aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2024-03-05linux-user: Remove pgb_dynamic alignment assertionRichard Henderson
The assertion was never correct, because the alignment is a composite of the image alignment and SHMLBA. Even if the image alignment didn't match the image address, an assertion would not be correct -- more appropriate would be an error message about an ill formed image. But the image cannot be held to SHMLBA under any circumstances. Fixes: ee94743034b ("linux-user: completely re-write init_guest_space") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2157 Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reported-by: Alexey Sheplyakov <asheplyakov@yandex.ru> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit b816e1b5ba58a986b10cd830d6617f351979ab91) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-03-05tcg/aarch64: Apple does not align __int128_t in even registersRichard Henderson
From https://developer.apple.com/documentation/xcode/writing-arm64-code-for-apple-platforms When passing an argument with 16-byte alignment in integer registers, Apple platforms allow the argument to start in an odd-numbered xN register. The standard ABI requires it to begin in an even-numbered xN register. Cc: qemu-stable@nongnu.org Fixes: 5427a9a7604 ("tcg: Add TCG_TARGET_CALL_{RET,ARG}_I128") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2169 Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <9fc0c2c7-dd57-459e-aecb-528edb74b4a7@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit 7f89fdf8ebe6ef8df48f0a05f44e1020c713a94e) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-03-05configure: run plugin TCG tests againPaolo Bonzini
Commit 39fb3cfc28b ("configure: clean up plugin option handling", 2023-10-18) dropped the CONFIG_PLUGIN line from tests/tcg/config-host.mak, due to confusion caused by the shadowing of $config_host_mak. However, TCG tests were still expecting it. Oops. Put it back, in the meanwhile the shadowing is gone so it's clear that it goes in the tests/tcg configuration. Cc: <alex.bennee@linaro.org> Fixes: 39fb3cfc28b ("configure: clean up plugin option handling", 2023-10-18) Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <20240124115332.612162-1-pbonzini@redhat.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20240207163812.3231697-4-alex.bennee@linaro.org> (cherry picked from commit 15cc103362499bd94c5aec5fa66543d0de3bf4b5) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: fixup for 8.2.x - $config_host_mak without tests/tcg/ prefix - for before v8.2.0-142-g606c3ba7a2 "configure: remove unnecessary subshell")
2024-03-05Revert "configure: run plugin TCG tests again"Michael Tokarev
This reverts commit 6eeeb8733177db7bc23fb2e7271dea759b47e4f9. This commit has been wrongly back-ported to 8.2.x, $config_host_mak in master didn't include the tests/tcg/ prefix, while 8.2.0 did it. The result of this "backport" is this message during configure: ../configure: 1679: cannot create tests/tcg/tests/tcg/config-host.mak: Directory nonexistent Let's revert the change and try again. Cc: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-03-04Update version for 8.2.2 releasev8.2.2Michael Tokarev
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-03-01chardev/char-socket: Fix TLS io channels sending too much data to the backendThomas Huth
Commit ffda5db65a ("io/channel-tls: fix handling of bigger read buffers") changed the behavior of the TLS io channels to schedule a second reading attempt if there is still incoming data pending. This caused a regression with backends like the sclpconsole that check in their read function that the sender does not try to write more bytes to it than the device can currently handle. The problem can be reproduced like this: 1) In one terminal, do this: mkdir qemu-pki cd qemu-pki openssl genrsa 2048 > ca-key.pem openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem # enter some dummy value for the cert openssl genrsa 2048 > server-key.pem openssl req -new -x509 -nodes -days 365000 -key server-key.pem \ -out server-cert.pem # enter some other dummy values for the cert gnutls-serv --echo --x509cafile ca-cert.pem --x509keyfile server-key.pem \ --x509certfile server-cert.pem -p 8338 2) In another terminal, do this: wget https://download.fedoraproject.org/pub/fedora-secondary/releases/39/Cloud/s390x/images/Fedora-Cloud-Base-39-1.5.s390x.qcow2 qemu-system-s390x -nographic -nodefaults \ -hda Fedora-Cloud-Base-39-1.5.s390x.qcow2 \ -object tls-creds-x509,id=tls0,endpoint=client,verify-peer=false,dir=$PWD/qemu-pki \ -chardev socket,id=tls_chardev,host=localhost,port=8338,tls-creds=tls0 \ -device sclpconsole,chardev=tls_chardev,id=tls_serial QEMU then aborts after a second or two with: qemu-system-s390x: ../hw/char/sclpconsole.c:73: chr_read: Assertion `size <= SIZE_BUFFER_VT220 - scon->iov_data_len' failed. Aborted (core dumped) It looks like the second read does not trigger the chr_can_read() function to be called before the second read, which should normally always be done before sending bytes to a character device to see how much it can handle, so the s->max_size in tcp_chr_read() still contains the old value from the previous read. Let's make sure that we use the up-to-date value by calling tcp_chr_read_poll() again here. Fixes: ffda5db65a ("io/channel-tls: fix handling of bigger read buffers") Buglink: https://issues.redhat.com/browse/RHEL-24614 Reviewed-by: "Daniel P. Berrangé" <berrange@redhat.com> Message-ID: <20240229104339.42574-1-thuth@redhat.com> Reviewed-by: Antoine Damhet <antoine.damhet@blade-group.com> Tested-by: Antoine Damhet <antoine.damhet@blade-group.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit 462945cd22d2bcd233401ed3aa167d83a8e35b05) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-03-01tests/unit/test-util-sockets: Remove temporary file after testThomas Huth
test-util-sockets leaves the temporary socket files around in the temporary files folder. Let's better remove them at the end of the testing. Fixes: 4d3a329af5 ("tests/util-sockets: add abstract unix socket cases") Message-ID: <20240226082728.249753-1-thuth@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit f0cb6828ae34fb56fbb869bb3147a636d1c984ce) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-03-01hw/usb/bus.c: PCAP adding 0xA in Windows versionBenjamin David Lunt
Since Windows text files use CRLFs for all \n, the Windows version of QEMU inserts a CR in the PCAP stream when a LF is encountered when using USB PCAP files. This is due to the fact that the PCAP file is opened as TEXT instead of BINARY. To show an example, when using a very common protocol to USB disks, the BBB protocol uses a 10-byte command packet. For example, the READ_CAPACITY(10) command will have a command block length of 10 (0xA). When this 10-byte command (part of the 31-byte CBW) is placed into the PCAP file, the Windows file manager inserts a 0xD before the 0xA, turning the 31-byte CBW into a 32-byte CBW. Actual CBW: 0040 55 53 42 43 01 00 00 00 08 00 00 00 80 00 0a 25 USBC...........% 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... PCAP CBW 0040 55 53 42 43 01 00 00 00 08 00 00 00 80 00 0d 0a USBC............ 0050 25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 %.............. I believe simply opening the PCAP file as BINARY instead of TEXT will fix this issue. Resolves: https://bugs.launchpad.net/qemu/+bug/2054889 Signed-off-by: Benjamin David Lunt <benlunt@fysnet.net> Message-ID: <000101da6823$ce1bbf80$6a533e80$@fysnet.net> [thuth: Break long line to avoid checkpatch.pl error] Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit 5e02a4fdebc442e34c5bb05e4540f85cc6e802f0) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-03-01hw/intc/Kconfig: Fix GIC settings when using "--without-default-devices"Thomas Huth
When using "--without-default-devices", the ARM_GICV3_TCG and ARM_GIC_KVM settings currently get disabled, though the arm virt machine is only of very limited use in that case. This also causes the migration-test to fail in such builds. Let's make sure that we always keep the GIC switches enabled in the --without-default-devices builds, too. Message-ID: <20240221110059.152665-1-thuth@redhat.com> Tested-by: Fabiano Rosas <farosas@suse.de> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit 8bd3f84d1f6fba0edebc450be6fa2c7630584df9) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-29gitlab: force allow use of pip in Cirrus jobsDaniel P. Berrangé
Python is transitioning to a world where you're not allowed to use 'pip install' outside of a virutal env by default. The rationale is to stop use of pip clashing with distro provided python packages, which creates a major headache on distro upgrades. All our CI environments, however, are 100% disposable so the upgrade headaches don't exist. Thus we can undo the python defaults to allow pip to work. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org> Tested-by: Thomas Huth <thuth@redhat.com> Message-id: 20240222114038.2348718-1-berrange@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit a8bf9de2f4f398315ac5340e4b88c478d5457731) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-28tests/vm: avoid re-building the VM images all the timeAlex Bennée
The main problem is that "check-venv" is a .PHONY target will always evaluate and trigger a full re-build of the VM images. While its tempting to drop it from the dependencies that does introduce a breakage on freshly configured builds. Fortunately we do have the otherwise redundant --force flag for the script which up until now was always on. If we make the usage of --force conditional on dependencies other than check-venv triggering the update we can avoid the costly rebuild and still run cleanly on a fresh checkout. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2118 Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20240227144335.1196131-4-alex.bennee@linaro.org> (cherry picked from commit 151b7dba391fab64cc008a1fdba6ddcf6f8c39c8) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-28tests/vm: update openbsd image to 7.4Alex Bennée
The old links are dead so even if we have the ISO cached we can't finish the install. Update to the current stable and tweak the install strings. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2192 Tested-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20240227144335.1196131-5-alex.bennee@linaro.org> (cherry picked from commit 8467ac75b3b7207a49a1c6c7b87f0f7d2d0cea18) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-28target/i386: leave the A20 bit set in the final NPT walkPaolo Bonzini
The A20 mask is only applied to the final memory access. Nested page tables are always walked with the raw guest-physical address. Unlike the previous patch, in this one the masking must be kept, but it was done too early. Cc: qemu-stable@nongnu.org Fixes: 4a1e9d4d11c ("target/i386: Use atomic operations for pte updates", 2022-10-18) Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit b5a9de3259f4c791bde2faff086dd5737625e41e) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-28target/i386: remove unnecessary/wrong application of the A20 maskPaolo Bonzini
If ptw_translate() does a MMU_PHYS_IDX access, the A20 mask is already applied in get_physical_address(), which is called via probe_access_full() and x86_cpu_tlb_fill(). If ptw_translate() on the other hand does a MMU_NESTED_IDX access, the A20 mask must not be applied to the address that is looked up in the nested page tables; it must be applied only to the addresses that hold the NPT entries (which is achieved via MMU_PHYS_IDX, per the previous paragraph). Therefore, we can remove A20 masking from the computation of the page table entry's address, and let get_physical_address() or mmu_translate() apply it when they know they are returning a host-physical address. Cc: qemu-stable@nongnu.org Fixes: 4a1e9d4d11c ("target/i386: Use atomic operations for pte updates", 2022-10-18) Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit a28fe7dc1939333c81b895cdced81c69eb7c5ad0) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-28target/i386: Fix physical address truncationPaolo Bonzini
The address translation logic in get_physical_address() will currently truncate physical addresses to 32 bits unless long mode is enabled. This is incorrect when using physical address extensions (PAE) outside of long mode, with the result that a 32-bit operating system using PAE to access memory above 4G will experience undefined behaviour. The truncation code was originally introduced in commit 33dfdb5 ("x86: only allow real mode to access 32bit without LMA"), where it applied only to translations performed while paging is disabled (and so cannot affect guests using PAE). Commit 9828198 ("target/i386: Add MMU_PHYS_IDX and MMU_NESTED_IDX") rearranged the code such that the truncation also applied to the use of MMU_PHYS_IDX and MMU_NESTED_IDX. Commit 4a1e9d4 ("target/i386: Use atomic operations for pte updates") brought this truncation into scope for page table entry accesses, and is the first commit for which a Windows 10 32-bit guest will reliably fail to boot if memory above 4G is present. The truncation code however is not completely redundant. Even though the maximum address size for any executed instruction is 32 bits, helpers for operations such as BOUND, FSAVE or XSAVE may ask get_physical_address() to translate an address outside of the 32-bit range, if invoked with an argument that is close to the 4G boundary. Likewise for processor accesses, for example TSS or IDT accesses, when EFER.LMA==0. So, move the address truncation in get_physical_address() so that it applies to 32-bit MMU indexes, but not to MMU_PHYS_IDX and MMU_NESTED_IDX. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2040 Fixes: 4a1e9d4d11c ("target/i386: Use atomic operations for pte updates", 2022-10-18) Cc: qemu-stable@nongnu.org Co-developed-by: Michael Brown <mcb30@ipxe.org> Signed-off-by: Michael Brown <mcb30@ipxe.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit b1661801c184119a10ad6cbc3b80330fc22e7b2c) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: drop unrelated change in target/i386/cpu.c)
2024-02-28target/i386: check validity of VMCB addressesPaolo Bonzini
MSR_VM_HSAVE_PA bits 0-11 are reserved, as are the bits above the maximum physical address width of the processor. Setting them to 1 causes a #GP (see "15.30.4 VM_HSAVE_PA MSR" in the AMD manual). The same is true of VMCB addresses passed to VMRUN/VMLOAD/VMSAVE, even though the manual is not clear on that. Cc: qemu-stable@nongnu.org Fixes: 4a1e9d4d11c ("target/i386: Use atomic operations for pte updates", 2022-10-18) Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit d09c79010ffd880dc69e7a21e3cfdef90b928fb8) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-28target/i386: mask high bits of CR3 in 32-bit modePaolo Bonzini
CR3 bits 63:32 are ignored in 32-bit mode (either legacy 2-level paging or PAE paging). Do this in mmu_translate() to remove the last where get_physical_address() meaningfully drops the high bits of the address. Cc: qemu-stable@nongnu.org Suggested-by: Richard Henderson <richard.henderson@linaro.org> Fixes: 4a1e9d4d11c ("target/i386: Use atomic operations for pte updates", 2022-10-18) Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 68fb78d7d5723066ec2cacee7d25d67a4143b42f) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-27pl031: Update last RTCLR value on write in case it's read backJessica Clarke
The PL031 allows you to read RTCLR, which is meant to give you the last value written. PL031State has an lr field which is used when reading from RTCLR, and is present in the VM migration state, but we never actually update it, so it always reads as its initial 0 value. Cc: qemu-stable@nongnu.org Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Message-id: 20240222000341.1562443-1-jrtc27@jrtc27.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 4d28d57c9f2eb1cdf70b29cea6e50282e010075b) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-27hw/nvme: fix invalid endian conversionKlaus Jensen
numcntl is one byte and so is max_vfs. Using cpu_to_le16 on big endian hosts results in numcntl being set to 0. Fix by dropping the endian conversion. Fixes: 99f48ae7ae ("hw/nvme: Add support for Secondary Controller List") Reported-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Klaus Jensen <k.jensen@samsung.com> Reviewed-by: Minwoo Im <minwoo.im@samsung.com> Message-ID: <20240222-fix-sriov-numcntl-v1-1-d60bea5e72d0@samsung.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit d2b5bb860e6c17442ad95cc275feb07c1665be5c) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-27update edk2 binaries to edk2-stable202402Gerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 658178c3d4e95b3f4106e25ec5a209356e339032) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-27update edk2 submodule to edk2-stable202402Gerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 9c996f3d11f8582ac5d4daf5d17453ac09d4acf8) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-24target/ppc: Fix crash on machine check caused by ifetchNicholas Piggin
is_prefix_insn_excp() loads the first word of the instruction address which caused an exception, to determine whether or not it was prefixed so the prefix bit can be set in [H]SRR1. This works if the instruction image can be loaded, but if the exception was caused by an ifetch, this load could fail and cause a recursive exception and crash. Machine checks caused by ifetch are not excluded from the prefix check and can crash (see issue 2108 for an example). Fix this by excluding machine checks caused by ifetch from the prefix check. Cc: qemu-stable@nongnu.org Acked-by: Cédric Le Goater <clg@kaod.org> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2108 Fixes: 55a7fa34f89 ("target/ppc: Machine check on invalid real address access on POWER9/10") Fixes: 5a5d3b23cb2 ("target/ppc: Add SRR1 prefix indication to interrupt handlers") Signed-off-by: Nicholas Piggin <npiggin@gmail.com> (cherry picked from commit c8fd9667e5975fe2e70a906e125a758737eab707) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-24target/ppc: Fix lxv/stxv MSR facility checkNicholas Piggin
The move to decodetree flipped the inequality test for the VEC / VSX MSR facility check. This caused application crashes under Linux, where these facility unavailable interrupts are used for lazy-switching of VEC/VSX register sets. Getting the incorrect interrupt would result in wrong registers being loaded, potentially overwriting live values and/or exposing stale ones. Cc: qemu-stable@nongnu.org Reported-by: Joel Stanley <joel@jms.id.au> Fixes: 70426b5bb738 ("target/ppc: moved stxvx and lxvx from legacy to decodtree") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1769 Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com> Tested-by: Harsh Prateek Bora <harshpb@linux.ibm.com> Reviewed-by: Cédric Le Goater <clg@kaod.org> Tested-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Nicholas Piggin <npiggin@gmail.com> (cherry picked from commit 2cc0e449d17310877fb28a942d4627ad22bb68ea) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-22.gitlab-ci.d/windows.yml: Drop msys2-32bit jobPeter Maydell
MSYS2 is dropping support for 32-bit Windows. This shows up for us as various packages we were using in our CI job no longer being available to install, which causes the job to fail. In commit 8e31b744fdf we dropped the dependency on libusb and spice, but the dtc package has also now been removed. For us as QEMU upstream, "32 bit x86 hosts for system emulation" have already been deprecated as of QEMU 8.0, so we are ready to drop them anyway. Drop the msys2-32bit CI job, as the first step in doing this. This is cc'd to stable, because this job will also be broken for CI on the stable branches. We can't drop 32-bit support entirely there, but we will still be covering at least compilation for 32-bit Windows via the cross-win32-system job. Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Message-id: 20240220165602.135695-1-peter.maydell@linaro.org (cherry picked from commit 5cd3ae4903e33982e7a9bbd04674af517e796d6e) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-22system/vl: Update description for input grab keyTianlan Zhou
Input grab key should be Ctrl-Alt-g, not just Ctrl-Alt. Fixes: f8d2c9369b ("sdl: use ctrl-alt-g as grab hotkey") Signed-off-by: Tianlan Zhou <bobby825@126.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (cherry picked from commit 185311130f54ead75c407cdf83004d575829b5d2) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-22docs/system: Update description for input grab keyTianlan Zhou
Input grab key should be Ctrl-Alt-g, not just Ctrl-Alt. Fixes: f8d2c9369b ("sdl: use ctrl-alt-g as grab hotkey") Signed-off-by: Tianlan Zhou <bobby825@126.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (cherry picked from commit 4a20ac400ff0753f159071764826b20e5320cde9) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-22hw/hppa/Kconfig: Fix building with "configure --without-default-devices"Thomas Huth
When running "configure" with "--without-default-devices", building of qemu-system-hppa currently fails with: /usr/bin/ld: libqemu-hppa-softmmu.fa.p/hw_hppa_machine.c.o: in function `machine_HP_common_init_tail': hw/hppa/machine.c:399: undefined reference to `usb_bus_find' /usr/bin/ld: hw/hppa/machine.c:399: undefined reference to `usb_create_simple' /usr/bin/ld: hw/hppa/machine.c:400: undefined reference to `usb_bus_find' /usr/bin/ld: hw/hppa/machine.c:400: undefined reference to `usb_create_simple' collect2: error: ld returned 1 exit status ninja: build stopped: subcommand failed. make: *** [Makefile:162: run-ninja] Error 1 And after fixing this, the qemu-system-hppa binary refuses to run due to the missing 'pci-ohci' and 'pci-serial' devices. Let's add the right config switches to fix these problems. Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (cherry picked from commit 04b86ccb5dc8a1fad809753cfbaafd4bb13283d4) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-20tests/qtest: Depend on dbus_display1_depAkihiko Odaki
It ensures dbus-display1.c will not be recompiled. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20240214-dbus-v7-3-7eff29f04c34@daynix.com> (cherry picked from commit 186acfbaf7f325833702f50f75ef5116dc29e233) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-20meson: Explicitly specify dbus-display1.h dependencyAkihiko Odaki
Explicitly specify dbus-display1.h as a dependency so that files depending on it will not get compiled too early. Fixes: 1222070e7728 ("meson: ensure dbus-display generated code is built before other units") Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20240214-dbus-v7-2-7eff29f04c34@daynix.com> (cherry picked from commit 7aee57df930da2cf6361c5183aff96468ae4027d) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-20audio: Depend on dbus_display1_depAkihiko Odaki
dbusaudio needs dbus_display1_dep. Fixes: 739362d4205c ("audio: add "dbus" audio backend") Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20240214-dbus-v7-1-7eff29f04c34@daynix.com> (cherry picked from commit d67611907590a1e6c998b7c5a5cb4394acf84329) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-20ui/console: Fix console resize with placeholder surfaceTianlan Zhou
In `qemu_console_resize()`, the old surface of the console is keeped if the new console size is the same as the old one. If the old surface is a placeholder, and the new size of console is the same as the placeholder surface (640*480), the surface won't be replace. In this situation, the surface's `QEMU_PLACEHOLDER_FLAG` flag is still set, so the console won't be displayed in SDL display mode. This patch fixes this problem by forcing a new surface if the old one is a placeholder. Signed-off-by: Tianlan Zhou <bobby825@126.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-ID: <20240207172024.8-1-bobby825@126.com> (cherry picked from commit 95b08fee8f68d284a5028d37fd28be7a70c8e92b) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-20ui/clipboard: add asserts for update and requestFiona Ebner
Should an issue like CVE-2023-6683 ever appear again in the future, it will be more obvious which assumption was violated. Suggested-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-ID: <20240124105749.204610-2-f.ebner@proxmox.com> (cherry picked from commit 9c416582611b7495bdddb4c5456c7acb64b78938) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-20ui/clipboard: mark type as not available when there is no dataFiona Ebner
With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT message with len=0. In qemu_clipboard_set_data(), the clipboard info will be updated setting data to NULL (because g_memdup(data, size) returns NULL when size is 0). If the client does not set the VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then the 'request' callback for the clipboard peer is not initialized. Later, because data is NULL, qemu_clipboard_request() can be reached via vdagent_chr_write() and vdagent_clipboard_recv_request() and there, the clipboard owner's 'request' callback will be attempted to be called, but that is a NULL pointer. In particular, this can happen when using the KRDC (22.12.3) VNC client. Another scenario leading to the same issue is with two clients (say noVNC and KRDC): The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and initializes its cbpeer. The KRDC client does not, but triggers a vnc_client_cut_text() (note it's not the _ext variant)). There, a new clipboard info with it as the 'owner' is created and via qemu_clipboard_set_data() is called, which in turn calls qemu_clipboard_update() with that info. In qemu_clipboard_update(), the notifier for the noVNC client will be called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the noVNC client. The 'owner' in that clipboard info is the clipboard peer for the KRDC client, which did not initialize the 'request' function. That sounds correct to me, it is the owner of that clipboard info. Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it passes), that clipboard info is passed to qemu_clipboard_request() and the original segfault still happens. Fix the issue by handling updates with size 0 differently. In particular, mark in the clipboard info that the type is not available. While at it, switch to g_memdup2(), because g_memdup() is deprecated. Cc: qemu-stable@nongnu.org Fixes: CVE-2023-6683 Reported-by: Markus Frank <m.frank@proxmox.com> Suggested-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Tested-by: Markus Frank <m.frank@proxmox.com> Message-ID: <20240124105749.204610-1-f.ebner@proxmox.com> (cherry picked from commit 405484b29f6548c7b86549b0f961b906337aa68a) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-20ui: reject extended clipboard message if not activatedDaniel P. Berrangé
The extended clipboard message protocol requires that the client activate the extension by requesting a psuedo encoding. If this is not done, then any extended clipboard messages from the client should be considered invalid and the client dropped. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20240115095119.654271-1-berrange@redhat.com> (cherry picked from commit 4cba8388968b70fe20e290221dc421c717051fdd) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-20target/i386: Generate an illegal opcode exception on cmp instructions with ↵Ziqiao Kong
lock prefix target/i386: As specified by Intel Manual Vol2 3-180, cmp instructions are not allowed to have lock prefix and a `UD` should be raised. Without this patch, s1->T0 will be uninitialized and used in the case OP_CMPL. Signed-off-by: Ziqiao Kong <ziqiaokong@gmail.com> Message-ID: <20240215095015.570748-2-ziqiaokong@gmail.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 99d0dcd7f102c07a510200d768cae65e5db25d23) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-20i386/cpuid: Move leaf 7 to correct groupXiaoyao Li
CPUID leaf 7 was grouped together with SGX leaf 0x12 by commit b9edbadefb9e ("i386: Propagate SGX CPUID sub-leafs to KVM") by mistake. SGX leaf 0x12 has its specific logic to check if subleaf (starting from 2) is valid or not by checking the bit 0:3 of corresponding EAX is 1 or not. Leaf 7 follows the logic that EAX of subleaf 0 enumerates the maximum valid subleaf. Fixes: b9edbadefb9e ("i386: Propagate SGX CPUID sub-leafs to KVM") Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com> Message-ID: <20240125024016.2521244-4-xiaoyao.li@intel.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 0729857c707535847d7fe31d3d91eb8b2a118e3c) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-20i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1FXiaoyao Li
Existing code misses a decrement of cpuid_i when skip leaf 0x1F. There's a blank CPUID entry(with leaf, subleaf as 0, and all fields stuffed 0s) left in the CPUID array. It conflicts with correct CPUID leaf 0. Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com> Reviewed-by:Yang Weijiang <weijiang.yang@intel.com> Message-ID: <20240125024016.2521244-2-xiaoyao.li@intel.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 10f92799af8ba3c3cef2352adcd4780f13fbab31) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-20i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and ↵Xiaoyao Li
FEAT_XSAVE_XSS_HI leafs The value of FEAT_XSAVE_XCR0_HI leaf and FEAT_XSAVE_XSS_HI leaf also need to be masked by XCR0 and XSS mask respectively, to make it logically correct. Fixes: 301e90675c3f ("target/i386: Enable support for XSAVES based features") Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com> Reviewed-by: Yang Weijiang <weijiang.yang@intel.com> Message-ID: <20240115091325.1904229-3-xiaoyao.li@intel.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit a11a365159b944e05be76f3ec3b98c8b38cb70fd) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-20i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE is not availableXiaoyao Li
Leaf FEAT_XSAVE_XSS_LO and FEAT_XSAVE_XSS_HI also need to be cleared when CPUID_EXT_XSAVE is not set. Fixes: 301e90675c3f ("target/i386: Enable support for XSAVES based features") Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com> Reviewed-by: Yang Weijiang <weijiang.yang@intel.com> Message-ID: <20240115091325.1904229-2-xiaoyao.li@intel.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 81f5cad3858f27623b1b14467926032d229b76cc) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-16.gitlab-ci/windows.yml: Don't install libusb or spice packages on 32-bitPeter Maydell
When msys2 updated their libusb packages to libusb 1.0.27, they dropped support for building them for mingw32, leaving only mingw64 packages. This broke our CI job, as the 'pacman' package install now fails with: error: target not found: mingw-w64-i686-libusb error: target not found: mingw-w64-i686-usbredir (both these binary packages are from the libusb source package). Similarly, spice is now 64-bit only: error: target not found: mingw-w64-i686-spice Fix this by dropping these packages from the list we install for our msys2-32bit build. We do this with a simple mechanism for the msys2-64bit and msys2-32bit jobs to specify a list of extra packages to install on top of the common ones we install for both jobs. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2160 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Message-id: 20240215155009.2422335-1-peter.maydell@linaro.org (cherry picked from commit 8e31b744fdf2c5d933681e4128acee72a83af4b8) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-16iotests: Make 144 deterministic againKevin Wolf
Since commit effd60c8 changed how QMP commands are processed, the order of the block-commit return value and job events in iotests 144 wasn't fixed and more and caused the test to fail intermittently. Change the test to cache events first and then print them in a predefined order. Waiting three times for JOB_STATUS_CHANGE is a bit uglier than just waiting for the JOB_STATUS_CHANGE that has "status": "ready", but the tooling we have doesn't seem to allow the latter easily. Fixes: effd60c878176bcaf97fa7ce2b12d04bb8ead6f7 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2126 Signed-off-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-id: 20240209173103.239994-1-kwolf@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit cc29c12ec629ba68a4a6cb7d165c94cc8502815a) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-16target/arm: Don't get MDCR_EL2 in pmu_counter_enabled() before checking ↵Peter Maydell
ARM_FEATURE_PMU It doesn't make sense to read the value of MDCR_EL2 on a non-A-profile CPU, and in fact if you try to do it we will assert: #6 0x00007ffff4b95e96 in __GI___assert_fail (assertion=0x5555565a8c70 "!arm_feature(env, ARM_FEATURE_M)", file=0x5555565a6e5c "../../target/arm/helper.c", line=12600, function=0x5555565a9560 <__PRETTY_FUNCTION__.0> "arm_security_space_below_el3") at ./assert/assert.c:101 #7 0x0000555555ebf412 in arm_security_space_below_el3 (env=0x555557bc8190) at ../../target/arm/helper.c:12600 #8 0x0000555555ea6f89 in arm_is_el2_enabled (env=0x555557bc8190) at ../../target/arm/cpu.h:2595 #9 0x0000555555ea942f in arm_mdcr_el2_eff (env=0x555557bc8190) at ../../target/arm/internals.h:1512 We might call pmu_counter_enabled() on an M-profile CPU (for example from the migration pre/post hooks in machine.c); this should always return false because these CPUs don't set ARM_FEATURE_PMU. Avoid the assertion by not calling arm_mdcr_el2_eff() before we have done the early return for "PMU not present". This fixes an assertion failure if you try to do a loadvm or savevm for an M-profile board. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2155 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20240208153346.970021-1-peter.maydell@linaro.org (cherry picked from commit ac1d88e9e7ca0bed83e91e07ce6d0597f10cc77d) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-16target/arm: Fix SVE/SME gross MTE suppression checksRichard Henderson
The TBI and TCMA bits are located within mtedesc, not desc. Cc: qemu-stable@nongnu.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Tested-by: Gustavo Romero <gustavo.romero@linaro.org> Message-id: 20240207025210.8837-7-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 855f94eca80c85a99f459e36684ea2f98f6a3243) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-16target/arm: Handle mte in do_ldrq, do_ldroRichard Henderson
These functions "use the standard load helpers", but fail to clean_data_tbi or populate mtedesc. Cc: qemu-stable@nongnu.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Tested-by: Gustavo Romero <gustavo.romero@linaro.org> Message-id: 20240207025210.8837-6-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 623507ccfcfebb0f10229ae5de3f85a27fb615a7) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-16target/arm: Split out make_svemte_descRichard Henderson
Share code that creates mtedesc and embeds within simd_desc. Cc: qemu-stable@nongnu.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Tested-by: Gustavo Romero <gustavo.romero@linaro.org> Message-id: 20240207025210.8837-5-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 96fcc9982b4aad7aced7fbff046048bbccc6cb0c) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-16target/arm: Adjust and validate mtedesc sizem1Richard Henderson
When we added SVE_MTEDESC_SHIFT, we effectively limited the maximum size of MTEDESC. Adjust SIZEM1 to consume the remaining bits (32 - 10 - 5 - 12 == 5). Assert that the data to be stored fits within the field (expecting 8 * 4 - 1 == 31, exact fit). Cc: qemu-stable@nongnu.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Tested-by: Gustavo Romero <gustavo.romero@linaro.org> Message-id: 20240207025210.8837-4-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit b12a7671b6099a26ce5d5ab09701f151e21c112c) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-16target/arm: Fix nregs computation in do_{ld,st}_zpaRichard Henderson
The field is encoded as [0-3], which is convenient for indexing our array of function pointers, but the true value is [1-4]. Adjust before calling do_mem_zpa. Add an assert, and move the comment re passing ZT to the helper back next to the relevant code. Cc: qemu-stable@nongnu.org Fixes: 206adacfb8d ("target/arm: Add mte helpers for sve scalar + int loads") Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Tested-by: Gustavo Romero <gustavo.romero@linaro.org> Message-id: 20240207025210.8837-3-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 64c6e7444dff64b42d11b836b9aec9acfbe8ecc2) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-16linux-user/aarch64: Choose SYNC as the preferred MTE modeRichard Henderson
The API does not generate an error for setting ASYNC | SYNC; that merely constrains the selection vs the per-cpu default. For qemu linux-user, choose SYNC as the default. Cc: qemu-stable@nongnu.org Reported-by: Gustavo Romero <gustavo.romero@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Tested-by: Gustavo Romero <gustavo.romero@linaro.org> Message-id: 20240207025210.8837-2-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 681dfc0d552963d4d598350d26097a692900b408) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-15tests/acpi: Update DSDT.cxl to reflect change _STA return value.Jonathan Cameron
_STA will now return 0xB (in common with most other devices) rather than not setting the bits to indicate this fake device has not been enabled, and self tests haven't passed. Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Message-Id: <20240126120132.24248-13-Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit b24a981b9f1c4767aaea815e504a2c7aeb405d72) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-02-15hw/i386: Fix _STA return value for ACPI0017Jonathan Cameron
Found whilst testing a series for the linux kernel that actually bothers to check if enabled is set. 0xB is the option used for vast majority of DSDT entries in QEMU. It is a little odd for a device that doesn't really exist and is simply a hook to tell the OS there is a CEDT table but 0xB seems a reasonable choice and avoids need to special case this device in the OS. Means: * Device present. * Device enabled and decoding it's resources. * Not shown in UI * Functioning properly * No battery (on this device!) Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Message-Id: <20240126120132.24248-12-Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit d9ae5802f656f6fb53b788747ba557a826b6e740) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>