Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update QEMU to v9.1.1 #90

Merged
merged 3,062 commits into from
Oct 28, 2024
Merged

Update QEMU to v9.1.1 #90

merged 3,062 commits into from
Oct 28, 2024

Conversation

rmalmain
Copy link
Collaborator

No description provided.

bonzini and others added 30 commits August 2, 2024 12:11
The vcek-disabled property of the sev-snp-guest object is misspelled
vcek-required (which I suppose would use the opposite polarity) in
the call to object_class_property_add_bool().  Fix it.

Reported-by: Zixi Chen <[email protected]>
Reviewed-by: Pankaj Gupta <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
This fixes LeakSanitizer warnings.

Signed-off-by: Akihiko Odaki <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Signed-off-by: Fabiano Rosas <[email protected]>
The QIOChannelFile object already has its reference decremented by
g_autoptr. Trying to unref an extra time causes:

ERROR:../qom/object.c:1241:object_unref: assertion failed: (obj->ref > 0)

Fixes: a701c03 ("migration: Drop reference to QIOChannel if file seeking fails")
Fixes: 6d32796 ("migration: Fix file migration with fdset")
Reported-by: Jim Fehlig <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Signed-off-by: Fabiano Rosas <[email protected]>
…on fails

When a channel fails to create, the code currently just returns. This
is wrong for two reasons:

1) Channel n+1 will not get to initialize it's semaphores, leading to
   an assert when terminate_threads tries to post to it:

 qemu-system-x86_64: ../util/qemu-thread-posix.c:92:
 qemu_mutex_lock_impl: Assertion `mutex->initialized' failed.

2) (theoretical) If channel n-1 already started creation it will
   defeat the purpose of the channels_created logic which is in place
   to avoid migrate_fd_cleanup() to run while channels are still being
   created.

   This cannot really happen today because the current failure cases
   for multifd_new_send_channel_create() are all synchronous,
   resulting from qio_channel_file_new_path() getting a bad
   filename. This would hit all channels equally.

   But I don't want to set a trap for future people, so have all
   channels try to create (even if failing), and only fail after the
   channels_created semaphore has been posted.

While here, remove the error_report_err call. There's one already at
migrate_fd_cleanup later on.

Cc: [email protected]
Reported-by: Jim Fehlig <[email protected]>
Fixes: b7b03eb ("migration/multifd: Add outgoing QIOChannelFile support")
Reviewed-by: Peter Xu <[email protected]>
Signed-off-by: Fabiano Rosas <[email protected]>
Changed val from uint64_t to a pointer to uint64_t in hvf_sysreg_read,
but didn't change its usage in hvf_sysreg_read_cp call.

Fixes: e9e6401 ("hvf: arm: Raise an exception for sysreg by default")
Reported-by: Richard Henderson <[email protected]>
Signed-off-by: Akihiko Odaki <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
…osas/qemu into staging

Migration pull request

- Akihiko Odaki's fix for a memory leak on ppc migration
- Fabiano's fix for asserts during multifd error handling

# -----BEGIN PGP SIGNATURE-----
#
# iQJEBAABCAAuFiEEqhtIsKIjJqWkw2TPx5jcdBvsMZ0FAmas698QHGZhcm9zYXNA
# c3VzZS5kZQAKCRDHmNx0G+wxnQYFEACNaJderA8VNnyAKyAFD5hCWeZnpZj3UfvO
# l/3CLKBx2WPu+IAMQ+32b8Hpy5v1r4HRkicn0FId86dnbWflqAZJ0wilnPDrzbNG
# oJ9IgDCPobdNCI1JgGVGCddOwraKKRo6/7e7TE5ME3MPV4AZRHs0LGfYPVxGD/5L
# gbV1Zun9SvMk7u/SjE0j8ZG/L3N2rA23Ns/aNfN7KFRLWBccpJ6vKs0q9v6SQnMQ
# iAAypK3d0szCBiuD8iiawPgh6K6pwA7OZ+SmtyGanK2gfNvdJ9YZArbxM3yzqUmJ
# IAYvxXO/xy/cwdGELsjr0lrUFSH15PeQlSUKQ0WEVMv3/okd88jZv7xbyAZy2u5v
# QZXmvb4QMH3wJUZ2rGG+DuZoZIiTL20PPnujxO/kvbhmXjsp4TuDJbKkwW7nvP2Y
# ISuHCBsHcskScu0TSoZ0Fj3sSBXHV5Qw0jZiP37lgjf4eXgJzkadAUh3DCuUI62O
# lqtFxFpBODdKtYfSYR+ThZXhicZx9DOxJHJBU8bXbBi3iGpVZl9O8ywgGi8wpQzh
# cAJk9GbXp/77N94sexzTUHK9ttE00VQUvl8rad+HfZUsBE9E8MsW0zzUaZ8VAH3c
# wzjg1S08rS48c5Ju5PO8iY2Oi5apxdGy9SOyEdpxs+ZE37GbwjoY1Q7C2U+jj72E
# q4/z0NKuWw==
# =1iRF
# -----END PGP SIGNATURE-----
# gpg: Signature made Sat 03 Aug 2024 12:23:27 AM AEST
# gpg:                using RSA key AA1B48B0A22326A5A4C364CFC798DC741BEC319D
# gpg:                issuer "[email protected]"
# gpg: Good signature from "Fabiano Rosas <[email protected]>" [unknown]
# gpg:                 aka "Fabiano Almeida Rosas <[email protected]>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: AA1B 48B0 A223 26A5 A4C3  64CF C798 DC74 1BEC 319D

* tag 'migration-20240802-pull-request' of https://gitlab.com/farosas/qemu:
  migration/multifd: Fix multifd_send_setup cleanup when channel creation fails
  migration: Fix cleanup of iochannel in file migration
  migration: Free removed SaveStateEntry

Signed-off-by: Richard Henderson <[email protected]>
Analyzing qemu-produced core dumps of multi-threaded apps runs into:

    (gdb) info threads
      [...]
      21   Thread 0x3ff83cc0740 (LWP 9295) warning: Couldn't find general-purpose registers in core file.
    <unavailable> in ?? ()

The reason is that all pr_pid values are the same, because the same
TaskState is used for all CPUs when generating NT_PRSTATUS notes.

Fix by using TaskStates associated with individual CPUs.

Cc: [email protected]
Fixes: 243c470 ("linux-user/elfload: Write corefile elf header in one block")
Signed-off-by: Ilya Leoshkevich <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
Move close_all_open_fds() in oslib-posix, rename it
qemu_close_all_open_fds() and export it.

Signed-off-by: Clément Léger <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
In order to make it cleaner, split qemu_close_all_open_fd() logic into
multiple subfunctions (close with close_range(), with /proc/self/fd and
fallback).

Signed-off-by: Clément Léger <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
The same code is used twice to actually close all open file descriptors
after forking. Factorize it in a single place.

Signed-off-by: Clément Léger <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
In order for this function to be usable by tap.c code, add a list of
file descriptors that should not be closed.

Signed-off-by: Clément Léger <[email protected]>
Message-ID: <[email protected]>
[rth: Use max_fd in qemu_close_all_open_fd_close_range]
Signed-off-by: Richard Henderson <[email protected]>
Instead of using a slow implementation to close all open fd after
forking, use qemu_close_all_open_fd().

Signed-off-by: Clément Léger <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
…o staging

linux-user/elfload: Fix pr_pid values in core files
util: Add qemu_close_all_open_fd
net/tap: Use qemu_close_all_open_fd

# -----BEGIN PGP SIGNATURE-----
#
# iQFRBAABCgA7FiEEekgeeIaLTbaoWgXAZN846K9+IV8FAmawHSsdHHJpY2hhcmQu
# aGVuZGVyc29uQGxpbmFyby5vcmcACgkQZN846K9+IV8mhQgAlNjO1eeeQmgJvKpk
# BwXx7NnXi9d8UZCA5EASK9SQVJC3eYIlMayX9byPmZZ6XJaOBRzgIzm612HkKLYn
# yIqmLb0UhUTT+VKW7Kob/wGslB/PJWSKQ3dvZFaaLMfB6L3BtpwUAFFU5hwkODU/
# TS4qici1W+eW7hInNSH5dgA68UGPcfDBEo4ITW91DbTSZRNz9RP4b2Ak+Wgv30Ux
# 2yEVsP6rBqBSxglbafcywWbYs5sX3EvSUJo4mVm8Ku4zriAf87Y9Da3irpZ4WYgi
# 02f+/GGAv9kiGbf9jPrQTD0O8tmp4Z6JMWxEOfMsCj+KCT2fHSSqcBHTU3RN0guB
# uaxx6w==
# =U5cs
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 05 Aug 2024 10:30:35 AM AEST
# gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg:                issuer "[email protected]"
# gpg: Good signature from "Richard Henderson <[email protected]>" [ultimate]

* tag 'pull-misc-20240805' of https://gitlab.com/rth7680/qemu:
  net/tap: Use qemu_close_all_open_fd()
  qemu/osdep: Add excluded fd parameter to qemu_close_all_open_fd()
  net/tap: Factorize fd closing after forking
  qemu/osdep: Split qemu_close_all_open_fd() and add fallback
  qemu/osdep: Move close_all_open_fds() to oslib-posix
  linux-user/elfload: Fix pr_pid values in core files

Signed-off-by: Richard Henderson <[email protected]>
Sweep the entire documentation again.  Last done in commit
209e64d (qapi: Refill doc comments to conform to current
conventions).

To check the generated documentation does not change, I compared the
generated HTML before and after this commit with "wdiff -3".  Finds no
differences.  Comparing with diff is not useful, as the reflown
paragraphs are visible there.

Signed-off-by: Markus Armbruster <[email protected]>
Message-ID: <[email protected]>
[Straightforward conflict with commit 442110b resolved]
Fixes higher-half address parsing for QMP commands
`[p]memsave`.

Signed-off-by: Josh Junon <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: Markus Armbruster <[email protected]>
[Subject tweaked, and one PRId64 updated to PRIu64]
Signed-off-by: Markus Armbruster <[email protected]>
With normal SIB, index == 4 indicates no index.
With VSIB, there is no exception for VR4/VR12.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2474
Signed-off-by: Richard Henderson <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: [email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
…to staging

QAPI patches patches for 2024-08-05

# -----BEGIN PGP SIGNATURE-----
#
# iQJGBAABCAAwFiEENUvIs9frKmtoZ05fOHC0AOuRhlMFAmawhYUSHGFybWJydUBy
# ZWRoYXQuY29tAAoJEDhwtADrkYZT5j4P/i9dh0Y8sS5qJqvEZzKWFlIkXWjYpUFW
# FThfHyz5J2MilabQUeTxF0yhM40pciGu9ULXqwhzKNAXoAZwfH4VhSkT1E01pwDE
# 9RRCOvtRHM5YDExMUn+8vfsHfpTBcfqB6EAO6eteIQ+2dMsDv2wtsrWLx3uXMjHn
# 5VfxdKPVmQndcnrQDEAm8WhUpS9qVyJz5SqXuZ2Ku14X+EWyUc5ZGFEawgN63iIG
# fDqP5AwsHBPXUGtldlrbubrvBJVgNzAMwL/vizZR04L/30q6V/3ThyqaOyVuKibQ
# r1B2hebow00+Ie2nZRz1awCapnpuefk1Ll6KMHI5MD4kfmZiXBDhPeh2RnnyCBaK
# RudigAFff2kho7Z814JSJccGKBczkniXiDRb+rOeTBbE+wWEAfrlhf7YFlwqqQv7
# 4ZfeMdv3B5bIq8RUTRUbzlf/BTx3Lao9koa/c6x/x42Gwhwc2Z8F9nuQLPfxPMC/
# MbL8+dDGNF0NiZdLUbSVATLNC5zXxkAVy2D1O8GjZfQSmHK6SeyJGEyUjrEY6AxA
# FiaJ4PduCAi+aieV7bpx0tkKVKs7hHkwbIDJcPw38GwAgXc0/tuLxAornTQ4il7y
# MIUysqtEoFryFzt7Uf510vG7URzFhHpJNsMAXeHErK53Fw1+VDpXQ7ImK56Huzy2
# lH6IAh+582Sq
# =D9S5
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 05 Aug 2024 05:55:49 PM AEST
# gpg:                using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653
# gpg:                issuer "[email protected]"
# gpg: Good signature from "Markus Armbruster <[email protected]>" [full]
# gpg:                 aka "Markus Armbruster <[email protected]>" [full]

* tag 'pull-qapi-2024-08-05' of https://repo.or.cz/qemu/armbru:
  qmp: Fix higher half vaddrs for [p]memsave
  qapi: Refill doc comments to conform to conventions

Signed-off-by: Richard Henderson <[email protected]>
* target/i386: SEV: fix incorrect property name
* target/i386: tcg: fix VSIB decode with XMM/YMM{4,12}

# -----BEGIN PGP SIGNATURE-----
#
# iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmawwjoUHHBib256aW5p
# QHJlZGhhdC5jb20ACgkQv/vSX3jHroO+kgf/SIOaF14Ozw6w33zddDiuK969ouNR
# 00hC17p0acVl3KwmbXBJp2CXtc4TcZwLEg6y2KrActEVg2CaFFjGx9wJUnTGOL/D
# 3Nhp3ipsExv+rFQuQvV9k/BeAVG0G9YoTZtQJVQvLPL/LYJ76h2JlVamjr9rsuKy
# hsVeHX6Xl6ad6mtM1hSFBonJzfGK08rKQPTnALfB0raFLmSHWleg9Xzs0r1YiuO2
# SsGVr0NF369pZA2U0Y/tcw0RIRIikXfVYTX5+o9H6RzEqbqaOh3j9upLYSWym6LN
# cedTxjNFJdxZReR/VE1kAys3s2pE8k+yiQIBGzfwo4fN6hukJZGCtwrVmw==
# =2tkB
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 05 Aug 2024 10:14:50 PM AEST
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "[email protected]"
# gpg: Good signature from "Paolo Bonzini <[email protected]>" [full]
# gpg:                 aka "Paolo Bonzini <[email protected]>" [full]

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
  target/i386: Fix VSIB decode
  target/i386: SEV: fix mismatch in vcek-disabled property name

Signed-off-by: Richard Henderson <[email protected]>
Compressed encodings also applies to zama16b.
riscv/riscv-isa-manual#1557

Suggested-by: Alistair Francis <[email protected]>
Signed-off-by: LIU Zhiwei <[email protected]>
Reviewed-by: Alistair Francis <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
Zama16b loads and stores of no more than MXLEN bits defined in the F, D, and Q
extensions.

Signed-off-by: LIU Zhiwei <[email protected]>
Reviewed-by: Alistair Francis <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
According to the risc-v specification:
"FLD and FSD are only guaranteed to execute atomically if the effective
address is naturally aligned and XLEN≥64."

We currently implement fld as MO_ATOM_IFALIGN when XLEN < 64, which does
not violate the rules. But it will hide some problems. So relax it to
MO_ATOM_NONE.

Signed-off-by: LIU Zhiwei <[email protected]>
Reviewed-by: Alistair Francis <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
Coverity complained about the possible out-of-bounds access with
counter_virt/counter_virt_prev because these two arrays are
accessed with privilege mode. However, these two arrays are accessed
only when virt is enabled. Thus, the privilege mode can't be M mode.

Add the asserts anyways to detect any wrong usage of these arrays
in the future.

Suggested-by: Peter Maydell <[email protected]>
Signed-off-by: Atish Patra <[email protected]>
Fixes: Coverity CID 1558459
Fixes: Coverity CID 1558462
Reviewed-by: Alistair Francis <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
A new minor version of OpenSBI was just released after our bump to
OpenSBI 1.5. It contains significant bug fixes that it's worth doing
a new update for QEMU 9.1.

Submodule roms/opensbi 455de672dd..43cace6c36:
  > lib: sbi: check result of pmp_get() in is_pmp_entry_mapped()
  > lib: sbi: fwft: fix incorrect size passed to sbi_zalloc()
  > lib: sbi: dbtr: fix potential NULL pointer dereferences
  > include: Adjust Sscofpmf mhpmevent mask for upper 8 bits
  > lib: sbi_hsm: Save/restore menvcfg only when it exists

Signed-off-by: Daniel Henrique Barboza <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: Alistair Francis <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
…tair23/qemu into staging

RISC-V PR for 9.1

* roms/opensbi: update to v1.5.1
* target/riscv: Add asserts for out-of-bound access
* Remove redundant insn length check for zama16b

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEaukCtqfKh31tZZKWr3yVEwxTgBMFAmaxwTwACgkQr3yVEwxT
# gBOpoQ/9EoGHvGZtd3Zio/51G+tiNok/H+LJGZxGOPl5xc12efhJk15nN/JwVCFp
# zETriTjQ8UUlx+/xvpoQhQbfNm+MtCSl+xyNcPsjAgE6le8MTn38zjroGhUI0JEB
# AuIp9FfwRx4z7nEpuzO8cYdl2Suw5Nh8gi/+0SSrX1vXLY44Ma7UZdM8BjvkGbZp
# TWSqetj236bMoBqSHIk4OddVFbAPlnCQZRo6fwslsjzV6y12PVQw/FgVKKmN7J9k
# qtBoGSuqwFgMnXgxvJXqFmOQYAipgLONRRBaQEj/sGf09UTR/MppMz8CKilAPAYy
# 9+UT0/5t+GUUpmbBN2ijWJEgYC9Ev4USIzfGe03XJSWA8uDEyTpJbnbGKDKotfrC
# /qmx2y4Lb4I/3AkJiKgHW32fNeTMURQvzs+ws8frwebWAmH8zwBVbj0EbbceH5M/
# SavAuDivbU4MLdSNKpp5yvB/pkREzCE7pwbjOr0skSLrCiT/S+t9tryt7p+iHxQl
# 1xhMbOYFPcbxq7mJvLurtkzn8fl4o1j93tBcq1BcBvRE5O3Odn5VJpje29BYPDpk
# AG82CEeUJ2N+ZVzcV/rYhJaz8WZ7ck+I/j9cK1UtMsp57zmm2awp+mMwyShpAmP3
# MPMHwROJrue9V3z4qdaimNfpaB0p9NCOl9A95J70A/59Q2vO32k=
# =bjWM
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 06 Aug 2024 04:22:52 PM AEST
# gpg:                using RSA key 6AE902B6A7CA877D6D659296AF7C95130C538013
# gpg: Good signature from "Alistair Francis <[email protected]>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6AE9 02B6 A7CA 877D 6D65  9296 AF7C 9513 0C53 8013

* tag 'pull-riscv-to-apply-20240806-2' of https://github.com/alistair23/qemu:
  roms/opensbi: Update to v1.5.1
  target/riscv: Add asserts for out-of-bound access
  target/riscv: Relax fld alignment requirement
  target/riscv: Add MXLEN check for F/D/Q applies to zama16b
  target/riscv: Remove redundant insn length check for zama16b

Signed-off-by: Richard Henderson <[email protected]>
We'll have to add LoongsonIPIClass in few commits,
so rename LoongsonIPI as LoongsonIPIState for clarity.

Signed-off-by: Bibo Mao <[email protected]>
[PMD: Extracted from bigger commit, added commit description]
Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Bibo Mao <[email protected]>
Tested-by: Bibo Mao <[email protected]>
Acked-by: Song Gao <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Reviewed-by: Jiaxun Yang <[email protected]>
Tested-by: Jiaxun Yang <[email protected]>
Message-Id: <[email protected]>
In preparation to extract common IPI code in few commits,
extract loongson_ipi_common_realize().

Signed-off-by: Bibo Mao <[email protected]>
[PMD: Extracted from bigger commit, added commit description]
Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Bibo Mao <[email protected]>
Tested-by: Bibo Mao <[email protected]>
Acked-by: Song Gao <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Reviewed-by: Jiaxun Yang <[email protected]>
Tested-by: Jiaxun Yang <[email protected]>
Message-Id: <[email protected]>
Introduce LOONGSON_IPI_COMMON stubs, QDev parent of LOONGSON_IPI.

Signed-off-by: Bibo Mao <[email protected]>
[PMD: Extracted from bigger commit, added commit description]
Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Bibo Mao <[email protected]>
Tested-by: Bibo Mao <[email protected]>
Acked-by: Song Gao <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Reviewed-by: Jiaxun Yang <[email protected]>
Tested-by: Jiaxun Yang <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Bibo Mao <[email protected]>
[PMD: Extracted from bigger commit, added commit description]
Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Bibo Mao <[email protected]>
Tested-by: Bibo Mao <[email protected]>
Acked-by: Song Gao <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Reviewed-by: Jiaxun Yang <[email protected]>
Tested-by: Jiaxun Yang <[email protected]>
Message-Id: <[email protected]>
It is easier to manage one array of MMIO MR rather
than one per vCPU.

Signed-off-by: Bibo Mao <[email protected]>
[PMD: Extracted from bigger commit, added commit description]
Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Bibo Mao <[email protected]>
Tested-by: Bibo Mao <[email protected]>
Acked-by: Song Gao <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Reviewed-by: Jiaxun Yang <[email protected]>
Tested-by: Jiaxun Yang <[email protected]>
Message-Id: <[email protected]>
Move the IPICore structure and corresponding common fields
of LoongsonIPICommonState to "hw/intc/loongson_ipi_common.h".

Signed-off-by: Bibo Mao <[email protected]>
[PMD: Extracted from bigger commit, added commit description]
Co-Developed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Bibo Mao <[email protected]>
Tested-by: Bibo Mao <[email protected]>
Acked-by: Song Gao <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Reviewed-by: Jiaxun Yang <[email protected]>
Tested-by: Jiaxun Yang <[email protected]>
Message-Id: <[email protected]>
foxmox and others added 26 commits October 1, 2024 19:21
Allow overlapping request by removing the assert that made it
impossible. There are only two callers:

1. block_copy_task_create()

It already asserts the very same condition before calling
reqlist_init_req().

2. cbw_snapshot_read_lock()

There is no need to have read requests be non-overlapping in
copy-before-write when used for snapshot-access. In fact, there was no
protection against two callers of cbw_snapshot_read_lock() calling
reqlist_init_req() with overlapping ranges and this could lead to an
assertion failure [1].

In particular, with the reproducer script below [0], two
cbw_co_snapshot_block_status() callers could race, with the second
calling reqlist_init_req() before the first one finishes and removes
its conflicting request.

[0]:

> #!/bin/bash -e
> dd if=/dev/urandom of=/tmp/disk.raw bs=1M count=1024
> ./qemu-img create /tmp/fleecing.raw -f raw 1G
> (
> ./qemu-system-x86_64 --qmp stdio \
> --blockdev raw,node-name=node0,file.driver=file,file.filename=/tmp/disk.raw \
> --blockdev raw,node-name=node1,file.driver=file,file.filename=/tmp/fleecing.raw \
> <<EOF
> {"execute": "qmp_capabilities"}
> {"execute": "blockdev-add", "arguments": { "driver": "copy-before-write", "file": "node0", "target": "node1", "node-name": "node3" } }
> {"execute": "blockdev-add", "arguments": { "driver": "snapshot-access", "file": "node3", "node-name": "snap0" } }
> {"execute": "nbd-server-start", "arguments": {"addr": { "type": "unix", "data": { "path": "/tmp/nbd.socket" } } } }
> {"execute": "block-export-add", "arguments": {"id": "exp0", "node-name": "snap0", "type": "nbd", "name": "exp0"}}
> EOF
> ) &
> sleep 5
> while true; do
> ./qemu-nbd -d /dev/nbd0
> ./qemu-nbd -c /dev/nbd0 nbd:unix:/tmp/nbd.socket:exportname=exp0 -f raw -r
> nbdinfo --map 'nbd+unix:///exp0?socket=/tmp/nbd.socket'
> done

[1]:

> #5  0x000071e5f0088eb2 in __GI___assert_fail (...) at ./assert/assert.c:101
> #6  0x0000615285438017 in reqlist_init_req (...) at ../block/reqlist.c:23
> #7  0x00006152853e2d98 in cbw_snapshot_read_lock (...) at ../block/copy-before-write.c:237
> #8  0x00006152853e3068 in cbw_co_snapshot_block_status (...) at ../block/copy-before-write.c:304
> #9  0x00006152853f4d22 in bdrv_co_snapshot_block_status (...) at ../block/io.c:3726
> #10 0x000061528543a63e in snapshot_access_co_block_status (...) at ../block/snapshot-access.c:48
> #11 0x00006152853f1a0a in bdrv_co_do_block_status (...) at ../block/io.c:2474
> #12 0x00006152853f2016 in bdrv_co_common_block_status_above (...) at ../block/io.c:2652
> #13 0x00006152853f22cf in bdrv_co_block_status_above (...) at ../block/io.c:2732
> #14 0x00006152853d9a86 in blk_co_block_status_above (...) at ../block/block-backend.c:1473
> #15 0x000061528538da6c in blockstatus_to_extents (...) at ../nbd/server.c:2374
> #16 0x000061528538deb1 in nbd_co_send_block_status (...) at ../nbd/server.c:2481
> #17 0x000061528538f424 in nbd_handle_request (...) at ../nbd/server.c:2978
> #18 0x000061528538f906 in nbd_trip (...) at ../nbd/server.c:3121
> #19 0x00006152855a7caf in coroutine_trampoline (...) at ../util/coroutine-ucontext.c:175

Cc: [email protected]
Suggested-by: Vladimir Sementsov-Ogievskiy <[email protected]>
Signed-off-by: Fiona Ebner <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Vladimir Sementsov-Ogievskiy <[email protected]>
Signed-off-by: Vladimir Sementsov-Ogievskiy <[email protected]>
(cherry picked from commit 6475155d519209c80fdda53e05130365aa769838)
Signed-off-by: Michael Tokarev <[email protected]>
target_ulong is typedef'ed as a 32-bit integer when building the
qemu-system-arm target, and this is smaller than the size of an
intermediate physical address when LPAE is being used.

Given that Linux may place leaf level user page tables in high memory
when built for LPAE, the kernel will crash with an external abort as
soon as it enters user space when running with more than ~3 GiB of
system RAM.

So replace target_ulong with vaddr in places where it may carry an
address value that is not representable in 32 bits.

Fixes: f3639a6 ("target/arm: Use softmmu tlbs for page table walking")
Cc: [email protected]
Reported-by: Arnd Bergmann <[email protected]>
Tested-by: Arnd Bergmann <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Ard Biesheuvel <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 67d762e716a7127ecc114e9708254316dd521911)
Signed-off-by: Michael Tokarev <[email protected]>
The enable bits in the EXT_CSD_PART_CONFIG ext_csd register do *not*
specify whether the boot partitions exist, but whether they are enabled
for booting. Existence of the boot partitions is specified by a
EXT_CSD_BOOT_MULT != 0.

Currently, in the case of boot-partition-size=1M and boot-config=0,
Linux detects boot partitions of 1M. But as sd_bootpart_offset always
returns 0, all reads/writes are mapped to the same offset in the backing
file.

Fix this bug by calculating the offset independent of which partition is
enabled for booting.

This bug is unlikely to affect many users with QEMU's current set of
boards, because only aspeed sets boot-partition-size, and it also
sets boot-config to 8. So to run into this a user would have to
manually mark the boot partition non-booting from within the guest.

Cc: [email protected]
Signed-off-by: Jan Luebbe <[email protected]>
Message-id: [email protected]
Reviewed-by: Peter Maydell <[email protected]>
[PMM: added note to commit message about effects of bug]
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 9601076b3b0bced7ed597d1470e3ff2f4e7177d6)
Signed-off-by: Michael Tokarev <[email protected]>
The mips64el cross setup is very broken for bullseye which has now
entered LTS support so is unlikely to be fixed. While we still can't
build the container with all packages for bookworm due to a single
missing dependency that will hopefully get fixed in due course. For
the sake of keeping the CI green we disable the problematic packages
via the lcitool's mappings.yml file.

See also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081535

Signed-off-by: Alex Bennée <[email protected]>
[thuth: Disable the problematic packages via lcitool's mappings.yml]
Message-ID: <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
(cherry picked from commit c60473d29254b79d9437eface8b342e84663ba66)
Signed-off-by: Michael Tokarev <[email protected]>
Since commit e99441a ("ui/curses: Do not use console_select()")
qemu_text_console_put_keysym() no longer checks for NULL console
argument, which leads to a later crash:

Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x00005555559ee186 in qemu_text_console_handle_keysym (s=0x0, keysym=31) at ../ui/console-vc.c:332
332	        } else if (s->echo && (keysym == '\r' || keysym == '\n')) {
(gdb) bt
 #0  0x00005555559ee186 in qemu_text_console_handle_keysym (s=0x0, keysym=31) at ../ui/console-vc.c:332
 #1  0x00005555559e18e5 in qemu_text_console_put_keysym (s=<optimized out>, keysym=<optimized out>) at ../ui/console.c:303
 #2  0x00005555559f2e88 in do_key_event (vs=vs@entry=0x5555579045c0, down=down@entry=1, keycode=keycode@entry=60, sym=sym@entry=65471) at ../ui/vnc.c:2034
 #3  0x00005555559f845c in ext_key_event (vs=0x5555579045c0, down=1, sym=65471, keycode=<optimized out>) at ../ui/vnc.c:2070
 #4  protocol_client_msg (vs=0x5555579045c0, data=<optimized out>, len=<optimized out>) at ../ui/vnc.c:2514
 #5  0x00005555559f515c in vnc_client_read (vs=0x5555579045c0) at ../ui/vnc.c:1607

Fixes: e99441a ("ui/curses: Do not use console_select()")
Fixes: https://issues.redhat.com/browse/RHEL-50529
Cc: [email protected]
Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
Signed-off-by: Michael Tokarev <[email protected]>
(cherry picked from commit 0e60fc80938d9ce84274a36ddfaaa640bdef2be8)
Signed-off-by: Michael Tokarev <[email protected]>
load_flt_binary() calls load_flat_file() -> page_set_flags().

page_set_flags() must be called with the mmap_lock held,
otherwise it aborts:

  $ qemu-arm -L stm32/lib/ stm32/bin/busybox
  qemu-arm: ../accel/tcg/user-exec.c:505: page_set_flags: Assertion `have_mmap_lock()' failed.
  Aborted (core dumped)

Fix by taking the lock in load_flt_binary().

Fixes: fbd3c4c ("linux-user/arm: Mark the commpage executable")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2525
Suggested-by: Richard Henderson <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit a9ee641bd46f5462eeed183ac3c3760bddfc2600)
Signed-off-by: Michael Tokarev <[email protected]>
Comparing a string of 4 bytes only works in little-endian.

Adjust bulk bswap to only apply to the note payload.
Perform swapping of the note header manually; the magic
is defined so that it does not need a runtime swap.

Fixes: 83f990e ("linux-user/elfload: Parse NT_GNU_PROPERTY_TYPE_0 notes")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2596
Signed-off-by: Richard Henderson <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
(cherry picked from commit 2884596f5f385b5712c356310dd4125a089888a8)
Signed-off-by: Michael Tokarev <[email protected]>
In the fallback when STDBRX is not available, avoid clobbering
TCG_REG_TMP1, which might be h.base, which is still in use.
Use TCG_REG_TMP2 instead.

Cc: [email protected]
Fixes: 01a112e ("tcg/ppc: Reorg tcg_out_tlb_read")
Signed-off-by: Richard Henderson <[email protected]>
Tested-By: Michael Tokarev <[email protected]>
(cherry picked from commit 4cabcb89b101942346aebff081aa1453e958fe7f)
Signed-off-by: Michael Tokarev <[email protected]>
In tcg_out_qemu_ldst_i128, we need a non-zero index register,
which we then use as a base register in several address modes.
Since we always have TCG_REG_TMP2 available, use that.

Cc: [email protected]
Fixes: 526cd4e ("tcg/ppc: Support 128-bit load/store")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2597
Signed-off-by: Richard Henderson <[email protected]>
Tested-By: Michael Tokarev <[email protected]>
(cherry picked from commit 3213da7b9539581c6df95f8ced5b09d0b02d425f)
Signed-off-by: Michael Tokarev <[email protected]>
Returning a raw areg does not preserve the value if the areg
is subsequently modified.  Fixes, e.g. "jsr (sp)", where the
return address is pushed before the branch.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2483
Signed-off-by: Richard Henderson <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit 352cc9f300d83ea48b8154bfd2ff985fece887d0)
Signed-off-by: Michael Tokarev <[email protected]>
s/mbmi1/mbmi/

When configuring with -Dx86_version >= 3, meson step works, but
compilation fails because option -mbmi1 is unknown.

Signed-off-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Tested-by: Alex Bennée <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: [email protected]
Fixes: ef7d1ad ("meson: allow configuring the x86-64 baseline", 2024-06-28)
Revieved-by: Michael Tokarev <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 461a9252e249adab5f0bae3b9634be77dd5be17e)
Signed-off-by: Michael Tokarev <[email protected]>
Create a separate variable for compiler flags that enable
specific instruction set extensions, so that they can be used with
cc.compiles/cc.links.

Note that -mfpmath=sse is a code generation option but it does not
enable new instructions, therefore I did not make it part of
qemu_isa_flags.

Suggested-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Tested-by: Alex Bennée <[email protected]>
Cc: [email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 6ae8c5382b2396d394e135c2c6d3742d11c6d0c2)
Signed-off-by: Michael Tokarev <[email protected]>
Moving -mcx16 out of CPU_CFLAGS caused the detection of ATOMIC128 to
fail, because flags have to be specified by hand in cc.compiles and
cc.links invocations (why oh why??).

Ensure that these tests enable all the instruction set extensions that
will be used to build the emulators.

Fixes: c2bf2cc ("configure: move -mcx16 flag out of CPU_CFLAGS", 2024-05-24)
Reported-by: Alex Bennée <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Tested-by: Alex Bennée <[email protected]>
Cc: [email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 8db4e0f92e83fd80b6609439440b303ddded7ad8)
Signed-off-by: Michael Tokarev <[email protected]>
The result of 1 << regbit with regbit==31 has a 1 in the 32nd bit.
When cast to uint64_t (for further bitwise OR), the 32 most
significant bits will be filled with 1s. However, the documentation
states that the upper 32 bits of ICH_AP[0/1]R<n>_EL2 are reserved.

Add an explicit cast to match the documentation.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Cc: [email protected]
Fixes: d2c0c6a ("hw/intc/arm_gicv3: Handle icv_nmiar1_read() for icc_nmiar1_read()")
Signed-off-by: Alexandra Diupina <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit e0c0ea6eca4f210a52b9742817586cc97b1ee434)
Signed-off-by: Michael Tokarev <[email protected]>
The result of 1 << regbit with regbit==31 has a 1 in the 32nd bit.
When cast to uint64_t (for further bitwise OR), the 32 most
significant bits will be filled with 1s. However, the documentation
states that the upper 32 bits of ICC_AP[0/1]R<n>_EL2 are reserved.

Add an explicit cast to match the documentation.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Cc: [email protected]
Fixes: 28cca59 ("hw/intc/arm_gicv3: Add NMI handling CPU interface registers")
Signed-off-by: Alexandra Diupina <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 12dc8f6eca1ead876142fd3d6731cf3da1295f2a)
Signed-off-by: Michael Tokarev <[email protected]>
The result of 1 << regbit with regbit==31 has a 1 in the 32nd bit.
When cast to uint64_t (for further bitwise OR), the 32 most
significant bits will be filled with 1s. However, the documentation
states that the upper 32 bits of ICH_AP[0/1]R<n>_EL2 are reserved.

Add an explicit cast to match the documentation.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Cc: [email protected]
Fixes: c3f21b0 ("hw/intc/arm_gicv3_cpuif: Support vLPIs")
Signed-off-by: Alexandra Diupina <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 3db74afec3ca87f81fbdf5918ed1e21d837fbfab)
Signed-off-by: Michael Tokarev <[email protected]>
In commit b88cfee we defined masks for the IBRD and FBRD
integer and fractional baud rate divider registers, to prevent the
guest from writing invalid values which could cause division-by-zero.
Unfortunately we got the mask values the wrong way around: the FBRD
register is six bits and the IBRD register is 16 bits, not
vice-versa.

You would only run into this bug if you programmed the UART to a baud
rate of less than 9600, because for 9600 baud and above the IBRD
value will fit into 6 bits, as per the table in
 https://developer.arm.com/documentation/ddi0183/g/programmers-model/register-descriptions/fractional-baud-rate-register--uartfbrd

The only visible effects would be that the value read back from
the register by the guest would be truncated, and we would
print an incorrect baud rate in the debug logs.

Cc: [email protected]
Fixes: b88cfee ("hw/char/pl011: Avoid division-by-zero in pl011_get_baudrate()")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2610
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Gavin Shan <[email protected]>
Message-id: [email protected]
(cherry picked from commit cd247eae16ab1b9ce97fd34c000c1b883feeda45)
Signed-off-by: Michael Tokarev <[email protected]>
Fixes: 280c1e1 ("audio/hda: create millisecond timers that handle IO")

Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit f27206ceedbe2efae37c8d143c5eb2db05251508)
Signed-off-by: Michael Tokarev <[email protected]>
When SET_STREAM_FORMAT is called, we should clear the existing setup.

Factor out common function to close a stream.

Direct leak of 144 byte(s) in 3 object(s) allocated from:
    #0 0x7f91d38f7350 in calloc (/lib64/libasan.so.8+0xf7350) (BuildId: a4ad7eb954b390cf00f07fa10952988a41d9fc7a)
    #1 0x7f91d2ab7871 in g_malloc0 (/lib64/libglib-2.0.so.0+0x64871) (BuildId: 36b60dbd02e796145a982d0151ce37202ec05649)
    #2 0x562fa2f447ee in timer_new_full /home/elmarco/src/qemu/include/qemu/timer.h:538
    #3 0x562fa2f4486f in timer_new /home/elmarco/src/qemu/include/qemu/timer.h:559
    #4 0x562fa2f448a9 in timer_new_ns /home/elmarco/src/qemu/include/qemu/timer.h:577
    #5 0x562fa2f47955 in hda_audio_setup ../hw/audio/hda-codec.c:490
    #6 0x562fa2f4897e in hda_audio_command ../hw/audio/hda-codec.c:605

Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit 6d6e23361fc732e4fe36a8bc5873b85f264ed53a)
Signed-off-by: Michael Tokarev <[email protected]>
A filter function that wants to drop a message should return NULL, in
which case it must also unref the message itself.

Fixes: fa88b85 ("ui/dbus: filter out pending messages when scanout")

Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit 244d52ff736fefc3dd364ed091720aa896af306d)
Signed-off-by: Michael Tokarev <[email protected]>
DisplaySurface may be free before the pixman image is freed, since the
image is refcounted and used by different objects, including pending
dbus messages.

Furthermore, setting the destroy function in
create_displaysurface_from() isn't appropriate, as it may not be used,
and may be overriden as in ramfb.

Set the destroy function when the shared handle is set, use the HANDLE
directly for destroy data, using a single common helper
qemu_pixman_win32_image_destroy().

Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit 330ef31deb2e5461cff907488b710f5bd9cd2327)
Signed-off-by: Michael Tokarev <[email protected]>
Filtering pending messages when a new scanout is given shouldn't discard
pending cursor changes, for example.

Since filtering happens in a different thread, use atomic set/get.

Fixes: fa88b85 ("ui/dbus: filter out pending messages when scanout")

Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit cf59889781297a5618f1735a5f31402caa806b42)
Signed-off-by: Michael Tokarev <[email protected]>
Signed-off-by: Michael Tokarev <[email protected]>
@rmalmain rmalmain changed the title Update qemu to v9.1.1 Update QEMU to v9.1.1 Oct 26, 2024
@rmalmain rmalmain merged commit 6bc81c2 into main Oct 28, 2024
2 checks passed
@rmalmain rmalmain deleted the update_qemu_v9_1_1 branch October 28, 2024 16:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.