Re: [PATCH v8 15/15] hw/vmapple/vmapple: Add vmapple machine type

2024-11-09 Thread Akihiko Odaki
On 2024/11/08 23:47, Phil Dennis-Jordan wrote: From: Alexander Graf Apple defines a new "vmapple" machine type as part of its proprietary macOS Virtualization.Framework vmm. This machine type is similar to the virt one, but with subtle differences in base devices, a few special vmapple device a

Re: [PATCH v8 12/15] hw/vmapple/cfg: Introduce vmapple cfg region

2024-11-09 Thread Akihiko Odaki
On 2024/11/08 23:47, Phil Dennis-Jordan wrote: From: Alexander Graf Instead of device tree or other more standardized means, VMApple passes platform configuration to the first stage boot loader in a binary encoded format that resides at a dedicated RAM region in physical address space. This pa

Re: [PATCH v8 01/15] ui & main loop: Redesign of system-specific main thread event handling

2024-11-09 Thread Akihiko Odaki
On 2024/11/10 16:08, Phil Dennis-Jordan wrote: On Sun 10. Nov 2024 at 08:01, Akihiko Odaki wrote: On 2024/11/08 23:46, Phil Dennis-Jordan wrote: > macOS's Cocoa event handling must be done on the initial (main) thread > of the process. Furt

Re: [PATCH v8 01/15] ui & main loop: Redesign of system-specific main thread event handling

2024-11-09 Thread Phil Dennis-Jordan
On Sun 10. Nov 2024 at 08:01, Akihiko Odaki wrote: > On 2024/11/08 23:46, Phil Dennis-Jordan wrote: > > macOS's Cocoa event handling must be done on the initial (main) thread > > of the process. Furthermore, if library or application code uses > > libdispatch, the main dispatch queue must be hand

Re: [PATCH v8 11/15] hw/vmapple/bdif: Introduce vmapple backdoor interface

2024-11-09 Thread Akihiko Odaki
On 2024/11/08 23:47, Phil Dennis-Jordan wrote: From: Alexander Graf The VMApple machine exposes AUX and ROOT block devices (as well as USB OTG emulation) via virtio-pci as well as a special, simple backdoor platform device. This patch implements this backdoor platform device to the best of my

Re: [PATCH v8 10/15] hw/vmapple/aes: Introduce aes engine

2024-11-09 Thread Akihiko Odaki
On 2024/11/08 23:47, Phil Dennis-Jordan wrote: From: Alexander Graf VMApple contains an "aes" engine device that it uses to encrypt and decrypt its nvram. It has trivial hard coded keys it uses for that purpose. Add device emulation for this device model. Signed-off-by: Alexander Graf Signed

Re: [PATCH v8 01/15] ui & main loop: Redesign of system-specific main thread event handling

2024-11-09 Thread Akihiko Odaki
On 2024/11/08 23:46, Phil Dennis-Jordan wrote: macOS's Cocoa event handling must be done on the initial (main) thread of the process. Furthermore, if library or application code uses libdispatch, the main dispatch queue must be handling events on the main thread as well. So far, this has affecte

Re: [PATCH v8 04/15] hw/display/apple-gfx: Adds configurable mode list

2024-11-09 Thread Akihiko Odaki
On 2024/11/08 23:46, Phil Dennis-Jordan wrote: This change adds a property 'display_modes' on the graphics device which permits specifying a list of display modes. (screen resolution and refresh rate) The property is an array of a custom type to make the syntax slightly less awkward to use, for

Re: [PATCH v8 03/15] hw/display/apple-gfx: Adds PCI implementation

2024-11-09 Thread Akihiko Odaki
On 2024/11/08 23:46, Phil Dennis-Jordan wrote: This change wires up the PCI variant of the paravirtualised graphics device, mainly useful for x86-64 macOS guests, implemented by macOS's ParavirtualizedGraphics.framework. It builds on code shared with the vmapple/mmio variant of the PVG device. S

Re: [PATCH v8 02/15] hw/display/apple-gfx: Introduce ParavirtualizedGraphics.Framework support

2024-11-09 Thread Akihiko Odaki
On 2024/11/08 23:46, Phil Dennis-Jordan wrote: MacOS provides a framework (library) that allows any vmm to implement a paravirtualized 3d graphics passthrough to the host metal stack called ParavirtualizedGraphics.Framework (PVG). The library abstracts away almost every aspect of the paravirtuali

[PATCH 2/2] hw/usb: Add TI TUSB73X0 XHCI controller model

2024-11-09 Thread Nicholas Piggin
This controller is accepted by IBM Power firmware when the subsystem IDs are set to Power servers. Firmware is picky about device support so the NEC driver does not work. The TI HW has some interesting differences from NEC, notably a separate BAR for MSIX, and PM capabilities. The spec is freely a

[PATCH 1/2] hw/usb: Make PCI device more configurable

2024-11-09 Thread Nicholas Piggin
To prepare to support another USB PCI Host Controller, make some PCI configuration dynamic. Signed-off-by: Nicholas Piggin --- hw/usb/hcd-xhci-pci.h | 9 ++ hw/usb/hcd-xhci-nec.c | 10 +++ hw/usb/hcd-xhci-pci.c | 69 --- 3 files changed, 78 insert

[PATCH 0/2] hw/usb: Add TI TUSB73X0 XHCI controller model

2024-11-09 Thread Nicholas Piggin
Hi, This adds a new USB XHCI model. The biggest change is really making some XHCI PCI config dynamic and the MSIX init has some changes to support a separate BAR (hopefully now it has better error handling. Thanks, Nick Nicholas Piggin (2): hw/usb: Make PCI device more configurable hw/usb: A

[RFC PATCH 2/2] usb/msd: Permit relaxed ordering of IN packets

2024-11-09 Thread Nicholas Piggin
The USB MSD protocol has 3 packets that make up a command, and only one command may be active at any time. - CBW to start a command (that contains a SCSI request). - DATA (IN or OUT) to send request data between host and SCSI layer. - CSW to return status and complete the command. DATA is optiona
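The three-packet command sequence described above, as an added example (not QEMU's hw/usb/dev-storage.c and not part of this thread): a validating parser for the CBW, a builder for the CSW, and a small state machine that enforces the strict CBW, DATA, CSW order the message says the device normally requires. Field offsets follow the USB Mass Storage Bulk-Only Transport layout (31-byte CBW, 13-byte CSW); the function and type names are this example's own.

```c
/* Added example, not QEMU code: USB MSD Bulk-Only Transport packets. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MSD_CBW_LEN        31
#define MSD_CSW_LEN        13
#define MSD_CBW_SIGNATURE  0x43425355u   /* "USBC", little-endian */
#define MSD_CSW_SIGNATURE  0x53425355u   /* "USBS", little-endian */
#define MSD_CBW_FLAG_IN    0x80          /* bmCBWFlags bit 7: data-in */

struct msd_cbw {
    uint32_t tag;        /* dCBWTag, echoed back in the CSW */
    uint32_t data_len;   /* dCBWDataTransferLength */
    int      dir_in;     /* 1 = DATA IN phase, 0 = DATA OUT phase */
    uint8_t  lun;
    uint8_t  cb_len;     /* length of the SCSI CDB, 1..16 */
    uint8_t  cb[16];     /* the SCSI CDB itself */
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 0 for a well-formed CBW, -1 for anything a host must not send.
 * Every field that later drives a buffer size or an index is checked here. */
int msd_parse_cbw(const uint8_t *buf, size_t len, struct msd_cbw *out)
{
    if (len != MSD_CBW_LEN || rd_le32(buf) != MSD_CBW_SIGNATURE) {
        return -1;
    }
    if (buf[12] & 0x7f) {          /* bmCBWFlags bits 6:0 are reserved */
        return -1;
    }
    if (buf[13] & 0xf0) {          /* bCBWLUN bits 7:4 are reserved */
        return -1;
    }
    uint8_t cb_len = buf[14];
    if ((cb_len & 0xe0) || cb_len < 1 || cb_len > 16) {
        return -1;                 /* bits 7:5 reserved, length 1..16 */
    }
    out->tag      = rd_le32(buf + 4);
    out->data_len = rd_le32(buf + 8);
    out->dir_in   = (buf[12] & MSD_CBW_FLAG_IN) != 0;
    out->lun      = buf[13];
    out->cb_len   = cb_len;
    memcpy(out->cb, buf + 15, 16);
    return 0;
}

/* Build the CSW that completes a command. status: 0 passed, 1 failed,
 * 2 phase error. residue = bytes the device did not transfer. */
void msd_build_csw(uint32_t tag, uint32_t residue, uint8_t status,
                   uint8_t out[MSD_CSW_LEN])
{
    wr_le32(out, MSD_CSW_SIGNATURE);
    wr_le32(out + 4, tag);
    wr_le32(out + 8, residue);
    out[12] = status;
}

/* Strict ordering: CBW, then DATA only if the CBW announced data, then CSW;
 * one command active at a time. msd_accept returns 1 and advances the state
 * when the packet is legal, 0 when it must be rejected (e.g. CSW before CBW). */
enum msd_pkt   { MSD_PKT_CBW, MSD_PKT_DATA, MSD_PKT_CSW };
enum msd_state { MSD_IDLE, MSD_CMD_ACTIVE, MSD_DATA_DONE };

int msd_accept(enum msd_state *st, enum msd_pkt pkt, int cbw_has_data)
{
    switch (*st) {
    case MSD_IDLE:
        if (pkt != MSD_PKT_CBW) return 0;
        *st = cbw_has_data ? MSD_CMD_ACTIVE : MSD_DATA_DONE;
        return 1;
    case MSD_CMD_ACTIVE:
        if (pkt != MSD_PKT_DATA) return 0;
        *st = MSD_DATA_DONE;
        return 1;
    case MSD_DATA_DONE:
        if (pkt != MSD_PKT_CSW) return 0;
        *st = MSD_IDLE;
        return 1;
    }
    return 0;
}
```

The state machine is the "before" picture: it is exactly the ordering the RFC proposes to relax for Data-In and CSW packets, so any relaxation has to keep the parser's field checks and the one-command-at-a-time invariant intact.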

[RFC PATCH 0/2] usb/msd: Permit relaxed ordering of IN packets

2024-11-09 Thread Nicholas Piggin
Hi, This allows MSD Data-In and CSW packets before the CBW packet. This is just for RFC for now, but it does work. Patch 2 has the main description of the problem and solution. I've not found a good way to split this into smaller pieces yet, but I will try, also migration is currently broken, I'

[RFC PATCH 1/2] usb/msd: Add status to usb_msd_packet_complete() function

2024-11-09 Thread Nicholas Piggin
This is a convenience change that accepts a status when completing a packet. Signed-off-by: Nicholas Piggin --- hw/usb/dev-storage.c | 17 - 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/hw/usb/dev-storage.c b/hw/usb/dev-storage.c index 341e505bd0..4f1e8b7f6c 1006

Re: [CAUTION - External Sender] Re: [PATCH] target/riscv: Add Tenstorrent Ascalon CPU

2024-11-09 Thread Anton Blanchard
Hi Philippe, On Sun, Nov 10, 2024 at 5:21 AM Philippe Mathieu-Daudé wrote: > Generally speaking (I'm not objecting to this patch as is), for > DEFINE_VENDOR_CPU() it would be nice to have reference to some > documentation -- at least to review whether the cpu features > announced make sense or no

Re: [PATCH 0/3] trace: Minor cleanups to trace header includes

2024-11-09 Thread Richard Henderson
On 11/8/24 08:29, Peter Maydell wrote: Peter Maydell (3): system/dma-helpers.c: Move trace events to system/trace-events target/arm/hvf: Add trace.h header trace: Don't include trace-root.h in control.c or control-target.c Reviewed-by: Richard Henderson r~

[PATCH] MAINTAINERS: CC rust/ patches to qemu-rust list

2024-11-09 Thread Manos Pitsidianakis
integration M: Manos Pitsidianakis +L: qemu-r...@nongnu.org S: Maintained F: scripts/rust/ F: rust/.gitignore --- base-commit: 134b443512825bed401b6e141447b8cdc22d2efe change-id: 20241109-update-maintainers-file-rust-5cbd97b7b11a -- γαῖα πυρί μιχθήτω

Re: [PATCH 4/5] hw/openrisc: Mark devices as big-endian

2024-11-09 Thread Thomas Huth
On Sat, 9 Nov 2024 10:08:16 -0800, Richard Henderson wrote: > On 11/9/24 07:58, Philippe Mathieu-Daudé wrote: > > Hi Thomas, > > > > On 9/11/24 06:42, Thomas Huth wrote: > >> On Wed, 6 Nov 2024 18:46:11 + > >> Philippe Mathieu-Daudé wrote: > >> > >>> These devices are only used by t

Re: [PATCH] target/riscv: Add Tenstorrent Ascalon CPU

2024-11-09 Thread Philippe Mathieu-Daudé
Hi, On 8/11/24 23:07, Anton Blanchard wrote: Add a CPU entry for the Tenstorrent Ascalon CPU, a series of 2 wide to 8 wide RV64 cores. Signed-off-by: Anton Blanchard --- target/riscv/cpu-qom.h | 1 + target/riscv/cpu.c | 67 ++ 2 files changed,

Re: [PATCH 4/5] hw/openrisc: Mark devices as big-endian

2024-11-09 Thread Richard Henderson
On 11/9/24 07:58, Philippe Mathieu-Daudé wrote: Hi Thomas, On 9/11/24 06:42, Thomas Huth wrote: On Wed, 6 Nov 2024 18:46:11 + Philippe Mathieu-Daudé wrote: These devices are only used by the OpenRISC target, which is only built as big-endian. Therefore the DEVICE_NATIVE_ENDIAN definit

Re: [PATCH 4/5] hw/openrisc: Mark devices as big-endian

2024-11-09 Thread Philippe Mathieu-Daudé
Hi Thomas, On 9/11/24 06:42, Thomas Huth wrote: On Wed, 6 Nov 2024 18:46:11 + Philippe Mathieu-Daudé wrote: These devices are only used by the OpenRISC target, which is only built as big-endian. Therefore the DEVICE_NATIVE_ENDIAN definition expands to DEVICE_BIG_ENDIAN (besides, the DEV

Re: [PATCH v3 2/6] ui/sdl2: Implement dpy dmabuf functions

2024-11-09 Thread Dmitry Osipenko
On 11/9/24 13:07, Akihiko Odaki wrote: > On 2024/11/09 15:52, Dmitry Osipenko wrote: >> Accidentally missed this email a week ago. Thanks again for all the >> reviews! >> >> On 10/31/24 10:32, Akihiko Odaki wrote: >> ...    +# libx11 presents together with SDL or GTK libs on systems that

Re: [PULL v2 00/13] (Almost entirely) bugfix changes for QEMU 9.2 hard freeze

2024-11-09 Thread Peter Maydell
On Sat, 9 Nov 2024 at 12:35, Peter Maydell wrote: > > On Sat, 9 Nov 2024 at 07:36, Paolo Bonzini wrote: > > > > The following changes since commit a1dacb66915eb7d08a0596cc97068a37c39930d3: > > > > Merge tag 'for-upstream-rust' of https://gitlab.com/bonzini/qemu into > > staging (2024-11-06 21:

[Stable-9.1.2 32/58] target/riscv: Set vtype.vill on CPU reset

2024-11-09 Thread Michael Tokarev
From: Rob Bradford The RISC-V unprivileged specification "31.3.11. State of Vector Extension at Reset" has a note that recommends vtype.vill be set on reset as part of ensuring that the vector extension has a consistent state at reset. This change now makes QEMU consistent with Spike which sets

[Stable-9.1.2 35/58] target/riscv/kvm: clarify how 'riscv-aia' default works

2024-11-09 Thread Michael Tokarev
From: Daniel Henrique Barboza We do not have control in the default 'riscv-aia' default value. We can try to set it to a specific value, in this case 'auto', but there's no guarantee that the host will accept it. Coupled with this, we're always doing a 'qemu_log' to inform whether we ended up u

Re: [PULL v2 00/13] (Almost entirely) bugfix changes for QEMU 9.2 hard freeze

2024-11-09 Thread Peter Maydell
On Sat, 9 Nov 2024 at 07:36, Paolo Bonzini wrote: > > The following changes since commit a1dacb66915eb7d08a0596cc97068a37c39930d3: > > Merge tag 'for-upstream-rust' of https://gitlab.com/bonzini/qemu into > staging (2024-11-06 21:27:47 +) > > are available in the Git repository at: > > ht

[Stable-9.1.2 42/58] target/ppc: Fix HFSCR facility checks

2024-11-09 Thread Michael Tokarev
From: Nicholas Piggin The HFSCR defines were being encoded as bit masks, but the users expect (and analogous FSCR defines are) bit numbers. Cc: qemu-sta...@nongnu.org Reviewed-by: Richard Henderson Signed-off-by: Nicholas Piggin (cherry picked from commit 87de77f6aeba4e38d123f7541cfdae7b124f6a

[Stable-9.1.2 33/58] hw/intc/riscv_aplic: Check and update pending when write sourcecfg

2024-11-09 Thread Michael Tokarev
From: Yong-Xuan Wang The section 4.5.2 of the RISC-V AIA specification says that any write to a sourcecfg register of an APLIC might (or might not) cause the corresponding interrupt-pending bit to be set to one if the rectified input value is high (= 1) under the new source mode. If an interrupt

[Stable-9.1.2 46/58] hw/ssi/pnv_spi: Fixes Coverity CID 1558831

2024-11-09 Thread Michael Tokarev
From: Chalapathi V In this commit the following coverity scan defect has been fixed CID 1558831: Resource leaks (RESOURCE_LEAK) Variable "rsp_payload" going out of scope leaks the storage it points to. Cc: qemu-sta...@nongnu.org Fixes: Coverity CID 1558831 Signed-off-by: Chalapathi V Fixe

[Stable-9.1.2 16/58] vfio/migration: Report only stop-copy size in vfio_state_pending_exact()

2024-11-09 Thread Michael Tokarev
From: Avihai Horon vfio_state_pending_exact() is used to update migration core how much device data is left for the device migration. Currently, the sum of pre-copy and stop-copy sizes of the VFIO device are reported. The pre-copy size is obtained via the VFIO_MIG_GET_PRECOPY_INFO ioctl, which r

[Stable-9.1.2 48/58] hw/sd/sdcard: Fix calculation of size when using eMMC boot partitions

2024-11-09 Thread Michael Tokarev
From: Jan Luebbe The sd_bootpart_offset() function calculates the *runtime* offset which changes as the guest switches between accessing the main user data area and the boot partitions by writing to the EXT_CSD_PART_CONFIG_ACC_MASK bits, so it shouldn't be used to calculate the main user data are

[Stable-9.1.2 41/58] target/ppc: Fix mtDPDES targeting SMT siblings

2024-11-09 Thread Michael Tokarev
From: Nicholas Piggin A typo in the loop over SMT threads to set irq level for doorbells when storing to DPDES meant everything was aimed at the CPU executing the instruction. Cc: qemu-sta...@nongnu.org Fixes: d24e80b2ae ("target/ppc: Add msgsnd/p and DPDES SMT support") Reviewed-by: Philippe Ma

[Stable-9.1.2 25/58] hw/sd/omap_mmc: Don't use sd_cmd_type_t

2024-11-09 Thread Michael Tokarev
From: Peter Maydell In commit 1ab08790bb75e4 we did some refactoring of the SD card implementation, which included a rearrangement of the sd_cmd_type_t enum values. Unfortunately we didn't notice that this enum is not used solely inside the SD card model itself, but is also used by the OMAP MMC

[Stable-9.1.2 36/58] target/riscv: Fix vcompress with rvv_ta_all_1s

2024-11-09 Thread Michael Tokarev
From: Anton Blanchard vcompress packs vl or less fields into vd, so the tail starts after the last packed field. This could be more clearly expressed in the ISA, but for now this thread helps to explain it: https://github.com/riscv/riscv-v-spec/issues/796 Signed-off-by: Anton Blanchard Reviewe

[Stable-9.1.2 04/58] accel/kvm: check for KVM_CAP_READONLY_MEM on VM

2024-11-09 Thread Michael Tokarev
From: Tom Dohrmann KVM_CAP_READONLY_MEM used to be a global capability, but with the introduction of AMD SEV-SNP confidential VMs, this extension is not always available on all VM types [1,2]. Query the extension on the VM level instead of on the KVM level. [1] https://patchwork.kernel.org/pro

[Stable-9.1.2 10/58] tcg: Reset data_gen_ptr correctly

2024-11-09 Thread Michael Tokarev
From: Richard Henderson This pointer needs to be reset after overflow just like code_buf and code_ptr. Cc: qemu-sta...@nongnu.org Fixes: 57a269469db ("tcg: Infrastructure for managing constant pools") Acked-by: Alistair Francis Reviewed-by: Pierrick Bouvier Reviewed-by: LIU Zhiwei Signed-off-

[Stable-9.1.2 44/58] hw/ssi/pnv_spi: Match _xfer_buffer_free() with _xfer_buffer_new()

2024-11-09 Thread Michael Tokarev
From: Philippe Mathieu-Daudé pnv_spi_xfer_buffer_new() allocates %payload using g_malloc0(), and pnv_spi_xfer_buffer_write_ptr() allocates %payload->data using g_realloc(). Use the API equivalent g_free() to release the buffers. Cc: qemu-sta...@nongnu.org Signed-off-by: Philippe Mathieu-Daudé R

[Stable-9.1.2 49/58] qemu-ga: Fix a SIGSEGV in ga_run_command() helper

2024-11-09 Thread Michael Tokarev
From: Sunil Nimmagadda qemu-ga on a NetBSD -current VM terminates with a SIGSEGV upon receiving 'guest-set-time' command... Core was generated by `qemu-ga'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x0cd37a40 in ga_pipe_read_str (fd=fd@entry=0xff922a20, str=st

[Stable-9.1.2 20/58] net: Check if nc is NULL in qemu_get_vnet_hdr_len()

2024-11-09 Thread Michael Tokarev
From: Akihiko Odaki A netdev may not have a peer specified, resulting in NULL. We should make it behave like /dev/null in such a case instead of letting it cause segmentation fault. Fixes: 4b52d63249a5 ("tap: Remove qemu_using_vnet_hdr()") Cc: qemu-sta...@nongnu.org Reported-by: Jonathan Cameron

[Stable-9.1.2 51/58] acpi/disassemle-aml.sh: fix up after dir reorg

2024-11-09 Thread Michael Tokarev
From: "Michael S. Tsirkin" We moved expected files around, fix up the disassembler script. Fixes: 7c08eefcaf ("tests/data/acpi: Move x86 ACPI tables under x86/${machine} path") Fixes: 7434f90467 ("tests/data/acpi/virt: Move ARM64 ACPI tables under aarch64/${machine} path") Cc: "Sunil V L" Mes

[Stable-9.0.4 50/57] ppc/xive: Fix ESB length overflow on 32-bit hosts

2024-11-09 Thread Michael Tokarev
From: Nicholas Piggin The length of this region can be > 32-bits, which overflows size_t on 32-bit hosts. Change to uint64_t. Signed-off-by: Nicholas Piggin (cherry picked from commit 07f2770503e24889720028ddf9ef54788ddf3b6d) Signed-off-by: Michael Tokarev diff --git a/hw/intc/spapr_xive_kvm.

[Stable-9.1.2 13/58] linux-user: Emulate /proc/self/maps under mmap_lock

2024-11-09 Thread Michael Tokarev
From: Ilya Leoshkevich If one thread modifies the mappings and another thread prints them, a situation may occur that the printer thread sees a guest mapping without a corresponding host mapping, leading to a crash in open_self_maps_2(). Cc: qemu-sta...@nongnu.org Fixes: 7b7a3366e142 ("linux-use

[Stable-9.1.2 08/58] tests/qemu-iotests/211.out: Update to expect MapEntry 'compressed' field

2024-11-09 Thread Michael Tokarev
From: Peter Maydell In commit 52b10c9c0c68e90f in 2023 the QAPI MapEntry struct was updated to add a 'compressed' field. That commit updated a number of iotest expected-output files, but missed 211, which is vdi specific. The result is that ./check -vdi and more specifically ./check -vdi 211 fa

[Stable-9.1.2 14/58] linux-user/ppc: Fix sigmask endianness issue in sigreturn

2024-11-09 Thread Michael Tokarev
From: Ilya Leoshkevich do_setcontext() copies the target sigmask without endianness handling and then uses target_to_host_sigset_internal(), which expects a byte-swapped one. Use target_to_host_sigset() instead. Fixes: bcd4933a23f1 ("linux-user: ppc signal handling") Signed-off-by: Ilya Leoshkev

[Stable-9.1.2 02/58] KVM: Dynamic sized kvm memslots array

2024-11-09 Thread Michael Tokarev
From: Peter Xu Zhiyi reported an infinite loop issue in VFIO use case. The cause of that was a separate discussion, however during that I found a regression of dirty sync slowness when profiling. Each KVMMemoryListerner maintains an array of kvm memslots. Currently it's statically allocated to

[PATCH] docs/nitro-enclave: Fix terminal commands formatting

2024-11-09 Thread Dorjoy Chowdhury
Signed-off-by: Dorjoy Chowdhury --- docs/system/i386/nitro-enclave.rst | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/system/i386/nitro-enclave.rst b/docs/system/i386/nitro-enclave.rst index 73e3edefe5..48eda5bd9e 100644 --- a/docs/system/i386/nitro-enclave.rst

[Stable-9.0.4 34/57] gitlab: make check-[dco|patch] a little more verbose

2024-11-09 Thread Michael Tokarev
From: Alex Bennée When git fails the rather terse backtrace only indicates it failed without some useful context. Add some to make the log a little more useful. Reviewed-by: Daniel P. Berrangé Signed-off-by: Alex Bennée Message-Id: <20241023113406.1284676-11-alex.ben...@linaro.org> (cherry pic

Re: [PULL 00/10] Functional test fixes & next-cube cleanup

2024-11-09 Thread Peter Maydell
On Fri, 8 Nov 2024 at 10:43, Thomas Huth wrote: > > Hi Peter! > > The following changes since commit feef1866d1366d651e6a3cb8c9cf1a9aabb81395: > > Merge tag 'pull-riscv-to-apply-20241107' of > https://github.com/alistair23/qemu into staging (2024-11-07 15:08:05 +) > > are available in the

[Stable-9.1.2 52/58] Revert "target/arm: Fix usage of MMU indexes when EL3 is AArch32"

2024-11-09 Thread Michael Tokarev
From: Peter Maydell This reverts commit 4c2c0474693229c1f533239bb983495c5427784d. This commit tried to fix a problem with our usage of MMU indexes when EL3 is AArch32, using what it described as a "more complicated approach" where we share the same MMU index values for Secure PL1&0 and NonSecure

[Stable-9.1.2 38/58] target/ppc: Make divd[u] handler method decodetree compatible

2024-11-09 Thread Michael Tokarev
From: Ilya Leoshkevich This is like commit 86e6202a57b1 ("target/ppc: Make divw[u] handler method decodetree compatible."), but for gen_op_arith_divd(). Cc: qemu-sta...@nongnu.org Suggested-by: Richard Henderson Signed-off-by: Ilya Leoshkevich Reviewed-by: Richard Henderson Reviewed-by: Phili

[Stable-9.0.4 52/57] Revert "target/arm: Fix usage of MMU indexes when EL3 is AArch32"

2024-11-09 Thread Michael Tokarev
From: Peter Maydell This reverts commit 4c2c0474693229c1f533239bb983495c5427784d. (2b5c04d82eb2378d3cb00b2d3057db99530d13e6 in stable-9.0 series) This commit tried to fix a problem with our usage of MMU indexes when EL3 is AArch32, using what it described as a "more complicated approach" where w

[Stable-9.1.2 29/58] target/riscv/csr.c: Fix an access to VXSAT

2024-11-09 Thread Michael Tokarev
From: Evgenii Prokopiev The register VXSAT should be RW only to the first bit. The remaining bits should be 0. The RISC-V Instruction Set Manual Volume I: Unprivileged Architecture The vxsat CSR has a single read-write least-significant bit (vxsat[0]) that indicates if a fixed-point instruction

[Stable-9.1.2 37/58] target/ppc: Set ctx->opcode for decode_insn32()

2024-11-09 Thread Michael Tokarev
From: Ilya Leoshkevich divdu (without a dot) sometimes updates cr0, even though it shouldn't. The reason is that gen_op_arith_divd() checks Rc(ctx->opcode), which is not initialized. This field is initialized only for instructions that go through decode_legacy(), and not decodetree. There alread

[Stable-9.1.2 45/58] hw/ssi/pnv_spi: Return early in transfer()

2024-11-09 Thread Michael Tokarev
From: Philippe Mathieu-Daudé Return early to simplify next commit. No logical change intended. Cc: qemu-sta...@nongnu.org Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: Nicholas Piggin (cherry picked from commit 3feabc18ad4d4bdc178a205b986353a54dbfcf20) Signed-off-by: Michael Tokarev d

[Stable-9.1.2 24/58] target/arm: Don't assert in regime_is_user() for E10 mmuidx values

2024-11-09 Thread Michael Tokarev
From: Peter Maydell In regime_is_user() we assert if we're passed an ARMMMUIdx_E10_* mmuidx value. This used to make sense because we only used this function in ptw.c and would never use it on this kind of stage 1+2 mmuidx, only for an individual stage 1 or stage 2 mmuidx. However, when we imple

[Stable-9.1.2 03/58] target/i386/tcg: Use DPL-level accesses for interrupts and call gates

2024-11-09 Thread Michael Tokarev
From: Paolo Bonzini Stack accesses should be explicit and use the privilege level of the target stack. This ensures that SMAP is not applied when the target stack is in ring 3. This fixes a bug wherein i386/tcg assumed that an interrupt return, or a far call using the CALL or JMP instruction, w

[PATCH] device/virtio-nsm: Support string data for extendPCR

2024-11-09 Thread Dorjoy Chowdhury
NSM device in AWS Nitro Enclaves supports extending with both bytestring and string data. Signed-off-by: Dorjoy Chowdhury --- hw/virtio/virtio-nsm.c | 21 ++--- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/hw/virtio/virtio-nsm.c b/hw/virtio/virtio-nsm.c index a3

[Stable-9.1.2 58/58] Revert "hw/audio/hda: fix memory leak on audio setup"

2024-11-09 Thread Michael Tokarev
This reverts commit 6d03242a7e47815ed56687ecd13f683d8da3f2fe. Let's revert this one for now. It is a revert of a commit picked to 9.1.x from master 6d6e23361fc732e4fe36a8bc5873b85f264ed53a, restoring the status quo with audio for now. See https://gitlab.com/qemu-project/qemu/-/issues/2639 for de

[Stable-9.1.2 28/58] stubs: avoid duplicate symbols in libqemuutil.a

2024-11-09 Thread Michael Tokarev
From: Paolo Bonzini qapi_event_send_device_deleted is always included (together with the rest of QAPI) in libqemuutil.a if either system-mode emulation or tools are being built, and in that case the stub causes a duplicate symbol to appear in libqemuutil.a. Add the symbol only if events are not

[PATCH] eif: Use stateful qcrypto apis

2024-11-09 Thread Dorjoy Chowdhury
We were storing the pointers to buffers in a GList due to lack of stateful crypto apis and instead doing the final hash computation at the end after we had all the necessary buffers. Now that we have the stateful qcrypto apis available, we can instead update the hashes inline in the read_eif_* func

[Stable-9.1.2 11/58] target/i386: Walk NPT in guest real mode

2024-11-09 Thread Michael Tokarev
From: Alexander Graf When translating virtual to physical address with a guest CPU that supports nested paging (NPT), we need to perform every page table walk access indirectly through the NPT, which we correctly do. However, we treat real mode (no page table walk) special: In that case, we curr

[Stable-9.1.2 06/58] tests: Wait for migration completion on destination QEMU to avoid failures

2024-11-09 Thread Michael Tokarev
From: Stefan Berger Rather than waiting for the completion of migration on the source side, wait for it on the destination QEMU side to avoid accessing the TPM TIS memory mapped registers before QEMU could restore their state. This error condition could be triggered on busy systems where the dest

[Stable-9.1.2 30/58] target/riscv: Correct SXL return value for RV32 in RV64 QEMU

2024-11-09 Thread Michael Tokarev
From: TANG Tiancheng Ensure that riscv_cpu_sxl returns MXL_RV32 when running RV32 in an RV64 QEMU. Signed-off-by: TANG Tiancheng Fixes: 05e6ca5e156 ("target/riscv: Ignore reserved bits in PTE for RV64") Reviewed-by: Liu Zhiwei Reviewed-by: Alistair Francis Message-ID: <20240919055048.562-4-zhi

[Stable-9.0.4 46/57] target/riscv/kvm: clarify how 'riscv-aia' default works

2024-11-09 Thread Michael Tokarev
From: Daniel Henrique Barboza We do not have control in the default 'riscv-aia' default value. We can try to set it to a specific value, in this case 'auto', but there's no guarantee that the host will accept it. Coupled with this, we're always doing a 'qemu_log' to inform whether we ended up u

[Stable-9.1.2 09/58] raw-format: Fix error message for invalid offset/size

2024-11-09 Thread Michael Tokarev
From: Kevin Wolf s->offset and s->size are only set at the end of the function and still contain the old values when formatting the error message. Print the parameters with the new values that we actually checked instead. Fixes: 500e2434207d ('raw-format: Split raw_read_options()') Signed-off-by

[Stable-9.1.2 43/58] ppc/pnv: ADU fix possible buffer overrun with invalid size

2024-11-09 Thread Michael Tokarev
From: Nicholas Piggin The ADU LPC transfer-size field is 7 bits, but the supported sizes for LPC access via ADU appear to be 1, 2, 4, 8. The data buffer could overrun if firmware set an invalid size field, so add checks to reject them with a message. Cc: qemu-sta...@nongnu.org Reported-by: Cédri

[Stable-9.0.4 44/57] hw/intc/riscv_aplic: Check and update pending when write sourcecfg

2024-11-09 Thread Michael Tokarev
From: Yong-Xuan Wang The section 4.5.2 of the RISC-V AIA specification says that any write to a sourcecfg register of an APLIC might (or might not) cause the corresponding interrupt-pending bit to be set to one if the rectified input value is high (= 1) under the new source mode. If an interrupt

[Stable-9.1.2 47/58] tests/tcg: Replace -mpower8-vector with -mcpu=power8

2024-11-09 Thread Michael Tokarev
From: Ilya Leoshkevich [1] deprecated -mpower8-vector, resulting in: powerpc64-linux-gnu-gcc: warning: switch '-mpower8-vector' is no longer supported qemu/tests/tcg/ppc64/vsx_f2i_nan.c:4:15: error: expected ';' before 'float' 4 | typedef vector float vsx_float32_vec_t;

[Stable-9.1.2 57/58] 9pfs: fix crash on 'Treaddir' request

2024-11-09 Thread Michael Tokarev
From: Christian Schoenebeck A bad (broken or malicious) 9p client (guest) could cause QEMU host to crash by sending a 9p 'Treaddir' request with a numeric file ID (FID) that was previously opened for a file instead of an expected directory: #0 0x762aff8f4919 in __GI___rewinddir (dirp=0xf)
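The failure mode in this report, a Treaddir on a fid that was opened for a file rather than a directory, as an added example that is not QEMU's hw/9pfs code and not part of the patch: a fid table that records what each numeric file ID was opened as, and a Treaddir handler that rejects the wrong kind of fid (and an out-of-range fid or offset) before anything resembling rewinddir()/readdir() is reached. The in-memory directory, the P9_* error values and all function names are constructed for the example.

```c
/* Added example, not QEMU's 9pfs: type-checked fid lookup before Treaddir. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_FIDS 8

enum fid_kind { FID_UNUSED = 0, FID_FILE, FID_DIR };

/* Stand-in for DIR*: a fixed list of the names a directory contains. */
struct fake_dir {
    const char **names;
    size_t count;
};

/* Stand-in for an open regular file. */
struct fake_file {
    const char *contents;
};

struct fid_entry {
    enum fid_kind kind;
    union {
        struct fake_dir  *dir;
        struct fake_file *file;
    } u;
};

struct fid_table {
    struct fid_entry fids[MAX_FIDS];
};

/* errno-style values handed back to the 9P client (assumed numbering). */
enum { P9_OK = 0, P9_EBADF = 9, P9_ENOTDIR = 20 };

int fid_open_file(struct fid_table *t, uint32_t fid, struct fake_file *f)
{
    if (fid >= MAX_FIDS || t->fids[fid].kind != FID_UNUSED) {
        return P9_EBADF;
    }
    t->fids[fid].kind = FID_FILE;
    t->fids[fid].u.file = f;
    return P9_OK;
}

int fid_open_dir(struct fid_table *t, uint32_t fid, struct fake_dir *d)
{
    if (fid >= MAX_FIDS || t->fids[fid].kind != FID_UNUSED) {
        return P9_EBADF;
    }
    t->fids[fid].kind = FID_DIR;
    t->fids[fid].u.dir = d;
    return P9_OK;
}

/* Treaddir: copy up to 'max' entry names starting at 'offset' into 'out'.
 * Returns the entry count, or a negative P9_* error. The guest controls both
 * fid and offset, so both are validated before the union is dereferenced: an
 * unknown fid is EBADF, and a fid opened as a file is ENOTDIR instead of a
 * type-confused pointer being passed on as if it were a DIR*. */
int fid_readdir(struct fid_table *t, uint32_t fid, uint64_t offset,
                const char **out, size_t max)
{
    if (fid >= MAX_FIDS || t->fids[fid].kind == FID_UNUSED) {
        return -P9_EBADF;
    }
    if (t->fids[fid].kind != FID_DIR) {
        return -P9_ENOTDIR;
    }
    struct fake_dir *d = t->fids[fid].u.dir;
    if (offset >= d->count) {
        return 0;                   /* past the end: empty reply, no read */
    }
    size_t n = 0;
    while (n < max && offset + n < d->count) {
        out[n] = d->names[offset + n];
        n++;
    }
    return (int)n;
}
```

The point of the union is that it is exactly the shape that makes the bug possible: without the kind check, a FID_FILE entry's pointer would be read through the dir member, which is the "numeric file ID that was previously opened for a file instead of an expected directory" the report describes.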

[Stable-9.0.4 56/57] hw/nvme: fix handling of over-committed queues

2024-11-09 Thread Michael Tokarev
From: Klaus Jensen If a host chooses to use the SQHD "hint" in the CQE to know if there is room in the submission queue for additional commands, it may result in a situation where there are not enough internal resources (struct NvmeRequest) available to process the command. For a lack of a better

[Stable-9.1.2 34/58] target/riscv/kvm: set 'aia_mode' to default in error path

2024-11-09 Thread Michael Tokarev
From: Daniel Henrique Barboza When failing to set the selected AIA mode, 'aia_mode' is left untouched. This means that 'aia_mode' will not reflect the actual AIA mode, retrieved in 'default_aia_mode'. This is benign for now, but it will impact QMP query commands that will expose the 'aia_mode' v

[Stable-9.1.2 31/58] hw/intc: Don't clear pending bits on IRQ lowering

2024-11-09 Thread Michael Tokarev
From: Sergey Makarov According to PLIC specification (chapter 5), there is only one case, when interrupt is claimed. Fix PLIC controller to match this behavior. Signed-off-by: Sergey Makarov Reviewed-by: Alistair Francis Message-ID: <20240918140229.124329-3-s.maka...@syntacore.com> Signed-off-

[Stable-9.0.4 21/57] tcg/s390x: fix constraint for 32-bit TSTEQ/TSTNE

2024-11-09 Thread Michael Tokarev
From: Paolo Bonzini 32-bit TSTEQ and TSTNE is subject to the same constraints as for 64-bit, but setcond_i32 and negsetcond_i32 were incorrectly using TCG_CT_CONST ("i") instead of TCG_CT_CONST_CMP ("C"). Adjust the constraint and make tcg_target_const_match use the same sequence as tgen_cmp2: f

[Stable-9.1.2 07/58] Revert "hw/sh4/r2d: Realize IDE controller before accessing it"

2024-11-09 Thread Michael Tokarev
From: Thomas Huth This reverts commit 3c5f86a22686ef475a8259c0d8ee714f61c770c9. Changing the order here caused a regression with the "tuxrun" kernels (from https://storage.tuxboot.com/20230331/) - ATA commands fail with a "ata1: lost interrupt (Status 0x58)" message. Apparently we need to wire t

[Stable-9.0.4 45/57] target/riscv/kvm: set 'aia_mode' to default in error path

2024-11-09 Thread Michael Tokarev
From: Daniel Henrique Barboza When failing to set the selected AIA mode, 'aia_mode' is left untouched. This means that 'aia_mode' will not reflect the actual AIA mode, retrieved in 'default_aia_mode'. This is benign for now, but it will impact QMP query commands that will expose the 'aia_mode' v

[Stable-9.1.2 26/58] target/arm: Fix arithmetic underflow in SETM instruction

2024-11-09 Thread Michael Tokarev
From: Ido Plat Pass the stage size to step function callback, otherwise do_setm would hang when size is larger than page size because stage size would underflow. This fix changes do_setm to be more inline with do_setp. Cc: qemu-sta...@nongnu.org Fixes: 0e92818887dee ("target/arm: Implement the

[Stable-9.1.2 50/58] hw/acpi: Fix ordering of BDF in Generic Initiator PCI Device Handle.

2024-11-09 Thread Michael Tokarev
From: Jonathan Cameron The ordering in ACPI specification [1] has bus number in the lowest byte. As ACPI tables are little endian this is the reverse of the ordering used by PCI_BUILD_BDF(). As a minimal fix split the QEMU BDF up into bus and devfn and write them as single bytes in the correct o
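The byte-ordering mismatch this fix describes, as an added example that is not QEMU's hw/acpi code and not part of the patch: the naive encoding that dumps the QEMU-style bdf as a little-endian 16-bit value beside the corrected one that writes bus and devfn as single bytes, bus first, plus a decoder that reads the handle the way a consumer of the table would. The 16-byte handle layout (2-byte segment, 2-byte BDF, 12 reserved bytes) and the PCI_BUILD_BDF() definition are assumptions based on the commit text and QEMU's PCI helpers.

```c
/* Added example, not QEMU code: SRAT Generic Initiator PCI Device Handle. */
#include <stdint.h>
#include <string.h>

#define PCI_BUILD_BDF(bus, devfn)  ((((bus) & 0xff) << 8) | ((devfn) & 0xff))
#define PCI_BUS_NUM(bdf)           (((bdf) >> 8) & 0xff)
#define PCI_BDF_DEVFN(bdf)         ((bdf) & 0xff)
#define GI_PCI_HANDLE_LEN          16

/* Wrong: the little-endian dump of QEMU's bdf puts devfn in byte 2 and the
 * bus number in byte 3, the reverse of the spec's "bus in the lowest byte". */
void gi_pci_handle_write_naive(uint8_t h[GI_PCI_HANDLE_LEN],
                               uint16_t segment, uint16_t bdf)
{
    memset(h, 0, GI_PCI_HANDLE_LEN);
    h[0] = (uint8_t)segment;  h[1] = (uint8_t)(segment >> 8);
    h[2] = (uint8_t)bdf;      h[3] = (uint8_t)(bdf >> 8);
}

/* Fixed: split the bdf and write bus then devfn as single bytes. */
void gi_pci_handle_write(uint8_t h[GI_PCI_HANDLE_LEN],
                         uint16_t segment, uint16_t bdf)
{
    memset(h, 0, GI_PCI_HANDLE_LEN);
    h[0] = (uint8_t)segment;  h[1] = (uint8_t)(segment >> 8);
    h[2] = (uint8_t)PCI_BUS_NUM(bdf);
    h[3] = (uint8_t)PCI_BDF_DEVFN(bdf);
}

/* Decode as a table consumer would: byte 2 is the bus, byte 3 is devfn.
 * Returns the QEMU-style bdf so the round trip can be compared. */
uint16_t gi_pci_handle_read_bdf(const uint8_t h[GI_PCI_HANDLE_LEN],
                                uint16_t *segment)
{
    *segment = (uint16_t)(h[0] | (h[1] << 8));
    return (uint16_t)PCI_BUILD_BDF(h[2], h[3]);
}
```

Running both encoders for bus 5, device 5, function 0 (devfn 0x28) and decoding the result shows the naive handle coming back as bus 0x28 / devfn 0x05, i.e. pointing the OS at a different device than the one QEMU meant.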

[Stable-9.1.2 39/58] ppc/pnv: Fix LPC serirq routing calculation

2024-11-09 Thread Michael Tokarev
From: Nicholas Piggin The serirq routing table is split over two registers, the calculation for the high irqs in the second register did not subtract the irq offset. This was spotted by Coverity as a shift-by-negative. Fix this and change the open-coded shifting and masking to use extract32() fun

[Stable-9.0.4 17/57] hw/audio/hda: free timer on exit

2024-11-09 Thread Michael Tokarev
From: Marc-André Lureau Fixes: 280c1e1cd ("audio/hda: create millisecond timers that handle IO") Signed-off-by: Marc-André Lureau Reviewed-by: Akihiko Odaki Message-ID: <20241008125028.1177932-2-marcandre.lur...@redhat.com> (cherry picked from commit f27206ceedbe2efae37c8d143c5eb2db05251508) S

[Stable-9.1.2 55/58] migration: Ensure vmstate_save() sets errp

2024-11-09 Thread Michael Tokarev
From: Hanna Czenczek migration/savevm.c contains some calls to vmstate_save() that are followed by migrate_set_error() if the integer return value indicates an error. migrate_set_error() requires that the `Error *` object passed to it is set. Therefore, vmstate_save() is assumed to always set *

[Stable-9.0.4 31/57] linux-user/ppc: Fix sigmask endianness issue in sigreturn

2024-11-09 Thread Michael Tokarev
From: Ilya Leoshkevich do_setcontext() copies the target sigmask without endianness handling and then uses target_to_host_sigset_internal(), which expects a byte-swapped one. Use target_to_host_sigset() instead. Fixes: bcd4933a23f1 ("linux-user: ppc signal handling") Signed-off-by: Ilya Leoshkev

[Stable-9.1.2 05/58] target/i386: Use only 16 and 32-bit operands for IN/OUT

2024-11-09 Thread Michael Tokarev
From: Richard Henderson The REX.W prefix is ignored for these instructions. Mirror the solution already used for INS/OUTS: X86_SIZE_z. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2581 Signed-off-by: Richard Henderson Cc: qemu-sta...@nongnu.org Link: https://lore.kernel.org/r/202410

[Stable-9.1.2 23/58] net/tap-win32: Fix gcc 14 format truncation errors

2024-11-09 Thread Michael Tokarev
From: Bernhard Beschow The patch fixes the following errors generated by GCC 14.2: ../src/net/tap-win32.c:343:19: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 176 [-Werror=format-truncation=] 343 | "%s\\%s\\Connection", |

[Stable-9.1.2 56/58] hw/nvme: fix handling of over-committed queues

2024-11-09 Thread Michael Tokarev
From: Klaus Jensen If a host chooses to use the SQHD "hint" in the CQE to know if there is room in the submission queue for additional commands, it may result in a situation where there are not enough internal resources (struct NvmeRequest) available to process the command. For a lack of a better

[Stable-9.1.2 27/58] target/arm: Store FPSR cumulative exception bits in env->vfp.fpsr

2024-11-09 Thread Michael Tokarev
From: Peter Maydell Currently we store the FPSR cumulative exception bits in the float_status fields, and use env->vfp.fpsr only for the NZCV bits. (The QC bit is stored in env->vfp.qc[].) This works for TCG, but if QEMU was built without CONFIG_TCG (i.e. with KVM support only) then we use the s

[Stable-9.1.2 54/58] target/arm: Fix SVE SDOT/UDOT/USDOT (4-way, indexed)

2024-11-09 Thread Michael Tokarev
From: Peter Maydell Our implementation of the indexed version of SVE SDOT/UDOT/USDOT got the calculation of the inner loop terminator wrong. Although we correctly account for the element size when we calculate the terminator for the first iteration: intptr_t segend = MIN(16 / sizeof(TYPED), o

[Stable-9.1.2 17/58] gitlab: make check-[dco|patch] a little more verbose

2024-11-09 Thread Michael Tokarev
From: Alex Bennée When git fails the rather terse backtrace only indicates it failed without some useful context. Add some to make the log a little more useful. Reviewed-by: Daniel P. Berrangé Signed-off-by: Alex Bennée Message-Id: <20241023113406.1284676-11-alex.ben...@linaro.org> (cherry pic

[Stable-9.0.4 48/57] target/ppc: Set ctx->opcode for decode_insn32()

2024-11-09 Thread Michael Tokarev
From: Ilya Leoshkevich divdu (without a dot) sometimes updates cr0, even though it shouldn't. The reason is that gen_op_arith_divd() checks Rc(ctx->opcode), which is not initialized. This field is initialized only for instructions that go through decode_legacy(), and not decodetree. There alread

[Stable-9.0.4 26/57] raw-format: Fix error message for invalid offset/size

2024-11-09 Thread Michael Tokarev
From: Kevin Wolf s->offset and s->size are only set at the end of the function and still contain the old values when formatting the error message. Print the parameters with the new values that we actually checked instead. Fixes: 500e2434207d ('raw-format: Split raw_read_options()') Signed-off-by

[Stable-9.0.4 38/57] net/tap-win32: Fix gcc 14 format truncation errors

2024-11-09 Thread Michael Tokarev
From: Bernhard Beschow The patch fixes the following errors generated by GCC 14.2: ../src/net/tap-win32.c:343:19: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 176 [-Werror=format-truncation=] 343 | "%s\\%s\\Connection", |

qemu-devel@nongnu.org

2024-11-09 Thread Michael Tokarev
From: Peter Maydell Our current usage of MMU indexes when EL3 is AArch32 is confused. Architecturally, when EL3 is AArch32, all Secure code runs under the Secure PL1&0 translation regime: * code at EL3, which might be Mon, or SVC, or any of the other privileged modes (PL1) * code at EL0 (Sec

[Stable-9.0.4 33/57] vfio/migration: Report only stop-copy size in vfio_state_pending_exact()

2024-11-09 Thread Michael Tokarev
From: Avihai Horon vfio_state_pending_exact() is used to update migration core how much device data is left for the device migration. Currently, the sum of pre-copy and stop-copy sizes of the VFIO device are reported. The pre-copy size is obtained via the VFIO_MIG_GET_PRECOPY_INFO ioctl, which r

[Stable-9.1.2 01/58] tcg/s390x: fix constraint for 32-bit TSTEQ/TSTNE

2024-11-09 Thread Michael Tokarev
From: Paolo Bonzini 32-bit TSTEQ and TSTNE are subject to the same constraints as for 64-bit, but setcond_i32 and negsetcond_i32 were incorrectly using TCG_CT_CONST ("i") instead of TCG_CT_CONST_CMP ("C"). Adjust the constraint and make tcg_target_const_match use the same sequence as tgen_cmp2: f

[Stable-9.1.2 40/58] ppc/pnv: Fix LPC POWER8 register sanity check

2024-11-09 Thread Michael Tokarev
From: Nicholas Piggin POWER8 does not have the ISA IRQ -> SERIRQ routing system of later CPUs, instead all ISA IRQs are sent to the CPU via a single PSI interrupt. There is a sanity check in the POWER8 case to ensure the routing bits have not been set, because that would indicate a programming er

[Stable-9.0.4 22/57] KVM: Dynamic sized kvm memslots array

2024-11-09 Thread Michael Tokarev
From: Peter Xu Zhiyi reported an infinite loop issue in VFIO use case. The cause of that was a separate discussion, however during that I found a regression of dirty sync slowness when profiling. Each KVMMemoryListerner maintains an array of kvm memslots. Currently it's statically allocated to

[Stable-9.0.4 57/57] 9pfs: fix crash on 'Treaddir' request

2024-11-09 Thread Michael Tokarev
From: Christian Schoenebeck A bad (broken or malicious) 9p client (guest) could cause QEMU host to crash by sending a 9p 'Treaddir' request with a numeric file ID (FID) that was previously opened for a file instead of an expected directory: #0 0x762aff8f4919 in __GI___rewinddir (dirp=0xf)

[Stable-9.0.4 13/57] tcg/ppc: Use TCG_REG_TMP2 for scratch tcg_out_qemu_st

2024-11-09 Thread Michael Tokarev
From: Richard Henderson In the fallback when STDBRX is not available, avoid clobbering TCG_REG_TMP1, which might be h.base, which is still in use. Use TCG_REG_TMP2 instead. Cc: qemu-sta...@nongnu.org Fixes: 01a112e2e9 ("tcg/ppc: Reorg tcg_out_tlb_read") Signed-off-by: Richard Henderson Tested-B

[Stable-9.1.2 21/58] Fix calculation of minimum in colo_compare_tcp

2024-11-09 Thread Michael Tokarev
From: Stefan Weil GitHub's CodeQL reports a critical error which is fixed by using the MIN macro: Unsigned difference expression compared to zero Signed-off-by: Stefan Weil Cc: qemu-sta...@nongnu.org Reviewed-by: Zhang Chen Signed-off-by: Jason Wang (cherry picked from commit e29bc931e16
