aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2024-04-10hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugsPhilippe Mathieu-Daudé
Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus and device use the same guard. Otherwise the DMA-reentrancy protection can be bypassed. Fixes: CVE-2024-3446 Cc: qemu-stable@nongnu.org Suggested-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-Id: <20240409105537.18308-4-philmd@linaro.org>
2024-04-10hw/display/virtio-gpu: Protect from DMA re-entrancy bugsPhilippe Mathieu-Daudé
Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus and device use the same guard. Otherwise the DMA-reentrancy protection can be bypassed: $ cat << EOF | qemu-system-i386 -display none -nodefaults \ -machine q35,accel=qtest \ -m 512M \ -device virtio-gpu \ -qtest stdio outl 0xcf8 0x80000820 outl 0xcfc 0xe0004000 outl 0xcf8 0x80000804 outw 0xcfc 0x06 write 0xe0004030 0x4 0x024000e0 write 0xe0004028 0x1 0xff write 0xe0004020 0x4 0x00009300 write 0xe000401c 0x1 0x01 write 0x101 0x1 0x04 write 0x103 0x1 0x1c write 0x9301c8 0x1 0x18 write 0x105 0x1 0x1c write 0x107 0x1 0x1c write 0x109 0x1 0x1c write 0x10b 0x1 0x00 write 0x10d 0x1 0x00 write 0x10f 0x1 0x00 write 0x111 0x1 0x00 write 0x113 0x1 0x00 write 0x115 0x1 0x00 write 0x117 0x1 0x00 write 0x119 0x1 0x00 write 0x11b 0x1 0x00 write 0x11d 0x1 0x00 write 0x11f 0x1 0x00 write 0x121 0x1 0x00 write 0x123 0x1 0x00 write 0x125 0x1 0x00 write 0x127 0x1 0x00 write 0x129 0x1 0x00 write 0x12b 0x1 0x00 write 0x12d 0x1 0x00 write 0x12f 0x1 0x00 write 0x131 0x1 0x00 write 0x133 0x1 0x00 write 0x135 0x1 0x00 write 0x137 0x1 0x00 write 0x139 0x1 0x00 write 0xe0007003 0x1 0x00 EOF ... ================================================================= ==276099==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000011178 at pc 0x562cc3b736c7 bp 0x7ffed49dee60 sp 0x7ffed49dee58 READ of size 8 at 0x60d000011178 thread T0 #0 0x562cc3b736c6 in virtio_gpu_ctrl_response hw/display/virtio-gpu.c:180:42 #1 0x562cc3b7c40b in virtio_gpu_ctrl_response_nodata hw/display/virtio-gpu.c:192:5 #2 0x562cc3b7c40b in virtio_gpu_simple_process_cmd hw/display/virtio-gpu.c:1015:13 #3 0x562cc3b82873 in virtio_gpu_process_cmdq hw/display/virtio-gpu.c:1050:9 #4 0x562cc4a85514 in aio_bh_call util/async.c:169:5 #5 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13 #6 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5 #7 0x562cc4a8a2da in aio_ctx_dispatch util/async.c:358:5 #8 0x7f36840547a8 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x547a8) #9 0x562cc4a8b753 in glib_pollfds_poll util/main-loop.c:290:9 #10 0x562cc4a8b753 in os_host_main_loop_wait util/main-loop.c:313:5 #11 0x562cc4a8b753 in main_loop_wait util/main-loop.c:592:11 #12 0x562cc3938186 in qemu_main_loop system/runstate.c:782:9 #13 0x562cc43b7af5 in qemu_default_main system/main.c:37:14 #14 0x7f3683a6c189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #15 0x7f3683a6c244 in __libc_start_main csu/../csu/libc-start.c:381:3 #16 0x562cc2a58ac0 in _start (qemu-system-i386+0x231bac0) 0x60d000011178 is located 56 bytes inside of 136-byte region [0x60d000011140,0x60d0000111c8) freed by thread T0 here: #0 0x562cc2adb662 in __interceptor_free (qemu-system-i386+0x239e662) #1 0x562cc3b86b21 in virtio_gpu_reset hw/display/virtio-gpu.c:1524:9 #2 0x562cc416e20e in virtio_reset hw/virtio/virtio.c:2145:9 #3 0x562cc37c5644 in virtio_pci_reset hw/virtio/virtio-pci.c:2249:5 #4 0x562cc4233758 in memory_region_write_accessor system/memory.c:497:5 #5 0x562cc4232eea in access_with_adjusted_size system/memory.c:573:18 previously allocated by thread T0 here: #0 0x562cc2adb90e in malloc (qemu-system-i386+0x239e90e) #1 0x7f368405a678 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5a678) #2 0x562cc4163ffc in virtqueue_split_pop hw/virtio/virtio.c:1612:12 #3 0x562cc4163ffc in virtqueue_pop hw/virtio/virtio.c:1783:16 #4 0x562cc3b91a95 in virtio_gpu_handle_ctrl hw/display/virtio-gpu.c:1112:15 #5 0x562cc4a85514 in aio_bh_call util/async.c:169:5 #6 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13 #7 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5 SUMMARY: AddressSanitizer: heap-use-after-free hw/display/virtio-gpu.c:180:42 in virtio_gpu_ctrl_response With this change, the same reproducer triggers: qemu-system-i386: warning: Blocked re-entrant IO on MemoryRegion: virtio-pci-common-virtio-gpu at addr: 0x6 Fixes: CVE-2024-3446 Cc: qemu-stable@nongnu.org Reported-by: Alexander Bulekov <alxndr@bu.edu> Reported-by: Yongkang Jia <kangel@zju.edu.cn> Reported-by: Xiao Lei <nop.leixiao@gmail.com> Reported-by: Yiming Tao <taoym@zju.edu.cn> Buglink: https://bugs.launchpad.net/qemu/+bug/1888606 Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-Id: <20240409105537.18308-3-philmd@linaro.org>
2024-04-10hw/virtio: Introduce virtio_bh_new_guarded() helperPhilippe Mathieu-Daudé
Introduce virtio_bh_new_guarded(), similar to qemu_bh_new_guarded() but using the transport memory guard, instead of the device one (there can only be one virtio device per virtio bus). Inspired-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-Id: <20240409105537.18308-2-philmd@linaro.org>
2024-04-09Merge tag 'pull-misc-20240409' of https://gitlab.com/rth7680/qemu into stagingPeter Maydell
target/m68k: Fix fp accrued exception reporting target/hppa: Fix IIAOQ, IIASQ for pa2.0 target/sh4: Fixes to mac.l and mac.w saturation target/sh4: Fixes to illegal delay slot reporting linux-user: Fix waitid return of siginfo_t and rusage linux-user: Preserve unswapped siginfo_t for strace tcg/optimize: Do not attempt to constant fold neg_vec accel/tcg: Improve can_do_io management, mmio bug fix # -----BEGIN PGP SIGNATURE----- # # iQFRBAABCgA7FiEEekgeeIaLTbaoWgXAZN846K9+IV8FAmYVl/kdHHJpY2hhcmQu # aGVuZGVyc29uQGxpbmFyby5vcmcACgkQZN846K9+IV/MXgf/bMzLStvB+DvcpKCR # hxewlDvNaDHntpXc0+3KzFPOeP9ELGlRDWSUcsdfR0v6BjUQHoUx9t+wC7R/Qe1B # K9EWQUW9ayU++ELF9dXqtNDLGZaaSAx73PuCd+sDykBdj4/iuX0yc6htWQ+AbP0L # x1j8CCKuCy/qDjQXyaAtCltlUurHgnswBgnZBxa2Bm0OSszDEBe49IXRIuFW5CcH # PkVT250zZXU1lblOhpSnOBApZgxbSotk3Wdz7ARbzWisrCEW5x91ClWrP88odjX4 # wiRAe+LvFeLBjlFo+TWbdsvU6Zu2TNxSbv/Tr0HQSFoDkiXKU+5IM4L9Rx9x9EMo # x1lmkg== # =FYg/ # -----END PGP SIGNATURE----- # gpg: Signature made Tue 09 Apr 2024 20:33:13 BST # gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F # gpg: issuer "richard.henderson@linaro.org" # gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [full] # Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F * tag 'pull-misc-20240409' of https://gitlab.com/rth7680/qemu: linux-user: Preserve unswapped siginfo_t for strace accel/tcg: Improve can_do_io management target/s390x: Use insn_start from DisasContextBase target/riscv: Use insn_start from DisasContextBase target/microblaze: Use insn_start from DisasContextBase target/i386: Preserve DisasContextBase.insn_start across rewind target/hppa: Use insn_start from DisasContextBase target/arm: Use insn_start from DisasContextBase accel/tcg: Add insn_start to DisasContextBase tcg: Add TCGContext.emit_before_op target/m68k: Map FPU exceptions to FPSR register target/sh4: add missing CHECK_NOT_DELAY_SLOT target/sh4: Fix mac.w with saturation enabled target/sh4: Fix mac.l with saturation enabled target/sh4: Merge mach and macl into a union target/sh4: mac.w: memory accesses are 16-bit words target/hppa: Fix IIAOQ, IIASQ for pa2.0 linux-user: replace calloc() with g_new0() linux-user: Fix waitid return of siginfo_t and rusage tcg/optimize: Do not attempt to constant fold neg_vec Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-09linux-user: Preserve unswapped siginfo_t for straceRichard Henderson
Passing the tswapped structure to strace means that our internal si_type is also gone, which then aborts in print_siginfo. Fixes: 4d6d8a05a0a ("linux-user: Move tswap_siginfo out of target code") Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-04-09accel/tcg: Improve can_do_io managementRichard Henderson
We already attempted to set and clear can_do_io before the first and last insns, but only used the initial value of max_insns and the call to translator_io_start to find those insns. Now that we track insn_start in DisasContextBase, and now that we have emit_before_op, we can wait until we have finished translation to identify the true first and last insns and emit the sets of can_do_io at that time. This fixes the case of a translation block which crossed a page boundary, and for which the second page turned out to be mmio. In this case we truncate the block, and the previous logic for can_do_io could leave a block with a single insn with can_do_io set to false, which would fail an assertion in cpu_io_recompile. Reported-by: Jørgen Hansen <Jorgen.Hansen@wdc.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Tested-by: Jørgen Hansen <Jorgen.Hansen@wdc.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-04-09target/s390x: Use insn_start from DisasContextBaseRichard Henderson
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-04-09target/riscv: Use insn_start from DisasContextBaseRichard Henderson
To keep the multiple update check, replace insn_start with insn_start_updated. Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-04-09target/microblaze: Use insn_start from DisasContextBaseRichard Henderson
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-04-09target/i386: Preserve DisasContextBase.insn_start across rewindRichard Henderson
When aborting translation of the current insn, restore the previous value of insn_start. Acked-by: Paolo Bonzini <pbonzini@redhat.com> Tested-by: Jørgen Hansen <Jorgen.Hansen@wdc.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-04-09target/hppa: Use insn_start from DisasContextBaseRichard Henderson
To keep the multiple update check, replace insn_start with insn_start_updated. Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-04-09target/arm: Use insn_start from DisasContextBaseRichard Henderson
To keep the multiple update check, replace insn_start with insn_start_updated. Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-04-09accel/tcg: Add insn_start to DisasContextBaseRichard Henderson
This is currently target-specific for many; begin making it target independent. Tested-by: Jørgen Hansen <Jorgen.Hansen@wdc.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-04-09tcg: Add TCGContext.emit_before_opRichard Henderson
Allow operations to be emitted via normal expanders into the middle of the opcode stream. Tested-by: Jørgen Hansen <Jorgen.Hansen@wdc.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-04-09target/m68k: Map FPU exceptions to FPSR registerKeith Packard
Add helpers for reading/writing the 68881 FPSR register so that changes in floating point exception state can be seen by the application. Call these helpers in pre_load/post_load hooks to synchronize exception state. Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20230803035231.429697-1-keithp@keithp.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-04-09target/sh4: add missing CHECK_NOT_DELAY_SLOTZack Buhman
CHECK_NOT_DELAY_SLOT is correctly applied to the branch-related instructions, but not to the PC-relative mov* instructions. I verified the existence of an illegal slot exception on a SH7091 when any of these instructions are attempted inside a delay slot. This also matches the behavior described in the SH-4 ISA manual. Signed-off-by: Zack Buhman <zack@buhman.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20240407150705.5965-1-zack@buhman.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewd-by: Yoshinori Sato <ysato@users.sourceforge.jp>
2024-04-09target/sh4: Fix mac.w with saturation enabledZack Buhman
The saturation arithmetic logic in helper_macw is not correct. I tested and verified this behavior on a SH7091. Reviewd-by: Yoshinori Sato <ysato@users.sourceforge.jp> Signed-off-by: Zack Buhman <zack@buhman.org> Message-Id: <20240405233802.29128-3-zack@buhman.org> [rth: Reformat helper_macw, add a test case.] Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2024-04-09target/sh4: Fix mac.l with saturation enabledZack Buhman
The saturation arithmetic logic in helper_macl is not correct. I tested and verified this behavior on a SH7091. Signed-off-by: Zack Buhman <zack@buhman.org> Message-Id: <20240404162641.27528-2-zack@buhman.org> [rth: Reformat helper_macl, add a test case.] Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2024-04-09target/sh4: Merge mach and macl into a unionRichard Henderson
Allow host access to the entire 64-bit accumulator. Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-04-09target/sh4: mac.w: memory accesses are 16-bit wordsZack Buhman
Before this change, executing a code sequence such as: mova tblm,r0 mov r0,r1 mova tbln,r0 clrs clrmac mac.w @r0+,@r1+ mac.w @r0+,@r1+ .align 4 tblm: .word 0x1234 .word 0x5678 tbln: .word 0x9abc .word 0xdefg Does not result in correct behavior: Expected behavior: first macw : macl = 0x1234 * 0x9abc + 0x0 mach = 0x0 second macw: macl = 0x5678 * 0xdefg + 0xb00a630 mach = 0x0 Observed behavior (qemu-sh4eb, prior to this commit): first macw : macl = 0x5678 * 0xdefg + 0x0 mach = 0x0 second macw: (unaligned longword memory access, SIGBUS) Various SH-4 ISA manuals also confirm that `mac.w` is a 16-bit word memory access, not a 32-bit longword memory access. Signed-off-by: Zack Buhman <zack@buhman.org> Reviewed-by: Yoshinori Sato <ysato@users.sourceforge.jp> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20240402093756.27466-1-zack@buhman.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-04-09target/hppa: Fix IIAOQ, IIASQ for pa2.0Richard Henderson
The contents of IIAOQ depend on PSW_W. Follow the text in "Interruption Instruction Address Queues", pages 2-13 through 2-15. Tested-by: Sven Schnelle <svens@stackframe.org> Tested-by: Helge Deller <deller@gmx.de> Reported-by: Sven Schnelle <svens@stackframe.org> Fixes: b10700d826c ("target/hppa: Update IIAOQ, IIASQ for pa2.0") Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-04-09linux-user: replace calloc() with g_new0()Nguyen Dinh Phi
Use glib allocation as recommended by the coding convention Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com> Message-Id: <20240317171747.1642207-1-phind.uet@gmail.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-04-09linux-user: Fix waitid return of siginfo_t and rusageRichard Henderson
The copy back to siginfo_t should be conditional only on arg3, not the specific values that might have been written. The copy back to rusage was missing entirely. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2262 Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Tested-by: Alex Fan <alex.fan.q@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2024-04-09tcg/optimize: Do not attempt to constant fold neg_vecRichard Henderson
Split out the tail of fold_neg to fold_neg_no_const so that we can avoid attempting to constant fold vector negate. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2150 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-04-09Merge tag 'edk2-20240409-pull-request' of https://gitlab.com/kraxel/qemu ↵Peter Maydell
into staging edk2: fix version information, rebuild binaries. # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCgAdFiEEoDKM/7k6F6eZAf59TLbY7tPocTgFAmYVbGAACgkQTLbY7tPo # cTiKIw/9G1GGakAfkq48BS7LDvO0u/qzFmt+EKaBtwbFEKEZ+aUp6RgdYENnARxO # qJpffW8nief9VchjRSnJ2Sy9lKR/rfckwc9HgXpXtRVzqyMYJkJmuVMiw3H5INC6 # QR+4IPIS3SckPPvBDMr92L0MQMYDNLnjnBF3KiZ0tNpRf5tstl4KN5QsatKk9gpB # /sspC9DzujE8uuDrcPb9bEAUm/jILvD9CmDN9TWSq9uk6yLw3Rgqh5lvs5zK//HY # cwzpEhn/OjLCfAx2RnXNDqBL2JbGLl65luVvMy+lkrB0PNP4YSREAuLdO4kwZGgx # LWFvMhNvAYuBSEZcoX7vurUzcoMc3G5Awh4ybv1Auwn5iOXKIkES15DxmGJVItXN # K09nFJiTI/Fr/zFHUqKGmM/PYggV5EjsKmTkJtKxn8u7GBTzbZOGQXCHK6pI3VpI # m61L4VOzQxIBlM4e6NLS32TOejXS4MIMlRnFixwQDgWMUzEQ7SogHVFhv3GNaXBs # DM6PRzdWUhpwMkRLzt+kO3hrJC4+SiZ1xMZQDoipIAtF3gKTz6/6vjtRtpMTmq9K # eI6YZXG7LfiHDInKJyQZIF1H+OFMdv+OIDe+tssmyjMRXxzsPIeb3dTnuGRbYiCo # Z/8UDig1EDPdu07Egr4ZM9S1GD0+r2OLFoJTH5G+zPvi+z0OCH8= # =rslQ # -----END PGP SIGNATURE----- # gpg: Signature made Tue 09 Apr 2024 17:27:12 BST # gpg: using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full] # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full] # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full] # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * tag 'edk2-20240409-pull-request' of https://gitlab.com/kraxel/qemu: edk2: rebuild binaries with correct version information edk2/seabios: use common extra version edk2: commit version info edk2: get version + date from git submodule Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-09edk2: rebuild binaries with correct version informationGerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2024-04-09edk2/seabios: use common extra versionGerd Hoffmann
Bring a bit more consistency into the naming. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-ID: <20240327102448.61877-4-kraxel@redhat.com>
2024-04-09edk2: commit version infoGerd Hoffmann
Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-ID: <20240327102448.61877-3-kraxel@redhat.com>
2024-04-09edk2: get version + date from git submoduleGerd Hoffmann
Turned out hard-coding version and date in the Makefile wasn't a bright idea. Updating it on edk2 updates is easily forgotten. Fetch the info from git instead. Store in edk2-version, so this can be committed to the repo and is present in tarballs too. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-ID: <20240327102448.61877-2-kraxel@redhat.com>
2024-04-09Merge tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu ↵Peter Maydell
into staging virtio,pc,pci: bugfixes Tiny fixes: important but mostly obvious ones. Revert VDPA network sim for this release as there are questions around it's maintainatiblity. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # -----BEGIN PGP SIGNATURE----- # # iQFDBAABCAAtFiEEXQn9CHHI+FuUyooNKB8NuNKNVGkFAmYU7qcPHG1zdEByZWRo # YXQuY29tAAoJECgfDbjSjVRpn/cIAJBWRN67BS5ysdHjK0Hmw1zumbLpK+85wlAv # dTfmJmUnIV6Ft5yaFFXCpxVH0/lh/vhG2ra5+lu53mX+GMtwjdqk4Sufvo4TukXu # uweHUqlb4pdL37Yf7Q9N6kSX4Ay3ITEC7N18IvlBU8be5gRhidejMWlKq/gW/1rk # +mnWeD5Qxs91Lh2pxShcnsRah0D4UY47dNu3VnglC9wYb4fupukGgj0qOnqYDF2K # tG9Us0grU/qF1FgqWwbrlhOUO1Ntlp4uYn4JNOFhswAFDPm2XXIJRIPUhoYEi9G2 # HhxGSpDjJm8I9BBbllDnQVpIbBFxoG/EiQRT64Nt+rw+Tq01sPA= # =AZIl # -----END PGP SIGNATURE----- # gpg: Signature made Tue 09 Apr 2024 08:30:47 BST # gpg: using RSA key 5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469 # gpg: issuer "mst@redhat.com" # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" [full] # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" [full] # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 # Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469 * tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu: qdev-monitor: fix error message in find_device_state() vhost-user-blk: simplify and fix vhost_user_blk_handle_config_change vdpa-dev: Fix the issue of device status not updating when configuration interruption is triggered hw/virtio: Fix packed virtqueue flush used_idx virtio-snd: rewrite invalid tx/rx message handling virtio-snd: Enhance error handling for invalid transfers Revert "hw/virtio: Add support for VDPA network simulation devices" Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-09Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into stagingPeter Maydell
* fall back to non-ioeventfd notification if KVM routing table is full * support kitware ninja with jobserver support * nanomips: fix warnings with GCC 14 # -----BEGIN PGP SIGNATURE----- # # iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmYURBsUHHBib256aW5p # QHJlZGhhdC5jb20ACgkQv/vSX3jHroNuygf8DzxNFSPCKatkiZ0HSekMUcM6+vCf # fcQx+PEmgnBGTMaeMqUMFGRBPx1FdrvvLpV0oeJ1RvyfyZLCEmRMaO9LnzkqlYgD # jd5R4/mQcbH+qpZyk5x+g10gHLzafXHYf/aBVkzqlO02UyO61lgpoXp/Z1l+jkhB # 1FA8Y3NH5x1gqT37pSCYUIeIAfoY1mndjsPNa/IuDUlMk0jwKz2zEWWYkQF2DvY0 # nfZG2+V7YdOBv+vkZi2gcl82FWAJdsZF+cMBmshvYp+N3/JKezgB588vJ3Yu3UVV # Y3Z/GbbqS+mCFBe2M6TsL7eU18UgU5E8mXB6Lp8fOGTwIG8iM0tcBYBc0g== # =qHqi # -----END PGP SIGNATURE----- # gpg: Signature made Mon 08 Apr 2024 20:23:07 BST # gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83 # gpg: issuer "pbonzini@redhat.com" # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full] # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full] # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * tag 'for-upstream' of https://gitlab.com/bonzini/qemu: kvm: error out of kvm_irqchip_add_msi_route() in case of full route table nanomips: fix warnings with GCC 14 Makefile: preserve --jobserver-auth argument when calling ninja Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-09qdev-monitor: fix error message in find_device_state()Vladimir Sementsov-Ogievskiy
This "hotpluggable" here is misleading. Actually we check is object a device or not. Let's drop the word. Suggested-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Reviewed-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20240329183758.3360733-3-vsementsov@yandex-team.ru> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2024-04-09vhost-user-blk: simplify and fix vhost_user_blk_handle_config_changeVladimir Sementsov-Ogievskiy
Let's not care about what was changed and update the whole config, reasons: 1. config->geometry should be updated together with capacity, so we fix a bug. 2. Vhost-user protocol doesn't say anything about config change limitation. Silent ignore of changes doesn't seem to be correct. 3. vhost-user-vsock reads the whole config 4. on realize we don't do any checks on retrieved config, so no reason to care here Comment "valid for resize only" exists since introduction the whole hw/block/vhost-user-blk.c in commit 00343e4b54ba0685e9ebe928ec5713b0cf7f1d1c "vhost-user-blk: introduce a new vhost-user-blk host device", seems it was just an extra limitation. Also, let's notify guest unconditionally: 1. So does vhost-user-vsock 2. We are going to reuse the functionality in new cases when we do want to notify the guest unconditionally. So, no reason to create extra branches in the logic. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Acked-by: Raphael Norwitz <raphael.norwitz@nutanix.com> Message-Id: <20240329183758.3360733-2-vsementsov@yandex-team.ru> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2024-04-09vdpa-dev: Fix the issue of device status not updating when configuration ↵lyx634449800
interruption is triggered The set_config callback function vhost_vdpa_device_get_config in vdpa-dev does not fetch the current device status from the hardware device, causing the guest os to not receive the latest device status information. The hardware updates the config status of the vdpa device and then notifies the os. The guest os receives an interrupt notification, triggering a get_config access in the kernel, which then enters qemu internally. Ultimately, the vhost_vdpa_device_get_config function of vdpa-dev is called One scenario encountered is when the device needs to bring down the vdpa net device. After modifying the status field of virtio_net_config in the hardware, it sends an interrupt notification. However, the guest os always receives the STATUS field as VIRTIO_NET_S_LINK_UP. Signed-off-by: Yuxue Liu <yuxue.liu@jaguarmicro.com> Acked-by: Jason Wang <jasowang@redhat.com> Message-Id: <20240408020003.1979-1-yuxue.liu@jaguarmicro.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2024-04-09hw/virtio: Fix packed virtqueue flush used_idxWafer
In the event of writing many chains of descriptors, the device must write just the id of the last buffer in the descriptor chain, skip forward the number of descriptors in the chain, and then repeat the operations for the rest of chains. Current QEMU code writes all the buffer ids consecutively, and then skips all the buffers altogether. This is a bug, and can be reproduced with a VirtIONet device with _F_MRG_RXBUB and without _F_INDIRECT_DESC: If a virtio-net device has the VIRTIO_NET_F_MRG_RXBUF feature but not the VIRTIO_RING_F_INDIRECT_DESC feature, 'VirtIONetQueue->rx_vq' will use the merge feature to store data in multiple 'elems'. The 'num_buffers' in the virtio header indicates how many elements are merged. If the value of 'num_buffers' is greater than 1, all the merged elements will be filled into the descriptor ring. The 'idx' of the elements should be the value of 'vq->used_idx' plus 'ndescs'. Fixes: 86044b24e8 ("virtio: basic packed virtqueue support") Acked-by: Eugenio Pérez <eperezma@redhat.com> Signed-off-by: Wafer <wafer@jaguarmicro.com> Message-Id: <20240407015451.5228-2-wafer@jaguarmicro.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2024-04-09virtio-snd: rewrite invalid tx/rx message handlingManos Pitsidianakis
The current handling of invalid virtqueue elements inside the TX/RX virt queue handlers is wrong. They are added in a per-stream invalid queue to be processed after the handler is done examining each message, but the invalid message might not be specifying any stream_id; which means it's invalid to add it to any stream->invalid queue since stream could be NULL at this point. This commit moves the invalid queue to the VirtIOSound struct which guarantees there will always be a valid temporary place to store them inside the tx/rx handlers. The queue will be emptied before the handler returns, so the queue must be empty at any other point of the device's lifetime. Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Message-Id: <virtio-snd-rewrite-invalid-tx-rx-message-handling-v1.manos.pitsidianakis@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2024-04-09virtio-snd: Enhance error handling for invalid transfersZheyu Ma
This patch improves error handling in virtio_snd_handle_tx_xfer() and virtio_snd_handle_rx_xfer() in the VirtIO sound driver. Previously, 'goto' statements were used for error paths, leading to unnecessary processing and potential null pointer dereferences. Now, 'continue' is used to skip the rest of the current loop iteration for errors such as message size discrepancies or null streams, reducing crash risks. ASAN log illustrating the issue addressed: ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000b4 #0 0x57cea39967b8 in qemu_mutex_lock_impl qemu/util/qemu-thread-posix.c:92:5 #1 0x57cea128c462 in qemu_mutex_lock qemu/include/qemu/thread.h:122:5 #2 0x57cea128d72f in qemu_lockable_lock qemu/include/qemu/lockable.h:95:5 #3 0x57cea128c294 in qemu_lockable_auto_lock qemu/include/qemu/lockable.h:105:5 #4 0x57cea1285eb2 in virtio_snd_handle_rx_xfer qemu/hw/audio/virtio-snd.c:1026:9 #5 0x57cea2caebbc in virtio_queue_notify_vq qemu/hw/virtio/virtio.c:2268:9 #6 0x57cea2cae412 in virtio_queue_host_notifier_read qemu/hw/virtio/virtio.c:3671:9 #7 0x57cea39822f1 in aio_dispatch_handler qemu/util/aio-posix.c:372:9 #8 0x57cea3979385 in aio_dispatch_handlers qemu/util/aio-posix.c:414:20 #9 0x57cea3978eb1 in aio_dispatch qemu/util/aio-posix.c:424:5 #10 0x57cea3a1eede in aio_ctx_dispatch qemu/util/async.c:360:5 Signed-off-by: Zheyu Ma <zheyuma97@gmail.com> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Message-Id: <20240322110827.568412-1-zheyuma97@gmail.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2024-04-09Revert "hw/virtio: Add support for VDPA network simulation devices"Michael S. Tsirkin
This reverts commit cd341fd1ffded978b2aa0b5309b00be7c42e347c. The patch adds non-upstream code in include/standard-headers/linux/virtio_pci.h which would make maintainance harder. Revert for now. Suggested-by: Jason Wang <jasowang@redhat.com> Message-Id: <df6b6b465753e754a19459e8cd61416548f89a42.1712569644.git.mst@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2024-04-08kvm: error out of kvm_irqchip_add_msi_route() in case of full route tableIgor Mammedov
subj is calling kvm_add_routing_entry() which simply extends KVMState::irq_routes::entries[] but doesn't check if number of routes goes beyond limit the kernel is willing to accept. Which later leads toi the assert qemu-kvm: ../accel/kvm/kvm-all.c:1833: kvm_irqchip_commit_routes: Assertion `ret == 0' failed typically it happens during guest boot for large enough guest Reproduced with: ./qemu --enable-kvm -m 8G -smp 64 -machine pc \ `for b in {1..2}; do echo -n "-device pci-bridge,id=pci$b,chassis_nr=$b "; for i in {0..31}; do touch /tmp/vblk$b$i; echo -n "-drive file=/tmp/vblk$b$i,if=none,id=drive$b$i,format=raw -device virtio-blk-pci,drive=drive$b$i,bus=pci$b "; done; done` While crash at boot time is bad, the same might happen at hotplug time which is unacceptable. So instead calling kvm_add_routing_entry() unconditionally, check first that number of routes won't exceed KVM_CAP_IRQ_ROUTING. This way virtio device insteads killin qemu, will gracefully fail to initialize device as expected with following warnings on console: virtio-blk failed to set guest notifier (-28), ensure -accel kvm is set. virtio_bus_start_ioeventfd: failed. Fallback to userspace (slower). Signed-off-by: Igor Mammedov <imammedo@redhat.com> Message-ID: <20240408110956.451558-1-imammedo@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-04-08nanomips: fix warnings with GCC 14Paolo Bonzini
GCC 14 shows -Wshadow=local warnings if an enum conflicts with a local variable (including a parameter). To avoid this, move the problematic enum and all of its dependencies after the hundreds of functions that have a parameter named "instruction". Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-04-08Merge tag 'pull-target-arm-20240408' of ↵Peter Maydell
https://git.linaro.org/people/pmaydell/qemu-arm into staging target-arm: * Use correct SecuritySpace for AArch64 AT ops at EL3 * Fix CNTPOFF_EL2 trap to missing EL3 # -----BEGIN PGP SIGNATURE----- # # iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmYUC2EZHHBldGVyLm1h # eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3kyhD/9QQb8qrtd7Lan/ODI1PKuv # gHl1MNCpf1qxfCzl/hL2+Ci2p220AL22EIBUBwzTXoIjidRKoqmUAkKvNk3xANI2 # ZiO1+NZIOqdVLbQGboJDbd4jEDuABPok6fOSyw1WCs9FvGFOWYswx1Eb/T9X31hz # cSxakeW1cIQo0FNtVEGldUdKQLTxAw6pO/fuL/YleXq2Heiw6ktIe48LxQ0ufVLU # 7ebpTWSbVeEqwKb4H1HixZ54a2in4NnsHQkkIxup7mPjH78l78WvQjEn1d4CDqJB # /hzCV/tDrPzUYET7wYN5gHFYuMOOeDDcOn42Lj+qF+dyjMgg64qMMdZ46wxQKSdr # KInSkcnKCsMWNN8fYFDrGcefuXmvFd81l368DczxCHOgTWZdnZj+M3yQQ85a6TER # 5f9mmUOMLtvrogfxrlKJklo9P+FzHFp5luT3d8c8wXY46B5wkpS43tJGjZEyvHps # 1cQnJN+Y3ys6VU7FfLO9Dl/qI4dR0xUhDvjqPEicuu79lTBPgFoQox7xSGVAk90y # QKzz0eXV/ECy1kabMFDrZNINkg07KtNFKLrRgrHCPt4gdTO1Nu9UMWUTVjiNYSh4 # aEMy3xHCIKo315BvUsVVwpQLa98CYfLF/rw3J6ECaPTCYN7uCrlWyDEcDdbFfPXD # xPbXgH7ocQoDn7Tj+KxfhQ== # =WmlH # -----END PGP SIGNATURE----- # gpg: Signature made Mon 08 Apr 2024 16:21:05 BST # gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE # gpg: issuer "peter.maydell@linaro.org" # gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate] # gpg: aka "Peter Maydell <pmaydell@gmail.com>" [ultimate] # gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate] # gpg: aka "Peter Maydell <peter@archaic.org.uk>" [ultimate] # Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE * tag 'pull-target-arm-20240408' of https://git.linaro.org/people/pmaydell/qemu-arm: target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3 target/arm: Fix CNTPOFF_EL2 trap to missing EL3 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-08Merge tag 'migration-20240407-pull-request' of ↵Peter Maydell
https://gitlab.com/peterx/qemu into staging Migration pull for 9.0-rc3 - Wei/Lei's fix on a rare postcopy race that can hang the channel (since 8.0) - Avihai's fix on maintainers file, points to the right doc links # -----BEGIN PGP SIGNATURE----- # # iIgEABYKADAWIQS5GE3CDMRX2s990ak7X8zN86vXBgUCZhLpJBIccGV0ZXJ4QHJl # ZGhhdC5jb20ACgkQO1/MzfOr1wa87AEAhvXqJyLxYYdlQ5fqp4hVV6O/3N1vNHMu # kT3d9tmM0jsBAJ5KxK176iGDp+ej5MEyYSm1gG7ivj3y3v3wlPnSmJMJ # =T1lk # -----END PGP SIGNATURE----- # gpg: Signature made Sun 07 Apr 2024 19:42:44 BST # gpg: using EDDSA key B9184DC20CC457DACF7DD1A93B5FCCCDF3ABD706 # gpg: issuer "peterx@redhat.com" # gpg: Good signature from "Peter Xu <xzpeter@gmail.com>" [marginal] # gpg: aka "Peter Xu <peterx@redhat.com>" [marginal] # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: B918 4DC2 0CC4 57DA CF7D D1A9 3B5F CCCD F3AB D706 * tag 'migration-20240407-pull-request' of https://gitlab.com/peterx/qemu: MAINTAINERS: Adjust migration documentation files migration/postcopy: ensure preempt channel is ready before loading states Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-08target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3Peter Maydell
When we do an AT address translation operation, the page table walk is supposed to be performed in the context of the EL we're doing the walk for, so for instance an AT S1E2R walk is done for EL2. In the pseudocode an EL is passed to AArch64.AT(), which calls SecurityStateAtEL() to find the security state that we should be doing the walk with. In ats_write64() we get this wrong, instead using the current security space always. This is fine for AT operations performed from EL1 and EL2, because there the current security state and the security state for the lower EL are the same. But for AT operations performed from EL3, the current security state is always either Secure or Root, whereas we want to use the security state defined by SCR_EL3.{NS,NSE} for the walk. This affects not just guests using FEAT_RME but also ones where EL3 is Secure state and the EL3 code is trying to do an AT for a NonSecure EL2 or EL1. Use arm_security_space_below_el3() to get the SecuritySpace to pass to do_ats_write() for all AT operations except the AT S1E3* operations. Cc: qemu-stable@nongnu.org Fixes: e1ee56ec2383 ("target/arm: Pass security space rather than flag for AT instructions") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2250 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20240405180232.3570066-1-peter.maydell@linaro.org
2024-04-08Makefile: preserve --jobserver-auth argument when calling ninjaMartin Hundebøll
Qemu wraps its call to ninja in a Makefile. Since ninja, as opposed to make, utilizes all CPU cores by default, the qemu Makefile translates the absense of a `-jN` argument into `-j1`. This breaks jobserver functionality, so update the -jN mangling to take the --jobserver-auth argument into considerationa too. Signed-off-by: Martin Hundebøll <martin@geanix.com> Message-Id: <20240402081738.1051560-1-martin@geanix.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-04-07MAINTAINERS: Adjust migration documentation filesAvihai Horon
Commit 8cb2f8b172e7 ("docs/migration: Create migration/ directory") changed migration documentation file structure but forgot to update the entries in the MAINTAINERS file. Commit 4c6f8a79ae53 ("docs/migration: Split 'dirty limit'") extracted dirty limit documentation to a new file without updating dirty limit section in MAINTAINERS file. Fix the above. Fixes: 8cb2f8b172e7 ("docs/migration: Create migration/ directory") Fixes: 4c6f8a79ae53 ("docs/migration: Split 'dirty limit'") Signed-off-by: Avihai Horon <avihaih@nvidia.com> Link: https://lore.kernel.org/r/20240407081125.13951-1-avihaih@nvidia.com Signed-off-by: Peter Xu <peterx@redhat.com>
2024-04-07migration/postcopy: ensure preempt channel is ready before loading statesWei Wang
Before loading the guest states, ensure that the preempt channel has been ready to use, as some of the states (e.g. via virtio_load) might trigger page faults that will be handled through the preempt channel. So yield to the main thread in the case that the channel create event hasn't been dispatched. Cc: qemu-stable <qemu-stable@nongnu.org> Fixes: 9358982744 ("migration: Send requested page directly in rp-return thread") Originally-by: Lei Wang <lei4.wang@intel.com> Link: https://lore.kernel.org/all/9aa5d1be-7801-40dd-83fd-f7e041ced249@intel.com/T/ Signed-off-by: Lei Wang <lei4.wang@intel.com> Signed-off-by: Wei Wang <wei.w.wang@intel.com> Link: https://lore.kernel.org/r/20240405034056.23933-1-wei.w.wang@intel.com [peterx: add a todo section, add Fixes and copy stable for 8.0+] Signed-off-by: Peter Xu <peterx@redhat.com>
2024-04-05target/arm: Fix CNTPOFF_EL2 trap to missing EL3Pierre-Clément Tosi
EL2 accesses to CNTPOFF_EL2 should only ever trap to EL3 if EL3 is present, as described by the reference manual (for MRS): /* ... */ elsif PSTATE.EL == EL2 then if Halted() && HaveEL(EL3) && /*...*/ then UNDEFINED; elsif HaveEL(EL3) && SCR_EL3.ECVEn == '0' then /* ... */ else X[t, 64] = CNTPOFF_EL2; However, the existing implementation of gt_cntpoff_access() always returns CP_ACCESS_TRAP_EL3 for EL2 accesses with SCR_EL3.ECVEn unset. In pseudo-code terminology, this corresponds to assuming that HaveEL(EL3) is always true, which is wrong. As a result, QEMU panics in access_check_cp_reg() when started without EL3 and running EL2 code accessing the register (e.g. any recent KVM booting a guest). Therefore, add the HaveEL(EL3) check to gt_cntpoff_access(). Fixes: 2808d3b38a52 ("target/arm: Implement FEAT_ECV CNTPOFF_EL2 handling") Signed-off-by: Pierre-Clément Tosi <ptosi@google.com> Message-id: m3al6amhdkmsiy2f62w72ufth6dzn45xg5cz6xljceyibphnf4@ezmmpwk4tnhl Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-04Merge tag 'qemu-sparc-20240404' of https://github.com/mcayland/qemu into stagingPeter Maydell
qemu-sparc queue # -----BEGIN PGP SIGNATURE----- # # iQFSBAABCgA8FiEEzGIauY6CIA2RXMnEW8LFb64PMh8FAmYOtvEeHG1hcmsuY2F2 # ZS1heWxhbmRAaWxhbmRlLmNvLnVrAAoJEFvCxW+uDzIf+5oIAJtRPiTP5aUmN4nU # s72NBtgARBJ+5hHl0fqFFlCrG9elO28F1vhT9DwwBOLwihZCnfIXf+SCoE+pvqDw # c+AMN/RnDu+1F4LF93W0ZIr305yGDfVlU+S3vKGtB9G4rcLeBDmNlhui2d0Bqx9R # jwX1y57vcPclObE0KL6AVOfSDPYiVEVQSiTr3j4oW8TqAs2bduEZMRh6esb3XMIA # hmj8mhZAszfh1YvX8ufbxtPQsnNuFMM+Fxgxp0pux8QaI0addDHwVNObRUYlTUZ1 # o4xCw7TRXXotaHde/OqZApFECs+md3R7rC2wj7s3ae0ynohHHDFfaB5t1f4pm+kA # /6UN/Jc= # =XwaI # -----END PGP SIGNATURE----- # gpg: Signature made Thu 04 Apr 2024 15:19:29 BST # gpg: using RSA key CC621AB98E82200D915CC9C45BC2C56FAE0F321F # gpg: issuer "mark.cave-ayland@ilande.co.uk" # gpg: Good signature from "Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>" [full] # Primary key fingerprint: CC62 1AB9 8E82 200D 915C C9C4 5BC2 C56F AE0F 321F * tag 'qemu-sparc-20240404' of https://github.com/mcayland/qemu: esp.c: remove explicit setting of DRQ within ESP state machine esp.c: ensure esp_pdma_write() always calls esp_fifo_push() esp.c: update esp_fifo_{push, pop}() to call esp_update_drq() esp.c: introduce esp_update_drq() and update esp_fifo_{push, pop}_buf() to use it esp.c: move esp_set_phase() and esp_get_phase() towards the beginning of the file esp.c: prevent cmdfifo overflow in esp_cdb_ready() esp.c: rework esp_cdb_length() into esp_cdb_ready() esp.c: don't assert() if FIFO empty when executing non-DMA SELATNS esp.c: introduce esp_fifo_push_buf() function for pushing to the FIFO esp.c: change esp_fifo_pop_buf() to take ESPState esp.c: use esp_fifo_push() instead of fifo8_push() esp.c: change esp_fifo_pop() to take ESPState esp.c: change esp_fifo_push() to take ESPState esp.c: replace cmdfifo use of esp_fifo_pop() in do_message_phase() esp.c: replace esp_fifo_pop_buf() with esp_fifo8_pop_buf() in do_message_phase() esp.c: replace esp_fifo_pop_buf() with esp_fifo8_pop_buf() in do_command_phase() esp.c: move esp_fifo_pop_buf() internals to new esp_fifo8_pop_buf() function Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-04Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into stagingPeter Maydell
Pull request Fix a memory leak in virtio-blk zone report emulation code when the request is invalid. # -----BEGIN PGP SIGNATURE----- # # iQEzBAABCAAdFiEEhpWov9P5fNqsNXdanKSrs4Grc8gFAmYOsfEACgkQnKSrs4Gr # c8iKjAf9FwsKVoMlcTFTbWFDX/JPer3kPYIdpXoKm0KYivwAiGsG++sw2zCAOQdB # F8uCaMi+NDOJ2RA14NSUVKEIEqf7qUL7DjKAqZiQ0H4nsqK3G0bmHI5TknMaKPHm # h7enMy6Ms32z0UE9lATY86GqIJPKK892GtDNPRiSZj9hPYyvaJ8s08f91Qyfl3Qf # sYPpY+2+hQZaXay4DpLhIzXGC3B+AEZNzvVJvuow749jMVGnn7ejH005NWjbdHaG # TwYYMPtY/D1/B+Faf/wA3HyT27zvKi0JWFIpf/hpBX84Ma8dYXdkgv3hUtOQKw9N # zX+38oDL7IUGPvcVBKe3X0LQW1z0+A== # =FGir # -----END PGP SIGNATURE----- # gpg: Signature made Thu 04 Apr 2024 14:58:09 BST # gpg: using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" [full] # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" [full] # Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8 * tag 'block-pull-request' of https://gitlab.com/stefanha/qemu: block/virtio-blk: Fix memory leak from virtio_blk_zone_report Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-04esp.c: remove explicit setting of DRQ within ESP state machineMark Cave-Ayland
Now the esp_update_drq() is called for all reads/writes to the FIFO, there is no need to manually raise and lower the DRQ signal. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/611 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1831 Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <20240324191707.623175-18-mark.cave-ayland@ilande.co.uk> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>