Fedora 36, with lttng-ust 2.13.1, compilation fails with:
In file included from trace/trace-ust-all.h:49085,
from trace/trace-ust-all.c:13:
/usr/include/lttng/tracepoint-event.h:67:10: error: #include expects "FILENAME" or <FILENAME>
67 | #include LTTNG_UST_TRACEPOINT_INCLUDE
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
In lttng-ust commit 41858e2b6e8 ("Fix: don't do macro expansion in
tracepoint file name") from 2012, starting from lttng-ust 2.1, the API
was changed to expect TRACEPOINT_INCLUDE to be defined as a string.
In lttng-ust commit d2966b4b0b2 ("Remove TRACEPOINT_INCLUDE_FILE
macro"), in 2021, the compatibility macro was removed.
Use the "new" API from 2012, and bump the version requirement to 2.1 to
fix compilation with >= 2.13.
According to repology, all distributions we support have >= 2.1 (centos
8 has oldest with 2.8.1 afaict)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20220328084717.367993-2-marcandre.lureau@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Will Cohen [Thu, 31 Mar 2022 18:26:51 +0000 (14:26 -0400)]
9p: move P9_XATTR_SIZE_MAX from 9p.h to 9p.c
The patch set adding 9p functionality to darwin introduced an issue
where limits.h, which defines XATTR_SIZE_MAX, is included in 9p.c,
though the referenced constant is needed in 9p.h. This commit fixes that
issue by moving the definition of P9_XATTR_SIZE_MAX, which uses
XATTR_SIZE_MAX, to also be in 9p.c.
Additionally, this commit moves the location of the system headers
include in 9p.c to occur before the project headers (except osdep.h).
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/950 Fixes: 38d7fd68b0 ("9p: darwin: Move XATTR_SIZE_MAX->P9_XATTR_SIZE_MAX") Signed-off-by: Will Cohen <wwcohen@gmail.com>
Message-Id: <20220331182651.887-1-wwcohen@gmail.com>
[thuth: Adjusted placement of osdep.h] Signed-off-by: Thomas Huth <thuth@redhat.com>
Bruno Haible [Wed, 23 Mar 2022 16:26:21 +0000 (17:26 +0100)]
target/s390x: Fix determination of overflow condition code after subtraction
Reported by Paul Eggert in
https://lists.gnu.org/archive/html/bug-gnulib/2021-09/msg00050.html
This program currently prints different results when run with TCG instead
of running on real s390x hardware:
#include <stdio.h>
int overflow_32 (int x, int y)
{
int sum;
return __builtin_sub_overflow (x, y, &sum);
}
int overflow_64 (long long x, long long y)
{
long sum;
return __builtin_sub_overflow (x, y, &sum);
}
int a1 = 0;
int b1 = -2147483648;
long long a2 = 0L;
long long b2 = -9223372036854775808L;
int main ()
{
{
int a = a1;
int b = b1;
printf ("a = 0x%x, b = 0x%x\n", a, b);
printf ("no_overflow = %d\n", ! overflow_32 (a, b));
}
{
long long a = a2;
long long b = b2;
printf ("a = 0x%llx, b = 0x%llx\n", a, b);
printf ("no_overflow = %d\n", ! overflow_64 (a, b));
}
}
Signed-off-by: Bruno Haible <bruno@clisp.org>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/618
Message-Id: <20220323162621.139313-3-thuth@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Bruno Haible [Wed, 23 Mar 2022 16:26:20 +0000 (17:26 +0100)]
target/s390x: Fix determination of overflow condition code after addition
This program currently prints different results when run with TCG instead
of running on real s390x hardware:
#include <stdio.h>
int overflow_32 (int x, int y)
{
int sum;
return ! __builtin_add_overflow (x, y, &sum);
}
int overflow_64 (long long x, long long y)
{
long sum;
return ! __builtin_add_overflow (x, y, &sum);
}
int a1 = -2147483648;
int b1 = -2147483648;
long long a2 = -9223372036854775808L;
long long b2 = -9223372036854775808L;
int main ()
{
{
int a = a1;
int b = b1;
printf ("a = 0x%x, b = 0x%x\n", a, b);
printf ("no_overflow = %d\n", overflow_32 (a, b));
}
{
long long a = a2;
long long b = b2;
printf ("a = 0x%llx, b = 0x%llx\n", a, b);
printf ("no_overflow = %d\n", overflow_64 (a, b));
}
}
Signed-off-by: Bruno Haible <bruno@clisp.org>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/616
Message-Id: <20220323162621.139313-2-thuth@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Yonggang Luo <luoyonggang@gmail.com>
Message-Id: <20220323080755.156-4-luoyonggang@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Thomas Huth <thuth@redhat.com>
* tag 'trivial-branch-for-7.0-pull-request' of https://gitlab.com/laurent_vivier/qemu:
tests/lcitool: Do not use a hard-coded /usr/bin/python3 as python interpreter
vhost-vdpa: fix typo in a comment
target/sh4: Remove old README.sh4 file
linux-user/sh4/termbits: Silence warning about TIOCSER_TEMT double definition
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
target/riscv: rvv: Add missing early exit condition for whole register load/store
According to v-spec (section 7.9):
The instructions operate with an effective vector length, evl=NFIELDS*VLEN/EEW,
regardless of current settings in vtype and vl. The usual property that no
elements are written if vstart ≥ vl does not apply to these instructions.
Instead, no elements are written if vstart ≥ evl.
Signed-off-by: eop Chen <eop.chen@sifive.com> Reviewed-by: Frank Chang <frank.chang@sifive.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <164762720573.18409.3931931227997483525-0@git.sr.ht> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Palmer Dabbelt [Wed, 30 Mar 2022 16:59:13 +0000 (09:59 -0700)]
target/riscv: Avoid leaking "no translation" TLB entries
The ISA doesn't allow bare mappings to be cached, as the caches are
translations and bare mppings are not translated. We cache these
translations in QEMU in order to utilize the TLB code, but that leaks
out to the guest.
Suggested-by: phantom@zju.edu.cn # no name in the From field Fixes: 1e0d985fa9 ("target/riscv: Only flush TLB if SATP.ASID changes") Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20220330165913.8836-1-palmer@rivosinc.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Thomas Huth [Tue, 29 Mar 2022 06:39:58 +0000 (08:39 +0200)]
tests/lcitool: Do not use a hard-coded /usr/bin/python3 as python interpreter
When running "make lcitool-refresh", this currently uses the hard-coded
/usr/bin/python3 from the script's shebang line for running Python.
That's bad, since neither /usr/bin/python3 is guaranteed to exist, nor
does it honor the python interpreter that the user might have chosen
while running the "configure" script. Thus let's rather use $(PYTHON)
in the Makefile, and improve the shebang line in the script in case
someone runs this directly.
Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20220329063958.262669-1-thuth@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Thomas Huth [Tue, 29 Mar 2022 15:19:55 +0000 (17:19 +0200)]
target/sh4: Remove old README.sh4 file
This file didn't have any non-trivial update since it was initially
added in 2006, and looking at the content, it seems incredibly outdated,
saying e.g. "The sh4 target is not ready at all yet for integration in
qemu" or "A sh4 user-mode has also somewhat started but will be worked
on afterwards"... Sounds like nobody is interested in this README file
anymore, so let's simply remove it now.
Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Yoshinori Sato <ysato@users.sourceforge.jp>
Message-Id: <20220329151955.472306-1-thuth@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Thomas Huth [Wed, 30 Mar 2022 13:43:02 +0000 (15:43 +0200)]
linux-user/sh4/termbits: Silence warning about TIOCSER_TEMT double definition
Seen while compiling on Alpine:
In file included from ../linux-user/strace.c:17:
In file included from ../linux-user/qemu.h:11:
In file included from ../linux-user/syscall_defs.h:1247:
../linux-user/sh4/termbits.h:276:10: warning: 'TIOCSER_TEMT' macro redefined
[-Wmacro-redefined]
# define TIOCSER_TEMT 0x01 /* Transmitter physically empty */
^
/usr/include/sys/ioctl.h:50:9: note: previous definition is here
#define TIOCSER_TEMT 1
^
1 warning generated.
Add the TARGET_ prefix here, too, like we do it on the other architectures.
Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Laurent Vivier <laurent@vivier.eu> Reviewed-by: Yoshinori Sato <ysato@users.sourceforge.jp>
Message-Id: <20220330134302.979686-1-thuth@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
tcg/aarch64: Use 'ull' suffix to force 64-bit constant
Typo used only 'ul' suffix, which is still 32-bits for windows host.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/947 Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Peter Maydell [Thu, 31 Mar 2022 10:56:52 +0000 (11:56 +0100)]
Merge tag 'pull-qapi-2022-03-31' of git://repo.or.cz/qemu/armbru into staging
QAPI patches patches for 2022-03-31
# gpg: Signature made Thu 31 Mar 2022 11:51:34 BST
# gpg: using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653
# gpg: issuer "armbru@redhat.com"
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full]
# gpg: aka "Markus Armbruster <armbru@pond.sub.org>" [full]
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653
* tag 'pull-qapi-2022-03-31' of git://repo.or.cz/qemu/armbru:
qapi: fix example of dump-guest-memory
qapi: fix example of ACPI_DEVICE_OST event
qapi: ui examples: add missing @websocket member
qapi: fix example of MEMORY_FAILURE
qapi: run-state examples: add missing @timestamp
qapi: fix examples: SHUTDOWN and RESET events
qapi: fix example of FAILOVER_NEGOTIATED event
qapi: fix example of UNPLUG_PRIMARY event
qapi: fix example of MEMORY_DEVICE_SIZE_CHANGE event
qapi: fix example of DUMP_COMPLETED event
qapi: fix example of BLOCK_JOB_PENDING event
qapi: fix example of BLOCK_IO_ERROR event
qapi: fix example of BLOCK_IMAGE_CORRUPTED event
qapi: BlockExportRemoveMode: move comments to TODO
schemas: add missing vim modeline
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Victor Toso [Mon, 28 Mar 2022 14:06:04 +0000 (16:06 +0200)]
qapi: fix example of dump-guest-memory
Example output lacks mandatory member @paging. Provide it.
Signed-off-by: Victor Toso <victortoso@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
Message-Id: <20220328140604.41484-15-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Mon, 28 Mar 2022 14:06:03 +0000 (16:06 +0200)]
qapi: fix example of ACPI_DEVICE_OST event
Example output lacks mandatory member @timestamp. Provide it.
Event's @data member is missing @info object. Provide it.
Signed-off-by: Victor Toso <victortoso@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
Message-Id: <20220328140604.41484-14-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Mon, 28 Mar 2022 14:06:02 +0000 (16:06 +0200)]
qapi: ui examples: add missing @websocket member
The examples were missing mandatory member @websocket. Provide it.
Signed-off-by: Victor Toso <victortoso@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
Message-Id: <20220328140604.41484-13-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Mon, 28 Mar 2022 14:06:00 +0000 (16:06 +0200)]
qapi: run-state examples: add missing @timestamp
The changed examples were lacking mandatory member @timestamp.
Provide it.
Signed-off-by: Victor Toso <victortoso@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
Message-Id: <20220328140604.41484-11-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Mon, 28 Mar 2022 14:05:59 +0000 (16:05 +0200)]
qapi: fix examples: SHUTDOWN and RESET events
Example output lacks mandatory member @reason. Provide it.
Signed-off-by: Victor Toso <victortoso@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
Message-Id: <20220328140604.41484-10-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Mon, 28 Mar 2022 14:05:58 +0000 (16:05 +0200)]
qapi: fix example of FAILOVER_NEGOTIATED event
Example output lacks mandatory member @timestamp. Provide it.
Event's documentation is not properly formatted. Fix it by:
- Adding @ to "device-id"
- Adding extra line for "Since" section
Signed-off-by: Victor Toso <victortoso@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
Message-Id: <20220328140604.41484-9-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Mon, 28 Mar 2022 14:05:57 +0000 (16:05 +0200)]
qapi: fix example of UNPLUG_PRIMARY event
Example output lacks mandatory member @timestamp. Provide it.
Example output is not properly formatted. Fixing it by:
- Adding '<-' to signalize it is receiving the data;
- Breaking lines similar to the other examples.
Signed-off-by: Victor Toso <victortoso@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
Message-Id: <20220328140604.41484-8-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Mon, 28 Mar 2022 14:05:56 +0000 (16:05 +0200)]
qapi: fix example of MEMORY_DEVICE_SIZE_CHANGE event
Example output lacks mandatory member @qom-path. Provide it.
Signed-off-by: Victor Toso <victortoso@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20220328140604.41484-7-victortoso@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Mon, 28 Mar 2022 14:05:55 +0000 (16:05 +0200)]
qapi: fix example of DUMP_COMPLETED event
Example output lacks mandatory member @timestamp. Provide it.
Example output is not properly formatted. Fixing it by:
- Adding '<-' to signalize it is receiving the data;
- Adding extra spaces around members @result, @total and @completed
Signed-off-by: Victor Toso <victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
Message-Id: <20220328140604.41484-6-victortoso@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Mon, 28 Mar 2022 14:05:54 +0000 (16:05 +0200)]
qapi: fix example of BLOCK_JOB_PENDING event
Example output has the wrong event's name in it. Fix it.
Example output shows incorrect member @device. Fix it.
Signed-off-by: Victor Toso <victortoso@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20220328140604.41484-5-victortoso@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Mon, 28 Mar 2022 14:05:53 +0000 (16:05 +0200)]
qapi: fix example of BLOCK_IO_ERROR event
Example output lacks mandatory member @reason. Provide it.
Signed-off-by: Victor Toso <victortoso@redhat.com>
Message-Id: <20220328140604.41484-4-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Mon, 28 Mar 2022 14:05:52 +0000 (16:05 +0200)]
qapi: fix example of BLOCK_IMAGE_CORRUPTED event
Example output lacks mandatory member @fatal. Provide it.
Example output shows a value of @msg no version of the code
produces. No big deal, but replace it anyway by one that
today's code does produce.
Signed-off-by: Victor Toso <victortoso@redhat.com>
Message-Id: <20220328140604.41484-3-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Mon, 28 Mar 2022 14:05:51 +0000 (16:05 +0200)]
qapi: BlockExportRemoveMode: move comments to TODO
@hide and @soft are potential additions which fits the TODO section
perfectly.
The main motivation is to avoid this whole block of comment entering
the wrong section in the python parser.
Signed-off-by: Victor Toso <victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com>
Message-Id: <20220328140604.41484-2-victortoso@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Victor Toso [Fri, 25 Mar 2022 22:16:05 +0000 (23:16 +0100)]
schemas: add missing vim modeline
This is the last qapi schema that is missing the modeline.
Fixes 7e7237cd2b "schemas: add missing vim modeline"
Signed-off-by: Victor Toso <victortoso@redhat.com>
Message-Id: <20220325221605.53995-1-victortoso@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: John Snow <jsnow@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
tests/tcg: really fix path to target configuration
virtio: fix --enable-vhost-user build on non-Linux
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Tue, 29 Mar 2022 19:53:05 +0000 (20:53 +0100)]
Merge tag 'pull-block-2022-03-29' of https://gitlab.com/hreitz/qemu into staging
Block patches for 7.0-rc2:
- Disable GLOBAL_STATE_CODE() assertion for the 7.0 release: We got
another bug report for this, and we do not have the time to
investigate before 7.0, so disable the assertion for the release, to
re-enable and continue investigation in the 7.1 cycle
- stream job fix (regarding interaction with concurrent block jobs)
- iotests fixes
# gpg: Signature made Tue 29 Mar 2022 15:55:33 BST
# gpg: using RSA key CB62D7A0EE3829E45F004D34A1FA40D098019CDF
# gpg: issuer "hreitz@redhat.com"
# gpg: Good signature from "Hanna Reitz <hreitz@redhat.com>" [marginal]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: CB62 D7A0 EE38 29E4 5F00 4D34 A1FA 40D0 9801 9CDF
* tag 'pull-block-2022-03-29' of https://gitlab.com/hreitz/qemu:
iotests: Fix status checks
block/stream: Drain subtree around graph change
main-loop: Disable GLOBAL_STATE_CODE() assertions
iotests: update test owner contact information
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Hanna Reitz [Thu, 24 Mar 2022 18:02:21 +0000 (19:02 +0100)]
iotests: Fix status checks
An iotest's 'paused' condition is fickle; it will be reported as true
whenever the job is drained, for example, or when it is in the process
of completing.
030 and 041 contain such checks, we should replace them by checking the
job status instead. (As was done for 129 in commit f9a6256b48f29c2816
for the 'busy' condition.)
Additionally, when we want to test that a job is paused on error, we
might want to give it some time to actually switch to the paused state.
Do that by waiting on the corresponding JOB_STATUS_CHANGE event. (But
only if they are not already paused; the loops these places are in fetch
all VM events, so they may have already fetched that event from the
queue.)
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Message-Id: <20220324180221.24508-1-hreitz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
Hanna Reitz [Thu, 24 Mar 2022 14:09:07 +0000 (15:09 +0100)]
block/stream: Drain subtree around graph change
When the stream block job cuts out the nodes between top and base in
stream_prepare(), it does not drain the subtree manually; it fetches the
base node, and tries to insert it as the top node's backing node with
bdrv_set_backing_hd(). bdrv_set_backing_hd() however will drain, and so
the actual base node might change (because the base node is actually not
part of the stream job) before the old base node passed to
bdrv_set_backing_hd() is installed.
This has two implications:
First, the stream job does not keep a strong reference to the base node.
Therefore, if it is deleted in bdrv_set_backing_hd()'s drain (e.g.
because some other block job is drained to finish), we will get a
use-after-free. We should keep a strong reference to that node.
Second, even with such a strong reference, the problem remains that the
base node might change before bdrv_set_backing_hd() actually runs and as
a result the wrong base node is installed.
Both effects can be seen in 030's TestParallelOps.test_overlapping_5()
case, which has five nodes, and simultaneously streams from the middle
node to the top node, and commits the middle node down to the base node.
As it is, this will sometimes crash, namely when we encounter the
above-described use-after-free.
Taking a strong reference to the base node, we no longer get a crash,
but the resuling block graph is less than ideal: The expected result is
obviously that all middle nodes are cut out and the base node is the
immediate backing child of the top node. However, if stream_prepare()
takes a strong reference to its base node (the middle node), and then
the commit job finishes in bdrv_set_backing_hd(), supposedly dropping
that middle node, the stream job will just reinstall it again.
Therefore, we need to keep the whole subtree drained in
stream_prepare(), so that the graph modification it performs is
effectively atomic, i.e. that the base node it fetches is still the base
node when bdrv_set_backing_hd() sets it as the top node's backing node.
Verify this by asserting in said 030's test case that the base node is
always the top node's immediate backing child when both jobs are done.
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Message-Id: <20220324140907.17192-1-hreitz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Acked-by: Vladimir Sementsov-Ogievskiy <v.sementsov-og@mail.ru>
Hanna Reitz [Tue, 29 Mar 2022 09:35:45 +0000 (11:35 +0200)]
main-loop: Disable GLOBAL_STATE_CODE() assertions
These assertions are very useful for developers to find bugs, and so
they have indeed pointed us towards bugs already. For users, it is not
so useful to find these bugs. We should probably not enable them in
releases until we are sufficiently certain that they will not fire
during normal operation, unless something is going seriously wrong.
For example, we have received a bug report that you cannot add an NBD
server on a BDS in an I/O thread with `-incoming defer`. I am sure this
is a real bug that needs investigation, but we do not really have that
time right now, so close to release, and so I would rather disable the
assertions to get time to investigate such reports.
(I am just putting the link as "buglink" below, not "closes", because
disabling the assertion will not fix the likely underlying bug.)
Buglink: https://gitlab.com/qemu-project/qemu/-/issues/945 Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Message-Id: <20220329093545.52114-1-hreitz@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
John Snow [Tue, 22 Mar 2022 17:42:12 +0000 (13:42 -0400)]
iotests: update test owner contact information
Quite a few of these tests have stale contact information. This patch
updates the stale ones that I happen to be aware of at the moment.
Signed-off-by: John Snow <jsnow@redhat.com>
Message-Id: <20220322174212.1169630-1-jsnow@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Peter Maydell [Tue, 29 Mar 2022 14:17:53 +0000 (15:17 +0100)]
Merge tag 'darwin-20220329' of https://github.com/philmd/qemu into staging
Darwin patches
- UI fixes
# gpg: Signature made Mon 28 Mar 2022 23:42:21 BST
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE
* tag 'darwin-20220329' of https://github.com/philmd/qemu:
ui/console: Check console before emitting GL event
ui/cocoa: Respect left-command-key option
main-loop: Disable block backend global state assertion on Cocoa
gitattributes: Cover Objective-C source files
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Paolo Bonzini [Tue, 29 Mar 2022 10:44:39 +0000 (12:44 +0200)]
tests/tcg: really fix path to target configuration
This was attempted in commit 533b0a1a41 ("tests/tcg: Fix target-specific
Makefile variables path for user-mode", 2022-01-12) but it also used the
wrong path; default.mak is used for config/devices, not config/targets.
While at it, explain what the inclusion is about.
Cc: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Paolo Bonzini [Mon, 28 Mar 2022 15:58:27 +0000 (17:58 +0200)]
virtio: fix --enable-vhost-user build on non-Linux
The vhost-shadow-virtqueue.c build requires include files from
linux-headers/, so it cannot be built on non-Linux systems.
Fortunately it is only needed by vhost-vdpa, so move it there.
Acked-by: Eugenio Pérez <eperezma@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Peter Maydell [Tue, 29 Mar 2022 11:53:15 +0000 (12:53 +0100)]
Merge tag 'mips-20220329' of https://github.com/philmd/qemu into staging
MIPS patches queue
- ABI fixes (Xuerui, Andreas)
- Memory API alias fix (David)
# gpg: Signature made Tue 29 Mar 2022 11:34:42 BST
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE
* tag 'mips-20220329' of https://github.com/philmd/qemu:
qemu-binfmt-conf.sh: mips: allow nonzero EI_ABIVERSION, distinguish o32 and n32
target/mips: Fix address space range declaration on n32
memory: Make memory_region_readd_subregion() properly handle mapped aliases
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
qemu-binfmt-conf.sh: mips: allow nonzero EI_ABIVERSION, distinguish o32 and n32
With the command line flag -mplt and a recent toolchain, ELF binaries
generated by gcc can obtain EI_ABIVERSION=1, which makes, e.g., gcc
three-stage bootstrap in a mips-unknown-linux-gnu qemu-user chroot
fail since the binfmt-misc magic does not match anymore. Also other
values are technically possible. qemu executes these binaries just
fine, so relax the mask for the EI_ABIVERSION byte at offset 0x08.
In addition, extend magic string to distinguish mips o32 and n32 ABI.
This information is given by the EF_MIPS_ABI2 (0x20) bit in the
e_flags field of the ELF header (a 4-byte value at offset 0x24 for
the here applicable ELFCLASS32).
See-also: ace3d65459 Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: WANG Xuerui <xen0n@gentoo.org> Cc: Laurent Vivier <laurent@vivier.eu> Cc: WANG Xuerui <xen0n@gentoo.org> Cc: Richard Henderson <richard.henderson@linaro.org> Cc: Alex Bennee <alex.bennee@linaro.org> Cc: Philippe Mathieu-Daudé <f4bug@amsat.org> Closes: https://gitlab.com/qemu-project/qemu/-/issues/843
Message-Id: <20220328204900.3914990-1-dilfridge@gentoo.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
WANG Xuerui [Mon, 28 Mar 2022 03:59:42 +0000 (11:59 +0800)]
target/mips: Fix address space range declaration on n32
This bug is probably lurking there for so long, I cannot even git-blame
my way to the commit first introducing it.
Anyway, because n32 is also TARGET_MIPS64, the address space range
cannot be determined by looking at TARGET_MIPS64 alone. Fix this by only
declaring 48-bit address spaces for n64, or the n32 user emulation will
happily hand out memory ranges beyond the 31-bit limit and crash.
Confirmed to make the minimal reproducing example in the linked issue
behave.
Closes: https://gitlab.com/qemu-project/qemu/-/issues/939 Cc: Philippe Mathieu-Daudé <f4bug@amsat.org> Cc: Aurelien Jarno <aurelien@aurel32.net> Cc: Jiaxun Yang <jiaxun.yang@flygoat.com> Cc: Aleksandar Rikalo <aleksandar.rikalo@syrmia.com> Signed-off-by: WANG Xuerui <xen0n@gentoo.org> Tested-by: Andreas K. Huettel <dilfridge@gentoo.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20220328035942.3299661-1-xen0n@gentoo.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
memory: Make memory_region_readd_subregion() properly handle mapped aliases
memory_region_readd_subregion() wants to readd a region by first
removing it and then readding it. For readding, it doesn't use one of
the memory_region_add_*() variants, which is why fail to re-increment the
mr->mapped_via_alias counters, resulting in the
assert(alias->mapped_via_alias >= 0) in memory_region_del_subregion()
triggering the next time we call memory_region_readd_subregion().
Fix it by using memory_region_add_subregion_common() for readding the
region.
Reported-by: Niek Linnenbank <nieklinnenbank@gmail.com> Fixes: 5ead62185d23 ("memory: Make memory_region_is_mapped() succeed when mapped via an alias") Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Peter Xu <peterx@redhat.com> Cc: "Philippe Mathieu-Daudé" <f4bug@amsat.org> Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <20220201100940.47788-1-david@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
As we are in passed release 7.0 hard freeze, disable the block
backend assertion which, while being valuable during development,
is not helpful to users. We'll restore this assertion immediately
once 7.0 is released and work on a fix.
Suggested-by: Akihiko Odaki <akihiko.odaki@gmail.com> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Akihiko Odaki <akihiko.odaki@gmail.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20220325183707.85733-1-philippe.mathieu.daude@gmail.com>
Apple's Git distribution actually carries a similar file which
annotates *.m:
https://github.com/apple-opensource/Git/blob/73/gitattributes
See comments in commit 29cf16db23 ("buildsys: Help git-diff
adding .gitattributes config file") for details.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Message-Id: <20220317130326.39188-1-philippe.mathieu.daude@gmail.com>
Peter Maydell [Mon, 28 Mar 2022 09:16:33 +0000 (10:16 +0100)]
Merge tag 'pull-ppc-20220326' of https://github.com/legoater/qemu into staging
ppc-7.0 queue:
* target/ppc: fix helper_xvmadd* argument order
# gpg: Signature made Sat 26 Mar 2022 12:57:54 GMT
# gpg: using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1
# gpg: Good signature from "Cédric Le Goater <clg@kaod.org>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: A0F6 6548 F048 95EB FE6B 0B60 51A3 43C7 CFFB ECA1
* tag 'pull-ppc-20220326' of https://github.com/legoater/qemu:
target/ppc: fix helper_xvmadd* argument order
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Matheus Ferst [Sat, 26 Mar 2022 12:52:37 +0000 (13:52 +0100)]
target/ppc: fix helper_xvmadd* argument order
When the xsmadd* insns were moved to decodetree, the helper arguments
were reordered to better match the PowerISA description. The same macro
is used to declare xvmadd* helpers, but the translation macro of these
insns was not changed accordingly.
* tag 'pull-target-arm-20220325' of https://git.linaro.org/people/pmaydell/qemu-arm:
hw/intc/arm_gicv3_its: Add missing newlines to process_mapc() logging
target/arm: Fix sve_ld1_z and sve_st1_z vs MMIO
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Fri, 25 Mar 2022 14:41:06 +0000 (14:41 +0000)]
hw/intc/arm_gicv3_its: Add missing newlines to process_mapc() logging
In commit 84d43d2e82da we rearranged the logging of errors in
process_mapc(), and inadvertently dropped the trailing newlines
from the log messages. Restore them. The same commit also
attempted to switch the ICID printing to hex (which is how we
print ICIDs elsewhere) but only did half the job, adding the
0x prefix but leaving the format string at %d; correct to %x.
Fixes: 84d43d2e82da ("hw/intc/arm_gicv3_its: In MAPC with V=0, don't check rdbase field") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
build: disable fcf-protection on -march=486 -m16
target/i386: properly reset TSC on reset
target/i386: tcg: high bits SSE cmp operation must be ignored
configure: remove dead int128 test
KVM: x86: workaround invalid CPUID[0xD,9] info on some AMD processors
i386: Set MCG_STATUS_RIPV bit for mce SRAR error
target/i386/kvm: Free xsave_buf when destroying vCPU
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Thu, 24 Mar 2022 20:08:39 +0000 (20:08 +0000)]
Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging
Pull request
Philippe found cases where the 0x%d format string was used, leading to
misleading output. The patches look harmless and could save people time, so I
think it's worth including them in 7.0.
# gpg: Signature made Thu 24 Mar 2022 17:15:20 GMT
# gpg: using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" [full]
# gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" [full]
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8
* tag 'block-pull-request' of https://gitlab.com/stefanha/qemu:
hw: Fix misleading hexadecimal format
block: Fix misleading hexadecimal format
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Some of the roms build with -march=i486 -m16 which is incompatible
with -fcf-protection. That in turn is can be set by default, for
example in Ubuntu [1].
That causes:
cc1: error: ‘-fcf-protection’ is not compatible with this target
This won't work on -march=i486 -m16 and no matter if set or not we can
override it to "none" if the option is known to the compiler to be
able to build reliably.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20220323090713.1002588-1-christian.ehrhardt@canonical.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Paolo Bonzini [Thu, 24 Mar 2022 08:21:41 +0000 (09:21 +0100)]
target/i386: properly reset TSC on reset
Some versions of Windows hang on reboot if their TSC value is greater
than 2^54. The calibration of the Hyper-V reference time overflows
and fails; as a result the processors' clock sources are out of sync.
The issue is that the TSC _should_ be reset to 0 on CPU reset and
QEMU tries to do that. However, KVM special cases writing 0 to the
TSC and thinks that QEMU is trying to hot-plug a CPU, which is
correct the first time through but not later. Thwart this valiant
effort and reset the TSC to 1 instead, but only if the CPU has been
run once.
For this to work, env->tsc has to be moved to the part of CPUArchState
that is not zeroed at the beginning of x86_cpu_reset.
Reported-by: Vadim Rozenfeld <vrozenfe@redhat.com>
Supersedes: <20220324082346.72180-1-pbonzini@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
"0x%u" format is very misleading, replace by "0x%x".
Found running:
$ git grep -E '0x%[0-9]*([lL]*|" ?PRI)[dDuU]' hw/
Inspired-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20220323114718.58714-3-philippe.mathieu.daude@gmail.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Inspired-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Hanna Reitz <hreitz@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Denis V. Lunev <den@openvz.org>
Message-id: 20220323114718.58714-2-philippe.mathieu.daude@gmail.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
projects / thirdparty / qemu.git / log
