Re: [RFC PATCH-for-9.0?] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()

2024-04-10 Thread Philippe Mathieu-Daudé
On 10/4/24 08:53, Akihiko Odaki wrote: On 2024/04/10 3:04, Philippe Mathieu-Daudé wrote: If a fragmented packet size is too short, do not try to calculate its checksum. Reproduced using:    $ cat << EOF | qemu-system-i386 -display none -nodefaults \    -machine

[PATCH-for-9.0? v2] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()

2024-04-10 Thread Philippe Mathieu-Daudé
If a fragmented packet size is too short, do not try to calculate its checksum. Reproduced using: $ cat << EOF | qemu-system-i386 -display none -nodefaults \ -machine q35,accel=qtest -m 32M \ -device igb,netdev=net0 \

Re: [PATCH v5 2/2] nbd/server: Mark negotiation functions as coroutine_fn

2024-04-10 Thread Vladimir Sementsov-Ogievskiy
On 09.04.24 18:49, Eric Blake wrote: On Tue, Apr 09, 2024 at 09:30:39AM +0300, Vladimir Sementsov-Ogievskiy wrote: On 08.04.24 19:00, Eric Blake wrote: nbd_negotiate() is already marked coroutine_fn. And given the fix in the previous patch to have nbd_negotiate_handle_starttls not create and w

Re: [PATCH-for-9.0? v2] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()

2024-04-10 Thread Akihiko Odaki
On 2024/04/10 16:04, Philippe Mathieu-Daudé wrote: If a fragmented packet size is too short, do not try to calculate its checksum. Reproduced using: $ cat << EOF | qemu-system-i386 -display none -nodefaults \ -machine q35,accel=qtest -m 32M \

[PATCH] x86/loader: only patch linux kernels

2024-04-10 Thread Gerd Hoffmann
If the binary loaded via -kernel is *not* a linux kernel (in which case protocol == 0), do not patch the linux kernel header fields. It's (a) pointless and (b) might break binaries by random patching and (c) changes the binary hash which in turn breaks secure boot verification. Background: OVMF h

[Stable-8.2.3 00/87] Patch Round-up for stable 8.2.3, freeze on 2024-04-20

2024-04-10 Thread Michael Tokarev
The following patches are queued for QEMU stable v8.2.3: https://gitlab.com/qemu-project/qemu/-/commits/staging-8.2 Patch freeze is 2024-04-20, and the release is planned for 2024-04-22: https://wiki.qemu.org/Planning/8.2 Please respond here or CC qemu-sta...@nongnu.org on any additional pa

[Stable-8.2.3 03/87] tcg/aarch64: Apple does not align __int128_t in even registers

2024-04-10 Thread Michael Tokarev
From: Richard Henderson From https://developer.apple.com/documentation/xcode/writing-arm64-code-for-apple-platforms When passing an argument with 16-byte alignment in integer registers, Apple platforms allow the argument to start in an odd-numbered xN register. The standard ABI requires

[Stable-8.2.3 10/87] hw/scsi/lsi53c895a: stop script on phase mismatch

2024-04-10 Thread Michael Tokarev
From: Sven Schnelle Netbsd isn't happy with qemu lsi53c895a emulation: cd0(esiop0:0:2:0): command with tag id 0 reset esiop0: autoconfiguration error: phase mismatch without command esiop0: autoconfiguration error: unhandled scsi interrupt, sist=0x80 sstat1=0x0 DSA=0x23a64b1 DSP=0x50 This is b

[Stable-8.2.3 08/87] hw/rtc/sun4v-rtc: Relicense to GPLv2-or-later

2024-04-10 Thread Michael Tokarev
From: Peter Maydell The sun4v RTC device model added under commit a0e893039cf2ce0 in 2016 was unfortunately added with a license of GPL-v3-or-later, which is not compatible with other QEMU code which has a GPL-v2-only license. Relicense the code in the .c and the .h file to GPL-v2-or-later, to m

[Stable-8.2.3 07/87] target/arm: Fix 32-bit SMOPA

2024-04-10 Thread Michael Tokarev
From: Richard Henderson While the 8-bit input elements are sequential in the input vector, the 32-bit output elements are not sequential in the output matrix. Do not attempt to compute 2 32-bit outputs at the same time. Cc: qemu-sta...@nongnu.org Fixes: 23a5e3859f5 ("target/arm: Implement SME in

[Stable-8.2.3 04/87] linux-user: Remove pgb_dynamic alignment assertion

2024-04-10 Thread Michael Tokarev
From: Richard Henderson The assertion was never correct, because the alignment is a composite of the image alignment and SHMLBA. Even if the image alignment didn't match the image address, an assertion would not be correct -- more appropriate would be an error message about an ill-formed image.

[Stable-8.2.3 02/87] configure: run plugin TCG tests again

2024-04-10 Thread Michael Tokarev
From: Paolo Bonzini Commit 39fb3cfc28b ("configure: clean up plugin option handling", 2023-10-18) dropped the CONFIG_PLUGIN line from tests/tcg/config-host.mak, due to confusion caused by the shadowing of $config_host_mak. However, TCG tests were still expecting it. Oops. Put it back, in the m

[Stable-8.2.3 06/87] ui/cocoa: Fix window clipping on macOS 14

2024-04-10 Thread Michael Tokarev
From: David Parsons macOS Sonoma changes the NSView.clipsToBounds to false by default where it was true in earlier versions of macOS. This causes the window contents to be occluded by the frame at the top of the window. This fixes the issue by conditionally compiling the clipping on Sonoma to true

[Stable-8.2.3 05/87] gitlab: update FreeBSD Cirrus CI image to 13.3

2024-04-10 Thread Michael Tokarev
From: Daniel P. Berrangé The 13.2 images have been deleted from gcloud Cc: qemu-sta...@nongnu.org Signed-off-by: Daniel P. Berrangé Reviewed-by: Peter Maydell Message-id: 20240304144456.3825935-3-berra...@redhat.com Signed-off-by: Peter Maydell (cherry picked from commit 9ea920dc28254cd9a363a

[Stable-8.2.3 09/87] system/qdev-monitor: move drain_call_rcu call under if (!dev) in qmp_device_add()

2024-04-10 Thread Michael Tokarev
From: Dmitrii Gavrilov The original goal of the addition of drain_call_rcu to qmp_device_add was to cover the failure case of qdev_device_add. It seems the call of drain_call_rcu was misplaced in 7bed89958bfbf40df, which led to waiting for pending RCU callbacks under the happy path too. What led to overall perform

[Stable-8.2.3 19/87] hw/nvme: fix invalid check on mcl

2024-04-10 Thread Michael Tokarev
From: Klaus Jensen The number of logical blocks within a source range is converted into a 1s based number at the time of parsing. However, when verifying the copy length we add one again, causing the check against MCL to fail in error. Cc: qemu-sta...@nongnu.org Fixes: 381ab99d8587 ("hw/nvme: ch

[Stable-8.2.3 17/87] xen: Drop out of coroutine context xen_invalidate_map_cache_entry

2024-04-10 Thread Michael Tokarev
From: Peng Fan xen_invalidate_map_cache_entry is not expected to run in a coroutine. Without this, there is a crash: signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 threadid=) at pthread_kill.c:78 at /usr/src/debug/glibc/2.38+git-r0/sysdeps/posix/raise.c:26 fmt=0xf

[Stable-8.2.3 16/87] Avoid unaligned fetch in ladr_match()

2024-04-10 Thread Michael Tokarev
From: Nick Briggs There is no guarantee that the PCNetState is allocated such that csr[8] is allocated on an 8-byte boundary. Since not all hosts are capable of unaligned fetches the 16-bit elements need to be fetched individually to avoid a potential fault. Closes issue #2143 Resolves: https:

[Stable-8.2.3 25/87] hw/audio/virtio-sound: return correct command response size

2024-04-10 Thread Michael Tokarev
From: Volker Rümelin The payload size returned by command VIRTIO_SND_R_PCM_INFO is wrong. The code in process_cmd() assumes that all commands return only a virtio_snd_hdr payload, but some commands like VIRTIO_SND_R_PCM_INFO may return an additional payload. Add a zero initialized payload_size v

[Stable-8.2.3 31/87] iotests: Add test for reset/AioContext switches with NBD exports

2024-04-10 Thread Michael Tokarev
From: Kevin Wolf This replicates the scenario in which the bug was reported. Unfortunately this relies on actually executing a guest (so that the firmware initialises the virtio-blk device and moves it to its configured iothread), so this can't make use of the qtest accelerator like most other te

[Stable-8.2.3 15/87] e1000e: fix link state on resume

2024-04-10 Thread Michael Tokarev
From: Laurent Vivier On resume e1000e_vm_state_change() always calls e1000e_autoneg_resume() that sets link_down to false, and thus activates the link even if we have disabled it. The problem can be reproduced by starting qemu in paused state (-S) and then setting the link to down. When we resume the m

[Stable-8.2.3 12/87] make-release: switch to .xz format by default

2024-04-10 Thread Michael Tokarev
For a long time, we have provided two compression formats in the download area, .bz2 and .xz. There's absolutely no reason to provide two in parallel: .xz compresses better, and all the links we use point to .xz. Downstream distributions mostly use .xz too. For the release maintenance providing two f

[Stable-8.2.3 30/87] nbd/server: Fix race in draining the export

2024-04-10 Thread Michael Tokarev
From: Kevin Wolf When draining an NBD export, nbd_drained_begin() first sets client->quiescing so that nbd_client_receive_next_request() won't start any new request coroutines. Then nbd_drained_poll() tries to make sure that we wait for any existing request coroutines by checking that client->nb

[Stable-8.2.3 18/87] hw/nvme: separate 'serial' property for VFs

2024-04-10 Thread Michael Tokarev
From: Minwoo Im Currently, when a VF is created, it uses the 'params' object of the PF as it is. In other words, the 'params.serial' string memory area is also shared. In this situation, if the VF is removed from the system, the PF's 'params.serial' object is released with object_finalize() follo

[Stable-8.2.3 27/87] mirror: Don't call job_pause_point() under graph lock

2024-04-10 Thread Michael Tokarev
From: Kevin Wolf Calling job_pause_point() while holding the graph reader lock potentially results in a deadlock: bdrv_graph_wrlock() first drains everything, including the mirror job, which pauses it. The job is only unpaused at the end of the drain section, which is when the graph writer lock h

[Stable-8.2.3 14/87] igb: fix link state on resume

2024-04-10 Thread Michael Tokarev
From: Laurent Vivier On resume igb_vm_state_change() always calls igb_autoneg_resume() that sets link_down to false, and thus activates the link even if we have disabled it. The problem can be reproduced by starting qemu in paused state (-S) and then setting the link to down. When we resume the machine

[Stable-8.2.3 48/87] target/hppa: mask privilege bits in mfia

2024-04-10 Thread Michael Tokarev
From: Sven Schnelle mfia should return only the iaoq bits without privilege bits. Fixes: 98a9cb792c8 ("target-hppa: Implement system and memory-management insns") Signed-off-by: Sven Schnelle Reviewed-by: Richard Henderson Reviewed-by: Helge Deller Message-Id: <20240319161921.487080-6-sv...@s

[Stable-8.2.3 46/87] target/hppa: fix access_id check

2024-04-10 Thread Michael Tokarev
From: Sven Schnelle PA2.0 provides 8 instead of 4 PID registers. Signed-off-by: Sven Schnelle Reviewed-by: Richard Henderson Message-Id: <20240319161921.487080-4-sv...@stackframe.org> Signed-off-by: Richard Henderson (cherry picked from commit ae157fc25053917830c3b581bc282f906e6d95d3) Signed-

[Stable-8.2.3 13/87] migration/rdma: Fix a memory issue for migration

2024-04-10 Thread Michael Tokarev
From: Yu Zhang In commit 3fa9642ff7 a change was made to convert the RDMA backend to accept the MigrateAddress struct. However, the assignment of "host" leads to data corruption on the target host and the failure of migration. isock->host = rdma->host; By allocating the memory explicitly for it w

[Stable-8.2.3 42/87] target/hppa: Fix assemble_11a insns for wide mode

2024-04-10 Thread Michael Tokarev
From: Richard Henderson Tested-by: Helge Deller Reviewed-by: Helge Deller Reported-by: Sven Schnelle Signed-off-by: Richard Henderson (cherry picked from commit 4768c28edd4097ebef42822e15b4a43026b15376) Signed-off-by: Michael Tokarev diff --git a/target/hppa/insns.decode b/target/hppa/insns

[Stable-8.2.3 26/87] migration: Skip only empty block devices

2024-04-10 Thread Michael Tokarev
From: Cédric Le Goater The block .save_setup() handler calls a helper routine init_blk_migration() which builds a list of block devices to take into account for migration. When one device is found to be empty (sectors == 0), the loop exits and all the remaining devices are ignored. This is a regr

[Stable-8.2.3 29/87] nbd/server: introduce NBDClient->lock to protect fields

2024-04-10 Thread Michael Tokarev
From: Stefan Hajnoczi NBDClient has a number of fields that are accessed by both the export AioContext and the main loop thread. When the AioContext lock is removed these fields will need another form of protection. Add NBDClient->lock and protect fields that are accessed by both threads. Also a

[Stable-8.2.3 44/87] target/hppa: ldcw,s uses static shift of 3

2024-04-10 Thread Michael Tokarev
From: Sven Schnelle Fixes: 96d6407f363 ("target-hppa: Implement loads and stores") Signed-off-by: Sven Schnelle Reviewed-by: Richard Henderson Message-Id: <20240319161921.487080-2-sv...@stackframe.org> Signed-off-by: Richard Henderson (cherry picked from commit c3ea1996a14d5dbbedb3f9036f7ebec4

[Stable-8.2.3 32/87] tests/unit: Bump test-aio-multithread test timeout to 2 minutes

2024-04-10 Thread Michael Tokarev
From: Thomas Huth When running the tests in slow mode on a very loaded system and with --enable-debug, the test-aio-multithread can take longer than 1 minute. Bump the timeout to two minutes to make sure that it also passes in such situations. Signed-off-by: Thomas Huth Message-Id: <20231215070

[Stable-8.2.3 39/87] ui: compile dbus-display1.c with -fPIC as necessary

2024-04-10 Thread Michael Tokarev
From: Marc-André Lureau Building dbus-display1.c explicitly as a static library drops -fPIC by default, which may not be correct if it ends up linked to a shared library. Let the target decide how to build the unit, with or without -fPIC. This makes commit 186acfbaf7 ("tests/qtest: Depend on dbu

[Stable-8.2.3 59/87] target/i386/tcg: Enable page walking from MMIO memory

2024-04-10 Thread Michael Tokarev
From: Gregory Price CXL emulation of interleave requires read and write hooks due to requirement for subpage granularity. The Linux kernel stack now enables using this memory as conventional memory in a separate NUMA node. If a process is deliberately forced to run from that node $ numactl --memb

[Stable-8.2.3 38/87] Revert "chardev/char-socket: Fix TLS io channels sending too much data to the backend"

2024-04-10 Thread Michael Tokarev
From: Daniel P. Berrangé This commit results in unexpected termination of the TLS connection. When 'fd_can_read' returns 0, the code goes on to pass a zero length buffer to qio_channel_read. The TLS impl calls into gnutls_recv() with this zero length buffer, at which point GNUTLS returns an error

[Stable-8.2.3 52/87] target/loongarch: Fix qemu-system-loongarch64 assert failed with the option '-d int'

2024-04-10 Thread Michael Tokarev
From: Song Gao qemu-system-loongarch64 assert failed with the option '-d int': the helper_idle() raises an exception EXCP_HLT, but the exception name is undefined. Signed-off-by: Song Gao Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20240321123606.1704900-1-gaos...@loongson.cn> (cherry pic

[Stable-8.2.3 47/87] target/hppa: exit tb on flush cache instructions

2024-04-10 Thread Michael Tokarev
From: Sven Schnelle When the guest modifies the tb it is currently executing from, it executes a fic instruction. Exit the tb on such instruction, otherwise we might execute stale code. Signed-off-by: Sven Schnelle Message-Id: <20240319161921.487080-5-sv...@stackframe.org> Signed-off-by: Richar

[Stable-8.2.3 41/87] target/hppa: Fix assemble_16 insns for wide mode

2024-04-10 Thread Michael Tokarev
From: Richard Henderson Reported-by: Sven Schnelle Reviewed-by: Helge Deller Signed-off-by: Richard Henderson (cherry picked from commit 72bace2d13cb427fde3bb50ae1a71a2abe9acc0f) Signed-off-by: Michael Tokarev diff --git a/target/hppa/insns.decode b/target/hppa/insns.decode index f5a3f02fd1.

[Stable-8.2.3 33/87] tests/unit: Bump test-crypto-block test timeout to 5 minutes

2024-04-10 Thread Michael Tokarev
From: Thomas Huth When running the tests in slow mode on a very loaded system and with --enable-debug, the test-crypto-block can take longer than 4 minutes. Bump the timeout to 5 minutes to make sure that it also passes in such situations. Signed-off-by: Thomas Huth Message-Id: <20231215070357.

[Stable-8.2.3 35/87] target/i386: introduce function to query MMU indices

2024-04-10 Thread Michael Tokarev
From: Paolo Bonzini Remove knowledge of specific MMU indexes (other than MMU_NESTED_IDX and MMU_PHYS_IDX) from mmu_translate(). This will make it possible to split 32-bit and 64-bit MMU indexes. Signed-off-by: Paolo Bonzini (cherry picked from commit 5f97afe2543f09160a8d123ab6e2e8c6d98fa9ce) S

[Stable-8.2.3 68/87] hw/intc: Update APLIC IDC after claiming iforce register

2024-04-10 Thread Michael Tokarev
From: Frank Chang Currently, QEMU only sets the iforce register to 0 and returns early when claiming the iforce register. However, this may leave mip.meip at 1 if a spurious external interrupt triggered by the iforce register is the only pending interrupt to be claimed, and the interrupt cann

[Stable-8.2.3 81/87] block/virtio-blk: Fix memory leak from virtio_blk_zone_report

2024-04-10 Thread Michael Tokarev
From: Zheyu Ma This modification ensures that in scenarios where the buffer size is insufficient for a zone report, the function will now properly set an error status and proceed to a cleanup label, instead of merely returning. The following ASAN log reveals it: ==1767400==ERROR: LeakSanitizer:

[Stable-8.2.3 67/87] target/riscv/vector_helper.c: optimize loops in ldst helpers

2024-04-10 Thread Michael Tokarev
From: Daniel Henrique Barboza Change the for loops in ldst helpers to do a single increment in the counter, and assign it env->vstart, to avoid re-reading from vstart every time. Suggested-by: Richard Henderson Signed-off-by: Daniel Henrique Barboza Reviewed-by: Alistair Francis Reviewed-by:

[Stable-8.2.3 64/87] target/riscv/vector_helper.c: fix 'vmvr_v' memcpy endianess

2024-04-10 Thread Michael Tokarev
From: Daniel Henrique Barboza vmvr_v isn't handling the case where the host might be big endian and the bytes to be copied aren't sequential. Suggested-by: Richard Henderson Fixes: f714361ed7 ("target/riscv: rvv-1.0: implement vstart CSR") Signed-off-by: Daniel Henrique Barboza Reviewed-by: Al

[Stable-8.2.3 50/87] target/loongarch: Fix qemu-loongarch64 hang when executing 'll.d $t0, $t0, 0'

2024-04-10 Thread Michael Tokarev
From: Song Gao On gen_ll, if a->imm is zero, make_address_x returns src1, but the load to destination may clobber src1. We use a new destination to fix this problem. Fixes: c5af6628f4be (target/loongarch: Extract make_address_i() helper) Reviewed-by: Richard Henderson Suggested-by: Richard Hende

[Stable-8.2.3 45/87] target/hppa: fix shrp for wide mode

2024-04-10 Thread Michael Tokarev
From: Sven Schnelle Fixes: f7b775a9c075 ("target/hppa: Implement SHRPD") Signed-off-by: Sven Schnelle Reviewed-by: Richard Henderson Reviewed-by: Helge Deller Message-Id: <20240319161921.487080-3-sv...@stackframe.org> Signed-off-by: Richard Henderson (cherry picked from commit d37fad0ae5bd2c5

[Stable-8.2.3 57/87] block-backend: fix edge case in bdrv_next_cleanup() where BDS associated to BB changes

2024-04-10 Thread Michael Tokarev
From: Fiona Ebner Same rationale as for commit "block-backend: fix edge case in bdrv_next() where BDS associated to BB changes". The block graph might change between the bdrv_next() call and the bdrv_next_cleanup() call, so it could be that the associated BDS is not the same that was referenced p

[Stable-8.2.3 63/87] trans_rvv.c.inc: set vstart = 0 in int scalar move insns

2024-04-10 Thread Michael Tokarev
From: Daniel Henrique Barboza trans_vmv_x_s, trans_vmv_s_x, trans_vfmv_f_s and trans_vfmv_s_f aren't setting vstart = 0 after execution. This is usually done by a helper in vector_helper.c but these functions don't use helpers. We'll set vstart after any potential 'over' brconds, and that will a

[Stable-8.2.3 56/87] block-backend: fix edge case in bdrv_next() where BDS associated to BB changes

2024-04-10 Thread Michael Tokarev
From: Fiona Ebner The old_bs variable in bdrv_next() is currently determined by looking at the old block backend. However, if the block graph changes before the next bdrv_next() call, it might be that the associated BDS is not the same that was referenced previously. In that case, the wrong BDS i

[Stable-8.2.3 84/87] hw/virtio: Fix packed virtqueue flush used_idx

2024-04-10 Thread Michael Tokarev
From: Wafer In the event of writing many chains of descriptors, the device must write just the id of the last buffer in the descriptor chain, skip forward the number of descriptors in the chain, and then repeat the operations for the rest of chains. Current QEMU code writes all the buffer ids co

[Stable-8.2.3 51/87] docs/conf.py: Remove usage of distutils

2024-04-10 Thread Michael Tokarev
From: Thomas Huth The macOS jobs in our CI recently started failing, complaining that the distutils module is not available anymore. And indeed, according to https://peps.python.org/pep-0632/ it's been deprecated for a while and now likely got removed in recent Python versions. Fortunately, we

[Stable-8.2.3 53/87] target/s390x: Use mutable temporary value for op_ts

2024-04-10 Thread Michael Tokarev
From: Ido Plat Otherwise TCG would assume the register that holds t1 would be constant and reuse whenever it needs the value within it. Cc: qemu-sta...@nongnu.org Fixes: f1ea739bd598 ("target/s390x: Use tcg_constant_* in local contexts") Reviewed-by: Ilya Leoshkevich Reviewed-by: Richard Hender

[Stable-8.2.3 11/87] hw/scsi/lsi53c895a: add timer to scripts processing

2024-04-10 Thread Michael Tokarev
From: Sven Schnelle HP-UX 10.20 seems to make the lsi53c895a spin on a memory location under certain circumstances. As the SCSI controller and CPU are not running at the same time this loop will never finish. After some time, the check loop interrupts with an unexpected device disconnect. This

[Stable-8.2.3 54/87] vdpa-dev: Fix initialisation order to restore VDUSE compatibility

2024-04-10 Thread Michael Tokarev
From: Kevin Wolf VDUSE requires that virtqueues are first enabled before the DRIVER_OK status flag is set; with the current API of the kernel module, it is impossible to enable the opposite order in our block export code because userspace is not notified when a virtqueue is enabled. This require

[Stable-8.2.3 20/87] hw/nvme: generalize the mbar size helper

2024-04-10 Thread Michael Tokarev
From: Klaus Jensen Generalize the mbar size helper such that it can handle cases where the MSI-X table and PBA are expected to be in an exclusive bar. Cc: qemu-sta...@nongnu.org Reviewed-by: Jesper Wendel Devantier Signed-off-by: Klaus Jensen (cherry picked from commit ee7bda4d38cda3eaf114c850

[Stable-8.2.3 21/87] hw/nvme: add machine compatibility parameter to enable msix exclusive bar

2024-04-10 Thread Michael Tokarev
From: Klaus Jensen Commit 1901b4967c3f ("hw/block/nvme: move msix table and pba to BAR 0") moved the MSI-X table and PBA to BAR 0 to make room for enabling CMR and PMR at the same time. As reported by Julien Grall in #2184, this breaks migration through system hibernation. Add a machine compatib

Re: [PATCH] x86/loader: only patch linux kernels

2024-04-10 Thread Michael S. Tsirkin
On Wed, Apr 10, 2024 at 09:21:26AM +0200, Gerd Hoffmann wrote: > If the binary loaded via -kernel is *not* a linux kernel (in which > case protocol == 0), do not patch the linux kernel header fields. > > It's (a) pointless and (b) might break binaries by random patching > and (c) changes the binar

[Stable-8.2.3 65/87] target/riscv: always clear vstart in whole vec move insns

2024-04-10 Thread Michael Tokarev
From: Daniel Henrique Barboza These insns have 2 paths: we'll either have vstart already cleared if vstart_eq_zero or we'll do a brcond to check if vstart >= maxsz to call the 'vmvr_v' helper. The helper will clear vstart if it executes until the end, or if vstart >= vl. For starters, the check

[Stable-8.2.3 61/87] monitor/hmp-cmds-target: Append a space in error message in gpa2hva()

2024-04-10 Thread Michael Tokarev
From: Yao Xingtao In qemu monitor mode, when we use gpa2hva command to print the host virtual address corresponding to a guest physical address, if the gpa is not in RAM, the error message is below: (qemu) gpa2hva 0x75000 Memory at address 0x75000is not RAM A space is missed between

[Stable-8.2.3 78/87] hw/intc/arm_gicv3: ICC_HPPIR* return SPURIOUS if int group is disabled

2024-04-10 Thread Michael Tokarev
From: Peter Maydell If the group of the highest priority pending interrupt is disabled via ICC_IGRPEN*, the ICC_HPPIR* registers should return INTID_SPURIOUS, not the interrupt ID. (See the GIC architecture specification pseudocode functions ICC_HPPIR1_EL1[] and HighestPriorityPendingInterrupt()

[Stable-8.2.3 23/87] pcie_sriov: Validate NumVFs

2024-04-10 Thread Michael Tokarev
From: Akihiko Odaki The guest may write NumVFs greater than TotalVFs and that can lead to buffer overflow in VF implementations. Cc: qemu-sta...@nongnu.org Fixes: CVE-2024-26327 Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization (SR/IOV)") Signed-off-by: Akihiko Odaki M

[Stable-8.2.3 73/87] hw/net/net_tx_pkt: Fix virtio header without checksum offloading

2024-04-10 Thread Michael Tokarev
From: Akihiko Odaki It is incorrect to have the VIRTIO_NET_HDR_F_NEEDS_CSUM set when checksum offloading is disabled so clear the bit. TCP/UDP checksum is usually offloaded when the peer requires virtio headers because they can instruct the peer to compute checksum. However, igb disables TX chec

[Stable-8.2.3 77/87] gitlab-ci/cirrus: switch from 'master' to 'latest'

2024-04-10 Thread Michael Tokarev
Commit ab72522797 "gitlab: switch from 'stable' to 'latest' docker container tags" switched most tags to 'latest' but missed cirrus image. Fix this now. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2256 Signed-off-by: Michael Tokarev Message-id: 20240401051633.2780456-1-...@tls.msk.ru

[Stable-8.2.3 34/87] tests/unit: Bump test-replication timeout to 60 seconds

2024-04-10 Thread Michael Tokarev
From: Kevin Wolf We're seeing timeouts for this test on CI runs (specifically for ubuntu-20.04-s390x-all). It doesn't fail consistently, but even the successful runs take about 27 or 28 seconds, which is not very far from the 30 seconds timeout. Bump the timeout a bit to make failure less likely

[Stable-8.2.3 24/87] hmat acpi: Fix out of bounds access due to missing use of indirection

2024-04-10 Thread Michael Tokarev
From: Jonathan Cameron With a numa set up such as -numa nodeid=0,cpus=0 \ -numa nodeid=1,memdev=mem \ -numa nodeid=2,cpus=1 and appropriate hmat_lb entries the initiator list is correctly computed and written to HMAT as 0,2 but then the LB data is accessed using the node id (here 2), landing out

[Stable-8.2.3 80/87] hw/net/virtio-net: fix qemu set used ring flag even vhost started

2024-04-10 Thread Michael Tokarev
From: Yajun Wu When vhost-user or vhost-kernel is handling the virtio net datapath, QEMU should not touch the used ring. But with the vhost-user socket reconnect scenario, in a very rare case (has pending kick event), VRING_USED_F_NO_NOTIFY is set by QEMU in the following code path: #0 virtio_queue_sp

[Stable-8.2.3 55/87] block/io: accept NULL qiov in bdrv_pad_request

2024-04-10 Thread Michael Tokarev
From: Stefan Reiter Some operations, e.g. block-stream, perform reads while discarding the results (only copy-on-read matters). In this case, they will pass NULL as the target QEMUIOVector, which will however trip bdrv_pad_request, since it wants to extend its passed vector. In particular, this i

Re: [PATCH-for-9.0? v2] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()

2024-04-10 Thread Mauro Matteo Cascella
Hi, On Wed, Apr 10, 2024 at 9:05 AM Philippe Mathieu-Daudé wrote: > > If a fragmented packet size is too short, do not try to > calculate its checksum. This was assigned CVE-2024-3567. Thanks, > Reproduced using: > > $ cat << EOF | qemu-system-i386 -display none -nodefaults \ >

[Stable-8.2.3 01/87] Revert "configure: run plugin TCG tests again"

2024-04-10 Thread Michael Tokarev
This reverts commit 6eeeb8733177db7bc23fb2e7271dea759b47e4f9. This commit has been wrongly back-ported to 8.2.x: $config_host_mak in master didn't include the tests/tcg/ prefix, while 8.2.0 did. The result of this "backport" is this message during configure: ../configure: 1679: cannot create

[Stable-8.2.3 37/87] target/i386: fix direction of "32-bit MMU" test

2024-04-10 Thread Michael Tokarev
From: Paolo Bonzini The low bit of MMU indices for x86 TCG indicates whether the processor is in 32-bit mode and therefore linear addresses have to be masked to 32 bits. However, the index was computed incorrectly, leading to possible conflicts in the TLB for any address above 4G. Analyzed-by: M

Re: [PATCH] MAINTAINERS: Update Sriram Yagnaraman mail address

2024-04-10 Thread Philippe Mathieu-Daudé
On 28/2/24 09:06, Sriram Yagnaraman wrote: Due to company policies, I have changed my mail address. Updating MAINTAINERS and .mailmap to show my latest mail address. Signed-off-by: Sriram Yagnaraman --- .mailmap| 1 + MAINTAINERS | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-)

[Stable-8.2.3 22/87] hw/nvme: Use pcie_sriov_num_vfs()

2024-04-10 Thread Michael Tokarev
From: Akihiko Odaki nvme_sriov_pre_write_ctrl() used to directly inspect SR-IOV configurations to know the number of VFs being disabled due to SR-IOV configuration writes, but the logic was flawed and resulted in out-of-bound memory access. It assumed PCI_SRIOV_NUM_VF always has the number of cu

[Stable-8.2.3 82/87] migration/postcopy: ensure preempt channel is ready before loading states

2024-04-10 Thread Michael Tokarev
From: Wei Wang Before loading the guest states, ensure that the preempt channel is ready to use, as some of the states (e.g. via virtio_load) might trigger page faults that will be handled through the preempt channel. So yield to the main thread in the case that the channel create event has

[Stable-8.2.3 66/87] target/riscv/vector_helpers: do early exit when vstart >= vl

2024-04-10 Thread Michael Tokarev
From: Daniel Henrique Barboza We're going to make changes that will require each helper to be responsible for the 'vstart' management, i.e. we will relieve the 'vstart < vl' assumption that helpers have today. Helpers are usually able to deal with vstart >= vl, i.e. doing nothing aside from set

[Stable-8.2.3 62/87] target/riscv/vector_helper.c: set vstart = 0 in GEN_VEXT_VSLIDEUP_VX()

2024-04-10 Thread Michael Tokarev
From: Daniel Henrique Barboza The helper isn't setting env->vstart = 0 after its execution, as it is expected from every vector instruction that completes successfully. Signed-off-by: Daniel Henrique Barboza Reviewed-by: Richard Henderson Reviewed-by: Alistair Francis Reviewed-by: LIU Zhiwei

[Stable-8.2.3 76/87] migration/postcopy: Ensure postcopy_start() sets errp if it fails

2024-04-10 Thread Michael Tokarev
From: Avihai Horon There are several places where postcopy_start() fails without setting errp. This can cause a null pointer de-reference, as in case of error, the caller of postcopy_start() copies/prints the error set in errp. Fix it by setting errp in all of postcopy_start() error paths. Cc:

[Stable-8.2.3 49/87] target/hppa: fix do_stdby_e()

2024-04-10 Thread Michael Tokarev
From: Sven Schnelle stdby,e,m was writing data from the wrong half of the register into memory for cases 0-3. Fixes: 25460fc5a71 ("target/hppa: Implement STDBY") Signed-off-by: Sven Schnelle Reviewed-by: Richard Henderson Message-Id: <20240319161921.487080-7-sv...@stackframe.org> Signed-off-by

[Stable-8.2.3 28/87] nbd/server: only traverse NBDExport->clients from main loop thread

2024-04-10 Thread Michael Tokarev
From: Stefan Hajnoczi The NBD clients list is currently accessed from both the export AioContext and the main loop thread. When the AioContext lock is removed there will be nothing protecting the clients list. Adding a lock around the clients list is tricky because NBDClient structs are refcount

[Stable-8.2.3 40/87] target/i386: Revert monitor_puts() in do_inject_x86_mce()

2024-04-10 Thread Michael Tokarev
From: Tao Su monitor_puts() doesn't check the monitor pointer, but do_inject_x86_mce() may have a parameter with NULL monitor pointer. Revert monitor_puts() in do_inject_x86_mce() to fix, then the fact that we send the same message to monitor and log is again more obvious. Fixes: bf0c50d4aa85 (m

[Stable-8.2.3 72/87] virtio-net: Fix vhost virtqueue notifiers for RSS

2024-04-10 Thread Michael Tokarev
From: Akihiko Odaki virtio_net_guest_notifier_pending() and virtio_net_guest_notifier_mask() checked VIRTIO_NET_F_MQ to know there are multiple queues, but VIRTIO_NET_F_RSS also enables multiple queues. Refer to n->multiqueue, which is set to true either of VIRTIO_NET_F_MQ or VIRTIO_NET_F_RSS is

[Stable-8.2.3 43/87] target/hppa: Fix assemble_12a insns for wide mode

2024-04-10 Thread Michael Tokarev
From: Richard Henderson Tested-by: Helge Deller Reported-by: Sven Schnelle Signed-off-by: Richard Henderson (cherry picked from commit 46174e140d274385b1255bc7f16a5a711853053f) Signed-off-by: Michael Tokarev diff --git a/target/hppa/insns.decode b/target/hppa/insns.decode index 9c6f92444c..5

[Stable-8.2.3 86/87] virtio-snd: Enhance error handling for invalid transfers

2024-04-10 Thread Michael Tokarev
From: Zheyu Ma This patch improves error handling in virtio_snd_handle_tx_xfer() and virtio_snd_handle_rx_xfer() in the VirtIO sound driver. Previously, 'goto' statements were used for error paths, leading to unnecessary processing and potential null pointer dereferences. Now, 'continue' is used

[Stable-8.2.3 60/87] hw/scsi/scsi-generic: Fix io_timeout property not applying

2024-04-10 Thread Michael Tokarev
From: Lorenz Brun The io_timeout property, introduced in c9b6609 (part of 6.0) is silently overwritten by the hardcoded default value of 30 seconds (DEFAULT_IO_TIMEOUT) in scsi_generic_realize because that function is being called after the properties have already been applied. The property defi

[Stable-8.2.3 75/87] target/hppa: Clear psw_n for BE on use_nullify_skip path

2024-04-10 Thread Michael Tokarev
From: Richard Henderson Along this path we have already skipped the insn to be nullified, so the subsequent insn should be executed. Cc: qemu-sta...@nongnu.org Reported-by: Sven Schnelle Tested-by: Sven Schnelle Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Richard Henderson (cherry pic

[Stable-8.2.3 71/87] target/riscv/kvm: fix timebase-frequency when using KVM acceleration

2024-04-10 Thread Michael Tokarev
From: Yong-Xuan Wang The timebase-frequency of the guest OS should be the same as the host machine's. The timebase-frequency value in DTS should be obtained from the hypervisor when using KVM acceleration. Signed-off-by: Yong-Xuan Wang Message-ID: <20240314061510.9800-1-yongxuan.w...@sifive.com> Reviewed-by: An

[Stable-8.2.3 79/87] target/arm: take HSTR traps of cp15 accesses to EL2, not EL1

2024-04-10 Thread Michael Tokarev
From: Peter Maydell The HSTR_EL2 register allows the hypervisor to trap AArch32 EL1 and EL0 accesses to cp15 registers. We incorrectly implemented this so they trap to EL1 when we detect the need for a HSTR trap at code generation time. (The check in access_check_cp_reg() which we do at runtime

[Stable-8.2.3 83/87] target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3

2024-04-10 Thread Michael Tokarev
From: Peter Maydell When we do an AT address translation operation, the page table walk is supposed to be performed in the context of the EL we're doing the walk for, so for instance an AT S1E2R walk is done for EL2. In the pseudocode an EL is passed to AArch64.AT(), which calls SecurityStateAtE

[Stable-8.2.3 70/87] target/riscv: Fix mode in riscv_tlb_fill

2024-04-10 Thread Michael Tokarev
From: Irina Ryapolova Need to convert mmu_idx to privilege mode for PMP function. Signed-off-by: Irina Ryapolova Fixes: b297129ae1 ("target/riscv: propagate PMP permission to TLB page") Reviewed-by: Alistair Francis Reviewed-by: Daniel Henrique Barboza Message-ID: <20240320172828.23965-1-irin

[Stable-8.2.3 58/87] iotests: add test for stream job with an unaligned prefetch read

2024-04-10 Thread Michael Tokarev
From: Fiona Ebner Previously, bdrv_pad_request() could not deal with a NULL qiov when a read needed to be aligned. During prefetch, a stream job will pass a NULL qiov. Add a test case to cover this scenario. By accident, also covers a previous race during shutdown, where block graph changes duri

[Stable-8.2.3 85/87] vdpa-dev: Fix the issue of device status not updating when configuration interruption is triggered

2024-04-10 Thread Michael Tokarev
From: lyx634449800 The set_config callback function vhost_vdpa_device_get_config in vdpa-dev does not fetch the current device status from the hardware device, causing the guest OS to not receive the latest device status information. The hardware updates the config status of the vdpa device and

[Stable-8.2.3 74/87] tcg/optimize: Fix sign_mask for logical right-shift

2024-04-10 Thread Michael Tokarev
From: Richard Henderson The 'sign' computation is attempting to locate the sign bit that has been repeated, so that we can test if that bit is known zero. That computation can be zero if there are no known sign repetitions. Cc: qemu-sta...@nongnu.org Fixes: 93a967fbb57 ("tcg/optimize: Propagate

[Stable-8.2.3 87/87] virtio-snd: rewrite invalid tx/rx message handling

2024-04-10 Thread Michael Tokarev
From: Manos Pitsidianakis The current handling of invalid virtqueue elements inside the TX/RX virt queue handlers is wrong. They are added in a per-stream invalid queue to be processed after the handler is done examining each message, but the invalid message might not be specifying any stream_id

[Stable-8.2.3 36/87] target/i386: use separate MMU indexes for 32-bit accesses

2024-04-10 Thread Michael Tokarev
From: Paolo Bonzini Accesses from a 32-bit environment (32-bit code segment for instruction accesses, EFER.LMA==0 for processor accesses) have to mask away the upper 32 bits of the address. While a bit wasteful, the easiest way to do so is to use separate MMU indexes. These days, QEMU anyway is

[Stable-8.2.3 69/87] target/riscv: rvv: Remove the dependency of Zvfbfmin to Zfbfmin

2024-04-10 Thread Michael Tokarev
From: Max Chou According to the Zvfbfmin definition in the RISC-V BF16 extensions spec, the Zvfbfmin extension only requires either the V extension or the Zve32f extension. Signed-off-by: Max Chou Reviewed-by: Alistair Francis Message-ID: <20240321170929.1162507-1-max.c...@sifive.com> Signed-o

Re: vhost-user-blk reconnect issue

2024-04-10 Thread Yajun Wu
On 4/2/2024 4:44 PM, Li Feng wrote: *External email: Use caution opening links or attachments* Hi, I tested it today and there is indeed a problem in this scenario. It seems that the first version of the patch is the best and can handle all scenarios. With this patch, the previously merged

Re: [PATCH-for-9.0? v2] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()

2024-04-10 Thread Jason Wang
On Wed, Apr 10, 2024 at 3:06 PM Akihiko Odaki wrote: > > On 2024/04/10 16:04, Philippe Mathieu-Daudé wrote: > > If a fragmented packet size is too short, do not try to > > calculate its checksum. > > > > Reproduced using: > > > >$ cat << EOF | qemu-system-i386 -display none -nodefaults \ > >

Re: [PATCH-for-9.0? v2] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()

2024-04-10 Thread Philippe Mathieu-Daudé
On 10/4/24 09:35, Mauro Matteo Cascella wrote: Hi, On Wed, Apr 10, 2024 at 9:05 AM Philippe Mathieu-Daudé wrote: If a fragmented packet size is too short, do not try to calculate its checksum. This was assigned CVE-2024-3567. Thanks for the quick reaction! Reproduced using: $ cat <<

Re: [PATCH v2 1/1] virtio-pci: Fix the crash that the vector was used after released.

2024-04-10 Thread Jason Wang
Offline: On Wed, Apr 10, 2024 at 2:28 PM Cindy Lu wrote: > > On Wed, Apr 10, 2024 at 1:36 PM Jason Wang wrote: > > > > On Wed, Apr 10, 2024 at 1:29 PM Cindy Lu wrote: > > > > > > When the guest triggers vhost_stop and then virtio_reset, the vector will > > > the > > > IRQFD for this vector wil
