Stefan Hajnoczi [Sat, 6 Jun 2026 18:47:04 +0000 (14:47 -0400)]
Merge tag 'qom-tests-pr-v2' of https://gitlab.com/marcandre.lureau/qemu into staging
Fix various QOM object life-cycle issues
This series adds a new "qom-tests" qtest command that exercises basic QOM
object life-cycle: it instantiates all non-abstract object types, gets/sets
their properties, and unrefs them. This quickly surfaces leaks and crashes
that could otherwise be triggered at runtime via QMP qom commands.
* tag 'qom-tests-pr-v2' of https://gitlab.com/marcandre.lureau/qemu: (23 commits)
qtest: add "qom-tests" command
hw/i2c/pmbus: fix undefined behavior in pmbus_direct_mode2data
target/riscv: use hash table as set for user_options
target/riscv: fix general_user_opts hash table leak
hw/ppc/spapr: free host_model and host_serial on finalization
hw/loongarch/virt: free flash devices and OEM strings on finalization
hw/tpm: free PPI buffer on finalization
hw/i386/pc: free pcspk on finalization
hw/i386/nitro_enclave: add instance finalize
target/i386/kvm/tdx: free strings in tdx_guest_finalize
target/i386/sev: add finalize functions and fix leaking setters
net/filter: free old values in property setters
hw/core/machine: free shim_filename on finalization
system/ioport: minor code simplification
backends/cryptodev-lkcf: skip cleanup when not initialized
hw/intc/apic: move checks to realize()
hw/xlnx_dp: reject NULL 'dpdma' property rather than crash
hw/ipmi: reject NULL 'bmc' property rather than crash
hw/pci-host/q35: handle NULL bus in pci-hole64 getters
hw/pci-host/i440fx: handle NULL bus in pci-hole64 getters
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Sat, 6 Jun 2026 18:46:04 +0000 (14:46 -0400)]
Merge tag 's390x-20260605' of https://gitlab.com/cohuck/qemu into staging
s390x updates:
- several fixes, mostly pci related, also in the STSI implementation
- fix up some file patterns in MAINTAINERS
- stop looking for ESA/390 (pre-64 bit zArch) hosts
# gpg: Signature made Fri 05 Jun 2026 10:48:40 EDT
# gpg: using EDDSA key 69A3B536F5CBFC65208026C1DE88BB5641DE66C1
# gpg: issuer "cohuck@redhat.com"
# gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>" [unknown]
# gpg: aka "Cornelia Huck <cohuck@kernel.org>" [unknown]
# gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>" [full]
# gpg: aka "Cornelia Huck <huckc@linux.vnet.ibm.com>" [full]
# gpg: aka "Cornelia Huck <cohuck@redhat.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0 18CE DECF 6B93 C6F0 2FAF
# Subkey fingerprint: 69A3 B536 F5CB FC65 2080 26C1 DE88 BB56 41DE 66C1
* tag 's390x-20260605' of https://gitlab.com/cohuck/qemu:
buildsys: Stop checking for ESA/390 host
MAINTAINERS: Fix tcg/s390x/ path
MAINTAINERS: Fix s390x storage key/attribute device paths
s390x/pci: Fix interrupt forwarding disable for interpreted devices
hw/s390x/ccw: Mark virtio-pci disable-legacy property as optional
target/s390x: Make container ids in SysIB_15x 1-based
hw/s390x: Fix memory leaks after removing elements with QTAILQ_REMOVE
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
hw/i2c/pmbus: fix undefined behavior in pmbus_direct_mode2data
The intermediate result of (Y * 10^-R - b) / m can be negative when
the bias (b) is large and the raw register value is small (e.g. zero
on an uninitialized device). Assigning that negative double to uint32_t
is undefined behavior, caught by UBSan/clang.
Use a double intermediate and clamp negative results to zero (suggested
by Daniel Berrangé).
Fixes: 3746d5c15e70 ("hw/i2c: add support for PMBus")
Reviewed-by: Titus Rwantare <titusr@google.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
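The clamped conversion described in this commit, as an added example rather than QEMU's own hw/i2c/pmbus code: the struct and function names are assumptions, and the saturating upper bound and NaN handling extend the fix's negative-to-zero clamp to the other out-of-range cases a double-to-uint32_t conversion can hit.

```c
#include <stdint.h>

/* Constructed coefficients for the PMBus DIRECT formula the commit message
 * gives: X = (Y * 10^-R - b) / m, with Y the raw register value. The struct
 * shape is an assumption of this example, not QEMU's definition. */
typedef struct {
    int32_t m;  /* slope */
    int32_t b;  /* offset (bias); a large b with a small Y drives X negative */
    int32_t R;  /* decimal exponent */
} PMBusCoefficients;

/* 10^-r computed without libm so the example links with a plain cc. */
static double pow10_neg(int32_t r)
{
    double scale = 1.0;
    int32_t n = r < 0 ? -r : r;
    for (int32_t i = 0; i < n; i++) {
        scale *= 10.0;
    }
    return r < 0 ? scale : 1.0 / scale;
}

/* Converting a double that is negative, >= 2^32 or NaN to uint32_t is
 * undefined behaviour in C (the case UBSan flagged). Saturate instead:
 * negatives clamp to 0 as the fix does; the upper bound and the NaN case are
 * this example's extension of the same idea. */
static uint32_t double_to_u32_sat(double v)
{
    if (v != v) {            /* NaN: nothing meaningful to report */
        return 0;
    }
    if (v < 0.0) {
        return 0;
    }
    if (v >= 4294967296.0) { /* 2^32 and above cannot be represented */
        return UINT32_MAX;
    }
    return (uint32_t)v;      /* in range: truncation toward zero is defined */
}

static uint32_t pmbus_direct_mode2data(PMBusCoefficients c, uint32_t value)
{
    if (c.m == 0) {
        return 0;            /* assumption of this example: zero slope is invalid */
    }
    double x = ((double)value * pow10_neg(c.R) - (double)c.b) / (double)c.m;
    return double_to_u32_sat(x);
}
```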
target/riscv: use hash table as set for user_options
The values stored in user_options are never retrieved, only key
presence is checked. Use g_hash_table_add() instead of
g_hash_table_insert() and drop the unused value parameter.
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
hw/loongarch/virt: free flash devices and OEM strings on finalization
Flash devices created in virt_initfn() via qdev_new() hold an extra
reference that is only dropped on sysbus_realize_and_unref(). When the
machine is destroyed before realization, the flash objects leak. Also,
the oem_id and oem_table_id strings from g_strndup() are never freed.
Fixes: 445c9c645 ("hw/loongarch/virt: Allow user to customize OEM ID and OEM table ID")
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
The PPI buffer is allocated with qemu_memalign() in instance_init but
never freed when the device is destroyed.
Fixes: 46cd2c1050f0 ("hw/tpm: add PPI support to tpm-tis-device for ARM64 virt")
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Property setter strings (vsock, id, parent_role, parent_id) were
never freed because nitro_enclave_machine_info had no
instance_finalize.
Fixes: f1826463d2e8 ("machine/nitro-enclave: New machine type for AWS Nitro Enclaves")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
target/i386/kvm/tdx: free strings in tdx_guest_finalize
tdx_guest_finalize was empty, so mrconfigid, mrowner, and
mrownerconfig set by property setters were never freed.
Fixes: d05a0858cf87 ("i386/tdx: Support user configurable mrconfigid/mrowner/mrownerconfig")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
target/i386/sev: add finalize functions and fix leaking setters
None of the three SEV types (sev-common, sev-guest, sev-snp-guest)
had instance_finalize functions, so all string fields allocated
during init or by property setters were leaked on object destruction.
Add sev_common_finalize, sev_guest_finalize, and
sev_snp_guest_finalize to free the allocated fields.
Also fix sev_common_set_sev_device, sev_guest_set_dh_cert_file,
and sev_guest_set_session_file to free the old value before
replacing it.
netfilter_set_position and netfilter_set_netdev_id overwrote their
respective fields with g_strdup without freeing the previous value,
leaking memory on each property write.
Fixes: fdccce459621 ("init/cleanup of netfilter object")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
backends/cryptodev-lkcf: skip cleanup when not initialized
cryptodev_lkcf_cleanup() locks a mutex that is only initialized
during the init vfunc (called at realize time). When the backend
is destroyed without ever being realized, the mutex is uninitialized
and the lock aborts.
Return early from cleanup when the backend was never started.
Note: it looks like cryptodev init/cleanup callbacks should rather be
regular complete/finalize overrides (calling the parent method).
Fixes: 39fff6f3e8b3 ("cryptodev: Add a lkcf-backend for cryptodev")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
apic_common_set_id() dereferences s->cpu to check for x2APIC support
when the APIC ID is >= 255. On a standalone APIC object that has not
been attached to a CPU, s->cpu is NULL, causing a segfault.
To solve this, move validation during realize().
Fixes: b5ee0468e9d2 ("apic: add support for x2APIC mode")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
hw/pci-host/q35: handle NULL bus in pci-hole64 getters
When called on an unrealized Q35 host bridge (e.g. from
qmp_qom_list_properties), h->bus is NULL since the root bus is only
created during realize. Guard against this in both the
pci_hole64_start and pci_hole64_end getters.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
hw/pci-host/i440fx: handle NULL bus in pci-hole64 getters
When called on an unrealized i440FX host bridge (e.g. from
qmp_qom_list_properties), h->bus is NULL since the root bus is only
created during realize. Guard against this in both
pci_hole64_start and pci_hole64_end getters, reporting an error.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
hw/pci-bridge: handle missing parent in prop_pxb_uid_get
When called on an unrealized pxb bus (e.g. from
qmp_qom_list_properties), bus->parent_dev is NULL. The pxb_bus_num()
callback dereferences it unconditionally. Check for this to avoid a
NULL dereference.
Fixes: 97b9cb066e5f ("hw/pci-bridge: Add acpi_uid property to TYPE_PXB_BUS")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
When called on an unrealized device (e.g. from
qmp_qom_list_properties), pci_get_bus() returns NULL since the device
has no parent bus. Check for this to avoid a NULL dereference in
pci_bus_num().
Fixes: df9ac7254fd9 ("hw/pci: Add a busnr property to pci_props and use for acpi/gi")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
We still build QEMU tools on 32-bit hosts (see commit cf634dfcd8f), however no OS supported by QEMU still runs
on ESA/390 (Linux dropped support in release 4.1 in 2015).
Remove the configure check, directly checking for the 64-bit
z/Architecture.
Farhan Ali [Thu, 21 May 2026 18:29:46 +0000 (11:29 -0700)]
s390x/pci: Fix interrupt forwarding disable for interpreted devices
Remove the FH_MASK_ENABLE check when disabling interrupt forwarding
during device reset. This check was broken for the default case in
the switch statement above, preventing proper cleanup of interrupt
forwarding.
The pbdev->aif check in s390_pci_kvm_aif_disable() already guards
against double-disabling of interrupt forwarding.
Jaehoon Kim [Wed, 20 May 2026 18:33:58 +0000 (13:33 -0500)]
hw/s390x/ccw: Mark virtio-pci disable-legacy property as optional
The s390-ccw-virtio-11.0 compatibility property for TYPE_VIRTIO_PCI
"disable-legacy" causes QEMU to abort when instantiating
vhost-user-fs-pci devices:
Unexpected error in object_property_find_err() at
../qom/object.c:1284:
qemu-system-s390x: -device vhost-user-fs-pci: can't apply
global virtio-pci.disable-legacy=off: Property
'vhost-user-fs-pci.disable-legacy' not found
The issue occurs because some vhost-user devices like
vhost-user-fs-pci only implement the non-transitional variant
and do not define a generic device type. Non-transitional
devices have disable-legacy hardcoded to "on" and do not
expose it as a property, while only generic device types have
the "disable-legacy" property. This affects users running
older machine versions (11.0 and earlier) even when using the
latest QEMU version.
Mark the global property as optional so it only applies to
devices that actually have the property, allowing vhost-user
devices without a generic variant to be instantiated
successfully on older machine versions.
Fixes: 26103c13cff0 ("hw/s390x/ccw: Disable legacy virtio-pci by default (v11.1+)")
Signed-off-by: Jaehoon Kim <jhkim@linux.ibm.com>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-ID: <20260520183403.223983-1-jhkim@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Alexandra Winter [Mon, 11 May 2026 13:49:09 +0000 (15:49 +0200)]
target/s390x: Make container ids in SysIB_15x 1-based
The Container Id in a container-type TLE of SysIB_15x is defined as 8-bit
unsigned nonzero integer. Make stsi fc 15 emulation architecture compliant,
by starting the container ids at 1 for the lowest numbered container.
The qemu misbehaviour without this patch becomes obvious due to a recently
proposed kernel fix. Older linux kernels pass the container ids from stsi
fc15 unchanged to sysfs, i.e. starting at 1 on s390 hardware. This resulted
in off-by-one values when compared to the values from HMC. A Linux kernel
fix is being proposed to correct the sysfs topology ids by -1, so they
start at 0, e.g. when displayed by 'lscpu -ye'. In case a KVM guest with a
fixed kernel runs on a host with a qemu without this fix, this can result
in container ids erroneously being shown as 255.
Example (Fixed guest on unfixed qemu):
$ lscpu -ye
CPU NODE DRAWER BOOK SOCKET CORE L1d:L1i:L2 ONLINE CONFIGURED POLARIZATION ADDRESS
0 0 255 255 255 0 0:0:0 yes yes vert-medium 0
1 0 255 255 0 1 1:1:1 yes yes vert-medium 1
After this fix:
$ lscpu -ye
CPU NODE DRAWER BOOK SOCKET CORE L1d:L1i:L2 ONLINE CONFIGURED POLARIZATION ADDRESS
0 0 0 0 0 0 0:0:0 yes yes vert-medium 0
1 0 0 0 1 1 1:1:1 yes yes vert-medium 1
Fixes: f4f54b582f ("target/s390x/cpu topology: handle STSI(15) and build the SYSIB")
Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
Acked-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Reviewed-by: Gautam Gala <ggala@linux.ibm.com>
Message-ID: <20260511134909.43802-1-wintera@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Stefan Hajnoczi [Tue, 2 Jun 2026 16:24:54 +0000 (12:24 -0400)]
gitlab: remove x64-freebsd-14-build Cirrus job
Cirrus has shut down and the x64-freebsd-14-build is failing:
https://gitlab.com/qemu-project/qemu/-/jobs/14656732122
Remove the x64-freebsd-14-build job to get the CI pipeline passing
again. The next commit will be to remove Cirrus integration from the
GitLab YAML and lcitool since it is no longer used.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Warner Losh <imp@bsdimp.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
Message-id: 20260602162457.828969-2-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Denis V. Lunev [Wed, 20 May 2026 21:26:28 +0000 (23:26 +0200)]
tests/unit: add test-envlist covering setenv/unsetenv name matching
util/envlist had no test coverage. Add tests/unit/test-envlist
exercising the public envlist API and pinning down the prefix-match
hazard fixed in the previous commit:
- envlist_unsetenv("FOO") must not remove an entry named "FOOBAR";
- envlist_setenv("FOO=...") must not replace an existing "FOOBAR=..."
entry placed earlier in the list (envlist_setenv() inserts at the
head, so the first prefix match wins under the old strncmp rule).
Also cover the rest of the contract: head-insertion order observed
through envlist_to_environ(), replacement of an existing variable,
the count argument of envlist_to_environ(), and the documented EINVAL
paths (NULL inputs, setenv without '=', unsetenv with '=').
Signed-off-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20260520212628.479772-3-den@openvz.org
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Denis V. Lunev [Wed, 20 May 2026 21:26:27 +0000 (23:26 +0200)]
util/envlist: fix prefix-match in envlist_unsetenv() name lookup
envlist_unsetenv() looked up the entry to remove with
strncmp(entry->ev_var, env, strlen(env)). The comparison length is
the requested name's length, so any stored entry whose name *starts*
with that name compares equal. envlist_setenv() inserts at the head
of the list, so the first hit wins: with FOO=... stored first and
FOOBAR=... stored afterward, envlist_unsetenv("FOO") iterates from
the head, matches FOOBAR=... on the prefix, and drops it instead of
FOO=...
linux-user and bsd-user reach this code via the -U command-line
switch, so the bug is reachable from a normal qemu-user invocation.
envlist_setenv() used the same strncmp pattern but with
envname_len = (eq_sign - env + 1), so the '=' byte sat inside the
compared window and acted as an implicit boundary. setenv was
therefore not buggy -- but the safety lived in the byte layout of
ev_var rather than in the entry, so a future edit could easily
drift the two sites apart again.
Store the name length on each entry at insertion time and compare
with explicit length equality plus memcmp via a small helper. Use
the helper at both lookup sites so the boundary becomes a
structural property of the entry: envlist_unsetenv() stops
prefix-matching, and envlist_setenv()'s self-search no longer
depends on the '=' byte serving as a sentinel.
Fixes: 04a6dfebb6b5 ("linux-user: Add generic env variable handling")
Signed-off-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20260520212628.479772-2-den@openvz.org
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
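The prefix-match hazard described in this commit, and the cases the test-envlist commit above pins down (unsetenv must not drop a longer-named neighbour, setenv must replace in place, and the EINVAL paths), as an added C model: this is not QEMU's util/envlist code, and the struct layout and helper names are assumptions; only the two lookup rules (old strncmp prefix match versus length equality plus memcmp) follow the commit message.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* Small model of util/envlist, added to show the two lookup rules side by
 * side; not QEMU's code, and the layout and helper names are assumptions. */
typedef struct Entry {
    struct Entry *next;
    char *ev_var;     /* "NAME=value", inserted at the head of the list */
    size_t name_len;  /* strlen("NAME"), recorded at insertion: the fix */
} Entry;
typedef struct { Entry *head; } EnvList;

static char *dupstr(const char *s) { size_t n = strlen(s) + 1; return memcpy(malloc(n), s, n); }

static void envlist_free(EnvList *l)
{
    for (Entry *e = l->head, *n; e; e = n) {
        n = e->next; free(e->ev_var); free(e);
    }
    free(l);
}

/* Old rule: only strlen(name) bytes compared, so "FOOBAR=2" matches "FOO". */
static int name_matches_prefix(const Entry *e, const char *name, size_t len)
{
    return strncmp(e->ev_var, name, len) == 0;
}

/* Fixed rule: explicit length equality, then memcmp over that length. */
static int name_matches(const Entry *e, const char *name, size_t len)
{
    return e->name_len == len && memcmp(e->ev_var, name, len) == 0;
}

/* Replace NAME in place if present, otherwise insert at the head. */
static int envlist_setenv(EnvList *l, const char *env)
{
    const char *eq = strchr(env, '=');
    if (!eq) return EINVAL;   /* documented EINVAL path: no '=' in "NAME=value" */
    size_t name_len = (size_t)(eq - env);
    for (Entry *e = l->head; e; e = e->next) {
        if (name_matches(e, env, name_len)) {   /* self-search, fixed rule */
            free(e->ev_var);
            e->ev_var = dupstr(env);
            return 0;
        }
    }
    Entry *e = malloc(sizeof(*e));
    *e = (Entry){ l->head, dupstr(env), name_len };
    l->head = e;
    return 0;
}

/* Remove the first entry matching NAME; use_prefix selects the old rule. */
static int envlist_unsetenv_rule(EnvList *l, const char *name, int use_prefix)
{
    if (strchr(name, '=')) return EINVAL;   /* documented EINVAL path: '=' in name */
    size_t len = strlen(name);
    for (Entry **pp = &l->head; *pp; pp = &(*pp)->next) {
        Entry *e = *pp;
        if (use_prefix ? name_matches_prefix(e, name, len)
                       : name_matches(e, name, len)) {
            *pp = e->next; free(e->ev_var); free(e);
            return 0;
        }
    }
    return 0;
}

/* Value of NAME (always the fixed rule), or NULL if absent. */
static const char *envlist_get(const EnvList *l, const char *name)
{
    size_t len = strlen(name);
    for (const Entry *e = l->head; e; e = e->next) {
        if (name_matches(e, name, len)) {
            return e->ev_var + len + 1;
        }
    }
    return NULL;
}

/* Commit-message scenario: FOO stored first, FOOBAR afterwards (so FOOBAR sits
 * at the head), then unsetenv("FOO") under the chosen rule or, if `replace`,
 * setenv("FOO=3"). Returns the value of `want` as an int, -1 if it is gone. */
static int scenario(int use_prefix, int replace, const char *want)
{
    EnvList *l = calloc(1, sizeof(*l));
    envlist_setenv(l, "FOO=1");
    envlist_setenv(l, "FOOBAR=2");
    if (replace) {
        envlist_setenv(l, "FOO=3");
    } else {
        envlist_unsetenv_rule(l, "FOO", use_prefix);
    }
    const char *v = envlist_get(l, want);
    int r = v ? atoi(v) : -1;
    envlist_free(l);
    return r;
}
```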
Stefan Hajnoczi [Tue, 2 Jun 2026 15:34:55 +0000 (11:34 -0400)]
Merge tag 'pull-tpm-2026-06-01-1' of https://github.com/stefanberger/qemu-tpm into staging
Merge tpm 2026/06/01 v1
# gpg: Signature made Mon 01 Jun 2026 17:53:21 EDT
# gpg: using RSA key B818B9CADF9089C2D5CEC66B75AD65802A0B4211
# gpg: Good signature from "Stefan Berger <stefanb@linux.vnet.ibm.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B818 B9CA DF90 89C2 D5CE C66B 75AD 6580 2A0B 4211
* tag 'pull-tpm-2026-06-01-1' of https://github.com/stefanberger/qemu-tpm:
tpm_emulator: Disconnect if response exceeds negotiated buffer size
tpm_emulator: Reject a buffer size different than what was requested
hw/tpm: Add support for VM migration with TPM CRB chunking
test/qtest: Add test for tpm crb chunking
hw/tpm: Implement TPM CRB chunking logic
hw/tpm: Add internal buffer state for chunking
hw/tpm: Refactor CRB_CTRL_START register access
hw/tpm: Add TPM CRB chunking fields
ui/vdagent: Use VMSTATE_GBYTEARRAY to safely migrate outbuf
migration/vmstate: Add VMState support for GByteArray
tests: Add a TPM TIS I2C swtpm test
tests: Check whether the I2C master flag is set
tests: Rename id of tpmdev to tpm0
tests: Convert string arrays to byte arrays
tests: Have TPM I2C read/write functions take QTestState as first parameter
tests: Move TPM I2C bus read/write functions to common files
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Tue, 2 Jun 2026 15:34:42 +0000 (11:34 -0400)]
Merge tag 'pull-11.1-testing-hotfix-010626-1' of https://gitlab.com/stsquad/qemu into staging
testing updates:
- revert test/Makefile.include move due to regression
- work-around move with explicit targets for MacOS gitlab
- use debian-all-test-cross for MIPS TCG tests
# gpg: Signature made Mon 01 Jun 2026 12:17:48 EDT
# gpg: using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44
* tag 'pull-11.1-testing-hotfix-010626-1' of https://gitlab.com/stsquad/qemu:
configure: use debian-all-test-cross for mipsel tcg tests
gitlab: work around the inability to build targets for MacOS
Revert "Makefile: include tests/Makefile.include before ninja calculation"
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Berger [Mon, 11 May 2026 14:22:18 +0000 (14:22 +0000)]
tpm_emulator: Disconnect if response exceeds negotiated buffer size
Disconnect from the emulator if a response was to exceed the negotiated
buffer size.
The TPM TIS and SPAPR use 4096 bytes and the CRB 3968 bytes. There are
currently no TPM 2 responses using this size of a buffer and therefore
no response will be sent that is exceeding this size.
Stefan Berger [Mon, 11 May 2026 14:22:17 +0000 (14:22 +0000)]
tpm_emulator: Reject a buffer size different than what was requested
When the TIS, SPAPR, or CRB frontends negotiate a buffer size with the
TPM backend, then the tpm_emulator (swtpm) could still adjust this size
of the buffer to within bounds supported by swtpm+libtpms if the chosen
size was outside the acceptable range. This could theoretically lead to
the TPM 2 using a bigger buffer than what was requested and memory
allocated for. In practice this would not happen since the requested size
of 4096 bytes for TIS and SPAPR and 3968 bytes for CRB happen in the
(currently) supported range of ~2.5kb to 4096 bytes. With PQC support
the range will have an upper bound of 8kb and a lower bound that will
support the (pre-PQC) CRB with 3968 bytes.
Arun Menon [Wed, 6 May 2026 07:58:13 +0000 (13:28 +0530)]
hw/tpm: Add support for VM migration with TPM CRB chunking
- Add subsection in VMState for TPM CRB with the newly introduced
command and response buffer GByteArrays, along with a needed callback,
so that newer QEMU only sends the buffers if it is necessary.
- Implement a migration blocker to prevent migration of the VM if the
user manually enables chunking capability, cap-chunk, but the machine
type does not support it, using a new hw_compat property called
allow_chunk_migration.
- Add a post_load_errp hook so that during a migration, the buffers are
validated before destination VM is started.
Arun Menon [Wed, 6 May 2026 07:58:12 +0000 (13:28 +0530)]
test/qtest: Add test for tpm crb chunking
- New test case added to the swtpm test. Data is written and read from
the buffer in chunks.
- The chunk size is dynamically calculated by reading the
CRB_CTRL_CMD_SIZE address. This can be changed manually to test.
- Add a helper function tpm_wait_till_bit_clear()
- Note that this commit does not yet exercise the chunked read/write
logic, as current transfer sizes remain small. Testing for large
transfers is introduced in a subsequent patch: 'tests: Use ML-DSA-87
operations to cause large TPM transfers with CRB'
Arun Menon [Wed, 6 May 2026 07:58:11 +0000 (13:28 +0530)]
hw/tpm: Implement TPM CRB chunking logic
- Add logic to populate internal TPM command request and response
buffers and to toggle the control registers after each operation.
- The chunk size is limited to CRB_CTRL_CMD_SIZE which is
(TPM_CRB_ADDR_SIZE - A_CRB_DATA_BUFFER). This comes out as 3968 bytes
(4096 - 128 or 0x1000 - 0x80), because 128 bytes are reserved for
control and status registers. In other words, only 3968 bytes are
available for the TPM data.
- With this feature, guests can send commands larger than 3968 bytes.
- Refer section 6.5.3.9 of [1] for implementation details.
Arun Menon [Wed, 6 May 2026 07:58:08 +0000 (13:28 +0530)]
hw/tpm: Add TPM CRB chunking fields
- Add new fields to the CRB Interface Identifier and the CRB
Control Start registers.
- CRB_CTRL_START now has 2 new settings, that can be toggled using the
nextChunk and crbRspRetry bits.
- CapCRBChunk bit (10) was Reserved1 previously. The field is reused in
this revision of the specification. Refer to section 6.4.2.2 of [1]
- Add hw_compat global property called cap-chunk because the chunking
feature is only supported for machine type 11.1 and higher.
ui/vdagent: Use VMSTATE_GBYTEARRAY to safely migrate outbuf
Migrating a GLib GByteArray is now possible directly using the newly
introduced VMSTATE_GBYTEARRAY. It uses the standard GLib API calls to
create the array, or resize it.
This is safer than implementing a C struct and manually updating the
data and len fields. This commit uses the VMSTATE_GBYTEARRAY in vdagent
to store the outbuf variable.
migration/vmstate: Add VMState support for GByteArray
In GLib, GByteArray is an object managed by the library. Currently,
migrating a GByteArray requires treating it as a raw C struct and using
VMSTATE_VBUFFER_ALLOC_UINT32. For example, see vmstate_vdba in
ui/vdagent.c
QEMU cannot pretend that GByteArray is a C struct and simply use
VMS_ALLOC to g_malloc() the buffer. This is because, VMS_ALLOC blindly
overwrites the data pointer with a newly allocated buffer, thereby
leaking the previous memory. Besides, GLib tracks the array's capacity
in a hidden alloc field. Bypassing GLib APIs leave this capacity out of
sync with the newly allocated buffer, potentially leading to heap buffer
overflows during subsequent g_byte_array_append() calls.
This commit introduces VMSTATE_GBYTEARRAY which uses specific library
API calls (g_byte_array_set_size()) to safely resize and populate the
buffer.
Alex Bennée [Mon, 1 Jun 2026 14:31:29 +0000 (15:31 +0100)]
configure: use debian-all-test-cross for mipsel tcg tests
Although we have had the mips compilers in all-test-cross for a while
we had been surviving using the mipsel cross compiler image. However
when that was removed we missed updating the container to use.
Fixes: 366bb88e785 (buildsys: Remove MIPS cross containers)
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Tested-by: Cornelia Huck <cohuck@redhat.com> # running tests on an s390x
Message-ID: <20260601143129.144786-4-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Alex Bennée [Mon, 1 Jun 2026 14:31:28 +0000 (15:31 +0100)]
gitlab: work around the inability to build targets for MacOS
Unfortunately a previous fix to ensure .ninja-goals was set for the
TCG tests broke the ability to run check-functional-FOO. As we have
now reverted we need a solution for the MacOS gitlab run. The simplest
is to add an explicit make invocation to build the signed binaries
before we run the tests.
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Tested-by: Cornelia Huck <cohuck@redhat.com> # running tests on an s390x
Message-ID: <20260601143129.144786-3-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
* tag 'pull-9p-20260601' of https://github.com/cschoenebeck/qemu:
9pfs: fix missing rename lock in v9fs_co_readdir_many (CVE-2026-48004)
tests/9pfs: add deep absolute path test
tests/qtest/libqos: add qvirtqueue_reset_pool() for descriptor pool reset
hw/9pfs: let callers of v9fs_path_sprintf() and v9fs_fix_path() handle errors
hw/9pfs: add error handling to v9fs_fix_path()
hw/9pfs: change V9fsPath.size to size_t and v9fs_path_sprintf() return type
hw/9pfs: add NULL check in v9fs_path_is_ancestor()
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
# gpg: Signature made Mon 01 Jun 2026 02:58:35 EDT
# gpg: using RSA key CA473C44D6A09C189A193FCD452B96852B268216
# gpg: Good signature from "Song Gao <gaosong@loongson.cn>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: CA47 3C44 D6A0 9C18 9A19 3FCD 452B 9685 2B26 8216
* tag 'pull-loongarch-20260601' of https://github.com/gaosong715/qemu:
target/loongarch/kvm: Include missing exec/target_long.h header
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Mon, 1 Jun 2026 12:43:24 +0000 (08:43 -0400)]
Merge tag 'pull-hex-20260529' of https://github.com/qualcomm/qemu into staging
Hexagon cross-toolchain container update
# gpg: Signature made Fri 29 May 2026 19:45:03 EDT
# gpg: using RSA key 3D66AAE474594824C88CE0F81A54AFB8E5646C32
# gpg: Good signature from "Brian Cain (OSS Qualcomm) <brian.cain@oss.qualcomm.com>" [unknown]
# gpg: aka "Brian Cain <bcain@kernel.org>" [unknown]
# gpg: aka "Brian Cain (QuIC) <bcain@quicinc.com>" [unknown]
# gpg: aka "Brian Cain (CAF) <bcain@codeaurora.org>" [unknown]
# gpg: aka "bcain" [unknown]
# gpg: aka "Brian Cain (QUIC) <quic_bcain@quicinc.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6350 20F9 67A7 7164 79EF 49E0 175C 464E 541B 6D47
# Subkey fingerprint: 3D66 AAE4 7459 4824 C88C E0F8 1A54 AFB8 E564 6C32
* tag 'pull-hex-20260529' of https://github.com/qualcomm/qemu:
tests/docker: Update hexagon cross toolchain to 22.1.0
tests/tcg/hexagon: fix check_rev_gating with newer toolchain
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Mon, 1 Jun 2026 12:43:12 +0000 (08:43 -0400)]
Merge tag 'linux-user-next-pull-request' of https://github.com/hdeller/qemu-hppa into staging
linux user patches
A series of patches for linux-user, specifically many FPU fixes in signal
handling code for sh4, mips, ppc and s390x (from Matt Turner), a madvise()
improvement (from me), and qemu header cleanups (from Peter Maydell).
---
v3: Fix build failure due to unknown MADV_COLLAPSE constant in madvise() patch
v2: Dropped the "ARM cortex-m55 program loading fix" and the FPU alpha patch
# gpg: Signature made Fri 29 May 2026 17:51:09 EDT
# gpg: using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
# gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown]
# gpg: aka "Helge Deller <deller@kernel.org>" [unknown]
# gpg: aka "Helge Deller <deller@debian.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4544 8228 2CD9 10DB EF3D 25F8 3E5F 3D04 A7A2 4603
# Subkey fingerprint: BCE9 123E 1AD2 9F07 C049 BBDE F712 B510 A23A 0F5F
* tag 'linux-user-next-pull-request' of https://github.com/hdeller/qemu-hppa:
linux-user: Move cpu_copy() to user-internals.h
linux-user: Move init_main_thread() prototype to user-internals.h
linux-user: Fix typo in function documentation for pgb_addr_set()
linux-user: Implement finer grained madvise() syscall
linux-user/s390x: restore fpu_status rounding mode from FPC on sigreturn
target/sh4: sync fp_status when gdb writes FPSCR
linux-user/sh4: restore FP rounding mode on sigreturn
linux-user/sh4: preserve T/M/Q bits across signal delivery
linux-user/mips: save/restore FCSR across signal delivery
linux-user/ppc: restore fp_status from FPSCR on sigreturn
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* tag 'pull-tcg-20260529' of https://gitlab.com/rth7680/qemu:
tcg: Optimize INDEX_op_mul[us]2 for 0 and 1
tcg: Massage fold_multiply2()
docs/devel/tcg-ops: Fix reStructuredText format
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
sin99xx [Wed, 20 May 2026 17:11:25 +0000 (19:11 +0200)]
9pfs: fix missing rename lock in v9fs_co_readdir_many (CVE-2026-48004)
v9fs_co_readdir_many() dispatches do_readdir_many() to a worker thread
that reads V9fsFidState's path.data without holding a rename lock.
A concurrent rename request, e.g. of its parent dir, causes the FID's
absolute path to be altered by freeing the old path string and
assigning a new one. This causes a heap-use-after-free race condition
while do_readdir_many() is still accessing the old object.
This allows a DoS by an unprivileged guest user.
Fix this by wrapping the worker thread dispatch block within a pair of
v9fs_path_read_lock() and v9fs_path_unlock() calls, like it's done at
other places.
Fixes: 2149675b195f ("9pfs: add new function v9fs_co_readdir_many()")
Fixes: CVE-2026-48004
Reported-by: sin99xx <sin99xx@proton.me>
Signed-off-by: sin99xx <sin99xx@proton.me>
[Christian Schoenebeck: add commit log message]
Link: https://lore.kernel.org/qemu-devel/E1wPkYi-000adH-4E@kylie.crudebyte.com
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Add fs_deep_absolute_path test that creates a deep directory
structure with an absolute path length exceeding 16-bit range
(i.e. >65536) to verify the previous buffer overflow fix.
This is a slow test (may take several seconds) and is therefore
registered as a "slow" test that does not run by default.
tests/qtest/libqos: add qvirtqueue_reset_pool() for descriptor pool reset
Add a function to reset the virtqueue descriptor pool state without
reinitializing the device. This is useful for tests that issue a high
number of requests and are limited by the simplified virtio test
driver's descriptor tracking, which decrements num_free but never
increments it back.
The function is safe for synchronous test code where requests are
sent and completed before the next request is issued.
hw/9pfs: let callers of v9fs_path_sprintf() and v9fs_fix_path() handle errors
This patch mitigates issues with very large absolute paths.
- Add error handling to all v9fs_path_sprintf() calls in
local_name_to_path()
- Update callers of v9fs_fix_path() to check return values.
- When path formatting fails, clunk the affected FIDs to prevent use of
invalid paths.
- Use g_autofree for temporary variables to simplify code.
Even though paths are usually limited to PATH_MAX (typically 4k) on the guest,
this limitation can be circumvented by using *at() functions on the guest and
creating very deep directory structures. This was a problem for the QEMU 9p
server, as it currently tracks the absolute path for each FID internally,
which always requires assembling a (potentially very large) absolute path.
A true long-term fix would be getting rid of storing an absolute path for
each FID internally. However, that would likely be a massive change with
uncertain implications.
This patch therefore just mitigates the problem by immediately clunking
(i.e. closing) all FIDs whose path exceeds the limit we can handle.
As this only applies to unusually large absolute paths that have never been
reported on (sane) production machines, this is currently considered an
acceptable mitigation that should only (counter)affect malicious attempts.
hw/9pfs: add NULL check in v9fs_path_is_ancestor()
Add NULL check for s1->data and s2->data before using them in
string operations. This prevents potential crashes when dealing
with uninitialized paths.
This is just a defensive measure. We are currently never passing
NULL to this function.
Qiang Ma [Mon, 1 Jun 2026 01:46:01 +0000 (09:46 +0800)]
target/loongarch/kvm: Include missing exec/target_long.h header
After commit 71cab1a42d2 removed the indirect include of
exec/cpu-defs.h from target/loongarch/cpu.h, the TARGET_FMT_lx
macro is no longer visible in kvm.c, causing build failures:
error: expected ')' before TARGET_FMT_lx
Add the missing exec/target_long.h to fix it.
Cc: qemu-stable@nongnu.org
Fixes: 71cab1a42d2 ("target/cpu: Do not include 'exec/cpu-defs.h' anymore")
Signed-off-by: Qiang Ma <maqianga@uniontech.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260601014601.4047201-1-gaosong@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Brian Cain [Wed, 20 May 2026 16:27:27 +0000 (09:27 -0700)]
tests/docker: Update hexagon cross toolchain to 22.1.0
Update the hexagon cross-compiler Docker container to use toolchain
version 22.1.0, replacing the previous 12.Dec.2023 release.
Changes to accommodate the new toolchain:
- Add libc++1, libc++abi1, libunwind-19 runtime deps for the new
LLVM-based toolchain
- Add zstd for the new .tar.zst archive format
- Update artifact URL domain to artifacts.codelinaro.org
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
Brian Cain [Wed, 20 May 2026 16:27:23 +0000 (09:27 -0700)]
tests/tcg/hexagon: fix check_rev_gating with newer toolchain
The check_rev_gating test is compiled with -mv66, but the final linkage
step does not specify the CPU version. The v22.1.0 toolchain contains a
crt1.o compiled for v68, so the linker resolves the v66 + v68 linkage by
selecting the highest version. The resulting binary then executes v68
instructions without gating, leading to a segfault.
Fix this by passing -cpu v66 to QEMU when running the test, so that the
emulated CPU matches the intended v66 target and the revision gating
mechanism works as expected.
Peter Maydell [Tue, 26 May 2026 15:17:57 +0000 (16:17 +0100)]
linux-user: Move cpu_copy() to user-internals.h
We only use cpu_copy() inside linux-user, so we don't need to have
the prototype in qemu.h available to code outside linux-user; move it
to user-internals.h.
Peter Maydell [Tue, 26 May 2026 15:17:56 +0000 (16:17 +0100)]
linux-user: Move init_main_thread() prototype to user-internals.h
The init_main_thread() prototype is needed only by code internal to
linux-user/, so it doesn't need to be in qemu.h (which is also pulled
in by various files outside linux-user/).
Move the prototype to user-internals.h, and give it a documentation
comment.
Although most madvise() values are hints, some are important and are
checked by userspace, especially by security-relevant applications like
BoringSSL. So, return -EINVAL for those functions which we don't emulate.
Matt Turner [Tue, 26 May 2026 15:05:33 +0000 (11:05 -0400)]
linux-user/s390x: restore fpu_status rounding mode from FPC on sigreturn
QEMU keeps the s390x floating-point control register (FPC) in env->fpc.
The rounding mode bits [2:0] of FPC are reflected into the derived
env->fpu_status via set_float_rounding_mode(); every architectural
write to FPC goes through HELPER(sfpc) which keeps the two in sync.
restore_sigregs() restored FPC with a direct assignment:
__get_user(env->fpc, &sc->fpregs.fpc);
This wrote env->fpc correctly but never updated env->fpu_status, so on
sigreturn the interrupted code resumed with whatever rounding mode the
signal handler last installed in fpu_status.
Factor the two-step "write fpc + sync fpu_status" logic out of
HELPER(sfpc) into cpu_s390x_load_fpc(), declare it in cpu.h, and call
it from restore_sigregs() in place of the direct assignment.
cpu_s390x_load_fpc() partially reuses the sanity check from
HELPER(sfpc): if the FPC value has an invalid rounding mode or reserved
bits set, it falls back to 0, matching the kernel's fpu_lfpc_safe()
behavior where a corrupt signal frame value causes a specification
exception and 0 is used instead.
HELPER(sfpc) now calls cpu_s390x_load_fpc() after its full
specification-exception check, including the FEAT_FLOATING_POINT_EXT
test that is not needed for the signal restore path.
Fixes: 2941e0fa05 ("linux-user/s390x: Save/restore fpc when handling a signal")
Cc: qemu-stable@nongnu.org
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Matt Turner [Mon, 25 May 2026 15:26:42 +0000 (11:26 -0400)]
target/sh4: sync fp_status when gdb writes FPSCR
sh4_cpu_gdb_write_register() wrote the incoming FPSCR value straight
into env->fpscr, leaving the derived env->fp_status (rounding mode and
flush-to-zero) stale, so a gdb-initiated FPSCR change did not take
effect for subsequent FP operations. Use cpu_load_fpscr() instead, the
same way the adjacent case already uses cpu_write_sr() for SR.
Cc: qemu-stable@nongnu.org
Reviewed-by: Yoshinori Sato <yoshinori.sato@nifty.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Matt Turner [Mon, 25 May 2026 15:26:41 +0000 (11:26 -0400)]
linux-user/sh4: restore FP rounding mode on sigreturn
The SH4 FPSCR rounding-mode (RM) and denormal (DN) bits are not held
only in env->fpscr: they are also reflected into the derived
env->fp_status via set_float_rounding_mode()/set_flush_to_zero(). The
guest keeps the two in sync by routing every write to FPSCR through
helper_ld_fpscr().
restore_sigcontext() wrote the saved value straight into env->fpscr and
never touched env->fp_status, so on sigreturn the interrupted code
resumed with whatever FP rounding mode and flush-to-zero setting the
signal handler last installed. (regs->flags = 0 forces the FR/SZ/PR TB
flags to be recomputed, but fp_status is runtime float state, not a TB
flag, so it was left stale.) This is the FP analogue of the T/M/Q bit
problem just fixed for the integer status register.
Factor the FPSCR -> fp_status synchronisation out of helper_ld_fpscr()
into cpu_load_fpscr() and use it from restore_sigcontext() so the
rounding mode round-trips correctly across signal delivery.
Fixes: c3b5bc8ab3 ("SH4: Signal handling for the user space emulator, by Magnus Damm.")
Cc: qemu-stable@nongnu.org
Reviewed-by: Yoshinori Sato <yoshinori.sato@nifty.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Matt Turner [Mon, 25 May 2026 15:26:40 +0000 (11:26 -0400)]
linux-user/sh4: preserve T/M/Q bits across signal delivery
QEMU keeps the SH4 T, M and Q status-register bits outside env->sr, in
the dedicated env->sr_t, env->sr_m and env->sr_q fields; cpu_read_sr()
folds them back into the architectural SR value and cpu_write_sr()
splits them back out.
setup_sigcontext() saved the bare env->sr (so the T/M/Q bits were always
zero in the signal frame) and restore_sigcontext() wrote the value
straight back into env->sr without updating sr_t/sr_m/sr_q. As a result
the T bit was never preserved across signal delivery: on sigreturn the
interrupted code resumed with whatever T value the signal handler last
left behind. Any conditional branch (or addc/subc/rotcl/div1, etc.)
immediately following the interrupted instruction could then take the
wrong path.
This is the cause of the long-standing intermittent failures of the
tests/tcg/multiarch/signals.c test on sh4, which was marked BROKEN. With
a SIGRTMIN timer firing every millisecond across many threads, the race
was hit a few percent of the time and corrupted the guest heap, surfacing
as a SIGSEGV in memset, a malloc assertion, or an rseq registration abort.
Traced on a deterministic rr recording: a cmp/hi set T=0, the timer
signal interrupted the very next instruction (a bf), the handler left
T=1, and the resumed bf took glibc calloc's MORECORE_CLEARS branch,
using the old top-chunk size as the clear length for a freshly split
small chunk and running memset off the end of the heap.
Fix setup_sigcontext()/restore_sigcontext() to use cpu_read_sr() and
cpu_write_sr() so the T, M and Q bits round-trip correctly, and drop the
BROKEN annotation on the sh4 signals test.
Fixes: c3b5bc8ab3 ("SH4: Signal handling for the user space emulator, by Magnus Damm.")
Cc: qemu-stable@nongnu.org
Reviewed-by: Yoshinori Sato <yoshinori.sato@nifty.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
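A constructed C model of the T-bit loss described in the commit above, added here as an example and not QEMU's own code. It assumes the SH-4 SR bit positions T=0, Q=8, M=9 and a reduced CPUSH4State with only the fields the bug involves; the "buggy" pair saves and restores the bare sr field, the "fixed" pair goes through cpu_read_sr()/cpu_write_sr().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* SR bit positions as in the SH-4 status register layout (assumed here). */
#define SR_T 0
#define SR_Q 8
#define SR_M 9

/* Constructed, reduced model of the relevant CPUSH4State fields. */
typedef struct {
    uint32_t sr;    /* architectural SR with the T/M/Q bits masked out */
    uint32_t sr_t;  /* T bit kept in its own field */
    uint32_t sr_m;  /* M bit kept in its own field */
    uint32_t sr_q;  /* Q bit kept in its own field */
} CPUSH4State;

/* Modelled signal frame: only the saved SR matters for this example. */
typedef struct { uint32_t sc_sr; } SigContext;

/* Fold the split-out T/M/Q bits back into the architectural SR value. */
static uint32_t cpu_read_sr(const CPUSH4State *env)
{
    return env->sr | (env->sr_m << SR_M) | (env->sr_q << SR_Q) |
           (env->sr_t << SR_T);
}

/* Split T/M/Q out of an architectural SR value into their own fields. */
static void cpu_write_sr(CPUSH4State *env, uint32_t sr)
{
    env->sr_m = (sr >> SR_M) & 1;
    env->sr_q = (sr >> SR_Q) & 1;
    env->sr_t = (sr >> SR_T) & 1;
    env->sr = sr & ~((1u << SR_M) | (1u << SR_Q) | (1u << SR_T));
}

/* Before the fix: bare env->sr is saved and written straight back. */
static void setup_sigcontext_buggy(SigContext *sc, const CPUSH4State *env)
{
    sc->sc_sr = env->sr;            /* T/M/Q are always zero here */
}
static void restore_sigcontext_buggy(CPUSH4State *env, const SigContext *sc)
{
    env->sr = sc->sc_sr;            /* sr_t/sr_m/sr_q left untouched */
}

/* After the fix: the architectural value round-trips through the frame. */
static void setup_sigcontext_fixed(SigContext *sc, const CPUSH4State *env)
{
    sc->sc_sr = cpu_read_sr(env);
}
static void restore_sigcontext_fixed(CPUSH4State *env, const SigContext *sc)
{
    cpu_write_sr(env, sc->sc_sr);
}

/* Does write-then-read reproduce an arbitrary architectural SR value? */
static bool sr_round_trips(uint32_t sr)
{
    CPUSH4State env = { 0 };
    cpu_write_sr(&env, sr);
    return cpu_read_sr(&env) == sr;
}

/*
 * Simulate one signal delivery: the interrupted code had T = t_before,
 * the handler leaves T = t_handler (e.g. via a cmp instruction), then
 * sigreturn restores the frame.  Returns the T bit the resumed code sees.
 */
static uint32_t t_after_signal(bool use_fix, uint32_t t_before,
                               uint32_t t_handler)
{
    /* 0x40000000 is a constructed SR value (MD bit set, nothing else). */
    CPUSH4State env = { .sr = 0x40000000u, .sr_t = t_before,
                        .sr_m = 1, .sr_q = 0 };
    SigContext sc;

    if (use_fix) {
        setup_sigcontext_fixed(&sc, &env);
    } else {
        setup_sigcontext_buggy(&sc, &env);
    }
    env.sr_t = t_handler;           /* the handler's last cmp result */
    if (use_fix) {
        restore_sigcontext_fixed(&env, &sc);
    } else {
        restore_sigcontext_buggy(&env, &sc);
    }
    return env.sr_t;
}

int main(void)
{
    printf("buggy: T=0 before signal, handler leaves T=1, resumed T=%u\n",
           t_after_signal(false, 0, 1));
    printf("fixed: T=0 before signal, handler leaves T=1, resumed T=%u\n",
           t_after_signal(true, 0, 1));
    return 0;
}
```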
Matt Turner [Mon, 25 May 2026 15:24:27 +0000 (11:24 -0400)]
linux-user/mips: save/restore FCSR across signal delivery
QEMU keeps the MIPS FPU control/status register (FCSR, fcr31) in
env->active_fpu.fcr31. The rounding mode, flush-to-zero (FS), and
NaN-2008 mode bits in fcr31 are reflected into the derived
env->active_fpu.fp_status via set_float_rounding_mode() and friends;
every architectural write to FCSR goes through helper_ctc1() which
calls restore_fp_status() to keep the two in sync.
Both target_sigcontext variants (O32 and N32/N64) have an sc_fpc_csr
field that holds FCSR, but setup_sigcontext() never wrote it and
restore_sigcontext() never read it. As a result:
- The signal frame always delivered sc_fpc_csr == 0 to the handler,
so sigaction(SA_SIGINFO) handlers that inspect the interrupted
context see the wrong FCSR.
- On sigreturn, active_fpu.fcr31 retained whatever value the signal
handler last installed (if any), and active_fpu.fp_status was
never resynced. Interrupted code resumed with the wrong rounding
mode, FS flag, and NaN-2008 semantics.
Fix setup_sigcontext() to save fcr31 into sc_fpc_csr. Fix
restore_sigcontext() to read it back (masked to fcr31_rw_bitmask as
the kernel does) and call cpu_mips_restore_fp_status() to resync
fp_status from the restored fcr31.
Add cpu_mips_restore_fp_status() in target/mips/fpu.c (which already
defines ieee_rm and includes fpu_helper.h), and declare it in cpu.h.
Fixes: 084d0497a0 ("mips-linux-user: Save and restore fpu and dsp from sigcontext")
Cc: qemu-stable@nongnu.org
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Matt Turner [Mon, 25 May 2026 15:23:12 +0000 (11:23 -0400)]
linux-user/ppc: restore fp_status from FPSCR on sigreturn
restore_user_regs() restores the PPC FPSCR with a direct assignment:
env->fpscr = (uint32_t) fpscr;
ppc_store_fpscr() exists precisely to write FPSCR and keep the derived
env->fp_status in sync: it calls fpscr_set_rounding_mode() to update
the softfloat rounding mode, and set_float_rebias_overflow/underflow()
to reflect the FP_OE/FP_UE enable bits. The direct assignment bypasses
all of this.
On sigreturn, interrupted code resumes with whatever rounding mode and
overflow/underflow-rebias state the signal handler last installed in
fp_status, rather than the state that was saved at signal delivery.
Replace the direct assign with ppc_store_fpscr(). The FPSCR_MTFS_MASK
applied inside ppc_store_fpscr() only excludes the computed FP_FEX and
FP_VX bits, which it re-derives correctly from the exception and enable
bits in the restored value.
Fixes: bcd4933a23 ("linux-user: ppc signal handling")
Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Zero operands produce a zero high and low product. One operands produce
a copy of the other operand and a zero or sign extension in the high
half.
Fold those cases during TCG optimization so wide-multiply idioms used by
target translators can collapse before code generation.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260520125139.13352-3-philmd@linaro.org>
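A constructed 32-bit model of the mul2 identities the commit above folds, added here as an example and not QEMU's or TCG's own code: mul2_reference() computes the real 64-bit product split into low and high halves, and fold_mul2() applies only the 0 and 1 special cases, including the sign extension of the high half for the signed variant.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Low and high 32-bit halves of a 64-bit product (constructed model). */
typedef struct { uint32_t lo, hi; } Mul2Result;

/* Reference wide multiply: unsigned (mulu2) or signed (muls2). */
static Mul2Result mul2_reference(uint32_t a, uint32_t b, bool is_signed)
{
    uint64_t p = is_signed
        ? (uint64_t)((int64_t)(int32_t)a * (int64_t)(int32_t)b)
        : (uint64_t)a * (uint64_t)b;
    Mul2Result r = { (uint32_t)p, (uint32_t)(p >> 32) };
    return r;
}

/*
 * Constant folding for a known 0 or 1 operand.  Returns true and fills
 * *out when the result is known without a multiply:
 *   x * 0 -> lo = 0, hi = 0
 *   x * 1 -> lo = x, hi = 0 (unsigned, zero extension)
 *                    hi = copies of x's sign bit (signed, sign extension)
 */
static bool fold_mul2(uint32_t a, uint32_t b, bool is_signed, Mul2Result *out)
{
    if (a == 0 || b == 0) {
        out->lo = 0;
        out->hi = 0;
        return true;
    }
    if (a == 1 || b == 1) {
        uint32_t x = (a == 1) ? b : a;          /* the other operand */
        out->lo = x;
        out->hi = (is_signed && (int32_t)x < 0) ? UINT32_MAX : 0;
        return true;
    }
    return false;
}

/* True if the operands fold and the folded halves equal lo/hi. */
static bool fold_gives(uint32_t a, uint32_t b, bool is_signed,
                       uint32_t lo, uint32_t hi)
{
    Mul2Result r;
    return fold_mul2(a, b, is_signed, &r) && r.lo == lo && r.hi == hi;
}

/* True if folding either did not apply or agrees with the reference. */
static bool fold_matches_reference(uint32_t a, uint32_t b, bool is_signed)
{
    Mul2Result folded, ref;
    if (!fold_mul2(a, b, is_signed, &folded)) {
        return true;
    }
    ref = mul2_reference(a, b, is_signed);
    return folded.lo == ref.lo && folded.hi == ref.hi;
}

int main(void)
{
    Mul2Result r = mul2_reference(0xFFFFFFFDu, 1, true);   /* -3 * 1 */
    printf("muls2(-3, 1): hi=%08x lo=%08x folded_ok=%d\n", r.hi, r.lo,
           fold_matches_reference(0xFFFFFFFDu, 1, true));
    r = mul2_reference(0xFFFFFFFDu, 1, false);
    printf("mulu2(0xfffffffd, 1): hi=%08x lo=%08x folded_ok=%d\n", r.hi,
           r.lo, fold_matches_reference(0xFFFFFFFDu, 1, false));
    return 0;
}
```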
To ease review of the next commit, check arg2 constness
in the inner loop.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260520125139.13352-2-philmd@linaro.org>
In the standard reStructuredText inline markup, italic
text is surrounded by one asterisk.
Fix incomplete style from commits 5e97a28a8b9 ("tcg: convert
tcg/README to rst") and 76f42780292 ("tcg: Add add/sub with
carry opcodes and infrastructure").
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260519210019.11665-1-philmd@linaro.org>
* tag 'pull-target-arm-20260529' of https://gitlab.com/pm215/qemu: (21 commits)
hw/dma/omap_dma: Fix indentation after ifdef removal
hw/dma/omap_dma: Fix coding style in omap_dma_transfer_setup()
hw/dma/omap_dma: Remove unused ifdeffed out code
target/arm: advertise FEAT_RNG_TRAP on cortex-max
target/arm: implement FEAT_RNG_TRAP for RNDR/RNDRRS
target/arm: SME BFCVT, BFCVTN have "Alternate BFloat16 behaviors"
target/arm: Don't assert if 64-bit EL2 AT insn sees a Domain fault
target/arm: Enable FEAT_CMPBR for -cpu max
target/arm: Implement CB (immediate)
target/arm: Implement CB, CBB, CBH
target/arm: Add feature predicate for FEAT_CMPBR
hw/arm/xilinx_zynq: Split xilinx_zynq into header and implementation files
hw/block/m25p80: Add HAS_SR_TB flag for is25lp016d
hw/misc/zynq_slcr: Add logic for DCI configuration
hw/misc: Add dummy ZYNQ DDR controller
hw/dma/zynq-devcfg: Indicate power-up status of PL
hw/dma/zynq-devcfg: Simulate dummy PL reset
hw/dma/zynq: Ensure PCFG_DONE bit remains set to indicate PL is in user mode
hw/arm/zynq-devcfg: Prevent unintended unlock during initialization
hw/dma/zynq-devcfg: Handle bitstream loading via DMA to 0xffffffff
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Fri, 29 May 2026 16:58:13 +0000 (12:58 -0400)]
Merge tag 'pull-11.1-testing-macos-and-misc-280526-1' of https://gitlab.com/stsquad/qemu into staging
testing updates (gitlab, MacOS, MAINTAINERS)
- move tests/Makefile.include earlier in order
- add binary deps to .ninja-goals.run-tcg-tests-FOO
- clean-up jit locking around do_tb_phys_invalidate
- drop deprecated cirrus MacOS builds
- add gitlab MacOS builds
- update the gitlab issue template around binary test cases
- fix-up MAINTAINERS for dockerfiles
# gpg: Signature made Thu 28 May 2026 16:38:25 EDT
# gpg: using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44
* tag 'pull-11.1-testing-macos-and-misc-280526-1' of https://gitlab.com/stsquad/qemu:
MAINTAINERS: Cover python.docker with Python library section
MAINTAINERS: Cover debian-tricore-cross.docker with TriCore section
MAINTAINERS: Cover debian-xtensa-cross.docker with Xtensa section
MAINTAINERS: Cover debian-loongarch-cross.docker with LoongArch section
MAINTAINERS: Fix docker/dockerfiles/debian-hexagon-cross.docker path
gitlab: update issue template for binary test cases
gitlab: add MacOS 26 job on gitlab runner
gitlab: add initial MacOS 15 on gitlab runner
ci: drop cirrus MacOS build
accel/tcg: move jit thread manipulation into do_tb_phys_invalidate
tests/Makefile.include: add binary dependency to run-tcg-tests-% rules
tests/Makefile.include: fix typo in comment
Makefile: include tests/Makefile.include before ninja calculation
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Fri, 29 May 2026 16:58:03 +0000 (12:58 -0400)]
Merge tag 'net-pull-request' of https://github.com/jasowang/qemu into staging
# gpg: Signature made Fri 29 May 2026 00:54:44 EDT
# gpg: using RSA key 215D46F48246689EC77F3562EF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [full]
# Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* tag 'net-pull-request' of https://github.com/jasowang/qemu:
hw/net/rocker_of_dpa: Avoid unaligned accesses in _of_dpa_flow_match()
hw/net/rocker_of_dpa: Check group ID pointers are not NULL
net/tap: check that user tries to define zero queues
net/tap: net_init_tap(): relax QEMU hubs check
net/tap: net_init_tap(): merge fd=, fds= and helper= cases into one
net/tap: fix vhostfds/vhostfd parameters API
net/tap: move fds parameters handling to separate functions
net: introduce net_parse_fds()
net/tap: net_init_tap_one(): drop model parameter
net/tap: net_init_tap_one() refactor to get vhostfd param
net/tap: net_init_tap(): common fail label
net/tap: net_init_tap(): refactor parameter checking
net/tap: net_init_tap(): drop extra vhostfdname variable
net/tap: net_init_tap_one(): add return value
net/af-xdp: fix type overflow
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* tag 'single-binary-20260528' of https://github.com/philmd/qemu: (22 commits)
hw/core: Remove SysemuCPUOps::get_phys_addr_attrs_debug
target/i386: Convert to translate_for_debug
target/microblaze: Convert to translate_for_debug
accel/common: Remove last bit of target-specific code
hw/tpm/tpm_tis_sysbus: defer resource allocation to realize
mailmap: Update email addresses for Andrew Jones
mailmap: Update email addresses for Daniel Henrique Barboza
hw/vfio: use stub_ss for iommufd-stubs.c
hw/net: use stub_ss for vhost_net-stub.c
net: use stub_ss for vhost-user-stub.c and vhost-vdpa-stub.c
migration: use stub_ss for vfio-stub.c
target/arm: move whpx-stub to arm_stubs_ss
target/arm: move kvm-stub to arm_stubs_ss
meson.build: move some subdir before system lib creation
meson: fix close_range detection on older glibc
system/qtest: Fix length parameter in the b64write code
system/vl: Free allocated memory for pid file name in case realpath() failed
docs/devel/tcg-ops: List more vector opcodes
docs/devel/tcg-ops: Stop listing dup2_vec()
monitor: fix missing spaces in screendump help text
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
No targets use the SysemuCPUOps::get_phys_addr_attrs_debug method
any more, so we can remove it, together with the handling of it
in cpu_translate_for_debug().
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260528161450.3564396-4-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 28 May 2026 16:14:49 +0000 (17:14 +0100)]
target/i386: Convert to translate_for_debug
The get_phys_addr_attrs_debug method of SysemuCPUOps is used only by
x86 and microblaze. Convert x86 to the newer translate_for_debug
method, as a step towards being able to remove
get_phys_addr_attrs_debug.
The new API allows us to tell the caller the actual size of the
mapping via lg_page_size, so we do that, although no caller will care
since it's always at least TARGET_PAGE_BITS.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260528161450.3564396-3-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 28 May 2026 16:14:48 +0000 (17:14 +0100)]
target/microblaze: Convert to translate_for_debug
The get_phys_addr_attrs_debug method of SysemuCPUOps is used only by
x86 and microblaze. Convert microblaze to the newer
translate_for_debug method, as a step towards being able to remove
get_phys_addr_attrs_debug.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260528161450.3564396-2-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
accel/common: Remove last bit of target-specific code
Initialize the TypeInfo structure at runtime using the TargetInfo
API to resolve TYPE_ACCEL_CPU, replacing CPU_RESOLVING_TYPE by
target_cpu_type(). Since the code is no longer target-specific, move
it to accel-common.c, removing the need for accel-target.c.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-Id: <20260528140857.44130-1-philmd@linaro.org>
hw/tpm/tpm_tis_sysbus: defer resource allocation to realize
Calling memory_region_init_ram_device_ptr() and
memory_region_init_io() from tpm_tis_sysbus_initfn() crashes
when the device is introspected without being realized, because
the memory subsystem has not been initialized at that point.
So running:
$ qemu-system-aarch64 -device tpm-tis-device,help
triggers qdev_device_help() which creates the device object
to list its properties, calling instance_init, but never
realizefn. The memory region calls in instance_init then hit
uninitialized subsystems:
With CONFIG_DEBUG_TCG:
Assertion 'target_page.decided' failed. (physmem.c:2524)
Without CONFIG_DEBUG_TCG:
Assertion 'mutex->initialized' failed. (qemu-thread-posix.c:107)
Since realizefn is only called when the device is actually
used in a running VM, moving resource allocation there avoids
the crash without breaking introspection.
This also fixes a memory leak that is reported by the address
sanitizer during 'make check', because we currently allocate
ppi.buf during instance_init and never free it. "Allocate in
realize and never free" is less bad, because we don't currently
support "unrealize and destroy a sysbus device".
Fixes: 46cd2c1050f ("hw/tpm: add PPI support to tpm-tis-device for ARM64 virt")
Signed-off-by: Mohammadfaiz Bawa <mbawa@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260528093123.55403-1-mbawa@redhat.com>
Message-ID: <CAFEAcA8fEYODmPhbh1W=oPGvju-P=qWvN_dyWrPqAr-E9FK7UA@mail.gmail.com>
[PMD: Amend Peter comment from previous mail in description]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 28 May 2026 15:28:52 +0000 (16:28 +0100)]
hw/dma/omap_dma: Fix indentation after ifdef removal
Some of the ifdefs in omap_dma_transfer_setup() which we just
removed had if() blocks in them. Now that the code inside them
is always unconditional, it has an extra unnecessary layer of
indentation; fix this, as a whitespace-only change.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260528152852.3349928-4-peter.maydell@linaro.org
Peter Maydell [Thu, 28 May 2026 15:28:51 +0000 (16:28 +0100)]
hw/dma/omap_dma: Fix coding style in omap_dma_transfer_setup()
We're about to fix indent in a section of the
omap_dma_transfer_setup() function, which will make checkpatch
complain. Since we're touching the code anyway, fix the uses of if()
with no braces and wrongly formatted multiline comments.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260528152852.3349928-3-peter.maydell@linaro.org
Peter Maydell [Thu, 28 May 2026 15:28:50 +0000 (16:28 +0100)]
hw/dma/omap_dma: Remove unused ifdeffed out code
The OMAP DMA device includes a lot of code which has been disabled
via ifdefs for over a decade. Whatever this unfinished development
work was, all knowledge of it is long gone, and we're unlikely to
be doing any serious work on this device model in future. If we
did, we'd likely have to start from scratch.
Remove all the ifdeffed out code. We will fix up the indentation
in a followup commit that has only whitespace changes.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260528152852.3349928-2-peter.maydell@linaro.org
Jason Wright [Thu, 28 May 2026 18:19:25 +0000 (18:19 +0000)]
target/arm: advertise FEAT_RNG_TRAP on cortex-max
Set ID_AA64PFR1.RNDR_TRAP=1 on the max CPU model so guests and
firmware detect FEAT_RNG_TRAP, per the Arm Architecture Reference
Manual for A-profile architecture (DDI 0487), and document the feature
as emulated in docs/system/arm/emulation.rst.
Signed-off-by: Jason Wright <wrigjl@proton.me>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Jason Wright [Thu, 28 May 2026 18:19:19 +0000 (18:19 +0000)]
target/arm: implement FEAT_RNG_TRAP for RNDR/RNDRRS
Add an .accessfn to the RNDR and RNDRRS system registers that traps
reads to EL3 when SCR_EL3.TRNDR is set, as required by FEAT_RNG_TRAP.
Mark SCR_EL3.TRNDR (bit 40) as a writable field in scr_write() when
the CPU advertises the feature. The pseudocode in DDI0487 revision M.b
shows the trap firing from EL0, EL1, EL2, and EL3, so there is no
check of arm_current_el().
When FEAT_RNG_TRAP is implemented without FEAT_RNG, an RNDR/RNDRRS read
with SCR_EL3.TRNDR=0 should UNDEF rather than succeed; handle that case
in access_rndr(). Register the rndr_reginfo CP reg entries whenever either
FEAT_RNG or FEAT_RNG_TRAP is implemented, so the accessfn fires even on a
FEAT_RNG_TRAP-only CPU.
When SCR_EL3.TRNDR is set, ID_AA64ISAR0_EL1.RNDR reads as 1 regardless
of whether FEAT_RNG is implemented; give ID_AA64ISAR0_EL1 a readfn so it
reports this at runtime, as we already do for ID_AA64PFR0_EL1.
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wright <wrigjl@proton.me>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Tue, 5 May 2026 18:51:57 +0000 (19:51 +0100)]
hw/net/rocker_of_dpa: Avoid unaligned accesses in _of_dpa_flow_match()
_of_dpa_flow_match() tries to do masked comparisons of OfDpaFlowkey
structs by casting pointers to them to uint64_t* and then doing the
memory accesses as 64-bit. This is undefined behaviour because the
pointers might not be 64-bit aligned, and the UB sanitizer spots this:
We do know that OfDpaFlowKey structs must be at least aligned enough
for uint32_t accesses, because that's the type of the first field.
Switch to using uint32_t accesses in the loop.
Because the "width" field is always set via the FLOW_KEY_WIDTH macro
and not exposed to the guest, we can adjust the macro to store the
number of uint32_t to be checked rather than needing to change the
loop boundary in the match function.
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>