2023-10-04  target/i386: generalize operand size "ph" for use in CVTPS2PD  (Paolo Bonzini)

CVTPS2PD only loads a half-register for memory, like CVTPH2PS. It can reuse the "ph" packed half-precision size to load a half-register, but rename it to "xh" because it is now a variation of "x" (it is not used only for half-precision values).

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a48b26978a090fe1f3f3e54319902d4ab56a6b3a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-04  subprojects/berkeley-testfloat-3: Update to fix a problem with compiler warnings  (Thomas Huth)

Update the berkeley-testfloat-3 wrap to include a patch provided by Olaf Hering. This fixes a problem with "control reaches end of non-void function [-Werror=return-type]" compiler warning/errors that are now enabled by default in certain versions of GCC.

Reported-by: Olaf Hering <olaf@aepfle.de>
Message-Id: <20230816091522.1292029-1-thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit c01196bdddc280ae3710912e98e78f3103155eaf)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  scsi-disk: ensure that FORMAT UNIT commands are terminated  (Mark Cave-Ayland)

Otherwise when a FORMAT UNIT command is issued, the SCSI layer can become confused because it can find itself in the situation where it thinks there is still data to be transferred which can cause the next emulated SCSI command to fail.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Fixes: 6ab71761 ("scsi-disk: add FORMAT UNIT command")
Tested-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230913204410.65650-4-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit be2b619a17345d007bcf9987a3e4afd1edea3e4f)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  esp: restrict non-DMA transfer length to that of available data  (Mark Cave-Ayland)

In the case where a SCSI layer transfer is incorrectly terminated, it is possible for a TI command to cause a SCSI buffer overflow due to the expected transfer data length being less than the available data in the FIFO. When this occurs the unsigned async_len variable underflows and becomes a large offset which writes past the end of the allocated SCSI buffer.

Restrict the non-DMA transfer length to be the smallest of the expected transfer length and the available FIFO data to ensure that it is no longer possible for the SCSI buffer overflow to occur.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230913204410.65650-3-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 77668e4b9bca03a856c27ba899a2513ddf52bb52)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  esp: use correct type for esp_dma_enable() in sysbus_esp_gpio_demux()  (Mark Cave-Ayland)

The call to esp_dma_enable() was being made with the SYSBUS_ESP type instead of the ESP type. This meant that when GPIO 1 was being used to trigger a DMA request from an external DMA controller, the setting of ESPState's dma_enabled field would clobber unknown memory whilst the dma_cb callback pointer would typically return NULL so the DMA request would never start.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230913204410.65650-2-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit b86dc5cb0b4105fa8ad29e822ab5d21c589c5ec5)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  optionrom: Remove build-id section  (Fabiano Rosas)

Our linker script for optionroms specifies only the placement of the .text section, leaving the linker free to place the remaining sections at arbitrary places in the file.

Since at least binutils 2.39, the .note.gnu.build-id section is now being placed at the start of the file, which causes label addresses to be shifted. For linuxboot_dma.bin that means that the PnP header (among others) will not be found when determining the type of ROM at optionrom_setup():

(0x1c is the label _pnph, where the magic "PnP" is)

    $ xxd /usr/share/qemu/linuxboot_dma.bin | grep "PnP"
    00000010: 0000 0000 0000 0000 0000 1c00 2450 6e50  ............$PnP

    $ xxd pc-bios/optionrom/linuxboot_dma.bin | grep "PnP"
    00000010: 0000 0000 0000 0000 0000 4c00 2450 6e50  ............$PnP
                                       ^bad

Using a freshly built linuxboot_dma.bin ROM results in a broken boot:

    SeaBIOS (version rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org)
    Booting from Hard Disk...
    Boot failed: could not read the boot disk
    Booting from Floppy...
    Boot failed: could not read the boot disk
    No bootable device.

We're not using the build-id section, so pass the --build-id=none option to the linker to remove it entirely.

Note: In theory, this same issue could happen with any other section. The ideal solution would be to have all unused sections discarded in the linker script. However that would be a larger change, specially for the pvh rom which uses the .bss and COMMON sections so I'm addressing only the immediate issue here.

Reported-by: Vasiliy Ulyanov <vulyanov@suse.de>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230926192502.15986-1-farosas@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 35ed01ba5448208695ada5fa20a13c0a4689a1c1)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(mjt: remove unrelated stable@vger)

2023-10-03  target/tricore: Fix RCPW/RRPW_INSERT insns for width = 0  (Bastian Koppelmann)

We would crash if width was 0 for these insns, as tcg_gen_deposit() is undefined for that case. For TriCore, width = 0 is a mov from the src reg to the dst reg, so we special case this here.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Message-ID: <20230828112651.522058-9-kbastian@mail.uni-paderborn.de>
(cherry picked from commit 23fa6f56b33f8fddf86ba4d027fb7d3081440cd9)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  accel/tcg: Always require can_do_io  (Richard Henderson)

Require i/o as the last insn of a TranslationBlock always, not only with icount. This is required for i/o that alters the address space, such as a pci config space write.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1866
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 18a536f1f8d6222e562f59179e837fdfd8b92718)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  accel/tcg: Always set CF_LAST_IO with CF_NOIRQ  (Richard Henderson)

Without this we can see loops through cpu_io_recompile, in which the cpu makes no progress.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 200c1f904f46c209cb022e711a48b89e46512902)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  accel/tcg: Improve setting of can_do_io at start of TB  (Richard Henderson)

Initialize can_do_io to true if the TB has CF_LAST_IO and will consist of a single instruction. This avoids a set to 0 followed immediately by a set to 1.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit a2f99d484c54adda13e62bf75ba512618a3fe470)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  accel/tcg: Track current value of can_do_io in the TB  (Richard Henderson)

Simplify translator_io_start by recording the current known value of can_do_io within DisasContextBase.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 0ca41ccf1c555f97873b8e02a47390fd6af4b18f)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  accel/tcg: Hoist CF_MEMI_ONLY check outside translation loop  (Richard Henderson)

The condition checked is loop invariant; check it only once.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 5d97e94638100fd3e5b8d76ab30e1066cd4b1823)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  accel/tcg: Avoid load of icount_decr if unused  (Richard Henderson)

With CF_NOIRQ and without !CF_USE_ICOUNT, the load isn't used. Avoid emitting it.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit f47a90dacca8f74210a2675bdde7ab3856872b94)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  softmmu: Use async_run_on_cpu in tcg_commit  (Richard Henderson)

After system startup, run the update to memory_dispatch and the tlb_flush on the cpu. This eliminates a race, wherein a running cpu sees the memory_dispatch change but has not yet seen the tlb_flush.

Since the update now happens on the cpu, we need not use qatomic_rcu_read to protect the read of memory_dispatch.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1826
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1834
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1846
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 0d58c660689f6da1e3feff8a997014003d928b3b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  migration: Move return path cleanup to main migration thread  (Fabiano Rosas)

Now that the return path thread is allowed to finish during a paused migration, we can move the cleanup of the QEMUFiles to the main migration thread.

Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-9-farosas@suse.de>
(cherry picked from commit 36e9aab3c569d4c9ad780473596e18479838d1aa)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  migration: Replace the return path retry logic  (Fabiano Rosas)

Replace the return path retry logic with finishing and restarting the thread. This fixes a race when resuming the migration that leads to a segfault.

Currently when doing postcopy we consider that an IO error on the return path file could be due to a network intermittency. We then keep the thread alive but have it do cleanup of the 'from_dst_file' and wait on the 'postcopy_pause_rp' semaphore. When the user issues a migrate resume, a new return path is opened and the thread is allowed to continue.

There's a race condition in the above mechanism. It is possible for the new return path file to be setup *before* the cleanup code in the return path thread has had a chance to run, leading to the *new* file being closed and the pointer set to NULL. When the thread is released after the resume, it tries to dereference 'from_dst_file' and crashes:

    Thread 7 "return path" received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7fffd1dbf700 (LWP 9611)]
    0x00005555560e4893 in qemu_file_get_error_obj (f=0x0, errp=0x0) at ../migration/qemu-file.c:154
    154         return f->last_error;
    (gdb) bt
    #0  0x00005555560e4893 in qemu_file_get_error_obj (f=0x0, errp=0x0) at ../migration/qemu-file.c:154
    #1  0x00005555560e4983 in qemu_file_get_error (f=0x0) at ../migration/qemu-file.c:206
    #2  0x0000555555b9a1df in source_return_path_thread (opaque=0x555556e06000) at ../migration/migration.c:1876
    #3  0x000055555602e14f in qemu_thread_start (args=0x55555782e780) at ../util/qemu-thread-posix.c:541
    #4  0x00007ffff38d76ea in start_thread (arg=0x7fffd1dbf700) at pthread_create.c:477
    #5  0x00007ffff35efa6f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Here's the race (important bit is open_return_path happening before migration_release_dst_files):

     migration                | qmp                         | return path
    --------------------------+-----------------------------+---------------------------------
                               qmp_migrate_pause()
                                shutdown(ms->to_dst_file)
                                 f->last_error = -EIO
    migrate_detect_error()
     postcopy_pause()
      set_state(PAUSED)
      wait(postcopy_pause_sem)
                               qmp_migrate(resume)
                               migrate_fd_connect()
                                resume = state == PAUSED
                                open_return_path <-- TOO SOON!
                                set_state(RECOVER)
                                post(postcopy_pause_sem)
                                                             (incoming closes to_src_file)
                                                             res = qemu_file_get_error(rp)
                                                             migration_release_dst_files()
                                                             ms->rp_state.from_dst_file = NULL
      post(postcopy_pause_rp_sem)
                                                             postcopy_pause_return_path_thread()
                                                               wait(postcopy_pause_rp_sem)
                                                             rp = ms->rp_state.from_dst_file
                                                             goto retry
                                                             qemu_file_get_error(rp)
                                                             SIGSEGV
    -------------------------------------------------------------------------------------------

We can keep the retry logic without having the thread alive and waiting. The only piece of data used by it is the 'from_dst_file' and it is only allowed to proceed after a migrate resume is issued and the semaphore released at migrate_fd_connect().

Move the retry logic to outside the thread by waiting for the thread to finish before pausing the migration.

Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-8-farosas@suse.de>
(cherry picked from commit ef796ee93b313ed2f0b427ef30320417387d2ad5)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  migration: Consolidate return path closing code  (Fabiano Rosas)

We'll start calling the await_return_path_close_on_source() function from other parts of the code, so move all of the related checks and tracepoints into it.

Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-7-farosas@suse.de>
(cherry picked from commit d50f5dc075cbb891bfe4a9378600a4871264468a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  migration: Remove redundant cleanup of postcopy_qemufile_src  (Fabiano Rosas)

This file is owned by the return path thread which is already doing cleanup.

Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-6-farosas@suse.de>
(cherry picked from commit b3b101157d4651f12e6b3361af2de6bace7f9b4a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  migration: Fix possible race when shutting down to_dst_file  (Fabiano Rosas)

It's not safe to call qemu_file_shutdown() on the to_dst_file without first checking for the file's presence under the lock. The cleanup of this file happens at postcopy_pause() and migrate_fd_cleanup() which are not necessarily running in the same thread as migrate_fd_cancel().

Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-5-farosas@suse.de>
(cherry picked from commit 7478fb0df914f0a5ab551ff74b1df62dd250500e)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  migration: Fix possible races when shutting down the return path  (Fabiano Rosas)

We cannot call qemu_file_shutdown() on the return path file without taking the file lock. The return path thread could be running its cleanup code and have just cleared the from_dst_file pointer.

Checking ms->to_dst_file for errors could also race with migrate_fd_cleanup() which clears the to_dst_file pointer.

Protect both accesses by taking the file lock. This was caught by inspection, it should be rare, but the next patches will start calling this code from other places, so let's do the correct thing.

Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-4-farosas@suse.de>
(cherry picked from commit 639decf529793fc544c8055b82be8abe77fa48fa)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  migration: Fix possible race when setting rp_state.error  (Fabiano Rosas)

We don't need to set the rp_state.error right after a shutdown because qemu_file_shutdown() always sets the QEMUFile error, so the return path thread would have seen it and set the rp error itself.

Setting the error outside of the thread is also racy because the thread could clear it after we set it.

Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-3-farosas@suse.de>
(cherry picked from commit 28a8347281e24c2e7bba6d3301472eda41d4c096)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  migration: Fix race that dest preempt thread close too early  (Peter Xu)

We hit an intermittent CI issue on failing at migration-test over the unit test preempt/plain:

    qemu-system-x86_64: Unable to read from socket: Connection reset by peer
    Memory content inconsistency at 5b43000 first_byte = bd last_byte = bc current = 4f hit_edge = 1
    **
    ERROR:../tests/qtest/migration-test.c:300:check_guests_ram: assertion failed: (bad == 0)
    (test program exited with status code -6)

Fabiano debugged into it and found that the preempt thread can quit even without receiving all the pages, which can cause guest not receiving all the pages and corrupt the guest memory.

To make sure preempt thread finished receiving all the pages, we can rely on the page_requested_count being zero because preempt channel will only receive requested page faults. Note, not all the faulted pages are required to be sent via the preempt channel/thread; imagine the case when a requested page is just queued into the background main channel for migration, the src qemu will just still send it via the background channel.

Here instead of spinning over reading the count, we add a condvar so the main thread can wait on it if that unusual case happened, without burning the cpu for no good reason, even if the duration is short; so even if we spin in this rare case is probably fine. It's just better to not do so.

The condvar is only used when that special case is triggered. Some memory ordering trick is needed to guarantee it from happening (against the preempt thread status field), so the main thread will always get a kick when that triggers correctly.

Closes: https://gitlab.com/qemu-project/qemu/-/issues/1886
Debugged-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230918172822.19052-2-farosas@suse.de>
(cherry picked from commit cf02f29e1e3843784630d04783e372fa541a77e5)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  ui/vnc: fix handling of VNC_FEATURE_XVP  (Paolo Bonzini)

VNC_FEATURE_XVP was not shifted left before adding it to vs->features, so it was never enabled; but it was also checked the wrong way with a logical AND instead of vnc_has_feature. Fix both places.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 477b301000d665313217f65e3a368d2cb7769c42)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  ui/vnc: fix debug output for invalid audio message  (Paolo Bonzini)

The debug message was cut and pasted from the invalid audio format case, but the audio message is at bytes 2-3.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 0cb9c5880e6b8dedc4e20026ce859dd1ea9aac84)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  hw/scsi/scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467]  (Thomas Huth)

We are doing things like

    nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);

in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes with a division by 0 exception. Thus disallow block sizes of 256 bytes to avoid this situation.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813
CVE: 2023-42467
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230925091854.49198-1-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 7cfcc79b0ab800959716738aff9419f53fc68c9c)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  accel/tcg: mttcg remove false-negative halted assertion  (Nicholas Piggin)

mttcg asserts that an execution ending with EXCP_HALTED must have cpu->halted. However between the event or instruction that sets cpu->halted and requests exit and the assertion here, an asynchronous event could clear cpu->halted.

This leads to crashes running AIX on ppc/pseries because it uses H_CEDE/H_PROD hcalls, where H_CEDE sets self->halted = 1 and H_PROD sets other cpu->halted = 0 and kicks it.

H_PROD could be turned into an interrupt to wake, but several other places in ppc, sparc, and semihosting follow what looks like a similar pattern setting halted = 0 directly. So remove this assertion.

Reported-by: Ivan Warren <ivan@vmfacility.fr>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20230829010658.8252-1-npiggin@gmail.com>
[rth: Keep the case label and adjust the comment.]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 0e5903436de712844b0e6cdd862b499c767e09e9)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  meson.build: Make keyutils independent from keyring  (Thomas Huth)

Commit 0db0fbb5cf ("Add conditional dependency for libkeyutils") tried to provide a possibility for the user to disable keyutils if not required by making it depend on the keyring feature. This looked reasonable at a first glance (the unit test in tests/unit/ needs both), but the condition in meson.build fails if the feature is meant to be detected automatically, and there is also another spot in backends/meson.build where keyutils is used independently from keyring.

So let's remove the dependency on keyring again and introduce a proper meson build option instead.

Cc: qemu-stable@nongnu.org
Fixes: 0db0fbb5cf ("Add conditional dependency for libkeyutils")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1842
Message-ID: <20230824094208.255279-1-thuth@redhat.com>
Reviewed-by: "Daniel P. Berrangé" <berrange@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit c64023b0ba677cfa6b878e82ea8e18507a597396)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  target/arm: Don't skip MTE checks for LDRT/STRT at EL0  (Peter Maydell)

The LDRT/STRT "unprivileged load/store" instructions behave like normal ones if executed at EL0. We handle this correctly for the load/store semantics, but get the MTE checking wrong.

We always look at s->mte_active[is_unpriv] to see whether we should be doing MTE checks, but in hflags.c when we set the TB flags that will be used to fill the mte_active[] array we only set the MTE0_ACTIVE bit if UNPRIV is true (i.e. we are not at EL0).

This means that a LDRT at EL0 will see s->mte_active[1] as 0, and will not do MTE checks even when MTE is enabled.

To avoid the translate-time code having to do an explicit check on s->unpriv to see if it is OK to index into the mte_active[] array, duplicate MTE_ACTIVE into MTE0_ACTIVE when UNPRIV is false.

(This isn't a very serious bug because generally nobody executes LDRT/STRT at EL0, because they have no use there.)

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230912140434.1333369-2-peter.maydell@linaro.org
(cherry picked from commit 903dbefc2b6918c10d12d9aafa0168cee8d287c7)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  hw/arm/boot: Set SCR_EL3.FGTEn when booting kernel  (Fabian Vogt)

Just like d7ef5e16a17c sets SCR_EL3.HXEn for FEAT_HCX, this commit handles SCR_EL3.FGTEn for FEAT_FGT:

When we direct boot a kernel on a CPU which emulates EL3, we need to set up the EL3 system registers as the Linux kernel documentation specifies:

https://www.kernel.org/doc/Documentation/arm64/booting.rst

> For CPUs with the Fine Grained Traps (FEAT_FGT) extension present:
> - If EL3 is present and the kernel is entered at EL2:
>   - SCR_EL3.FGTEn (bit 27) must be initialised to 0b1.

Cc: qemu-stable@nongnu.org
Signed-off-by: Fabian Vogt <fvogt@suse.de>
Message-id: 4831384.GXAFRqVoOG@linux-e202.suse.de
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 32b214384e1e1472ddfa875196c57f6620172301)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  include/exec: Widen tlb_hit/tlb_hit_page()  (Anton Johansson)

tlb_addr is changed from target_ulong to uint64_t to match the type of a CPUTLBEntry value, and the address is changed to vaddr.

Signed-off-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230807155706.9580-8-anjo@rev.ng>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit c78edb563942ce80c9c6c03b07397725b006b625)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  tests/file-io-error: New test  (Hanna Czenczek)

This is a regression test for https://bugzilla.redhat.com/show_bug.cgi?id=2234374.

All this test needs to do is trigger an I/O error inside of file-posix (specifically raw_co_prw()). One reliable way to do this without requiring special privileges is to use a FUSE export, which allows us to inject any error that we want, e.g. via blkdebug.

Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-Id: <20230824155345.109765-6-hreitz@redhat.com>
[hreitz: Fixed test to be skipped when there is no FUSE support, to suppress fusermount's allow_other warning, and to be skipped with $IMGOPTSSYNTAX enabled]
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
(cherry picked from commit 380448464dd89291cf7fd7434be6c225482a334d)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  file-posix: Simplify raw_co_prw's 'out' zone code  (Hanna Czenczek)

We duplicate the same condition three times here, pull it out to the top level.

Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-Id: <20230824155345.109765-5-hreitz@redhat.com>
Reviewed-by: Sam Li <faithilikerun@gmail.com>
(cherry picked from commit d31b50a15dd25a560749b25fc40b6484fd1a57b7)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  file-posix: Fix zone update in I/O error path  (Hanna Czenczek)

We must check that zone information is present before running update_zones_wp().

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2234374
Fixes: Coverity CID 1512459
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-Id: <20230824155345.109765-4-hreitz@redhat.com>
Reviewed-by: Sam Li <faithilikerun@gmail.com>
(cherry picked from commit deab5c9a4ed74f76a713008a42527762b30a7e84)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  file-posix: Check bs->bl.zoned for zone info  (Hanna Czenczek)

Instead of checking bs->wps or bs->bl.zone_size for whether zone information is present, check bs->bl.zoned. That is the flag that raw_refresh_zoned_limits() reliably sets to indicate zone support. If it is set to something other than BLK_Z_NONE, other values and objects like bs->wps and bs->bl.zone_size must be non-null/zero and valid; if it is not, we cannot rely on their validity.

Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-Id: <20230824155345.109765-3-hreitz@redhat.com>
Reviewed-by: Sam Li <faithilikerun@gmail.com>
(cherry picked from commit 4b5d80f3d02096a9bb1f651f6b3401ba40877159)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  file-posix: Clear bs->bl.zoned on error  (Hanna Czenczek)

bs->bl.zoned is what indicates whether the zone information is present and valid; it is the only thing that raw_refresh_zoned_limits() sets if CONFIG_BLKZONED is not defined, and it is also the only thing that it sets if CONFIG_BLKZONED is defined, but there are no zones.

Make sure that it is always set to BLK_Z_NONE if there is an error anywhere in raw_refresh_zoned_limits() so that we do not accidentally announce zones while our information is incomplete or invalid.

This also fixes a memory leak in the last error path in raw_refresh_zoned_limits().

Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-Id: <20230824155345.109765-2-hreitz@redhat.com>
Reviewed-by: Sam Li <faithilikerun@gmail.com>
(cherry picked from commit 56d1a022a77ea2125564913665eeadf3e303a671)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  hw/cxl: Fix out of bound array access  (Dmitry Frolov)

According to cxl_interleave_ways_enc(), fw->num_targets is allowed to be up to 16. This also corresponds to CXL r3.0 spec. So, the fw->target_hbs[] array is iterated from 0 to 15. But it is statically declared of length 8. Thus, out of bound array access may occur.

Fixes: c28db9e000 ("hw/pci-bridge: Make PCIe and CXL PXB Devices inherit from TYPE_PXB_DEV")
Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Link: https://lore.kernel.org/r/20230913101055.754709-1-frolov@swemel.ru
Cc: qemu-stable@nongnu.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit de5bbfc602ef1b9b79c494a914c6083a1a23cca2)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  hw/cxl: Fix CFMW config memory leak  (Li Zhijian)

Allocate targets and targets[n] resources when all sanity checks are passed to avoid memory leaks.

Cc: qemu-stable@nongnu.org
Suggested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Fan Ni <fan.ni@samsung.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 7b165fa164022b756c2b001d0a1525f98199d3ac)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  linux-user/hppa: lock both words of function descriptor  (Mikulas Patocka)

The code in setup_rt_frame reads two words at haddr, but locks only one. This patch fixes it to lock both.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Helge Deller <deller@gmx.de>
Cc: qemu-stable@nongnu.org
Signed-off-by: Helge Deller <deller@gmx.de>
(cherry picked from commit 5b1270ef1477bb7f240c3bfe2cd8b0fe4721fd51)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-10-03  linux-user/hppa: clear the PSW 'N' bit when delivering signals  (Mikulas Patocka)

qemu-hppa may crash when delivering a signal. It can be demonstrated with this program. Compile the program with "hppa-linux-gnu-gcc -O2 signal.c" and run it with "qemu-hppa -one-insn-per-tb a.out". It reports that the address of the flag is 0xb4 and it crashes when attempting to touch it.

    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/time.h>
    #include <signal.h>

    sig_atomic_t flag;

    void sig(int n)
    {
        printf("&flag: %p\n", &flag);
        flag = 1;
    }

    int main(void)
    {
        struct sigaction sa;
        struct itimerval it;

        sa.sa_handler = sig;
        sigemptyset(&sa.sa_mask);
        sa.sa_flags = SA_RESTART;
        if (sigaction(SIGALRM, &sa, NULL))
            perror("sigaction"), exit(1);

        it.it_interval.tv_sec = 0;
        it.it_interval.tv_usec = 100;
        it.it_value.tv_sec = it.it_interval.tv_sec;
        it.it_value.tv_usec = it.it_interval.tv_usec;
        if (setitimer(ITIMER_REAL, &it, NULL))
            perror("setitimer"), exit(1);

        while (1) {
        }
    }

The reason for the crash is that the signal handling routine doesn't clear the 'N' flag in the PSW. If the signal interrupts a thread when the 'N' flag is set, the flag remains set at the beginning of the signal handler and the first instruction of the signal handler is skipped.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Helge Deller <deller@gmx.de>
Cc: qemu-stable@nongnu.org
Signed-off-by: Helge Deller <deller@gmx.de>
(cherry picked from commit 2529497cb6b298e732e8dbe5212da7925240b4f4)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

2023-09-25  hw/ppc: Read time only once to perform decrementer write  Nicholas Piggin
Reading the time more than once to perform an operation always increases complexity and fragility due to introduced deltas. Simplify the decrementer write by reading the clock once for the operation. Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org> (cherry picked from commit ea62f8a5172cf5fcd97df143b758730f6865a625) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2023-09-25  hw/ppc: Reset timebase facilities on machine reset  Nicholas Piggin
Lower interrupts, delete timers, and set time facility registers back to initial state on machine reset. This is not so important for record-replay since timebase and decrementer are migrated, but it gives a cleaner reset state. Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Cc: BALATON Zoltan <balaton@eik.bme.hu> Signed-off-by: Nicholas Piggin <npiggin@gmail.com> [ clg: checkpatch.pl fixes ] Signed-off-by: Cédric Le Goater <clg@kaod.org> (cherry picked from commit 30d0647bcfa99d4a141eaa843a9fb5b091ddbb76) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2023-09-25  hw/ppc: Always store the decrementer value  Nicholas Piggin
When writing a value to the decrementer that raises an exception, the irq is raised, but the value is not stored so the store doesn't appear to have changed the register when it is read again. Always store the write value to the register. Fixes: e81a982aa53 ("PPC: Clean up DECR implementation") Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org> (cherry picked from commit febb71d543a8f747b2f8aaf0182d0a385c6a02c3) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2023-09-25  target/ppc: Sign-extend large decrementer to 64-bits  Nicholas Piggin
When storing a large decrementer value with the most significant implemented bit set, it is to be treated as a negative and sign extended. This isn't hit for book3s DEC because of another bug; fixing it in the next patch exposes this one and can cause additional problems, so fix this first. It can be hit with HDECR and other edge triggered types. Fixes: a8dafa52518 ("target/ppc: Implement large decrementer support for TCG") Signed-off-by: Nicholas Piggin <npiggin@gmail.com> [ clg: removed extra cpu and pcc variables shadowing local variables ] Signed-off-by: Cédric Le Goater <clg@kaod.org> (cherry picked from commit c8fbc6b9f2f3c732ee3307093c1c5c367eaa64ae) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2023-09-25  hw/ppc: Avoid decrementer rounding errors  Nicholas Piggin
The decrementer register contains a relative time in timebase units. When writing to DECR this is converted and stored as an absolute value in nanosecond units, reading DECR converts back to relative timebase. The tb<->ns conversion of the relative part can cause rounding such that a value written to the decrementer can read back as a different value, with time held constant. This is a particular problem for a deterministic icount and record-replay trace. Fix this by storing the absolute value in timebase units rather than nanoseconds.

The math before:

  store: decr_next = now_ns + decr * ns_per_sec / tb_per_sec
  load: decr = (decr_next - now_ns) * tb_per_sec / ns_per_sec
  load(store): decr = decr * ns_per_sec / tb_per_sec * tb_per_sec / ns_per_sec

After:

  store: decr_next = now_ns * tb_per_sec / ns_per_sec + decr
  load: decr = decr_next - now_ns * tb_per_sec / ns_per_sec
  load(store): decr = decr

Fixes: 9fddaa0c0cab ("PowerPC merge: real time TB and decrementer - faster and simpler exception handling (Jocelyn Mayer)") Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org> (cherry picked from commit 8e0a5ac87800ccc6dd5013f89f27652f4480ab33) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2023-09-25  hw/ppc: Round up the decrementer interval when converting to ns  Nicholas Piggin
The rule of timers is typically that they should never expire before the timeout, but some time afterward. Rounding timer intervals up when doing conversion is the right thing to do. Under most circumstances it is impossible to observe the decrementer interrupt before the dec register has triggered. However with icount timing, problems can arise. For example setting DEC to 0 can schedule the timer for now, causing it to fire before any more instructions have been executed and DEC is still 0. Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org> (cherry picked from commit eab0888418ab44344864965193cf6cd194ab6858) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2023-09-25  host-utils: Add muldiv64_round_up  Nicholas Piggin
This will be used for converting time intervals in different base units to host units, for the purpose of scheduling timers to emulate target timers. Timers typically must not fire before their requested expiry time but may fire some time afterward, so rounding up is the right way to implement these. Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> [ clg: renamed __muldiv64() to muldiv64_rounding() ] Signed-off-by: Cédric Le Goater <clg@kaod.org> (cherry picked from commit 47de6c4c287079744ceb96f606b3c0457addf380) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2023-09-25  hw/ppc: Introduce functions for conversion between timebase and nanoseconds  Nicholas Piggin
These calculations are repeated several times, and they will become a little more complicated with subsequent changes. Signed-off-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org> (cherry picked from commit 7798f5c576d898e7e10c4a2518f3f16411dedeb9) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
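Added example, not QEMU code and not part of any of the commits above: a stand-alone C model of the arithmetic in this decrementer series (the tb<->ns helpers, the round-down drift the "Avoid decrementer rounding errors" commit describes, the round-up conversion behind muldiv64_round_up, and the sign extension of a large decrementer). The 512 MHz timebase, the 56-bit decrementer width and the sample "now" value are assumptions chosen for the illustration; muldiv64 here is a portable reimplementation with the same argument shape as QEMU's helper, not the project's own code.

```c
#include <stdint.h>
#include <stdio.h>

#define NS_PER_SEC 1000000000u   /* nanoseconds per second, fits in uint32_t */
#define TB_FREQ     512000000u   /* assumed timebase frequency: 512 MHz */
#define DECR_BITS   56           /* assumed large-decrementer width in bits */

/* (a * b) / c rounded down, without a 128-bit intermediate:
 * with a = q*c + r, a*b/c = q*b + r*b/c, and r*b < 2^64 because
 * r < c <= 2^32 - 1 and b <= 2^32 - 1. */
static uint64_t muldiv64(uint64_t a, uint32_t b, uint32_t c)
{
    uint64_t q = a / c, r = a % c;
    return q * b + (r * b) / c;
}

/* Same quotient rounded up; r*b + c - 1 still fits in 64 bits. A timer
 * interval converted this way never expires before the guest deadline. */
static uint64_t muldiv64_round_up(uint64_t a, uint32_t b, uint32_t c)
{
    uint64_t q = a / c, r = a % c;
    return q * b + (r * b + c - 1) / c;
}

static uint64_t ns_to_tb(uint64_t ns)          { return muldiv64(ns, TB_FREQ, NS_PER_SEC); }
static uint64_t tb_to_ns(uint64_t tb)          { return muldiv64(tb, NS_PER_SEC, TB_FREQ); }
static uint64_t tb_to_ns_round_up(uint64_t tb) { return muldiv64_round_up(tb, NS_PER_SEC, TB_FREQ); }

/* Old scheme: the absolute expiry is kept in ns. Write decr, then read it
 * back at the same instant: both conversions round down, so the value drifts. */
static uint64_t decr_roundtrip_before(uint64_t now_ns, uint64_t decr)
{
    uint64_t decr_next_ns = now_ns + tb_to_ns(decr);
    return ns_to_tb(decr_next_ns - now_ns);
}

/* New scheme: the absolute expiry is kept in timebase units. The only lossy
 * conversion is now_ns -> tb, and it is the same on both sides, so it cancels. */
static uint64_t decr_roundtrip_after(uint64_t now_ns, uint64_t decr)
{
    uint64_t decr_next_tb = ns_to_tb(now_ns) + decr;
    return decr_next_tb - ns_to_tb(now_ns);
}

/* Large decrementer: the most significant implemented bit is the sign;
 * extend it to 64 bits so that a "negative" write is treated as such. */
static int64_t decr_sign_extend(uint64_t value, int nr_bits)
{
    uint64_t mask = (nr_bits >= 64) ? ~0ULL : ((1ULL << nr_bits) - 1);

    value &= mask;
    if (value & (1ULL << (nr_bits - 1))) {
        value |= ~mask;
    }
    return (int64_t)value;
}

int main(void)
{
    uint64_t now = 123456789;   /* constructed "current time" in ns */

    printf("write 1000 -> read %llu (before), %llu (after)\n",
           (unsigned long long)decr_roundtrip_before(now, 1000),
           (unsigned long long)decr_roundtrip_after(now, 1000));
    printf("1 tb tick as a timer: %llu ns rounded down, %llu ns rounded up\n",
           (unsigned long long)tb_to_ns(1),
           (unsigned long long)tb_to_ns_round_up(1));
    printf("DEC write 0x%llx with %d-bit decrementer -> %lld\n",
           (unsigned long long)(1ULL << (DECR_BITS - 1)), DECR_BITS,
           (long long)decr_sign_extend(1ULL << (DECR_BITS - 1), DECR_BITS));
    return 0;
}
```

With a 512 MHz timebase one tick is 1.953 ns, so the old scheme turns a write of 1000 into 1953 ns and then back into 999 ticks; the new scheme returns exactly 1000. The rounded-up conversion gives 2 ns for a single tick, so a host timer armed with it cannot fire before the guest's deadline.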
2023-09-21  Update version for 8.1.1 release  v8.1.1  Michael Tokarev
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2023-09-21  tpm: fix crash when FD >= 1024 and unnecessary errors due to EINTR  Marc-André Lureau
Replace select() with poll() to fix a crash when QEMU has a large number of FDs. Also use RETRY_ON_EINTR to avoid unnecessary errors due to EINTR. Cc: qemu-stable@nongnu.org Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2020133 Fixes: 56a3c24ffc ("tpm: Probe for connected TPM 1.2 or TPM 2") Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> (cherry picked from commit 8e32ddff69b6b4547cc00592ad816484e160817a) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
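Added example, not QEMU code and not part of the commit above: a C illustration of the two points in this fix. select() cannot describe a descriptor numbered FD_SETSIZE or higher (FD_SET() on such an fd writes outside the fd_set), while poll() has no such limit, and a wait that returns -1 on EINTR must be retried rather than reported as an error. The retry loop mirrors what QEMU's RETRY_ON_EINTR macro does but is written here independently; the pipe and the high descriptor number are constructed for the demonstration.

```c
#include <errno.h>
#include <poll.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* select() can only describe descriptors below FD_SETSIZE (1024 on glibc).
 * FD_SET() on a larger fd writes past the end of the fd_set, which is the
 * memory corruption behind the crash the commit fixes. */
static bool fd_fits_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Wait until fd is readable for up to timeout_ms (-1 = forever).
 * Returns 1 readable, 0 timeout, -1 error with errno set.
 * poll() has no FD_SETSIZE limit, and the loop does what QEMU's
 * RETRY_ON_EINTR() does: a signal must not surface as an error. */
static int wait_readable(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    int ret;

    do {
        ret = poll(&pfd, 1, timeout_ms);
    } while (ret == -1 && errno == EINTR);

    if (ret <= 0) {
        return ret;
    }
    if (pfd.revents & POLLNVAL) {
        errno = EBADF;
        return -1;
    }
    return (pfd.revents & (POLLIN | POLLHUP)) ? 1 : 0;
}

/* Self-check on a pipe: an empty pipe times out, one written byte is
 * readable. Returns 0 on success, -1 otherwise. */
static int demo_pipe(void)
{
    int fds[2];
    int empty, ready, rc = -1;

    if (pipe(fds) < 0) {
        return -1;
    }
    empty = wait_readable(fds[0], 0);
    if (write(fds[1], "x", 1) == 1) {
        ready = wait_readable(fds[0], 1000);
        rc = (empty == 0 && ready == 1) ? 0 : -1;
    }
    close(fds[0]);
    close(fds[1]);
    return rc;
}

/* Same check with the read end moved to high_fd (e.g. FD_SETSIZE + 1), the
 * case select() cannot handle. Returns 1 readable, 0 if the process fd limit
 * is below high_fd so the case could not be set up, -1 on error or timeout. */
static int demo_high_fd(int high_fd)
{
    int fds[2];
    int rc;

    if (pipe(fds) < 0) {
        return -1;
    }
    if (dup2(fds[0], high_fd) < 0) {
        rc = 0;
    } else {
        rc = (write(fds[1], "x", 1) == 1 && wait_readable(high_fd, 1000) == 1) ? 1 : -1;
        close(high_fd);
    }
    close(fds[0]);
    close(fds[1]);
    return rc;
}

int main(void)
{
    int high = FD_SETSIZE + 1;

    printf("fd %d fits select(): %s\n", high, fd_fits_select(high) ? "yes" : "no");
    printf("pipe via poll(): %s\n", demo_pipe() == 0 ? "ok" : "failed");
    printf("pipe on fd %d via poll(): %d\n", high, demo_high_fd(high));
    return 0;
}
```

Whether demo_high_fd() can actually place the pipe at FD_SETSIZE + 1 depends on the process RLIMIT_NOFILE; when the limit is lower it reports 0 rather than failing, so the point is still visible from fd_fits_select() alone.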
2023-09-21  meson: Fix targetos match for illumos and Solaris.  Jonathan Perkin
qemu 8.1.0 breaks on illumos platforms due to _XOPEN_SOURCE and others no longer being set correctly, leading to breakage such as: https://us-central.manta.mnx.io/pkgsrc/public/reports/trunk/tools/20230908.1404/qemu-8.1.0/build.log This is a result of meson conversion which incorrectly matches against 'solaris' instead of 'sunos' for uname. First time submitting a patch here, hope I did it correctly. Thanks. Signed-off-by: Jonathan Perkin <jonathan@perkin.org.uk> Message-ID: <ZPtdxtum9UVPy58J@perkin.org.uk> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit fb0a8b0e238277296907ffe765bf76874cfc1df6) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: omit net/meson.build change before v8.1.0-279-g73258b3864, adjust context before v8.1.0-288-g2fc36530de)