git.proxmox.com Git - mirror_qemu.git/log
2 years ago | MAINTAINERS: Remove me as a reviewer for the build and test/avocado
Willian Rampazzo [Mon, 29 Nov 2021 14:09:30 +0000 (14:09 +0000)]
MAINTAINERS: Remove me as a reviewer for the build and test/avocado

Remove me as a reviewer for the Build and test automation and the
Integration Testing with the Avocado Framework and add Beraldo
Leal.

Signed-off-by: Willian Rampazzo <willianr@redhat.com>
Reviewed-by: Beraldo Leal <bleal@redhat.com>
Message-Id: <20211122191124.31620-1-willianr@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20211129140932.4115115-7-alex.bennee@linaro.org>

2 years ago | gdbstub: handle a potentially racing TaskState
Alex Bennée [Mon, 29 Nov 2021 14:09:29 +0000 (14:09 +0000)]
gdbstub: handle a potentially racing TaskState

When dealing with multi-threaded userspace programs there is a race
condition with the addition of cpu->opaque (aka TaskState). This is
due to cpu_copy calling cpu_create which updates the global vCPU list.
However the task state isn't set until later. This shouldn't be a
problem because the new thread can't have executed anything yet but
the gdbstub code does liberally iterate through the CPU list in
various places.

This sticking plaster ensures the not yet fully realized vCPU is given
a pid of -1 which should be enough to ensure it doesn't show up
anywhere else.

In the longer term I think the code that manages the association
between vCPUs and attached GDB processes could do with a clean-up and
re-factor.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Cc: Richard Henderson <richard.henderson@linaro.org>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/730
Message-Id: <20211129140932.4115115-6-alex.bennee@linaro.org>

2 years ago | plugins/meson.build: fix linker issue with weird paths
Alex Bennée [Mon, 29 Nov 2021 14:09:28 +0000 (14:09 +0000)]
plugins/meson.build: fix linker issue with weird paths

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Stefan Weil <sw@weilnetz.de>
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/712
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20211129140932.4115115-5-alex.bennee@linaro.org>

2 years ago | tests/avocado: fix tcg_plugin mem access count test
Alex Bennée [Mon, 29 Nov 2021 14:09:27 +0000 (14:09 +0000)]
tests/avocado: fix tcg_plugin mem access count test

When we cleaned up argument handling the test was missed.

Fixes: 5ae589faad ("tests/plugins/mem: introduce "track" arg and make args not positional")
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20211129140932.4115115-4-alex.bennee@linaro.org>

2 years ago | accel/tcg: suppress IRQ check for special TBs
Alex Bennée [Mon, 29 Nov 2021 14:09:26 +0000 (14:09 +0000)]
accel/tcg: suppress IRQ check for special TBs

When we set cpu->cflags_next_tb it is because we want to carefully
control the execution of the next TB. Currently there is a race that
causes the second stage of watchpoint handling to get ignored if an
IRQ is processed before we finish executing the instruction that
triggers the watchpoint. Use the new CF_NOIRQ facility to avoid the
race.

We also suppress IRQs when handling precise self modifying code to
avoid unnecessary bouncing.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Cc: Pavel Dovgalyuk <pavel.dovgalyuk@ispras.ru>
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/245
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20211129140932.4115115-3-alex.bennee@linaro.org>

2 years ago | accel/tcg: introduce CF_NOIRQ
Alex Bennée [Mon, 29 Nov 2021 14:09:25 +0000 (14:09 +0000)]
accel/tcg: introduce CF_NOIRQ

Here we introduce a new compiler flag to disable the checking of exit
request (icount_decr.u32). This is useful when we want to ensure the
next block cannot be preempted by an asynchronous event.

Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20211129140932.4115115-2-alex.bennee@linaro.org>

2 years ago | Merge tag 'pull-target-arm-20211129' of https://git.linaro.org/people/pmaydell/qemu...
Richard Henderson [Mon, 29 Nov 2021 10:56:07 +0000 (11:56 +0100)]
Merge tag 'pull-target-arm-20211129' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
 * virt: Diagnose attempts to enable MTE or virt when using HVF accelerator
 * GICv3 ITS: Allow clearing of ITS CTLR Enabled bit
 * GICv3: Update cached state after LPI state changes
 * GICv3: Fix handling of LPIs in list registers

# gpg: Signature made Mon 29 Nov 2021 11:34:46 AM CET
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full]

* tag 'pull-target-arm-20211129' of https://git.linaro.org/people/pmaydell/qemu-arm:
  hw/intc/arm_gicv3: fix handling of LPIs in list registers
  hw/intc/arm_gicv3: Add new gicv3_intid_is_special() function
  hw/intc/arm_gicv3: Update cached state after LPI state changes
  hw/intc: cannot clear GICv3 ITS CTLR[Enabled] bit
  hw/arm/virt: Extend nested and mte checks to hvf

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

2 years ago | hw/intc/arm_gicv3: fix handling of LPIs in list registers
Peter Maydell [Fri, 26 Nov 2021 16:39:15 +0000 (16:39 +0000)]
hw/intc/arm_gicv3: fix handling of LPIs in list registers

It is valid for an OS to put virtual interrupt ID values into the
list registers ICH_LR<n> which are greater than 1023.  This
corresponds to (for example) KVM using the in-kernel emulated ITS to
give a (nested) guest an ITS.  LPIs are delivered by the L1 kernel to
the L2 guest via the list registers in the same way as non-LPI
interrupts.

QEMU's code for handling writes to ICV_IARn (which happen when the L2
guest acknowledges an interrupt) and to ICV_EOIRn (which happen at
the end of the interrupt) did not consider LPIs, so it would
incorrectly treat interrupt IDs above 1023 as invalid.  Fix this by
using the correct condition, which is gicv3_intid_is_special().

Note that the condition in icv_dir_write() is correct -- LPIs
are not valid there and so we want to ignore both "special" ID
values and LPIs.

(In the pseudocode this logic is in:
 - VirtualReadIAR0(), VirtualReadIAR1(), which call IsSpecial()
 - VirtualWriteEOIR0(), VirtualWriteEOIR1(), which call
     VirtualIdentifierValid(data, TRUE) meaning "LPIs OK"
 - VirtualWriteDIR(), which calls VirtualIdentifierValid(data, FALSE)
     meaning "LPIs not OK")

This bug doesn't seem to have any visible effect on Linux L2 guests
most of the time, because the two bugs cancel each other out: we
neither mark the interrupt active nor deactivate it.  However it does
mean that the L2 vCPU priority while the LPI handler is running will
not be correct, so the interrupt handler could be unexpectedly
interrupted by a different interrupt.

(NB: this has nothing to do with using QEMU's emulated ITS.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Marc Zyngier <maz@kernel.org>

2 years ago | hw/intc/arm_gicv3: Add new gicv3_intid_is_special() function
Peter Maydell [Fri, 26 Nov 2021 16:39:14 +0000 (16:39 +0000)]
hw/intc/arm_gicv3: Add new gicv3_intid_is_special() function

The GICv3/v4 pseudocode has a function IsSpecial() which returns true
if passed a "special" interrupt ID number (anything between 1020 and
1023 inclusive).  We open-code this condition in a couple of places,
so abstract it out into a new function gicv3_intid_is_special().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>

2 years ago | hw/intc/arm_gicv3: Update cached state after LPI state changes
Peter Maydell [Wed, 24 Nov 2021 20:20:05 +0000 (20:20 +0000)]
hw/intc/arm_gicv3: Update cached state after LPI state changes

The logic of gicv3_redist_update() is as follows:
 * it must be called in any code path that changes the state of
   (only) redistributor interrupts
 * if it finds a redistributor interrupt that is (now) higher
   priority than the previous highest-priority pending interrupt,
   then this must be the new highest-priority pending interrupt
 * if it does *not* find a better redistributor interrupt, then:
    - if the previous state was "no interrupts pending" then
      the new state is still "no interrupts pending"
    - if the previous best interrupt was not a redistributor
      interrupt then that remains the best interrupt
    - if the previous best interrupt *was* a redistributor interrupt,
      then the new best interrupt must be some non-redistributor
      interrupt, but we don't know which so must do a full scan

In commit 17fb5e36aabd4b2c125 we effectively added the LPI interrupts
as a kind of "redistributor interrupt" for this purpose, by adding
cs->hpplpi to the set of things that gicv3_redist_update() considers
before it gives up and decides to do a full scan of distributor
interrupts. However we didn't quite get this right:
 * the condition check for "was the previous best interrupt a
   redistributor interrupt" must be updated to include LPIs
   in what it considers to be redistributor interrupts
 * every code path which updates the LPI state which
   gicv3_redist_update() checks must also call gicv3_redist_update():
   this is cs->hpplpi and the GICR_CTLR ENABLE_LPIS bit

This commit fixes this by:
 * correcting the test on cs->hppi.irq in gicv3_redist_update()
 * making gicv3_redist_update_lpi() always call gicv3_redist_update()
 * introducing a new gicv3_redist_update_lpi_only() for the one
   callsite (the post-load hook) which must not call
   gicv3_redist_update()
 * making gicv3_redist_lpi_pending() always call gicv3_redist_update(),
   either directly or via gicv3_redist_update_lpi()
 * removing a couple of now-unnecessary calls to gicv3_redist_update()
   from some callers of those two functions
 * calling gicv3_redist_update() when the GICR_CTLR ENABLE_LPIS
   bit is cleared

(This means that the not-file-local gicv3_redist_* LPI related
functions now all take care of the updates of internally cached
GICv3 information, in the same way the older functions
gicv3_redist_set_irq() and gicv3_redist_send_sgi() do.)

The visible effect of this bug was that when the guest acknowledged
an LPI by reading ICC_IAR1_EL1, we marked it as not pending in the
LPI data structure but still left it in cs->hppi so we would offer it
to the guest again.  In particular for setups using an emulated GICv3
and ITS and using devices which use LPIs (i.e. PCI devices) a Linux
guest would complain "irq 54: nobody cared" and then hang.  (The hang
was intermittent, presumably depending on the timing between
different interrupts arriving and being completed.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20211124202005.989935-1-peter.maydell@linaro.org

2 years ago | hw/intc: cannot clear GICv3 ITS CTLR[Enabled] bit
Shashi Mallela [Wed, 24 Nov 2021 18:22:46 +0000 (13:22 -0500)]
hw/intc: cannot clear GICv3 ITS CTLR[Enabled] bit

When the Enabled bit is cleared in GITS_CTLR, the ITS feature continues
to be enabled. This patch fixes the issue.

Signed-off-by: Shashi Mallela <shashi.mallela@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20211124182246.67691-1-shashi.mallela@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

2 years ago | hw/arm/virt: Extend nested and mte checks to hvf
Alexander Graf [Tue, 23 Nov 2021 12:28:59 +0000 (13:28 +0100)]
hw/arm/virt: Extend nested and mte checks to hvf

The virt machine has properties to enable MTE and Nested Virtualization
support. However, its check to ensure the backing accel implementation
supports it today only looks for KVM and bails out if it finds it.

Extend the checks to HVF as well as it does not support either today.
This will cause QEMU to print a useful error message rather than
silently ignoring the attempt by the user to enable either MTE or
the Virtualization extensions.

Reported-by: saar amar <saaramar5@gmail.com>
Signed-off-by: Alexander Graf <agraf@csgraf.de>
Message-id: 20211123122859.22452-1-agraf@csgraf.de
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

2 years ago | Fix version for v6.2.0-rc2 release
Richard Henderson [Thu, 25 Nov 2021 09:44:43 +0000 (10:44 +0100)]
Fix version for v6.2.0-rc2 release

Typo while setting VERSION in the tag commit.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

2 years ago | Update version for v6.2.0-rc2 release
Richard Henderson [Wed, 24 Nov 2021 15:50:54 +0000 (16:50 +0100)]
Update version for v6.2.0-rc2 release

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

2 years ago | Merge tag 'pull-block-2021-11-23' of https://gitlab.com/hreitz/qemu into staging
Richard Henderson [Tue, 23 Nov 2021 16:22:21 +0000 (17:22 +0100)]
Merge tag 'pull-block-2021-11-23' of https://gitlab.com/hreitz/qemu into staging

Block patches for 6.2-rc2:
- Fix memory leak in vvfat when vvfat_open() fails
- iotest fixes for the gnutls crypto backend

# gpg: Signature made Tue 23 Nov 2021 04:58:05 PM CET
# gpg:                using RSA key CB62D7A0EE3829E45F004D34A1FA40D098019CDF
# gpg:                issuer "hreitz@redhat.com"
# gpg: Good signature from "Hanna Reitz <hreitz@redhat.com>" [marginal]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: CB62 D7A0 EE38 29E4 5F00  4D34 A1FA 40D0 9801 9CDF

* tag 'pull-block-2021-11-23' of https://gitlab.com/hreitz/qemu:
  iotests/149: Skip on unsupported ciphers
  iotests: Use aes-128-cbc
  block/vvfat.c fix leak when failure occurs

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

2 years ago | iotests/149: Skip on unsupported ciphers
Hanna Reitz [Wed, 17 Nov 2021 15:17:07 +0000 (16:17 +0100)]
iotests/149: Skip on unsupported ciphers

Whenever qemu-img or qemu-io report that some cipher is unsupported,
skip the whole test, because that is probably because qemu has been
configured with the gnutls crypto backend.

We could tailor the algorithm list to what gnutls supports, but this is
a test that is run rather rarely anyway (because it requires
password-less sudo), and so it seems better and easier to skip it.  When
this test is intentionally run to check LUKS compatibility, it seems
better not to limit the algorithms but keep the list extensive.

Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Message-Id: <20211117151707.52549-3-hreitz@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

2 years ago | iotests: Use aes-128-cbc
Hanna Reitz [Wed, 17 Nov 2021 15:17:06 +0000 (16:17 +0100)]
iotests: Use aes-128-cbc

Our gnutls crypto backend (which is the default as of 8bd0931f6)
supports neither twofish-128 nor the CTR mode.  CBC and aes-128 are
supported by all of our backends (as far as I can tell), so use
aes-128-cbc in our iotests.

(We could also use e.g. aes-256-cbc, but the different key sizes would
lead to different key slot offsets and so change the reference output
more, which is why I went with aes-128.)

Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Message-Id: <20211117151707.52549-2-hreitz@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Tested-by: Thomas Huth <thuth@redhat.com>

2 years ago | block/vvfat.c fix leak when failure occurs
Daniella Lee [Fri, 19 Nov 2021 11:25:53 +0000 (19:25 +0800)]
block/vvfat.c fix leak when failure occurs

The function vvfat_open calls the functions enable_write_target and init_directories,
and these functions malloc new memory for BDRVVVFATState::qcow_filename,
BDRVVVFATState::used_clusters, and BDRVVVFATState::cluster_buff.

When the specified folder does not exist, it may contain a memory leak.
After the init_directories function is executed, vvfat_open returns -EIO,
and bdrv_open_driver goes to label open_failed;
the program uses g_free(bs->opaque) to release the BDRVVVFATState struct
without the members mentioned.

command line:
qemu-system-x86_64 -hdb <vdisk qcow file>  -usb -device usb-storage,drive=fat16
-drive file=fat:rw:fat-type=16:"<path of a host folder does not exist>",
id=fat16,format=raw,if=none

enable_write_target called:
(gdb) bt
    at ../block/vvfat.c:3114
    flags=155650, errp=0x7fffffffd780) at ../block/vvfat.c:1236
    node_name=0x0, options=0x555556fa45d0, open_flags=155650,
    errp=0x7fffffffd890) at ../block.c:1558
    errp=0x7fffffffd890) at ../block.c:1852
    reference=0x0, options=0x555556fa45d0, flags=40962, parent=0x555556f98cd0,
    child_class=0x555556b1d6a0 <child_of_bds>, child_role=19,
    errp=0x7fffffffda90) at ../block.c:3779
    options=0x555556f9cfc0, bdref_key=0x555556239bb8 "file",
    parent=0x555556f98cd0, child_class=0x555556b1d6a0 <child_of_bds>,
    child_role=19, allow_none=true, errp=0x7fffffffda90) at ../block.c:3419
    reference=0x0, options=0x555556f9cfc0, flags=8194, parent=0x0,
    child_class=0x0, child_role=0, errp=0x555556c98c40 <error_fatal>)
    at ../block.c:3726
    options=0x555556f757b0, flags=0, errp=0x555556c98c40 <error_fatal>)
    at ../block.c:3872
    options=0x555556f757b0, flags=0, errp=0x555556c98c40 <error_fatal>)
    at ../block/block-backend.c:436
    bs_opts=0x555556f757b0, errp=0x555556c98c40 <error_fatal>)
    at ../blockdev.c:608
    errp=0x555556c98c40 <error_fatal>) at ../blockdev.c:992
......

Signed-off-by: Daniella Lee <daniellalee111@gmail.com>
Message-Id: <20211119112553.352222-1-daniellalee111@gmail.com>
[hreitz: Took commit message from v1]
Signed-off-by: Hanna Reitz <hreitz@redhat.com>

2 years ago | Merge tag 'pull-lu-20211123' of https://gitlab.com/rth7680/qemu into staging
Richard Henderson [Tue, 23 Nov 2021 10:33:14 +0000 (11:33 +0100)]
Merge tag 'pull-lu-20211123' of https://gitlab.com/rth7680/qemu into staging

Create common rewind_if_in_safe_syscall function.
Resolves pointer type issues with uc_mcontext.pc
on aarch64 between glibc and musl.

# gpg: Signature made Tue 23 Nov 2021 09:47:07 AM CET
# gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg:                issuer "richard.henderson@linaro.org"
# gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [ultimate]

* tag 'pull-lu-20211123' of https://gitlab.com/rth7680/qemu:
  linux-user/signal.c: Create a common rewind_if_in_safe_syscall
  linux-user: Add host_signal_set_pc to set pc in mcontext

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

2 years ago | Merge tag 'python-pull-request' of https://gitlab.com/jsnow/qemu into staging
Richard Henderson [Tue, 23 Nov 2021 08:41:09 +0000 (09:41 +0100)]
Merge tag 'python-pull-request' of https://gitlab.com/jsnow/qemu into staging

Python testing fixes for 6.2

A few more fixes to help eliminate race conditions from
device-crash-test, along with a fix that allows the SCM_RIGHTS
functionality to work on hosts that only have Python 3.6.

If this is too much this late in the RC process, I'd advocate for at
least patch 7/7 by itself.

# gpg: Signature made Tue 23 Nov 2021 03:37:17 AM CET
# gpg:                using RSA key F9B7ABDBBCACDF95BE76CBD07DEF8106AAFC390E
# gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>" [full]

* tag 'python-pull-request' of https://gitlab.com/jsnow/qemu:
  python/aqmp: fix send_fd_scm for python 3.6.x
  scripts/device-crash-test: Use a QMP timeout
  python/machine: handle "fast" QEMU terminations
  python/machine: move more variable initializations to _pre_launch
  python/machine: add instance disambiguator to default nickname
  python/machine: remove _remove_monitor_sockfile property
  python/machine: add @sock_dir property

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

2 years ago | linux-user/signal.c: Create a common rewind_if_in_safe_syscall
Warner Losh [Sat, 13 Nov 2021 04:56:00 +0000 (21:56 -0700)]
linux-user/signal.c: Create a common rewind_if_in_safe_syscall

All instances of rewind_if_in_safe_syscall are the same, differing only
in how the instruction pointer is fetched from the ucontext and the size
of the registers. Use host_signal_pc and new host_signal_set_pc
interfaces to fetch the pointer to the PC and adjust if needed. Delete
all the old copies of rewind_if_in_safe_syscall.

Acked-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Warner Losh <imp@bsdimp.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20211113045603.60391-3-imp@bsdimp.com>
[rth: include safe-syscall.h, simplify ifdefs]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

2 years ago | linux-user: Add host_signal_set_pc to set pc in mcontext
Warner Losh [Sat, 13 Nov 2021 04:55:59 +0000 (21:55 -0700)]
linux-user: Add host_signal_set_pc to set pc in mcontext

Add a new function host_signal_set_pc to set the next pc in an
mcontext. The caller should ensure this is a valid PC for execution.

Acked-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Warner Losh <imp@bsdimp.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20211113045603.60391-2-imp@bsdimp.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

2 years ago | Merge tag 'pull-target-arm-20211122-1' of https://git.linaro.org/people/pmaydell...
Richard Henderson [Tue, 23 Nov 2021 00:41:05 +0000 (01:41 +0100)]
Merge tag 'pull-target-arm-20211122-1' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
 * drop spurious bump of ITS vmstate version fields

# gpg: Signature made Mon 22 Nov 2021 07:43:19 PM CET
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full]

* tag 'pull-target-arm-20211122-1' of https://git.linaro.org/people/pmaydell/qemu-arm:
  hw/intc/arm_gicv3_its: Revert version increments in vmstate_its

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

2 years ago | python/aqmp: fix send_fd_scm for python 3.6.x
John Snow [Thu, 18 Nov 2021 20:46:20 +0000 (15:46 -0500)]
python/aqmp: fix send_fd_scm for python 3.6.x

3.6 doesn't play keepaway with the socket object, so we don't need to go
fishing for it on this version. In fact, so long as 'sendmsg' is still
available, it's probably preferable to just use that method and only go
fishing for forbidden details when we absolutely have to.

Reported-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Willian Rampazzo <willianr@redhat.com>
Message-id: 20211118204620.1897674-8-jsnow@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>

2 years ago | scripts/device-crash-test: Use a QMP timeout
John Snow [Thu, 18 Nov 2021 20:46:19 +0000 (15:46 -0500)]
scripts/device-crash-test: Use a QMP timeout

Despite all the previous fixes, it's still possible for
device-crash-test to wedge itself in the case that QEMU terminates *so
quickly* that it doesn't even begin a connection attempt to our QMP
client. Python will just joyfully wait ad infinitum for a connection
that will now never arrive.

The real fix is to use asyncio to simultaneously poll both the health of
the launched process AND the connection attempt. That's quite a bit more
invasive than just setting a connection timeout, though.

Do the very simplest thing for now.

Signed-off-by: John Snow <jsnow@redhat.com>
Message-id: 20211118204620.1897674-7-jsnow@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>

2 years ago | python/machine: handle "fast" QEMU terminations
John Snow [Thu, 18 Nov 2021 20:46:18 +0000 (15:46 -0500)]
python/machine: handle "fast" QEMU terminations

In the case that the QEMU process actually launches -- but then dies so
quickly that we can't establish a QMP connection to it -- QEMUMachine
currently calls _post_shutdown() assuming that it never launched the VM
process.

This isn't true, though: it "merely" may have failed to establish a QMP
connection and the process is in the middle of its own exit path.

If we don't wait for the subprocess, the caller may get a bogus `None`
return for .exitcode(). This behavior was observed from
device-crash-test; after the switch to Async QMP, the timings were
changed such that it was now seemingly possible to witness the failure
of "vm.launch()" *prior* to the exitcode becoming available.

The semantic of the `_launched` property is changed in this
patch. Instead of representing the condition "launch() executed
successfully", it will now represent "has forked a child process
successfully". This way, wait() when called in the exit path won't
become a no-op.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Willian Rampazzo <willianr@redhat.com>
Message-id: 20211118204620.1897674-6-jsnow@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>

2 years ago | python/machine: move more variable initializations to _pre_launch
John Snow [Thu, 18 Nov 2021 20:46:17 +0000 (15:46 -0500)]
python/machine: move more variable initializations to _pre_launch

No need to clear them only to set them later.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Willian Rampazzo <willianr@redhat.com>
Message-id: 20211118204620.1897674-5-jsnow@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>

2 years ago | python/machine: add instance disambiguator to default nickname
John Snow [Thu, 18 Nov 2021 20:46:16 +0000 (15:46 -0500)]
python/machine: add instance disambiguator to default nickname

If you create two instances of QEMUMachine(), they'll both create the
same nickname by default -- which is not that helpful.

Luckily, they'll both create unique temporary directories ... but due to
user configuration, they may share logging and sockfile directories,
meaning two instances can collide. The Python logging will also be quite
confusing, with no differentiation between the two instances.

Add an instance disambiguator (The memory address of the instance) to
the default nickname to foolproof this in all cases.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Willian Rampazzo <willianr@redhat.com>
Message-id: 20211118204620.1897674-4-jsnow@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>

2 years ago | python/machine: remove _remove_monitor_sockfile property
John Snow [Thu, 18 Nov 2021 20:46:15 +0000 (15:46 -0500)]
python/machine: remove _remove_monitor_sockfile property

It doesn't matter if it was the user or the class itself that specified
where the sockfile should be created; the fact is that if we are using a
sockfile here, we created it and we can clean it up.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Willian Rampazzo <willianr@redhat.com>
Message-id: 20211118204620.1897674-3-jsnow@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>

2 years ago | python/machine: add @sock_dir property
John Snow [Thu, 18 Nov 2021 20:46:14 +0000 (15:46 -0500)]
python/machine: add @sock_dir property

Analogous to temp_dir and log_dir, add a sock_dir property that defaults
to @temp_dir -- instead of base_temp_dir -- when the user hasn't
overridden the sock dir value in the initializer.

This gives us a much more unique directory to put sockfiles in by default.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Willian Rampazzo <willianr@redhat.com>
Message-id: 20211118204620.1897674-2-jsnow@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>

2 years ago | Merge tag 'pull-request-2021-11-22' of https://gitlab.com/thuth/qemu into staging
Richard Henderson [Mon, 22 Nov 2021 22:21:28 +0000 (23:21 +0100)]
Merge tag 'pull-request-2021-11-22' of https://gitlab.com/thuth/qemu into staging

* Documentation updates

# gpg: Signature made Mon 22 Nov 2021 03:05:39 PM CET
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg:                issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [full]

* tag 'pull-request-2021-11-22' of https://gitlab.com/thuth/qemu:
  docs: Render binary names as monospaced text
  docs: Use double quotes instead of single quotes for COLO
  docs: Drop deprecated 'props' from object-add
  Fix some typos in documentation (found by codespell)
  docs: List more commit-message tags in "submitting-a-patch"
  docs: Fix botched rST conversion of 'submitting-a-patch.rst'

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

2 years ago | hw/intc/arm_gicv3_its: Revert version increments in vmstate_its
Eric Auger [Mon, 22 Nov 2021 18:17:17 +0000 (18:17 +0000)]
hw/intc/arm_gicv3_its: Revert version increments in vmstate_its

Commit 18f6290a6a ("hw/intc: GICv3 ITS initial framework")
incremented version_id and minimum_version_id fields of
VMStateDescription vmstate_its. This breaks the migration between
6.2 and 6.1 with the following message:

qemu-system-aarch64: savevm: unsupported version 1 for 'arm_gicv3_its' v0
qemu-system-aarch64: load of migration failed: Invalid argument

Revert that change.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20211122171020.1195483-1-eric.auger@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

2 years ago | Merge tag 'pull-nbd-2021-11-22' of https://repo.or.cz/qemu/ericb into staging
Richard Henderson [Mon, 22 Nov 2021 18:15:05 +0000 (19:15 +0100)]
Merge tag 'pull-nbd-2021-11-22' of https://repo.or.cz/qemu/ericb into staging

nbd patches for 2021-11-22

- Eric Blake: Avoid uninitialized memory on client hard disconnect
- Eric Blake: Take advantage of block layer 64-bit zero/trim

# gpg: Signature made Mon 22 Nov 2021 02:55:07 PM CET
# gpg:                using RSA key 71C2CC22B1C4602927D2F3AAA7A16B4A2527436A
# gpg: Good signature from "Eric Blake <eblake@redhat.com>" [full]
# gpg:                 aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>" [full]
# gpg:                 aka "[jpeg image of size 6874]" [full]

* tag 'pull-nbd-2021-11-22' of https://repo.or.cz/qemu/ericb:
  nbd/server: Simplify zero and trim
  nbd/server: Don't complain on certain client disconnects

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

2 years ago | Merge tag 'pull-target-arm-20211122' of https://git.linaro.org/people/pmaydell/qemu...
Richard Henderson [Mon, 22 Nov 2021 15:35:54 +0000 (16:35 +0100)]
Merge tag 'pull-target-arm-20211122' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
 * revert SMCCC/PSCI change, as it regresses some usecases for some boards

# gpg: Signature made Mon 22 Nov 2021 02:42:19 PM CET
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full]

* tag 'pull-target-arm-20211122' of https://git.linaro.org/people/pmaydell/qemu-arm:
  Revert "arm: tcg: Adhere to SMCCC 1.3 section 5.2"

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2 years ago  docs: Render binary names as monospaced text
Philippe Mathieu-Daudé [Thu, 18 Nov 2021 19:27:44 +0000 (20:27 +0100)]
docs: Render binary names as monospaced text

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20211118192744.64325-1-philmd@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2 years ago  docs: Use double quotes instead of single quotes for COLO
Rao, Lei [Mon, 22 Nov 2021 07:49:47 +0000 (15:49 +0800)]
docs: Use double quotes instead of single quotes for COLO

Signed-off-by: Lei Rao <lei.rao@intel.com>
Message-Id: <1637567387-28250-2-git-send-email-lei.rao@intel.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2 years ago  docs: Drop deprecated 'props' from object-add
Rao, Lei [Mon, 22 Nov 2021 07:49:46 +0000 (15:49 +0800)]
docs: Drop deprecated 'props' from object-add

In commit 5024340745 "qapi/qom: Drop deprecated 'props' from
object-add" (v6.0.0), we should also update the documents.

Signed-off-by: Lei Rao <lei.rao@intel.com>
Message-Id: <1637567387-28250-1-git-send-email-lei.rao@intel.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2 years ago  Fix some typos in documentation (found by codespell)
Stefan Weil [Wed, 17 Nov 2021 21:07:02 +0000 (22:07 +0100)]
Fix some typos in documentation (found by codespell)

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Message-Id: <20211117210702.1393570-1-sw@weilnetz.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
[thuth: "what's" --> "what is" as suggested by philmd]
Signed-off-by: Thomas Huth <thuth@redhat.com>
2 years ago  docs: List more commit-message tags in "submitting-a-patch"
Kashyap Chamarthy [Fri, 19 Nov 2021 19:31:18 +0000 (20:31 +0100)]
docs: List more commit-message tags in "submitting-a-patch"

Add some more examples of commonly used commit-message tags.

(Thanks: Alex Bennée)

Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
Message-Id: <20211119193118.949698-3-kchamart@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2 years ago  docs: Fix botched rST conversion of 'submitting-a-patch.rst'
Kashyap Chamarthy [Fri, 19 Nov 2021 19:31:17 +0000 (20:31 +0100)]
docs: Fix botched rST conversion of 'submitting-a-patch.rst'

I completely botched up the merged[0] rST conversion of this document by
accidentally dropping entire hunks (!) of text. :-(  I made it very hard
for reviewers to spot it, as the omitted text was buried deep in the
document.  To fix my hatchet job, I reconverted the "SubmitAPatch"
wiki[1] page from scratch and replaced the existing rST with it, while
making sure I incorporated previous feedback.

In summary, in this reconverted edition:

- I did a careful (to the extent my eyes allowed) para-by-para
  comparison of the wiki and the rST to make sure I didn't omit
  anything accidentally.

- I made sure to work in the cosmetic feedback[2] that Thomas Huth
  pointed out in the merged (and botched) edition:

   - fix the hyperlinks in "Split up long patches"

   - replace ".". with "does not end with a dot" (in "Write a meaningful
     commit message" section)

   - replace "---" with ``---`` so that it doesn't render as an em-dash
     (there were two other occurrences; I fixed those too)

- Use "QEMU" spelling consistently in prose usage

- Add a consistent "refer to git-config" link where appropriate

Thanks to Thomas Huth and Alex Bennée for noticing it on IRC.  And sorry
for my sloppiness.

Fixes: 9f73de8df033 ("docs: rSTify the "SubmitAPatch" wiki")
[0] https://gitlab.com/qemu-project/qemu/-/commit/9f73de8df033
[1] https://wiki.qemu.org/index.php?title=Contribute/SubmitAPatch&oldid=10387
[2] https://lists.nongnu.org/archive/html/qemu-devel/2021-11/msg03600.html

Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
Message-Id: <20211119193118.949698-2-kchamart@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
[thuth: Some more cosmetic changes, fixed links from external to internal]
Signed-off-by: Thomas Huth <thuth@redhat.com>
2 years ago  Revert "arm: tcg: Adhere to SMCCC 1.3 section 5.2"
Peter Maydell [Mon, 22 Nov 2021 13:41:48 +0000 (13:41 +0000)]
Revert "arm: tcg: Adhere to SMCCC 1.3 section 5.2"

This reverts commit 9fcd15b9193e819b6cc2fd0a45e3506148812bb4.

This change turns out to cause regressions, for instance on the
imx6ul boards as described here:
https://lore.kernel.org/qemu-devel/c8b89685-7490-328b-51a3-48711c140a84@tribudubois.net/

The primary cause of that regression is that the guest code running
at EL3 expects SMCs (not related to PSCI) to do what they would if
our PSCI emulation was not present at all, but after this change
they instead set a value in R0/X0 and continue.

We could fix that by a refactoring that allowed us to only turn on
the PSCI emulation if we weren't booting the guest at EL3, but there
is a more tangled problem with the highbank board, which:
 (1) wants to enable PSCI emulation
 (2) has a bit of guest code that it wants to run at EL3 and
     to perform SMC calls that trap to the monitor vector table:
     this is the boot stub code that is written to memory by
     arm_write_secure_board_setup_dummy_smc() and which the
     highbank board enables by setting bootinfo->secure_board_setup

We can't satisfy both of those and also have the PSCI emulation
handle all SMC instruction executions regardless of function
identifier value.

This is too tricky to try to sort out before 6.2 is released;
revert this commit so we can take the time to get it right in
the 7.0 release.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20211119163419.557623-1-peter.maydell@linaro.org

2 years ago  nbd/server: Simplify zero and trim
Eric Blake [Wed, 17 Nov 2021 17:02:30 +0000 (11:02 -0600)]
nbd/server: Simplify zero and trim

Now that the block layer supports 64-bit operations (see commit
2800637a and friends, new to v6.2), we no longer have to self-fragment
requests larger than 2G, reverting the workaround added in 890cbccb08
("nbd: Fix large trim/zero requests", v5.1.0).

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20211117170230.1128262-3-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
2 years ago  nbd/server: Don't complain on certain client disconnects
Eric Blake [Wed, 17 Nov 2021 17:02:29 +0000 (11:02 -0600)]
nbd/server: Don't complain on certain client disconnects

When a client disconnects abruptly, but did not have any pending
requests (for example, when using nbdsh without calling h.shutdown),
we used to output the following message:

$ qemu-nbd -f raw file
$ nbdsh -u 'nbd://localhost:10809' -c 'h.trim(1,0)'
qemu-nbd: Disconnect client, due to: Failed to read request: Unexpected end-of-file before all bytes were read

Then in commit f148ae7, we refactored nbd_receive_request() to use
nbd_read_eof(); when this returns 0, we regressed into tracing
uninitialized memory (if tracing is enabled) and reporting a
less-specific:

qemu-nbd: Disconnect client, due to: Request handling failed in intermediate state

Note that with Unix sockets, we have yet another error message,
unchanged by the 6.0 regression:

$ qemu-nbd -k /tmp/sock -f raw file
$ nbdsh -u 'nbd+unix:///?socket=/tmp/sock' -c 'h.trim(1,0)'
qemu-nbd: Disconnect client, due to: Failed to send reply: Unable to write to socket: Broken pipe

But in all cases, the error message goes away if the client performs a
soft shutdown by using NBD_CMD_DISC, rather than a hard shutdown by
abrupt disconnect:

$ nbdsh -u 'nbd://localhost:10809' -c 'h.trim(1,0)' -c 'h.shutdown()'

This patch fixes things to avoid uninitialized memory, and in general
avoids warning about a client that does a hard shutdown when not in
the middle of a packet.  A client that aborts mid-request, or which
does not read the full server's reply, can still result in warnings,
but those are indeed much more unusual situations.

CC: qemu-stable@nongnu.org
Fixes: f148ae7d36 ("nbd/server: Quiesce coroutines on context switch", v6.0.0)
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
[eblake: defer unrelated typo fixes to later patch]
Message-Id: <20211117170230.1128262-2-eblake@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
2 years ago  Merge tag 'fixes-20211122-pull-request' of git://git.kraxel.org/qemu into staging
Richard Henderson [Mon, 22 Nov 2021 13:17:14 +0000 (14:17 +0100)]
Merge tag 'fixes-20211122-pull-request' of git://git.kraxel.org/qemu into staging

fixes for 6.2: microvm, ui, modules.

# gpg: Signature made Mon 22 Nov 2021 01:39:53 PM CET
# gpg:                using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]

* tag 'fixes-20211122-pull-request' of git://git.kraxel.org/qemu:
  microvm: check g_file_set_contents() return value
  microvm: add missing g_free() call
  hw/i386/microvm: Reduce annoying debug message in dt_setup_microvm()
  migration: fix dump-vmstate with modules
  ui/vnc-clipboard: fix adding notifier twice
  ui/gtk: graphic_hw_gl_flushed after closing dmabuf->fence_fd
  ui: fix incorrect pointer position on highdpi with gtk
  ui: fix incorrect scaling on highdpi with gtk/opengl

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2 years ago  microvm: check g_file_set_contents() return value
Gerd Hoffmann [Mon, 8 Nov 2021 13:07:18 +0000 (14:07 +0100)]
microvm: check g_file_set_contents() return value

Fixes: CID 1465239
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20211108130718.840216-3-kraxel@redhat.com>

2 years ago  microvm: add missing g_free() call
Gerd Hoffmann [Mon, 8 Nov 2021 13:07:17 +0000 (14:07 +0100)]
microvm: add missing g_free() call

Fixes: CID 1465240
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20211108130718.840216-2-kraxel@redhat.com>

2 years ago  hw/i386/microvm: Reduce annoying debug message in dt_setup_microvm()
Philippe Mathieu-Daudé [Wed, 17 Nov 2021 17:43:31 +0000 (18:43 +0100)]
hw/i386/microvm: Reduce annoying debug message in dt_setup_microvm()

Fixes: f5918a99283 ("microvm: add device tree support.")
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20211117174331.1715144-1-philmd@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years ago  migration: fix dump-vmstate with modules
Laurent Vivier [Tue, 16 Nov 2021 07:28:40 +0000 (08:28 +0100)]
migration: fix dump-vmstate with modules

To work correctly, -dump-vmstate and vmstate-static-checker.py need to
dump all the supported vmstates.

But as some devices can be modules, they are not loaded at startup and not
dumped. Fix that by loading all available modules before dumping the
machine vmstate.

Fixes: 7ab6e7fcce97 ("qdev: device module support")
Cc: kraxel@redhat.com
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20211116072840.132731-1-lvivier@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years ago  ui/vnc-clipboard: fix adding notifier twice
Vladimir Sementsov-Ogievskiy [Wed, 10 Nov 2021 10:38:00 +0000 (11:38 +0100)]
ui/vnc-clipboard: fix adding notifier twice

vnc_server_cut_text_caps() is not guaranteed to be called only once.

If it is called twice, we end up calling notifier_list_add() twice with the
same element, which leads to a loopback QLIST. So, on the next
notifier_list_notify() we'll loop forever and QEMU gets stuck.

So, let's only register a new notifier if it's not yet registered.

Note that a similar check is used in vdagent_chr_recv_caps() (before
calling qemu_clipboard_peer_register()), and also before the
qemu_clipboard_peer_unregister() call in vdagent_disconnect() and in
vnc_disconnect_finish().

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20211110103800.2266729-1-vsementsov@virtuozzo.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years ago  ui/gtk: graphic_hw_gl_flushed after closing dmabuf->fence_fd
Dongwon Kim [Sun, 21 Nov 2021 17:22:37 +0000 (09:22 -0800)]
ui/gtk: graphic_hw_gl_flushed after closing dmabuf->fence_fd

The dmabuf often becomes invalid right after unblocking the pipeline
and graphic_hw_gl_flushed in case a new scanout blob is submitted,
because the dmabuf associated with the current guest scanout is
freed after swapping.

So both graphic_hw_gl_block and graphic_hw_gl_flushed should be
executed after closing fence_fd for the current dmabuf.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Vivek Kasireddy <vivek.kasireddy@intel.com>
Signed-off-by: Dongwon Kim <dongwon.kim@intel.com>
Message-Id: <20211121172237.14937-1-dongwon.kim@intel.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years ago  ui: fix incorrect pointer position on highdpi with gtk
Alexander Orzechowski [Sun, 21 Nov 2021 06:55:04 +0000 (01:55 -0500)]
ui: fix incorrect pointer position on highdpi with gtk

Signed-off-by: Alexander Orzechowski <orzechowski.alexander@gmail.com>
Message-Id: <20211121065504.29101-3-orzechowski.alexander@gmail.com>

[ kraxel: codestyle fix ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years ago  ui: fix incorrect scaling on highdpi with gtk/opengl
Alexander Orzechowski [Sun, 21 Nov 2021 06:55:03 +0000 (01:55 -0500)]
ui: fix incorrect scaling on highdpi with gtk/opengl

Signed-off-by: Alexander Orzechowski <orzechowski.alexander@gmail.com>
Message-Id: <20211121065504.29101-2-orzechowski.alexander@gmail.com>

[ kraxel: codestyle fix ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years ago  Merge tag 'linux-user-for-6.2-pull-request' of git://github.com/vivier/qemu into...
Richard Henderson [Mon, 22 Nov 2021 09:33:12 +0000 (10:33 +0100)]
Merge tag 'linux-user-for-6.2-pull-request' of git://github.com/vivier/qemu into staging

linux-user pull request 20211122

Fixes for CID 1464101 and gitlab #704

# gpg: Signature made Mon 22 Nov 2021 09:22:37 AM CET
# gpg:                using RSA key CD2F75DDC8E3A4DC2E4F5173F30C38BD3F2FBE3C
# gpg:                issuer "laurent@vivier.eu"
# gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>" [full]
# gpg:                 aka "Laurent Vivier <laurent@vivier.eu>" [full]
# gpg:                 aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>" [full]

* tag 'linux-user-for-6.2-pull-request' of git://github.com/vivier/qemu:
  linux-user: fix Coverity CID 1464101
  linux-user: Rewrite do_getdents, do_getdents64
  linux-user: Fix member types of target_dirent64
  linux-user: Always use flexible arrays for dirent d_name
  linux-user: Split out do_getdents, do_getdents64

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2 years ago  linux-user: fix Coverity CID 1464101
Laurent Vivier [Sun, 21 Nov 2021 15:17:11 +0000 (16:17 +0100)]
linux-user: fix Coverity CID 1464101

target_mmap() can fail and return -1, but we don't check for that and
instead assume it's always valid.

Fixes: db2af69d6ba8 ("linux-user: Add infrastructure for a signal trampoline page")
Cc: richard.henderson@linaro.org
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20211121151711.331653-1-laurent@vivier.eu>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years ago  Merge tag 'pull-riscv-to-apply-20211122' of github.com:alistair23/qemu into staging
Richard Henderson [Mon, 22 Nov 2021 07:53:05 +0000 (08:53 +0100)]
Merge tag 'pull-riscv-to-apply-20211122' of github.com:alistair23/qemu into staging

Seventh RISC-V PR for QEMU 6.2

 - Deprecate IF_NONE for SiFive OTP
 - Don't reset SiFive OTP content

# gpg: Signature made Mon 22 Nov 2021 07:51:24 AM CET
# gpg:                using RSA key F6C4AC46D4934868D3B8CE8F21E10D29DF977054
# gpg: Good signature from "Alistair Francis <alistair@alistair23.me>" [full]

* tag 'pull-riscv-to-apply-20211122' of github.com:alistair23/qemu:
  hw/misc/sifive_u_otp: Do not reset OTP content on hardware reset
  hw/misc/sifive_u_otp: Use IF_PFLASH for the OTP device instead of IF_NONE

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2 years ago  hw/misc/sifive_u_otp: Do not reset OTP content on hardware reset
Philippe Mathieu-Daudé [Fri, 19 Nov 2021 10:47:57 +0000 (11:47 +0100)]
hw/misc/sifive_u_otp: Do not reset OTP content on hardware reset

Once a "One Time Programmable" is programmed, it shouldn't be reset.

Do not re-initialize the OTP content in the DeviceReset handler;
initialize it once in the DeviceRealize one.

Fixes: 9fb45c62ae8 ("riscv: sifive: Implement a model for SiFive FU540 OTP")
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20211119104757.331579-1-f4bug@amsat.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
2 years ago  hw/misc/sifive_u_otp: Use IF_PFLASH for the OTP device instead of IF_NONE
Thomas Huth [Fri, 19 Nov 2021 10:25:49 +0000 (11:25 +0100)]
hw/misc/sifive_u_otp: Use IF_PFLASH for the OTP device instead of IF_NONE

Configuring a drive with "if=none" is meant for creation of a backend
only; it should not get automatically assigned to a device frontend.
Use "if=pflash" for the One-Time-Programmable device instead (like
it is e.g. also done for the efuse device in hw/arm/xlnx-zcu102.c).

Since the old way of configuring the device has already been published
with the previous QEMU versions, we cannot remove this immediately, but
have to deprecate it and support it for at least two more releases.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20211119102549.217755-1-thuth@redhat.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
2 years ago  linux-user: Rewrite do_getdents, do_getdents64
Richard Henderson [Sun, 14 Nov 2021 10:35:39 +0000 (11:35 +0100)]
linux-user: Rewrite do_getdents, do_getdents64

Always allocate host storage; this ensures that the struct
is sufficiently aligned for the host.  Merge the three host
implementations of getdents via a few ifdefs.  Utilize the
same method for do_getdents64.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/704
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20211114103539.298686-5-richard.henderson@linaro.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years ago  linux-user: Fix member types of target_dirent64
Richard Henderson [Sun, 14 Nov 2021 10:35:38 +0000 (11:35 +0100)]
linux-user: Fix member types of target_dirent64

The host uint64_t (etc.) does not have the same
alignment constraint as the guest: use abi_* types.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20211114103539.298686-4-richard.henderson@linaro.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years ago  linux-user: Always use flexible arrays for dirent d_name
Richard Henderson [Sun, 14 Nov 2021 10:35:37 +0000 (11:35 +0100)]
linux-user: Always use flexible arrays for dirent d_name

We currently use a flexible array member for target_dirent,
but incorrectly use fixed-length arrays for target_dirent64,
linux_dirent and linux_dirent64.

This requires that we adjust the definition of the VFAT READDIR
ioctls which hard-code the 256 namelen size into the ioctl constant.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20211114103539.298686-3-richard.henderson@linaro.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years ago  linux-user: Split out do_getdents, do_getdents64
Richard Henderson [Sun, 14 Nov 2021 10:35:36 +0000 (11:35 +0100)]
linux-user: Split out do_getdents, do_getdents64

Retain all 3 implementations of getdents for now.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20211114103539.298686-2-richard.henderson@linaro.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2 years ago  Merge tag 'qemu-sparc-20211121' of git://github.com/mcayland/qemu into staging
Richard Henderson [Sun, 21 Nov 2021 13:12:25 +0000 (14:12 +0100)]
Merge tag 'qemu-sparc-20211121' of git://github.com/mcayland/qemu into staging

qemu-sparc queue

# gpg: Signature made Sun 21 Nov 2021 10:57:01 AM CET
# gpg:                using RSA key CC621AB98E82200D915CC9C45BC2C56FAE0F321F
# gpg:                issuer "mark.cave-ayland@ilande.co.uk"
# gpg: Good signature from "Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>" [full]

* tag 'qemu-sparc-20211121' of git://github.com/mcayland/qemu:
  escc: update the R_SPEC register SPEC_ALLSENT bit when writing to W_TXCTRL1
  escc: always set STATUS_TXEMPTY in R_STATUS on device reset

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2 years ago  escc: update the R_SPEC register SPEC_ALLSENT bit when writing to W_TXCTRL1
Mark Cave-Ayland [Thu, 18 Nov 2021 18:18:35 +0000 (18:18 +0000)]
escc: update the R_SPEC register SPEC_ALLSENT bit when writing to W_TXCTRL1

The ESCC datasheet states that SPEC_ALLSENT is always set in sync mode and set
in async mode once all characters have cleared the transmitter. Since writes to
SERIAL_DATA use a synchronous chardev API, the guest can never see the state when
transmission is in progress so it is possible to set SPEC_ALLSENT in the
R_SPEC register unconditionally.

This fixes a hang when using the Sun PROM as it attempts to enumerate the
onboard serial devices, and a similar hang in OpenBSD SPARC32 where in both cases
the boot process will not proceed until SPEC_ALLSENT has been set after writing
to W_TXCTRL1.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20211118181835.18497-3-mark.cave-ayland@ilande.co.uk>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2 years ago  escc: always set STATUS_TXEMPTY in R_STATUS on device reset
Mark Cave-Ayland [Thu, 18 Nov 2021 18:18:34 +0000 (18:18 +0000)]
escc: always set STATUS_TXEMPTY in R_STATUS on device reset

The "Transmit Interrupts and Transmit Buffer Empty Bit" section of the ESCC
datasheet states the following about the STATUS_TXEMPTY bit: "After a hardware
reset (including a hardware reset by software), or a channel reset, this bit
is set to 1".

Update escc_reset() to set the STATUS_TXEMPTY bit in the R_STATUS register
on device reset as described which fixes a regression whereby the Sun PROM
checks this bit early on startup and gets stuck in an infinite loop if it is
not set.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20211118181835.18497-2-mark.cave-ayland@ilande.co.uk>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
2 years ago  Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging
Richard Henderson [Fri, 19 Nov 2021 16:16:57 +0000 (17:16 +0100)]
Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

Bugfixes for 6.2.

# gpg: Signature made Fri 19 Nov 2021 10:33:29 AM CET
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [full]

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
  chardev/wctable: don't free the instance in wctablet_chr_finalize
  meson.build: Support ncurses on MacOS and OpenBSD
  docs: Spell QEMU all caps
  qtest/am53c974-test: add test for reset before transfer
  esp: ensure that async_len is reset to 0 during esp_hard_reset()
  nvmm: Fix support for stable version
  meson: fix botched compile check conversions

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2 years ago  Merge tag 'pull-ppc-20211119' of https://github.com/legoater/qemu into staging
Richard Henderson [Fri, 19 Nov 2021 12:39:19 +0000 (13:39 +0100)]
Merge tag 'pull-ppc-20211119' of https://github.com/legoater/qemu into staging

ppc 6.2 queue:

* fix pmu vmstate
* Fix compile of byte_reverse on new compilers

# gpg: Signature made Fri 19 Nov 2021 12:49:30 PM CET
# gpg:                using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1
# gpg: Good signature from "Cédric Le Goater <clg@kaod.org>" [marginal]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: A0F6 6548 F048 95EB FE6B  0B60 51A3 43C7 CFFB ECA1

* tag 'pull-ppc-20211119' of https://github.com/legoater/qemu:
  tests/tcg/ppc64le: Fix compile flags for byte_reverse
  pmu: fix pmu vmstate subsection list

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2 years ago  Merge tag 'nvme-fixes-for-6.2-pull-request' of git://git.infradead.org/qemu-nvme...
Richard Henderson [Fri, 19 Nov 2021 10:01:46 +0000 (11:01 +0100)]
Merge tag 'nvme-fixes-for-6.2-pull-request' of git://git.infradead.org/qemu-nvme into staging

hw/nvme fixes

* Fix CVE-2021-3947
* Controller hotplugging fixes

# gpg: Signature made Fri 19 Nov 2021 08:59:03 AM CET
# gpg:                using RSA key 522833AA75E2DCE6A24766C04DE1AF316D4F0DE9
# gpg: Good signature from "Klaus Jensen <its@irrelevant.dk>" [unknown]
# gpg:                 aka "Klaus Jensen <k.jensen@samsung.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: DDCA 4D9C 9EF9 31CC 3468  4272 63D5 6FC5 E55D A838
#      Subkey fingerprint: 5228 33AA 75E2 DCE6 A247  66C0 4DE1 AF31 6D4F 0DE9

* tag 'nvme-fixes-for-6.2-pull-request' of git://git.infradead.org/qemu-nvme:
  hw/nvme: fix buffer overrun in nvme_changed_nslist (CVE-2021-3947)
  hw/nvme: change nvme-ns 'shared' default
  hw/nvme: reattach subsystem namespaces on hotplug

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2 years ago  chardev/wctable: don't free the instance in wctablet_chr_finalize
Daniil Tatianin [Wed, 17 Nov 2021 14:23:49 +0000 (17:23 +0300)]
chardev/wctable: don't free the instance in wctablet_chr_finalize

The object is supposed to be freed by invoking obj->free, and not
obj->instance_finalize. This would lead to a use-after-free followed by
a double free in object_unref/object_finalize.

Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20211117142349.836279-1-d-tatianin@yandex-team.ru>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years ago  meson.build: Support ncurses on MacOS and OpenBSD
Stefan Weil [Wed, 17 Nov 2021 20:53:55 +0000 (21:53 +0100)]
meson.build: Support ncurses on MacOS and OpenBSD

MacOS provides header files for curses 5.7 with support
for wide characters, but requires _XOPEN_SOURCE_EXTENDED=1
to activate that.

By default those old header files are used even if there
is a newer Homebrew installation of ncurses 6.2 available.

Also change the old macro definition of NCURSES_WIDECHAR
and set it to 1 like it is done in newer versions of
curses.h when _XOPEN_SOURCE_EXTENDED=1 is defined.

OpenBSD has the same version of ncurses and needs the same fix.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Tested-by: Brad Smith <brad@comstyle.com>
Message-Id: <20211117205355.1392292-1-sw@weilnetz.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years ago  docs: Spell QEMU all caps
Philippe Mathieu-Daudé [Thu, 18 Nov 2021 14:34:01 +0000 (15:34 +0100)]
docs: Spell QEMU all caps

Replace Qemu -> QEMU.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20211118143401.4101497-1-philmd@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years ago  qtest/am53c974-test: add test for reset before transfer
Mark Cave-Ayland [Thu, 18 Nov 2021 10:03:27 +0000 (10:03 +0000)]
qtest/am53c974-test: add test for reset before transfer

Based upon the qtest reproducer posted to Gitlab issue #724 at
https://gitlab.com/qemu-project/qemu/-/issues/724.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Acked-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20211118100327.29061-3-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years ago  esp: ensure that async_len is reset to 0 during esp_hard_reset()
Mark Cave-Ayland [Thu, 18 Nov 2021 10:03:26 +0000 (10:03 +0000)]
esp: ensure that async_len is reset to 0 during esp_hard_reset()

If a reset command is sent after data has been transferred into the SCSI buffer,
ensure that async_len is reset to 0. Otherwise a subsequent TI command assumes
the SCSI buffer contains data to be transferred to the device, causing it to
dereference the stale async_buf pointer.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/724
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20211118100327.29061-2-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years ago  nvmm: Fix support for stable version
nia [Wed, 13 Oct 2021 13:54:17 +0000 (13:54 +0000)]
nvmm: Fix support for stable version

NVMM user version 1 is the version being shipped with netbsd-9,
which is the most recent stable branch of NetBSD. This makes it
possible to use the NVMM accelerator on the most recent NetBSD
release, 9.2, which lacks nvmm_cpu_stop.

(CC'ing maintainers)

Signed-off-by: Nia Alarie <nia@NetBSD.org>
Reviewed-by: Kamil Rytarowski <kamil@netbsd.org>
Message-Id: <YWblCe2J8GwCaV9U@homeworld.netbsd.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2 years ago  Merge tag 'net-pull-request' of https://github.com/jasowang/qemu into staging
Richard Henderson [Fri, 19 Nov 2021 08:49:16 +0000 (09:49 +0100)]
Merge tag 'net-pull-request' of https://github.com/jasowang/qemu into staging

# gpg: Signature made Fri 19 Nov 2021 04:45:32 AM CET
# gpg:                using RSA key EF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [marginal]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 6211

* tag 'net-pull-request' of https://github.com/jasowang/qemu:
  net/colo-compare.c: Fix incorrect return when input wrong size
  net/colo-compare.c: Fix ACK track reverse issue
  net: vmxnet3: validate configuration values during activate (CVE-2021-20203)

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2 years ago  hw/nvme: fix buffer overrun in nvme_changed_nslist (CVE-2021-3947)
Klaus Jensen [Wed, 17 Nov 2021 13:12:56 +0000 (14:12 +0100)]
hw/nvme: fix buffer overrun in nvme_changed_nslist (CVE-2021-3947)

Fix missing offset verification.

Cc: qemu-stable@nongnu.org
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
Fixes: f432fdfa121 ("support changed namespace asynchronous event")
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>

2 years ago  hw/nvme: change nvme-ns 'shared' default
Klaus Jensen [Fri, 24 Sep 2021 06:52:22 +0000 (08:52 +0200)]
hw/nvme: change nvme-ns 'shared' default

Change namespaces to be shared namespaces by default (parameter
shared=on). Keep shared=off for older machine types.

Reviewed-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>

2 years ago  hw/nvme: reattach subsystem namespaces on hotplug
Hannes Reinecke [Thu, 9 Sep 2021 09:43:08 +0000 (11:43 +0200)]
hw/nvme: reattach subsystem namespaces on hotplug

With commit 5ffbaeed16 ("hw/nvme: fix controller hot unplugging")
namespaces get moved from the controller to the subsystem if one
is specified.
That keeps the namespaces alive after a controller hot-unplug, but
after a controller hotplug we have to reconnect the namespaces
from the subsystem to the controller.

Fixes: 5ffbaeed16 ("hw/nvme: fix controller hot unplugging")
Cc: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Hannes Reinecke <hare@suse.de>
[k.jensen: only attach to shared and non-detached namespaces]
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>

2 years ago  net/colo-compare.c: Fix incorrect return when input wrong size
Zhang Chen [Thu, 18 Nov 2021 03:20:11 +0000 (11:20 +0800)]
net/colo-compare.c: Fix incorrect return when input wrong size

Signed-off-by: Zhang Chen <chen.zhang@intel.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>

2 years ago  net/colo-compare.c: Fix ACK track reverse issue
Zhang Chen [Thu, 18 Nov 2021 03:20:10 +0000 (11:20 +0800)]
net/colo-compare.c: Fix ACK track reverse issue

The TCP protocol ACK may be bigger than uint32_t MAX.
At this time, the ACK will reverse to 0. This patch
fixes the max_ack and min_ack track issue.

Signed-off-by: Zhang Chen <chen.zhang@intel.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
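
A worked illustration of the wraparound this commit describes, as an added example (not QEMU's net/colo-compare.c code): 32-bit TCP ACK numbers are compared with serial-number arithmetic (RFC 1982 style, signed difference) so that an ACK which has wrapped past UINT32_MAX back to a small value is still recognised as newer than the pre-wrap maximum. The `AckTracker` type, the function names and the constructed ACK sequence are assumptions for this example; a naive unsigned comparison is kept alongside for contrast.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not QEMU code.  Track the highest and lowest TCP ACK seen
 * on a connection.  ACK numbers live in a 32-bit space and wrap to 0 after
 * 0xFFFFFFFF, so a plain "ack > max_ack" stops updating once the counter
 * wraps.  Serial-number arithmetic interprets the difference a - b as a
 * signed 32-bit value, so a short forward distance across the wrap point
 * still counts as "after". */

typedef struct {
    uint32_t max_ack;
    uint32_t min_ack;
    bool     seen;      /* false until the first ACK arrives */
} AckTracker;

/* a is after b in 32-bit sequence space (forward distance below 2^31).
 * The cast of an out-of-range unsigned value relies on two's complement. */
static inline bool seq_after(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) > 0;
}

static inline bool seq_before(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) < 0;
}

void ack_tracker_init(AckTracker *t)
{
    t->max_ack = t->min_ack = 0;
    t->seen = false;
}

/* Wrap-aware update: the behaviour a fix for the wrap needs. */
void ack_tracker_update(AckTracker *t, uint32_t ack)
{
    if (!t->seen) {
        t->max_ack = t->min_ack = ack;
        t->seen = true;
        return;
    }
    if (seq_after(ack, t->max_ack)) {
        t->max_ack = ack;
    }
    if (seq_before(ack, t->min_ack)) {
        t->min_ack = ack;
    }
}

/* Naive update for contrast: plain unsigned comparison, which "reverses"
 * once the ACK wraps and leaves max_ack stuck at the pre-wrap value. */
void ack_tracker_update_naive(AckTracker *t, uint32_t ack)
{
    if (!t->seen) {
        t->max_ack = t->min_ack = ack;
        t->seen = true;
        return;
    }
    if (ack > t->max_ack) {
        t->max_ack = ack;
    }
    if (ack < t->min_ack) {
        t->min_ack = ack;
    }
}

/* Feed a sequence of ACKs through either tracker; returns the final max. */
uint32_t tracked_max(const uint32_t *acks, size_t n, bool wrap_aware)
{
    AckTracker t;
    ack_tracker_init(&t);
    for (size_t i = 0; i < n; i++) {
        if (wrap_aware) {
            ack_tracker_update(&t, acks[i]);
        } else {
            ack_tracker_update_naive(&t, acks[i]);
        }
    }
    return t.max_ack;
}

int main(void)
{
    /* Constructed ACK sequence that crosses the 2^32 boundary. */
    const uint32_t acks[] = { 0xFFFFFF00u, 0xFFFFFFF0u, 0x00000010u };
    size_t n = sizeof(acks) / sizeof(acks[0]);
    printf("wrap-aware max_ack: 0x%08x\n", tracked_max(acks, n, true));
    printf("naive max_ack:      0x%08x\n", tracked_max(acks, n, false));
    return 0;
}
```

The same signed-difference trick is what the Linux kernel's `before()`/`after()` sequence macros do; the only precondition is that two compared values are never more than 2^31 apart, which holds for any live TCP window.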

2 years ago  net: vmxnet3: validate configuration values during activate (CVE-2021-20203)
Prasad J Pandit [Sat, 30 Jan 2021 13:16:52 +0000 (18:46 +0530)]
net: vmxnet3: validate configuration values during activate (CVE-2021-20203)

While activating the device in vmxnet3_activate_device(), it does not
validate guest-supplied configuration values against predefined
minimum - maximum limits. This may lead to integer overflow or
OOB access issues. Add checks to avoid it.

Fixes: CVE-2021-20203
Buglink: https://bugs.launchpad.net/qemu/+bug/1913873
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
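
The pattern this fix describes, as an added example built on a hypothetical device model (it is not vmxnet3's shared-memory layout and not QEMU's hw/net/vmxnet3.c): a guest-writable configuration block is read at activation time, and every field is range-checked against fixed limits before any size arithmetic or array indexing uses it. The `GuestConfig` layout, the limits and `RING_DESC_SIZE` are assumptions; the unchecked variant is shown next to the hardened one so the 32-bit wrap is visible.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example with a hypothetical device model; not QEMU's vmxnet3 code.
 * The guest fills a shared-memory configuration block which the device
 * reads when it is activated.  Every field is attacker-controlled. */

#define RING_DESC_SIZE  16u     /* assumed bytes per ring descriptor */
#define RING_SIZE_MIN   32u     /* assumed limits on descriptors per ring */
#define RING_SIZE_MAX   4096u
#define QUEUES_MAX      8u      /* assumed size of the device's queue array */
#define MTU_MIN         60u
#define MTU_MAX         9000u

typedef struct {                /* assumed guest-visible layout */
    uint32_t num_queues;
    uint32_t ring_size;         /* descriptors per ring */
    uint32_t mtu;
} GuestConfig;

typedef struct {
    uint32_t num_queues;
    uint32_t ring_size;
    uint32_t mtu;
    uint32_t ring_bytes;        /* per-ring buffer size the device allocates */
    bool     active;
} DeviceState;

/* Vulnerable pattern: copies guest values straight into device state.
 * ring_size * RING_DESC_SIZE is 32-bit arithmetic and wraps, so a huge
 * ring_size yields a tiny (even zero) allocation that later descriptor
 * accesses overrun; num_queues above QUEUES_MAX indexes past the queue
 * array. */
bool activate_unchecked(const GuestConfig *cfg, DeviceState *st)
{
    st->num_queues = cfg->num_queues;
    st->ring_size  = cfg->ring_size;
    st->mtu        = cfg->mtu;
    st->ring_bytes = cfg->ring_size * RING_DESC_SIZE;   /* may wrap */
    st->active     = true;
    return true;
}

/* Hardened pattern: reject anything outside [min, max] before it is used,
 * and only then derive sizes.  With ring_size <= RING_SIZE_MAX the product
 * is at most 64 KiB, so it cannot overflow a uint32_t. */
bool activate_checked(const GuestConfig *cfg, DeviceState *st)
{
    if (cfg->num_queues == 0 || cfg->num_queues > QUEUES_MAX) {
        return false;
    }
    if (cfg->ring_size < RING_SIZE_MIN || cfg->ring_size > RING_SIZE_MAX) {
        return false;
    }
    if (cfg->mtu < MTU_MIN || cfg->mtu > MTU_MAX) {
        return false;
    }
    st->num_queues = cfg->num_queues;
    st->ring_size  = cfg->ring_size;
    st->mtu        = cfg->mtu;
    st->ring_bytes = cfg->ring_size * RING_DESC_SIZE;
    st->active     = true;
    return true;
}

int main(void)
{
    /* Constructed malicious configuration: ring_size chosen so that
     * ring_size * 16 == 2^32, which wraps to 0 in 32-bit arithmetic. */
    const GuestConfig evil = { .num_queues = 1, .ring_size = 0x10000000u, .mtu = 1500 };
    const GuestConfig sane = { .num_queues = 2, .ring_size = 512, .mtu = 1500 };
    DeviceState st = {0};

    activate_unchecked(&evil, &st);
    printf("unchecked: ring_size=0x%x ring_bytes=%u\n", st.ring_size, st.ring_bytes);
    printf("checked evil -> %s\n",
           activate_checked(&evil, &st) ? "accepted" : "rejected");
    printf("checked sane -> %s, ring_bytes=%u\n",
           activate_checked(&sane, &st) ? "accepted" : "rejected", st.ring_bytes);
    return 0;
}
```

The order matters: the range checks come before any value is copied into device state, so a rejected activation leaves no half-validated configuration behind for a later DMA or descriptor walk to trust.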

2 years ago  Merge tag 'sev-hashes-pull-request' of https://gitlab.com/berrange/qemu into staging
Richard Henderson [Thu, 18 Nov 2021 14:06:05 +0000 (15:06 +0100)]
Merge tag 'sev-hashes-pull-request' of https://gitlab.com/berrange/qemu into staging

Add property for requesting AMD SEV measured kernel launch

 - The 'sev-guest' object gains a boolean 'kernel-hashes' property
   which must be enabled to request a measured kernel launch.

# gpg: Signature made Thu 18 Nov 2021 02:33:25 PM CET
# gpg:                using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full]
# gpg:                 aka "Daniel P. Berrange <berrange@redhat.com>" [full]

* tag 'sev-hashes-pull-request' of https://gitlab.com/berrange/qemu:
  target/i386/sev: Replace qemu_map_ram_ptr with address_space_map
  target/i386/sev: Perform padding calculations at compile-time
  target/i386/sev: Fail when invalid hashes table area detected
  target/i386/sev: Rephrase error message when no hashes table in guest firmware
  target/i386/sev: Add kernel hashes only if sev-guest.kernel-hashes=on
  qapi/qom,target/i386: sev-guest: Introduce kernel-hashes=on|off option

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

2 years ago  target/i386/sev: Replace qemu_map_ram_ptr with address_space_map
Dov Murik [Thu, 11 Nov 2021 10:00:48 +0000 (10:00 +0000)]
target/i386/sev: Replace qemu_map_ram_ptr with address_space_map

Use address_space_map/unmap and check for errors.

Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Acked-by: Brijesh Singh <brijesh.singh@amd.com>
[Two lines wrapped for length - Daniel]
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

2 years ago  target/i386/sev: Perform padding calculations at compile-time
Dov Murik [Thu, 11 Nov 2021 10:00:47 +0000 (10:00 +0000)]
target/i386/sev: Perform padding calculations at compile-time

In sev_add_kernel_loader_hashes, the sizes of structs are known at
compile-time, so calculate needed padding at compile-time.

No functional change intended.

Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Brijesh Singh <brijesh.singh@amd.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

2 years ago  target/i386/sev: Fail when invalid hashes table area detected
Dov Murik [Thu, 11 Nov 2021 10:00:46 +0000 (10:00 +0000)]
target/i386/sev: Fail when invalid hashes table area detected

Commit cff03145ed3c ("sev/i386: Introduce sev_add_kernel_loader_hashes
for measured linux boot", 2021-09-30) introduced measured direct boot
with -kernel, using an OVMF-designated hashes table which QEMU fills.

However, no checks are performed on the validity of the hashes area
designated by OVMF.  Specifically, if OVMF publishes the
SEV_HASH_TABLE_RV_GUID entry but it is filled with zeroes, this will
cause QEMU to write the hashes entries over the first page of the
guest's memory (GPA 0).

Add validity checks to the published area.  If the hashes table area's
base address is zero, or its size is too small to fit the aligned hashes
table, display an error and stop the guest launch.  In such case, the
following error will be displayed:

    qemu-system-x86_64: SEV: guest firmware hashes table area is invalid (base=0x0 size=0x0)

Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Reported-by: Brijesh Singh <brijesh.singh@amd.com>
Acked-by: Brijesh Singh <brijesh.singh@amd.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
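
The validity check this commit describes, as an added example in the same spirit (illustrative code, not QEMU's target/i386/sev.c): the base and size published by the guest firmware are treated as untrusted input, a zero base is refused (the zero-filled GUID entry that would otherwise send the hashes table to GPA 0), and the aligned table must fit inside the area without the address arithmetic wrapping. The `HashesArea` descriptor, `HASH_TABLE_ALIGN`, the table length and the constructed descriptors are assumptions; the error string follows the format quoted in the commit message.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <inttypes.h>

/* Added example; illustrative, not QEMU's sev.c.  The guest firmware
 * (OVMF) publishes where QEMU may place the kernel/initrd/cmdline hashes
 * table.  That descriptor is data read out of the firmware image, so it is
 * validated before anything is written into guest memory. */

#define HASH_TABLE_ALIGN 16u            /* assumed alignment of the table */

typedef struct {                        /* assumed shape of the published entry */
    uint64_t base;                      /* guest physical address */
    uint32_t size;                      /* bytes available at base */
} HashesArea;

/* Round v up to a multiple of align (a power of two); false on overflow. */
static bool align_up_u64(uint64_t v, uint64_t align, uint64_t *out)
{
    uint64_t mask = align - 1;
    if (v > UINT64_MAX - mask) {
        return false;
    }
    *out = (v + mask) & ~mask;
    return true;
}

/* Returns true and the aligned destination in *dest if a table of
 * table_len bytes fits in the area.  Rejects a zero base or size (the
 * zero-filled entry), an area too small for the aligned table, and any
 * base/size combination whose end address wraps. */
bool hashes_area_valid(const HashesArea *a, size_t table_len,
                       uint64_t *dest, char *err, size_t errlen)
{
    uint64_t aligned_base, area_end, table_end;

    if (a->base == 0 || a->size == 0) {
        goto invalid;
    }
    if (a->base > UINT64_MAX - a->size) {           /* base + size wraps */
        goto invalid;
    }
    area_end = a->base + a->size;
    if (!align_up_u64(a->base, HASH_TABLE_ALIGN, &aligned_base)) {
        goto invalid;
    }
    if (aligned_base > UINT64_MAX - table_len) {    /* dest + len wraps */
        goto invalid;
    }
    table_end = aligned_base + table_len;
    if (table_end > area_end) {                     /* too small once aligned */
        goto invalid;
    }
    *dest = aligned_base;
    return true;

invalid:
    snprintf(err, errlen,
             "SEV: guest firmware hashes table area is invalid (base=0x%" PRIx64
             " size=0x%" PRIx32 ")", a->base, a->size);
    return false;
}

int main(void)
{
    /* Constructed descriptors: a zero-filled entry, a good one, and one
     * whose size is enough only before alignment is applied. */
    const HashesArea zeroed = { 0, 0 };
    const HashesArea good   = { 0x00810000u, 0x100 };
    const HashesArea tight  = { 0x00810008u, 0x80 };
    const HashesArea *cases[] = { &zeroed, &good, &tight };
    char err[128];
    uint64_t dest;

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        if (hashes_area_valid(cases[i], 0x80, &dest, err, sizeof err)) {
            printf("ok: table at 0x%" PRIx64 "\n", dest);
        } else {
            printf("%s\n", err);
        }
    }
    return 0;
}
```

The check is deliberately done on the descriptor alone, before any mapping of guest memory; a caller that only validates after mapping has already trusted the firmware-supplied address once.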

2 years ago  target/i386/sev: Rephrase error message when no hashes table in guest firmware
Dov Murik [Thu, 11 Nov 2021 10:00:45 +0000 (10:00 +0000)]
target/i386/sev: Rephrase error message when no hashes table in guest firmware

Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Acked-by: Brijesh Singh <brijesh.singh@amd.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

2 years ago  target/i386/sev: Add kernel hashes only if sev-guest.kernel-hashes=on
Dov Murik [Thu, 11 Nov 2021 10:00:44 +0000 (10:00 +0000)]
target/i386/sev: Add kernel hashes only if sev-guest.kernel-hashes=on

Commit cff03145ed3c ("sev/i386: Introduce sev_add_kernel_loader_hashes
for measured linux boot", 2021-09-30) introduced measured direct boot
with -kernel, using an OVMF-designated hashes table which QEMU fills.

However, if OVMF doesn't designate such an area, QEMU would completely
abort the VM launch.  This breaks launching with -kernel using older
OVMF images which don't publish the SEV_HASH_TABLE_RV_GUID.

Fix that so QEMU will only look for the hashes table if the sev-guest
kernel-hashes option is set to on.  Otherwise, QEMU won't look for the
designated area in OVMF and won't fill that area.

To enable addition of kernel hashes, launch the guest with:

    -object sev-guest,...,kernel-hashes=on

Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Reported-by: Tom Lendacky <thomas.lendacky@amd.com>
Acked-by: Brijesh Singh <brijesh.singh@amd.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

2 years ago  qapi/qom,target/i386: sev-guest: Introduce kernel-hashes=on|off option
Dov Murik [Thu, 11 Nov 2021 10:00:43 +0000 (10:00 +0000)]
qapi/qom,target/i386: sev-guest: Introduce kernel-hashes=on|off option

Introduce new boolean 'kernel-hashes' option on the sev-guest object.
It will be used to decide whether to add the hashes of
kernel/initrd/cmdline to SEV guest memory when booting with -kernel.
The default value is 'off'.

Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Acked-by: Brijesh Singh <brijesh.singh@amd.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

2 years ago  Merge tag 'vfio-fixes-20211117.0' of git://github.com/awilliam/qemu-vfio into staging
Richard Henderson [Thu, 18 Nov 2021 08:39:47 +0000 (09:39 +0100)]
Merge tag 'vfio-fixes-20211117.0' of git://github.com/awilliam/qemu-vfio into staging

VFIO fixes 2021-11-17

 * Fix hostwin memory leak (Peng Liang)

# gpg: Signature made Wed 17 Nov 2021 08:05:09 PM CET
# gpg:                using RSA key 42F6C04E540BD1A99E7B8A90239B9B6E3BB08B22
# gpg:                issuer "alex.williamson@redhat.com"
# gpg: Good signature from "Alex Williamson <alex.williamson@redhat.com>" [full]
# gpg:                 aka "Alex Williamson <alex@shazbot.org>" [full]
# gpg:                 aka "Alex Williamson <alwillia@redhat.com>" [full]
# gpg:                 aka "Alex Williamson <alex.l.williamson@gmail.com>" [full]

* tag 'vfio-fixes-20211117.0' of git://github.com/awilliam/qemu-vfio:
  vfio: Fix memory leak of hostwin

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

2 years ago  vfio: Fix memory leak of hostwin
Peng Liang [Wed, 17 Nov 2021 01:47:39 +0000 (09:47 +0800)]
vfio: Fix memory leak of hostwin

hostwin is allocated and added to hostwin_list in vfio_host_win_add, but
it is only deleted from hostwin_list in vfio_host_win_del, which causes
a memory leak.  Also, freeing all elements in hostwin_list is missing in
vfio_disconnect_container.

Fix: 2e4109de8e58 ("vfio/spapr: Create DMA window dynamically (SPAPR IOMMU v2)")
CC: qemu-stable@nongnu.org
Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Link: https://lore.kernel.org/r/20211117014739.1839263-1-liangpeng10@huawei.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>

2 years ago  tests/tcg/ppc64le: Fix compile flags for byte_reverse
Richard Henderson [Wed, 17 Nov 2021 17:33:53 +0000 (18:33 +0100)]
tests/tcg/ppc64le: Fix compile flags for byte_reverse

With a host compiler new enough to recognize power10 insns,
CROSS_CC_HAS_POWER10 is true, but we do not supply the -cpu
option to the compiler, resulting in

/tmp/ccAVdYJd.s: Assembler messages:
/tmp/ccAVdYJd.s:49: Error: unrecognized opcode: `brh'
/tmp/ccAVdYJd.s:78: Error: unrecognized opcode: `brw'
/tmp/ccAVdYJd.s:107: Error: unrecognized opcode: `brd'
make[2]: *** [byte_reverse] Error 1

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Cédric Le Goater <clg@kaod.org>

2 years ago  pmu: fix pmu vmstate subsection list
Laurent Vivier [Tue, 16 Nov 2021 15:08:37 +0000 (16:08 +0100)]
pmu: fix pmu vmstate subsection list

The subsection is not closed by a NULL marker so this can trigger
a segfault when the pmu vmstate is saved.

This can be easily shown with:

  $ ./qemu-system-ppc64  -dump-vmstate vmstate.json
  Segmentation fault (core dumped)

Fixes: d811d61fbc6c ("mac_newworld: add PMU device")
Cc: mark.cave-ayland@ilande.co.uk
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: Cédric Le Goater <clg@kaod.org>

2 years ago  Merge tag 'pull-request-2021-11-17' of https://gitlab.com/thuth/qemu into staging
Richard Henderson [Wed, 17 Nov 2021 11:35:51 +0000 (12:35 +0100)]
Merge tag 'pull-request-2021-11-17' of https://gitlab.com/thuth/qemu into staging

* Remove some unused #defines in s390x code
* rSTify some of the development process pages from the Wiki
* Revert a useless patch in the device-crash-test script
* Bump timeout of the Cirrus-CI jobs to 80 minutes

# gpg: Signature made Wed 17 Nov 2021 11:13:43 AM CET
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg:                issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [full]

* tag 'pull-request-2021-11-17' of https://gitlab.com/thuth/qemu:
  gitlab-ci/cirrus: Increase timeout to 80 minutes
  Revert "device-crash-test: Ignore errors about a bus not being available"
  docs: rSTify the "SubmitAPatch" wiki
  docs: rSTify the "SubmitAPullRequest" wiki
  docs: rSTify the "TrivialPatches" wiki
  target/s390x/cpu.h: Remove unused SIGP_MODE defines

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

2 years ago  Merge tag 'pull-riscv-to-apply-20211117-1' of github.com:alistair23/qemu into staging
Richard Henderson [Wed, 17 Nov 2021 09:51:29 +0000 (10:51 +0100)]
Merge tag 'pull-riscv-to-apply-20211117-1' of github.com:alistair23/qemu into staging

Sixth RISC-V PR for QEMU 6.2

 - Fix build for riscv hosts
 - Sort code alphabetically

# gpg: Signature made Wed 17 Nov 2021 10:19:25 AM CET
# gpg:                using RSA key F6C4AC46D4934868D3B8CE8F21E10D29DF977054
# gpg: Good signature from "Alistair Francis <alistair@alistair23.me>" [full]

* tag 'pull-riscv-to-apply-20211117-1' of github.com:alistair23/qemu:
  meson.build: Merge riscv32 and riscv64 cpu family
  target/riscv: machine: Sort the .subsections

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

2 years ago  gitlab-ci/cirrus: Increase timeout to 80 minutes
Thomas Huth [Tue, 16 Nov 2021 16:33:09 +0000 (17:33 +0100)]
gitlab-ci/cirrus: Increase timeout to 80 minutes

The jobs on Cirrus-CI sometimes get delayed quite a bit, waiting to
be scheduled, so while the build test itself finishes within 60 minutes,
the total run time of the jobs can be longer due to this waiting time.
Thus let's increase the timeout on the gitlab side a little bit, so
that these jobs are not marked as failing just because of the delay.

Message-Id: <20211116163309.246602-1-thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Willian Rampazzo <willianr@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

2 years ago  Revert "device-crash-test: Ignore errors about a bus not being available"
Thomas Huth [Fri, 12 Nov 2021 07:22:20 +0000 (08:22 +0100)]
Revert "device-crash-test: Ignore errors about a bus not being available"

This reverts commit ca89d15f8e42f2e5eac5bd200af38fdbfb32e875.

There is already an entry for this kind of messages earlier in the
ERROR_RULE_LIST - when I added this patch, I just got fooled by
the other errors that occur due to a race between QMP connection
and QEMU terminating early (which still spit out the 'No bus found'
messages in their backtrace), but these other problems have now
fortunately been tackled by John Snow, so we certainly don't need
this duplicated entry here anymore.

Message-Id: <20211112072220.108580-1-thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

2 years ago  meson.build: Merge riscv32 and riscv64 cpu family
Richard Henderson [Tue, 16 Nov 2021 09:50:42 +0000 (10:50 +0100)]
meson.build: Merge riscv32 and riscv64 cpu family

In ba0e73336200, we merged riscv32 and riscv64 in configure.
However, meson does not treat them the same.  We need to merge
them here as well.

Fixes: ba0e73336200
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20211116095042.335224-1-richard.henderson@linaro.org
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>

2 years ago  target/riscv: machine: Sort the .subsections
Bin Meng [Sat, 30 Oct 2021 03:06:06 +0000 (11:06 +0800)]
target/riscv: machine: Sort the .subsections

Move the code around so that the order of .subsections matches
the one they are referenced in vmstate_riscv_cpu.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20211030030606.32297-1-bmeng.cn@gmail.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>

2 years ago  docs: rSTify the "SubmitAPatch" wiki
Kashyap Chamarthy [Wed, 10 Nov 2021 14:49:02 +0000 (15:49 +0100)]
docs: rSTify the "SubmitAPatch" wiki

- The original wiki is here[1]. I copied the wiki source[2] into a .wiki
  file, and used `pandoc` to convert it to rST:

    $> pandoc -f Mediawiki -t rst submitting-a-patch.wiki -o submitting-a-patch.rst

- The only minor touch-ups I did were to fix URLs.  But 99%, it is a 1-1
  conversion.

  (An example of a "touch-up": under the section "Patch emails must
  include a Signed-off-by: line", I updated the "see SubmittingPatches
  1.12"  to "1.12) Sign your work")

- I have also converted a couple other related wiki pages (included in
  this patch series) that were hyperlinked within the SubmitAPatch page,
  or a page that it refers to:

  - SubmitAPullRequest: https://wiki.qemu.org/Contribute/SubmitAPullRequest
  - TrivialPatches: https://wiki.qemu.org/Contribute/TrivialPatches

- Over time, many people contributed to this wiki page; you can find all
  the authors in the wiki history[3].

[1] https://wiki.qemu.org/Contribute/SubmitAPatch
[2] http://wiki.qemu.org/index.php?title=Contribute/SubmitAPatch&action=edit
[3] http://wiki.qemu.org/index.php?title=Contribute/SubmitAPatch&action=history

Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
Message-Id: <20211110144902.388183-4-kchamart@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
[thuth: Cosmetic fixes]
Signed-off-by: Thomas Huth <thuth@redhat.com>

2 years ago  docs: rSTify the "SubmitAPullRequest" wiki
Kashyap Chamarthy [Wed, 10 Nov 2021 14:49:01 +0000 (15:49 +0100)]
docs: rSTify the "SubmitAPullRequest" wiki

The original wiki is here[1].  I converted it by copying the wiki source
into a .wiki file and converting it to rST using `pandoc`:

    $ pandoc -f Mediawiki -t rst submitting-a-pull-request.wiki \
        -o submitting-a-pull-request.rst

This is a 1-1 conversion; no content changes.

[1] https://wiki.qemu.org/Contribute/SubmitAPullRequest

Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20211110144902.388183-3-kchamart@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

2 years ago  docs: rSTify the "TrivialPatches" wiki
Kashyap Chamarthy [Wed, 10 Nov 2021 14:49:00 +0000 (15:49 +0100)]
docs: rSTify the "TrivialPatches" wiki

The original wiki is here[1].  I converted it by copying the wiki source
into a .wiki file and converting it to rST using `pandoc`:

        $ pandoc -f Mediawiki -t rst trivial-patches.wiki -o trivial-patches.rst

Update the active maintainer names (and drop Michael Tokarev's inactive
repo) to reflect current reality.

[1] https://wiki.qemu.org/Contribute/TrivialPatches

Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20211110144902.388183-2-kchamart@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>