From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619327; cv=none; d=zohomail.com; s=zohoarc; b=S50d1N6BRUOFB3WQ3kUnM4wsRzAqsvdrrmAZMJG+ZTXCPign1SdtQlQHHekmU3208BIEdoGnuSsbhmB2zHVMQCacCQHj61hTyedNCpCkXlK4IT1WSHvKHtg+caMiKC42xmevoR+7+gNjKP1WxDIYHyFTMBPd4DvghaiIIV0ik/U= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619327; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=gLWMhHT4bDkobKyo9D2IZDYUkrRPsJ7SyKqcgflPg+I=; b=J7JxKWNRu2yQ/0c6MEZSUOlvwb2Zh/xqtx9xKq5U7IsHsN+wWD4WFbLl/7R4toXoRZFdZVilgXlnvsCJ0QRIiHpazVQd2pDx6BgGn9KbXjT5oTMSbGyQyhh/D8wtvmLpnQmx5QVBbwjLMPDlxS2ReKnFSeqUzP0Id6k6W0GEt70= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619327829634.6707410767275; Tue, 12 May 2026 13:55:27 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu8F-0003xO-Qv; Tue, 12 May 2026 16:55:13 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu85-0003sh-4n; Tue, 12 May 2026 16:55:03 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) 
(envelope-from ) id 1wMu81-0002bN-Ra; Tue, 12 May 2026 16:55:00 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 67DDE1AA2CD; Tue, 12 May 2026 23:54:33 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 6E8293ABC3E; Tue, 12 May 2026 23:54:37 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619273; bh=s7EcSwO6NdZNoeJZ8alhR5BEWxbxZ01fkpBzNjt0LYk=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=ua1G/dn0OzwWvrKxelkaOiwF44QtH+9/4dusDv8gJMvzdLFzysDHvzYuY/5AmRO/Q 8HgwSJG1dotadoHbKo+jWVEoH7HaOpmPeitnuXgtdc1LxAkfebYt68bg9c1tK/CVpA +Yjj2i++qJCzxYYraqnsFY0/8iGxKvVtTirdP1Fh4CUUAX2q3NjkunjjgvQtHms3E2 lciOuP5c1UGeMIhKOhHlEGxfd3dagXvatT6Fn1RFgQEfL3SoAc2yHnFYtAhUMoa/C8 y+OvUlrMXvljmZW+Ef/bsOTS7AzGuaRxNpSepvlWV7ELGeRRmXTc6A/vwQouh8ySwH yRlohsneQGutw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Alex=20Benn=C3=A9e?= , Yodel Eldar , Thomas Huth , Michael Tokarev Subject: [Stable-10.0.10 001/107] hw/net/rtl8319: Work around GCC sanitizer / -Wstringop-overflow bug Date: Tue, 12 May 2026 23:52:48 +0300 Message-ID: <20260512205437.360850-1-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619335361154100 
From: Peter Maydell If you compile QEMU with GCC with -fsanitize=3Daddress and -Wstringop-overflow, this causes GCC to produce a false-positive warning which it does not produce when the sanitizer is not enabled (and which makes compilation fail if you're using -Werror, as we do by default for builds from git): ../../hw/net/rtl8139.c: In function =E2=80=98rtl8139_io_writeb=E2=80=99: ../../hw/net/rtl8139.c:2264:17: error: writing 8 bytes into a region of siz= e 0 [-Werror=3Dstringop-overflow=3D] 2264 | memcpy(data_to_checksum, saved_ip_header + 12, 8); | ^ In file included from ../../hw/net/rtl8139.c:62: /home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into dest= ination object =E2=80=98ip_ver_len=E2=80=99 of size 1 50 | uint8_t ip_ver_len; /* version and header length */ | ^~~~~~~~~~ ../../hw/net/rtl8139.c:2192:21: error: writing 8 bytes into a region of siz= e 0 [-Werror=3Dstringop-overflow=3D] 2192 | memcpy(data_to_checksum, saved_ip_header + 12, = 8); | ^ /home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into dest= ination object =E2=80=98ip_ver_len=E2=80=99 of size 1 50 | uint8_t ip_ver_len; /* version and header length */ | ^~~~~~~~~~ ../../hw/net/rtl8139.c:2192:21: error: writing 8 bytes into a region of siz= e 0 [-Werror=3Dstringop-overflow=3D] 2192 | memcpy(data_to_checksum, saved_ip_header + 12, = 8); | ^ /home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into dest= ination object =E2=80=98ip_ver_len=E2=80=99 of size 1 50 | uint8_t ip_ver_len; /* version and header length */ | ^~~~~~~~~~ In file included from /home/pm215/qemu/include/system/memory.h:21, from /home/pm215/qemu/include/hw/pci/pci.h:4, from /home/pm215/qemu/include/hw/pci/pci_device.h:4, from ../../hw/net/rtl8139.c:54: In function =E2=80=98stl_he_p=E2=80=99, inlined from =E2=80=98stl_be_p=E2=80=99 at /home/pm215/qemu/include/qem= u/bswap.h:371:5, inlined from =E2=80=98rtl8139_cplus_transmit_one=E2=80=99 at ../../hw/n= et/rtl8139.c:2244:21, 
inlined from =E2=80=98rtl8139_cplus_transmit=E2=80=99 at ../../hw/net/r= tl8139.c:2345:28, inlined from =E2=80=98rtl8139_io_writeb=E2=80=99 at ../../hw/net/rtl813= 9.c:2728:17: /home/pm215/qemu/include/qemu/bswap.h:284:5: error: writing 4 bytes into a = region of size 0 [-Werror=3Dstringop-overflow=3D] 284 | __builtin_memcpy(ptr, &v, sizeof(v)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /home/pm215/qemu/include/net/eth.h: In function =E2=80=98rtl8139_io_writeb= =E2=80=99: /home/pm215/qemu/include/net/eth.h:50:14: note: at offset [24, 64] into des= tination object =E2=80=98ip_ver_len=E2=80=99 of size 1 50 | uint8_t ip_ver_len; /* version and header length */ | ^~~~~~~~~~ This has been triaged as a bug in GCC: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D114494 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D99673 (the sanitizer pass rewrites the IR in a way that conflicts with its use by the warning pass that runs afterwards). Since this is the only place in our code where we hit this, work around it by disabling the -Wstringop-overflow in the part of the function that hits it. We do this only when using the address sanitizer on GCC, so that we still get the benefit of the warning in most compilation scenarios. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3006 Suggested-by: Daniel P. Berrang=C3=A9 Signed-off-by: Peter Maydell Tested-by: Alex Benn=C3=A9e Tested-by: Yodel Eldar Reviewed-by: Alex Benn=C3=A9e Reviewed-by: Thomas Huth Message-id: 20260305140512.1330691-1-peter.maydell@linaro.org (cherry picked from commit b83a42dc779a36b454ce6eeade4584018491faf4) Signed-off-by: Michael Tokarev diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c index 135ab57160..fb78b1184f 100644 --- a/hw/net/rtl8139.c +++ b/hw/net/rtl8139.c 
@@ -2131,6 +2131,26 @@ static int rtl8139_cplus_transmit_one(RTL8139State *= s) hlen, ip->ip_sum); } =20 + /* + * The code in this function triggers a GCC bug where an + * interaction between -fsanitize=3Daddress and -Wstringop-ove= rflow + * results in a false-positive stringop-overflow warning that = is + * only emitted when the address sanitizer is enabled: + * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D114494 + * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D99673 + * GCC incorrectly thinks that the eth_payload_data buffer has + * the type and size of the first field in 'struct ip_header',= i.e. + * one byte, and then complains about all other attempts to ac= cess + * data in the buffer. + * + * Work around this by disabling the warning when building with + * GCC and the address sanitizer is enabled. + */ +#pragma GCC diagnostic push +#if !defined(__clang__) && defined(QEMU_SANITIZE_ADDRESS) +#pragma GCC diagnostic ignored "-Wstringop-overflow" +#endif + if ((txdw0 & CP_TX_LGSEN) && ip_protocol =3D=3D IP_PROTO_TCP) { /* Large enough for the TCP header? */ 
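Review bot: The suppression region opened here by `#pragma GCC diagnostic push` is closed only by the `#pragma GCC diagnostic pop` in the second hunk (near line 2334), so in GCC address-sanitizer builds every copy into the packet buffer in between loses -Wstringop-overflow coverage, not only the calls GCC misreports. That block appears to process guest-supplied packet data, so I would mark both ends to keep the workaround from being widened or left behind by accident, for example `#pragma GCC diagnostic pop /* ends the -Wstringop-overflow workaround opened above */`. The comment should also say the workaround is to be dropped once the two referenced GCC bugs are fixed. Other build configurations still get the warning, so this is a documentation point rather than a defect. rtl8139_cplus_transmit_one starts and ends outside the hunk.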
@@ -2314,6 +2334,9 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) /* restore IP header */ memcpy(eth_payload_data, saved_ip_header, hlen); } + +#pragma GCC diagnostic pop + } =20 skip_offload: --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619360; cv=none; d=zohomail.com; s=zohoarc; b=D64C/MDKw3l36cpoXXKcgNdly6uaNZH43psitaxBIbNSHECOXlOdT3u9bntTT1FQ0hI9dJ3RhdcxYCkxGgI4UNg6wJO1InOU6HgUx4QBXXuV7qXKtVJgzmam140pA2ymxr+siQoxws5WDM3OZgPnrkgJjpngL3u9ByeaXD241cI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619360; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=stVD2uWuAalSeHMrJCjIv5ijsM43S7Q1EWDzHhvDRIs=; b=DX2nGSZjOBqR4BUiyxT8AwgDxo4faaiU8RqRtxuhOw1zk7LWx/90b2/Oans98XoCzB5RR+mzRxwHrdmiE7v6jF3Auxj802Dzw2vjqJUPobWVgL4WfrjLpTPdK1b3tNt8bt3s7V3Gg5zMkrW3U4FcBLvIETKUHLNHWviihk0gHAU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619359651768.3345058561088; Tue, 12 May 2026 13:55:59 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu8r-0004Gx-Pt; Tue, 12 May 2026 16:55:51 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) 
(envelope-from ) id 1wMu8A-0003uO-0I; Tue, 12 May 2026 16:55:06 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu87-0002mu-D6; Tue, 12 May 2026 16:55:05 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 77F5B1AA2CE; Tue, 12 May 2026 23:54:33 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 8369A3ABC3F; Tue, 12 May 2026 23:54:37 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619273; bh=oVpMHYrOe1hVRsgnmvIQkNX6E8D9+i02immjOp//NHw=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=g9g/gS1e3A3x40d5LuX8m7TJ6GhAhIsMXPLe2iC+LQaR7WpLg/HeFbHIk6ctcy0dS iVGYUZRp90sLCr82wbU2TLjQommuh37ZRStP2k9Jv9LQ3EfmWrM3/7Y0f09+hhahLg PCsLqQr+BqM60a6D8VzqLzgbSzwic5yq5jlrgW4cHQ8+MgnfFfaFn3OdcEu8KGs59G WnB1jMsBVxP1Eps9hmVa/zCUtC1VJbCAxq4G+IsUXJm0YssHURqC4GOWnYEqYtqmHF Kucj4l5mh5eJAmMq3houUvWgTdee+dciuYTGR7GlmkZa5DmZHTtiSxKX1GUzXxwFUm PGPz4QGc4yrow== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Razvan Ghiorghe , Helge Deller , Michael Tokarev Subject: [Stable-10.0.10 002/107] linux-user: Fix zero_bss for RX PT_LOAD segments Date: Tue, 12 May 2026 23:52:49 +0300 Message-ID: <20260512205437.360850-2-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619363784154100 Content-Type: text/plain; charset="utf-8" From: Razvan Ghiorghe zero_bss() incorrectly assumed that any PT_LOAD containing .bss must be writable, rejecting valid ELF binaries where .bss overlaps the tail of an RX file-backed page. Instead of failing, temporarily enable write access on the overlapping page to zero the fractional bss range, then restore the original page permissions once initialization is complete. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3179 Signed-off-by: Razvan Ghiorghe Reviewed-by: Helge Deller Signed-off-by: Helge Deller (cherry picked from commit 2ff529c6f64b706213339d4bbce76c7788243ddb) 
Signed-off-by: Michael Tokarev diff --git a/linux-user/elfload.c b/linux-user/elfload.c index fa83d78667..0f05db4715 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -2377,12 +2377,6 @@ static bool zero_bss(abi_ulong start_bss, abi_ulong = end_bss, { abi_ulong align_bss; =20 - /* We only expect writable bss; the code segment shouldn't need this. = */ - if (!(prot & PROT_WRITE)) { - error_setg(errp, "PT_LOAD with non-writable bss"); - return false; - } - align_bss =3D TARGET_PAGE_ALIGN(start_bss); end_bss =3D TARGET_PAGE_ALIGN(end_bss); =20 
@@ -2400,20 +2394,35 @@ static bool zero_bss(abi_ulong start_bss, abi_ulong= end_bss, */ align_bss -=3D TARGET_PAGE_SIZE; } else { + abi_ulong start_page_aligned =3D start_bss & TARGET_PAGE_MASK; /* - * The start of the bss shares a page with something. - * The only thing that we expect is the data section, - * which would already be marked writable. - * Overlapping the RX code segment seems malformed. + * The logical OR between flags and PAGE_WRITE works because + * in include/exec/page-protection.h they are defined as PROT_* + * values, matching mprotect(). + * Temporarily enable write access to zero the fractional bss. + * target_mprotect() handles TB invalidation if needed. */ if (!(flags & PAGE_WRITE)) { - error_setg(errp, "PT_LOAD with bss overlapping " - "non-writable page"); - return false; + if (target_mprotect(start_page_aligned, + TARGET_PAGE_SIZE, + prot | PAGE_WRITE) =3D=3D -1) { + error_setg_errno(errp, errno, + "Error enabling write access for bss"); + return false; + } } =20 - /* The page is already mapped and writable. */ + /* The page is already mapped and now guaranteed writable. 
*/ memset(g2h_untagged(start_bss), 0, align_bss - start_bss); + + if (!(flags & PAGE_WRITE)) { + if (target_mprotect(start_page_aligned, + TARGET_PAGE_SIZE, prot) =3D=3D -1) { + error_setg_errno(errp, errno, + "Error restoring bss first permissions= "); + return false; + } + } } } =20 --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619358; cv=none; d=zohomail.com; s=zohoarc; b=V+3jM6zsDvMf0H7j7qqBu7ABuv+KWVTizsZpKDFNmexegK8dIfu2pz0R+QQeyTiuR32RrZSACaKteLvY2mclQIcqNw89YdWU+SGTsZgGBAzlcRHTp6wgQJh4YhwQXZ3xE8BGHTCGirYTdPK98+SYDPAdLZfWnYN4k4PLk33Gosg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619358; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=QH5C4l053ErY8+Pac61ddVyfSbDjPUJj/BkpHk9yvFQ=; b=iO3idH5kBLIQR0KWy6diI/m7o0iqJZDMasDarJnFIaR5J/Kvp70W60rPOay9ov3tjtn+DhNMVzpHEW7ECSkiBVnwzY4Vq5jK5kZBO5+DLn8e9W/PtR1P9i7wKz0tAdZb4FXliigZV0BXyoErBelhQerKzRiIq3PVkHxQw5TCn4I= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 17786193573171013.3436342537591; Tue, 12 May 2026 13:55:57 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu8k-00047p-2y; Tue, 12 May 2026 16:55:43 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by 
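Review bot: The writability test reads `flags`, but both `target_mprotect()` calls are built from `prot`, and the new comment describes the OR as being between `flags` and PAGE_WRITE, so comment and code disagree. If the page's existing protection can differ from `prot` (not visible here; it would need the first bss page to be shared with a differently protected mapping), the second call sets the page to `prot` rather than restoring its earlier state. A failure of the second call also returns with the page still writable, and executable as well for an RX segment; presumably the caller aborts the load in that case, but that is worth confirming. I would correct the comment to `The logical OR between prot and PAGE_WRITE works because ...` and state there that `prot` is expected to equal the page's current protection. zero_bss begins and ends outside the hunk.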
lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu89-0003uB-2n; Tue, 12 May 2026 16:55:05 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu86-0002mt-SD; Tue, 12 May 2026 16:55:04 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 8881C1AA2CF; Tue, 12 May 2026 23:54:33 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 93F4D3ABC40; Tue, 12 May 2026 23:54:37 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619273; bh=2UUgR8FXm+KpvO3CMsyF0r3dDsABIBfClWVOSx0Yxl8=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=FTBdBAuqdV4qwvoTMdKRvxVxMamiSAcAuE0gzvB07Mol/Tk/v60iDlG4aUOF+2JI4 bdHNP4wqjzcflSKP7pmy40th0BD0yZMEtCqPWOmgoiYzKbSB6iu43HxuKlcC9o+4SV pp3MYOtDP+aSxNhOxRD40RzwvMav1zw9ORixGAbpDtDlT9R1JwYz7Cww5mbQhMuahR jVnPbd0DD8rI9dwyGDVuxGGXjww6G2pFlrZb37sFgw4/Ov575RA8XHrpL4itGEVYcn VtW8oSevub/toWnQsrGBke0dwUXxz9/ja/ptEC8ISJuTYMdo4354QgoLxSqdfxAIPX RBhntCB1y4AJQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Razvan Ghiorghe , Helge Deller , Michael Tokarev Subject: [Stable-10.0.10 003/107] linux-user: fix mremap with old_size=0 for shared mappings Date: Tue, 12 May 2026 23:52:50 +0300 Message-ID: <20260512205437.360850-3-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619360650154100 Content-Type: text/plain; charset="utf-8" 
From: Razvan Ghiorghe When old_size is zero and old_address refers to a shareable mapping, mremap() should create a new mapping of the same pages according to the mremap(2) man page. The MREMAP_MAYMOVE flag must be specified in this case. Previously, QEMU's target_mremap() rejected this valid case with EFAULT during the initial validation, before checking for the special old_size =3D=3D 0 behaviour. This patch adds proper handling for old_size =3D=3D 0: - Validates that MREMAP_MAYMOVE flag is set (required by man spec) - Passes the call through to the host mremap() - Creates a new mapping without invalidating the original, with both being valid and sharing the same physical memory frames. - Ensures the new mapping address falls within the valid guest address region before returning it to the guest. Tested with the reproducer from the issue on qemu-riscv64, qemu-hppa, and qemu-aarch64. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3105 Signed-off-by: Razvan Ghiorghe Tested-by: Helge Deller Reviewed-by: Helge Deller Signed-off-by: Helge Deller (cherry picked from commit 5e5b278d2b1b81fc2b5ca09dba4848f81cd3a718) (mjt, rth: backport to pre-f55fc1c092 "accel/tcg: Add clear_flags argument to page_set_flags") Signed-off-by: Michael Tokarev diff --git a/linux-user/mmap.c b/linux-user/mmap.c index 5622a01123..230bc2c094 100644 --- a/linux-user/mmap.c +++ b/linux-user/mmap.c 
@@ -1118,6 +1118,58 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong= old_size, errno =3D EINVAL; return -1; } + + if (!old_size) { + if (!(flags & MREMAP_MAYMOVE)) { + errno =3D EINVAL; + return -1; + } + mmap_lock(); + if (flags & MREMAP_FIXED) { + host_addr =3D mremap(g2h_untagged(old_addr), old_size, new_siz= e, + flags, g2h_untagged(new_addr)); + } else { + /* + * We ensure that the new mapping stands in the + * region of guest mappable addresses. + */ + abi_ulong mmap_start; + + mmap_start =3D mmap_find_vma(0, new_size, TARGET_PAGE_SIZE); + + if (mmap_start =3D=3D -1) { + errno =3D ENOMEM; + mmap_unlock(); + return -1; + } + + host_addr =3D mremap(g2h_untagged(old_addr), old_size, new_siz= e, + flags | MREMAP_FIXED, g2h_untagged(mmap_start= )); + + new_addr =3D mmap_start; + } + + if (host_addr =3D=3D MAP_FAILED) { + mmap_unlock(); + return -1; + } + + if (flags & MREMAP_FIXED) { + new_addr =3D h2g(host_addr); + } + + prot =3D page_get_flags(old_addr); + /* + * For old_size zero, there is nothing to clear at old_addr. + * Only set the flags for the new mapping. They both are valid. 
+ */ + page_set_flags(new_addr, new_addr + new_size - 1, + prot | PAGE_VALID | PAGE_RESET); + shm_region_rm_complete(new_addr, new_addr + new_size - 1); + mmap_unlock(); + return new_addr; + } + if (!guest_range_valid_untagged(old_addr, old_size)) { errno =3D EFAULT; return -1; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619839; cv=none; d=zohomail.com; s=zohoarc; b=jBthVrhrs06E97GQOAJyK+8PTt8U53RYasF33yXs2u8d8DO+VzPed16gmK4dgP4p6FtY6Zd7PMUbuM8LcDQ7OVRhXF3snyScQuxhAoo8T0GJTuoBAeXcv8HElPA/tUgZ7gaOKhd1JgrzEA2Lq03k1AhD67XJzWZ53S92kP3lk5g= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619839; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=RPMosTRvwHi1LcxufLYQrNgly8aQgLD/tlyEgZAYd0Q=; b=f2B2rlJn0V9kiAHGZrmvH1gfJIEkoIPgQ8q8OblSjwY9GFPyml8y/0AK7WPcsnPXdsSPygRs/XKMh/H2c71v7VfVu7lMyO8OklDHTLUNJ4vGWc1UZYf4ZKskaj2At37FfONYCWAeW3fEQurZsNu4rmDN0x+FF4noWO9mpkre7ro= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619839015458.1345151964514; Tue, 12 May 2026 14:03:59 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu8x-0004Ti-Ch; Tue, 12 May 2026 16:55:55 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by 
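Review bot: The new `old_size == 0` path returns before the `guest_range_valid_untagged(old_addr, old_size)` check in the trailing context, and nothing in the hunk validates `old_addr` before `g2h_untagged(old_addr)` is handed to the host `mremap()`. `page_get_flags(old_addr)` is read only after the host call has succeeded and is not tested for PAGE_VALID, so an address that is not a guest mapping could be duplicated into guest space with whatever protection bits come back. I would look the page up right after `mmap_lock()` and reject it there: `prot = page_get_flags(old_addr);` then `if (!guest_addr_valid_untagged(old_addr) || !(prot & PAGE_VALID)) { errno = EFAULT; mmap_unlock(); return -1; }`. Whether `new_addr` is range-checked for MREMAP_FIXED depends on the test just above the hunk, which is only partly visible. target_mremap continues outside the hunk.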
lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8H-00042k-Vf; Tue, 12 May 2026 16:55:14 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8A-0002wR-Gk; Tue, 12 May 2026 16:55:08 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 980051AA2D0; Tue, 12 May 2026 23:54:33 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id A36523ABC41; Tue, 12 May 2026 23:54:37 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619273; bh=tcLESvGH/xKC4dW5ail80vsN8Oc+IrzX9ldk40aW6bU=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=JZNcInnrUqJfKL0EBCZv9x5XsAcSZk1Bm99jjUaRN3apTzUHmn6jltS2poWtouEDG QY0+W0VuIANItoV2Wit+9pQa27xHVmsY5mf0Hrlr7ymsX7qXEe0Bpp06Sg0OzFT9zm DsP2FKOZMYIuK8+N3gA4bm6keJUKMhO8udkd242d7aJqNAAvr/UTyc7fg5ooBtzP1Q 21bcM7fpLmK/XGaovQ6t4xPu5MdXH1pnpAkODmpe9zMOxFa9FnFd+ke43eHSlFF94t AfG2jOHywFOP7sv5EuquZyKzTVVawJiLTmsT8JdzeoSy8cCwXH6akWpiwyPAi/qXKj u/NYCdkkAHjcQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , Jim MacArthur , Michael Tokarev Subject: [Stable-10.0.10 004/107] hw/dma/pl080: Handle bogus swidth and dwidth in transfers Date: Tue, 12 May 2026 23:52:51 +0300 Message-ID: <20260512205437.360850-4-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619839936154100 Content-Type: text/plain; charset="utf-8" 
From: Peter Maydell The PL080 TRM states that the DWidth and SWidth fields of the channel control registers can only validly specify widths up to 32 bits (i.e. values from 0 to 2) and all other values are reserved. Currently we don't check this, so if the guest specifies an invalid value we will transfer more data into our local 'buff[]' array than it can hold. Check the widths; since the TRM doesn't clearly specify any behaviour for what to do on invalid values, we choose to log them and then ignore the channel for transfers. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3203 Reviewed-by: Jim MacArthur Signed-off-by: Peter Maydell Message-id: 20260306152140.2191653-1-peter.maydell@linaro.org (cherry picked from commit 37c9f6fce5c59db216e7f7ad961395b6e702bda9) Signed-off-by: Michael Tokarev diff --git a/hw/dma/pl080.c b/hw/dma/pl080.c index 8a9b073b24..ed79d331cc 100644 --- a/hw/dma/pl080.c +++ b/hw/dma/pl080.c 
@@ -164,6 +164,21 @@ again: destination widths are different. */ swidth =3D 1 << ((ch->ctrl >> 18) & 7); dwidth =3D 1 << ((ch->ctrl >> 21) & 7); + + /* Only widths of 1, 2 or 4 are valid */ + if (swidth > 4) { + qemu_log_mask(LOG_GUEST_ERROR, + "pl080: channel %d: invalid SWidth %d\n", + c, extract32(ch->ctrl, 18, 3)); + continue; + } + if (dwidth > 4) { + qemu_log_mask(LOG_GUEST_ERROR, + "pl080: channel %d: invalid DWidth %d\n", + c, extract32(ch->ctrl, 21, 3)); + continue; + } + for (n =3D 0; n < dwidth; n+=3D swidth) { address_space_read(&s->downstream_as, ch->src, MEMTXATTRS_UNSPECIFIED, buff + n, swidt= h); --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619384; cv=none; d=zohomail.com; s=zohoarc; b=bzX9LCRCaysxGDQRzZabEyF5fuQvXF5IqccaBY/+GC3ksZUQY5E7eC15IaejCoE3EPPz4pM1PA1oYjWcsU/tDiZlssZr2FHN3+/8yDDRd35e7QMnveT6g3G7ku9NIs90uB3wf3fqw3WrW2zXDLrQaSuBSZkcbQd2ZSophNQvx8A= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619384; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=CzvHyCY+BPsW3a8m0oDzydObXEKvp/avi7OQP2Bpw6Y=; b=CQifxyNFQIbS4KfxkEzaIfYHzryix3QDAh/6FoYMXixVe/xPRrBcJsc4XO6K1+dU+O280snChpGTm3Ly+P1nuo0aiv9Zfo5sxUhIohn0Kxw8QVXuNQMaxWwAF+USnOO2nzVQPeq6WqBIESAJGLxtZXudmUciFmY91PaTplPPcoE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org 
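Review bot: The bound in `if (swidth > 4)` and `if (dwidth > 4)` is a bare literal that must stay equal to the size of the local `buff[]` the transfer loop fills, and the comment above the checks does not say so. `buff` is declared as `uint8_t buff[4]` at the top of pl080_run(), outside this hunk, so I would extend the comment to `/* Only widths of 1, 2 or 4 are valid; anything larger would overrun buff[] */` to tie the guard to the buffer it protects. The logged field values come from `extract32()`, which returns `uint32_t`, so `%u` matches that argument better than `%d`. The enclosing channel loop starts and ends outside the hunk.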
[209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619384075466.8885055526613; Tue, 12 May 2026 13:56:24 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu91-0004Xl-6e; Tue, 12 May 2026 16:56:00 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8J-00043S-AL; Tue, 12 May 2026 16:55:21 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8B-0002zh-Gu; Tue, 12 May 2026 16:55:15 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id A85C01AA2D1; Tue, 12 May 2026 23:54:33 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id B3A363ABC42; Tue, 12 May 2026 23:54:37 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619273; bh=33LdTb1N+djsbeXVn2COuPFm5D1Y1a8x65WoxdY8YOM=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=WBx5RyNOe0r2r+tr4EnJ/3U4mCRLLMbDMXyVlU0G4YEQuxS94/g8WaeY9TwwIuLhV 5jTWMhE8Fu9s6vn08UcfAUqSOfvjX1kFZT7lIK0xPONxljje7j8hS0q4n5Du/t6y8D F6CIE8HE0aGnPTo9vUvG2SWDU3F1GF9hofeOGJOivnvl6ukIaw5ctZ9f19tQMdYgTv YEfQ2MIYR53/ReJJ0FsFVYaZLdoWAlQfCZAtVdyGwpNWBSS9WHvzJENLHByiFXwPu+ pI5J79nkyRRcWsmRd0wj6YltNMMVrFC77M6nbS/15zvo4mNYV2fHAfacPOBosPZpOD rnGVkQVddR0lQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Tao Ding , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.10 005/107] hw/dma/pl080: Update interrupts after pl080_run() Date: Tue, 12 May 2026 23:52:52 +0300 Message-ID: <20260512205437.360850-5-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619388110158500 Content-Type: text/plain; charset="utf-8" 
From: Tao Ding In the codepath in pl080_write() where we run the DMA engine after a change in the channel configuration register, we were missing a pl080_update() call, which meant that we weren't raising any interrupts generated by that DMA transfer. A repro case for this is to program the PL080 and then check the interrupt status by looking at the PL190 status register, since the PL080 interrupt output is connected to input 17 of the PL190. We look at the register value via the QEMU monitor: Reproducer ./qemu-system-arm -M versatilepb -m 128M -nographic -S \ -device loader,addr=3D0x00000000,data=3D0x11223344,data-len=3D4 \ -device loader,addr=3D0x00001000,data=3D0x00000000,data-len=3D4 \ -device loader,addr=3D0x10130030,data=3D0x00000001,data-len=3D4 \ -device loader,addr=3D0x10130100,data=3D0x00000000,data-len=3D4 \ -device loader,addr=3D0x10130104,data=3D0x00001000,data-len=3D4 \ -device loader,addr=3D0x10130108,data=3D0x00000000,data-len=3D4 \ -device loader,addr=3D0x1013010C,data=3D0x9e4bf001,data-len=3D4 \ -device loader,addr=3D0x10130110,data=3D0x0000c001,data-len=3D4 Qemu monitor (qemu) xp /1wx 0x10140008 10140008: 0x00000000 The correct result after this fix: (qemu) xp /1wx 0x10140008 10140008: 0x00020000 Cc: qemu-stable@nongnu.org Signed-off-by: Tao Ding Message-id: 7584486ba62bc6d767c0d132dc843067f8c5efff.1773301927.git.dingtao= 0430@163.com Reviewed-by: Peter Maydell [PMM: Adjusted commit message] Signed-off-by: Peter Maydell (cherry picked from commit b6e61d1cc3bfc9091ab83e25d9781a67ef9c86c1) Signed-off-by: Michael Tokarev diff --git a/hw/dma/pl080.c b/hw/dma/pl080.c index ed79d331cc..477147281c 100644 --- a/hw/dma/pl080.c +++ b/hw/dma/pl080.c 
@@ -227,6 +227,7 @@ again: if (--s->running) s->running =3D 1; } + pl080_update(s); } =20 static uint64_t pl080_read(void *opaque, hwaddr offset, --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619837; cv=none; d=zohomail.com; s=zohoarc; b=IQ0fJR2QfXekbQZvb34tTaL+C0CjBLj2/fsFhIHHQBYojbSjYNuUyV331/Iv36PKjB9To7xao2+m6xZtXIl1BzWyJIhR2FhO0kbmir4VK2NNHX02RA5brGmi/WZhxaWovyi+b3MbMG7IziGzWQqOlFSLo9nb9DQ11+2Cs73NBfc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619837; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=hwWDFC1uRgSUsufiIqAyiPLt01JBfpMzI66IB79lEfc=; b=VHRdef6P5CJpstRr3Xy23NAybTc9mqAy/4ZUDlh+FmFsTNlS2mfa3dARw/VqVMBt5zSvGv9mgnjOnAEaAUs6mpEYHvd+KX/AkaXqoAB0qGW/driIMTVoK4TN1mFu1zFGU/YkOzMyaGLWxpsl5HUjsa7zzykOx3BmhPxWmxeKt98= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619836996196.93865288323957; Tue, 12 May 2026 14:03:56 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu8x-0004Sj-4w; Tue, 12 May 2026 16:55:55 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8K-00043V-Qu; Tue, 12 May 2026 
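Review bot: The added `pl080_update(s);` has no comment, and its placement is not what the description leads a reader to expect. The message speaks of the pl080_write() path, while the call sits at the end of the function holding the `again:` loop, so it runs for every caller that reaches this point. A one-line comment such as `/* Transfers may have raised interrupts; propagate them to the IRQ outputs */` would record the intent. Any earlier `return` in that function would skip the update; its body begins outside this hunk, so that cannot be confirmed from here.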
16:55:26 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8J-00030w-56; Tue, 12 May 2026 16:55:16 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id B7EDB1AA2D2; Tue, 12 May 2026 23:54:33 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id C399B3ABC43; Tue, 12 May 2026 23:54:37 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619273; bh=/UX1VvtmohRWHEDkWGENAeLai4Fo3ba4/8Ez4pTw+7A=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=xeOcZSyJLrsJ44VhyJAgxSw3em8oR5lTuxBNoU17J08Pxdtjl11D1Xb4RNjyNNAWX jRaNpjeAztnpEkLmT4vuaZMrgXsvMgeVydh1ShNGhquOCy2g17PQaBWC0Zhpe+uIZv hyKXteCrgtTo1BL08WI8fMXvD+5ZX3TVVkp4jA8Yv5HA13F3r1R4DIZdekbvfP/PQq zjIk2N3iDECns5M3YMBwPCUIVH4FWFhTfKgTWxPznkNZUIHl154nJpNMvd3r9Ynfpy pSMk1/24TIsusxdrcG9CK5phCeJUSFK1dwLL/Hn7fvnnenxW5W3CgBsUfVRenOpQyK pSHAfwnC8VJsw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Tao Ding , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.10 006/107] hw/dma/pl080: Ignore bottom 2 bits of LLI register Date: Tue, 12 May 2026 23:52:53 +0300 Message-ID: <20260512205437.360850-6-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619837972154100 Content-Type: text/plain; charset="utf-8" 
From: Tao Ding The PL080 channel LLI (linked list item) register has bits [31:2] of the address of the next LLI in bits [31:2], with bit [1] reserved and bits [0] the AHB master select. We were incorrectly using the whole register value as the address, which meant that if the guest programmed something into the AHB master select bit we would use an incorrect address, and read incorrect data from memory. The following reproducer creates a setup which has bit 0 set in an LLI value: Configuration ../configure --target-list=3Darm-softmmu --enable-debug Reproducer ./qemu-system-arm -M versatilepb -m 128M -nographic -S \ -device loader,addr=3D0x00002000,data=3D0x00000004,data-len=3D4 \ -device loader,addr=3D0x00002004,data=3D0x00001004,data-len=3D4 \ -device loader,addr=3D0x00002008,data=3D0x00000000,data-len=3D4 \ -device loader,addr=3D0x0000200c,data=3D0x9e4bf001,data-len=3D4 \ -device loader,addr=3D0x00000000,data=3D0x44332211,data-len=3D4 \ -device loader,addr=3D0x00000004,data=3D0x88776655,data-len=3D4 \ -device loader,addr=3D0x00001000,data=3D0x00000000,data-len=3D4 \ -device loader,addr=3D0x00001004,data=3D0x00000000,data-len=3D4 \ -device loader,addr=3D0x10130030,data=3D0x00000001,data-len=3D4 \ -device loader,addr=3D0x10130100,data=3D0x00000000,data-len=3D4 \ -device loader,addr=3D0x10130104,data=3D0x00001000,data-len=3D4 \ -device loader,addr=3D0x10130108,data=3D0x00002001,data-len=3D4 \ -device loader,addr=3D0x1013010C,data=3D0x1e4bf001,data-len=3D4 \ -device loader,addr=3D0x10130110,data=3D0x0000c001,data-len=3D4 The correct result with this bug fix: (qemu) xp /1wx 0x00001000 00001000: 0x44332211 (qemu) xp /1wx 0x00001004 00001004: 0x88776655 Cc: qemu-stable@nongnu.org Signed-off-by: Tao Ding [PMM: Adjusted commit message] Reviewed-by: Peter Maydell Message-id: cb35c1b622674da7a2b70691402132f691933f2c.1773301927.git.dingtao= 0430@163.com Signed-off-by: Peter Maydell (cherry picked from commit f9b16f791502d912cf07ec040a1a2efb1009f713) 
Signed-off-by: Michael Tokarev diff --git a/hw/dma/pl080.c b/hw/dma/pl080.c index 477147281c..8b97cbb425 100644 --- a/hw/dma/pl080.c +++ b/hw/dma/pl080.c @@ -102,6 +102,7 @@ static void pl080_run(PL080State *s) int size; uint8_t buff[4]; uint32_t req; + uint32_t next_lli; =20 s->tc_mask =3D 0; for (c =3D 0; c < s->nchannels; c++) { 
@@ -198,21 +199,22 @@ again: ch->ctrl =3D (ch->ctrl & 0xfffff000) | size; if (size =3D=3D 0) { /* Transfer complete. */ - if (ch->lli) { + next_lli =3D (ch->lli & ~3); + if (next_lli) { ch->src =3D address_space_ldl_le(&s->downstream_as, - ch->lli, + next_lli, MEMTXATTRS_UNSPECIFIED, NULL); ch->dest =3D address_space_ldl_le(&s->downstream_as, - ch->lli + 4, + next_lli + 4, MEMTXATTRS_UNSPECIFIED, NULL); ch->ctrl =3D address_space_ldl_le(&s->downstream_as, - ch->lli + 12, + next_lli + 12, MEMTXATTRS_UNSPECIFIED, NULL); ch->lli =3D address_space_ldl_le(&s->downstream_as, - ch->lli + 8, + next_lli + 8, MEMTXATTRS_UNSPECIFIED, NULL); } else { --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619407; cv=none; d=zohomail.com; s=zohoarc; b=iA+25uoQdO0XBKTvWcL5BPkgc87dP/i4SsQ/JV6Y+yo2K76iUyjIc43ldHDj7NKVKDOpUzGmHGpB9TWi2jipUxeNp4TSN1EZ+kcc+LLIeTRbYxYht7+nP0PmVqGrPTN52s7OfXeYMm9ZF7SOY6r9TEQANO1X+QMnHWZ7Cy9tOHM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619407; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=XhDEVVU1HwFTPU2I5765uYBtNoCRwQs28xXesMj5AJI=; b=GBF92LK6ttjCgVW0HcsY8AxKF2X3QVF72Z3iTc6VuLYq6ZL55oXBlDmKGilKrklVTmFqxZpX4+R4UyjyVobcFC4QAxp5I6LjoZhidgyZd8eOGm/BwOeRuIL+5M333+NEGSZy1eq+NCINI0BkvDJ7seMsAq+nQdhnc7+8JnP5mow= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org 
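Review bot: The four `address_space_ldl_le()` loads of the next descriptor still pass `NULL` as the result pointer, so a failed read at `next_lli` goes unnoticed and whatever value comes back is programmed into `ch->src`, `ch->dest`, `ch->ctrl` and `ch->lli`. Because the LLI address is written by the guest, I would pass a `MemTxResult` (`..., MEMTXATTRS_UNSPECIFIED, &res);`) and test `res != MEMTX_OK` before committing the new channel state. What the channel should do on such a failure is a device-behaviour decision that is not visible here. The mask in `next_lli = (ch->lli & ~3);` would also benefit from a short comment, e.g. `/* bits [1:0] are reserved / AHB master select, not address bits */`. The enclosing function starts and ends outside the hunk.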
(lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619407775471.6627973021667; Tue, 12 May 2026 13:56:47 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu94-0004oK-PA; Tue, 12 May 2026 16:56:02 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8M-00043c-Os; Tue, 12 May 2026 16:55:26 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8K-00031b-RR; Tue, 12 May 2026 16:55:18 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id C896A1AA2D3; Tue, 12 May 2026 23:54:33 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id D34673ABC44; Tue, 12 May 2026 23:54:37 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619273; bh=ZQFNhl+/MkNtnq57gZeBuYACK/ciOlPIy0s5tBnKoDM=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=OFC1O1TepKITZsf7RE2uvZcVjzz98ezV05z009/feB5dvSOTQ4URYPGq40k954kOf eW4z2f9MpR0K+EzXnxIAJKvQewXugaFTv3xyDUTaSNNln/fNSM4k5o9NsWvMtW6lxW kiQzP7ZzUjfSGXyzVfaCzTWfAaclb2jwSnCRBUtafl2ksYTMuW3uUvoqQvlWLEZDJ9 AJGDuCgTfeqjTwGdgCrc2q5KXlbWlnaXQEIss7bH2Tkwo4qV6OUS02LBa5agRRJHZa 1lD/lttZl7BFX0AQrrQqkfCTqYHtls6drMv4FfKwxDYGv3UlvPOlbJTjn46GIkI9WT RqnN/RJXHkQkA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Sergei Heifetz , Vladimir Sementsov-Ogievskiy , Zhao Liu , Michael Tokarev Subject: [Stable-10.0.10 007/107] target/i386: fix NULL pointer dereference in legacy-cache=off handling Date: Tue, 12 May 2026 23:52:54 +0300 Message-ID: <20260512205437.360850-7-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619412376154100 Content-Type: text/plain; charset="utf-8" From: Sergei Heifetz The check that xcc->model is not NULL occurs after it is dereferenced inside x86_cpu_get_versioned_cache_info(), so something like `-cpu host,legacy-cache=3Doff` leads to a segfault rather than an error. This patch fixes that. Fixes: cca0a000d06f897411a8a ("target/i386: allow versioned CPUs to specify= new cache_info") Signed-off-by: Sergei Heifetz Reviewed-by: Vladimir Sementsov-Ogievskiy Reviewed-by: Zhao Liu Reviewed-by: Michael Tokarev [Mjt: simplify the following condition too] 
Signed-off-by: Michael Tokarev (cherry picked from commit 2741d2cc39033929485b50792a85b5c794b1c903) Signed-off-by: Michael Tokarev diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 76e0cceb10..9401258a54 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c 
@@ -8332,10 +8332,11 @@ static void x86_cpu_realizefn(DeviceState *dev, Err= or **errp) =20 /* Cache information initialization */ if (!cpu->legacy_cache) { - const CPUCaches *cache_info =3D - x86_cpu_get_versioned_cache_info(cpu, xcc->model); + const CPUCaches *cache_info =3D xcc->model + ? x86_cpu_get_versioned_cache_info(cpu, xcc->model) + : NULL; =20 - if (!xcc->model || !cache_info) { + if (!cache_info) { g_autofree char *name =3D x86_cpu_class_get_model_name(xcc); error_setg(errp, "CPU model '%s' doesn't support legacy-cache=3Doff"= , name); --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619494; cv=none; d=zohomail.com; s=zohoarc; b=AImv+hX1ipVMyvRFk/C1S9hb7gjyGblZLg6hr1XDIpPky6/w7r98JofjA1XedNQ5yvShPT1D0pjpFOTOZhJx+Vx26jeBRlDQZAo02xIhTf3tSDiDSiikz1grvg02WzcBP4c2mtnx3qZbq3AHbquWocWU8oaetrZH6vIe43UKtI0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619494; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=a07DKMe+cJBTgTn84ACdAsoejWAvrTb0e8tGTDig9zk=; b=Kt1EcU2MEF+b4EguUQnW5IrtUGu18NIbMF50ChZDfcwJMQzfOBlNjH9rAitST2iEe+J0K26vJ8SizUg09+LafV0LzjpYl4rj5nkdeTxLNJ6a3rnGCe4bSsh9rDEUxPqcWUqxRfjvm+OQNb2wpzxghhowzFYB5U7UfESn2R6WCzo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 
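Review bot: The NULL test for `xcc->model` is made at this call site only, while the description says the dereference happens inside `x86_cpu_get_versioned_cache_info()`. Any other caller of that helper (none is visible in this hunk) would still crash on a CPU class without a model. An early `return NULL` for a NULL model at the top of the helper would cover every caller and let this site remain a plain call followed by the existing `if (!cache_info)`. If the call-site form is kept, a short comment such as `/* some CPU classes (e.g. "host") have no model */` would explain the ternary. x86_cpu_realizefn() continues outside the hunk.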
177861949428313.140726398089328; Tue, 12 May 2026 13:58:14 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu94-0004lC-29; Tue, 12 May 2026 16:56:02 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8U-000445-1t; Tue, 12 May 2026 16:55:30 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8M-00032G-Eh; Tue, 12 May 2026 16:55:21 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id D86231AA2D4; Tue, 12 May 2026 23:54:33 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id E3E713ABC45; Tue, 12 May 2026 23:54:37 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619273; bh=YEZQ/7VgyxT0BFyGkOjZ34gF6pss1UwWAxqee8IKMyQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=Y6V6sRp/YPFoVcmXOUwN1giTXmfpoDKiRWk4v+NtrxAMnW28YtlFm5cuarr8ccscQ 4CWwWgljkfW//xvWep+d0SFItQlUj08tYwdjFVs/B1XX18luvahZKx2d9u7ZgpyIG0 B2D1+6BGzsx+fOL4X8ktqNN9xP+92bGE6kqbhTTCG8Es1G7A5zYjvw/x55uHm+EfiO A2en5TC9WlYzYIQ+sgBjY+k/njRI58bgHZ9nGU2P4ikJc4vA2AK9m3tOoU/r06XPTe rmVYCGcj4Fot8JtTQFnt0DbeB18Yy+Hi0RhfFFIC4CsKOd1Fu3FHGCIhgmcOghHEg/ wOJCBbWOdHd9Q== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Alberto Garcia , Hanna Czenczek , Michael Tokarev Subject: [Stable-10.0.10 008/107] throttle-group: Fix race condition in throttle_group_restart_queue() Date: Tue, 12 May 2026 23:52:55 +0300 Message-ID: <20260512205437.360850-8-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619498124154100 Content-Type: text/plain; charset="utf-8" 
From: Alberto Garcia When a timer is fired a pending I/O request is restarted and tg->any_timer_armed is reset so other requests can be scheduled. However we're resetting any_timer_armed first in timer_cb() before the request is actually restarted, and there's a window between both moments in which another thread can arm the same timer, hitting an assertion in throttle_group_restart_queue(). This can be solved by deferring the reset of tg->any_timer_armed to the moment when the queue is actually restarted, which is protected by tg->lock, preventing other threads from arming the timer before that. In addition to that, throttle_group_restart_tgm() is also updated to hold tg->lock while the timer is being inspected. Here we consider three different scenarios: - If the tgm has a timer set, fire it immediately - If another tgm has a timer set, restart the queue anyway - If there is no timer set in this group then simulate a timer that fires immediately, by setting tg->any_timer_armed in order to prevent other threads from arming a timer in the meantime. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3194 Signed-off-by: Alberto Garcia Message-Id: <825598ef34ad384d936da19d634eda75598508f7.1773316842.git.berto@= igalia.com> Signed-off-by: Hanna Czenczek (cherry picked from commit 9c8430f5d65144b85ad76433369288182a1c7baa) Signed-off-by: Michael Tokarev diff --git a/block/throttle-groups.c b/block/throttle-groups.c index 4385748bbf..ee5dea9621 100644 --- a/block/throttle-groups.c +++ b/block/throttle-groups.c @@ -391,6 +391,7 @@ void coroutine_fn throttle_group_co_io_limits_intercept= (ThrottleGroupMember *tgm typedef struct { ThrottleGroupMember *tgm; ThrottleDirection direction; + bool reset_timer_armed; } RestartData; =20 static void coroutine_fn throttle_group_restart_queue_entry(void *opaque) 
@@ -403,6 +404,9 @@ static void coroutine_fn throttle_group_restart_queue_e= ntry(void *opaque) bool empty_queue; =20 qemu_mutex_lock(&tg->lock); + if (data->reset_timer_armed) { + tg->any_timer_armed[direction] =3D false; + } empty_queue =3D !throttle_group_co_restart_queue(tgm, direction); =20 /* If the request queue was empty then we have to take care of @@ -419,18 +423,23 @@ static void coroutine_fn throttle_group_restart_queue= _entry(void *opaque) } =20 static void throttle_group_restart_queue(ThrottleGroupMember *tgm, - ThrottleDirection direction) + ThrottleDirection direction, + bool reset_timer_armed) { Coroutine *co; RestartData *rd =3D g_new0(RestartData, 1); =20 rd->tgm =3D tgm; rd->direction =3D direction; + rd->reset_timer_armed =3D reset_timer_armed; =20 - /* This function is called when a timer is fired or when - * throttle_group_restart_tgm() is called. Either way, there can + /* If reset_timer_armed is set then this means that this function + * was called when a timer was fired (either from timer_cb() or + * from throttle_group_restart_tgm()). In this case there can * be no timer pending on this tgm at this point */ - assert(!timer_pending(tgm->throttle_timers.timers[direction])); + if (reset_timer_armed) { + assert(!timer_pending(tgm->throttle_timers.timers[direction])); + } =20 qatomic_inc(&tgm->restart_pending); =20 
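Review bot: In the second hunk on this line, the rewritten comment in throttle_group_restart_queue() explains only the `reset_timer_armed == true` case, and neither it nor the new `RestartData` field says what `false` means. Judging from the throttle_group_restart_tgm() hunk that follows, `false` is passed when another member of the group owns the armed timer, so `tg->any_timer_armed[direction]` must not be cleared. Adding that as a sentence, e.g. `/* If it is false, another tgm owns the armed timer: any_timer_armed is left untouched and the assertion is skipped */`, would make the contract readable without consulting the caller. Both functions touched on this line start or end outside their hunks.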
@@ -444,15 +453,50 @@ void throttle_group_restart_tgm(ThrottleGroupMember *= tgm) =20 if (tgm->throttle_state) { for (dir =3D THROTTLE_READ; dir < THROTTLE_MAX; dir++) { - QEMUTimer *t =3D tgm->throttle_timers.timers[dir]; + QEMUTimer *t; + ThrottleState *ts =3D tgm->throttle_state; + ThrottleGroup *tg =3D container_of(ts, ThrottleGroup, ts); + bool reset_timer_armed; + + /* + * This function restarts the tgm's queue immediately. + * This is used for example for callers to drain all requests. + * There are three different scenarios depending on whether + * a timer is armed for this tg and which tgm owns the timer. + */ + + qemu_mutex_lock(&tg->lock); + + t =3D tgm->throttle_timers.timers[dir]; if (timer_pending(t)) { - /* If there's a pending timer on this tgm, fire it now */ + /* + * Case 1: this tgm has a pending timer. + * We can fire the timer immediately. + */ timer_del(t); - timer_cb(tgm, dir); + reset_timer_armed =3D true; + } else if (tg->any_timer_armed[dir]) { + /* + * Case 2: another tgm has a pending timer. + * In this case we can still restart the queue but we + * have to leave any_timer_armed untouched so the + * other tgm's timer is not disrupted. + */ + reset_timer_armed =3D false; } else { - /* Else run the next request from the queue manually */ - throttle_group_restart_queue(tgm, dir); + /* + * Case 3: there is no timer set for this group. + * Here we can simulate a timer that fires immediately, + * so the queue is restarted but no other thread + * can arm a timer in the meantime. + */ + tg->any_timer_armed[dir] =3D true; + reset_timer_armed =3D true; } + + qemu_mutex_unlock(&tg->lock); + + throttle_group_restart_queue(tgm, dir, reset_timer_armed); } } } 
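Review bot: `ts`, `tg` and the block comment describing the whole function sit inside the `for (dir = ...)` loop although none of them depends on `dir`. Declaring `ThrottleGroup *tg = container_of(tgm->throttle_state, ThrottleGroup, ts);` once under `if (tgm->throttle_state)` would shorten the per-direction body. The manual `qemu_mutex_lock(&tg->lock)` / `qemu_mutex_unlock(&tg->lock)` pair spans three branches; if the file's conventions allow it, `WITH_QEMU_LOCK_GUARD(&tg->lock) { ... }` around the timer inspection would guarantee the unlock should a branch later gain an early exit. The Case 1 comment could also state that `any_timer_armed[dir]` is deliberately left set after `timer_del(t)` until the restart coroutine clears it under the lock.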
@@ -499,16 +543,13 @@ void throttle_group_get_config(ThrottleGroupMember *t= gm, ThrottleConfig *cfg) */ static void timer_cb(ThrottleGroupMember *tgm, ThrottleDirection direction) { - ThrottleState *ts =3D tgm->throttle_state; - ThrottleGroup *tg =3D container_of(ts, ThrottleGroup, ts); - - /* The timer has just been fired, so we can update the flag */ - qemu_mutex_lock(&tg->lock); - tg->any_timer_armed[direction] =3D false; - qemu_mutex_unlock(&tg->lock); - - /* Run the request that was waiting for this timer */ - throttle_group_restart_queue(tgm, direction); + /* + * Run the request that was waiting for this timer. + * tg->any_timer_armed needs to be cleared, but we'll do it later + * when the queue is restarted in order to prevent another thread + * from arming the timer before that. + */ + throttle_group_restart_queue(tgm, direction, true); } =20 static void read_timer_cb(void *opaque) --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619411; cv=none; d=zohomail.com; s=zohoarc; b=jQHnYY94X19IV3iV51OsbuREySFpWF2t+gNVDyhEhpvD0fK5UOVVv4bkt5OoemD7zvkARczEZWRfIQC4H61APe+EoaulXg3trMHRblcZL45WI2g6jJixUZfKKwWO230+Yoc+ogC0r8TdmFV6EITHLXU4aaeODdXcFDD9n9incDk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619411; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=IsnYMspAWMSUKpfh1FMH4VexCjO92sakdvdil1g+wOw=; b=hv2QEp0+BKPPVGB8hdcZkbl6EIWWLeXihJx7IIkYMsmGx0VyGZxe1Zlt8FSOOscvaYdkSmOpikd31RDluaP2dHAKf+MLZSn3fmzT4q37xruLmopXBFgdorwFozl9vHZydpP2Q1T45ha1pqbU9vY3I0simdc8Z5dhcVotieJ7Dak= 
ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619411533905.0700619704453; Tue, 12 May 2026 13:56:51 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu95-0004py-Lp; Tue, 12 May 2026 16:56:03 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8U-00044A-Um; Tue, 12 May 2026 16:55:34 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8Q-00034R-4W; Tue, 12 May 2026 16:55:26 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id E4F891AA2D5; Tue, 12 May 2026 23:54:33 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id F28D43ABC46; Tue, 12 May 2026 23:54:37 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619273; bh=zIFKA1gK2QxIQt9X5V1nHTN2R3ohlFdjcYEgFfNWMDA=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=DMAToGBlpz0dyEo2J0JOxNqkF+W+lgwNEnxnI9Ot/+XGhOGAmb0cVNWuf7jRj4DY8 FdeC2s1BujIs21njxieOYEnhQfz6P4UYBY9Vb6xHYXnJonZWnshYV6FtbW0kbgQcMq IAohEUPjkitiQMCPHWE7BiBgXQ0kbykOUSwIsaebPxYUuJYpsxs0vAfn0ioF0EY8+O 5JHxAOlOkkLhrLLU1y38sa+ulxkS51TwiacmY2iitiy6A3dBNBmSvxcXefPHH2wvX3 PzLZEl3Drjym3hJmNNNPHt6IKOapvoXjJXelHCRNv56eTOlm1ow8VusOrRwDfAvtTh mFaylLzecI4yw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Fiona Ebner , Hanna Czenczek , Michael Tokarev Subject: [Stable-10.0.10 009/107] block/mirror: fix assertion failure upon duplicate complete for job using 'replaces' Date: Tue, 12 May 2026 23:52:56 +0300 Message-ID: <20260512205437.360850-9-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619413817158500 Content-Type: text/plain; charset="utf-8" From: Fiona Ebner If s->replace_blocker was already set by an earlier invocation of mirror_complete(), then there will be an assertion failure when error_setg() is called for it a second time. The bdrv_op_block_all() and bdrv_ref() operations should only be done a single time too. Signed-off-by: Fiona Ebner Message-Id: <20260311145717.668492-2-f.ebner@proxmox.com> Reviewed-by: Hanna Czenczek Signed-off-by: Hanna Czenczek (cherry picked from commit 9ac85f4cc7995217db8f736733b990d6addcb036) Signed-off-by: Michael Tokarev 
diff --git a/block/mirror.c b/block/mirror.c index db2af08050..09d2c9017d 100644 --- a/block/mirror.c +++ b/block/mirror.c 
@@ -1185,23 +1185,25 @@ static void mirror_complete(Job *job, Error **errp) return; } =20 - /* block all operations on to_replace bs */ - if (s->replaces) { - s->to_replace =3D bdrv_find_node(s->replaces); - if (!s->to_replace) { - error_setg(errp, "Node name '%s' not found", s->replaces); - return; + if (!s->should_complete) { + /* block all operations on to_replace bs */ + if (s->replaces) { + s->to_replace =3D bdrv_find_node(s->replaces); + if (!s->to_replace) { + error_setg(errp, "Node name '%s' not found", s->replaces); + return; + } + + /* TODO Translate this into child freeze system. */ + error_setg(&s->replace_blocker, + "block device is in use by block-job-complete"); + bdrv_op_block_all(s->to_replace, s->replace_blocker); + bdrv_ref(s->to_replace); } =20 - /* TODO Translate this into child freeze system. */ - error_setg(&s->replace_blocker, - "block device is in use by block-job-complete"); - bdrv_op_block_all(s->to_replace, s->replace_blocker); - bdrv_ref(s->to_replace); + s->should_complete =3D true; } =20 - s->should_complete =3D true; - /* If the job is paused, it will be re-entered when it is resumed */ WITH_JOB_LOCK_GUARD() { if (!job->paused) { --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619808; cv=none; d=zohomail.com; s=zohoarc; b=MGamQv30dAKsy/T9UsEAertG/dC7itQN8Bmrvc6D84qe3Ml4Z/zyoyvvjJiLQcTCwMRcRx49vM9zxLNbOkyghAHgOReH5urvFXCRPm6NZnhCYwx/hn7hhkMJi+1gE6CPe5H75NoX07QcbpPxiiuxQPCwNDf2RPjOFNQk7mrutyM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619808; 
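Review bot: The one-shot guard keys on `s->should_complete`, while the abort it avoids comes from `s->replace_blocker` already being set, and nothing in the hunk ties the two together. A comment above `if (!s->should_complete) {` such as `/* First completion request only: error_setg() asserts that replace_blocker is still NULL, and the op blocker and reference must be taken exactly once */` would keep a later change that clears should_complete elsewhere from reintroducing the assertion failure on a repeated completion request. Note also that the early `return` after "Node name '%s' not found" leaves should_complete false, so a retry re-runs the lookup; that looks intended but is worth stating. mirror_complete() starts and ends outside the hunk.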
h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=dZsxxSNchMsQyoInmtTbKH0zl6IlnvnPQoiC6KzqPQc=; b=bvsxM17Q/0MBkxWNta/s7D3jO5l1D7D0udPfDsxUVrobtUOSosTL8A36/DRqYTnORBOlbEYaV6X6i1N9UrXyXQu3z2SR/Nc8oFZmp2Y9yswtibMWQH2/I9ROrjSxKoXsESePxGg0jvu6/HDl5/G4xuzX3IE2e6CDOoMXczG82vQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 177861980848912.683574957936912; Tue, 12 May 2026 14:03:28 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu8x-0004T0-7a; Tue, 12 May 2026 16:55:55 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8Y-000465-Q7; Tue, 12 May 2026 16:55:34 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8V-00036a-RC; Tue, 12 May 2026 16:55:30 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 01AE01AA2D6; Tue, 12 May 2026 23:54:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 0B4F13ABC47; Tue, 12 May 2026 23:54:38 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619274; bh=YMZrUYsIlbBqCWStEj4HLXZ9OHaM8mNn1Z68T//7P1I=; h=From:To:Cc:Subject:Date:In-Reply-To:References; 
b=V4ha8WbBFJutd79MEV7og4XqYsEN4Oux0MQJRmqUkfcXipyHAuFLZI1Jcv4io5oyk 82oOs+7IkpzWx1NOk/dEyQs84XOqAIU40iT0TX9D4y82sPPo0YCZ7yXHlI+L0ThP8W sf1tY7/z9KmS14ffDjkH1YxmEBedtOE5PaQ5n4MRxjcbtSZ6dFakwLV5zvmMwZIw6E XScpfVK5u4eAaIJ+O28omoT/dbxWoJ4ob5EdYc7oii/xt1XrQ8w1byz7e6v5M/WDi9 NhaJcc+tzNWEXop1LtzI/yXBtN3YkHeLJeVY/Q+BF0M0MlyeJxxK5o39CxruEZ1D1g Dux342/gVvjpQ== From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Shivang Upadhyay , Aditya Gupta , Harsh Prateek Bora , Peter Maydell , BALATON Zoltan , Michael Tokarev Subject: [Stable-10.0.10 010/107] ppc/pnv: fix dumpdtb option Date: Tue, 12 May 2026 23:52:57 +0300 Message-ID: <20260512205437.360850-10-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619811616154100 Content-Type: text/plain; charset="utf-8" 
From: Shivang Upadhyay The '-machine dumpdtb' command line option stopped working on PowerPC/pnv systems after recent design change [1]. Fixing this by generating fdt blob in `pnv_init`. [1] https://lore.kernel.org/qemu-devel/20250206151214.2947842-1-peter.mayde= ll@linaro.org/ Cc: Aditya Gupta Cc: Harsh Prateek Bora Cc: Peter Maydell Cc: BALATON Zoltan Cc: qemu-stable@nongnu.org Fixes: 8fd2518ef2f8d34 ("hw: Centralize handling of -machine dumpdtb option= ") Signed-off-by: Shivang Upadhyay Reviewed-by: Peter Maydell Reviewed-by: Aditya Gupta Link: https://lore.kernel.org/qemu-devel/20260311143549.118720-1-shivangu@l= inux.ibm.com Signed-off-by: Harsh Prateek Bora (cherry picked from commit a16d4c2f162a86db1f84ef0836d42eabaf57fe69) Signed-off-by: Michael Tokarev diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c index 07a44ccd4c..9f9f3ce4ac 100644 --- a/hw/ppc/pnv.c +++ b/hw/ppc/pnv.c @@ -741,26 +741,8 @@ static void pnv_reset(MachineState *machine, ResetType= type) } } =20 - if (machine->fdt) { - fdt =3D machine->fdt; - } else { - fdt =3D pnv_dt_create(machine); - /* Pack resulting tree */ - _FDT((fdt_pack(fdt))); - } - + fdt =3D machine->fdt; cpu_physical_memory_write(PNV_FDT_ADDR, fdt, fdt_totalsize(fdt)); - - /* Update machine->fdt with latest fdt */ - if (machine->fdt !=3D fdt) { - /* - * Set machine->fdt for 'dumpdtb' QMP/HMP command. Free - * the existing machine->fdt to avoid leaking it during - * a reset. - */ - g_free(machine->fdt); - machine->fdt =3D fdt; - } } =20 static ISABus *pnv_chip_power8_isa_create(PnvChip *chip, Error **errp) 
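Review bot: pnv_reset() now reads `machine->fdt` with no fallback, so `fdt_totalsize(fdt)` and the copy to PNV_FDT_ADDR depend on the tree having been built before the first reset, and that invariant is only implied by the pnv_init() hunk that follows. Stating it at the point of use, `assert(machine->fdt);` ahead of `fdt = machine->fdt;`, turns an ordering mistake into a clear failure instead of a NULL dereference. The same applies to pnv_reset() after the follow-up patch that moves creation to the machine-init-done notifier. pnv_reset() starts outside the hunk.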
@@ -1208,6 +1190,11 @@ static void pnv_init(MachineState *machine) if (pmc->i2c_init) { pmc->i2c_init(pnv); } + + if (!machine->fdt) { + machine->fdt =3D pnv_dt_create(machine); + _FDT((fdt_pack(machine->fdt))); + } } =20 /* --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619625; cv=none; d=zohomail.com; s=zohoarc; b=lihkMn74SXryedHtiaecSDEM6Q2BxWhKI4f8w0imGk3wqx3H74o6jqSBvum5ISZIGcKCRK3u4okfgMb66tpq7zzw2gE049iVfasapWVhBipRvKnLj+kpxE3NNxn7nOcHCF3YLvjkwoAjoC6vaEOwifL6PUlDcBH8aoK3ihQp3E4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619625; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=bKDU3KlH8zfENuRVhwpDhNbMhEPwB/zM07i2lumHd1c=; b=ROnWOqGaoS+h/sL7BC+kxWaTQGM4lZ25DQ7D3L0b3wzf1jyxLn7aGYc9jeqL84uutX4YhL4HVuXeIgx/ywc5bJJVcJVgkxu/yoS1lxMrVWdGUyZqGIeQtCdSKrLEzdcsSrPt6i0dzHqV4IYcFzpBMjp5cFu55zG03++/m0sppuk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619625232239.7875774446527; Tue, 12 May 2026 14:00:25 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu92-0004aG-7o; Tue, 12 May 2026 16:56:00 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps 
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8a-00046F-7W; Tue, 12 May 2026 16:55:38 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8X-00036u-FP; Tue, 12 May 2026 16:55:31 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 17E781AA2D7; Tue, 12 May 2026 23:54:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 1CEF23ABC48; Tue, 12 May 2026 23:54:38 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619274; bh=aBVQ7bdYlNm++Hb0XXYw8W9HWcrYieYw3MIh8jY1fLs=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=dh1QXwNfZxwCIVFSWbWVpc5n+UZ8V95FMFNjUVMvzwiHAJN3NSE9v3VEc862cuTRi NEbKToO/NZHKBWRN3O7RYQMz7dgZW1Kt+w3577+WkZRhUEB7cJqP7fkgMgI2RSffdt QluGe/cDJhK0yBG0AiVMxrBtTqTQ1eytB8DKbWPv2sIc4DI0vY91NepjpIKNjmXQ31 /9Txt0qqBkDgPafb0Tt77PI1mj02Q6sQsxbRtMSCnE+J/FjyEGWHT0HkbO9e3sOn33 aIOjCxBcobcorZguJaR+Pu/ujNN1ws/Bj/ObFGO4Rq1Tg+UMmCnDBTMV4dIfXCq1J9 ORh01QWHpE6VA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Shivang Upadhyay , Aditya Gupta , Harsh Prateek Bora , BALATON Zoltan , Nathan Chancellor , Peter Maydell , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.10 011/107] ppc/pnv: generate dtb after machine initialization is complete Date: Tue, 12 May 2026 23:52:58 +0300 Message-ID: <20260512205437.360850-11-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619627580154100 
From: Shivang Upadhyay Currently, the machine dtb is generated in pnv_init(), before all devices are fully initialized. This can result in an incomplete dtb for the system, as seen in bug [1]. Fix this by deferring dtb generation until machine initialization is comple= te, using the machine_init_done_notifier hook. [1] https://lore.kernel.org/all/20260323231612.GA2637687@ax162/ Cc: Aditya Gupta Cc: Harsh Prateek Bora Cc: BALATON Zoltan Cc: qemu-stable@nongnu.org Reported-by: Nathan Chancellor Suggested-by: Peter Maydell Fixes: a16d4c2f162a86d ("ppc/pnv: fix dumpdtb option") Fixes: b7460b0d546ec0e ("ppc/pnv: fix dumpdtb option") in 10.0.x series Signed-off-by: Shivang Upadhyay Tested-by: Nathan Chancellor Reviewed-by: Aditya Gupta Reviewed-by: Peter Maydell Message-ID: <20260327124136.983955-1-shivangu@linux.ibm.com> Signed-off-by: Philippe Mathieu-Daud=C3=A9 (cherry picked from commit ba48bff09fa1fea8030eb26f2bc0add8c3549bb7) Signed-off-by: Michael Tokarev diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c index 9f9f3ce4ac..e510a1cae1 100644 --- a/hw/ppc/pnv.c +++ b/hw/ppc/pnv.c @@ -716,31 +716,10 @@ static void pnv_powerdown_notify(Notifier *n, void *o= paque) =20 static void pnv_reset(MachineState *machine, ResetType type) { - PnvMachineState *pnv =3D PNV_MACHINE(machine); - IPMIBmc *bmc; void *fdt; =20 qemu_devices_reset(type); =20 - /* - * The machine should provide by default an internal BMC simulator. - * If not, try to use the BMC device that was provided on the command - * line. - */ - bmc =3D pnv_bmc_find(&error_fatal); - if (!pnv->bmc) { - if (!bmc) { - if (!qtest_enabled()) { - warn_report("machine has no BMC device. Use '-device " - "ipmi-bmc-sim,id=3Dbmc0 -device isa-ipmi-bt,bm= c=3Dbmc0,irq=3D10' " - "to define one"); - } - } else { - pnv_bmc_set_pnor(bmc, pnv->pnor); - pnv->bmc =3D bmc; - } - } - fdt =3D machine->fdt; cpu_physical_memory_write(PNV_FDT_ADDR, fdt, fdt_totalsize(fdt)); } 
@@ -916,6 +895,37 @@ static uint64_t pnv_chip_get_ram_size(PnvMachineState = *pnv, int chip_id) return chip_id =3D=3D 0 ? 1 * GiB : QEMU_ALIGN_DOWN(ram_per_chip, 1 * = MiB); } =20 +static void pnv_machine_init_done(Notifier *notifier, void *data) +{ + PnvMachineState *pnv =3D container_of(notifier, PnvMachineState, machi= ne_init_done); + MachineState *machine =3D MACHINE(pnv); + IPMIBmc *bmc; + + /* + * The machine should provide by default an internal BMC simulator. + * If not, try to use the BMC device that was provided on the command + * line. + */ + bmc =3D pnv_bmc_find(&error_fatal); + if (!pnv->bmc) { + if (!bmc) { + if (!qtest_enabled()) { + warn_report("machine has no BMC device. Use '-device " + "ipmi-bmc-sim,id=3Dbmc0 -device isa-ipmi-bt,bm= c=3Dbmc0,irq=3D10' " + "to define one"); + } + } else { + pnv_bmc_set_pnor(bmc, pnv->pnor); + pnv->bmc =3D bmc; + } + } + + if (!machine->fdt) { + machine->fdt =3D pnv_dt_create(machine); + _FDT((fdt_pack(machine->fdt))); + } +} + static void pnv_init(MachineState *machine) { const char *bios_name =3D machine->firmware ?: FW_FILE_NAME; @@ -1191,10 +1201,8 @@ static void pnv_init(MachineState *machine) pmc->i2c_init(pnv); } =20 - if (!machine->fdt) { - machine->fdt =3D pnv_dt_create(machine); - _FDT((fdt_pack(machine->fdt))); - } + pnv->machine_init_done.notify =3D pnv_machine_init_done; + qemu_add_machine_init_done_notifier(&pnv->machine_init_done); } =20 /* diff --git a/include/hw/ppc/pnv.h b/include/hw/ppc/pnv.h index d8fca079f2..cf3bb46693 100644 --- a/include/hw/ppc/pnv.h +++ b/include/hw/ppc/pnv.h 
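Review bot: pnv_machine_init_done() has no header comment saying why the BMC lookup and device-tree creation now live in a notifier, although pnv_reset() in the first hunk of this patch depends on it having populated `machine->fdt`. Something like `/* Runs once all devices are realized: picks up a BMC given with -device and builds machine->fdt, which pnv_reset() copies to guest memory */` would record the ordering requirement from the commit message in the code. The `container_of(notifier, PnvMachineState, machine_init_done)` declaration also looks longer than 80 columns and could be wrapped after the `=`.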
@@ -106,6 +106,8 @@ struct PnvMachineState { =20 bool big_core; bool lpar_per_core; + + Notifier machine_init_done; }; =20 PnvChip *pnv_get_chip(PnvMachineState *pnv, uint32_t chip_id); --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619401; cv=none; d=zohomail.com; s=zohoarc; b=gVLc33wtVxmee09P61KvnZUQ+bNJe9WWtBYrYg7s5kea1LTAmKbbh9LyGJtf35vdnxqTq7mtHuN1sGlVTUaP9VAwhRcg5duQclaY9WruhYlOb/dju+qdK5Flmltpa825fUJxxPqrbw17AVVbt7jsfC74IojJ05EA44mlUHcTg7Q= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619401; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=+u3s007+dLCDxBlnuq6hNhiQBS4vzgRz0r0nQgTxh7Y=; b=l7fzEcjDpJlBj5iR8D2LPWGfnlQWXwqy8LscGGz96qQ8KDIv0s7iczotPKZRUCGe8NE4YQdNLx7mE5g30eLvyl8Ll4W3CdaGp92Sy2cMiblOBqRp96DHKcXBTXfHP55dPUftbF+tLYD8C8tjOXv13QYPUfcUjwxzl/UVx0M7Y18= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619397832900.9722184894987; Tue, 12 May 2026 13:56:37 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu8v-0004Kk-US; Tue, 12 May 2026 16:55:54 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) 
(envelope-from ) id 1wMu8c-00046W-Oy; Tue, 12 May 2026 16:55:38 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8a-000384-8R; Tue, 12 May 2026 16:55:33 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 2625E1AA2D8; Tue, 12 May 2026 23:54:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 32F1A3ABC49; Tue, 12 May 2026 23:54:38 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619274; bh=lekVdSW+GZE5VxPi+wE6oP1a1indjyHR7rqj1m9TbZ8=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=U8S7X2Pf1YOCI/hv6io2LaUUfq+YgkzMqkrvBHp+9oIRULqonaW41ujkF5LPZ6Av5 NfZZi1PBExmDC9KPOKi+LihjPvr8/27q7w1e9cHsuJdcymsIEDX8deOg7ao8L3LpQO mzKjslYL4U/3ilUlK5sjJixP5uTc8FQmE5+LZMJdM8QMhcSkvt8uAh0uqka1L2HbLq QK5l3E3Lv7VbOippAtr8gjHf3xPvMWSIxhNIfABvvXp9Yolw6RI8IfgM7rkCXSNqHd i1o1YItsxHso8spBQeIzSLu6aNkU9w9L6g1oV/xTU8YbJ4i6C02apH/Tpuh/gjM12h hNtVp9SbZwFbg== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Fabiano Rosas , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.10 012/107] io: Fix TLS bye task leak Date: Tue, 12 May 2026 23:52:59 +0300 Message-ID: <20260512205437.360850-12-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619403547158500 
From: Fabiano Rosas Recent fixes to TLS tasks memory handling have left the TLS bye task uncovered. Fix by freeing the task in the same way the handshake task is freed. Direct leak of 704 byte(s) in 4 object(s) allocated from: #1 0x7f5909b1d6a0 in g_malloc0 ../glib/gmem.c:163 #2 0x557650496d61 in qio_task_new ../io/task.c:58:12 #3 0x557650475d7f in qio_channel_tls_bye ../io/channel-tls.c:352:12 #4 0x55764f7a1bb4 in migration_tls_channel_end ../migration/tls.c:159:5 #5 0x55764f709750 in migration_ioc_shutdown_gracefully ../migration/mul= tifd.c:462:9 #6 0x55764f6fcf53 in multifd_send_terminate_threads ../migration/multif= d.c:493:13 #7 0x55764f6fcafb in multifd_send_shutdown ../migration/multifd.c:580:5 #8 0x55764f6e1b14 in migration_cleanup ../migration/migration.c:1323:9 #9 0x55764f6f5bac in migration_cleanup_bh ../migration/migration.c:1350= :5 Fixes: d39d0f3acd ("io: fix cleanup for TLS I/O source data on cancellation= ") Fixes: 1b63062f57 ("io: fix cleanup for TLS I/O source data on cancellation= ") in 10.0.x series Reviewed-by: Daniel P. Berrang=C3=A9 Acked-by: Daniel P. Berrang=C3=A9 Link: https://lore.kernel.org/qemu-devel/20260311213418.16951-3-farosas@sus= e.de Signed-off-by: Fabiano Rosas (cherry picked from commit c20f143cc9fb9b1c79627d9f2ecb8daf771bdb4a) Signed-off-by: Michael Tokarev diff --git a/io/channel-tls.c b/io/channel-tls.c index 329ef6759f..d25a55c107 100644 --- a/io/channel-tls.c +++ b/io/channel-tls.c 
@@ -347,7 +347,9 @@ void qio_channel_tls_bye(QIOChannelTLS *ioc, Error **er= rp) task =3D qio_task_new(OBJECT(ioc), propagate_error, errp, NULL); =20 trace_qio_channel_tls_bye_start(ioc); - qio_channel_tls_bye_task(ioc, task, NULL); + if (qio_channel_tls_bye_task(ioc, task, NULL)) { + qio_task_free(task); + } } =20 static void qio_channel_tls_init(Object *obj G_GNUC_UNUSED) --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619542; cv=none; d=zohomail.com; s=zohoarc; b=j8rV3DAKFnmZz6PIyDY/5aUabLBQRo9vhnLq5K2hBeXT7K6+keGarh5+nvxDlh1nGfK0r3vQMMMP4SEmy/lrcfKi94gjnwieRRnIF0g16ztJk56lCKtsxAGXmessgLaSrmLHde5wXcV7xdKKq0kfFu4RtbLcwmU921myI4YyMuk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619542; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=0Q4cykVh2n5F+oV2lqFanLFejQIylNVUK5nIp6oa82A=; b=DvcXijR3/1FkuJgkQiCBaKGqGc0hC2eXWoIZh0aCqVI+n+2o+FUjz02GeyVzQJa5gIiJ2lcuEntptNSZKvdKKq2UyynKWEciaOriYXqp33dIJW7b+1DbXofKs5q2aQq6/eNuJVm2JzPjxmiXbAW/FVQHSS19WR9RuMRa204pXqA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619542121824.6644425537839; Tue, 12 May 2026 13:59:02 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 
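Review bot: The ownership rule behind the new `qio_task_free(task)` is implicit: the task is freed only when qio_channel_tls_bye_task() returns true, and what that return value means is defined outside this hunk. A one-line comment such as `/* true: no I/O watch took ownership, so the task is still ours to free */` (wording to be confirmed against qio_channel_tls_bye_task()) would protect against a later change to the return convention turning this back into a leak, or into a double free. qio_channel_tls_bye() starts outside the hunk.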
1wMu93-0004iI-Gu; Tue, 12 May 2026 16:56:01 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8f-00046a-2S; Tue, 12 May 2026 16:55:38 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8c-00038F-O7; Tue, 12 May 2026 16:55:36 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 355661AA2D9; Tue, 12 May 2026 23:54:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 4111C3ABC4A; Tue, 12 May 2026 23:54:38 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619274; bh=yBUf5mPDddwteeja6RTb3Z3+b9mfjiSs70Ddir/gUGw=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=bHOvzH++xhAx8AdkLQGjdOfg1CiYsBRDLfxQFDmzWJU9mQnKsvlw+1VFshTngGiGq /CTKAmIhQMMtWmMI0EnnnIsEQmlCiqNZoVsvgHUzFfPSc5WIuBRVLW/lnc26fZPKf7 6tfSDeGMmga3qdhkvJEtUnY8uB8SEfHUfGmH6UVkZhXc5sOSNel8t+iA4C+2kRj7Hf IOnoxUJxaerF/FDTs6FVYxUwSY0fB/7SGjupjTH9BzZspF8kCubbNN2qVgZaYhhnCB wVVqEKiwaunjpNzQJg8sGucDD/f/sANb616+YJr8iTlRSNlg4wM++N9l+lNLYd6Z7k EWjGA9a/bbwAQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , Zero Day Initiative , Akihiko Odaki , Michael Tokarev Subject: [Stable-10.0.10 013/107] virtio-gpu: fix overflow check when allocating 2d image Date: Tue, 12 May 2026 23:53:00 +0300 Message-ID: <20260512205437.360850-13-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619542730158500 
From: Marc-Andr=C3=A9 Lureau The calc_image_hostmem() comment says pixman_image_create_bits() checks for overflow. However, this relied on the facts that "bits" was NULL and it performed it when it was introduced. Since commit 9462ff4695aa, the "bits" argument can be provided and the check is no longer applied. Promotes the computation to uint64_t and adds an explicit overflow check to avoid potential later OOB read/write on the image data. Fixes: CVE-2026-3886 Fixes: ZDI-CAN-27578 Fixes: 9462ff4695aa ("virtio-gpu/win32: allocate shareable 2d resources/ima= ges") Reported-by: Zero Day Initiative Signed-off-by: Marc-Andr=C3=A9 Lureau Reviewed-by: Akihiko Odaki Message-Id: <20260311-cve-v1-1-f72b4c7c1ab2@redhat.com> (cherry picked from commit c035d5eadf400670593a76778f98f052d7482968) (Mjt: adjust context for 10.0.x) Signed-off-by: Michael Tokarev diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c index 7ab5221fbc..0d1e991e1c 100644 --- a/hw/display/virtio-gpu.c +++ b/hw/display/virtio-gpu.c @@ -227,16 +227,20 @@ void virtio_gpu_get_edid(VirtIOGPU *g, virtio_gpu_ctrl_response(g, cmd, &edid.hdr, sizeof(edid)); } =20 -static uint32_t calc_image_hostmem(pixman_format_code_t pformat, - uint32_t width, uint32_t height) +static bool calc_image_hostmem(pixman_format_code_t pformat, + uint32_t width, uint32_t height, + uint32_t *hostmem) { - /* Copied from pixman/pixman-bits-image.c, skip integer overflow check. - * pixman_image_create_bits will fail in case it overflow. - */ + uint64_t bpp =3D PIXMAN_FORMAT_BPP(pformat); + uint64_t stride =3D (((uint64_t)width * bpp + 0x1f) >> 5) * sizeof(uin= t32_t); + uint64_t size =3D (uint64_t)height * stride; =20 - int bpp =3D PIXMAN_FORMAT_BPP(pformat); - int stride =3D ((width * bpp + 0x1f) >> 5) * sizeof(uint32_t); - return height * stride; + if (size > UINT32_MAX) { + return false; + } + + *hostmem =3D size; + return true; } =20 static void virtio_gpu_resource_create_2d(VirtIOGPU *g, 
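Review bot: Widening to uint64_t does not fully close the overflow in calc_image_hostmem(): `stride` is computed in 64 bits but never bounded, so `(uint64_t)height * stride` can itself wrap when both dimensions are very large (for a 32-bpp format the stride alone can need more than 32 bits), and a wrapped product could then pass the `size > UINT32_MAX` test. Rejecting the stride first keeps the product below 2^64: add `if (stride > UINT32_MAX) { return false; }` and compute `size` only after it. Whether width and height are capped before the two call sites (the hunks at @@ -283 and @@ -1309, the latter presumably fed from the migration stream) is not visible here, so the helper should not rely on it. A unit test with maximal dimensions for the helper would pin the behaviour.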
@@ -245,6 +249,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g, pixman_format_code_t pformat; struct virtio_gpu_simple_resource *res; struct virtio_gpu_resource_create_2d c2d; + uint32_t hostmem; =20 VIRTIO_GPU_FILL_CMD(c2d); virtio_gpu_bswap_32(&c2d, sizeof(c2d)); @@ -283,7 +288,12 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g, return; } =20 - res->hostmem =3D calc_image_hostmem(pformat, c2d.width, c2d.height); + if (!calc_image_hostmem(pformat, c2d.width, c2d.height, &hostmem)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: image dimensions overflow\n", + __func__); + goto end; + } + res->hostmem =3D hostmem; if (res->hostmem + g->hostmem < g->conf_max_hostmem) { if (!qemu_pixman_image_new_shareable( &res->image, @@ -1283,7 +1293,7 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque,= size_t size, { VirtIOGPU *g =3D opaque; struct virtio_gpu_simple_resource *res; - uint32_t resource_id, pformat; + uint32_t resource_id, pformat, hostmem; int i; =20 g->hostmem =3D 0; 
@@ -1309,7 +1319,11 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque= , size_t size, return -EINVAL; } =20 - res->hostmem =3D calc_image_hostmem(pformat, res->width, res->heig= ht); + if (!calc_image_hostmem(pformat, res->width, res->height, &hostmem= )) { + g_free(res); + return -EINVAL; + } + res->hostmem =3D hostmem; if (!qemu_pixman_image_new_shareable(&res->image, &res->share_handle, "virtio-gpu res", --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619369; cv=none; d=zohomail.com; s=zohoarc; b=E5GNvdyF8jTdr9xYnW4HeJZk0AuvT71y5IDfsNKX5z+/JnmVa9e0X24B2wd5AVR2PtWAD0pxDWegaUQV5FcpDwyanmbnJ0YX5Sq3kp+1P872SsUEDd1ToIHHjHOO8JAIcZtm7GziE4wKyDSoz06puJrO61S50UVp0c77o5verKc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619369; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=vPoPVrPzrA7uiwItmG3nswkeo3dE1VcNRtk/quE3ycM=; b=Bf9p7wY/gM7RF+13z9XHbCNSVXr5Sc/9fXLkV+aP8sJ2U0SBROZjL19/fakMxmgzk6kIoc+Elx4/5bXRYX9wRgxyaBJfQz3DBLkGTmo9z7AvZh7VEeomTMKWakL8oneE40HbX0Zq7e84zYa431HOvUd1xb7mFpulsqOEAkx/yOE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619369249676.2635394288721; Tue, 12 May 2026 13:56:09 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 
4.90_1) (envelope-from ) id 1wMu99-0004xx-7v; Tue, 12 May 2026 16:56:07 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu94-0004p3-P0; Tue, 12 May 2026 16:56:02 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu8z-00038j-Pn; Tue, 12 May 2026 16:56:02 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 45DFB1AA2DA; Tue, 12 May 2026 23:54:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 50EE83ABC4B; Tue, 12 May 2026 23:54:38 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619274; bh=iS6yg6kd9P5LPm70u83D6gfXlRMV2TMAxGmVnErLYno=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=SgqQbhVebyfZAYGLcOJoKOsO6wWkUSxLOh8L3CMopV4z7AXvgEiBI8pXaq4f4azPv Ch9zHbcw5x3ed96Rmv4yAt1JTUbo5rIxR+dZvJ5Hj/kY/EgKmk0nSc/dIjuVh0lXKh UsSOgIS/eJhrLOmh2OsVKIgvDpsgQk0aV+aN7WJGqv0buYQtwZTpTjZ6+KKqb1PEU/ qBuGHa5KPWjTQEjY5YPg2HFSPu+1BQSrlvPjOG9OyWwDDfO85igFaYr50PmmyyJ7BL +ONwbnVE+kTRONqxzIZJhlkJIQkMX91WEOcmGqZBoR92K3hTKqkJbT9H45EOluaGhF wSPWy0gpB+7aw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Wesley Hershberger , Kevin Wolf , Vladimir Sementsov-Ogievskiy , Michael Tokarev Subject: [Stable-10.0.10 014/107] block: Drop detach_subchain for bdrv_replace_node Date: Tue, 12 May 2026 23:53:01 +0300 Message-ID: <20260512205437.360850-14-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619373524154100 Content-Type: text/plain; charset="utf-8" 
From: Wesley Hershberger Detaching filters using detach_subchain=3Dtrue can cause segfaults as described in #3149. More specifically, this was observed when executing concurrent block-stream and query-named-block-nodes. block-stream adds a copy-on-read filter as the main BDS for the blockjob; that filter was dropped with detach_subchain=3Dtrue but not unref'd until the blockjob was free'd. Because query-named-block-nodes assumes that a filter will always have exactly one child, it caused a segfault when it observed the detached filter. Stacktrace: 0 bdrv_refresh_filename (bs=3D0x5efed72f8350) at /usr/src/qemu-1:10.1.0+ds-5ubuntu2/b/qemu/block.c:8082 1 0x00005efea73cf9dc in bdrv_block_device_info (blk=3D0x0, bs=3D0x5efed72f8350, flat=3Dtrue, errp=3D0x7ffeb829ebd8) at block/qapi.c:62 2 0x00005efea7391ed3 in bdrv_named_nodes_list (flat=3D, errp=3D0x7ffeb829ebd8) at /usr/src/qemu-1:10.1.0+ds-5ubuntu2/b/qemu/block.c:6275 3 0x00005efea7471993 in qmp_query_named_block_nodes (has_flat=3D, flat=3D, errp=3D0x7ffeb829e= bd8) at /usr/src/qemu-1:10.1.0+ds-5ubuntu2/b/qemu/blockdev.c:2834 4 qmp_marshal_query_named_block_nodes (args=3D, ret=3D0x7f2b753beec0, errp=3D0x7f2b753beec8) at qapi/qapi-commands-block-core.c:553 5 0x00005efea74f03a5 in do_qmp_dispatch_bh (opaque=3D0x7f2b753beed0) at qapi/qmp-dispatch.c:128 6 0x00005efea75108e6 in aio_bh_poll (ctx=3D0x5efed6f3f430) at util/async.c:219 7 0x00005efea74ffdb2 in aio_dispatch (ctx=3D0x5efed6f3f430) at util/aio-posix.c:436 8 0x00005efea7512846 in aio_ctx_dispatch (source=3D, callback=3D,user_data=3D) at util/async.c:361 9 0x00007f2b77809bfb in ?? 
() from /lib/x86_64-linux-gnu/libglib-2.0.so.0 10 0x00007f2b77809e70 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 11 0x00005efea7517228 in glib_pollfds_poll () at util/main-loop.c:287 12 os_host_main_loop_wait (timeout=3D0) at util/main-loop.c:310 13 main_loop_wait (nonblocking=3D) at util/main-loop.c:589 14 0x00005efea7140482 in qemu_main_loop () at system/runstate.c:905 15 0x00005efea744e4e8 in qemu_default_main (opaque=3Dopaque@entry=3D0x0) at system/main.c:50 16 0x00005efea6e76319 in main (argc=3D, argv=3D) at system/main.c:93 As discussed in 20251024-second-fix-3149-v1-1-d997fa3d5ce2@canonical.com, a filter should not exist without children in the first place; therefore, drop the parameter entirely as it is only used for filters. This is a partial revert of 3108a15cf09865456d499b08fe14e3dbec4ccbb3. After this change, a blockdev-backup job's copy-before-write filter will hold references to its children until the filter is unref'd. This causes an additional flush during bdrv_close, so also update iotest 257. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3149 Suggested-by: Kevin Wolf Signed-off-by: Wesley Hershberger Reviewed-by: Vladimir Sementsov-Ogievskiy Message-ID: <20251029-third-fix-3149-v2-1-94932bb404f4@canonical.com> Reviewed-by: Kevin Wolf Signed-off-by: Kevin Wolf (cherry picked from commit 9dbfd4e28dd11a83f54c371fade8d49a63d6dc1e) Signed-off-by: Michael Tokarev diff --git a/block.c b/block.c index 0ece805e41..1c1c19d04a 100644 --- a/block.c +++ b/block.c 
@@ -5377,17 +5377,13 @@ bdrv_replace_node_noperm(BlockDriverState *from, * * With auto_skip=3Dfalse the error is returned if from has a parent which= should * not be updated. - * - * With @detach_subchain=3Dtrue @to must be in a backing chain of @from. I= n this - * case backing link of the cow-parent of @to is removed. */ static int GRAPH_WRLOCK bdrv_replace_node_common(BlockDriverState *from, BlockDriverState *to, - bool auto_skip, bool detach_subchain, Error **err= p) + bool auto_skip, Error **errp) { Transaction *tran =3D tran_new(); g_autoptr(GSList) refresh_list =3D NULL; - BlockDriverState *to_cow_parent =3D NULL; int ret; =20 GLOBAL_STATE_CODE(); @@ -5396,17 +5392,6 @@ bdrv_replace_node_common(BlockDriverState *from, Blo= ckDriverState *to, assert(to->quiesce_counter); assert(bdrv_get_aio_context(from) =3D=3D bdrv_get_aio_context(to)); =20 - if (detach_subchain) { - assert(bdrv_chain_contains(from, to)); - assert(from !=3D to); - for (to_cow_parent =3D from; - bdrv_filter_or_cow_bs(to_cow_parent) !=3D to; - to_cow_parent =3D bdrv_filter_or_cow_bs(to_cow_parent)) - { - ; - } - } - /* * Do the replacement without permission update. * Replacement may influence the permissions, we should calculate new @@ -5418,11 +5403,6 @@ bdrv_replace_node_common(BlockDriverState *from, Blo= ckDriverState *to, goto out; } =20 - if (detach_subchain) { - /* to_cow_parent is already drained because from is drained */ - bdrv_remove_child(bdrv_filter_or_cow_child(to_cow_parent), tran); - } - refresh_list =3D g_slist_prepend(refresh_list, to); refresh_list =3D g_slist_prepend(refresh_list, from); =20 @@ -5441,7 +5421,7 @@ out: int bdrv_replace_node(BlockDriverState *from, BlockDriverState *to, Error **errp) { - return bdrv_replace_node_common(from, to, true, false, errp); + return bdrv_replace_node_common(from, to, true, errp); } =20 int bdrv_drop_filter(BlockDriverState *bs, Error **errp) 
@@ -5457,7 +5437,7 @@ int bdrv_drop_filter(BlockDriverState *bs, Error **er= rp) =20 bdrv_drained_begin(child_bs); bdrv_graph_wrlock(); - ret =3D bdrv_replace_node_common(bs, child_bs, true, true, errp); + ret =3D bdrv_replace_node_common(bs, child_bs, true, errp); bdrv_graph_wrunlock(); bdrv_drained_end(child_bs); =20 @@ -5914,17 +5894,7 @@ int bdrv_drop_intermediate(BlockDriverState *top, Bl= ockDriverState *base, updated_children =3D g_slist_prepend(updated_children, c); } =20 - /* - * It seems correct to pass detach_subchain=3Dtrue here, but it trigge= rs - * one more yet not fixed bug, when due to nested aio_poll loop we swi= tch to - * another drained section, which modify the graph (for example, remov= ing - * the child, which we keep in updated_children list). So, it's a TODO. - * - * Note, bug triggered if pass detach_subchain=3Dtrue here and run - * test-bdrv-drain. test_drop_intermediate_poll() test-case will crash. - * That's a FIXME. - */ - bdrv_replace_node_common(top, base, false, false, &local_err); + bdrv_replace_node_common(top, base, false, &local_err); bdrv_graph_wrunlock(); =20 if (local_err) { diff --git a/tests/qemu-iotests/257 b/tests/qemu-iotests/257 index 7d3720b8e5..cd0468aaa1 100755 --- a/tests/qemu-iotests/257 +++ b/tests/qemu-iotests/257 @@ -310,14 +310,18 @@ def test_bitmap_sync(bsync_mode, msync_mode=3D'bitmap= ', failure=3DNone): 'state': 1, 'new_state': 2 }, { - 'event': 'read_aio', + 'event': 'flush_to_disk', 'state': 2, 'new_state': 3 + }, { + 'event': "read_aio", + 'state': 3, + 'new_state': 4 }], 'inject-error': [{ 'event': 'read_aio', 'errno': 5, - 'state': 3, + 'state': 4, 'immediately': False, 'once': True }] diff --git a/tests/qemu-iotests/257.out b/tests/qemu-iotests/257.out index c33dd7f3a9..fb28333cb2 100644 --- a/tests/qemu-iotests/257.out +++ b/tests/qemu-iotests/257.out 
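Review bot: Nothing in the code records the invariant this change relies on, namely that a dropped filter keeps its child until the filter itself is unref'd; the call in bdrv_drop_filter is the natural place to say so. A comment such as `/* The filter keeps its child until it is unref'd; a filter node must never be left without a child. */` above `ret = bdrv_replace_node_common(bs, child_bs, true, errp);` would keep a later change from reintroducing the detach. The commit message attributes the crash to query-named-block-nodes observing a childless filter, so checking that assumption on the reader side may also be worthwhile, though that code is outside this patch. bdrv_drop_filter's body starts and ends outside the hunk.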
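Review bot: The added entry is written as `'event': "read_aio",` with double quotes, while every other key and value in this dict literal uses single quotes, including the `'event': 'flush_to_disk',` line added just above it. Writing it as `'event': 'read_aio',` keeps the block consistent. test_bitmap_sync's body extends beyond the hunk.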
@@ -272,7 +272,7 @@ qemu_img compare "TEST_DIR/PID-img" "TEST_DIR/PID-fback= up2" =3D=3D> Identical, OK! =20 --- Preparing image & VM --- =20 -{"execute": "blockdev-add", "arguments": {"driver": "qcow2", "file": {"dri= ver": "blkdebug", "image": {"driver": "file", "filename": "TEST_DIR/PID-img= "}, "inject-error": [{"errno": 5, "event": "read_aio", "immediately": false= , "once": true, "state": 3}], "set-state": [{"event": "flush_to_disk", "new= -state": 2, "state": 1}, {"event": "read_aio", "new-state": 3, "state": 2}]= }, "node-name": "drive0"}} +{"execute": "blockdev-add", "arguments": {"driver": "qcow2", "file": {"dri= ver": "blkdebug", "image": {"driver": "file", "filename": "TEST_DIR/PID-img= "}, "inject-error": [{"errno": 5, "event": "read_aio", "immediately": false= , "once": true, "state": 4}], "set-state": [{"event": "flush_to_disk", "new= -state": 2, "state": 1}, {"event": "flush_to_disk", "new-state": 3, "state"= : 2}, {"event": "read_aio", "new-state": 4, "state": 3}]}, "node-name": "dr= ive0"}} {"return": {}} =20 --- Write #0 --- 
@@ -1017,7 +1017,7 @@ qemu_img compare "TEST_DIR/PID-img" "TEST_DIR/PID-fba= ckup2" =3D=3D> Identical, OK! =20 --- Preparing image & VM --- =20 -{"execute": "blockdev-add", "arguments": {"driver": "qcow2", "file": {"dri= ver": "blkdebug", "image": {"driver": "file", "filename": "TEST_DIR/PID-img= "}, "inject-error": [{"errno": 5, "event": "read_aio", "immediately": false= , "once": true, "state": 3}], "set-state": [{"event": "flush_to_disk", "new= -state": 2, "state": 1}, {"event": "read_aio", "new-state": 3, "state": 2}]= }, "node-name": "drive0"}} +{"execute": "blockdev-add", "arguments": {"driver": "qcow2", "file": {"dri= ver": "blkdebug", "image": {"driver": "file", "filename": "TEST_DIR/PID-img= "}, "inject-error": [{"errno": 5, "event": "read_aio", "immediately": false= , "once": true, "state": 4}], "set-state": [{"event": "flush_to_disk", "new= -state": 2, "state": 1}, {"event": "flush_to_disk", "new-state": 3, "state"= : 2}, {"event": "read_aio", "new-state": 4, "state": 3}]}, "node-name": "dr= ive0"}} {"return": {}} =20 --- Write #0 --- 
@@ -1762,7 +1762,7 @@ qemu_img compare "TEST_DIR/PID-img" "TEST_DIR/PID-fba= ckup2" =3D=3D> Identical, OK! =20 --- Preparing image & VM --- =20 -{"execute": "blockdev-add", "arguments": {"driver": "qcow2", "file": {"dri= ver": "blkdebug", "image": {"driver": "file", "filename": "TEST_DIR/PID-img= "}, "inject-error": [{"errno": 5, "event": "read_aio", "immediately": false= , "once": true, "state": 3}], "set-state": [{"event": "flush_to_disk", "new= -state": 2, "state": 1}, {"event": "read_aio", "new-state": 3, "state": 2}]= }, "node-name": "drive0"}} +{"execute": "blockdev-add", "arguments": {"driver": "qcow2", "file": {"dri= ver": "blkdebug", "image": {"driver": "file", "filename": "TEST_DIR/PID-img= "}, "inject-error": [{"errno": 5, "event": "read_aio", "immediately": false= , "once": true, "state": 4}], "set-state": [{"event": "flush_to_disk", "new= -state": 2, "state": 1}, {"event": "flush_to_disk", "new-state": 3, "state"= : 2}, {"event": "read_aio", "new-state": 4, "state": 3}]}, "node-name": "dr= ive0"}} {"return": {}} =20 --- Write #0 --- 
@@ -2507,7 +2507,7 @@ qemu_img compare "TEST_DIR/PID-img" "TEST_DIR/PID-fba= ckup2" =3D=3D> Identical, OK! =20 --- Preparing image & VM --- =20 -{"execute": "blockdev-add", "arguments": {"driver": "qcow2", "file": {"dri= ver": "blkdebug", "image": {"driver": "file", "filename": "TEST_DIR/PID-img= "}, "inject-error": [{"errno": 5, "event": "read_aio", "immediately": false= , "once": true, "state": 3}], "set-state": [{"event": "flush_to_disk", "new= -state": 2, "state": 1}, {"event": "read_aio", "new-state": 3, "state": 2}]= }, "node-name": "drive0"}} +{"execute": "blockdev-add", "arguments": {"driver": "qcow2", "file": {"dri= ver": "blkdebug", "image": {"driver": "file", "filename": "TEST_DIR/PID-img= "}, "inject-error": [{"errno": 5, "event": "read_aio", "immediately": false= , "once": true, "state": 4}], "set-state": [{"event": "flush_to_disk", "new= -state": 2, "state": 1}, {"event": "flush_to_disk", "new-state": 3, "state"= : 2}, {"event": "read_aio", "new-state": 4, "state": 3}]}, "node-name": "dr= ive0"}} {"return": {}} =20 --- Write #0 --- 
@@ -3252,7 +3252,7 @@ qemu_img compare "TEST_DIR/PID-img" "TEST_DIR/PID-fba= ckup2" =3D=3D> Identical, OK! =20 --- Preparing image & VM --- =20 -{"execute": "blockdev-add", "arguments": {"driver": "qcow2", "file": {"dri= ver": "blkdebug", "image": {"driver": "file", "filename": "TEST_DIR/PID-img= "}, "inject-error": [{"errno": 5, "event": "read_aio", "immediately": false= , "once": true, "state": 3}], "set-state": [{"event": "flush_to_disk", "new= -state": 2, "state": 1}, {"event": "read_aio", "new-state": 3, "state": 2}]= }, "node-name": "drive0"}} +{"execute": "blockdev-add", "arguments": {"driver": "qcow2", "file": {"dri= ver": "blkdebug", "image": {"driver": "file", "filename": "TEST_DIR/PID-img= "}, "inject-error": [{"errno": 5, "event": "read_aio", "immediately": false= , "once": true, "state": 4}], "set-state": [{"event": "flush_to_disk", "new= -state": 2, "state": 1}, {"event": "flush_to_disk", "new-state": 3, "state"= : 2}, {"event": "read_aio", "new-state": 4, "state": 3}]}, "node-name": "dr= ive0"}} {"return": {}} =20 --- Write #0 --- 
@@ -3997,7 +3997,7 @@ qemu_img compare "TEST_DIR/PID-img" "TEST_DIR/PID-fba= ckup2" =3D=3D> Identical, OK! =20 --- Preparing image & VM --- =20 -{"execute": "blockdev-add", "arguments": {"driver": "qcow2", "file": {"dri= ver": "blkdebug", "image": {"driver": "file", "filename": "TEST_DIR/PID-img= "}, "inject-error": [{"errno": 5, "event": "read_aio", "immediately": false= , "once": true, "state": 3}], "set-state": [{"event": "flush_to_disk", "new= -state": 2, "state": 1}, {"event": "read_aio", "new-state": 3, "state": 2}]= }, "node-name": "drive0"}} +{"execute": "blockdev-add", "arguments": {"driver": "qcow2", "file": {"dri= ver": "blkdebug", "image": {"driver": "file", "filename": "TEST_DIR/PID-img= "}, "inject-error": [{"errno": 5, "event": "read_aio", "immediately": false= , "once": true, "state": 4}], "set-state": [{"event": "flush_to_disk", "new= -state": 2, "state": 1}, {"event": "flush_to_disk", "new-state": 3, "state"= : 2}, {"event": "read_aio", "new-state": 4, "state": 3}]}, "node-name": "dr= ive0"}} {"return": {}} =20 --- Write #0 --- 
@@ -4742,7 +4742,7 @@ qemu_img compare "TEST_DIR/PID-img" "TEST_DIR/PID-fba= ckup2" =3D=3D> Identical, OK! =20 --- Preparing image & VM --- =20 -{"execute": "blockdev-add", "arguments": {"driver": "qcow2", "file": {"dri= ver": "blkdebug", "image": {"driver": "file", "filename": "TEST_DIR/PID-img= "}, "inject-error": [{"errno": 5, "event": "read_aio", "immediately": false= , "once": true, "state": 3}], "set-state": [{"event": "flush_to_disk", "new= -state": 2, "state": 1}, {"event": "read_aio", "new-state": 3, "state": 2}]= }, "node-name": "drive0"}} +{"execute": "blockdev-add", "arguments": {"driver": "qcow2", "file": {"dri= ver": "blkdebug", "image": {"driver": "file", "filename": "TEST_DIR/PID-img= "}, "inject-error": [{"errno": 5, "event": "read_aio", "immediately": false= , "once": true, "state": 4}], "set-state": [{"event": "flush_to_disk", "new= -state": 2, "state": 1}, {"event": "flush_to_disk", "new-state": 3, "state"= : 2}, {"event": "read_aio", "new-state": 4, "state": 3}]}, "node-name": "dr= ive0"}} {"return": {}} =20 --- Write #0 --- --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619749; cv=none; d=zohomail.com; s=zohoarc; b=hhxj4H1vZcls8Ma3Z86wRJBYxnx/MyVBGfCzg3wcFRN6rveCpAXNbupqwb2F6SpsM4uMFo9wRuLkBfW/cNMR8aL0AVhDGprwp5IrbmWKV7rCfZdQp9Udg4irJBbMcSuYsRtj/DgFRUVzf/ECVRT76dEk7V2qcS+kyVasLKHrGss= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619749; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=zLw3CBwdUW1f2EMpNc8Pg0fBNat9mPuy7AxAIWEmwv0=; 
b=mc8ROqpGOGP8GxL9EHOZR5KDo7AjSOq3HTCgm3KKL6zu4caeSWdv4lsDi22pUVwqssA/DnN2THIsE/M6z6LtaSRRPg5ZqfPMYUXY08cG6BuenzVV9mZZZwUagHLLL/6c0Y3dNUXIrlpsJlHQDyIB/vKjgO5f6VQ3Rjqj/87QHgI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619749221805.9414617907822; Tue, 12 May 2026 14:02:29 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu97-0004v5-8M; Tue, 12 May 2026 16:56:05 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu93-0004lK-S9; Tue, 12 May 2026 16:56:01 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu90-00039A-FS; Tue, 12 May 2026 16:56:01 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 55FFD1AA2DB; Tue, 12 May 2026 23:54:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 610B63ABC4C; Tue, 12 May 2026 23:54:38 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619274; bh=LToFnHP4IGVx7WGv/Q89mzg69hdbQi83BH1usxyH5/I=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=sdTO6ZX2+ANcDISMBjzxEfupkDKRmqbzHhOdNKpkmvfzWm4w9sOq/ISp+BTftm4NU /i8Ai6RJ+85IpvP+PB5RpN/qvmMmRKubagdGlT5gLu0/krIS31dnAvqr4xri903lEj MN7vnxEDQ3aBOEQ7/UwQxNl2zAs0y/EjgKpqSq7qDIi+nIrOlaxUq0/6LZoa8m/DQH ydx92KmBXzPqSvchT2uSp8zRs1dUzNuM2NK/1ofmZUXA+60w10A57EssR+YNH3VTNU 
uPp4ng2fa0JU4OO+vdAKbeUoZvQEcLb0EAeOUeBScBSsKWFTpURQ5dhW2a8IOVgN7f zr6z9acxLcRXA== From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Paolo Savini , Daniel Henrique Barboza , Alistair Francis , Michael Tokarev Subject: [Stable-10.0.10 015/107] Expand the probe_pages helper function to handle probe flags. Date: Tue, 12 May 2026 23:53:02 +0300 Message-ID: <20260512205437.360850-15-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619751085158500 Content-Type: text/plain; charset="utf-8" 
From: Paolo Savini This commit expands the probe_pages helper function in target/riscv/vector_helper.c to handle also the cases in which we need acce= ss to the flags raised while probing the memory and the host address. This is done in order to provide a unified interface to probe_access and probe_access_flags. The new version of probe_pages can now act as a regular call to probe_acces= s as before and as a call to probe_access_flags. In the latter case the user nee= d to pass pointers to flags and host address and a boolean value for nonfault. The flags and host address will be set and made available as for a direct c= all to probe_access_flags. Signed-off-by: Paolo Savini Reviewed-by: Daniel Henrique Barboza Message-ID: <20250313123926.374878-2-paolo.savini@embecosm.com> Signed-off-by: Alistair Francis (cherry picked from commit d887736225984fcb3926e3f32f3cdc332c03ba8f) Signed-off-by: Michael Tokarev diff --git a/target/riscv/vector_helper.c b/target/riscv/vector_helper.c index 559c660566..73ec650c32 100644 --- a/target/riscv/vector_helper.c +++ b/target/riscv/vector_helper.c 
@@ -114,25 +114,42 @@ static inline uint32_t vext_max_elems(uint32_t desc, = uint32_t log2_esz) * It will trigger an exception if there is no mapping in TLB * and page table walk can't fill the TLB entry. Then the guest * software can return here after process the exception or never return. + * + * This function can also be used when direct access to probe_access_flags= is + * needed in order to access the flags. If a pointer to a flags operand is + * provided the function will call probe_access_flags instead, use nonfault + * and update host and flags. */ -static void probe_pages(CPURISCVState *env, target_ulong addr, - target_ulong len, uintptr_t ra, - MMUAccessType access_type) +static void probe_pages(CPURISCVState *env, target_ulong addr, target_ulon= g len, + uintptr_t ra, MMUAccessType access_type, int mmu_i= ndex, + void **host, int *flags, bool nonfault) { target_ulong pagelen =3D -(addr | TARGET_PAGE_MASK); target_ulong curlen =3D MIN(pagelen, len); - int mmu_index =3D riscv_env_mmu_index(env, false); =20 - probe_access(env, adjust_addr(env, addr), curlen, access_type, - mmu_index, ra); + if (flags !=3D NULL) { + *flags =3D probe_access_flags(env, adjust_addr(env, addr), curlen, + access_type, mmu_index, nonfault, host= , ra); + } else { + probe_access(env, adjust_addr(env, addr), curlen, access_type, + mmu_index, ra); + } + if (len > curlen) { addr +=3D curlen; curlen =3D len - curlen; - probe_access(env, adjust_addr(env, addr), curlen, access_type, - mmu_index, ra); + if (flags !=3D NULL) { + *flags =3D probe_access_flags(env, adjust_addr(env, addr), cur= len, + access_type, mmu_index, nonfault, + host, ra); + } else { + probe_access(env, adjust_addr(env, addr), curlen, access_type, + mmu_index, ra); + } } } =20 + static inline void vext_set_elem_mask(void *v0, int index, uint8_t value) { 
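Review bot: When the range crosses a page, the second `probe_access_flags` call in probe_pages assigns `*flags` and `*host` again, so the first page's flags are discarded and `host` ends up pointing into the second page rather than at `addr`. A caller that tests `flags == 0` and then accesses memory through `host` would miss a watchpoint or MMIO flag raised on the first page. The callers changed in this patch appear to pass lengths that stop at a page boundary, but the helper accepts any `len`, so merging the flags with `|=` and keeping the first host pointer is the safer contract. The header comment could also state that `host` and `nonfault` are ignored when `flags` is NULL, and the patch leaves a second blank line after the function.

```c
    if (len > curlen) {
        addr += curlen;
        curlen = len - curlen;
        if (flags != NULL) {
            /* Keep the first page's host pointer and merge the flags. */
            void *host2;

            *flags |= probe_access_flags(env, adjust_addr(env, addr), curlen,
                                         access_type, mmu_index, nonfault,
                                         &host2, ra);
        } else {
            /* … unchanged: probe_access on the second page … */
        }
    }
```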
@@ -332,8 +349,8 @@ vext_page_ldst_us(CPURISCVState *env, void *vd, target_= ulong addr, MMUAccessType access_type =3D is_load ? MMU_DATA_LOAD : MMU_DATA_STORE; =20 /* Check page permission/pmp/watchpoint/etc. */ - flags =3D probe_access_flags(env, adjust_addr(env, addr), size, access= _type, - mmu_index, true, &host, ra); + probe_pages(env, addr, size, ra, access_type, mmu_index, &host, &flags, + true); =20 if (flags =3D=3D 0) { if (nf =3D=3D 1) { @@ -632,7 +649,7 @@ vext_ldff(void *vd, void *v0, target_ulong base, CPURIS= CVState *env, uint32_t vma =3D vext_vma(desc); target_ulong addr, addr_probe, addr_i, offset, remain, page_split, ele= ms; int mmu_index =3D riscv_env_mmu_index(env, false); - int flags; + int flags, probe_flags; void *host; =20 VSTART_CHECK_EARLY_EXIT(env, env->vl); @@ -646,15 +663,15 @@ vext_ldff(void *vd, void *v0, target_ulong base, CPUR= ISCVState *env, } =20 /* Check page permission/pmp/watchpoint/etc. */ - flags =3D probe_access_flags(env, adjust_addr(env, addr), elems * msiz= e, - MMU_DATA_LOAD, mmu_index, true, &host, ra); + probe_pages(env, addr, elems * msize, ra, MMU_DATA_LOAD, mmu_index, &h= ost, + &flags, true); =20 /* If we are crossing a page check also the second page. */ if (env->vl > elems) { addr_probe =3D addr + (elems << log2_esz); - flags |=3D probe_access_flags(env, adjust_addr(env, addr_probe), - elems * msize, MMU_DATA_LOAD, mmu_inde= x, - true, &host, ra); + probe_pages(env, addr_probe, elems * msize, ra, MMU_DATA_LOAD, + mmu_index, &host, &probe_flags, true); + flags |=3D probe_flags; } =20 if (flags & ~TLB_WATCHPOINT) { 
@@ -666,16 +683,16 @@ vext_ldff(void *vd, void *v0, target_ulong base, CPUR= ISCVState *env, addr_i =3D adjust_addr(env, base + i * (nf << log2_esz)); if (i =3D=3D 0) { /* Allow fault on first element. */ - probe_pages(env, addr_i, nf << log2_esz, ra, MMU_DATA_LOAD= ); + probe_pages(env, addr_i, nf << log2_esz, ra, MMU_DATA_LOAD, + mmu_index, &host, NULL, false); } else { remain =3D nf << log2_esz; while (remain > 0) { offset =3D -(addr_i | TARGET_PAGE_MASK); =20 /* Probe nonfault on subsequent elements. */ - flags =3D probe_access_flags(env, addr_i, offset, - MMU_DATA_LOAD, mmu_index, t= rue, - &host, 0); + probe_pages(env, addr_i, offset, 0, MMU_DATA_LOAD, + mmu_index, &host, &flags, true); =20 /* * Stop if invalid (unmapped) or mmio (transaction may --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619433; cv=none; d=zohomail.com; s=zohoarc; b=UkC+YDcEhzaHgw4uU/+KNvKxLV6/oZDVKHbiLJHTvAs5uqFrVhM+GX1jYv2wDxyVHsSIhCVbkEiX3INYQ4Sc3wRe532OWYoWaRUKT7SexYNYvneQ3PfFbkCW5hottTat744ozfQgbI7L5dDXloebgyp5jRvCq3XTY1cl5T65tJw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619433; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=O9p6MWUKyYTIPkzq19sdW10hsuwW2phpScKl1GThXC8=; b=RdO+l2DQrTKjAm8yPdtje+y/3e9ZFphAijfI6ZDPaab5M4OpYpsy9BGI6JlrmVcMwvxxCNdMdSMcKaMDxhzUJzjkNdQjNhfU4DepjBzYVQSFta6aCwqEUD9yoL+9cXf8k7u8OYFmj83EGTGnz+rwViuK0C8YW41IoR59Zs8O9g4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted 
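Review bot: The nonfault probe inside the `while (remain > 0)` loop now sends `addr_i` through `adjust_addr` a second time: `addr_i` is already the result of `adjust_addr(env, base + ...)`, and `probe_pages` applies `adjust_addr(env, addr)` again before probing, whereas the removed line handed `addr_i` to `probe_access_flags` unchanged. That is harmless only if `adjust_addr` is idempotent, which the hunk does not show; a short comment at the call would record the assumption, for example `/* addr_i is already adjusted; probe_pages re-applies adjust_addr */`. The first-element call also passes `&host` although `flags` is NULL there and the pointer is therefore unused; `NULL` would say so directly. The loop body continues outside the hunk.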
sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619433243823.1858118792344; Tue, 12 May 2026 13:57:13 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu9B-0005Bd-LE; Tue, 12 May 2026 16:56:09 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu96-0004ut-SB; Tue, 12 May 2026 16:56:04 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu95-0003EL-AF; Tue, 12 May 2026 16:56:04 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 648AF1AA2DC; Tue, 12 May 2026 23:54:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 714E03ABC4D; Tue, 12 May 2026 23:54:38 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619274; bh=phYD1ymdhviZdzcK665WLEOKK7N0SohjRSvayT6fg8w=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=Mj1PruI2/FzynKLD11lzqnZ57L9iyIEVYQZkhnn8pLxTjUCnF+gaz3esM+fXdwRNw A8UeOMYNiK8UZm5I+ANQBQcGpBztITnWG9YyNU6WGmJIgcAl2kdyboUoVrGlVRvwvo Xt3rHVslD/KAowbIRPTMfky9P3EdvzpyXZnyLuIfrpepuMqghk9VZHjmdtR02uxIJF ol5aA5UWGDOloDscaiMSPxhue7PXUeeo2JkEUIq2UUAM4hvOqwoQniZdvCk/MTlp9+ zXuaUHcVvNujiW3AFOd0WeIaGLmbv5SPe0TQySLw9p9WnEA5JZ76hzo8ShYngvSKRQ pAuufjfoCfSdg== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Max Chou , Alistair Francis , Michael Tokarev Subject: [Stable-10.0.10 016/107] target/riscv: rvv: Fix missing flags merge in probe_pages for cross-page accesses Date: Tue, 12 May 2026 23:53:03 +0300 Message-ID: <20260512205437.360850-16-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619435935154100 Content-Type: text/plain; charset="utf-8" From: Max Chou When probe_pages probes a memory region that spans two pages, it calls probe_access_flags twice - once for each page. However, the flags from the second page probe were overwriting the flags from the first page instead of being merged together. Signed-off-by: Max Chou Reviewed-by: Alistair Francis Message-ID: <20260318013805.1920377-2-max.chou@sifive.com> Signed-off-by: Alistair Francis (cherry picked from commit 556817773849f7ed6709672759e406217261db97) Signed-off-by: Michael Tokarev 
diff --git a/target/riscv/vector_helper.c b/target/riscv/vector_helper.c index 73ec650c32..6489800416 100644 --- a/target/riscv/vector_helper.c +++ b/target/riscv/vector_helper.c @@ -139,9 +139,9 @@ static void probe_pages(CPURISCVState *env, target_ulon= g addr, target_ulong len, addr +=3D curlen; curlen =3D len - curlen; if (flags !=3D NULL) { - *flags =3D probe_access_flags(env, adjust_addr(env, addr), cur= len, - access_type, mmu_index, nonfault, - host, ra); + *flags |=3D probe_access_flags(env, adjust_addr(env, addr), cu= rlen, + access_type, mmu_index, nonfault, + host, ra); } else { probe_access(env, adjust_addr(env, addr), curlen, access_type, mmu_index, ra); 
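Review bot: With `*flags |= ...` the flags of both pages are merged, but `host` is still handed to the second `probe_access_flags` call and so ends up describing the second page rather than `addr`. A caller that sees `*flags == 0` after a cross-page probe and then uses `*host` as the base for direct access would presumably be working from the wrong mapping; whether any caller does that is outside this hunk. The function's header comment should state both results, e.g. `* On a cross-page range *flags is the OR of both probes and *host refers to the second page.` `probe_pages` starts above the hunk.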
@@ -149,7 +149,6 @@ static void probe_pages(CPURISCVState *env, target_ulon= g addr, target_ulong len, } } =20 - static inline void vext_set_elem_mask(void *v0, int index, uint8_t value) { --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619609; cv=none; d=zohomail.com; s=zohoarc; b=njmbST67Ld0XAgjgRVqCKApSzrndyS66qmtfb7tLrvq+DS9bt5BB7Vw1LipaTuJL3lW9snzc9Kbea9LaNJeGAujnz8B5UXG9sIffSp+l8p80oU8XE+oC6V+sa2LsEmBpKtJGN6gQ8X3uTfkMZgovACK8mJXGzwqs55cgYNvdvvU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619609; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=rLVqW1kYbAIbzVMsu6gmPRbyOdtXZZkS0wKsk2Ao9dc=; b=YNguqtNN9JsDX/sc1AUdflMrETdzzV+T1nQybsTEqZVqr2dXzwLVo5UWxuHBwwu7f4IypbTEQBNVqvBcrAYT2LGqcNcDKB5QJD48KQ1V7ngThqxZ0oBvHeZl92nvSl10G9jrj22cwzmJOMm9J10hL/0+QG07lVheA83Yb3cuxyo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619609802206.45540388184747; Tue, 12 May 2026 14:00:09 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu9D-0005J6-3p; Tue, 12 May 2026 16:56:11 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from 
) id 1wMu97-0004ve-SS; Tue, 12 May 2026 16:56:06 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu96-0003EV-8i; Tue, 12 May 2026 16:56:05 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 72AAB1AA2DD; Tue, 12 May 2026 23:54:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 7FBB33ABC4E; Tue, 12 May 2026 23:54:38 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619274; bh=NMkFYwibZSAnXyjUBzo7xcUvZcRHG4q5gOWZ0CoJuts=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=T2l3qikX+w4k0/sG1y/qSiOwQvGXHWa0nlPmyhGq2CZB+51PllxwRYHmaevijtsw4 gMq4UbUvIl8tKhpTuCnZFl3wd60AH4QuvpTp8VzysOua8l1RAPoHz1M24ceSSt914K 64k+iBq2YEIife6sD7fi6Q96ZDXaMadgkKhMbddPK7d+BMNlFbhb3Dt9SR52sbSt9R pPtEUr4WGylSK3hKDbAklfKC1EznsOuLnNSFIfeujoKdbntqG+e1DRDwpRziH7cylw fMIYF6iuIiCy9eIcTL2sclwFyBRuJntQIkQDfBIMBvvM5aC1gA46ejixesdx4JQOTy Y6Qy5k0bK4TaA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Max Chou , Alistair Francis , Michael Tokarev Subject: [Stable-10.0.10 017/107] target/riscv: rvv: Fix page probe issues in vext_ldff Date: Tue, 12 May 2026 23:53:04 +0300 Message-ID: <20260512205437.360850-17-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619610888158500 Content-Type: text/plain; charset="utf-8" 
From: Max Chou Commit 17288e38bebf ("optimize the memory probing for vector fault-only-first loads") introduced an optimization that moved from per-element probing to a fast-path broad probe. Unfortunately it introduced following bugs in cross-page handling: - Wrong condition for second page probing: checked "env->vl > elems" instead of "env->vl > elems + env->vstart", failing to account for the vstart offset. - Incorrect second page address calculation: used "addr + (elems << log2_esz)" instead of "addr + page_split". For segment loads (nf > 1), this would probe the wrong address,not at the page boundary. - Wrong second page probe size: used "elems * msize" (the first page size) instead of calculating the remaining size as "(env->vl - env->vstart) * msize - page_split". This would probe too little memory and could miss faults. This commit fixes these bugs by leveraging the probe_pages helper which automatically handles cross-page memory accesses correctly. Fixes: 17288e38bebf ("optimize the memory probing for vector fault-only-fir= st loads.") Signed-off-by: Max Chou Acked-by: Alistair Francis Message-ID: <20260318013805.1920377-3-max.chou@sifive.com> Signed-off-by: Alistair Francis (cherry picked from commit 0e8ad6a8460fe070ecdde4625e4ed6d791550e3d) Signed-off-by: Michael Tokarev diff --git a/target/riscv/vector_helper.c b/target/riscv/vector_helper.c index 6489800416..466fe4d10c 100644 --- a/target/riscv/vector_helper.c +++ b/target/riscv/vector_helper.c @@ -646,9 +646,9 @@ vext_ldff(void *vd, void *v0, target_ulong base, CPURIS= CVState *env, uint32_t esz =3D 1 << log2_esz; uint32_t msize =3D nf * esz; uint32_t vma =3D vext_vma(desc); - target_ulong addr, addr_probe, addr_i, offset, remain, page_split, ele= ms; + target_ulong addr, addr_i, offset, remain, page_split, elems; int mmu_index =3D riscv_env_mmu_index(env, false); - int flags, probe_flags; + int flags; void *host; =20 VSTART_CHECK_EARLY_EXIT(env, env->vl); 
@@ -662,16 +662,8 @@ vext_ldff(void *vd, void *v0, target_ulong base, CPURI= SCVState *env, } =20 /* Check page permission/pmp/watchpoint/etc. */ - probe_pages(env, addr, elems * msize, ra, MMU_DATA_LOAD, mmu_index, &h= ost, - &flags, true); - - /* If we are crossing a page check also the second page. */ - if (env->vl > elems) { - addr_probe =3D addr + (elems << log2_esz); - probe_pages(env, addr_probe, elems * msize, ra, MMU_DATA_LOAD, - mmu_index, &host, &probe_flags, true); - flags |=3D probe_flags; - } + probe_pages(env, addr, (env->vl - env->vstart) * msize, ra, MMU_DATA_L= OAD, + mmu_index, &host, &flags, true); =20 if (flags & ~TLB_WATCHPOINT) { /* probe every access */ --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619504; cv=none; d=zohomail.com; s=zohoarc; b=WklTBYg1LyE6ixwByRPVA6g7mcNPjg1TQi4VrmKQJgjY7hrk+SyZSXhg8JFLCbdqSNDknDJTZuRn3F8oZjP5MRwrl1af2DcEV2Ydx0XNpl+/k8+CZYoa+5GCU+t9g5xpeZ+n8L7kHoKSIoS/vIK+EQOYVIiDZuXkNr7G8f0OPGM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619504; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=x47sJl0fU61qTuzWatnc1xrQZB5LJARL1dwYHLvyTCQ=; b=gA1BjTexllYgnkolEDyCJABuQIBNM7vln3h8a96rAv2SEuNSz93cKeNCEckV5Cm56g8t3XaIxBHW3Z1hE2idrNMs5ZfBaVMrkjDb3DNQFnPVUXmCsOA66kVLY6TNSUR0rEP9VrkkXcaeNcitZD5CqwBMElUDZPc9X5kJGXQfYjU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) 
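Review bot: The single `probe_pages` call now covers `(env->vl - env->vstart) * msize` bytes, but `probe_pages` as shown earlier in this series issues at most two probes: one up to the page boundary and one for everything left over. If the requested length could ever exceed one page, the second probe would be asked to cover a range that itself crosses a page boundary. The bound presumably follows from the maximum vector length, which is not visible here, so it is worth recording next to the call, e.g. `g_assert((env->vl - env->vstart) * msize <= TARGET_PAGE_SIZE);` or a comment to that effect. `vext_ldff` begins and ends outside the hunk.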
smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619504841732.890455016378; Tue, 12 May 2026 13:58:24 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu9C-0005Hf-Tc; Tue, 12 May 2026 16:56:11 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu9A-000562-6g; Tue, 12 May 2026 16:56:08 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu98-0003Eq-93; Tue, 12 May 2026 16:56:07 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 8263B1AA2DE; Tue, 12 May 2026 23:54:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 8DCEA3ABC4F; Tue, 12 May 2026 23:54:38 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619274; bh=hHx/6MVcdTwYFjek/vYMKEkcpRNm8c9zWAEQmvWI/Dw=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=oOtrSvSwKolaP7KYovb/XMLzBS0McOB+T5zzHnv4E0HHJ9tpfWNeFZ5inteF7RRJn gpT0w6VUIHB62rFTY9Yjz6WfpM5J9gVs6iPHOtVvEuYMpNGhEs8QMGPcz9RpZH8gpT em35ZiaokWz8ML7dM+b0ZxrS0nMDk7oOSbQGGvIr38LXS67/Ed4Uuc7nXO6XET41Pq j9+QNeK01cNpGd2IzVcBd462jrz9/OJRp6MRD49BRqauJUnKYuZC/GMP2DBm2dZmBw WPbKv05c3qvUbKKAxG6lfmLgeseeahJu4wnkpGexiOcYRd8OBCKYclz0nf98d26Ys6 8L/2stK6tMx4A== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Paolo Bonzini , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.10 018/107] rust: suggest passing --locked to "cargo install" Date: Tue, 12 May 2026 23:53:05 +0300 Message-ID: <20260512205437.360850-18-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619506249158500 From: Paolo Bonzini Without the option, cargo will try using the latest version of the dependencies of bindgen-cli. While it will obviously respect the constraints in Cargo.toml, old versions of Cargo do not have version-constrained resolution and will choke on dependencies that need Rust 2024. Cc: Daniel P. Berrang=C3=A9 Cc: Peter Maydell Signed-off-by: Paolo Bonzini (cherry picked from commit 6257754bb9b00b52018951096a9fba28b98a5b0d) Signed-off-by: Michael Tokarev 
diff --git a/docs/about/build-platforms.rst b/docs/about/build-platforms.rst index 52521552c8..42787ac0b6 100644 --- a/docs/about/build-platforms.rst +++ b/docs/about/build-platforms.rst @@ -116,7 +116,7 @@ Rust build dependencies bindgen tool, which is too big to package and distribute. The minimum supported version of bindgen is 0.60.x. For distributions that do not include bindgen or have an older version, it is recommended to install - a newer version using ``cargo install bindgen-cli``. + a newer version using ``cargo install --locked bindgen-cli``. =20 Developers may want to use Cargo-based tools in the QEMU source tree; this requires Cargo 1.74.0. Note that Cargo is not required in order diff --git a/meson.build b/meson.build index 8ec796d835..327c1e19f8 100644 --- a/meson.build +++ b/meson.build @@ -109,7 +109,7 @@ if have_rust bindgen =3D find_program('bindgen', required: get_option('rust')) if not bindgen.found() or bindgen.version().version_compare('<0.60.0') if get_option('rust').enabled() - error('bindgen version ' + bindgen.version() + ' is unsupported. You= can install a new version with "cargo install bindgen-cli"') + error('bindgen version ' + bindgen.version() + ' is unsupported. You= can install a new version with "cargo install --locked bindgen-cli"') else if bindgen.found() warning('bindgen version ' + bindgen.version() + ' is unsupported,= disabling Rust compilation.') diff --git a/tests/docker/dockerfiles/fedora-rust-nightly.docker b/tests/do= cker/dockerfiles/fedora-rust-nightly.docker index fe4a6ed48d..cf16205ebf 100644 --- a/tests/docker/dockerfiles/fedora-rust-nightly.docker +++ b/tests/docker/dockerfiles/fedora-rust-nightly.docker 
@@ -172,7 +172,7 @@ RUN set -eux && \ test "$CARGO" =3D "$(/usr/local/cargo/bin/rustup +nightly which cargo)" = && \ test "$RUSTC" =3D "$(/usr/local/cargo/bin/rustup +nightly which rustc)" ENV PATH=3D$CARGO_HOME/bin:$PATH -RUN /usr/local/cargo/bin/rustup run nightly cargo install bindgen-cli +RUN /usr/local/cargo/bin/rustup run nightly cargo install --locked bindgen= -cli RUN $CARGO --list # As a final step configure the user (if env is defined) ARG USER diff --git a/tests/docker/dockerfiles/ubuntu2204.docker b/tests/docker/dock= erfiles/ubuntu2204.docker index 88ce4ef9a9..ace5a4b1ef 100644 --- a/tests/docker/dockerfiles/ubuntu2204.docker +++ b/tests/docker/dockerfiles/ubuntu2204.docker @@ -154,7 +154,7 @@ ENV CARGO_HOME=3D/usr/local/cargo ENV PATH=3D$CARGO_HOME/bin:$PATH RUN DEBIAN_FRONTEND=3Dnoninteractive eatmydata \ apt install -y --no-install-recommends cargo -RUN cargo install bindgen-cli +RUN cargo install --locked bindgen-cli # As a final step configure the user (if env is defined) ARG USER ARG UID diff --git a/tests/lcitool/refresh b/tests/lcitool/refresh index aa551aca9b..7f36a09450 100755 --- a/tests/lcitool/refresh +++ b/tests/lcitool/refresh @@ -137,7 +137,7 @@ fedora_rustup_nightly_extras =3D [ ' test "$CARGO" =3D "$(/usr/local/cargo/bin/rustup +nightly which car= go)" && \\\n', ' test "$RUSTC" =3D "$(/usr/local/cargo/bin/rustup +nightly which rus= tc)"\n', 'ENV PATH=3D$CARGO_HOME/bin:$PATH\n', - 'RUN /usr/local/cargo/bin/rustup run nightly cargo install bindgen-cli= \n', + 'RUN /usr/local/cargo/bin/rustup run nightly cargo install --locked bi= ndgen-cli\n', 'RUN $CARGO --list\n', ] =20 
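Review bot: `--locked` in `fedora_rustup_nightly_extras` pins the dependencies of bindgen-cli to the lock file published with it, but the bindgen-cli release itself stays unpinned, so every container build installs whatever version is newest at that moment. For reproducible images, and so that a new upstream release is adopted deliberately rather than implicitly, the line could also name the version, with PINNED_VERSION as a placeholder for the release the project has tested: `'RUN /usr/local/cargo/bin/rustup run nightly cargo install --locked --version PINNED_VERSION bindgen-cli\n',`. The same applies to `ubuntu2204_bindgen_extras` in the next hunk and to the two Dockerfiles in this patch, which carry the same commands.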
@@ -146,7 +146,7 @@ ubuntu2204_bindgen_extras =3D [ 'ENV PATH=3D$CARGO_HOME/bin:$PATH\n', "RUN DEBIAN_FRONTEND=3Dnoninteractive eatmydata \\\n", " apt install -y --no-install-recommends cargo\n", - 'RUN cargo install bindgen-cli\n', + 'RUN cargo install --locked bindgen-cli\n', ] =20 def cross_build(prefix, targets): --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619438; cv=none; d=zohomail.com; s=zohoarc; b=grz75Or2XDH8MWjRwZQk73TfPhvxdoyvrUPDituDdDRkEzm0w4Uh4nniM/TaZr6ZvfaIKId4O7TuJPJzkhlKUO1om4SmNoPaQEabknY1UOzMq0gi/yjOCk7TWW8rN9Q87imTEfEaZuT7O796s/7Y1ufas1yoRetQYhh3lQKgGgY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619438; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=Bc9I8Jfc4tgD9YRwTKtpDptehMRzfjJvlEY1umHZq/4=; b=YLZc4dJEFtY0yu5u6sRNjLOix1AqOlsnA584PE1dTAlKtd9ZfKLUprZ0PRHpyNsrYIUpBxDiueGQGTvCHxiuZxL8mnyxjU/Rr52RC7hgXCx4Sl3oQXnjfpkGWY77JNbUvJC84KKV5xJKRwoW+3t4+YxNQJPo+HHRoA+uce00Qfs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619438302418.2151681115381; Tue, 12 May 2026 13:57:18 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu9l-0006Et-VD; Tue, 12 May 2026 16:56:46 -0400 Received: 
from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu9e-0005xm-Kk; Tue, 12 May 2026 16:56:41 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu9T-0003F9-HY; Tue, 12 May 2026 16:56:38 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 921CD1AA2DF; Tue, 12 May 2026 23:54:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 9D5533ABC50; Tue, 12 May 2026 23:54:38 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619274; bh=x5d/ov7fvXOitaFw3cFSLSaJdEpXsNMjl5eajYDNe9M=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=gpfNUOKYKlkM1btUc1NZ/qCKQl/8Z2uzw5zNnKmgF+NoOmJra2HfWIvsS3zapfn7r 2CdI2lSsGFbabwJhUEXQ6e8R4540VFgS7pCTpAxICdpSSh34Jf3TKQiT9P/yd80E5U +7QBq8Pagb1qEFzn7LqP6oQlPXoNh6J1AIrBT/SxIwu4EmEO8kTxZymazgQfAKhZ6e iDNNdb5IxtDmatqkSmArfRTEe6dGYb5iroP4xqf8J8D8Yow6VdMuGT8DzJkJ3JYYYV IBVhbsQKmLbXZtqkttqFpvr6I2c5x9DCGYqAbXlZPmS2cvNDVkcvVbxcKWzVvv8fPY jIbGwGE2CUCmA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Jenny Guanni Qu , Peter Maydell , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.10 019/107] hw/usb/hcd-ohci: check for MPS=0 to avoid infinite loop Date: Tue, 12 May 2026 23:53:06 +0300 Message-ID: <20260512205437.360850-19-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619439794158500 From: Jenny Guanni Qu When a guest sets MaxPacketSize to 0 in an OHCI Endpoint Descriptor, ohci_service_td() transfers 0 bytes per iteration. The Transfer Descriptor never completes because CBP never advances toward BE, causing ohci_service_ed_list() to loop indefinitely and hang QEMU. Add a check for MPS=3D=3D0 after extracting the field from ED flags. If MPS is zero, call ohci_die() to reset the controller and return an error, preventing the infinite loop. Fixes: CVE-2026-3890 Reported-by: Jenny Guanni Qu 
Signed-off-by: Jenny Guanni Qu Reviewed-by: Peter Maydell Message-ID: <20260321000444.909451-1-qguanni@gmail.com> Signed-off-by: Philippe Mathieu-Daud=C3=A9 (cherry picked from commit 129922c2bc398b656a9180150e667f98fdf0d402) Signed-off-by: Michael Tokarev diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c index 71b54914d3..adf400a18a 100644 --- a/hw/usb/hcd-ohci.c +++ b/hw/usb/hcd-ohci.c 
@@ -956,6 +956,17 @@ static int ohci_service_td(OHCIState *ohci, struct ohc= i_ed *ed) if (len && dir !=3D OHCI_TD_DIR_IN) { /* The endpoint may not allow us to transfer it all now */ pktlen =3D (ed->flags & OHCI_ED_MPS_MASK) >> OHCI_ED_MPS_SHIFT; + /* + * The OHCI spec does not say what to do if the guest hands us + * an endpoint descriptor which specifies a MaximumPacketSize + * of zero, which would mean we can never actually make forward + * progress transferring data to it. We choose to treat it as + * an error. + */ + if (pktlen =3D=3D 0) { + ohci_die(ohci); + return 1; + } if (pktlen > len) { pktlen =3D len; } --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619420; cv=none; d=zohomail.com; s=zohoarc; b=CH+DuNdyIehAW8YnT9WRFQaey+Opr3FJlby0WvSMTke97hVJgTqCo4HxMKbCIZkCy5/GStgOMTWuVylyj8F1QmUMfgmL76cqsSuKnTT3Is996BpATL3taflaTITBxnwjzmOWuk3Wp/WSTHNwQK9ElIOLZZniABJ3wsAIWNa3lk4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619420; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=mip8+qUQX2pRoZLs1dJQ/5L4QTztm7FZgMAl5zCl1Fk=; b=maoxiBoopLNrWYgPoKV0F42Wa2+qxX6tC1Rh00PbIv9/c++CweIy0BYAEaPOkyU/NxbBnN8ZxDQX4ZY6wMfwUJBwo5uo1BhmWwJNz8OIk56TK8CYYgnvbvc802K2K9mdaO6fuOvIbAUYAgsrHG42q6QG5WclQAcTze/OJvXoBJ4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org 
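Review bot: The new `pktlen == 0` branch stops the controller on guest-supplied data without recording why, so a guest that trips it leaves only whatever generic trace `ohci_die()` emits. A guest-error log line before the call would make the condition diagnosable, for example `qemu_log_mask(LOG_GUEST_ERROR, "%s: ED MaximumPacketSize is 0\n", __func__);`, assuming `qemu/log.h` is already included in this file. The check also sits inside `if (len && dir != OHCI_TD_DIR_IN)`, so it covers only the non-IN directions; how `pktlen` is derived for IN transfers is outside the hunk and should be confirmed not to depend on MPS. `ohci_service_td` starts and ends outside the hunk.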
(lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619420171395.08107115081; Tue, 12 May 2026 13:57:00 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu9k-00067R-25; Tue, 12 May 2026 16:56:44 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu9e-0005xo-Mz; Tue, 12 May 2026 16:56:41 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu9V-0003Fc-Lb; Tue, 12 May 2026 16:56:38 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id A205F1AA2E0; Tue, 12 May 2026 23:54:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id AD6A93ABC51; Tue, 12 May 2026 23:54:38 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619274; bh=acKlxLEDYl/rGWwOoSEJZsTAkfqrcjA+SI0dYYGI7p0=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=fc32KqJOih4dtK8BKE4P1aG13PeVMl93n6LuFacM8Rot3hOEoKoetQzytKgKSFnlA 7yQiWgW0EF39tNdhhtT3RW/WgyyYbdhE4QYbtoiUey7nbfxbT2HjQYKia+gKoeECEn HXI8WF3mEYezBsX0bbXd7Vu2dRY/Nkjq1b6QyWW8gTrBq7kmn6qFJ1iQgMILG7+/0b 4B8RtBMKVhPWiql/ovwBOUXrSI9kOr/zKylqr8CkzighI5r+DRLMxL84y6VCWoaxS3 83o6zeX8354ScZSFf5O8RUXIp/Z/R7/b4SQi7CwBCnNgIRgdY3uVEmzdm93pY3hyNn vzXBL3G4Y6j/Q== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= , Jamin Lin , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.10 020/107] hw/net/ftgmac100: Improve DMA error handling Date: Tue, 12 May 2026 23:53:07 +0300 Message-ID: <20260512205437.360850-20-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619421684158500 
From: C=C3=A9dric Le Goater Currently, DMA memory operation errors in the ftgmac100 model are not all tested and this can lead to a guest-triggerable denial of service as described in https://gitlab.com/qemu-project/qemu/-/work_items/3335. To fix this, check the return value of ftgmac100_write_bd() in the TX path and exit the TX loop on error to prevent further processing. In the event of a DMA error, also set FTGMAC100_INT_AHB_ERR interrupt flag as appropriate. The FTGMAC100_INT_AHB_ERR interrupt status bit only applies to the AST2400 SoC; on newer Aspeed SoCs, it is a reserved bit. Nevertheless, since it is supported by the Linux driver and it should be safe to use in the QEMU implementation across all SoCs. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3335 Signed-off-by: C=C3=A9dric Le Goater Reviewed-by: Jamin Lin Reviewed-by: Philippe Mathieu-Daud=C3=A9 Message-ID: <20260322215732.387383-3-clg@redhat.com> Signed-off-by: Philippe Mathieu-Daud=C3=A9 (cherry picked from commit fa4a759fc1e19b2185becfadb00c6d8e57462849) Signed-off-by: Michael Tokarev diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c index 1f524d7a01..abfb47a824 100644 --- a/hw/net/ftgmac100.c +++ b/hw/net/ftgmac100.c @@ -624,7 +624,10 @@ static void ftgmac100_do_tx(FTGMAC100State *s, uint64_= t tx_ring, bd.des0 &=3D ~FTGMAC100_TXDES0_TXDMA_OWN; =20 /* Write back the modified descriptor. */ - ftgmac100_write_bd(&bd, addr); + if (ftgmac100_write_bd(&bd, addr)) { + s->isr |=3D FTGMAC100_INT_AHB_ERR; + break; + } /* Advance to the next descriptor. */ if (bd.des0 & s->txdes0_edotr) { addr =3D tx_ring; 
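Review bot: The new error branch in `ftgmac100_do_tx` sets `FTGMAC100_INT_AHB_ERR` without noting in the code that the bit is only defined on the AST2400 and reserved on later Aspeed SoCs, which only the commit message explains; a one-line comment above `s->isr |= FTGMAC100_INT_AHB_ERR;` would keep that next to the code, e.g. `/* AHB_ERR is defined on AST2400 only; reserved on newer SoCs, set anyway */`. The same applies to the identical branch added to `ftgmac100_receive` in the next hunk. Both branches `break` out of loops whose tail is outside the hunks, so it should be confirmed that the code after each loop still re-evaluates the interrupt line; otherwise the newly set status bit is not delivered to the guest. In `ftgmac100_receive` the value returned after the early exit is also not visible here.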
@@ -1134,7 +1137,10 @@ static ssize_t ftgmac100_receive(NetClientState *nc,= const uint8_t *buf, bd.des0 |=3D flags | FTGMAC100_RXDES0_LRS; s->isr |=3D FTGMAC100_INT_RPKT_BUF; } - ftgmac100_write_bd(&bd, addr); + if (ftgmac100_write_bd(&bd, addr)) { + s->isr |=3D FTGMAC100_INT_AHB_ERR; + break; + } if (bd.des0 & s->rxdes0_edorr) { addr =3D s->rx_ring; } else { --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619419; cv=none; d=zohomail.com; s=zohoarc; b=gRfZSH2puZNmr330Bd2eqQkbDQYviGI6hkZ7OHQ2Hz9/PP5tE3DVF9OlnKv9d6kATxhyBFc5hqaHHt3jW6gS01MVXgGnExEKIUrQ09s5ro9H5nxvYpcjgpZBlCA52rE5HKpyup+fFF2QdDk1ebctSAwYoa4FbfyFqz7CohJkPr0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619419; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=OKMInOfsAnpHJ5RFoC9zgk/0wQO53HDD6i4iNeN0un8=; b=CslXNG6tEbIB3NcyPrBUkT1AwlP/4e7SQFYSCHVTfBzXKaDvOfL1V4G/zpL2DJ6Em99nk/WXCijl8KVeihkdchDzRMwQywxBRF49x2p1c0JA6pBBHRCOMfrz2phJ8m1e8JZBai0fcCNiUwtr8UCk0qAepbSYmAAJMIUInyWKW6Y= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619419634171.74961442249923; Tue, 12 May 2026 13:56:59 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 
1wMu9n-0006MG-M5; Tue, 12 May 2026 16:56:47 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu9l-0006DD-2R; Tue, 12 May 2026 16:56:45 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu9i-0003SG-HI; Tue, 12 May 2026 16:56:44 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id AF8501AA2E1; Tue, 12 May 2026 23:54:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id BC2D43ABC52; Tue, 12 May 2026 23:54:38 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619274; bh=JWSIGopsTg74D630j7pITK+QLGjVKq8rwPYDSMe/ysc=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=goldvgpW9Ie35dcils+rnNw+vbWmV8zp5J5YI+hob7t9VeyO/heizsbSzEK+2UMsy IRW+G32haqcSRGKSCHof1wDEX8FgcYCgdGT5G/HZHnRcBCHqdmpYStKpiS8gRixdhe fxI/nT8jDxhAKfTl0/dHA+oHe/q7FYqdpQvzwi2SMKT52mR0B+/ckCx9KQM32pXgop tvzHAdtxAE5TkV8zQ30K/8+7VNTVI088x0kESN2pAUEuwzuQygeVGKSEZJg85BnSaO d54LRqs7SD4mjDrK8Dj1v5gnT3yE6Ggkj5v3m7T4abJVXECT7Qh0PFsTLEQYNbZNHt 4vnFnlSdAMdQw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= , Jamin Lin , Michael Tokarev Subject: [Stable-10.0.10 021/107] hw/ssi/aspeed_smc: Convert mem ops to read/write_with_attrs for error handling Date: Tue, 12 May 2026 23:53:08 +0300 Message-ID: <20260512205437.360850-21-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619422079154100 From: C=C3=A9dric Le Goater Error conditions (invalid flash mode, unwritable flash) now return MEMTX_ERROR instead of silently succeeding or returning undefined values. This allows the memory subsystem to properly propagate transaction errors to the guest, improving QEMU reliability. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3335 Reviewed-by: Jamin Lin Link: https://lore.kernel.org/qemu-devel/20260323125545.577653-2-clg@redhat= .com 
Signed-off-by: C=C3=A9dric Le Goater (cherry picked from commit 80c5be945877ea3f258679c6042df8f0efd77202) Signed-off-by: Michael Tokarev diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c index b4a17a52a3..edb83716ed 100644 --- a/hw/ssi/aspeed_smc.c +++ b/hw/ssi/aspeed_smc.c @@ -493,17 +493,18 @@ static void aspeed_smc_flash_setup(AspeedSMCFlash *fl= , uint32_t addr) } } =20 -static uint64_t aspeed_smc_flash_read(void *opaque, hwaddr addr, unsigned = size) +static MemTxResult aspeed_smc_flash_read(void *opaque, hwaddr addr, + uint64_t *data, unsigned size, MemTxAttrs= attrs) { AspeedSMCFlash *fl =3D opaque; AspeedSMCState *s =3D fl->controller; - uint64_t ret =3D 0; int i; =20 + *data =3D 0; switch (aspeed_smc_flash_mode(fl)) { case CTRL_USERMODE: for (i =3D 0; i < size; i++) { - ret |=3D (uint64_t) ssi_transfer(s->spi, 0x0) << (8 * i); + *data |=3D (uint64_t) ssi_transfer(s->spi, 0x0) << (8 * i); } break; case CTRL_READMODE: @@ -512,18 +513,19 @@ static uint64_t aspeed_smc_flash_read(void *opaque, h= waddr addr, unsigned size) aspeed_smc_flash_setup(fl, addr); =20 for (i =3D 0; i < size; i++) { - ret |=3D (uint64_t) ssi_transfer(s->spi, 0x0) << (8 * i); + *data |=3D (uint64_t) ssi_transfer(s->spi, 0x0) << (8 * i); } =20 aspeed_smc_flash_unselect(fl); break; default: aspeed_smc_error("invalid flash mode %d", aspeed_smc_flash_mode(fl= )); + return MEMTX_ERROR; } =20 - trace_aspeed_smc_flash_read(fl->cs, addr, size, ret, + trace_aspeed_smc_flash_read(fl->cs, addr, size, *data, aspeed_smc_flash_mode(fl)); - return ret; + return MEMTX_OK; } =20 /* @@ -624,8 +626,8 @@ static bool aspeed_smc_do_snoop(AspeedSMCFlash *fl, ui= nt64_t data, return false; } =20 -static void aspeed_smc_flash_write(void *opaque, hwaddr addr, uint64_t dat= a, - unsigned size) +static MemTxResult aspeed_smc_flash_write(void *opaque, hwaddr addr, + uint64_t data, unsigned size, MemTxAttr= s attrs) { AspeedSMCFlash *fl =3D opaque; AspeedSMCState *s =3D fl->controller; 
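Review bot: Returning MEMTX_ERROR from the `default:` branch of aspeed_smc_flash_read() is a guest-visible behaviour change that the code does not document: an access that previously completed and read back 0 can now be reported as a failed transaction. The same holds for the not-writable and invalid-mode returns added to aspeed_smc_flash_write() in the later hunks. Whether the real controller signals a bus error in these states is not shown on this page, so for a stable backport the intent should be stated at each return, e.g. `/* Report the access as failed so the memory core can signal a transaction error to the guest. */`. On the positive side, `*data` is zeroed before the switch, so the error path never leaves the output unset.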
@@ -636,7 +638,7 @@ static void aspeed_smc_flash_write(void *opaque, hwaddr= addr, uint64_t data, =20 if (!aspeed_smc_is_writable(fl)) { aspeed_smc_error("flash is not writable at 0x%" HWADDR_PRIx, addr); - return; + return MEMTX_ERROR; } =20 switch (aspeed_smc_flash_mode(fl)) { @@ -661,12 +663,15 @@ static void aspeed_smc_flash_write(void *opaque, hwad= dr addr, uint64_t data, break; default: aspeed_smc_error("invalid flash mode %d", aspeed_smc_flash_mode(fl= )); + return MEMTX_ERROR; } + + return MEMTX_OK; } =20 static const MemoryRegionOps aspeed_smc_flash_ops =3D { - .read =3D aspeed_smc_flash_read, - .write =3D aspeed_smc_flash_write, + .read_with_attrs =3D aspeed_smc_flash_read, + .write_with_attrs =3D aspeed_smc_flash_write, .endianness =3D DEVICE_LITTLE_ENDIAN, .valid =3D { .min_access_size =3D 1, @@ -754,7 +759,8 @@ static void aspeed_smc_reset(DeviceState *d) s->snoop_dummies =3D 0; } =20 -static uint64_t aspeed_smc_read(void *opaque, hwaddr addr, unsigned int si= ze) +static MemTxResult aspeed_smc_read(void *opaque, hwaddr addr, uint64_t *da= ta, + unsigned int size, MemTxAttrs attrs) { AspeedSMCState *s =3D ASPEED_SMC(opaque); AspeedSMCClass *asc =3D ASPEED_SMC_GET_CLASS(opaque); @@ -782,12 +788,13 @@ static uint64_t aspeed_smc_read(void *opaque, hwaddr = addr, unsigned int size) =20 trace_aspeed_smc_read(addr << 2, size, s->regs[addr]); =20 - return s->regs[addr]; + *data =3D s->regs[addr]; } else { qemu_log_mask(LOG_UNIMP, "%s: not implemented: 0x%" HWADDR_PRIx "\= n", __func__, addr); - return -1; + *data =3D -1; } + return MEMTX_OK; } =20 static uint8_t aspeed_smc_hclk_divisor(uint8_t hclk_mask) 
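Review bot: In aspeed_smc_read() the unimplemented-register branch stores `-1` into the `uint64_t` output and still returns MEMTX_OK, which now sits oddly next to the flash handlers that return MEMTX_ERROR for invalid states. If succeeding here is the intent, say so with a comment such as `/* Unimplemented registers read as all-ones and do not fault the guest. */`. Writing `*data = UINT64_MAX;` would also state the value without relying on the signed-to-unsigned conversion. The function body starts outside the hunk.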
@@ -1108,8 +1115,8 @@ static void aspeed_2600_smc_dma_ctrl(AspeedSMCState *= s, uint32_t dma_ctrl) s->regs[R_DMA_CTRL] &=3D ~(DMA_CTRL_REQUEST | DMA_CTRL_GRANT); } =20 -static void aspeed_smc_write(void *opaque, hwaddr addr, uint64_t data, - unsigned int size) +static MemTxResult aspeed_smc_write(void *opaque, hwaddr addr, uint64_t da= ta, + unsigned int size, MemTxAttrs attrs) { AspeedSMCState *s =3D ASPEED_SMC(opaque); AspeedSMCClass *asc =3D ASPEED_SMC_GET_CLASS(s); @@ -1159,13 +1166,13 @@ static void aspeed_smc_write(void *opaque, hwaddr a= ddr, uint64_t data, } else { qemu_log_mask(LOG_UNIMP, "%s: not implemented: 0x%" HWADDR_PRIx "\= n", __func__, addr); - return; } + return MEMTX_OK; } =20 static const MemoryRegionOps aspeed_smc_ops =3D { - .read =3D aspeed_smc_read, - .write =3D aspeed_smc_write, + .read_with_attrs =3D aspeed_smc_read, + .write_with_attrs =3D aspeed_smc_write, .endianness =3D DEVICE_LITTLE_ENDIAN, }; =20 
@@ -2007,8 +2014,8 @@ static const uint32_t aspeed_2700_fmc_resets[ASPEED_S= MC_R_MAX] =3D { }; =20 static const MemoryRegionOps aspeed_2700_smc_flash_ops =3D { - .read =3D aspeed_smc_flash_read, - .write =3D aspeed_smc_flash_write, + .read_with_attrs =3D aspeed_smc_flash_read, + .write_with_attrs =3D aspeed_smc_flash_write, .endianness =3D DEVICE_LITTLE_ENDIAN, .valid =3D { .min_access_size =3D 1, --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619451; cv=none; d=zohomail.com; s=zohoarc; b=NJuOPyEnp0v6RIZul3DcP1Tz7u2t84eyB3hIFVgmqA+TZYeYLRd57o3vlsg6ns/W8N6EocQSxdBG78tcOR5fFyjLG3mCvt9y1ZWytrIrCcQWm65e/DphhIxKoIpDDmpnWc8TYjTUv4S0RdSTTu5Q6CPgyHb01uMPrj/zg1CvYBA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619451; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=I3SHe2j6sgEQYoPdYruzPiYIXgK96Js6nEhg4JXSQIg=; b=Ln7HxVcSGv9UeoTjYEQLHiI9OlTiKJTo+waF592bsSzcYd93i0txMI8beZqgrDsjXRApjbUZploEiXgrLxhYZYT3ab3LgUd/V0NPnACfOjk0sFeTMA42WUOV9n7DEt+kEgLge+PNPDZh/XAUc94ZYeqdEzPBtRwMrACAWgQNKuM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 177861945114063.36156545831318; Tue, 12 May 2026 13:57:31 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) 
(envelope-from ) id 1wMu9m-0006Gx-NQ; Tue, 12 May 2026 16:56:47 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu9k-0006Cy-V4; Tue, 12 May 2026 16:56:45 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu9j-0003SJ-15; Tue, 12 May 2026 16:56:44 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id BCC851AA2E2; Tue, 12 May 2026 23:54:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id CA1173ABC53; Tue, 12 May 2026 23:54:38 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619274; bh=CFdcyFhJMpa4dPXVqM5/4n6Qp9NEAF+U6RtvdELjvEU=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=amcNs4CjlzARV1jwEhz2NItEazlsTtVPoTjQd5Sd9SWoD3IuFeC63YwWHHis+6CyJ WmGroWqOltyHvVX3Z3sfTkYMr5Nt6owUhwTp5I3GVaySMVSIi91TdJzsZnhqT4gtuW nih8kpMm8JIzCkyI8Vb+9/pSYeeuwCYkdfFxitxJZeLvFhJjZ1rugDPK5LDX6p8fS6 oj6GTL7Fbwuplos0uncdcEXKQsXak6POQ88zekPlgEfnZOXfOvA8kstSFBDIt//3Fl SJ7mYNsmvV7cFXIPdkrBvnFT87kBY61N0e9aOmIuIcQZYVI2rK5RwRDHOX6nivhFDZ rBWIFJcfsC3fQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , Richard Henderson , Michael Tokarev Subject: [Stable-10.0.10 022/107] linux-user/i386/signal.c: Correct definition of target_fpstate_32 Date: Tue, 12 May 2026 23:53:09 +0300 Message-ID: <20260512205437.360850-22-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619452243154100 Content-Type: text/plain; charset="utf-8" 
From: Peter Maydell Our definition of the target_fpstate_32 struct doesn't match the kernel's version. We only use this struct definition in the definition of 'struct sigframe', where it is used in a field that is present only for legacy reasons to retain the offset of the following 'extramask' field. So really all that matters is its length, and we do get that right; but our previous definition using X86LegacySaveArea implicitly added an extra alignment constraint (because X86LegacySaveArea is tagged as 16-aligned) which the real target_fpstate_32 does not have. Because we allocate and use a 'struct sigframe' on the guest's stack with the guest's alignment requirements, this resulted in the undefined-behaviour sanitizer complaining during 'make check-tcg' for i386-linux-user: ../../linux-user/i386/signal.c:471:35: runtime error: member access within = misaligned address 0x1000c07f75ec for type 'struct sigframe', which require= s 16 byte alignment 0x1000c07f75ec: note: pointer points here 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00= 00 00 00 00 00 00 00 00 ^ ../../linux-user/i386/signal.c:808:5: runtime error: member access within m= isaligned address 0x1000c07f75f4 for type 'struct target_sigcontext_32', wh= ich requires 8 byte alignment 0x1000c07f75f4: note: pointer points here 0a 00 00 00 33 00 00 00 00 00 00 00 2b 00 00 00 2b 00 00 00 40 05 80 40= f4 7f 10 08 58 05 80 40 ^ and various similar errors. Replace the use of X86LegacyXSaveArea with a set of fields that match the kernel _fpstate_32 struct, and assert that the length is correct. We could equally have used uint8_t legacy_area[512]; but following the kernel is probably less confusing overall. Since in target/i386/cpu.h we assert that X86LegacySaveArea is 512 bytes, and in linux-user/i386/signal.c we assert that target_fregs_state is (32 + 80) bytes, the new assertion confirms that we didn't change the size of target_fpstate_32 here, only its alignment requirements. 
Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson Message-id: 20260305161739.1775232-1-peter.maydell@linaro.org (cherry picked from commit 0376e9c2dd1f46dd779ebc85f40f7a8cfa46ed6f) Signed-off-by: Michael Tokarev diff --git a/linux-user/i386/signal.c b/linux-user/i386/signal.c index 0f11dba831..b646fde431 100644 --- a/linux-user/i386/signal.c +++ b/linux-user/i386/signal.c 
@@ -60,10 +60,33 @@ struct target_fpx_sw_bytes { }; QEMU_BUILD_BUG_ON(sizeof(struct target_fpx_sw_bytes) !=3D 12*4); =20 +struct fpxreg { + uint16_t significand[4]; + uint16_t exponent; + uint16_t padding[3]; +}; + +struct xmmreg { + uint32_t element[4]; +}; + +/* + * This corresponds to the kernel's _fpstate_32. Since we + * only use it for the fpstate_unused padding section in + * the target sigcontext, it doesn't actually matter what fields + * we define here as long as we get the size right. + */ struct target_fpstate_32 { struct target_fregs_state fpstate; - X86LegacyXSaveArea fxstate; + uint32_t fxsr_env[6]; + uint32_t mxcsr; + uint32_t reserved; + struct fpxreg fxsr_st[8]; + struct xmmreg xmm[8]; + uint32_t padding1[44]; + uint32_t padding2[12]; /* aka sw_reserved */ }; +QEMU_BUILD_BUG_ON(sizeof(struct target_fpstate_32) !=3D 32 + 80 + 512); =20 struct target_sigcontext_32 { uint16_t gs, __gsh; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619474; cv=none; d=zohomail.com; s=zohoarc; b=DQYRAgI+QJFnZBF3YA6q2cv99TDWOXlkCqgIzfGvK4Mset9AcQZ+4PtFBbJ6uyAXzj9hcTZNWGGgJqglIknFCekba855SqSuBmewqCbgFjYpW+UdiJKvZLQHr+v6kfP38jXCt9DtALc2FfH19ASIr1mBHlpU3j87//t3j+cs12E= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619474; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=0e0gx9jCJBFaRdZQ72OPk6MpXB+HY/r5HBWj1CExRKI=; 
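Review bot: The added QEMU_BUILD_BUG_ON pins only the size of struct target_fpstate_32, while the bug being fixed was an alignment requirement inherited from the old member type, so nothing here stops a later edit from reintroducing it. A second build-time check would cover that, e.g. `QEMU_BUILD_BUG_ON(__alignof__(struct target_fpstate_32) > 4);`, assuming struct target_fregs_state (defined outside the hunk) has no member stricter than uint32_t. The helper structs `fpxreg` and `xmmreg` also lack the `target_` prefix used by the neighbouring `target_fpx_sw_bytes` and `target_fregs_state`; prefixing them would be more consistent.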
b=LoZLxJq+0ldyVjymjTewj5xHlXjlLTIbyqAINiXjaEkmX2WbOA5f/YC/wKTbQv7XEAYtx8WLfdK/aRYogwvjnHE/1h3UvGWjJeomcAaJAJTFAJxbhEbuA4XY4NVRmwMrbkA7CZovXe/WVWLR6x9WbIBqIl9m8YgVcOViijXngmI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619474403569.9081309725874; Tue, 12 May 2026 13:57:54 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu9q-0006Zu-OM; Tue, 12 May 2026 16:56:50 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu9o-0006Qg-PH; Tue, 12 May 2026 16:56:48 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu9m-0003T4-Kb; Tue, 12 May 2026 16:56:48 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id C9F8A1AA2E3; Tue, 12 May 2026 23:54:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id D7BE23ABC54; Tue, 12 May 2026 23:54:38 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619274; bh=S3KM7cORLEfFPxMRKe5a5pD8crq0Nnzzn+cbI8BdE6c=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=cXGGzJcCZRFNKN0/g8eUU1xwvY7OqipZkj17Q1cM3R8ajsQOnn1dpdTtZjcVvN1vn Wf1OPVa7qg7CnRt256y6RlpC+kesEyjQINs9ZuCezJxfjlQ+SBagnKP2/jLTyYp1RC ozO5CLhRdM7K4ujQxO/5jKbtlks3mfKt6n/w0jlVwaAffYxO70TUmK/wHrLqW8A6wP BMwxq0gbBQ67SAAKh3oVOJH/tVXxZ2kS9jfWpR8t/EZ8b9Uk5dA8ryY5drf5fb6anh 
sBaEHBSJJjOsxIuLxyUA47YRyeM2xsmNX0c31qgXEZV5NrC1UXfP7kdmMfKsYlGQ/Q z8fsDD+r2THQg== From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Tao Ding , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.10 023/107] hw/dma/pl080: Fix transfer logic in PL080 Date: Tue, 12 May 2026 23:53:10 +0300 Message-ID: <20260512205437.360850-23-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619476687154100 Content-Type: text/plain; charset="utf-8" 
From: Tao Ding The logic in the PL080 for transferring data has multiple bugs: * The TransferSize field in the channel control register counts in units of the source width; because our loop may do multiple source loads if the destination width is greater than the source width, we need to decrement it by (xsize / swidth), not by 1, each loop * It is documented in the TRM that it is a software error to program the source and destination width such that SWidth < DWidth and TransferSize * SWidth is not a multiple of DWidth. (This would mean that there isn't enough data to do a full final destination write.) We weren't doing anything sensible with this case. The TRM doesn't document what the hardware actually does (though it drops some hints that suggest that it probably over-reads from the source). * In the loop to write to the destination, each loop adds swidth to ch->dest for each loop and also uses (ch->dest + n) as the destination address. This moves the destination address on further than we should each time round the loop, and also is incrementing ch->dest by swidth when it should be dwidth. This patch fixes these problems: * decrement TransferSize by the correct amount * log and ignore the transfer size mismatch case * correct the loop logic for the destination writes A repro case which exercises some of this is as follows. It configures swidth to 1 byte, dwidth to 4 bytes, and transfer size 4, for a transfer from 0x00000000 to 0x000010000. 
Examining the destination memory in the QEMU monitor should show that the source data 0x44332211 has all been copied, but before this fix it is not: ./qemu-system-arm -M versatilepb -m 128M -nographic -S \ -device loader,addr=3D0x00000000,data=3D0x44332211,data-len=3D4 \ -device loader,addr=3D0x00001000,data=3D0x00000000,data-len=3D4 \ -device loader,addr=3D0x10130030,data=3D0x00000001,data-len=3D4 \ -device loader,addr=3D0x10130100,data=3D0x00000000,data-len=3D4 \ -device loader,addr=3D0x10130104,data=3D0x00001000,data-len=3D4 \ -device loader,addr=3D0x10130108,data=3D0x00000000,data-len=3D4 \ -device loader,addr=3D0x1013010C,data=3D0x9e47f004,data-len=3D4 \ -device loader,addr=3D0x10130110,data=3D0x0000c001,data-len=3D4 Without this patch the QEMU monitor shows: (qemu) xp /1wx 0x00001000 00001000: 0x00002211 Correct result: (qemu) xp /1wx 0x00001000 00001000: 0x44332211 Cc: qemu-stable@nongnu.org Suggested-by: Peter Maydell Signed-off-by: Tao Ding [PMM: Wrote up what we are fixing in the commit message] Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell (cherry picked from commit 5a2fa06b0957adad46ba1abe923bca04aad9a4d2) Signed-off-by: Michael Tokarev diff --git a/hw/dma/pl080.c b/hw/dma/pl080.c index 8b97cbb425..1eef71cb86 100644 --- a/hw/dma/pl080.c +++ b/hw/dma/pl080.c 
@@ -179,23 +179,28 @@ again: c, extract32(ch->ctrl, 21, 3)); continue; } - - for (n =3D 0; n < dwidth; n+=3D swidth) { + if ((size * swidth) % dwidth) { + qemu_log_mask(LOG_GUEST_ERROR, + "pl080: channel %d: transfer size mismatch: size=3D%d = swidth=3D%d dwidth=3D%d\n", + c, size, swidth, dwidth); + continue; + } + xsize =3D MAX(swidth, dwidth); + for (n =3D 0; n < xsize; n +=3D swidth) { address_space_read(&s->downstream_as, ch->src, MEMTXATTRS_UNSPECIFIED, buff + n, swidt= h); if (ch->ctrl & PL080_CCTRL_SI) ch->src +=3D swidth; } - xsize =3D (dwidth < swidth) ? swidth : dwidth; /* ??? This may pad the value incorrectly for dwidth < 32. */ for (n =3D 0; n < xsize; n +=3D dwidth) { - address_space_write(&s->downstream_as, ch->dest + n, + address_space_write(&s->downstream_as, ch->dest, MEMTXATTRS_UNSPECIFIED, buff + n, dwid= th); if (ch->ctrl & PL080_CCTRL_DI) - ch->dest +=3D swidth; + ch->dest +=3D dwidth; } =20 - size--; + size -=3D xsize / swidth; ch->ctrl =3D (ch->ctrl & 0xfffff000) | size; if (size =3D=3D 0) { /* Transfer complete. 
*/ --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619451; cv=none; d=zohomail.com; s=zohoarc; b=DjbSlZWZuQMjhpwDSFWmQtUTVXjgGZh6vRURmnkVXva768+2SIgbX5mvYj3pozQjnovTX12AohF8vwQ2rGHm2xGt1sVc3KdSuE0umMB1784Q/L98FFFxAHLqK05fN9T2PKNfgt1LWjXUi9Yuu1nb0vJUobvWZaEoXVfHH6DIRhg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619451; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=hTRDdO4mHv7isowY9YDAfygUN01Rx5lV0Dc726KQ5l0=; b=N8g+OydirCjCaasAKdzTst4QF4YLp6nDocCFvaLbMN+3aY1NLtNGIkVAzRUu1OPaQakwWdgOyifjMDj0LzYjkyjOtAR3ewBB8Feb4zC6giI68DFL/kG5hXCXXHeZuBu8B6ltPDL6BWUIAjQ5zJkSc4P2Zrs1DyfgAuDeyE6Z3mQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619451232119.82621815917923; Tue, 12 May 2026 13:57:31 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu9q-0006aI-ND; Tue, 12 May 2026 16:56:50 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu9o-0006QK-LH; Tue, 12 May 2026 16:56:48 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 
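Review bot: The results of address_space_read() and address_space_write() in both loops are still discarded, so a failed source read leaves `buff + n` holding whatever was there before and the second loop then writes those bytes to the guest's destination. If `buff` is a local that is not cleared per transfer (its declaration, like the rest of the enclosing function, is outside the hunk), that can expose stale emulator data to the guest. Each call should be compared against `MEMTX_OK` and the channel's transfer abandoned on failure, ideally raising the controller's error interrupt, instead of continuing. Separately, `size -= xsize / swidth;` followed by the unmasked `| size` would write a negative value into the control word if `size` can be 0 on entry. A guard for that case, or `(size & 0xfff)`, looks worth adding once the code that loads `size` has been checked.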
4.90_1) (envelope-from ) id 1wMu9m-0003T7-Mo; Tue, 12 May 2026 16:56:48 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id D8B3C1AA2E4; Tue, 12 May 2026 23:54:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id E54083ABC55; Tue, 12 May 2026 23:54:38 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619274; bh=USCV4JnZ/NSimDWsipGs3+8OvCXM93pU8zel/dbALAM=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=idrms0dH7ll4LHC91a1ynLTtOnhmiTN/KpSsrPubKp3gcdTlSSA9uFNn0e9us9ayG R7sXK/JEHdSwRgDZO2SuZQQNiwBwaUJ5KZsJSSxB2graI4oP70KSEn0ZBtUHk0PJWv SZSieuX5ReQrw1EmvzLMlffCWkF6h0eRTJQ+6aKwcL7om5uJbxnfZTGjbtA5gx4r60 fSnCc52StoN5BzOVq4psBCHLr3u0BDbK/GS1Ng3cYKXafXIt1eoEcVh2xr+dLaiGSv 7a4sdp5YsvuG3AdnfswUdu+u+IUVln7Qe5tn+nADLMMOV3tXEgQWTIcoUCkKb+9ZDy /NKhXVLbcoNmw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Hanna Czenczek , Kevin Wolf , Michael Tokarev Subject: [Stable-10.0.10 024/107] linux-aio: Put all parameters into qemu_laiocb Date: Tue, 12 May 2026 23:53:11 +0300 Message-ID: <20260512205437.360850-24-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619452228154100 Content-Type: text/plain; charset="utf-8" From: Hanna Czenczek Put all request parameters into the qemu_laiocb struct, which will allow re-submitting the tail of short reads/writes. Reviewed-by: Kevin Wolf Signed-off-by: Hanna Czenczek Message-ID: <20260324084338.37453-2-hreitz@redhat.com> Signed-off-by: Kevin Wolf (cherry picked from commit cc03b62df47a09c507e199cc043f57bdc941cc67) Signed-off-by: Michael Tokarev diff --git a/block/linux-aio.c b/block/linux-aio.c index 407369f5c9..a315eb746c 100644 --- a/block/linux-aio.c +++ b/block/linux-aio.c 
@@ -41,9 +41,15 @@ struct qemu_laiocb { LinuxAioState *ctx; struct iocb iocb; ssize_t ret; + off_t offset; size_t nbytes; QEMUIOVector *qiov; - bool is_read; + + int fd; + int type; + BdrvRequestFlags flags; + + uint64_t dev_max_batch; QSIMPLEQ_ENTRY(qemu_laiocb) next; }; =20 @@ -87,7 +93,7 @@ static void qemu_laio_process_completion(struct qemu_laio= cb *laiocb) ret =3D 0; } else if (ret >=3D 0) { /* Short reads mean EOF, pad with zeros. */ - if (laiocb->is_read) { + if (laiocb->type =3D=3D QEMU_AIO_READ) { qemu_iovec_memset(laiocb->qiov, ret, 0, laiocb->qiov->size - ret); } else { @@ -367,23 +373,23 @@ static void laio_deferred_fn(void *opaque) } } =20 -static int laio_do_submit(int fd, struct qemu_laiocb *laiocb, off_t offset, - int type, BdrvRequestFlags flags, - uint64_t dev_max_batch) +static int laio_do_submit(struct qemu_laiocb *laiocb) { LinuxAioState *s =3D laiocb->ctx; struct iocb *iocbs =3D &laiocb->iocb; QEMUIOVector *qiov =3D laiocb->qiov; + int fd =3D laiocb->fd; + off_t offset =3D laiocb->offset; =20 - switch (type) { + switch (laiocb->type) { case QEMU_AIO_WRITE: #ifdef HAVE_IO_PREP_PWRITEV2 { - int laio_flags =3D (flags & BDRV_REQ_FUA) ? RWF_DSYNC : 0; + int laio_flags =3D (laiocb->flags & BDRV_REQ_FUA) ? RWF_DSYNC : 0; io_prep_pwritev2(iocbs, fd, qiov->iov, qiov->niov, offset, laio_fl= ags); } #else - assert(flags =3D=3D 0); + assert(laiocb->flags =3D=3D 0); io_prep_pwritev(iocbs, fd, qiov->iov, qiov->niov, offset); #endif break; @@ -399,7 +405,7 @@ static int laio_do_submit(int fd, struct qemu_laiocb *l= aiocb, off_t offset, /* Currently Linux kernel does not support other operations */ default: fprintf(stderr, "%s: invalid AIO request type 0x%x.\n", - __func__, type); + __func__, laiocb->type); return -EIO; } io_set_eventfd(&laiocb->iocb, event_notifier_get_fd(&s->e)); 
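Review bot: The fields added to struct qemu_laiocb are undocumented, and the struct no longer makes clear which members are fixed request parameters and which are completion state. A short comment above the new group would help, e.g. `/* Request parameters, kept so the tail of a short read/write can be resubmitted. */`, plus a note that `type` holds a QEMU_AIO_* value. Also, `offset` is stored as `off_t` while laio_co_submit() receives it as `uint64_t`, so the initializer `.offset = offset` in the last hunk converts implicitly; an explicit cast or range check there would make the conversion intentional. The struct begins outside the hunk.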
@@ -407,7 +413,7 @@ static int laio_do_submit(int fd, struct qemu_laiocb *l= aiocb, off_t offset, QSIMPLEQ_INSERT_TAIL(&s->io_q.pending, laiocb, next); s->io_q.in_queue++; if (!s->io_q.blocked) { - if (s->io_q.in_queue >=3D laio_max_batch(s, dev_max_batch)) { + if (s->io_q.in_queue >=3D laio_max_batch(s, laiocb->dev_max_batch)= ) { ioq_submit(s); } else { defer_call(laio_deferred_fn, s); 
@@ -425,14 +431,18 @@ int coroutine_fn laio_co_submit(int fd, uint64_t offs= et, QEMUIOVector *qiov, AioContext *ctx =3D qemu_get_current_aio_context(); struct qemu_laiocb laiocb =3D { .co =3D qemu_coroutine_self(), + .offset =3D offset, .nbytes =3D qiov ? qiov->size : 0, .ctx =3D aio_get_linux_aio(ctx), .ret =3D -EINPROGRESS, - .is_read =3D (type =3D=3D QEMU_AIO_READ), .qiov =3D qiov, + .fd =3D fd, + .type =3D type, + .flags =3D flags, + .dev_max_batch =3D dev_max_batch, }; =20 - ret =3D laio_do_submit(fd, &laiocb, offset, type, flags, dev_max_batch= ); + ret =3D laio_do_submit(&laiocb); if (ret < 0) { return ret; } --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619428; cv=none; d=zohomail.com; s=zohoarc; b=SKycnLTQfl/J7Q74DmOGt5l43ErmQAdvef3OUBYcZz7MeGF2v26/LgIFCnOYWTiZOYNiJCrwQLyZheg7j7yRjSWKAi7oZZZKljZufqVLd1V0a9O4kRbpFLthvZoXTBKj47JrgOZSju2JCpAhTYhE6l9+Fq1M68rqmf/UrN60kEM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619428; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=LCQQYOypUTyj9HKh4etGfz8nbzMgYlYWPmo/pEQiW+Q=; b=I48bvXmpzISO+vXg2+EOfuyB05KGd0mT5tm4cfz81cb8QQk35qlyAJ+LcScWV888/+nIhbmMHzjRN7Eqkk1gtjSIXxeEjzZ9nMymmcWBEebKNtom18LNdlAePho92XfUDiU6Sxd+GQDiGSd2PCyZaANI9NzWSpK2sKlqzAP1THE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org 
[209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619428815393.9578627083389; Tue, 12 May 2026 13:57:08 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMu9v-0006s8-TF; Tue, 12 May 2026 16:56:56 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu9t-0006i8-2o; Tue, 12 May 2026 16:56:53 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMu9q-0003U5-7W; Tue, 12 May 2026 16:56:52 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id E6E551AA2E5; Tue, 12 May 2026 23:54:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id F3AE13ABC56; Tue, 12 May 2026 23:54:38 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619274; bh=nE4Kx/GV3cjA/jdgyTB+YcJrEbkeDSw0RUVIU4/PBpg=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=I+iNYx0Ns7I76tKlUwDoYaIxAwb6fm6qTlcTRq040p2YcQlb9LwpVMNLqtymr+SIL h/MZBXHokXDNWGBYq5b7NiXF+0nonNDRJkIuWMo67QZET4rU5G1I1Qf8orcT733Fkg lRYDKB+bcgIUuJGRQKVpIoIXc0RbEPQuGYqyajJE9BHf+wRqySWhF6WSiwm+rYatnF 9/iS0zlqAj9mDzV8TymEbkDu8nZr9z0mdkj43t3SSoWgrPdYtFPXOeiex7Ljxn6k8J jNWd6zTYP3LPX/4xv/DJx60UmDjmICNjmXSdBVDYrCCEUJnIA5N2oZyoOlyZ/CDjYO S67yj+Sr01R2Q== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Hanna Czenczek , Kevin Wolf , Michael Tokarev Subject: [Stable-10.0.10 025/107] linux-aio: Resubmit tails of short reads/writes Date: Tue, 12 May 2026 23:53:12 +0300 Message-ID: <20260512205437.360850-25-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619429831158500 Content-Type: text/plain; charset="utf-8" From: Hanna Czenczek Short reads/writes can happen. One way to reproduce them is via our FUSE export, with the following diff applied (%s/escaped // to apply -- if you put plain diffs in commit messages, git-am will apply them, and I would rather avoid breaking FUSE accidentally via this patch): escaped diff --git a/block/export/fuse.c b/block/export/fuse.c escaped index a2a478d293..67dc50a412 100644 escaped --- a/block/export/fuse.c escaped +++ b/block/export/fuse.c 
@@ -828,7 +828,7 @@ static ssize_t coroutine_fn GRAPH_RDLOCK fuse_co_init(FuseExport *exp, struct fuse_init_out *out, const struct fuse_init_in_compat *in) { - const uint32_t supported_flags =3D FUSE_ASYNC_READ | FUSE_ASYNC_DIO; + const uint32_t supported_flags =3D FUSE_ASYNC_READ; if (in->major !=3D 7) { error_report("FUSE major version mismatch: We have 7, but kernel h= as %" @@ -1060,6 +1060,8 @@ fuse_co_read(FuseExport *exp, void **bufptr, uint64_t= offset, uint32_t size) void *buf; int ret; + size =3D MIN(size, 4096); + /* Limited by max_read, should not happen */ if (size > FUSE_MAX_READ_BYTES) { return -EINVAL; 
@@ -1110,6 +1112,8 @@ fuse_co_write(FuseExport *exp, struct fuse_write_out = *out, int64_t blk_len; int ret; + size =3D MIN(size, 4096); + QEMU_BUILD_BUG_ON(FUSE_MAX_WRITE_BYTES > BDRV_REQUEST_MAX_BYTES); /* Limited by max_write, should not happen */ if (size > FUSE_MAX_WRITE_BYTES) { Then: $ ./qemu-img create -f raw test.raw 8k Formatting 'test.raw', fmt=3Draw size=3D8192 $ ./qemu-io -f raw -c 'write -P 42 0 8k' test.raw wrote 8192/8192 bytes at offset 0 8 KiB, 1 ops; 00.00 sec (64.804 MiB/sec and 8294.9003 ops/sec) $ hexdump -C test.raw 00000000 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a |**************= **| * 00002000 With aio=3Dthreads, short I/O works: $ storage-daemon/qemu-storage-daemon \ --blockdev file,node-name=3Dtest,filename=3Dtest.raw \ --export fuse,id=3Dexp,node-name=3Dtest,mountpoint=3Dtest.raw,writable= =3Dtrue Other shell: $ ./qemu-io --image-opts -c 'read -P 42 0 8k' \ driver=3Dfile,filename=3Dtest.raw,cache.direct=3Don,aio=3Dthreads read 8192/8192 bytes at offset 0 8 KiB, 1 ops; 00.00 sec (36.563 MiB/sec and 4680.0923 ops/sec) $ ./qemu-io --image-opts -c 'write -P 23 0 8k' \ driver=3Dfile,filename=3Dtest.raw,cache.direct=3Don,aio=3Dthreads wrote 8192/8192 bytes at offset 0 8 KiB, 1 ops; 00.00 sec (35.995 MiB/sec and 4607.2970 ops/sec) $ hexdump -C test.raw 00000000 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 |..............= ..| * 00002000 But with aio=3Dnative, it does not: $ ./qemu-io --image-opts -c 'read -P 23 0 8k' \ driver=3Dfile,filename=3Dtest.raw,cache.direct=3Don,aio=3Dnative Pattern verification failed at offset 0, 8192 bytes read 8192/8192 bytes at offset 0 8 KiB, 1 ops; 00.00 sec (86.155 MiB/sec and 11027.7900 ops/sec) $ ./qemu-io --image-opts -c 'write -P 42 0 8k' \ driver=3Dfile,filename=3Dtest.raw,cache.direct=3Don,aio=3Dnative write failed: No space left on device $ hexdump -C test.raw 00000000 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a |**************= **| * 00001000 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 
|..............= ..| * 00002000 This patch fixes that. Reviewed-by: Kevin Wolf Signed-off-by: Hanna Czenczek Message-ID: <20260324084338.37453-3-hreitz@redhat.com> Signed-off-by: Kevin Wolf (cherry picked from commit 7eca3d4883be8d328377001a9ea7ae9882b00f3c) Signed-off-by: Michael Tokarev diff --git a/block/linux-aio.c b/block/linux-aio.c index a315eb746c..d0f9bc389a 100644 --- a/block/linux-aio.c +++ b/block/linux-aio.c @@ -45,6 +45,10 @@ struct qemu_laiocb { size_t nbytes; QEMUIOVector *qiov; =20 + /* For handling short reads/writes */ + size_t total_done; + QEMUIOVector resubmit_qiov; + int fd; int type; BdrvRequestFlags flags; 
@@ -74,28 +78,61 @@ struct LinuxAioState { }; =20 static void ioq_submit(LinuxAioState *s); +static int laio_do_submit(struct qemu_laiocb *laiocb); =20 static inline ssize_t io_event_ret(struct io_event *ev) { return (ssize_t)(((uint64_t)ev->res2 << 32) | ev->res); } =20 +/** + * Retry tail of short requests. + */ +static int laio_resubmit_short_io(struct qemu_laiocb *laiocb, size_t done) +{ + QEMUIOVector *resubmit_qiov =3D &laiocb->resubmit_qiov; + + laiocb->total_done +=3D done; + + if (!resubmit_qiov->iov) { + qemu_iovec_init(resubmit_qiov, laiocb->qiov->niov); + } else { + qemu_iovec_reset(resubmit_qiov); + } + qemu_iovec_concat(resubmit_qiov, laiocb->qiov, + laiocb->total_done, laiocb->nbytes - laiocb->total_d= one); + + return laio_do_submit(laiocb); +} + /* * Completes an AIO request. */ static void qemu_laio_process_completion(struct qemu_laiocb *laiocb) { - int ret; + ssize_t ret; =20 ret =3D laiocb->ret; if (ret !=3D -ECANCELED) { - if (ret =3D=3D laiocb->nbytes) { + if (ret =3D=3D laiocb->nbytes - laiocb->total_done) { ret =3D 0; + } else if (ret > 0 && (laiocb->type =3D=3D QEMU_AIO_READ || + laiocb->type =3D=3D QEMU_AIO_WRITE)) { + ret =3D laio_resubmit_short_io(laiocb, ret); + if (!ret) { + return; + } } else if (ret >=3D 0) { - /* Short reads mean EOF, pad with zeros. */ + /* + * For normal reads and writes, we only get here if ret =3D=3D= 0, which + * means EOF for reads and ENOSPC for writes. + * For zone-append, we get here with any ret >=3D 0, which we = just + * treat as ENOSPC, too (safer than resubmitting, probably, bu= t not + * 100 % clear). + */ if (laiocb->type =3D=3D QEMU_AIO_READ) { - qemu_iovec_memset(laiocb->qiov, ret, 0, - laiocb->qiov->size - ret); + qemu_iovec_memset(laiocb->qiov, laiocb->total_done, 0, + laiocb->qiov->size - laiocb->total_done); } else { ret =3D -ENOSPC; } 
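Review bot: On the resubmit branch of `qemu_laio_process_completion()` the early `return` leaves `laiocb->ret` holding the short byte count rather than the `-EINPROGRESS` it was initialised with, even though the request has just been queued again. If code outside this hunk treats any value other than `-EINPROGRESS` as "request finished" (the submitting coroutine's wait, presumably), it could return while the `laiocb` local of `laio_co_submit()` is still pending; this needs confirming against the rest of the file. Restoring the marker at the top of `laio_resubmit_short_io()` with `laiocb->ret = -EINPROGRESS;` would keep the state consistent. The doc comment on that helper could also say that `done` is the byte count of the completion just processed, not the running total.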
@@ -103,6 +140,9 @@ static void qemu_laio_process_completion(struct qemu_la= iocb *laiocb) } =20 laiocb->ret =3D ret; + if (laiocb->resubmit_qiov.iov) { + qemu_iovec_destroy(&laiocb->resubmit_qiov); + } =20 /* * If the coroutine is already entered it must be in ioq_submit() and 
@@ -379,7 +419,11 @@ static int laio_do_submit(struct qemu_laiocb *laiocb) struct iocb *iocbs =3D &laiocb->iocb; QEMUIOVector *qiov =3D laiocb->qiov; int fd =3D laiocb->fd; - off_t offset =3D laiocb->offset; + off_t offset =3D laiocb->offset + laiocb->total_done; + + if (laiocb->resubmit_qiov.iov) { + qiov =3D &laiocb->resubmit_qiov; + } =20 switch (laiocb->type) { case QEMU_AIO_WRITE: --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619684; cv=none; d=zohomail.com; s=zohoarc; b=Dmq+PnbI0ubAm/MS0dZ5m5EZdqJdT1BwdC36KOh5DxHjgiGm+FgmsKSSc5pmIpaduE7O7H1TkkeY2QsbH3cfMGxgcVeHPWlhENu5X+ZTVAEQaT8S+HJi30gtY8vafkywZc8GgCl/9QFOD942vDFuKJg2u47aKDzY4lh8f/0V6Ok= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619684; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=gn7KMkT/Citb7kYpYPAsV/ajYjeFymalKjSPK8Fa44Q=; b=I0ZcsqqhDNFhfMqM2NxOR6T/HKvigJ7XErR6PtVC5AVbv73eWZBdLU7MHVqQnQr4AaWv4wkMgJfoKBuE5YKR/BvNRfPPYB4+u0vuRAyv6MJw6yQRquqSHE7DBAftSVVkg2GAARnfNqixPgZkdbHxcrftP9yTy6HE6E4qpu7lVrI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619684901350.06661566683874; Tue, 12 May 2026 14:01:24 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 
1wMuAG-0007Y0-S4; Tue, 12 May 2026 16:57:20 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAC-0007T5-CG; Tue, 12 May 2026 16:57:12 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAA-0003UC-Fj; Tue, 12 May 2026 16:57:12 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 018331AA2E6; Tue, 12 May 2026 23:54:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 0E08D3ABC57; Tue, 12 May 2026 23:54:39 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619275; bh=/QYez1SdCBu+cdrL5zYbsyo9GEw9crHY6ygsutfikKY=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=T8pteQWyEA4Dk1ulhOkNz1xa2Pb9u6Spm3uIodo9iITV+//0aHQmaZLwaCC0D9/3q p0XTLRA+iihu4Tbg3oHcfpDV6DR4eyHv5jnGJXT6FjfvtiXUauVT0Nc4+c9a7HJ43a 5dKP0BBNP8w5qV5aa58QoZKH05BijaSQnqvvU1AJ8smq+NzZ66OZZn0rdnayJ+Sk9y izlc2Tr4h3WdhFGzoN/oQHav6tQ9N5pUtdShS81H/GXDNFiHjLTHQ365M4xhwv9kZo ggCwua4ts4C6hlYZ53NFFkbKyCvgB3PMlNprTNrBL9wTUgfp9n6avDm8S2IJ49zIdX 2SDbFFPV3h41Q== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, GuoHan Zhao , Kevin Wolf , Michael Tokarev Subject: [Stable-10.0.10 026/107] block/curl: free s->password in cleanup paths Date: Tue, 12 May 2026 23:53:13 +0300 Message-ID: <20260512205437.360850-26-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619686127158500 Content-Type: text/plain; charset="utf-8" From: GuoHan Zhao When password-secret is used, curl_open() resolves it with qcrypto_secret_lookup_as_utf8() and stores the returned buffer in s->password. Unlike s->proxypassword, s->password is not freed either in the open failure path or in curl_close(), so the resolved secret leaks once it has been allocated. Free s->password in both cleanup paths. Fixes: 1bff96064290 ('curl: add support for HTTP authentication parameters') Signed-off-by: GuoHan Zhao Message-ID: <20260320063016.262954-1-zhaoguohan_salmon@163.com> Reviewed-by: Kevin Wolf 
Signed-off-by: Kevin Wolf (cherry picked from commit 51fc8443c122fedf4d4891bbc3a1ff25dd8bacdf) Signed-off-by: Michael Tokarev diff --git a/block/curl.c b/block/curl.c index dabd2a905e..aabb602d9b 100644 --- a/block/curl.c +++ b/block/curl.c @@ -876,6 +876,7 @@ out_noclean: g_free(s->cookie); g_free(s->url); g_free(s->username); + g_free(s->password); g_free(s->proxyusername); g_free(s->proxypassword); if (s->sockets) { 
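Review bot: The added `g_free(s->password)` after `out_noclean:` releases the resolved secret without clearing it, so the plaintext password stays in freed heap memory until the chunk is reused; the same holds for the second hunk in `curl_close()` and for the existing `s->proxypassword` line. Consider scrubbing the buffer before the free with a primitive the compiler cannot elide, for example `explicit_bzero(s->password, strlen(s->password))` behind a NULL check where the platform provides it. Neither path resets the pointer afterwards; if the state can ever be cleaned up twice (not visible here), `s->password = NULL;` after the free would make that harmless. Both functions begin outside their hunks.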
@@ -987,6 +988,7 @@ static void curl_close(BlockDriverState *bs) g_free(s->cookie); g_free(s->url); g_free(s->username); + g_free(s->password); g_free(s->proxyusername); g_free(s->proxypassword); } --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619736; cv=none; d=zohomail.com; s=zohoarc; b=HoErki4COxdEPl2wgilYpJhNEvRQZ3aIY8AXcmZBDwlfL73hGoyf1c47Agz4bKVIWqQSRAsb5GOSKxS0EFkt8wNSFxC6tdMSq27GH4d7mlZTHr5G0jkpUMz+c7PQdADNsCtGs6MScRA2uki4sp+k306o6FEUjoB5s5aEGAwCYeg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619736; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=klmFy/b+sprtdaPiSvf+jn4+YLKTyuq6Y52FdOSrSEw=; b=VbEViJHmmtzrlTPtIlyBajpba4W/xKrtQBOohLdnLf+DVvUdIef7fu9fbs24j0AfhR5Dbr6U4bUHElNFqsl5BLycdJUZGIE9V+1GoNsCvjTOLOyihHVz1jr84ntT8LPBu/41l1G+cfJCwPNxX3X0eJDRBTSS99EyG34OknmhcpY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619736692439.7466651371319; Tue, 12 May 2026 14:02:16 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuAd-0007qa-7z; Tue, 12 May 2026 16:57:39 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) 
(envelope-from ) id 1wMuAH-0007ZC-0n; Tue, 12 May 2026 16:57:20 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAE-0003Uq-LB; Tue, 12 May 2026 16:57:16 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 106961AA2E7; Tue, 12 May 2026 23:54:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 1C7EE3ABC58; Tue, 12 May 2026 23:54:39 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619275; bh=MgrtVQ+DnS21RLJtCeuK+0fjNw0mPHM7Tdlmx0gQ5Us=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=HIkujitWIh59tn/PAiYU2CKpLz9738QlIt/E+y8mTjjp6D7Bh6BBRNG2uKc1pNMpV 0KreA1LSEIiAle7zEC6DpdLc6MqNBh1zkMF4w4KS6F519OsGKeT4sfQG+xcU/HnySi HUciYaIVsmyW4fk23vCOb4i5arygY5cgGnV+MwtWu+7l8r8NxuGsx/YmtdRlxlTpR7 A6agGXFG5rdqyhu9pPJGwgjBQgPuB2DpLhJXVOQBnJsogZakhcz4H42HC6ikDlC1za En+evoxS/cv17uVUhn5z+2pKuXj0RhxIakBXyUGgVCBTMuWRYmZyWO/Ox2Q/okQJO7 bTimjOOumszGA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Jenny Guanni Qu , Paolo Bonzini , Michael Tokarev Subject: [Stable-10.0.10 027/107] hw/audio/sb16: validate VMState fields in post_load Date: Tue, 12 May 2026 23:53:14 +0300 Message-ID: <20260512205437.360850-27-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619738854158500 Content-Type: text/plain; charset="utf-8" From: Jenny Guanni Qu The SB16 VMState loads in_index and out_data_len as raw INT32 values with no bounds validation. A crafted migration stream or VM snapshot can set these to values exceeding their respective buffer sizes (in2_data[10] and out_data[50]), causing heap OOB write in dsp_write() and heap OOB read in dsp_read(). Add bounds checks in sb16_post_load() to reject invalid values before they can be used as array indices. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3326 Reported-by: Jenny Guanni Qu 
Signed-off-by: Jenny Guanni Qu Link: https://lore.kernel.org/r/20260318192918.65481-1-qguanni@gmail.com Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit cb1e8c18df625dc9aed7f5fd5c8b961e8e4d1023) Signed-off-by: Michael Tokarev diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c index 0c661b4947..85b869a50a 100644 --- a/hw/audio/sb16.c +++ b/hw/audio/sb16.c 
@@ -1287,6 +1287,13 @@ static int sb16_post_load (void *opaque, int version= _id) { SB16State *s =3D opaque; =20 + + if (s->in_index < 0 || s->in_index > (int)sizeof(s->in2_data)) { + return -1; + } + if (s->out_data_len < 0 || s->out_data_len > (int)sizeof(s->out_data))= { + return -1; + } if (s->voice) { AUD_close_out (&s->card, s->voice); s->voice =3D NULL; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619851; cv=none; d=zohomail.com; s=zohoarc; b=kTuv5vCIiwtC0kunurFc7Zl8Z+i9jk2s4K/veSuPOk+9yAWS4dChXVoE7LILtul75QsOQil5mTv1WJFXSvd4VnOPp+zhrYRktkAde/1bJsgi/2NQk2ge29GzwjYnsndaTC5vptSdvft9uVHZttq4e3+uS4FjDxg3v359acqjJxY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619851; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=KuPhkcWKTgOkzgS1g3o8MFQ5ffFGwD35QpFcev6JBOY=; b=QZ+kZJZAQ6/hxWBfghh0LdrkQAaEg0PHDhzSALPkH/IhNSNFVlB55OC5lx1Ym7gA1GTlXZexCvGXK4Pva25+u70ZltSN2AEKS7IfR3kuBAxe34m4V5UA5WG/z3nfKm9r7AUgA14i3fCDBVo+doM4EhBIbAx+3/i4PS06ojYSLBE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619851084675.7643477818082; Tue, 12 May 2026 14:04:11 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuAi-0008Cy-B0; Tue, 12 May 
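Review bot: Both new checks in `sb16_post_load()` compare with `>` rather than `>=`, so a migration stream can still load `in_index == sizeof(s->in2_data)` or `out_data_len == sizeof(s->out_data)`. That is safe only if every consumer treats these fields as fill counts, testing for "full" before storing and decrementing before reading. `dsp_write()` and `dsp_read()` are outside this hunk, so this should be confirmed and recorded above the checks, e.g. `/* fill counts: == sizeof() means "buffer full" and is valid */`. The rejection is also silent; an `error_report()` naming the offending field before each `return -1;` would make a refused stream diagnosable. The function body continues past the hunk.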
2026 16:57:44 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAI-0007aq-7G; Tue, 12 May 2026 16:57:20 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAF-0003bM-68; Tue, 12 May 2026 16:57:16 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 1E7EA1AA2E8; Tue, 12 May 2026 23:54:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 2AF463ABC59; Tue, 12 May 2026 23:54:39 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619275; bh=mx0/ygg3ICyu3MyXKw7556Pm/SQOAj08f2Tc/1grYrY=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=KZbUACH4GGB6MQ+fYux9eYCyh2CZaJUJpjvNKGop5/nyxKAPKRrDmwEwhyZs4NMwM EF3sbooslDjO5NxIwCfTOBT/vMJ17trdHEl1oh64SVyYfFTElojrhvQdEvuFxFweJn ilhTQA+pXq5GZKkQWYLhQ2OulroIW+M+P4l/NPFg5bS0YQ5+LAJJ2jbJ444pvNS7QR ALrl7wjO6hQebHMy0uq+YFIpnk9NVesCHP6WcV+Pjeb04ehy70VWf/0fhXVg5HVxCe Mepwnw5iYAypl61nVDZ8crANt0uVZ977TFP80ClijkOWhBSAEA0wBKK6bV3qkmHRy2 h8MbkfZO4RDxw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Richard Henderson , Pierrick Bouvier , Michael Tokarev Subject: [Stable-10.0.10 028/107] tcg: Pass host-endian values to plugin_gen_mem_callbacks_* Date: Tue, 12 May 2026 23:53:15 +0300 Message-ID: <20260512205437.360850-28-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619852332158500 Content-Type: text/plain; charset="utf-8" From: Richard Henderson If the host does not support swapped-endian loads and stores, then we emulate those within the tcg expanders with explicit bswap operations. However, we were passing values to the plugin interface in the middle of those bswap operations, which meant that we would pass values of the wrong endianness to plugins when running on hosts without swapped-endian loads and stores. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3351 
Signed-off-by: Richard Henderson Reviewed-by: Pierrick Bouvier Tested-by: Pierrick Bouvier Link: https://lore.kernel.org/qemu-devel/20260325024252.3369186-2-pierrick.= bouvier@linaro.org Signed-off-by: Pierrick Bouvier (cherry picked from commit 539421a428fd4b8231d9be042143f2d09c719e2a) (Mjt: back-port to 10.0.x) Signed-off-by: Michael Tokarev diff --git a/tcg/tcg-op-ldst.c b/tcg/tcg-op-ldst.c index a8f35e1970..335b50f088 100644 --- a/tcg/tcg-op-ldst.c +++ b/tcg/tcg-op-ldst.c @@ -260,9 +260,6 @@ static void tcg_gen_qemu_ld_i32_int(TCGv_i32 val, TCGTe= mp *addr, copy_addr =3D plugin_maybe_preserve_addr(addr); gen_ldst(INDEX_op_qemu_ld_i32, TCG_TYPE_I32, tcgv_i32_temp(val), NULL, addr_new, oi); - plugin_gen_mem_callbacks_i32(val, copy_addr, addr, orig_oi, - QEMU_PLUGIN_MEM_R); - maybe_free_addr(addr, addr_new); =20 if ((orig_memop ^ memop) & MO_BSWAP) { switch (orig_memop & MO_SIZE) { @@ -278,6 +275,10 @@ static void tcg_gen_qemu_ld_i32_int(TCGv_i32 val, TCGT= emp *addr, g_assert_not_reached(); } } + + plugin_gen_mem_callbacks_i32(val, copy_addr, addr, orig_oi, + QEMU_PLUGIN_MEM_R); + maybe_free_addr(addr, addr_new); } =20 void tcg_gen_qemu_ld_i32_chk(TCGv_i32 val, TCGTemp *addr, TCGArg idx, @@ -288,10 +289,10 @@ void tcg_gen_qemu_ld_i32_chk(TCGv_i32 val, TCGTemp *a= ddr, TCGArg idx, tcg_gen_qemu_ld_i32_int(val, addr, idx, memop); } =20 -static void tcg_gen_qemu_st_i32_int(TCGv_i32 val, TCGTemp *addr, +static void tcg_gen_qemu_st_i32_int(TCGv_i32 orig_val, TCGTemp *addr, TCGArg idx, MemOp memop) { - TCGv_i32 swap =3D NULL; + TCGv_i32 val =3D orig_val; MemOpIdx orig_oi, oi; TCGOpcode opc; TCGTemp *addr_new; 
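Review bot: The relocated `plugin_gen_mem_callbacks_i32()` call at the end of `tcg_gen_qemu_ld_i32_int()` is only correct because it now runs after the emulated bswap block, but nothing in the code records that ordering requirement. A one-line comment above the call, `/* Call after the bswap fixup so plugins observe the final loaded value. */`, would stop a later edit from moving it back. The same applies to the `plugin_gen_mem_callbacks_i64()` call moved in `tcg_gen_qemu_ld_i64_int()`. In the two store helpers, a matching comment that plugins must receive `orig_val` (the unswapped value) rather than the temporary would be equally useful.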
@@ -301,18 +302,17 @@ static void tcg_gen_qemu_st_i32_int(TCGv_i32 val, TCG= Temp *addr, orig_oi =3D oi =3D make_memop_idx(memop, idx); =20 if ((memop & MO_BSWAP) && !tcg_target_has_memory_bswap(memop)) { - swap =3D tcg_temp_ebb_new_i32(); + val =3D tcg_temp_ebb_new_i32(); switch (memop & MO_SIZE) { case MO_16: - tcg_gen_bswap16_i32(swap, val, 0); + tcg_gen_bswap16_i32(val, orig_val, 0); break; case MO_32: - tcg_gen_bswap32_i32(swap, val); + tcg_gen_bswap32_i32(val, orig_val); break; default: g_assert_not_reached(); } - val =3D swap; memop &=3D ~MO_BSWAP; oi =3D make_memop_idx(memop, idx); } @@ -324,11 +324,12 @@ static void tcg_gen_qemu_st_i32_int(TCGv_i32 val, TCG= Temp *addr, } addr_new =3D tci_extend_addr(addr); gen_ldst(opc, TCG_TYPE_I32, tcgv_i32_temp(val), NULL, addr_new, oi); - plugin_gen_mem_callbacks_i32(val, NULL, addr, orig_oi, QEMU_PLUGIN_MEM= _W); + plugin_gen_mem_callbacks_i32(orig_val, NULL, addr, orig_oi, + QEMU_PLUGIN_MEM_W); maybe_free_addr(addr, addr_new); =20 - if (swap) { - tcg_temp_free_i32(swap); + if (val !=3D orig_val) { + tcg_temp_free_i32(val); } } =20 @@ -374,9 +375,6 @@ static void tcg_gen_qemu_ld_i64_int(TCGv_i64 val, TCGTe= mp *addr, addr_new =3D tci_extend_addr(addr); copy_addr =3D plugin_maybe_preserve_addr(addr); gen_ldst_i64(INDEX_op_qemu_ld_i64, val, addr_new, oi); - plugin_gen_mem_callbacks_i64(val, copy_addr, addr, orig_oi, - QEMU_PLUGIN_MEM_R); - maybe_free_addr(addr, addr_new); =20 if ((orig_memop ^ memop) & MO_BSWAP) { int flags =3D (orig_memop & MO_SIGN @@ -396,6 +394,10 @@ static void tcg_gen_qemu_ld_i64_int(TCGv_i64 val, TCGT= emp *addr, g_assert_not_reached(); } } + + plugin_gen_mem_callbacks_i64(val, copy_addr, addr, orig_oi, + QEMU_PLUGIN_MEM_R); + maybe_free_addr(addr, addr_new); } =20 void tcg_gen_qemu_ld_i64_chk(TCGv_i64 val, TCGTemp *addr, TCGArg idx, 
@@ -406,10 +408,10 @@ void tcg_gen_qemu_ld_i64_chk(TCGv_i64 val, TCGTemp *a= ddr, TCGArg idx, tcg_gen_qemu_ld_i64_int(val, addr, idx, memop); } =20 -static void tcg_gen_qemu_st_i64_int(TCGv_i64 val, TCGTemp *addr, +static void tcg_gen_qemu_st_i64_int(TCGv_i64 orig_val, TCGTemp *addr, TCGArg idx, MemOp memop) { - TCGv_i64 swap =3D NULL; + TCGv_i64 val =3D orig_val; MemOpIdx orig_oi, oi; TCGTemp *addr_new; =20 
@@ -423,32 +425,32 @@ static void tcg_gen_qemu_st_i64_int(TCGv_i64 val, TCG= Temp *addr, orig_oi =3D oi =3D make_memop_idx(memop, idx); =20 if ((memop & MO_BSWAP) && !tcg_target_has_memory_bswap(memop)) { - swap =3D tcg_temp_ebb_new_i64(); + val =3D tcg_temp_ebb_new_i64(); switch (memop & MO_SIZE) { case MO_16: - tcg_gen_bswap16_i64(swap, val, 0); + tcg_gen_bswap16_i64(val, orig_val, 0); break; case MO_32: - tcg_gen_bswap32_i64(swap, val, 0); + tcg_gen_bswap32_i64(val, orig_val, 0); break; case MO_64: - tcg_gen_bswap64_i64(swap, val); + tcg_gen_bswap64_i64(val, orig_val); break; default: g_assert_not_reached(); } - val =3D swap; memop &=3D ~MO_BSWAP; oi =3D make_memop_idx(memop, idx); } =20 addr_new =3D tci_extend_addr(addr); gen_ldst_i64(INDEX_op_qemu_st_i64, val, addr_new, oi); - plugin_gen_mem_callbacks_i64(val, NULL, addr, orig_oi, QEMU_PLUGIN_MEM= _W); + plugin_gen_mem_callbacks_i64(orig_val, NULL, addr, orig_oi, + QEMU_PLUGIN_MEM_W); maybe_free_addr(addr, addr_new); =20 - if (swap) { - tcg_temp_free_i64(swap); + if (val !=3D orig_val) { + tcg_temp_free_i64(val); } } =20 --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619987; cv=none; d=zohomail.com; s=zohoarc; b=FJk2IZzbiA0t8HJmWSEZdjlcgDLh9Y4Kdwa8GJxaKVD0KkTTg3bhFJLLf4LhF536X2JRFQf2mfE+jrJ9q4mwjbooF4Z/Dscv+3WVuH8nN827VjJiMUyesHlTQRylI7lWSt2AGCWGBY2RPa3VHtXZfszJHa+eYzDaGLVWmlHaUJI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619987; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; 
bh=ntrafAAQuUtjTSd2UZ5CoS3cJgi0wbWKq5/+RmnMGqM=; b=GEU4E7EAiUA6vEKR7PAymTOFYse72kTaklZPCMjNyQr35PMkB3g3ovBzaPTmlnOhnxdB+wyeeiqS4xA7GPmJLSruDe0hqDBsDL30rLN5wSdt/Q3FGTkQK9TrhbEsJbN4g7ue0PesJjm7jm+XfqiA00oRlxIlgVg0tjrKBmgVlCY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619987322772.72562036789; Tue, 12 May 2026 14:06:27 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuAh-000854-E3; Tue, 12 May 2026 16:57:43 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAK-0007co-H6; Tue, 12 May 2026 16:57:22 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAI-0003cK-KU; Tue, 12 May 2026 16:57:20 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 2D1F61AA2E9; Tue, 12 May 2026 23:54:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 399863ABC5A; Tue, 12 May 2026 23:54:39 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619275; bh=cEIx1tXWFx9gJffwFdAPUsulqKQV+KRXHP9GHeTqNHQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=lBxUqlxvA5ypy4y3cV3aXC5mTl241Wv+KYHxJUIQ5XLze3Uho3KTVSi0Qgag1DsXK 4SH0G4hweBpgCsh5JYD3SeYNPFHmk0al7wnk3BB8sEbSs7cvI4zqvFAV8aH0g2akXk MDQJkV4/yHrQPq+PucuJmhn2PtnIo2u9WL1jLfMxSqpm4CWmjEi3zQIJjhRTPoC39k RUE9dsjDH85rfrUumn8VgRZ28VZc4qMrzBeAqFJSRWD8OBo+7dZ1w1NWbMrRRndoiF 
GwlCo+GzHiznNKrNqDzunwq0WmclyiOVhKXxW9fvQNqMp+ClnyMzo9b0cElM33+/jW WxYQlgj0F8QxA== From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Pankaj Raghav , Klaus Jensen , Michael Tokarev Subject: [Stable-10.0.10 029/107] hw/nvme: re-enable wzds bit in namespace dlfeat Date: Tue, 12 May 2026 23:53:16 +0300 Message-ID: <20260512205437.360850-29-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619988922154100 Content-Type: text/plain; charset="utf-8" 
From: Pankaj Raghav dlfeat was changed from 0x9 to 0x1 when PI support was added. It was removed because we can't rely on unmap and have to physically clear it to get the checksums right but that doesnt mean that we do not support the bit. The spec says that if wzds is enabled, then the controller supports deallocate (DEAC) on write zeroes. But DEAC bit in write zeroes command is only a hint, the controller might choose to physically write zeroes in those areas. As we are sending write zeroes command with BDRV_REQ_MAY_UNMAP to the underlying block device anyway (if the unmap operation is supported), change the dlfeat value back to 0x9. A new flag FALLOC_FL_WRITE_ZEROES has been introduced in linux for fallocate which will use the wzds bit in dlfeat to quickly zeroout extents using unmap operation whenever possible[1]. [1] https://lore.kernel.org/linux-fsdevel/20250619111806.3546162-1-yi.zhang= @huaweicloud.com/ Fixes: 146f720c55 ("hw/block/nvme: end-to-end data protection") Suggested-by: Klaus Jensen Signed-off-by: Pankaj Raghav Signed-off-by: Klaus Jensen (cherry picked from commit 55720ba97d2164796215c983255f009993e24432) Signed-off-by: Michael Tokarev diff --git a/hw/nvme/ns.c b/hw/nvme/ns.c index e895e7d950..dc7a960df1 100644 --- a/hw/nvme/ns.c +++ b/hw/nvme/ns.c 
@@ -73,7 +73,7 @@ static int nvme_ns_init(NvmeNamespace *ns, Error **errp) ns->csi =3D NVME_CSI_NVM; ns->status =3D 0x0; =20 - ns->id_ns.dlfeat =3D 0x1; + ns->id_ns.dlfeat =3D 0x9; =20 /* support DULBE and I/O optimization fields */ id_ns->nsfeat |=3D (NVME_ID_NS_NSFEAT_DAE | NVME_ID_NS_NSFEAT_OPTPERF_= ALL); --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619541; cv=none; d=zohomail.com; s=zohoarc; b=djXlsRYWCJHfAsu00ZFkkEpvzGgLCHPpUldwh5Pw4ug7vKX6TGGPBTlc+kROGMgBl9AHWt26C0vz3AR9DYxsLsdVH9uhUCPpoZWazb+Sm13ueYfDYl3dvJ97cigJKLmYtGJtUUXBisHhSS0MIeZoPQca9BAcE8G4YPVewU9m5ew= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619541; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=c6QTUqTLAqGs7XSeznCVVBpU3PCz7lfLkuENvq/Rz/E=; b=D+LZ7ALGeYxelBmaRE5Hyyiu+LNuejtqTREpgRR7aYEPClExGjhyZp1Ki+mLM6AfyIdggV7RcjZY1SxTftI+fkReqHj4s6v55/bKxW9kRkjazel/pZ4RczvgjqfeWWYZVQDA9dypfbmc5fSnBRpCr5L2c0jqH2mguKpgQhPGZKM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619541545950.4842372457532; Tue, 12 May 2026 13:59:01 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuAp-0000cW-Ty; Tue, 12 May 2026 16:57:52 -0400 Received: from eggs.gnu.org 
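Review bot: `ns->id_ns.dlfeat = 0x9;` is a bare magic number, and the earlier 0x9 to 0x1 change that this commit reverts shows how easily its meaning gets lost. A comment on the assignment spelling out the two fields would help, e.g. `/* deallocated blocks read as zeroes (0x1) | WZDS: Write Zeroes with DEAC supported (0x8) */`. The description notes that namespaces with protection information need the range physically cleared to keep checksums right. It is therefore worth confirming, outside this hunk, that the write-zeroes path still does so when a guest sets DEAC now that the bit is advertised. `nvme_ns_init` continues outside the hunk.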
([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAf-00087t-MA; Tue, 12 May 2026 16:57:42 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAd-0003dS-Q3; Tue, 12 May 2026 16:57:41 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 3AD311AA2EA; Tue, 12 May 2026 23:54:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 483E03ABC5B; Tue, 12 May 2026 23:54:39 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619275; bh=8UNfDJdHb+yrzOTJNdqGfFYwGI+KsYdynfiB9eZpL4w=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=wasoQNPF9dwGewKcyOr4piBVic9IBnZu74SniQRlc0KIY0Udn+JJkNhdIuLlRxyhI O9HKYE8hzJ3EwpCpmCF480K5To52RU4zpH0PRHMw64O+ra1Wr9FblygfD4JDv4+WQ0 u43idFoNYxN0dT8om0vAXm1ICDLVpAVjiCbufT+1UmsG+/xwCBZ9qvS0b2BG5Jj6/k Rfk4BqYCWbhzkDUL1u2+0UnRI0KNBwsS3skEcYdkDCX7FNoOk0tPOBk95FEbrh52x7 0yI+6Hmt3IOZvjGb4Aie9PyVsmGLEPoBMg/mO/Rv7D8loGWKNiKj4hFIbAXyHi4Sx/ cUeHY2J/RFKhg== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Kaixuan Li , Klaus Jensen , Michael Tokarev Subject: [Stable-10.0.10 030/107] hw/nvme: fix heap-buffer-overflow in nvme_abort Date: Tue, 12 May 2026 23:53:17 +0300 Message-ID: <20260512205437.360850-30-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619544283154100 Content-Type: text/plain; charset="utf-8" 
From: Kaixuan Li In nvme_abort(), the submission queue pointer is dereferenced from the guest-controlled sqid before validating it with nvme_check_sqid(): NvmeSQueue *sq =3D n->sq[sqid]; Since sqid is a 16-bit value (range 0-65535) taken directly from CDW10, and n->sq[] is typically only max_ioqpairs+1 (65) entries, a malicious guest can trigger an out-of-bounds heap read by sending an Abort command with a large sqid. ASan reports this as heap-buffer-overflow in nvme_abort. Fix this by moving the array dereference to after the nvme_check_sqid() bounds validation. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3348 Fixes: 75209c071a ("hw/nvme: actually implement abort") Cc: qemu-stable@nongnu.org Signed-off-by: Kaixuan Li Signed-off-by: Klaus Jensen (cherry picked from commit eb5cc99aff17cbfdad16b18d3503c6f22233eeb5) Signed-off-by: Michael Tokarev diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index c93039ba23..60738e3466 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -6109,7 +6109,7 @@ static uint16_t nvme_abort(NvmeCtrl *n, NvmeRequest *= req) { uint16_t sqid =3D le32_to_cpu(req->cmd.cdw10) & 0xffff; uint16_t cid =3D (le32_to_cpu(req->cmd.cdw10) >> 16) & 0xffff; - NvmeSQueue *sq =3D n->sq[sqid]; + NvmeSQueue *sq; NvmeRequest *r, *next; int i; =20 
@@ -6118,6 +6118,8 @@ static uint16_t nvme_abort(NvmeCtrl *n, NvmeRequest *= req) return NVME_INVALID_FIELD | NVME_DNR; } =20 + sq =3D n->sq[sqid]; + if (sqid =3D=3D 0) { for (i =3D 0; i < n->outstanding_aers; i++) { NvmeRequest *re =3D n->aer_reqs[i]; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619657; cv=none; d=zohomail.com; s=zohoarc; b=I40J4xgqHq0BcG+IDmxlYhoVBnuXemTUStM6Ho4MuHeNyhgvsatNG6HCHLJrx3k9RWegGDtUSEAvSUF9efhO/6pvtgZjsa5hORPr4o7SefBcX435N5kQ7c8OpSVv9qp1MdBJcDS3C0lG4F4rBBU4BKB1n0XJsIy2jCo79eiUIFM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619657; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=8hEK51A0MW1Xj+ku4D/+akVhRA7DB4d4PSLmbTtDieY=; b=SzX3HU+v1M1/Zc6RbSk1Q6EyHTyUT/a/2Di1thStT/TZ8Sz9ntQuSIEcd3eyTFSzbcykFOGVqgAA0oxBFh6dS2xJB/SqNcZplhhujRAX8zIxyYvKY0qnPeKCdZYOunioVnlmhzOX3vfBxG7SxQsY1amOnJtTwsAmE4IJonTzKqY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619657123394.43540328177176; Tue, 12 May 2026 14:00:57 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuAs-0000sy-0B; Tue, 12 May 2026 16:57:54 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps 
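Review bot: The added `sq = n->sq[sqid];` is safe only because it follows the `nvme_check_sqid()` test, and nothing at the assignment records that dependency. Since `sqid` comes straight from guest-supplied CDW10, a comment such as `/* sqid is guest-controlled: index n->sq[] only after nvme_check_sqid() */` would stop the lookup being hoisted back into the declarations, where the first hunk now leaves `NvmeSQueue *sq;` uninitialised. The body of the check is not in this patch, so the fix assumes it bounds `sqid` against the allocated length of `n->sq[]` and rejects empty slots; that should be confirmed. A regression test that issues an Abort with an out-of-range SQID and expects `NVME_INVALID_FIELD | NVME_DNR` would pin the behaviour. The body of `nvme_abort` continues outside both hunks.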
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAi-0008Dq-3K; Tue, 12 May 2026 16:57:44 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAg-0003di-3T; Tue, 12 May 2026 16:57:43 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 47DCB1AA2EB; Tue, 12 May 2026 23:54:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 54E0A3ABC5C; Tue, 12 May 2026 23:54:39 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619275; bh=A+CB3r0XJJLkya9xoc9pLkn0KToDU+IUYIVFDpOoRyg=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=LXG9fNkFhBX5TAGg2G0XRIPnE0RZCXP8kxEmwcQ4FBhgwCyAMZ5Mb3qdGXTrnwrTo nOgZUBGRQ2SgY2l/biOVKGKDbxcFtBYVF87IQKjPz7VK75UKPRBmeTC6LXVXaXJx06 9NMa/OU46e9EGZcTW6kzDVg5N/4yQzNWIpJbmYJ9PD7EPC/uMWxbsOJKFJl1REmuVy RSgto5sZU8yTRZ86mtqtWQknCDXy8gqxFYb4l0crfCkTWS4n8d2b0yi9BE1a6CKQCQ q5YdkbXEjG+/Erud5hWxawiLCrcsskuCKJmHepXAiLuZtK2ZUP9CoGL3oLNiQUvoqx ytdzEubLUOJlQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , Kostiantyn Kostiuk , Michael Tokarev Subject: [Stable-10.0.10 031/107] scripts/qemu-guest-agent/fsfreeze-hook: Avoid bash-isms Date: Tue, 12 May 2026 23:53:18 +0300 Message-ID: <20260512205437.360850-31-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619657684158500 Content-Type: text/plain; charset="utf-8" 
From: Peter Maydell The fsfreeze-hook script starts with #!/bin/sh, but it uses several bash-specific constructs, resulting in misbehaviour on guest systems where /bin/sh is some other POSIX shell. Fix the simple ones reported by shellcheck: In scripts/qemu-guest-agent/fsfreeze-hook line 27: touch "$LOGFILE" &>/dev/null || USE_SYSLOG=3D1 ^---------^ SC3020 (warning): In POSIX sh, &> is undefined. In scripts/qemu-guest-agent/fsfreeze-hook line 31: local message=3D"$1" ^-----------^ SC3043 (warning): In POSIX sh, 'local' is undefined. In scripts/qemu-guest-agent/fsfreeze-hook line 46: log_message "Executing $file $@" ^-- SC2145 (error): Argument mixes string = and array. Use * or separate argument. In scripts/qemu-guest-agent/fsfreeze-hook line 55: if [ $STATUS -ne 0 ]; then ^-----^ SC2086 (info): Double quote to prevent globbing and word s= plitting. There is also a use of PIPESTATUS that is more complex to fix; that will be dealt with in a separate commit. Cc: qemu-stable@nongnu.org Fixes: 85978dfb6b1c133 ("qemu-ga: Optimize freeze-hook script logic of logg= ing error") Signed-off-by: Peter Maydell Reviewed-by: Kostiantyn Kostiuk Link: https://lore.kernel.org/qemu-devel/20260317094806.1944053-2-peter.may= dell@linaro.org Signed-off-by: Kostiantyn Kostiuk (cherry picked from commit b5abb655fab6145ff3728d4bdaea3648468590fc) Signed-off-by: Michael Tokarev diff --git a/scripts/qemu-guest-agent/fsfreeze-hook b/scripts/qemu-guest-ag= ent/fsfreeze-hook index c1feb6f5ce..a33cf21288 100755 --- a/scripts/qemu-guest-agent/fsfreeze-hook +++ b/scripts/qemu-guest-agent/fsfreeze-hook 
@@ -23,15 +23,14 @@ USE_SYSLOG=3D0 # if log file is not writable, fallback to syslog [ ! -w "$LOGFILE" ] && USE_SYSLOG=3D1 # try to update log file and fallback to syslog if it fails -touch "$LOGFILE" &>/dev/null || USE_SYSLOG=3D1 +touch "$LOGFILE" >/dev/null 2>&1 || USE_SYSLOG=3D1 =20 # Ensure the log file is writable, fallback to syslog if not log_message() { - local message=3D"$1" if [ "$USE_SYSLOG" -eq 0 ]; then - printf "%s: %s\n" "$(date)" "$message" >>"$LOGFILE" + printf "%s: %s\n" "$(date)" "$1" >>"$LOGFILE" else - logger -t qemu-ga-freeze-hook "$message" + logger -t qemu-ga-freeze-hook "$1" fi } =20 @@ -42,7 +41,7 @@ for file in "$FSFREEZE_D"/* ; do is_ignored_file "$file" && continue [ -x "$file" ] || continue =20 - log_message "Executing $file $@" + log_message "Executing $file $*" if [ "$USE_SYSLOG" -eq 0 ]; then "$file" "$@" >>"$LOGFILE" 2>&1 STATUS=3D$? 
@@ -51,7 +50,7 @@ for file in "$FSFREEZE_D"/* ; do STATUS=3D${PIPESTATUS[0]} fi =20 - if [ $STATUS -ne 0 ]; then + if [ "$STATUS" -ne 0 ]; then log_message "Error: $file finished with status=3D$STATUS" else log_message "$file finished successfully" --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619983; cv=none; d=zohomail.com; s=zohoarc; b=CC1HfGw3cBobMw/uYPBtCtXTFZe4C5GAMGYWsbKkssadq9WLbsyAqCaiCTGaJfV+CH+dvffehgehbfEtI+Zjy8ZssJ7slL90Tye4JaLETgGtpZ5JUNAMC1L4AabBhYY059hjHPRcfjFzSipRuZYoDOdIOT/21WwmMW9ca8ISfd4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619983; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=UtlRPKpjdEAinS80IjNT5FeqWUFod0p7b6+LOk+zPl8=; b=UOhzDZ8M0TurvwJesNVlSwpemMAL74PU3Eorx4Hlf2GjvHPai54+p7oHEFcnWCfFo9mLkQNtfWChzKWs9nXVM38/mTvlfUoiZLEi3B8KRVfuelr6p9tscPwnPlgoyE/uHfNU8IiluFa6lBq+ob9z+p1SJpSPN86pjLcIIJtlGzM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619983087895.7801809974798; Tue, 12 May 2026 14:06:23 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuAo-0000NV-14; Tue, 12 May 2026 16:57:50 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps 
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAj-0008OF-Jp; Tue, 12 May 2026 16:57:45 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAh-00045b-In; Tue, 12 May 2026 16:57:45 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 543611AA2EC; Tue, 12 May 2026 23:54:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 622B53ABC5D; Tue, 12 May 2026 23:54:39 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619275; bh=Kg1YSzLwzJXGTbMKwrGKtqRAdZT+TZSgZmQWn7DiT+c=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=oM7i7YIHDWm8+Vjju3KL2MASalUpgW55Ty5ZNHAbyJq4ziQ6QXTKmgBBnS6kyGStV wTAEeUjtbbP/hvGv88huPu+GaT1PBh2Uk3fKq/7J8HXERD2lpbbeuDAM3D9O+j3ZT5 1Au83YiSk6jugwTcOE+7LGEj1jVkMhohtYnAoms3tcgCiDWxDGxzXSP8k6sH73PrmQ VQEJB+sraJRsAmDV6nFk/Nqs2ogIhfmBOrqBViLhmInMYwXDW6hghk2wo28nq536Qb CFsIMpOc7AQX3ggENJkWZSD/V9tBPLPBdrxwcdz1UU63Quk3lclXolSxEOjIP6RoQR TPeD7gJ/UdXhQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , Kostiantyn Kostiuk , Michael Tokarev Subject: [Stable-10.0.10 032/107] scripts/qemu-guest-agent/fsfreeze-hook: Avoid use of PIPESTATUS Date: Tue, 12 May 2026 23:53:19 +0300 Message-ID: <20260512205437.360850-32-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619985587158500 Content-Type: text/plain; charset="utf-8" 
From: Peter Maydell PIPESTATUS is a bash-specific construct, and this script is supposed to be POSIX shell. We only use it in one place, to capture the exit status of a command whose output we are piping to 'logger'. Replace the PIPESTATUS usage with the trick described in https://unix.stackexchange.com/questions/14270/get-exit-status-of-process-t= hats-piped-to-another/70675#70675 which uses a command-group to capture the status of the first process in the pipeline. Cc: qemu-stable@nongnu.org Fixes: 85978dfb6b1c133 ("qemu-ga: Optimize freeze-hook script logic of logg= ing error") Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3339 Signed-off-by: Peter Maydell Reviewed-by: Kostiantyn Kostiuk Link: https://lore.kernel.org/qemu-devel/20260317094806.1944053-3-peter.may= dell@linaro.org Signed-off-by: Kostiantyn Kostiuk (cherry picked from commit 65b9f4791c24b09814ae51135e8dad283faed348) Signed-off-by: Michael Tokarev diff --git a/scripts/qemu-guest-agent/fsfreeze-hook b/scripts/qemu-guest-ag= ent/fsfreeze-hook index a33cf21288..a635a25cb8 100755 --- a/scripts/qemu-guest-agent/fsfreeze-hook +++ b/scripts/qemu-guest-agent/fsfreeze-hook 
@@ -46,8 +46,23 @@ for file in "$FSFREEZE_D"/* ; do "$file" "$@" >>"$LOGFILE" 2>&1 STATUS=3D$? else - "$file" "$@" 2>&1 | logger -t qemu-ga-freeze-hook - STATUS=3D${PIPESTATUS[0]} + # We want to pipe the output of $file through 'logger' and also + # capture its exit status. Since we are a POSIX script we can't + # use PIPESTATUS, so instead this is a trick borrowed from + # https://unix.stackexchange.com/questions/14270/get-exit-status-o= f-process-thats-piped-to-another/70675#70675 + # which uses command-groups and redirection to get the exit status. + # This is equivalent to + # "$file" "$@" 2>&1 | logger -t qemu-ga-freeze-hook + # plus setting the exit status of the pipe to the exit + # status of the first command rather than the last one. + { { { { + "$file" "$@" 2>&1 3>&- 4>&- + echo $? >&3 + } | logger -t qemu-ga-freeze-hook >&4 + } 3>&1 + } | { read -r xs ; exit "$xs"; } + } 4>&1 + STATUS=3D$? fi =20 if [ "$STATUS" -ne 0 ]; then --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619542; cv=none; d=zohomail.com; s=zohoarc; b=N9Sg7jHVvqd6cLkNLqeTVS+oleCiMl4xK9JAb3WXbDpvwx6HZZJ1cvT7l4pxnGo/I4/GVuxXQprqAJyxD3m3ZDorbc7G542vKos/YpwvsUsfCnHwUkXzoYSPI1ZofjcuGyweairClkKIE03RzMObUDR6N1pXxJaPOxZzAMaEpW8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619542; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=QJy1friy/yJnlA/44U3V3hrjyXoqNl2PpRTM3UeeqAw=; 
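Review bot: `{ read -r xs ; exit "$xs"; }` as the last element of the pipeline behaves as intended only if that element runs in a subshell. POSIX lets a shell run pipeline commands in the current environment, and in a shell that does so for the last command this `exit` would end the whole hook script after the first hook file. Since the purpose of the change is portability to non-bash `/bin/sh`, an explicit subshell is safer: `} | ( read -r xs ; exit "${xs:-1}" )`. The `:-1` default also gives a defined non-zero status if the status line is never read, rather than depending on how the shell treats `exit ""`. The enclosing `for file in ...` loop starts and ends outside the hunk.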
b=NjEaC5Vo2NLIgOVQ0PIzI9gPulIhFYuiivuCgT9guNaVRKtnT+mTZU8PpYu1CpV2a+Tc3Cr06uKczztoolNPzmw58LWIJzjvRAszXo2N76qkETyho/GhVxoMAM4aDXiqefZEDO91CA4IddUv4tFaRqjgVS36hS1fuChnmggof84= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619542112853.3449532724854; Tue, 12 May 2026 13:59:02 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuAt-00016k-Ui; Tue, 12 May 2026 16:57:56 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAm-0000Ec-6b; Tue, 12 May 2026 16:57:48 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAj-00046B-RU; Tue, 12 May 2026 16:57:47 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 628991AA2ED; Tue, 12 May 2026 23:54:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 6E7DB3ABC5E; Tue, 12 May 2026 23:54:39 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619275; bh=UfCY160u0Z/PDrH/rzfGi7JtK4x16xXFa45/5pC6Fdk=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=kWLIMPM3tV0fncJerf8mVzyZhzpZLYcaKgUJRl3Zrx8fqvqJxvU1wgea0qtqYaBlf pk+qcqcT2XuP8C5qYWX/tLrsC6+qPfE/QfzXECBdYnETcxpbecBICytVREQj4qfa4w nh19dIlL5CEJqmKKnAqrw3edg0WoLJ8SlP6ZL+SuEmOjW+FlJpz5XpgCz6tTE/DyN/ LapxBkRRjb47Dqyv0h7LH1PvaMZ7kU9X68XyUmT8GshxEtb8pE9/OEKezrUAS6Txv+ 
KQr9VsWgi/bXVQqDFAkIogyHcF8InyEbeoq8HjLzFnVzLcBeLBlW/MoIP9yXUGwXbD EEpUTATaF5sSQ== From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , Kostiantyn Kostiuk , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.10 033/107] scripts/qemu-guest-agent/fsfreeze-hook: Fix syslog-fallback logic Date: Tue, 12 May 2026 23:53:20 +0300 Message-ID: <20260512205437.360850-33-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619542407158500 
From: Peter Maydell In the fsfreeze script we attempt to implement "log to a file if we can, and fall back to syslog if we cannot". We do this with: [ ! -w "$LOGFILE" ] && USE_SYSLOG=3D1 touch "$LOGFILE" >/dev/null 2>&1 || USE_SYSLOG=3D1 This has a weird behaviour if it is run in a setup where we have permissions that would allow us to write to $LOGFILE but it does not currently exist. On the first execution, the '-w' fails and so we set USE_SYSLOG=3D1. But since we also do the "touch $LOGFILE" step we create an empty logfile. Then on the second time the script is executed, we see a writeable logfile and will use it. The effect is "log to syslog once, then to the logfile thereafter", which is not likely to be what anybody wants. Update the condition of the first check to only pick syslog if the logfile exists but is not writable. This means that: * if the logfile doesn't exist but we are able to create it, we will create it and use it * if the logfile already exists and we can write to it, we will use it * if the logfile already exists but we can't write to it, we will fall back to syslog * if the logfile doesn't exist and we can't create it, we will fall back to syslog Cc: qemu-stable@nongnu.org Fixes: 85978dfb6b1c133 ("qemu-ga: Optimize freeze-hook script logic of logg= ing error") Signed-off-by: Peter Maydell Reviewed-by: Kostiantyn Kostiuk Reviewed-by: Philippe Mathieu-Daud=C3=A9 Link: https://lore.kernel.org/qemu-devel/20260317094806.1944053-4-peter.may= dell@linaro.org Signed-off-by: Kostiantyn Kostiuk (cherry picked from commit 08497afcb2a737794991f17a37f0a0971fca411e) Signed-off-by: Michael Tokarev diff --git a/scripts/qemu-guest-agent/fsfreeze-hook b/scripts/qemu-guest-ag= ent/fsfreeze-hook index a635a25cb8..a279a57857 100755 --- a/scripts/qemu-guest-agent/fsfreeze-hook +++ b/scripts/qemu-guest-agent/fsfreeze-hook 
@@ -20,8 +20,8 @@ is_ignored_file() { } =20 USE_SYSLOG=3D0 -# if log file is not writable, fallback to syslog -[ ! -w "$LOGFILE" ] && USE_SYSLOG=3D1 +# if log file exists but is not writable, fallback to syslog +[ -e "$LOGFILE" ] && [ ! -w "$LOGFILE" ] && USE_SYSLOG=3D1 # try to update log file and fallback to syslog if it fails touch "$LOGFILE" >/dev/null 2>&1 || USE_SYSLOG=3D1 =20 --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619494; cv=none; d=zohomail.com; s=zohoarc; b=VS3INA/0adFoCHgMm4Cq/R6vPaMDqkL5GcRsEc1r9+WW1qVbhhNsp//dsjGn/6aoj7oqH1/f/Prx2Vrf2yNM3N42kR7aIWLmWmZLO80EV334f0TvWQxKAJW3WjoFNVHlqOmcrLLbe94GmsLoBZtHd9huCjlauICnvEj5nrzU+q0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619494; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=CEd5Fz1ubittUWpY4dLIfJCZV97rpdfqnXPGwcMlVZA=; b=Y0udFvZI6a08ZYFC5mvfH1HLx4bosGDSVYVqnS99OnpaII5Oz6ILi1Uilb3DA6br7AGBDODr8RAK3ocS5TjA/bh4TQdvEfWCDG29VFeydwmsQy/LuWqbHk0OxkjDyPYppjBrSZjPO4DKjhcWE/tMLzu5m55ZhZYoC0SCO4lO92M= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619494139783.1670410604344; Tue, 12 May 2026 13:58:14 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 
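Review bot: The updated comment on the `[ -e "$LOGFILE" ] && [ ! -w "$LOGFILE" ]` line does not say why this test is still needed next to the `touch` fallback on the following line, so a later cleanup could easily fold the two together. As far as I can tell, `touch` can succeed on an existing file the caller owns even when its mode denies writing, and only the `-w` test selects syslog in that case. If that is the reason, record it, e.g. `# touch may succeed on a file we own but cannot write, so test -w explicitly`. Also note that `-e` is false for a dangling symlink, so `touch` would create the link target; the log path should therefore sit in a directory that only the account running the hook can write to, which this hunk does not show.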
1wMuAw-0001FQ-2l; Tue, 12 May 2026 16:57:58 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAn-0000Mm-KI; Tue, 12 May 2026 16:57:49 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuAl-00046T-FQ; Tue, 12 May 2026 16:57:49 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 7951D1AA2EE; Tue, 12 May 2026 23:54:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 7CF593ABC5F; Tue, 12 May 2026 23:54:39 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619275; bh=9LEiVKRbOf45vPH/Jl3CEYFWirjHQ/hV8kLMhcG87YM=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=sW8xgadj9saFLhJAnAFjx8iGCPcF6QrngJDXvFpn6kK2+6gLEfU8S1+kVbgOfRXoz vgi4kfAQmS7/4pEsyzi7kHUuXsCL/vn/LoxWrqapOhBfi1e5UVNA+pDLn5feQ4VebO u8tRyv3RcMetgVTwIFTxQGPr9FI/C37KCT2iWTNvySJucVQYJ94zQcidyHy/pBUyID FT1PbSkbEPSAiOSDlv9jCTJHXBg8tkY/0678dyL1L2PZvMlSRXWeBSnlfeR589fjaV upKIxG0BQsyyAtXZW67bu0Jisigm4ho8V4wu0rwUpkg+0RCCacf7ElnEFPDTsg4VSZ yz26lwir4J6dw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Paolo Bonzini , Michael Tokarev Subject: [Stable-10.0.10 034/107] lsi53c895a: keep a reference to the device while SCRIPTS execute Date: Tue, 12 May 2026 23:53:21 +0300 Message-ID: <20260512205437.360850-34-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619496216158500 Content-Type: text/plain; charset="utf-8" From: Paolo Bonzini SCRIPTS execution can trigger PCI device unplug and consequently a use-after-free after the unplug returns. Avoid this by keeping the device alive. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3090 Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit 4862d2c95104d9fd0430cc003c205094f8ada1f9) Signed-off-by: Michael Tokarev diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index 6689ebba25..bf58212fb1 100644 --- a/hw/scsi/lsi53c895a.c +++ b/hw/scsi/lsi53c895a.c 
@@ -1163,6 +1163,7 @@ static void lsi_execute_script(LSIState *s) s->waiting =3D LSI_NOWAIT; } =20 + object_ref(s); reentrancy_level++; =20 s->istat1 |=3D LSI_ISTAT1_SRUN; @@ -1182,6 +1183,7 @@ again: s->waiting =3D LSI_WAIT_SCRIPTS; lsi_scripts_timer_start(s); reentrancy_level--; + object_unref(s); return; } insn =3D read_dword(s, s->dsp); 
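Review bot: The reference taken by `object_ref(s)` before `reentrancy_level++` is released by hand on each exit, so any other or future `return` between them would leak it and keep an unplugged device alive. The two releases are the early `return` after `lsi_scripts_timer_start(s)` in the second hunk and the function end in the `@@ -1630,6 +1632,7 @@` hunk. The body of lsi_execute_script between the hunks is not visible here, so I cannot confirm these are the only exits. A comment at the acquire site would make the contract explicit: `/* SCRIPTS may unplug the device; hold a reference until every exit path below has run. */`. Routing both exits through one label that does `reentrancy_level--; object_unref(s);` would remove the duplicated pairing.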
@@ -1630,6 +1632,7 @@ again: trace_lsi_execute_script_stop(); =20 reentrancy_level--; + object_unref(s); } =20 static uint8_t lsi_reg_readb(LSIState *s, int offset) --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619952; cv=none; d=zohomail.com; s=zohoarc; b=n7SMvs79vJQi0oM5t41MvUuxsVOHB+ojXNrxyOftp7xvPqTX9iXehvoPJ3Rsu5Or7glrimqsAAkWarERy2e0TLdyMj2vN345TJE9GuFTetCR6uSPDIHnFwyNquP4UgM9Y1lu9WCy0/mMwvCmI6darXoBXhngbzx8D8oCVnk1MIg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619952; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=5WHwBri4wX0gR7ZX73wjXOJ4WJ3V4uN92vHnqjqJB78=; b=PVNVyaik6UurLcW73K25+M9MUe18X4VpeIDfU+vJ38y+V/69g+ooxpKb2G88HRz+ykgdE9Npnc7K2NumvFyibRAtpaC+vDQiB/bVva5gkWzJVEfIzAVqNCosP43ZEyzc4aulsOk++f+rMvnn1xoowLV3YYnL6DxiGgG61dM4zac= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619952025564.3672317144232; Tue, 12 May 2026 14:05:52 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuBP-00020k-9a; Tue, 12 May 2026 16:58:27 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBA-0001ic-BX; 
Tue, 12 May 2026 16:58:13 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuB7-00046t-LK; Tue, 12 May 2026 16:58:12 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 85B7D1AA2EF; Tue, 12 May 2026 23:54:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 93CE53ABC60; Tue, 12 May 2026 23:54:39 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619275; bh=NXvklHLMe/1G/6v/zFdrKIGMlkdSHYR/Psz+Ummg+1c=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=vlz05jTFwUtiQucGsmhVsPFvJB+IwFIclr3meCAwmJTAGVM15kB4w93olBvU8AX0/ hpfT3JmCwndxj6YcoJBcMwtdDb4zN4/qZmoTIWIxs32MmWKUxM+y7xmMo4FoHhR+dM EQaaVCJPfTI33ij1PcKE/rQFI83S7hhLiqdxhDonB1b98pLTngpM+6/ko41oG4NVd/ qxUjSc1miYj3CVifJj3/NC8TjXWXAsvbhty2OqKN81KXy9+5EacxmwWdUhin2KeHtF oWPSSM7EUqQL89/v4nHqiryWkIqZJ1sam3BKedV9Flc1KeDpP0wqqNBqRfXLZs77UV C0g0p0AcJhDUA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Paolo Bonzini , Michael Tokarev Subject: [Stable-10.0.10 035/107] lsi53c895a: do not do anything else if a reset is requested by writing ISTAT0 Date: Tue, 12 May 2026 23:53:22 +0300 Message-ID: <20260512205437.360850-35-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619954118154100 Content-Type: text/plain; charset="utf-8" From: Paolo Bonzini If the device is reset, anything that is done before will not really be visible. So do the reset and exit immediately if that is one of the requests in the value written to ISTAT0. Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit 64807c84e83f767c135aa9ba4b5f61162bb177ef) Signed-off-by: Michael Tokarev diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index bf58212fb1..a5598931f9 100644 --- a/hw/scsi/lsi53c895a.c +++ b/hw/scsi/lsi53c895a.c 
@@ -1949,6 +1949,10 @@ static void lsi_reg_writeb(LSIState *s, int offset, = uint8_t val) CASE_SET_REG32(dsa, 0x10) case 0x14: /* ISTAT0 */ s->istat0 =3D (s->istat0 & 0x0f) | (val & 0xf0); + if (val & LSI_ISTAT0_SRST) { + device_cold_reset(DEVICE(s)); + return; + } if (val & LSI_ISTAT0_ABRT) { lsi_script_dma_interrupt(s, LSI_DSTAT_ABRT); } 
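Review bot: The new SRST branch leaves with `return` where this case otherwise ends with `break`, so anything lsi_reg_writeb does after the switch is now skipped for a reset write. The end of the function is outside this hunk, so whether that is intended cannot be checked here. If nothing depends on it, `break;` inside the `if` keeps a single exit; if skipping is deliberate, say so in a comment. The ordering also deserves a why-comment, e.g. `/* A reset discards the effect of the other bits, so handle it first and ignore them. */`. Note that `s->istat0` is still updated from `val` on the line above before the reset runs.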
@@ -1962,9 +1966,6 @@ static void lsi_reg_writeb(LSIState *s, int offset, u= int8_t val) s->dsp =3D s->dnad; lsi_execute_script(s); } - if (val & LSI_ISTAT0_SRST) { - device_cold_reset(DEVICE(s)); - } break; case 0x16: /* MBOX0 */ s->mbox0 =3D val; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619616; cv=none; d=zohomail.com; s=zohoarc; b=jQiCXESnBdOZBwFBVy0EDrbM3tpybRu72cqe92YSRQJpmWulZcAu52sJ3Xdj5PFpYIFUZKkPfIlWWZyAe815NG5wgwV32r74Tr/A11HoOB6L5Z175HkqFV+U2TuC8zomxsRuYYhF7cuc2mHezeNPa5qqjGiPUoSSROA+wvPc5wU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619616; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=ps9YLQ3i2p+WtiOhkUobkQLMUiVUA2dZsgbYqyY3UPw=; b=FfemsTiw3r33Jrg/t6e90T8ZlfjEc6Ik8ojd5NFnA3VOdEUZ+znpdjyp+NxXThynpeFldvlqpZiLbQ9zdzpFEV5hfHZ+z5hOgntXPbTj2MKPSeH5U+WSZigjUnz9DZELxsKQJldgH6ItPfr6JlP10Qcgeioznym7aKxmBO6U6p0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 177861961681745.306546483050056; Tue, 12 May 2026 14:00:16 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuBY-0002Eg-RL; Tue, 12 May 2026 16:58:40 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps 
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBB-0001jH-4s; Tue, 12 May 2026 16:58:16 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuB9-00047J-7K; Tue, 12 May 2026 16:58:12 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 935EB1AA2F0; Tue, 12 May 2026 23:54:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id A11273ABC61; Tue, 12 May 2026 23:54:39 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619275; bh=rrsMWBSCBlP4xo04jzXt7cgD2zLYfLebOS4p3YGM7BU=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=fRn6yKUOQ/oLnrGgDEaqYIstHCTeoxySz4rjbRO3rRN0jyIB2BqqHCGzdTPaqEGx4 NxFmvTaSFyZeJ0oQeXlzewilryzy5HaSMDONG+VU2eBOFaXTINBHHZmv7rNd/g73eN VKQofCx4N/8VchjMoQh4JPEjSY/qHF658hVuhkBVJs3yPS5z6kwBUVs2KvQrcA0phN IlnW1CLADBg3KCFEc7E54cSgBbI8uBPFVQwdpyClTGBdUspQWytFmJs/ybh0BMC2aV jrfIYOBeakWI2w8ri6i6XY2pX+/ERDJfIqeSzb6nUlfVr3OKfyvc3agti2brzODsjF nh1eIuKmrdFVw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Paolo Bonzini , Michael Tokarev Subject: [Stable-10.0.10 036/107] lsi53c895a: keep lsi_request and SCSIRequest in local variables Date: Tue, 12 May 2026 23:53:23 +0300 Message-ID: <20260512205437.360850-36-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619619159154100 Content-Type: text/plain; charset="utf-8" From: Paolo Bonzini Protect against changes from reentrant device MMIO during DMA, by always operating on the same request. Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit 1ca38f84e19427c462f077390492f971f9eb11eb) Signed-off-by: Michael Tokarev diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index a5598931f9..be9bff02b0 100644 --- a/hw/scsi/lsi53c895a.c +++ b/hw/scsi/lsi53c895a.c 
@@ -626,6 +626,8 @@ static void lsi_do_dma(LSIState *s, int out) uint32_t count; dma_addr_t addr; SCSIDevice *dev; + SCSIRequest *req; + lsi_request *p; =20 if (!s->current || !s->current->dma_len) { /* Wait until data is available. */ @@ -633,12 +635,14 @@ static void lsi_do_dma(LSIState *s, int out) return; } =20 - dev =3D s->current->req->dev; + p =3D s->current; + req =3D s->current->req; + dev =3D req->dev; assert(dev); =20 count =3D s->dbc; - if (count > s->current->dma_len) - count =3D s->current->dma_len; + if (count > p->dma_len) + count =3D p->dma_len; =20 addr =3D s->dnad; /* both 40 and Table Indirect 64-bit DMAs store upper bits in dnad64 */ 
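Review bot: In the second hunk `req` is read through `s->current` again right after `p = s->current;`, which hides that both locals are meant to describe the same request. `req = p->req;` states that directly and leaves a single read of `s->current`. lsi_do_dma continues beyond this hunk.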
@@ -653,21 +657,22 @@ static void lsi_do_dma(LSIState *s, int out) s->csbc +=3D count; s->dnad +=3D count; s->dbc -=3D count; - if (s->current->dma_buf =3D=3D NULL) { - s->current->dma_buf =3D scsi_req_get_buf(s->current->req); + if (p->dma_buf =3D=3D NULL) { + p->dma_buf =3D scsi_req_get_buf(req); } /* ??? Set SFBR to first data byte. */ if (out) { - lsi_mem_read(s, addr, s->current->dma_buf, count); + lsi_mem_read(s, addr, p->dma_buf, count); } else { - lsi_mem_write(s, addr, s->current->dma_buf, count); + lsi_mem_write(s, addr, p->dma_buf, count); } - s->current->dma_len -=3D count; - if (s->current->dma_len =3D=3D 0) { - s->current->dma_buf =3D NULL; - scsi_req_continue(s->current->req); + + p->dma_len -=3D count; + if (p->dma_len =3D=3D 0) { + p->dma_buf =3D NULL; + scsi_req_continue(req); } else { - s->current->dma_buf +=3D count; + p->dma_buf +=3D count; lsi_resume_script(s); } } --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619565; cv=none; d=zohomail.com; s=zohoarc; b=E5Io9J49cD4W5ypAhzQUzZ/tcP2Mi1AZqsDqsLEtAi0IDfe4V3F3UCFxkJduF/qBZJgG69+VsrKoJc06QwjykBrw/vVn9nNB3OOMSp6jDTOqhxwvBaRCOVWQuQ7oUFokoj6+b917qCPdZFn3lIYmH8iJ4vQTiB1W8D+Pa/i20oY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619565; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=NLCksx1c6UMnusUmXBLOy9lvoMhmmSyEqivecqvi7Lk=; b=EkPpzp+kOATU7ZM2wnOroDMN64PJRE0dlHkIpPpfIJOcH0Fx7f6ufgjdL++/Xro3t9OIkT+2KqrPRVAcv919EpJ5yxZcNNKbBQRaQIVwqdVrb3uIG0GVw8DpLIaQ/LZt2f2K4csR8J4gCj7JhUgQZVjyigOvocFRKhgqlK3COa4= 
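Review bot: `p` and `req` are plain copies of `s->current` and its `req`, and this hunk takes no reference on either, so the lines after `lsi_mem_read()`/`lsi_mem_write()` (`p->dma_len -= count`, `scsi_req_continue(req)`) still rely on the request surviving the DMA. The commit message names reentrant MMIO during DMA as the concern; if such reentrancy can complete or cancel the request, these locals would then point at freed memory rather than at a different `s->current`. For a stable backport this change should therefore travel with the later patches in the series that pin the request ("keep lsi_request alive as long as the SCSIRequest" and "keep SCSIRequest alive during DMA"). A short comment at the assignments would record it: `/* snapshot only; no reference is held across the DMA below */`.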
ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619565084853.4551877618968; Tue, 12 May 2026 13:59:25 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuBL-0001sI-BS; Tue, 12 May 2026 16:58:23 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBD-0001mR-Tm; Tue, 12 May 2026 16:58:18 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBC-0004ge-7B; Tue, 12 May 2026 16:58:15 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id A1D241AA2F1; Tue, 12 May 2026 23:54:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id AE2C13ABC62; Tue, 12 May 2026 23:54:39 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619275; bh=SKY70TJATbySCjlj1m9t/Vc1PDRfADpHm3QaoE8Pdbc=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=rfSAf235V7N99ypGI72yyFVDLYtiGRxKh2L3K7hINumyQmrWGbCuwyRQMwsg0mZRt FcmQlF2VVxoC+KIolc7Cd8CcmZfjuaaAKQpFU8VGrqUTIKFuYOHQ7Ye7aup+HcuXHa KhCgEa9p0d3YMNuA3ETBWJyy8+KJ9ViKX7SnidcFLSQMArWD9gI2gx8IeHAoV+ZYaq RKk2/JytuwPeSgWPtF6HhgubsMtQ4zwxqoXkKyiNXP3yH0/yqfNI7MvFDZTjKmuW0J QnD4vHsnwFCZRhT3N9HZwWMEWTeDu/Gfs1HL8lAS1q5qkISMesIPzlLW8wW2vXHn8v h0/8kb0KmZHIg== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Paolo Bonzini , Michael Tokarev Subject: [Stable-10.0.10 037/107] lsi53c895a: keep lsi_request alive as long as the SCSIRequest Date: Tue, 12 May 2026 23:53:24 +0300 Message-ID: <20260512205437.360850-37-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619568314154100 Content-Type: text/plain; charset="utf-8" From: Paolo Bonzini To protect against using the lsi_request after SCSIRequest has been freed, keep the HBA-private data alive until the last reference to the SCSIRequest is gone. Because req->hba_private was used (even if just for an assertion) to check that the request was still either current or queued, add a boolean field that is set when the SCSIRequest is cancelled or completed, which is when the lsi_request would have been unqueued. Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit 7c7aaaa342b57b0099d7fc4a9803e987b891322b) Signed-off-by: Michael Tokarev 
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index be9bff02b0..5e9321f1a2 100644 --- a/hw/scsi/lsi53c895a.c +++ b/hw/scsi/lsi53c895a.c @@ -197,6 +197,7 @@ typedef struct lsi_request { uint8_t *dma_buf; uint32_t pending; int out; + bool orphan; QTAILQ_ENTRY(lsi_request) next; } lsi_request; =20 @@ -748,14 +749,20 @@ static lsi_request *lsi_find_by_tag(LSIState *s, uint= 32_t tag) return NULL; } =20 -static void lsi_request_free(LSIState *s, lsi_request *p) +static void lsi_request_orphan(LSIState *s, lsi_request *p) { + p->orphan =3D true; if (p =3D=3D s->current) { s->current =3D NULL; } else { QTAILQ_REMOVE(&s->queue, p, next); } - g_free(p); + scsi_req_unref(p->req); +} + +static void lsi_free_request(SCSIBus *bus, void *priv) +{ + g_free(priv); } =20 static void lsi_request_cancelled(SCSIRequest *req) @@ -763,9 +770,7 @@ static void lsi_request_cancelled(SCSIRequest *req) LSIState *s =3D LSI53C895A(req->bus->qbus.parent); lsi_request *p =3D req->hba_private; =20 - req->hba_private =3D NULL; - lsi_request_free(s, p); - scsi_req_unref(req); + lsi_request_orphan(s, p); } =20 /* Record that data is available for a queued command. Returns zero if @@ -817,9 +822,7 @@ static void lsi_command_complete(SCSIRequest *req, size= _t resid) } =20 if (req->hba_private =3D=3D s->current) { - req->hba_private =3D NULL; - lsi_request_free(s, s->current); - scsi_req_unref(req); + lsi_request_orphan(s, s->current); } if (!stop) { lsi_resume_script(s); 
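Review bot: `lsi_request_orphan()` has no guard against being called twice for the same `lsi_request`. A second call would find `p != s->current`, run `QTAILQ_REMOVE` on an element that is no longer queued, and drop a second reference with `scsi_req_unref(p->req)`. Before this change `lsi_request_cancelled()` and `lsi_command_complete()` cleared `req->hba_private`, so a repeated callback saw NULL rather than a stale pointer; now the pointer stays set for the life of the SCSIRequest. Whether the SCSI layer can invoke `.cancel` after `.complete` for one request is not visible here, so treat this as hardening. `assert(!p->orphan);` as the first line of `lsi_request_orphan()` would turn a double orphan into an immediate failure instead of list corruption.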
@@ -830,10 +833,11 @@ static void lsi_command_complete(SCSIRequest *req, si= ze_t resid) static void lsi_transfer_data(SCSIRequest *req, uint32_t len) { LSIState *s =3D LSI53C895A(req->bus->qbus.parent); + lsi_request *p =3D req->hba_private; int out; =20 - assert(req->hba_private); - if (s->waiting =3D=3D LSI_WAIT_RESELECT || req->hba_private !=3D s->cu= rrent || + assert(!p->orphan); + if (s->waiting =3D=3D LSI_WAIT_RESELECT || p !=3D s->current || (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) { if (lsi_queue_req(s, req, len)) { return; 
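Review bot: `assert(!p->orphan)` dereferences `p` without the NULL check that the removed `assert(req->hba_private)` provided, so a request arriving with no HBA-private data would now fault on the field read instead of failing the assertion. `assert(p && !p->orphan);` keeps both checks. lsi_transfer_data continues past the end of this hunk.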
@@ -2325,7 +2329,8 @@ static const struct SCSIBusInfo lsi_scsi_info =3D { =20 .transfer_data =3D lsi_transfer_data, .complete =3D lsi_command_complete, - .cancel =3D lsi_request_cancelled + .cancel =3D lsi_request_cancelled, + .free_request =3D lsi_free_request, }; =20 static void scripts_timer_cb(void *opaque) --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619935; cv=none; d=zohomail.com; s=zohoarc; b=VD5TJPXiiGNv5DYauxjpEEO9twdSyyFPUxqfB0iWuZWazEXMY993m8L+x703ZljjoKDxTHd/JVlXyzjVxo0bA3Kcv+0s1+0X6rvWJTTLAjO4D5XHUi5CO8vgMcZ8I0tDQWfKMiqXFtxT/Mcmd0iNRpxvKC7sECm8mq6V0cQyWCk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619935; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=P6Hj3GxCO0MKe0NvulX6B+KmFSdgfHO60+ZCwg63Byg=; b=Fjkmkt6zOUFB1s7Vx22Z1sqdsXFvGwLI081XGZJ7/i8k89YBIitlbgcdLUuC8nRrHairQZZpWC772dNlT7h7DrhrKGjjK8F6WM9eYMEU55owuxng6yTVZbmMPXPYaqwL+4PddZ2bS69x5AyOwcPseNrWaHEJCXGYYjZrBEwUQhI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619935455429.69167981499436; Tue, 12 May 2026 14:05:35 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuBP-00025o-VL; Tue, 12 May 2026 16:58:28 -0400 Received: from eggs.gnu.org 
([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBE-0001mZ-UX; Tue, 12 May 2026 16:58:18 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBC-0004gy-LZ; Tue, 12 May 2026 16:58:16 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id BCE091AA2F2; Tue, 12 May 2026 23:54:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id BD04E3ABC63; Tue, 12 May 2026 23:54:39 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619275; bh=k/qvrWjIHbUsNgB1QBl+x/GXPJXOr62bZgGHjm3idRg=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=L4xrESoRrzmDaitrMuEPOAko4iU7EHsGBBW2j8vL08X+VLmMQ4flmZK8+aA28p3MS +FGGGefdEm2ag2fX+HKMa9mtIhOr5+GjrCP9cFKsFlFe+dVLvVer+eK8XREBvx+qi2 yr/ZZUcZK4YwJyeZmB2lT8Z4dvfbRz2ttdSgJZkuT/jwsqwrRZephqxd5EdJvrYk1X o7uuNfhVJpK6mOOhlcpi5ewtxDxcaG9WDfthrLOXuGmbVsPPq9HMQoPt1vpITQPtTC b9G0LVQnp6SwfcYeKXLUqhrKQDedRCciV0Rxz+4ENmKAGHQRhkc8m2ICTgoFsIiGFl suXCeB7XXL1cA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Paolo Bonzini , Jihe Wang , Michael Tokarev Subject: [Stable-10.0.10 038/107] lsi53c895a: keep SCSIRequest alive during DMA Date: Tue, 12 May 2026 23:53:25 +0300 Message-ID: <20260512205437.360850-38-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619937983154100 Content-Type: text/plain; charset="utf-8" From: Paolo Bonzini Reentrant MMIO can cause the SCSIRequest to be completed, at which point lsi_request_orphan would drop the last reference. Anything that happens afterwards would access freed data. Keep a reference to the SCSIRequest and, through req->hba_private, to the lsi_request* for as long as DMA runs. Reported-by: Jihe Wang Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit d459131ff590c517bc89fa5867d4878b5eacbc30) Signed-off-by: Michael Tokarev diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index 5e9321f1a2..c845e0bee7 100644 
--- a/hw/scsi/lsi53c895a.c +++ b/hw/scsi/lsi53c895a.c @@ -637,7 +637,7 @@ static void lsi_do_dma(LSIState *s, int out) } =20 p =3D s->current; - req =3D s->current->req; + req =3D scsi_req_ref(s->current->req); dev =3D req->dev; assert(dev); =20 
@@ -667,6 +667,11 @@ static void lsi_do_dma(LSIState *s, int out) } else { lsi_mem_write(s, addr, p->dma_buf, count); } + if (p->orphan) { + scsi_req_unref(req); + return; + } + scsi_req_unref(req); =20 p->dma_len -=3D count; if (p->dma_len =3D=3D 0) { --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619595; cv=none; d=zohomail.com; s=zohoarc; b=SXOHFda4Uydo6buH1+DkEcPnKeE7OMT41nSkA2IZNGQ5Kk7hCc6C7vbGYJz5f5/cyh4ubOt9wQ+uH2dLCgpZcLTD2Kl/RwhmGDHamHXZjjKYiX2RG3tzlyRR6coo7bpqyXfWi3oTtMwdLYWJxaekpK5K5OxSxeXYanBTSwsb060= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619595; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=TWnMvt4nNQSZn4L0NyErTKciAEAGrMTeqtIRkH85ntw=; b=OBc7/A8VjMPkaT9D2oXCoRaoaiOM2ctegdq1yzGqJ87vd+4aUW1fdk0G0aF06rtCzZn679XfJflwxAn5izOaF3yCGl9o2H2Y59tWz7dHU1TepN8GmD5W50rtdolCZHw05zTjdtxAOqGsvZ8VpZ/LjCvz18Dw6neOSvZmiyzfEiM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619595555830.4016910948276; Tue, 12 May 2026 13:59:55 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuBS-0002BR-Qa; Tue, 12 May 2026 16:58:33 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with 
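Review bot: The orphan check after the guest-memory copy drops the reference in two places, which is easy to get out of sync later. Reading the flag first leaves a single release point: `bool orphan = p->orphan;`, then `scsi_req_unref(req);`, then `if (orphan) { return; }`. In the non-orphan path the code right below keeps using `p` (`p->dma_len -= count`) after the unref, which is safe only if the controller still holds its own reference at that point. The commit message implies it does, but the rest of lsi_do_dma is outside the hunk, so it is worth a comment stating that assumption.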
esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBI-0001sO-FD; Tue, 12 May 2026 16:58:23 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBF-0004hQ-IG; Tue, 12 May 2026 16:58:20 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id CAFE01AA2F3; Tue, 12 May 2026 23:54:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id D79103ABC64; Tue, 12 May 2026 23:54:39 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619275; bh=daRR+ZdyOfAs2F8KSecB4P2oiYBqmmSKFfl/fLUoENg=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=bPtTowLFRYzAwW0lJ1KaEe7t6uIm2ilvKzcQfULTo2RJ68krw41GCKdbvIe114WvH vR+cVq1Kel7DhoPyQdu1ioqr+FLNCxUbXnjiL8JuxRphouY/kxFGQIS2z1e1vx0DNr VPZDG0E8BtFwEio9t14DG7H4stI7P7jzb8/wtUw41ArYUuHzTnLtlDsTI34q8B2H9Y r/R1QwKQVH2omQJFx6n0nLXcgOEQ7B8+4nfTFrUOuGugoO5VXb44TX9kWcDPClsIyz Uzif9XzFS03R3y1gMV+1NNg4ox5WOYYkpCKXrbaRgm57yy7rPQTlZInRWADWkvbJzx fIvvgVBjR12Hw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.10 039/107] hw/net/rocker: Avoid double-free of l2_flood.group_ids Date: Tue, 12 May 2026 23:53:26 +0300 Message-ID: <20260512205437.360850-39-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619596795154100 
From: Peter Maydell In of_dpa_cmd_add_l2_flood(), we allocate memory for the group->l2_flood.group_ids array, freeing any previous array. However, in the error-exit path we free the group_ids memory but do not clear the pointer to NULL. This means that if the guest causes us to take the error-exit path and then later call the function again, we will try again to free the memory we already freed. Fix this by clearing the group_ids pointer in the error exit path, so we maintain the invariant of "either it points at allocated memory, or it is NULL" (both being valid to g_free()). Cc: qemu-stable@nongnu.org Fixes: dc488f88806 ("rocker: add new rocker switch device") Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3253 Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daud=C3=A9 Message-id: 20260324193530.375628-1-peter.maydell@linaro.org (cherry picked from commit a0721c099b71f7bdfafa2675daee331d884163d2) Signed-off-by: Michael Tokarev diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c index 3378f63110..b4da3cc0ec 100644 --- a/hw/net/rocker/rocker_of_dpa.c +++ b/hw/net/rocker/rocker_of_dpa.c 
@@ -2063,6 +2063,7 @@ static int of_dpa_cmd_add_l2_flood(OfDpa *of_dpa, OfD= paGroup *group, err_out: group->l2_flood.group_count =3D 0; g_free(group->l2_flood.group_ids); + group->l2_flood.group_ids =3D NULL; g_free(tlvs); =20 return err; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619980; cv=none; d=zohomail.com; s=zohoarc; b=H/1ZejDue+5N8pA8dn7RLa4OQuniQBKUSIp4c57m7RY5gonFua2eUQm37aOZnk7BZZaQhN26ggtlpvXSs0GWX8GnZ9UdqrDzjD02crw0Dz0RJo+SHgfNSjmMnUsu1Ca/JBzUFgGDEp93un20dGbV/i+XpDoAmR3jGvbg/PfxlpM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619980; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=P1N9WfesaFErU6b7pQd4LRdgZvhH8T9Y2O2DBh7zdAQ=; b=IfeO0u75fWunxiCzs0Y+oEp6zTmk7cxWJ2CrAZkrmiOUsq1c4BMg8YECXLBFdeSQDjffzKeHBX+D6l7gudTt3bgbpvifVGqrb6V6KpCOtcqPTFhltSa7y/6fHxQAC7VAeh7FuR+nXhw76ZJqsiGSJwpgiCE4UfBqs5/eW4T6xe0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619980215831.6217442260503; Tue, 12 May 2026 14:06:20 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuCp-0003DD-9x; Tue, 12 May 2026 16:59:55 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps 
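Review bot: At `err_out` the free and the reset are two separate statements, `g_free(group->l2_flood.group_ids);` followed by `group->l2_flood.group_ids = NULL;`, so a later edit can separate them again. GLib's `g_clear_pointer(&group->l2_flood.group_ids, g_free);` does both in one call and keeps the "allocated or NULL" invariant from the commit message in one place. According to the description the function also frees a previous array before allocating the new one. That site is outside this hunk, so it is worth confirming that no early exit between that free and the new assignment can leave the pointer stale.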
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBd-0002J6-9b; Tue, 12 May 2026 16:58:49 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBb-0004hg-31; Tue, 12 May 2026 16:58:41 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id DAA4A1AA2F4; Tue, 12 May 2026 23:54:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id E60683ABC65; Tue, 12 May 2026 23:54:39 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619275; bh=OLAauy1smyOkvWIcldltajH0DhAapC3fpOR51fDXTAU=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=bb6eGG6PUqJJRjAee4U62VzQdRWq/zkEfOl3l6UFVv9GxRPBIiOEcSphdyezS+g1a jXZ1mGShp21IReEkR9b4mj1pYUVx213snlXtSAGxhIa30tRGcGBBpgr7qjHuqcACh/ l7MyO/Fu5n2aZuTntOLF8UG41EUg7qXzxdA8M2PI+gM25hjfCueiXmM6xga5eq3Hzs 9cNl/FSGGrd+r7doeOVl/G9KuLRTZy6l4EBnUrBJ7P7AOIkexNbV2BNjHB6U6en95M t8szSH/Ge4VGZTAR1gYPl1QdaHeJWVLD7e1wC4VAm+E4rTa4NdZvuygWJC9KMHlvf4 UpHwXTGHpnDoA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.10 040/107] ui/vnc-jobs: fix VncRectEntry leak on job cleanup Date: Tue, 12 May 2026 23:53:27 +0300 Message-ID: <20260512205437.360850-40-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619983015154100 
From: Marc-Andr=C3=A9 Lureau When a VncJob is freed, its associated VncRectEntry list must also be freed. Previously, vnc_job_push() and the disconnected path in vnc_worker_thread_loop() called g_free(job) directly, leaking all VncRectEntry allocations. Introduce vnc_job_free() which iterates and frees the rectangle entries before freeing the job itself, and use it in both paths. Also add QLIST_REMOVE() in the worker loop before g_free(entry), so that entries processed during normal operation are properly unlinked. Without this, vnc_job_free() would iterate dangling pointers to already-freed entries, causing use-after-free. Fixes: bd023f953e5e ("vnc: threaded VNC server") Reviewed-by: Daniel P. Berrang=C3=A9 Signed-off-by: Marc-Andr=C3=A9 Lureau (cherry picked from commit 3cae0b46be5416b26039df5259ffc8fcf2989516) Signed-off-by: Michael Tokarev diff --git a/ui/vnc-jobs.c b/ui/vnc-jobs.c index d3486af9e2..dd811bf658 100644 --- a/ui/vnc-jobs.c +++ b/ui/vnc-jobs.c @@ -108,11 +108,25 @@ int vnc_job_add_rect(VncJob *job, int x, int y, int w= , int h) return 1; } =20 +static void vnc_job_free(VncJob *job) +{ + VncRectEntry *entry, *tmp; + + if (!job) { + return; + } + QLIST_FOREACH_SAFE(entry, &job->rectangles, next, tmp) { + /* no need for QLIST_REMOVE(entry, next) */ + g_free(entry); + } + g_free(job); +} + void vnc_job_push(VncJob *job) { vnc_lock_queue(queue); if (queue->exit || QLIST_EMPTY(&job->rectangles)) { - g_free(job); + vnc_job_free(job); } else { QTAILQ_INSERT_TAIL(&queue->jobs, job, next); qemu_cond_broadcast(&queue->cond); @@ -302,6 +316,7 @@ static int vnc_worker_thread_loop(VncJobQueue *queue) n_rectangles +=3D n; } } + QLIST_REMOVE(entry, next); g_free(entry); } trace_vnc_job_nrects(&vs, job, n_rectangles); 
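Review bot: The comment `/* no need for QLIST_REMOVE(entry, next) */` in vnc_job_free() gives the conclusion but not the reason. Something like `/* the job and its list head are freed right below, so entries need not be unlinked */` tells the next reader when that stops being true. The `if (!job)` guard cannot trigger from vnc_job_push(), which already dereferences `job->rectangles` in its condition before calling vnc_job_free(). Keep the guard only if NULL is meant to be part of the helper's contract, and say so in a one-line comment above the function.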
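Review bot: `QLIST_REMOVE(entry, next);` in vnc_worker_thread_loop() unlinks the node the enclosing loop is currently standing on. That is safe only if the loop is a `QLIST_FOREACH_SAFE` or otherwise saves the next pointer before the body runs, and the loop header is outside this hunk, so that should be confirmed. A one-line comment such as `/* unlink so vnc_job_free() never walks a freed entry */` would record why the removal is needed, since `g_free(entry)` alone looks sufficient when read in isolation. If the loop can be left early, the entries still linked at that point are the ones vnc_job_free() is expected to release.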
@@ -330,7 +345,7 @@ disconnected: QTAILQ_REMOVE(&queue->jobs, job, next); vnc_unlock_queue(queue); qemu_cond_broadcast(&queue->cond); - g_free(job); + vnc_job_free(job); vs.magic =3D 0; return 0; } --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619895; cv=none; d=zohomail.com; s=zohoarc; b=ZgTBCzW6xuO2VhASbMm93G3fCXttClQiSnSjStkyUjvCE+FlMAAxDQLUKhwnP7P/cf+lgxP4Dxj3SYvWCelnAgzmtIxM5bBEw5iTvPHGW9TEhW3+U+MRbPYR9OYnF6pdcO4dPOu+at5TXB2VcVvX9SO5zFIOTANm8PsoXZvvydQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619895; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=V3Y6F3UPrjtAZyVMua2bFRU7KVpVp/YrvQXmdAytMIs=; b=HmTPKzzy+JnUPFz6lWcgtKrTAcXEzjOOM4NRitfZd8kYwogPvOkkK48PfS8jlFZjcp8m6liFHqAXNwrIJkegzeWUNMb5znIaYhg7vQYkyuLRAwg+zMgfFFqJyQ8h2Chxt4lZikZlTzipRY9wlbuya+u0axAmLP6juFdDgpF45V4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619895745435.9452015977606; Tue, 12 May 2026 14:04:55 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuCq-0003O3-Dv; Tue, 12 May 2026 16:59:56 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) 
(envelope-from ) id 1wMuBj-0002Nh-PT; Tue, 12 May 2026 16:58:51 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBf-0004iV-0F; Tue, 12 May 2026 16:58:45 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id EA58B1AA2F5; Tue, 12 May 2026 23:54:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 025543ABC66; Tue, 12 May 2026 23:54:40 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619275; bh=x5mBKVMJZjq2GhMSm7vHo3lfE2ygnY2l74h1Qg6bN1U=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=Ep8FJPVtPPLRbR6CuOn2/zVURonoWT6iuXeUn7gRv7rBeTE/FlY/I9MbaSJrGF4Wg i9uzvJWkzfqvdUPwySBBlOaSJU7jptNWtV7vfZ9P6VpCtXjN41Zt+Bg79iFJGkElC/ Y4ZGFZOwxKjMnPTkoY5rNu1NIAo8zJSEHV/adohwfTQdqPEYhenKpB8dMaVAUWJKM6 Se+2EQtwMPkmY3jHu+QQC8WyDx8PmfUPF9u+02PQXu6QXpGMm/hh6TA2/33QgHfOvC AIazHlp4ilmrciPCwR2py+QstP5N/8rkePVWcxf/EBKt0aGnWcZ8tKEW6i7JkNqss0 rxHxeNZW3lCtw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Kevin Wolf , Tingting Mao , Michael Tokarev Subject: [Stable-10.0.10 041/107] ide: Fix potential assertion failure on VM stop for PIO read error Date: Tue, 12 May 2026 23:53:28 +0300 Message-ID: <20260512205437.360850-41-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619896781158500 Content-Type: text/plain; charset="utf-8" 
From: Kevin Wolf ide_sector_read() as well as its callers neglect to call ide_set_retry() before starting I/O. If the I/O fails, this means that the retry information is stale. In particular, ide_handle_rw_error() has an assertion that s->bus->retry_unit =3D=3D s->unit, which can fail if either there was no previous request or it came from another device on the bus. If the assertion weren't there, a wrong request would be retried after resuming the VM. Fix this by adding a ide_set_retry() call to ide_sector_read(). This affects only reads because ide_transfer_start() does call ide_set_retry(). For writes, the data transfer comes first and the I/O is only started when the data has been read into s->io_buffer, so by that time, ide_set_retry() has been called. For reads, however, the I/O comes first and only then the data is transferred to the guest, so the call in ide_transfer_start() is too late. Buglink: https://redhat.atlassian.net/browse/RHEL-153537 Reported-by: Tingting Mao Signed-off-by: Kevin Wolf Message-ID: <20260326165124.138593-1-kwolf@redhat.com> Signed-off-by: Kevin Wolf (cherry picked from commit 59c1d31136688415e5d682a87942292dbb3caaeb) Signed-off-by: Michael Tokarev diff --git a/hw/ide/core.c b/hw/ide/core.c index b14983ec54..9ca480f72e 100644 --- a/hw/ide/core.c +++ b/hw/ide/core.c 
@@ -799,6 +799,7 @@ static void ide_sector_read(IDEState *s) s->error =3D 0; /* not needed by IDE spec, but needed by Windows */ sector_num =3D ide_get_sector(s); n =3D s->nsector; + ide_set_retry(s); =20 if (n =3D=3D 0) { ide_transfer_stop(s); --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620155; cv=none; d=zohomail.com; s=zohoarc; b=gusR3nvFm/LdnfrPhQwyf+0gZcei/+LmwKYIgQcVAy4KM2+MCMz3sxL6qZbqf1zWrGbmiXnD/4nX28f+dmBxs5JOLQ9hgU+vlgHPGQQeJouvRK0XN1ZKpojQd/AVO6ndjiHWtBBkv9X2xcnS4dI2jiXPan9VRSQP0ltKDfnD+Nc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620155; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=m9P7hZNB3BmRNLoCguXotvBu10W8L3QVOxtQSB3Dv/g=; b=KscvOAJDEuMAb5xKl9H4mvpCHwe95q0QnZ1SK3ycW8qUIwZaXdyTtB0xGq1je2gItsGK77jSWRqOpXOSnaszDjG1so3FX8I7nPQVWHZS4k/rCv9EMM+LK8GkxxIVN6HikOgojGAf82EzPutu1RXoSQqvemgkusye3uwhQOw/e8A= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620155983461.39245463343093; Tue, 12 May 2026 14:09:15 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuCo-00037r-7p; Tue, 12 May 2026 16:59:54 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps 
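Review bot: The added `ide_set_retry(s);` in ide_sector_read() has no comment, and without the commit message it looks redundant with the call the description says ide_transfer_start() already makes. Suggest `/* Reads start I/O before ide_transfer_start(), so retry state must be recorded here */` above it. The call also runs before the `n == 0` branch, which only stops the transfer. That is presumably harmless, but placing it after that branch would tie it to the path that actually issues I/O. The rest of the function lies outside the hunk.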
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBj-0002Ng-PH; Tue, 12 May 2026 16:58:51 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBf-0004s4-2N; Tue, 12 May 2026 16:58:45 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 065D61AA2F6; Tue, 12 May 2026 23:54:36 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 115593ABC67; Tue, 12 May 2026 23:54:40 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619276; bh=YzvE8O4x9zZLxo+Ep6+0WXIyCOVdcNes7Y0xXI9gjLo=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=nKCa6AKlO8iyE9VS4iXZUsu2XzRblD2uDL1xEGf6mmbs8FQ3xfoaluVh0nzAmnhZc n6Mqe9Wm9z3u5UK3B/CjpJv3qhSH4jvhfsLSYPbvQfvpT5L+gYqokDQxNwzY6zDEpt 6TnjXIMP6vCtYJ+Ck3cIgmRkmBTaKY0vwsBZHyYy40+DPR0DEWZ/em+MXBcPEuRnf6 LG5WzYRRKFhBq11GGliUSqEmzX7WShhod0MzhovhBZwIaZty20bofKnsyfEokxsvWU wBWryylq9WLaqXj7/M0naXJqwjtyvnfgY7AFkZmujjgw86la46N7LmZQMcuF237100 /8j507UqdAq5g== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Kevin Wolf , Paolo Bonzini , Stefan Hajnoczi , Michael Tokarev Subject: [Stable-10.0.10 042/107] scsi: Don't consider LOGICAL UNIT NOT SUPPORTED guest recoverable Date: Tue, 12 May 2026 23:53:29 +0300 Message-ID: <20260512205437.360850-42-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620158026154100 Content-Type: text/plain; charset="utf-8" 
From: Kevin Wolf When commit bdf9613b introduced scsi_sense_buf_is_guest_recoverable(), it included LOGICAL UNIT NOT SUPPORTED in the list of guest recoverable sense codes. It doesn't really explain how the codes to be in the list were selected. As the LUN doesn't come from the guest, but from the block backend (usually the SCSI device on the host that was opened with host_device, but it could also be the iscsi block driver), there is really no way the guest could influence this. It seems that on some storage arrays, LOGICAL UNIT NOT SUPPORTED can happen during failover operations. When combined with multipath, the request should be retried on another path instead of being reported to the guest, which would offline the filesystem in response. Simply returning false in scsi_sense_buf_is_guest_recoverable() will enable the retry logic in file-posix, and will also make sure that if the error persists, the configured error policy is respected so that the VM can be stopped. Buglink: https://redhat.atlassian.net/browse/RHEL-158212 Fixes: bdf9613b7f87 ('scsi: explicitly list guest-recoverable sense codes') Signed-off-by: Kevin Wolf Message-ID: <20260330121635.49205-1-kwolf@redhat.com> Reviewed-by: Paolo Bonzini Reviewed-by: Stefan Hajnoczi Signed-off-by: Kevin Wolf (cherry picked from commit ccc613f96c66eb5401185ff6eeba18143892055d) Signed-off-by: Michael Tokarev diff --git a/scsi/utils.c b/scsi/utils.c index 357b036671..7533b25af1 100644 --- a/scsi/utils.c +++ b/scsi/utils.c 
@@ -373,7 +373,6 @@ static bool scsi_sense_is_guest_recoverable(int key, in= t asc, int ascq) case 0x1a00: /* PARAMETER LIST LENGTH ERROR */ case 0x2000: /* INVALID OPERATION CODE */ case 0x2400: /* INVALID FIELD IN CDB */ - case 0x2500: /* LOGICAL UNIT NOT SUPPORTED */ case 0x2600: /* INVALID FIELD IN PARAMETER LIST */ =20 case 0x2104: /* UNALIGNED WRITE COMMAND */ --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619763; cv=none; d=zohomail.com; s=zohoarc; b=KNkAWiOye1HCSItwC5cArH9l4uuFN1u5BKdGoiEMA/zKv12XwBJFIbvvjD0Jdkcnok84E9bysZaJxuJwHCd7FlcM9//OoDirigPJm3Iqc3rInM2Kbg5W5MCwTyXa8E37vPY6/y15cgbjMArEKN9mTsoIh9Tyr9k44sGHhmuyzDc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619763; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=p1pQhZO4pbUQnMf0HJ1VGKKwKZ6Y8Z0eQMUytLegjEs=; b=GctP/0Y+bJ6OZBRHuxACdMcbfrTYyO757MNHKSvasOghAKp8ZVyrdpSIIENq5n63zuiRL+/ssCZfSnJqq6ZMUECZl+3bqQBFFTHZojyLcutujTks+t8oG9uS5FoQemOVWgTg4+gskCpEx0hD7EadsycSdOoFmk7YWS0WUOnloxs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619763932809.5909491090358; Tue, 12 May 2026 14:02:43 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuCu-0003ik-Mc; Tue, 
12 May 2026 17:00:01 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBm-0002Nr-UF; Tue, 12 May 2026 16:58:51 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBl-0004t3-6s; Tue, 12 May 2026 16:58:50 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 179A01AA2F7; Tue, 12 May 2026 23:54:36 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 21C7E3ABC68; Tue, 12 May 2026 23:54:40 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619276; bh=gjFyd651RWy0F6xlDfP/SdobmZuQcY+OKU1rjZMzzV0=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=xoxL5U5/a/Tz/jx32ZOmvlAtlvb/FFbqilP6fXLkpCeEJTGkNusCa9BxKeeeZ6TBt 14cmyhHsriaRY8fQTI5mRYfynutwwK/orsWE73HZTgm7BpVfcz92xnBxEg1QHj4UmJ +lqvebyEPvR6ZNqitm9PTN/oSCthOqj1T96LHUHk1ik5HB6jroTSCIg+G/BlexCLYd b1HV62vr31p7WXw3y83eJt1EGZYUbGxQBK5bJGBRInOGUphfP1QdmiWKKLDcJl/7zW fKd4CEN/Z4r11z9HOws+gnzpH8Aeoal1LheVzT8nYIxgFYitxTw37ABEtZw6RVOpHg dBTwRGT1mXJsw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, hongmianquan , Kevin Wolf , "wubo.bob" , Markus Armbruster , Michael Tokarev Subject: [Stable-10.0.10 043/107] monitor: Fix deadlock in monitor_cleanup Date: Tue, 12 May 2026 23:53:30 +0300 Message-ID: <20260512205437.360850-43-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619767257158500 Content-Type: text/plain; charset="utf-8" 
From: hongmianquan During qemu_cleanup, if a non-coroutine QMP command (e.g., query-commands) is concurrently received and processed by the mon_iothread, it can lead to a deadlock in monitor_cleanup. The root cause is a race condition between the main thread's shutdown sequence and the coroutine's dispatching mechanism. When handling a non-coroutine QMP command, qmp_dispatcher_co schedules the actual command execution as a bottom half in iohandler_ctx and then yields. At this suspended point, qmp_dispatcher_co_busy remains true. Subsequently, the main thread in monitor_cleanup(), sets qmp_dispatcher_co_shutdown, and calls qmp_dispatcher_co_wake(). Since qmp_dispatcher_co_busy is already true, the aio_co_wake is skipped. The main thread then enters the AIO_WAIT_WHILE_UNLOCKED loop, it executes the scheduled BH (do_qmp_dispatch_bh) via aio_poll(iohandler_ctx, false), which attempts to wake up the coroutine, aio_co_wake schedules a new wake-up BH in iohandler_ctx. The main thread then blocks indefinitely in aio_poll(qemu_aio_context, true), while the coroutine's wake-up BH is starved in iohandler_ctx, qmp_dispatcher_co never reaches termination, resulting in a deadlock. The execution sequence is illustrated below: IO Thread Main Thread (qemu_aio_context) qmp_dispat= cher_co (iohandler_ctx) | | = | |-- query-commands | = | |-- qmp_dispatcher_co_wake() | = | | (sets busy =3D true) | = | | | <-- Wakes up in iohandler_ctx -->= | | | = |-- qmp_dispatch() | | = |-- Schedules BH (do_qmp_dispatch_bh) | | = |-- qemu_coroutine_yield() | | = [State: Suspended, busy=3Dtrue] | [ quit triggered ] | | |-- monitor_cleanup() | |-- qmp_dispatcher_co_shutdown =3D tr= ue | |-- qmp_dispatcher_co_wake() | | -> Checks busy flag. It's TRUE! | | -> Skips aio_co_wake(). 
| | | |-- AIO_WAIT_WHILE_UNLOCKED: | | |-- aio_poll(iohandler_ctx, false) | | | -> Executes do_qmp_dispatch_= bh | | | -> Schedules 'co_schedule_bh= ' in iohandler_ctx | | | | | |-- aio_poll(qemu_aio_context, tr= ue) | | | -> Blocks indefinitely! (Dea= dlock) | | | X (Main thread sleeping) = X (Waiting for next iohandler_ctx poll) To fix this, we add an explicit aio_wait_kick() in do_qmp_dispatch_bh() to break the main loop out of its blocking poll, allowing it to evaluate the loop condition and poll iohandler_ctx. Suggested-by: Kevin Wolf Signed-off-by: hongmianquan Signed-off-by: wubo.bob Message-ID: <20260327131024.51947-1-hongmianquan@bytedance.com> Acked-by: Markus Armbruster Reviewed-by: Kevin Wolf Signed-off-by: Kevin Wolf (cherry picked from commit fc1a2ec7da531223b3473185dc2584f8a7c6c659) Signed-off-by: Michael Tokarev diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c index e569224eae..50eae4f082 100644 --- a/qapi/qmp-dispatch.c +++ b/qapi/qmp-dispatch.c 
@@ -128,6 +128,16 @@ static void do_qmp_dispatch_bh(void *opaque) data->cmd->fn(data->args, data->ret, data->errp); monitor_set_cur(qemu_coroutine_self(), NULL); aio_co_wake(data->co); + + /* + * If the QMP dispatcher coroutine is waiting to be scheduled + * in iohandler_ctx, we must kick the main loop. This ensures + * that AIO_WAIT_WHILE_UNLOCKED() in monitor_cleanup() doesn't + * block indefinitely waiting for an event in qemu_aio_context, + * but actually gets the chance to poll iohandler_ctx and resume + * the coroutine. + */ + aio_wait_kick(); } =20 /* --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620039; cv=none; d=zohomail.com; s=zohoarc; b=eZhCelAdGtjs9SqsorftYwWTYHvziVB4hz4mBr8tpcLPRHyHJob6v7tWYYaHRkp30qakJk+JtUIfYc2yt/4B7EBx/h18NN8inEKATmSJlq5GjmsjWILloRC9Qe35ouA4NB4T2LLw/1JYsufj2FlacplpMLFW2fNRklyqoqms70E= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620039; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=7VHS2D6LkhqOg0s0eN+EpKlq2guV1W1oA429hkkb6/w=; b=iaRPWdJoFrOPgCckAi82A/3SDKSxYK6GwcqGMnNMW09HFc+HwWhuj6Xwpi1G66J9pzWFFWNRvrEU0dBo295tKXnwIeF0/powAiz3otQNAwVYMIS6vt23PFPDQJezjjQpNTYJ/2Uc5CbgUVgGSAbQ/dTWqlb01OdFyT9ITlSJZOs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 
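Review bot: The `aio_wait_kick()` call added at the end of do_qmp_dispatch_bh() gives qapi/qmp-dispatch.c a new link-time dependency on util/aio-wait.c, and this patch does not touch the build files. The next message in the series (044/107) reports the resulting `undefined reference to aio_wait_kick` for a guest-agent-only configuration and fixes it by moving `util_ss.add(files('aio-wait.c'))` under `if have_block or have_ga`. Carrying that one-line meson change in this commit, or ordering it first, would keep every commit on the stable branch buildable when bisecting. The comment also opens with "If the QMP dispatcher coroutine is waiting…" while the call is unconditional, so it could say that the kick is always issued. do_qmp_dispatch_bh() starts outside the hunk.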
1778620039114395.7880614006127; Tue, 12 May 2026 14:07:19 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuCr-0003Vp-8g; Tue, 12 May 2026 16:59:57 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBm-0002Nq-TU; Tue, 12 May 2026 16:58:51 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuBl-0004t4-6w; Tue, 12 May 2026 16:58:50 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 24DE61AA2F8; Tue, 12 May 2026 23:54:36 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 32E913ABC69; Tue, 12 May 2026 23:54:40 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619276; bh=sHoIBRPTuAcrkSlVDY9jAqJpgsRsIidUwG8UYfWBmdk=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=RyD0/xAZBgw1Famd9ptljuWIgAJIwS8lVRqehhK4cmEUECG/4SzLcKz+n7nX89Kx2 VMdw35//fmjvrCSC1vqIYjc+BbjJHEkR+qgIwfr0INIV/HZiJgKe4ADRg2UGAdetpn 81gjP7KZD4+QEPLvKGhxAfdctZyyVq290f6V61cnDoHs+dXuTn50xJ8ZbXQ6JV5oli Fuq8IEf7twDQkRoUBSt2VSGJCiGEbp3lRQojS8Ai7EWpDUySxgwosi27pS8OZngf3w MEKSEuc4llCiAMq1R222IIWuAb0Bw1EXb27/LclSmEyevBMLDXRIeo5JX7/VR3T6nL XgbE2g0tvOosg== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.10 044/107] util: fix missing aio_wait sym in qemu guest agent only build Date: Tue, 12 May 2026 23:53:31 +0300 Message-ID: <20260512205437.360850-44-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620039943154100 From: Daniel P. Berrang=C3=A9 Configure QEMU with --disable-system --disable-user --disable-tools --enable-guest-agent and the build with fail with FAILED: [code=3D1] qga/qemu-ga ld: libqemuutil.a.p/qapi_qmp-dispatch.c.o: in function `do_qmp_dispatch_b= h': qapi/qmp-dispatch.c:140:(.text+0x5c): undefined reference to `aio_wait_ki= ck' This aio_kick() usage was recently introduced in qmp-dispatch.c without updating the build logic. Fixes commit fc1a2ec7da531223b3473185dc2584f8a7c6c659 
Signed-off-by: Daniel P. Berrang=C3=A9 Cc: qemu-stable@nongnu.org Reviewed-by: Michael Tokarev Signed-off-by: Michael Tokarev (cherry picked from commit 17fbf3e18c3dbc32ec07cfc24853d6654a813e90) Fixes: a229ea19c7bf "monitor: Fix deadlock in monitor_cleanup" in 10.0.x Signed-off-by: Michael Tokarev diff --git a/util/meson.build b/util/meson.build index 780b5977a8..595d13543c 100644 --- a/util/meson.build +++ b/util/meson.build @@ -79,6 +79,7 @@ endif =20 if have_block or have_ga util_ss.add(files('aiocb.c', 'async.c')) + util_ss.add(files('aio-wait.c')) util_ss.add(files('base64.c')) util_ss.add(files('main-loop.c')) util_ss.add(files('qemu-coroutine.c', 'qemu-coroutine-lock.c', 'qemu-cor= outine-io.c')) 
@@ -89,7 +90,6 @@ if have_block or have_ga or have_user util_ss.add(files('qemu-sockets.c')) endif if have_block - util_ss.add(files('aio-wait.c')) util_ss.add(files('buffer.c')) util_ss.add(files('bufferiszero.c')) util_ss.add(files('hbitmap.c')) --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619936; cv=none; d=zohomail.com; s=zohoarc; b=DGasYmxSYCHv66ea7wR+evX7TXGJFNGdApNNIJzlmaVE75stCXeP5wE2CYx6j7Za2jjCHuEj4oE6NWJxQb0duckbE4K5Yc4DRXJO0s32N/T3b9/BJlzVwqqQVVnYX96lmBaStjynvjKcPk+NeqDlOpmWF2rCU0pVmza72TSfoNY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619936; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=enPrpLCtqh4IgN/Bxk9mZFCYFDFAL6Hh7XGPNEyiMsU=; b=Y/k3mVWbvInNV8PITfne+XJ2BSSZJL0TYIc8l6TQsPtQ02b+MibpENAeSKO8ulpUf6HXov3aO5uLl4FRBVm/GmRKGm6IBdxm4hPxgcjrsODADqZbpZL2QFo0B1oyW8MRUD+v6uMRJw3r1uxuoXZDrarQxE4G8KkHSDOoMY3E0oY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619936081663.350870962345; Tue, 12 May 2026 14:05:36 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuD7-0004lO-TI; Tue, 12 May 2026 17:00:14 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps 
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCG-0002dl-9k; Tue, 12 May 2026 16:59:21 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuC8-0004u0-KD; Tue, 12 May 2026 16:59:16 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 32FFD1AA2F9; Tue, 12 May 2026 23:54:36 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 3F5C73ABC6A; Tue, 12 May 2026 23:54:40 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619276; bh=spMSY34vA7lTKqGmhvsZ7COBnm2jw9smcsjabY4pbwQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=w90I72TY2Ydd+Noxil8q0NZBNdBnbqkhw3Git17yVZrdy/Y1vq7wTZXJ1K28Uamoe bwvy9aZ7QC+fa9uvtg1HTSWNbkEyoUn1t1C3ILOxUVeT3UQkT71ble0WdkYgonH8c9 z/LkEFvqfjeGj9tgGRmh4ILMy1hcPsgvSZG32CYhYDKIDI1hlZbDHnywGxiu8+t/GS 9T+tyb+43kq6jl+ZkT53FqlnitUOXX4AXZqnEmWtTgI4yrfdXRJMc6UTT7tSW2mjtb z4rLMO0a7DlcJtnV17wzNc0maitAeE/NbZEkzYX8p62ivi55/4leWiKwUzQgKFxDL7 tMONtiqqp9lGQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Clayton Craft , Helge Deller , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.10 045/107] linux-user: fix name_to_handle_at when AT_HANDLE_MNT_ID_UNIQUE flag is set Date: Tue, 12 May 2026 23:53:32 +0300 Message-ID: <20260512205437.360850-45-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619937125158500 Content-Type: text/plain; charset="utf-8" From: Clayton Craft Linux 6.12 added AT_HANDLE_MNT_ID_UNIQUE, which indicates that mount_id is 64-bits. If name_to_handle_at is called with this flag set then qemu passes a 4 byte int to the kernel, which then tries to store 8 bytes in a 4 byte variable, causing a SIGSEGV[1][2]. This stores mount_id in a 64-bit var if the flag is set. 1. https://gitlab.postmarketos.org/postmarketOS/pmaports/-/work_items/4431 2. https://github.com/systemd/systemd/issues/41279 
Signed-off-by: Clayton Craft Reviewed-by: Helge Deller Message-id: 20260325-fix-name-to-handle-at-v1-1-49fb922e6fd3@craftyguy.net Signed-off-by: Peter Maydell (cherry picked from commit 22966937f4130278259a79d6462d1a0887e22c6e) Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index e6dd35d2a1..3f61dd732c 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -8040,6 +8040,9 @@ static int do_futex(CPUState *cpu, bool time64, targe= t_ulong uaddr, #endif =20 #if defined(TARGET_NR_name_to_handle_at) && defined(CONFIG_OPEN_BY_HANDLE) +#ifndef AT_HANDLE_MNT_ID_UNIQUE +#define AT_HANDLE_MNT_ID_UNIQUE 0x001 +#endif static abi_long do_name_to_handle_at(abi_long dirfd, abi_long pathname, abi_long handle, abi_long mount_id, abi_long flags) @@ -8047,6 +8050,7 @@ static abi_long do_name_to_handle_at(abi_long dirfd, = abi_long pathname, struct file_handle *target_fh; struct file_handle *fh; int mid =3D 0; + uint64_t mid64 =3D 0; abi_long ret; char *name; unsigned int size, total_size; @@ -8070,7 +8074,12 @@ static abi_long do_name_to_handle_at(abi_long dirfd,= abi_long pathname, fh =3D g_malloc0(total_size); fh->handle_bytes =3D size; =20 - ret =3D get_errno(name_to_handle_at(dirfd, path(name), fh, &mid, flags= )); + if (flags & AT_HANDLE_MNT_ID_UNIQUE) { + ret =3D get_errno(name_to_handle_at(dirfd, path(name), fh, + (int *)&mid64, flags)); + } else { + ret =3D get_errno(name_to_handle_at(dirfd, path(name), fh, &mid, f= lags)); + } unlock_user(name, pathname, 0); =20 /* man name_to_handle_at(2): 
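Review bot: The `(int *)&mid64` cast in the new `AT_HANDLE_MNT_ID_UNIQUE` branch of do_name_to_handle_at() is the one place where the size of the object handed to the host kernel must match a flag that arrives as a syscall argument, and nothing at the call site says so. A short comment would keep a later cleanup from folding the two calls back into `&mid`, which per the commit message lets the kernel store 8 bytes into a 4-byte variable: `/* With AT_HANDLE_MNT_ID_UNIQUE the kernel stores a 64-bit mount ID through this pointer; the libc prototype still takes int *. */`. The same pairing of flag and width recurs at the `put_user_u64()` / `put_user_s32()` write-back in the last hunk, so the comment could mention that the two must stay in step. The function body starts and ends outside these hunks.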
@@ -8084,8 +8093,14 @@ static abi_long do_name_to_handle_at(abi_long dirfd,= abi_long pathname, g_free(fh); unlock_user(target_fh, handle, total_size); =20 - if (put_user_s32(mid, mount_id)) { - return -TARGET_EFAULT; + if (flags & AT_HANDLE_MNT_ID_UNIQUE) { + if (put_user_u64(mid64, mount_id)) { + return -TARGET_EFAULT; + } + } else { + if (put_user_s32(mid, mount_id)) { + return -TARGET_EFAULT; + } } =20 return ret; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619623; cv=none; d=zohomail.com; s=zohoarc; b=AzkbwZwfVNglPasUC0NA+JzlV6v0zogQBpttTOtz81efPv+TAmTKPYu88w1mr1Qm2mS9D72xFIv1qtCA5+MmyTMlWk0KeWI4OnGBa8D4/kFlu5JQIvtpSt/xvf4ZoejH204jSK+5LQ8wk/wZuF9RBRHteuQnKGqK2hBsh8GdBJc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619623; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=F9qgvIDS7yIS/IGXQ6XGWbu/9nyvGmPgpAgyDcdIdTo=; b=bs6/urH4QHaxAyc1tdlac88JRjXf5+v/hL4YCNmsMzfaE+mXZ2ruVNZp6Kh5mZ1b6PASElXlJSQcLfGsknvfVGcG/4dvkxBqQLyAOJLJinpQh16BtcaWBzuYAj+8wFpVqMwpbvErEDb4u47wUv17DCnAd3UDcXXqXSOBBuEY+hc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619623367515.1409566134275; Tue, 12 May 2026 14:00:23 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp 
(Exim 4.90_1) (envelope-from ) id 1wMuD9-0004pq-92; Tue, 12 May 2026 17:00:15 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCF-0002dT-Ac; Tue, 12 May 2026 16:59:21 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuC8-0004u1-KE; Tue, 12 May 2026 16:59:15 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 400DF1AA2FA; Tue, 12 May 2026 23:54:36 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 4D9DC3ABC6B; Tue, 12 May 2026 23:54:40 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619276; bh=4szf9KeFaSpwBZSdaC/N9VtSabWOEteAg35uAYTXR3A=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=M15e3Dd9/AIOOJpIk6clOArH0vmpJ0i6DEfgw4wbB5Y5LmM/lvdeTcVeKA9+8lT2J 8JsWCfh2muU1Edlf4kX5lNl+5AciTg45W2MDRKMKsJzQil0bhNdM6TYC8GaL5kalh/ JD788PyIHO0dyzW2Zzrzy7dEjh2ZsGXihsZYb9pbUkQ+6yB7xrY119Y4S1/OXoXznY aXGuYU2QJq6Dz1F0k1ZWSeA8lbzH8kqcTZzMtPhLgmG5azeiZxDdXfDe5YDypoeGuE DSv3n2qwuLJg9TBzy34oDJG4KYTyJ1zAo2QlMoDcO4EM4rUKlnRGgGDaRQueQCGVLB v4iMCkIVvJjXQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Sun Haoyu , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.10 046/107] linux-user: update select timeout writeback Date: Tue, 12 May 2026 23:53:33 +0300 Message-ID: <20260512205437.360850-46-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619625323154100 Content-Type: text/plain; charset="utf-8" 
From: Sun Haoyu The Linux kernel writes back the remaining timeout for select-family syscalls in poll_select_finish(). If that writeback fails, it keeps the original return value. However, QEMU only writes back the timeout on success. If the writeback fails, QEMU returns -TARGET_EFAULT. This can lose the remaining timeout and change the return value. Update do_select(), do_pselect6(), and do_ppoll() to always write back the timeout to match the Linux kernel's behavior. If the timeout writeback fails, keep the original return value. Tested with the issue reproducer. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3343 Signed-off-by: Sun Haoyu Reviewed-by: Peter Maydell Message-id: 20260320111647.138984-1-shyliuli@aosc.io Signed-off-by: Peter Maydell (cherry picked from commit 9b7d64686b82bb70315cc60e5630c70e27eef832) Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 3f61dd732c..44675076ca 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -1388,14 +1388,15 @@ static abi_long do_select(int n, return -TARGET_EFAULT; if (efd_addr && copy_to_user_fdset(efd_addr, &efds, n)) return -TARGET_EFAULT; - - if (target_tv_addr) { - tv.tv_sec =3D ts.tv_sec; - tv.tv_usec =3D ts.tv_nsec / 1000; - if (copy_to_user_timeval(target_tv_addr, &tv)) { - return -TARGET_EFAULT; - } - } + } + if (target_tv_addr) { + tv.tv_sec =3D ts.tv_sec; + tv.tv_usec =3D ts.tv_nsec / 1000; + /* + * Like the kernel, we deliberately ignore possible + * failures writing back to the timeout struct. + */ + copy_to_user_timeval(target_tv_addr, &tv); } =20 return ret; 
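Review bot: The early `return -TARGET_EFAULT` statements for the fd_set copy-out in do_select() still leave the function before the relocated `if (target_tv_addr)` block, so on that path the timeout is not written back although the commit message aims for "always". If matching the kernel is the goal, those failures could set `ret = -TARGET_EFAULT;` and fall through to the write-back instead of returning. Whether the kernel updates the timeout after a failed fd_set copy should be confirmed against its select implementation first. The do_pselect6() hunk has the same shape around `copy_to_user_fdset(efd_addr, &efds, n)`. Both functions start outside their hunks.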
@@ -1523,14 +1524,16 @@ static abi_long do_pselect6(abi_long arg1, abi_long= arg2, abi_long arg3, if (efd_addr && copy_to_user_fdset(efd_addr, &efds, n)) { return -TARGET_EFAULT; } + } + if (ts_addr) { + /* + * Like the kernel, we deliberately ignore possible + * failures writing back to the timeout struct. + */ if (time64) { - if (ts_addr && host_to_target_timespec64(ts_addr, &ts)) { - return -TARGET_EFAULT; - } + host_to_target_timespec64(ts_addr, &ts); } else { - if (ts_addr && host_to_target_timespec(ts_addr, &ts)) { - return -TARGET_EFAULT; - } + host_to_target_timespec(ts_addr, &ts); } } return ret; 
@@ -1600,15 +1603,15 @@ static abi_long do_ppoll(abi_long arg1, abi_long ar= g2, abi_long arg3, if (set) { finish_sigsuspend_mask(ret); } - if (!is_error(ret) && arg3) { + if (arg3) { + /* + * Like the kernel, we deliberately ignore possible + * failures writing back to the timeout struct. + */ if (time64) { - if (host_to_target_timespec64(arg3, timeout_ts)) { - return -TARGET_EFAULT; - } + host_to_target_timespec64(arg3, timeout_ts); } else { - if (host_to_target_timespec(arg3, timeout_ts)) { - return -TARGET_EFAULT; - } + host_to_target_timespec(arg3, timeout_ts); } } } else { --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619738; cv=none; d=zohomail.com; s=zohoarc; b=igXclC2ReTvzpZjvN0LdfQ+A8lWUJ2HV3p2M9bbz4SRD0Ih/CjEIX65vr++ah5ZRQ8p8DjSzkrKvfWjigGs0DCr69rZxvqK+71ojq8LlWDARL7DwjlQonjSIa81Xo0sJzwOBjTVvXI6n+9kx2wZoCOXTar/CjAggn1z575iZIVU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619738; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=EQ80EdhrQ+5/bj6cLOPEYy3v/Hd1YOGRzH1AwEv1Sls=; b=oFrjYfxUO21d6x8nnxI20WgOlDcoAJYJhThzO8CLyhAMc1ak71RjmY4kL7tJZzzV28xrUK4CUpoZNuHvw/+T80pfmuufOkKiguWchaICquALFwTtZEgYn4p9UmmV/q/RnUPTQ+qgHL87hyEc/KWASgMSswLndhImOk1g4jA+vjQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with 
SMTPS id 1778619738837639.521435583003; Tue, 12 May 2026 14:02:18 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuDE-0005AT-Jq; Tue, 12 May 2026 17:00:20 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCL-0002jN-2G; Tue, 12 May 2026 16:59:27 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCI-00059I-16; Tue, 12 May 2026 16:59:24 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 4D0141AA2FB; Tue, 12 May 2026 23:54:36 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 5A2D23ABC6C; Tue, 12 May 2026 23:54:40 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619276; bh=VFlagQokGgpz+0rC+O44k+NQdOhi3YbBOoMVcjIcjZ4=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=DVckJj4c2oMmOMw2BkLYrHPgxwZSPe+cxsuN2m8QE++vZ+Iu2uUqEODlvWCL81M7N EqEQmwXW77dcD70FFxTUiLACqFLrcf+9vHV9+drTJef96MsJ1bdrsqw9qzGy8BiQNq 36pjRgBaD3s9maYOBafALQlMf1vH+/dqPsbIIP+TYv/FBvHPFZnKWNjo43wXs9qsSR aOG5OTS6oiiaTBxOTi/r5S5rvGoiyo0fUdrRiLgzZnMle9lYabzmLRlF20cxuhHOqS 3gzhN/ox9JItZOUu8Qz7Id9hipL9ipn1PE0TkyCMEsV5TUeWK2KwHlSShzqjtC1HFj NiF7WFy3pKE8g== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Sun Haoyu , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.10 047/107] linux-user: Make openat2() use -L for absolute paths Date: Tue, 12 May 2026 23:53:34 +0300 Message-ID: <20260512205437.360850-47-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619740886158500 Content-Type: text/plain; charset="utf-8" From: Sun Haoyu openat2() ignored the -L prefix and opened host files directly. For example, openat2("/tmp/file") opened /tmp/file on the host, not QEMU_LD_PREFIX/tmp/file like openat() does. Fix this by using path() to rewrite absolute paths. Skip this when RESOLVE_BENEATH or RESOLVE_IN_ROOT is set: - RESOLVE_BENEATH rejects absolute paths anyway - RESOLVE_IN_ROOT resolves relative to dirfd Now openat() and openat2() work in the same way. Link: https://gitlab.com/qemu-project/qemu/-/work_items/3341 
Signed-off-by: Sun Haoyu Reviewed-by: Peter Maydell Message-id: 20260317053827.25051-1-shyliuli@aosc.io Signed-off-by: Peter Maydell (cherry picked from commit fa6dfcc373c244a767be04d236e0cdd075b80e69) Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 44675076ca..f2c8037356 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -8723,7 +8723,16 @@ static int do_openat2(CPUArchState *cpu_env, abi_lon= g dirfd, if (fd > -2) { ret =3D get_errno(fd); } else { - ret =3D get_errno(safe_openat2(dirfd, pathname, &how, + const char *host_pathname =3D pathname; + if (pathname[0] =3D=3D '/' && + !(how.resolve & (RESOLVE_IN_ROOT | RESOLVE_BENEATH))) { + /* + * RESOLVE_BENEATH rejects absolute paths; RESOLVE_IN_ROOT + * resolves them relative to dirfd. + */ + host_pathname =3D path(pathname); + } + ret =3D get_errno(safe_openat2(dirfd, host_pathname, &how, sizeof(struct open_how_ver0))); } =20 diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h index 5d22759992..b5a2ad3b2d 100644 --- a/linux-user/syscall_defs.h +++ b/linux-user/syscall_defs.h 
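Review bot: The new comment in do_openat2() explains why `RESOLVE_BENEATH` and `RESOLVE_IN_ROOT` skip the rewrite but says nothing about the remaining resolve flags, which after `host_pathname = path(pathname)` are applied by the host kernel to the rewritten path, -L prefix components included. With `RESOLVE_NO_SYMLINKS` (defined just above the new constants in syscall_defs.h), a symlink anywhere in the prefix would presumably make the call fail in a way the guest cannot explain from its own view of the path. I would extend the comment with something like `/* Other RESOLVE_* flags also apply to the -L prefix components of the rewritten path. */`. If path() falls back to the host path when the name is absent under the prefix (not visible here), the comment should also say that this is a compatibility mapping matching openat(), not confinement. do_openat2() starts and ends outside the hunk.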
@@ -2771,7 +2771,12 @@ struct target_open_how_ver0 { #ifndef RESOLVE_NO_SYMLINKS #define RESOLVE_NO_SYMLINKS 0x04 #endif - +#ifndef RESOLVE_BENEATH +#define RESOLVE_BENEATH 0x08 +#endif +#ifndef RESOLVE_IN_ROOT +#define RESOLVE_IN_ROOT 0x10 +#endif #if (defined(TARGET_I386) && defined(TARGET_ABI32)) || \ (defined(TARGET_ARM) && defined(TARGET_ABI32)) || \ defined(TARGET_M68K) || defined(TARGET_MICROBLAZE) || \ --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619993; cv=none; d=zohomail.com; s=zohoarc; b=eNpZ6G6VSQFCP0FgrM84AtSAQWemO3trKkbG6n6w724HBT4xWqfdVcTVEYFQYXJm2zCHu2YfwGxVtnS7XMwA0KkhpqqlP/wFQPwgFLxp0kegmWfGt4gxa30EJMYXp5btQl2IrhBHtFF3Mu9QDMpwJ5JWwwHXJrLDXD6p9Dye1A0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619993; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=Wi3ZsaGRM+MajP5PuQU4OK/0j6A23NaJLrmH5Vw66Og=; b=e1/uub6Q8wvLMWSbpIT3JYufaLIJO9IjJfHVzrKBHQXfuPJWnXs1IW7jM7jckYQVpX3LlCZaS0BMDB28vKjQ4alPhxfWYgx4lgIQ88ZsUtfhA95FMJam3SRGQv/zqYgNvjW4euA4PXuGQGPezI0+NXAm+lJGJZq9AUEfn2J23ng= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619993256117.82161979569753; Tue, 12 May 2026 14:06:33 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 
4.90_1) (envelope-from ) id 1wMuCp-0003CV-9l; Tue, 12 May 2026 16:59:55 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCJ-0002hT-VR; Tue, 12 May 2026 16:59:25 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCI-00059i-0p; Tue, 12 May 2026 16:59:23 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 5DD701AA2FC; Tue, 12 May 2026 23:54:36 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 688AF3ABC6D; Tue, 12 May 2026 23:54:40 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619276; bh=A3sWdzEE88fX84vpZI5a8Y4+pzypFbeon9w/rRqmL50=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=im6n1rpnCLezZ5GxcLZyV+IF+PdV4igDMLcZsTzqUvq/aYezgNBm7ggBXY1Dsg80f wUu91x5NbE8Va4js1Yk+NbZHQHx1wBKJ/iFDxLuqiR+ZMMmyAQwrO3dGKMkPZv2z9e 2wlIUF5gPj4l27DSeF5h1X+fBLuTeCHnw1xSXoUGb+DaHyDak9E8qgWpRFTAn1kPiy 173BghCS6ZHSN2BogKQ07qTbysjE7poR6lKhVBCGfi7W3DSwNAKsZpSCqYNU8hwidR s+3+dar9bqxGx1WCFY0/eT9Ur8AcvZrckk7nrsMb+VNLRyaektp5vU5AENoE4tZXvb TCdDBFloy0HeQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Nicholas Piggin , Warner Losh , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.10 048/107] bsd-user, linux-user: signal: recursive signal delivery fix Date: Tue, 12 May 2026 23:53:35 +0300 Message-ID: <20260512205437.360850-48-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619993685158500 Content-Type: text/plain; charset="utf-8" From: Nicholas Piggin Synchronous signals must accommodate a synchronous signal being raised during delivery, as asynchronous ones do. For example badframe errors during delivery will cause SIGSEGV to be raised. Without this fix, cpu_loop() runs process_pending_signals() which delivers the first synchronous signal (e.g., SIGILL) which fails to set the handler and forces SIGSEGV, but that is not picked up. process_pending_signals() returns. Then cpu_loop() runs cpu_exec() again, which attempts to execute the same instruction, another SIGILL. 
Signed-off-by: Nicholas Piggin Reviewed-by: Warner Losh Reviewed-by: Peter Maydell Message-id: 20260321135624.581398-3-npiggin@gmail.com Signed-off-by: Peter Maydell (cherry picked from commit 7e966ef38f58f91e05a46fdfda4ba63a9a1567d6) Signed-off-by: Michael Tokarev diff --git a/bsd-user/signal.c b/bsd-user/signal.c index a8cfcca130..1c73f03d80 100644 --- a/bsd-user/signal.c +++ b/bsd-user/signal.c @@ -999,7 +999,12 @@ void process_pending_signals(CPUArchState *env) sigdelset(&ts->signal_mask, target_to_host_signal(sig)); sigact_table[sig - 1]._sa_handler =3D TARGET_SIG_DFL; } + /* + * Restart scan from the beginning, as handle_pending_signal + * might have resulted in a new synchronous signal (eg SIGSEGV= ). + */ handle_pending_signal(env, sig, &ts->sync_signal); + goto restart_scan; } =20 k =3D ts->sigtab; @@ -1009,10 +1014,7 @@ void process_pending_signals(CPUArchState *env) if (k->pending && !sigismember(blocked_set, target_to_host_signal(sig))) { handle_pending_signal(env, sig, k); - /* - * Restart scan from the beginning, as handle_pending_sign= al - * might have resulted in a new synchronous signal (eg SIG= SEGV). - */ + /* Restart scan, explained above. */ goto restart_scan; } } diff --git a/linux-user/signal.c b/linux-user/signal.c index 4dafc2c3a2..c68b4e6c20 100644 --- a/linux-user/signal.c +++ b/linux-user/signal.c @@ -1382,6 +1382,11 @@ void process_pending_signals(CPUArchState *cpu_env) } =20 handle_pending_signal(cpu_env, sig, &ts->sync_signal); + /* + * Restart scan from the beginning, as handle_pending_signal + * might have resulted in a new synchronous signal (eg SIGSEGV= ). + */ + goto restart_scan; } =20 for (sig =3D 1; sig <=3D TARGET_NSIG; sig++) { 
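Review bot: With the unconditional `goto restart_scan` added after `handle_pending_signal(env, sig, &ts->sync_signal)`, the scan only terminates if that call clears the pending synchronous signal or ends the process, and neither is visible in these hunks. That invariant is now load-bearing in both bsd-user/signal.c and linux-user/signal.c and deserves a line in the new comment, e.g. `/* Relies on handle_pending_signal() clearing the sync_signal pending state; otherwise this loops forever. */`. The comment placement also differs between the two files: bsd-user puts it above the handle_pending_signal() call, linux-user directly above the goto, and the latter reads better next to the "explained above" back-reference. process_pending_signals() and the restart_scan label lie outside the hunks.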
@@ -1392,9 +1397,7 @@ void process_pending_signals(CPUArchState *cpu_env) (!sigismember(blocked_set, target_to_host_signal_table[sig]))) { handle_pending_signal(cpu_env, sig, &ts->sigtab[sig - 1]); - /* Restart scan from the beginning, as handle_pending_sign= al - * might have resulted in a new synchronous signal (eg SIG= SEGV). - */ + /* Restart scan, explained above. */ goto restart_scan; } } --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619839; cv=none; d=zohomail.com; s=zohoarc; b=hxy5FlNVRKDfctEMFZke4xAkcwp0kpH9rnht8t9NUO7nOdbYifqK7kyLigJeGk1IkXuFKUBqB9i9gqigHkHBeBxtXJCb7uEXmEvFQvUUH2EsNVcF+VYiHB3xo/E+2nNqSVct9UpwHJmtFTi/nzjX+VpIqEX8Hws0IwTRVICJaSo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619839; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=wlB+v3JQrDcA1wdvqbAr3z1hRwoaknXUAhDLxF/Ea+k=; b=CeW6z2IfDQU0gjxQ75m+BBKkLXUYxMcVYWu0n/E29W3z3A2CmKk7Nl2AA+7+wXfhbP7/NCeIAx0MLbqsGF2ZCesh76weHkkT0IPLjbceNRXKoEL4WgmBvGUFryNIJbt8dQVaMCxLqHN/WV1nuItaMqFkg0/aqoq3beQiCiMyBbk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619839171469.02893139123796; Tue, 12 May 2026 14:03:59 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) 
(envelope-from ) id 1wMuDH-0005QC-8z; Tue, 12 May 2026 17:00:23 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCP-0002of-Cq; Tue, 12 May 2026 16:59:29 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCL-0005AQ-Tj; Tue, 12 May 2026 16:59:29 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 6E4731AA2FD; Tue, 12 May 2026 23:54:36 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 793273ABC6E; Tue, 12 May 2026 23:54:40 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619276; bh=Wd06Sl27Ik4Ji/0yqKEE/zYZHKIiR5Fpe3ErN4GEkGU=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=E5jU/WTAC2wkXY3zYoGeg0orqgUcK9UOFArHQx4UP+pak6mkWyPP7MkqMCSEGGm6o 5sfbI3UkJxdOK2edl4pJRMrcpji22Ofe50ZGpTU4rvGQk3kKxdZk7dgYz9knKIeXYH Qg0CPsQfbBx7+BMWbGJ2wGVXx8tVJxyA2i0a4yS7LbnSqXwtt0gWOiFwioz9nk1mFQ 1Z1jbchFfb2Q7V8tn63z+ibs2+TXlCiEiyZJLO0G2pCcDTdWoTYNKeTynX/zPWemrU xuNc9OS78qW41aup6pms6geJGMT8S26BrQcFN9L8va9IZ5MbbnrwbXcXkgwhzxEDqC s6epK/oyfVxlA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Richard Henderson , Michael Tokarev Subject: [Stable-10.0.10 049/107] target/arm: do_ats_write(): avoid assertion when ptw failed Date: Tue, 12 May 2026 23:53:36 +0300 Message-ID: <20260512205437.360850-49-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619840267158500 
From: Peter Maydell In do_ats_write() we try to assert that the cacheattrs from get_phys_addr_for_at() are in the form we expect: /* * ATS operations only do S1 or S1+S2 translations, so we never * have to deal with the ARMCacheAttrs format for S2 only. */ assert(!res.cacheattrs.is_s2_format); However, the GetPhysAddrResult struct documents that its fields are only valid when the page table walk succeeded. For a two stage page table walk which fails during stage two, we will return early from get_phys_addr_twostage() and depending on the fault type the res.cacheattrs may have been initialized with the stage 2 cache attr information in stage 2 format. In this case we will incorrectly assert here. Fix the assertion to not look at the res fields if the lookup failed. Note for stable backports: the do_ats_write() function is in target/arm/helper.c in older QEMU versions, but the change to the assert line is the same. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3328 Fixes: 9f225e607f21 ("target/arm: Postpone interpretation of stage 2 descri= ptor attribute bits") Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Richard Henderson Message-id: 20260331092305.2062580-1-peter.maydell@linaro.org (cherry picked from commit 84771c64a5ae0f28d4bacc3f85a1f852a70c6edc) Signed-off-by: Michael Tokarev diff --git a/target/arm/helper.c b/target/arm/helper.c index cd577e794f..e607f4a458 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c 
@@ -3507,8 +3507,9 @@ static uint64_t do_ats_write(CPUARMState *env, uint64= _t value, /* * ATS operations only do S1 or S1+S2 translations, so we never * have to deal with the ARMCacheAttrs format for S2 only. + * (Note that res fields are only valid on ptw success.) */ - assert(!res.cacheattrs.is_s2_format); + assert(ret || !res.cacheattrs.is_s2_format); =20 if (ret) { /* --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619814; cv=none; d=zohomail.com; s=zohoarc; b=ilEVTAyL/JMLkxe5w96CAf4KiZm5G6vlcWAUXxDlCJTtJq2hHn7c8KvTefHQ+5FF7jaCgho6WJG2+7VfBc2ChWw95Zat5szihZcyZnvUqU86OPrDWlt+yZMepNGPB7Y+rtge7HGnI0C3OKeA73/vVEraQ5aNmdNt8K7wu4oztXo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619814; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=HgXjarmtogBb8rnKfQxvtQQ6vSQFgJvlY9MxcP2HDV0=; b=GHzC1No/pjLSOUFnhSfb2V44aHZr0xCtoyIGQbWCEhlsgYgAAk2WAbXZz8+loFXC8IhecV8oX/HxTn2df/iQWxWz4THNKjnIuPCOWfrNfyFmfKng3IC9c56kwNxcAfJoHxUGqa7SwInj99Di/o3mRhQyc3dVCOk8ArmgKiZjZ1g= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 177861981444338.51895858068701; Tue, 12 May 2026 14:03:34 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 
1wMuDL-0005hL-NY; Tue, 12 May 2026 17:00:28 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCR-0002ss-Ia; Tue, 12 May 2026 16:59:33 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCN-0005Af-TP; Tue, 12 May 2026 16:59:30 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 7E2841AA2FE; Tue, 12 May 2026 23:54:36 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 89BE43ABC6F; Tue, 12 May 2026 23:54:40 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619276; bh=mRfYhhFPyTdMLLP732EPpqtu+xKUKEHclKlwUfbvgzo=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=rHsagim5KYM841nNgr25Wey71Dvje5VoqwCNUGyx8wDJ2w5N6McN4ApgNy6aBGrJH LbvsR+yqJBjWMKn4Y0eHBB83eigORUDCFecv9we66dQw+NC1wC+ic+g1GiN9t+sSYp YcsyCCIs7hm7lGBNWYuHiNn2K41SiCw9uqE0RsZWjUjxKaPFdfutyE8hKnrTaeBMc8 YDBy7EXRUSNmHhrJ7zL3bLUFrrIjPqr/fZTgH84RbYXLB0l0D7ympc7rsva+OyKO/1 zLMEMudZ5lopVpC4lMIybi9DcLHv69yffD865O9zzyohg2A+DkjZZswUKK1lKx9ors AkkbooFy83Wew== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Alex=20Benn=C3=A9e?= , Richard Henderson , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.10 050/107] target/arm: fix fault_s1ns for stage 2 faults Date: Tue, 12 May 2026 23:53:37 +0300 Message-ID: <20260512205437.360850-50-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619816007158500 
From: Alex Benn=C3=A9e The computation of s1ns was simply wrong. For Stage 2 faults, it should indicate whether the faulting IPA is in the Non-Secure IPA space. Correct the logic to check for ARMSS_NonSecure and drop the extraneous s2_mmu_idx test. This is effectively a change in the intended semantics of the ARMMMUFaultInfo::s1ns field, so that we no longer try to make it exactly match HPFAR_EL2.NS but instead set it for any stage 2 fault on an NS IPA, relying on users of the field to check whether the fault is to be taken to Secure EL2 before propagating the field to the HPFAR_EL2.NS bit. Since the actual writing of HPFAR_EL2.NS is already gated by arm_is_secure_below_el3(env), we only need to update the comments to document this change of semantics. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2568 Signed-off-by: Alex Benn=C3=A9e Reviewed-by: Richard Henderson Message-id: 20260405112410.603223-1-alex.bennee@linaro.org [PMM: also update comments about the s1ns field] Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell (cherry picked from commit 566594f10873723a179057a604d890bfaa1a9f0a) Signed-off-by: Michael Tokarev diff --git a/target/arm/internals.h b/target/arm/internals.h index 17221c847d..e95f791ce0 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h 
@@ -717,7 +717,10 @@ typedef enum ARMGPCF { * @paddr_space: physical address space that caused a fault for gpc * @stage2: True if we faulted at stage 2 * @s1ptw: True if we faulted at stage 2 while doing a stage 1 page-table = walk - * @s1ns: True if we faulted on a non-secure IPA while in secure state + * @s1ns: True if we faulted on a non-secure IPA. Note that (unlike the + * HPFAR_EL2.NS bit) this is set for any stage 2 fault for an NS IPA, so + * code must check that this is for a fault taken to Secure EL2 before + * propagating s1ns to HPFAR_EL2.NS. * @ea: True if we should set the EA (external abort type) bit in syndrome */ typedef struct ARMMMUFaultInfo ARMMMUFaultInfo; diff --git a/target/arm/ptw.c b/target/arm/ptw.c index 4330900348..92d6bd9d40 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c 
@@ -550,12 +550,14 @@ static ARMSecuritySpace S2_security_space(ARMSecurity= Space s1_space, static bool fault_s1ns(ARMSecuritySpace space, ARMMMUIdx s2_mmu_idx) { /* - * For stage 2 faults in Secure EL22, S1NS indicates - * whether the faulting IPA is in the Secure or NonSecure - * IPA space. For all other kinds of fault, it is false. + * For stage 2 faults, S1NS indicates whether the faulting IPA is + * in the Non-Secure (true) or Secure (false) IPA space. For all + * other kinds of fault, it is false. Note that we do not + * distinguish "s2 fault on NS IPA taken to Secure EL2" from + * "s2 fault on NS IPA taken to NS EL2 or Realm EL2" here, but + * instead do that when setting HPFAR_EL2.NS. */ - return space =3D=3D ARMSS_Secure && regime_is_stage2(s2_mmu_idx) - && s2_mmu_idx =3D=3D ARMMMUIdx_Stage2_S; + return space =3D=3D ARMSS_NonSecure && regime_is_stage2(s2_mmu_idx); } =20 /* Translate a S1 pagetable walk through S2 if needed. */ --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619638; cv=none; d=zohomail.com; s=zohoarc; b=HF0qbbxa7CjzJFwGNx6dtyO8y7ZsbCLvjK5zFI8woS+KrcF0LoiFiZ9+/9dMHnSYlj/ciFldDZ5xl2yaj2jhEF0oAO0sJ/22KmhKSOoIZEEObS6ZL6vyhytdJ49uN5YfxQtT1YuIEDNtTReDJFQgKS39PrG2R+9iSY8UW1+2+Vw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619638; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=++zDijuaZ9tNGr7sDZDvcUNKMLMsA0H0kmRR9bpXzI8=; 
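Review bot: fault_s1ns() now returns true for any stage 2 fault on a Non-Secure IPA, so correctness depends on every reader of ARMMMUFaultInfo::s1ns applying the Secure EL2 check, and the new comment does not say where that check lives. The commit message names arm_is_secure_below_el3(env) as the gate on the HPFAR_EL2.NS write; naming it in the comment, e.g. `instead do that (via arm_is_secure_below_el3()) when setting HPFAR_EL2.NS.`, would let a later reader verify the invariant. The readers of s1ns are outside this hunk, so any other consumer should be checked against the new meaning.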
b=BjSeJNU6aIDbiyOBNesdeGXGaE3U9z4Vjc+BC9k+ZqfITJQhHr/sIYubtcHwV4tVvt2q9R1kQZWxJ3/ebCpx5jWOTPFJXzwz1AJtuGmeA4xswKgjPpXm55KN59Gqgz/Ylb/6auF80ewbuNhhtiPlLIrgfz6Fbf8Kvjte/8StO7A= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619638591835.1073153480777; Tue, 12 May 2026 14:00:38 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuDR-0006BZ-9l; Tue, 12 May 2026 17:00:33 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCn-00037o-S0; Tue, 12 May 2026 16:59:53 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCl-0005Dn-KT; Tue, 12 May 2026 16:59:53 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 8DE081AA2FF; Tue, 12 May 2026 23:54:36 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 991FC3ABC70; Tue, 12 May 2026 23:54:40 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619276; bh=KOc/DiAKjrRpadbwE3U+gOpNg38f5fy9LqaRl7wyL5Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=IZW2D//cqzpBbzNli/ugWD/4xIp1jus+n/w6E0RBxi9+yAvxEqg7HFS377VvY2bCd Cu2SYp1MR8olrRSxw0/BBMNl8u6XE3Wtkvmeha4xSjWIhXfn0euHdya2/cRClLNEoH r3fc+Ik8y4tEsTl5/4pGv8H7GjbUnqJJeVyb+5O0HxuXXU/BqQ3ftVYkZYGmN7IweP NwxACxtUbsUPodhdPQmwq4UtaIzM1Ktd4SvxZtpacwSdwxAGR1luMzI+7gjsflQOrm 
mPRGxuDSe3QbL0HtmOsNxBCZsqpbAdyD5qhhozK8gDeianTgZHydMkejB1W/YNQAqD HJQggRlWAT7Lg== From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Nguyen Dinh Phi , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.10 051/107] util/readline: Fix out-of-bounds access in readline_insert_char(). Date: Tue, 12 May 2026 23:53:38 +0300 Message-ID: <20260512205437.360850-51-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619639241158500 
From: Nguyen Dinh Phi Currently, the readline_insert_char() function is guarded by the cursor position (cmd_buf_index) rather than the actual buffer fill level(cmd_buf_s= ize). The current check is: if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE) This logic is flawed because if the command buffer is full and a user moves= the cursor backward (e.g. by sending left arrow key), cmd_buf_index can be decreased without descreasing of buffer size. This allow subsequent insertions to increase cmd_buf_size past its maximum limit of rs->cmd_buf. Because in the ReadLineState struct, cmd_buf[READLINE_CMD_BUF_SIZE + 1] is immediately followed by the cmd_buf_index integer, once the buffer size is sufficiently inflated, the memmove() operation inside readline_insert_char() can write past the end of cmd_buf[] and overwrites cmd_buf_index itself. The subsequent line: rs->cmd_buf[rs->cmd_buf_index] =3D ch; then writes the input character to an address determined by the now-corrupt= ed index. By providing a specifically crafted input sequence via HMP, this flaw can be used to redirect the write operation to overwrite any field within the ReadLineState structure, which can lead to unpredictable behavior or application crashes. Fix this by adding the guard to check for buffer fullness. Cc: qemu-stable@nongnu.org Signed-off-by: Nguyen Dinh Phi Message-id: 20260406050454.284873-2-phind.uet@gmail.com Reviewed-by: Marc-Andr=C3=A9 Lureau Signed-off-by: Peter Maydell (cherry picked from commit 4e4832dd72db59cf9348a5cb787fe65b738d7601) Signed-off-by: Michael Tokarev diff --git a/util/readline.c b/util/readline.c index 0f19674f52..e2664e48ca 100644 --- a/util/readline.c +++ b/util/readline.c 
@@ -84,7 +84,9 @@ static void readline_update(ReadLineState *rs) =20 static void readline_insert_char(ReadLineState *rs, int ch) { - if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE) { + assert(rs->cmd_buf_index <=3D rs->cmd_buf_size); + + if (rs->cmd_buf_size < READLINE_CMD_BUF_SIZE) { memmove(rs->cmd_buf + rs->cmd_buf_index + 1, rs->cmd_buf + rs->cmd_buf_index, rs->cmd_buf_size - rs->cmd_buf_index); --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620324; cv=none; d=zohomail.com; s=zohoarc; b=ebqrMHfilqmpK7DxrEKk+JmqCf7HS48b7iOZtwFsAdDQC4fsBxO0WzqU8eSYYO3Gc6hBxIVF9EvqXEecT1B40NPy5rEQuanKbtc8uYDIi1XECwx5hiaKIZlzY2eguaqrr3iWTj3wP5m4/ckiT+9sZjJVenyWEghrMu4PEf7t87g= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620324; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=psnvLPf0PQiLc4w3ZeHwpBMzybIa/JagqbX+4/jqOsM=; b=QU7viDMCRTI1CA2NVfA/7B7NEn9ub9oBhd0kVN0w5B7w1gYo6Mhbybfa0MSdITxIijEjhL37t3AYxFoDufUB/di0fD4c/qyBEK2XzwHolMCpEtzUT2lXOV8kcm8ZLsHkVD8lTb5JzgaOu75GSzseBIGFJrrMQjar461YiIfBC9Q= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620324954838.5564100057808; Tue, 12 May 2026 14:12:04 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) 
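Review bot: The new `assert(rs->cmd_buf_index <= rs->cmd_buf_size);` in readline_insert_char() checks only the upper bound of the cursor, but the memmove() that follows also uses cmd_buf_index as an offset into cmd_buf. If the index is a signed int, as the commit message's description of the struct suggests, a negative value would pass the assert and the copy would land before the start of the buffer. `assert(rs->cmd_buf_index >= 0 && rs->cmd_buf_index <= rs->cmd_buf_size);` states the full invariant. The rest of the function, including the store to `rs->cmd_buf[rs->cmd_buf_index]`, is outside the hunk.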
(envelope-from ) id 1wMuDW-0006Z9-JF; Tue, 12 May 2026 17:00:38 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCs-0003c4-BW; Tue, 12 May 2026 16:59:58 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCn-0005HT-C0; Tue, 12 May 2026 16:59:58 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 9E1B81AA300; Tue, 12 May 2026 23:54:36 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id A964C3ABC71; Tue, 12 May 2026 23:54:40 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619276; bh=iSPboxQuGL2s0tBdLX2T+plxIBfc1ed31OajkLjth/I=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=ZWuShUs1g9BWz/19APdBNSR+xm5MS4f1PvGt3Ox5MudPi3HJecIKGS9f7s75ILsEa 8nZw/hFMlpi6pzCxTxbfynv4gyE8WuKOsa6IrZCUi7m3w3MabvFYqIp5QJVkLsbY9J UU/Hl77pIESvoWy6udIftANrkakcCPz4+uGcFdJm1fDZZlvKlTXMiospIKB7hFH1X4 JgPx3K03sbebEN7oOtW8MSZUz7x90C4jt5WMOPyXBzIA+i2rfc0xxH0+rNw+fATrKE CeQ/QfoeONqcPwf4T3KIVqReNzyTWB3oamR7bYbkBRQ5TMrZ1ur6mMUz+Muqwro8yH KWXzTxTciHTpg== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Paolo Bonzini , Jihe Wang , Stefan Hajnoczi , Michael Tokarev Subject: [Stable-10.0.10 052/107] virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare Date: Tue, 12 May 2026 23:53:39 +0300 Message-ID: <20260512205437.360850-52-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620326046158500 Content-Type: text/plain; charset="utf-8" From: Paolo Bonzini Ensure that there is no allocation/usage mismatch when requests are processed in virtio_scsi_handle_cmd_vq. To do this, retrieve the value once and pass it to both functions. For other calls to virtio_scsi_pop_req the extra size can be 0, because control and event requests fit entirely in VirtIOSCSIReq. Reported-by: Jihe Wang Tested-by: Jihe Wang Reviewed-by: Stefan Hajnoczi Fixes: CVE-2026-5763 Signed-off-by: Paolo Bonzini (cherry picked from commit 79971302935472232a68073faddb085177e3ca54) 
Signed-off-by: Michael Tokarev diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c index 383521495f..ffa85fa25a 100644 --- a/hw/scsi/virtio-scsi.c +++ b/hw/scsi/virtio-scsi.c @@ -231,16 +231,16 @@ static int virtio_scsi_parse_req(VirtIOSCSIReq *req, return 0; } =20 -static VirtIOSCSIReq *virtio_scsi_pop_req(VirtIOSCSI *s, VirtQueue *vq, Qe= muMutex *vq_lock) +static VirtIOSCSIReq *virtio_scsi_pop_req(VirtIOSCSI *s, VirtQueue *vq, si= ze_t extra_req_size, + QemuMutex *vq_lock) { - VirtIOSCSICommon *vs =3D (VirtIOSCSICommon *)s; VirtIOSCSIReq *req; =20 if (vq_lock) { qemu_mutex_lock(vq_lock); } =20 - req =3D virtqueue_pop(vq, sizeof(VirtIOSCSIReq) + vs->cdb_size); + req =3D virtqueue_pop(vq, sizeof(VirtIOSCSIReq) + extra_req_size); =20 if (vq_lock) { qemu_mutex_unlock(vq_lock); @@ -686,7 +686,7 @@ static void virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, V= irtQueue *vq) { VirtIOSCSIReq *req; =20 - while ((req =3D virtio_scsi_pop_req(s, vq, &s->ctrl_lock))) { + while ((req =3D virtio_scsi_pop_req(s, vq, 0, &s->ctrl_lock))) { virtio_scsi_handle_ctrl_req(s, req); } } @@ -854,13 +854,14 @@ static void virtio_scsi_fail_cmd_req(VirtIOSCSIReq *r= eq) virtio_scsi_complete_cmd_req(req); } =20 -static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq= *req) +static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq= *req, + size_t cdb_size) { VirtIOSCSICommon *vs =3D VIRTIO_SCSI_COMMON(s); SCSIDevice *d; int rc; =20 - rc =3D virtio_scsi_parse_req(req, sizeof(VirtIOSCSICmdReq) + vs->cdb_s= ize, + rc =3D virtio_scsi_parse_req(req, sizeof(VirtIOSCSICmdReq) + cdb_size, sizeof(VirtIOSCSICmdResp) + vs->sense_size); if (rc < 0) { if (rc =3D=3D -ENOTSUP) { 
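Review bot: virtio_scsi_handle_cmd_req_prepare() now takes cdb_size from the caller's snapshot but still reads `vs->sense_size` directly in its virtio_scsi_parse_req() call. The virtio_scsi_set_config() hunk likewise keeps the plain store `vs->sense_size = virtio_ldl_p(vdev, &scsiconf->sense_size);` next to the new `qatomic_set()` for cdb_size. Both fields are updated by the same config write, so if a concurrent update is the concern for cdb_size, sense_size should be accessed with `qatomic_read()`/`qatomic_set()` as well. Whether sense_size is read a second time for the same request is not visible in these hunks and is worth checking.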
@@ -882,7 +883,7 @@ static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCS= I *s, VirtIOSCSIReq *req) } req->sreq =3D scsi_req_new(d, req->req.cmd.tag, virtio_scsi_get_lun(req->req.cmd.lun), - req->req.cmd.cdb, vs->cdb_size, req); + req->req.cmd.cdb, cdb_size, req); =20 if (req->sreq->cmd.mode !=3D SCSI_XFER_NONE && (req->sreq->cmd.mode !=3D req->mode || @@ -917,12 +918,15 @@ static void virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, = VirtQueue *vq) QTAILQ_HEAD(, VirtIOSCSIReq) reqs =3D QTAILQ_HEAD_INITIALIZER(reqs); =20 do { + VirtIOSCSICommon *vs =3D (VirtIOSCSICommon *)s; + size_t cdb_size =3D qatomic_read(&vs->cdb_size); + if (suppress_notifications) { virtio_queue_set_notification(vq, 0); } =20 - while ((req =3D virtio_scsi_pop_req(s, vq, NULL))) { - ret =3D virtio_scsi_handle_cmd_req_prepare(s, req); + while ((req =3D virtio_scsi_pop_req(s, vq, cdb_size, NULL))) { + ret =3D virtio_scsi_handle_cmd_req_prepare(s, req, cdb_size); if (!ret) { QTAILQ_INSERT_TAIL(&reqs, req, next); } else if (ret =3D=3D -EINVAL) { @@ -993,7 +997,7 @@ static void virtio_scsi_set_config(VirtIODevice *vdev, } =20 vs->sense_size =3D virtio_ldl_p(vdev, &scsiconf->sense_size); - vs->cdb_size =3D virtio_ldl_p(vdev, &scsiconf->cdb_size); + qatomic_set(&vs->cdb_size, virtio_ldl_p(vdev, &scsiconf->cdb_size)); } =20 static uint64_t virtio_scsi_get_features(VirtIODevice *vdev, 
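Review bot: The `size_t cdb_size = qatomic_read(&vs->cdb_size);` added at the top of the do-loop in virtio_scsi_handle_cmd_vq() carries no comment, although the fix depends on virtio_scsi_pop_req() and virtio_scsi_handle_cmd_req_prepare() seeing the same value. A one-line comment such as `/* Read once: pop and prepare must agree on the request size. */` would stop a later cleanup from going back to reading `vs->cdb_size` in each callee. The same declaration uses a raw `(VirtIOSCSICommon *)s` cast where virtio_scsi_handle_cmd_req_prepare() uses `VIRTIO_SCSI_COMMON(s)`; the macro would be consistent.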
@@ -1054,7 +1058,7 @@ static void virtio_scsi_push_event(VirtIOSCSI *s, return; } =20 - req =3D virtio_scsi_pop_req(s, vs->event_vq, &s->event_lock); + req =3D virtio_scsi_pop_req(s, vs->event_vq, 0, &s->event_lock); WITH_QEMU_LOCK_GUARD(&s->event_lock) { if (!req) { s->events_dropped =3D true; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619894; cv=none; d=zohomail.com; s=zohoarc; b=GZMnPxfwxnTJkV8W46/oZLpbvu1UauujPg3Amj+Nvq75Swr9WpmbZemH2ko85/G/RbnQRaGxnbcLmNgWmnMsE8axHMcVw7ohFBCbjGEla56GvwtweX6lMtK5raIDWQSAQNKJWywft02Pku1rPq+rBltVBcsgQUZVtR2fJpdgIH4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619894; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=AO00fiuFqOe7uGhJPX+OZXQMkKaK2ASgLE5tV18kTeQ=; b=Gxov3Ls1tCz5xa6Ms8jSfj21QUHSCMYCOjO8yENxeaM3cwF3ZUfdXmZSoq5zcTBS9iVU8Sv1XUB4LD8AWrBCBBNmm4U4u61gxfBszbxT0hV7zEUqKvflarhfEaE27XLuph4JdGZQDmOLP2wxJ/ikhUXI5kae/fxaLjUgEAaDufI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619894512979.6338355670586; Tue, 12 May 2026 14:04:54 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuE7-0006yH-T7; Tue, 12 May 2026 17:01:19 -0400 Received: from eggs.gnu.org 
([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCt-0003hS-9f; Tue, 12 May 2026 16:59:59 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCp-0005aT-MP; Tue, 12 May 2026 16:59:58 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id AF4451AA301; Tue, 12 May 2026 23:54:36 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id B93CD3ABC72; Tue, 12 May 2026 23:54:40 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619276; bh=rJL1iSZupBtbEXDSlv7iUJmz8SeU3kNlkyt8hqBdeNg=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=EwLM+c2x5y/FIif1wj7lKnm/5MHYPVlsXp5YSarS3Dzp8NHt2If/cpf4DSJzCVf3n H/Efv911MncqZrC44uII0F/WQRRC5K59YY1zjuNssQ13JA6QQMoLCpYlepPlTScW/C tLwNSAfn24WGFES0PFgkFA/lYKIBk3KFlCYWbKfbC8gbVygSyld6K+ZJFgis+J8sgE 4oixNMv83Jv5wAbIQvHanQRa10io154Z68aCpWSFEY35zY1eNw5oRTmEtQORQORKQz tFGje/WOJwVVCd1MkQRYNrCYE8JxCrJJlWjpu11qlbxAxcep5tTi2/szQgOGcG2p9k jVAioKH89YfxQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Gerd Hoffmann , Yuma Kurogome , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.10 053/107] hw/uefi: fix heap overflow (CVE-2026-5744) Date: Tue, 12 May 2026 23:53:40 +0300 Message-ID: <20260512205437.360850-53-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619897008154100 From: Gerd Hoffmann When copying the request response into the pio transfer buffer the code skips the 'struct mm_header' but does not consider that when calculating transfer size, so it will copy 24 (=3D=3D sizeof(struct mm_header)) extra bytes, which can overflow uv->pio_xfer_buffer. Fix that by copying the complete buffer, including the header, which also makes the pio code path consistent with the (unaffected) dma code path. Fixes: CVE-2026-5744 Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c") Reported-by: Yuma Kurogome 
Signed-off-by: Gerd Hoffmann Reviewed-by: Daniel P. Berrang=C3=A9 Message-id: 20260408073403.3410541-1-kraxel@redhat.com Signed-off-by: Peter Maydell (cherry picked from commit af74c9e46bb55e2da042315a0c65666f59c61686) Signed-off-by: Michael Tokarev diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c index 92fc121fe7..0a05ec4c9c 100644 --- a/hw/uefi/var-service-core.c +++ b/hw/uefi/var-service-core.c 
@@ -133,9 +133,8 @@ static uint32_t uefi_vars_cmd_mm(uefi_vars_state *uv, b= ool dma_mode) uv->buffer, sizeof(*mhdr) + mhdr->length, MEMTXATTRS_UNSPECIFIED); } else { - memcpy(uv->pio_xfer_buffer + sizeof(*mhdr), - uv->buffer + sizeof(*mhdr), - sizeof(*mhdr) + mhdr->length); + memcpy(uv->pio_xfer_buffer, + uv->buffer, sizeof(*mhdr) + mhdr->length); } =20 return retval; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620159; cv=none; d=zohomail.com; s=zohoarc; b=OwWrGTRrjOslrClDNQnrVEzMPiqirRhPlkS3nfUahCdHGmM7rtEbKSlPCLVEMwk6NSDrT8SXv8GEMTAs4akyaPrXpYFoDVlSuQXKE9EZvpMs0JNs9CiKLko3eiSbEo9NoumT3O001PMImVnl/FAmSSiVdPfrda1TwXcBo4RzNxE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620159; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=NfZ85sBYglccYiPz2JaQ8vbTs9PIwx0gwuAVM9gyWa0=; b=ZyJC74Sg5P2qYiy/XcjLyuLX/jAAUWlUPQ58rg0ZGBYCPfyP3hTD4TN3I0Z924XktBnuGA5i56IzrT9iF0+OCMLFa7QOCzI3fU3j3tqPm/jb0XKi/dYCsExf9AyQMbphPQC5J5wlGUoqqLDiB+MZuMdn6T7+kR/E0kXHnnq6KPw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620159062579.596464888816; Tue, 12 May 2026 14:09:19 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 
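Review bot: The pio branch now copies `sizeof(*mhdr) + mhdr->length` bytes into `uv->pio_xfer_buffer`, but nothing in this hunk ties that length to the size of the destination allocation, and `mhdr->length` is read again here after the request has been processed. The bound is presumably established earlier in uefi_vars_cmd_mm, which starts above the hunk; if so, state the invariant next to the copy, for example `/* length was checked against the buffer size above; pio_xfer_buffer is at least that large */`, or assert it before the memcpy. The dma branch uses the same length expression, so the same comment would cover both paths.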
1wMuEj-0007fs-0n; Tue, 12 May 2026 17:01:53 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCw-0003vL-B1; Tue, 12 May 2026 17:00:03 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCu-0005bw-5J; Tue, 12 May 2026 17:00:01 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id C84CD1AA302; Tue, 12 May 2026 23:54:36 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id CA8323ABC73; Tue, 12 May 2026 23:54:40 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619276; bh=zvja2Ly8MOB+3TR7eyI+pbxqWtBhp+V27gwsfOW3bHU=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=aCz5XHIs0SGyeaePO2bVEdfllga643qBrF4P1zb9ip0iS+r80x7amM/2pGg+dZGOl I4kBtjST4Dq9mp8nPiUsW5kAnsI9uv1/8zmysVOZwd1Rkgw+By0WGWJliV15Kec87F Nt1FwXq9p6xhc+ymv3D4uFJjpWw4YOAH0Vi9RccrB4QJ6CVgsMLk/GxHKd7dYhkzE2 kCQMOCyFe7yZ9N5gKLsnqPkeJ70mN7vKxkOU034NgMB8kFAWuYL9Smu9XphL4Irn6p mQ2ljk0NWPmwn/HigD13I5Hctfv0cKHvNamG0X0FNFhQew2tpR9JEE4rBBGSGBKmJI 8sUgvPgh2WscQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Dietmar Maurer , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.10 054/107] qemu-keymap: fix altgr modifier lookup for newer xkeyboard-config Date: Tue, 12 May 2026 23:53:41 +0300 Message-ID: <20260512205437.360850-54-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620160182154100 From: Dietmar Maurer xkeyboard-config 2.37 removed the "AltGr" virtual modifier in favor of mapping upper groups directly to Mod5. Since then, xkb_keymap_mod_get_index(map, "AltGr") returns XKB_MOD_INVALID, so AltGr-based keysyms were never generated. See: https://gitlab.freedesktop.org/xkeyboard-config/xkeyboard-config/-/com= mit/473f9bc32f9ba869829cc0d06a75cd1f2560aa60 Try "AltGr" first, and fall back to "Mod5" for compatibility with both old and new xkeyboard-config versions. 
Signed-off-by: Dietmar Maurer Reviewed-by: Philippe Mathieu-Daud=C3=A9 Message-ID: <20260408091459.4001711-1-dietmar@proxmox.com> Signed-off-by: Philippe Mathieu-Daud=C3=A9 (cherry picked from commit 4e6fb62fb0f33c815b089d0b59e1313b768c55d0) Signed-off-by: Michael Tokarev diff --git a/qemu-keymap.c b/qemu-keymap.c index 6707067fea..402815139a 100644 --- a/qemu-keymap.c +++ b/qemu-keymap.c 
@@ -231,6 +231,9 @@ int main(int argc, char *argv[]) shift =3D get_mod(map, "Shift"); ctrl =3D get_mod(map, "Control"); altgr =3D get_mod(map, "AltGr"); + if (!altgr) { + altgr =3D get_mod(map, "Mod5"); + } numlock =3D get_mod(map, "NumLock"); =20 state =3D xkb_state_new(map); --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619848; cv=none; d=zohomail.com; s=zohoarc; b=nBH9d7e0CyYQKGCZU1tgAMR+mYUc5srJmLoaizLgvuJM4wi8BeiKPyepcdwu0qJwxaa6kY/Ol150HVdp05+ic5l+/YPktdt/7EqaYE+/IwDe8PlDVAAxN/3K4GY+iqzza2299JeUS8XPAuDyRBiy85UCqHs/O9RVsaHltBMsAIY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619848; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=vY0katPwE2U3et8n4KGwu6AiiLKelrgowQK9wRgmAOg=; b=edykqxXP/310FxJwJNDOqwlqkqAPWlo2p12CvDkQjo6dlAap0fuHXqHmMLdbvUJ7nTJmQdi0rPNG2WAoaHJoXM0qA9B2FlXmXDy9m6ubiqeGZ2RtsTfcMNCOMBy97pn2uTrAU16hSfeFufBmy9iuUeX1raJZcDb4d5OHHdSzGF4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619848798643.238333815638; Tue, 12 May 2026 14:04:08 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuEB-0006yG-F7; Tue, 12 May 2026 17:01:21 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by 
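Review bot: The `if (!altgr)` fallback depends on get_mod() returning 0 for an unknown modifier name, which this hunk does not show (get_mod is defined elsewhere in the file); presumably it maps XKB_MOD_INVALID to an empty mask. A comment above the fallback would record both that contract and the reason for the second lookup, e.g. `/* xkeyboard-config >= 2.37 has no "AltGr" virtual modifier; fall back to Mod5 */`. If neither name resolves, altgr stays 0 with no diagnostic, so a message on stderr in that case would make a broken keymap visible instead of silently dropping those keysyms.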
lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCx-0003wt-Eu; Tue, 12 May 2026 17:00:03 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuCu-0005cT-Rs; Tue, 12 May 2026 17:00:03 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id DCA6A1AA303; Tue, 12 May 2026 23:54:36 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id E4B513ABC74; Tue, 12 May 2026 23:54:40 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619276; bh=1HdcgX/LMaeNImKpnuqp9kdYf9fsxq1yKsfOxvZzWZE=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=kdvPqf3RbB3B3UsG6jnCBpk3Wfk4csICi9iKeUtqEAUEK8/FB4quPczWT79bdIIRK fqV2bfdG3exJcxLICIQDb4T0N3PU95D/0TUdRcVQS/x/oB22DH/shnBTRUUKYkNlss Ax0lR2BWBm2TEdwfzoWobTA5uDMcXuaXqHhFw739/J86CqBJH9xhbMhbO4DkTBNI3l 5e/lJRVBZO8nYYx/r0XZRMonkBUZ8OUQuYLxmcip6Te66d1UYIZhxZGHI3HI2Eml+4 BJPFj99Be7JFBnsUhliuGhh/eO+JYMI2BkD9feylIL7sQlbC0MFKsgQjsjO6ccO7VK gPL7hS6Y2TfGA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Stefan Hajnoczi , Sam Li , Damien Le Moal , Dmitry Fomichev , Mingyuan Luo , Michael Tokarev Subject: [Stable-10.0.10 055/107] virtio-blk: fix zone report buffer out-of-memory (CVE-2026-5761) Date: Tue, 12 May 2026 23:53:42 +0300 Message-ID: <20260512205437.360850-55-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619850630154100 Content-Type: text/plain; charset="utf-8" 
From: Stefan Hajnoczi An internal buffer is used when processing VIRTIO_BLK_T_ZONE_REPORT requests. The buffer's size is controlled by the guest. A large value can result in g_malloc() failure and the QEMU process aborts, resulting in a Denial of Service (DoS) (most likely in cases where an untrusted guest application or a nested guest with virtio-blk passthrough is able to abort QEMU). Modify the zone report implementation to work incrementally with a bounded buffer size. This is purely a QEMU implementation issue and no VIRTIO spec changes are needed. Mingyuan Luo found this bug and provided a reproducer which I haven't put into tests/qtest/ because it requires a zoned storage device (e.g. root and modprobe null_blk): 1) Prepare a zoned nullblk backend (/dev/nullb0): sudo modprobe -r null_blk || true sudo modprobe null_blk nr_devices=3D1 zoned=3D1 sudo chmod 0666 /dev/nullb0 cat /sys/block/nullb0/queue/zoned 2) Create qtest input: cat >/tmp/vblk-zone-report-oom.qtest <<'EOF' outl 0xcf8 0x80002004 outw 0xcfc 0x0007 outl 0xcf8 0x80002010 outl 0xcfc 0x0000c001 outb 0xc012 0x00 outb 0xc012 0x01 outb 0xc012 0x03 outl 0xc004 0x00000000 outw 0xc00e 0x0000 outl 0xc008 0x00000100 outb 0xc012 0x07 writel 0x00020000 0x00000010 writel 0x00020004 0x00000000 writeq 0x00020008 0x0000000000000000 writeq 0x00100000 0x0000000000020000 writel 0x00100008 0x00000010 writew 0x0010000c 0x0001 writew 0x0010000e 0x0001 EOF for i in $(seq 1 1022); do d=3D$((0x00100000 + i * 16)) n=3D$((i + 1)) printf 'writeq 0x%08x 0x0000000000200000\n' "$d" >> /tmp/vblk-zone-report-o= om.qtest printf 'writel 0x%08x 0x1fe00000\n' $((d + 8)) >> /tmp/vblk-zone-report-oom= .qtest printf 'writew 0x%08x 0x0003\n' $((d + 12)) >> /tmp/vblk-zone-report-oom.qt= est printf 'writew 0x%08x 0x%04x\n' $((d + 14)) "$n" >> /tmp/vblk-zone-report-o= om.qtest done d=3D$((0x00100000 + 1023 * 16)) printf 'writeq 0x%08x 0x0000000000200000\n' "$d" >> /tmp/vblk-zone-report-o= om.qtest printf 'writel 0x%08x 0x1fe00000\n' $((d + 
8)) >> /tmp/vblk-zone-report-oom= .qtest printf 'writew 0x%08x 0x0002\n' $((d + 12)) >> /tmp/vblk-zone-report-oom.qt= est printf 'writew 0x%08x 0x0000\n' $((d + 14)) >> /tmp/vblk-zone-report-oom.qt= est cat >> /tmp/vblk-zone-report-oom.qtest <<'EOF' writew 0x00104000 0x0000 writew 0x00104002 0x0001 writew 0x00104004 0x0000 outw 0xc010 0x0000 EOF 3) Run the qtest input with ASAN build (compile qemu with --enable-asan): build/qemu-system-x86_64 -display none \ -accel qtest -qtest stdio \ -machine pc -nodefaults -m 512M -monitor none -serial none \ -blockdev driver=3Dhost_device,node-name=3Ddisk0,filename=3D/dev/nullb0 \ -device virtio-blk-pci-transitional,drive=3Ddisk0,addr=3D04.0,queue-size=3D= 1024 \ < /tmp/vblk-zone-report-oom.qtest Cc: Sam Li Cc: Damien Le Moal Cc: Dmitry Fomichev Fixes: CVE-2026-5761 Fixes: 4f7366506a9 ("virtio-blk: add zoned storage emulation for zoned devi= ces") Reported-by: Mingyuan Luo Reviewed-by: Damien Le Moal Signed-off-by: Stefan Hajnoczi (cherry picked from commit 4913ae36f9796c55d434dcbfa6bdb9ebb3e5e4b1) Signed-off-by: Michael Tokarev diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c index 5077793e5e..add6ad9d55 100644 --- a/hw/block/virtio-blk.c +++ b/hw/block/virtio-blk.c @@ -38,6 +38,9 @@ #include "hw/virtio/virtio-blk-common.h" #include "qemu/coroutine.h" =20 +/* Internal buffer size limit for zone report */ +#define VIRTIO_BLK_MAX_ZONES_PER_BATCH 4096 + static void virtio_blk_ioeventfd_attach(VirtIOBlock *s); =20 static void virtio_blk_init_request(VirtIOBlock *s, VirtQueue *vq, 
@@ -451,15 +454,22 @@ err: return err_status; } =20 +typedef struct { + unsigned int total_nr_zones; /* max zones to fill in this request */ + unsigned int nr_zones_done; /* how many zones have been filled in = */ + int64_t iov_offset; /* current byte position in in_iov[] */ + int64_t offset; /* current zone report disk offset */ + unsigned int nr_zones; /* for zone report calls */ + unsigned int zones_per_batch; /* size of zone report buffer */ + BlockZoneDescriptor *zones; /* zone report buffer */ +} ZoneReportData; + typedef struct ZoneCmdData { VirtIOBlockReq *req; struct iovec *in_iov; unsigned in_num; union { - struct { - unsigned int nr_zones; - BlockZoneDescriptor *zones; - } zone_report_data; + ZoneReportData zone_report_data; struct { int64_t offset; } zone_append_data; @@ -516,16 +526,15 @@ static bool check_zoned_request(VirtIOBlock *s, int64= _t offset, int64_t len, static void virtio_blk_zone_report_complete(void *opaque, int ret) { ZoneCmdData *data =3D opaque; + ZoneReportData *zrd =3D &data->zone_report_data; VirtIOBlockReq *req =3D data->req; VirtIODevice *vdev =3D VIRTIO_DEVICE(req->dev); struct iovec *in_iov =3D data->in_iov; unsigned in_num =3D data->in_num; - int64_t zrp_size, n, j =3D 0; - int64_t nz =3D data->zone_report_data.nr_zones; + int64_t n; + unsigned nz =3D zrd->nr_zones; int8_t err_status =3D VIRTIO_BLK_S_OK; - struct virtio_blk_zone_report zrp_hdr =3D (struct virtio_blk_zone_repo= rt) { - .nr_zones =3D cpu_to_le64(nz), - }; + struct virtio_blk_zone_report zrp_hdr =3D {}; =20 trace_virtio_blk_zone_report_complete(vdev, req, nz, ret); if (ret) { 
@@ -533,28 +542,18 @@ static void virtio_blk_zone_report_complete(void *opa= que, int ret) goto out; } =20 - zrp_size =3D sizeof(struct virtio_blk_zone_report) - + sizeof(struct virtio_blk_zone_descriptor) * nz; - n =3D iov_from_buf(in_iov, in_num, 0, &zrp_hdr, sizeof(zrp_hdr)); - if (n !=3D sizeof(zrp_hdr)) { - virtio_error(vdev, "Driver provided input buffer that is too small= !"); - err_status =3D VIRTIO_BLK_S_ZONE_INVALID_CMD; - goto out; - } - - for (size_t i =3D sizeof(zrp_hdr); i < zrp_size; - i +=3D sizeof(struct virtio_blk_zone_descriptor), ++j) { + for (unsigned j =3D 0; j < nz; j++) { struct virtio_blk_zone_descriptor desc =3D (struct virtio_blk_zone_descriptor) { - .z_start =3D cpu_to_le64(data->zone_report_data.zones[j].s= tart + .z_start =3D cpu_to_le64(zrd->zones[j].start >> BDRV_SECTOR_BITS), - .z_cap =3D cpu_to_le64(data->zone_report_data.zones[j].cap + .z_cap =3D cpu_to_le64(zrd->zones[j].cap >> BDRV_SECTOR_BITS), - .z_wp =3D cpu_to_le64(data->zone_report_data.zones[j].wp + .z_wp =3D cpu_to_le64(zrd->zones[j].wp >> BDRV_SECTOR_BITS), }; =20 - switch (data->zone_report_data.zones[j].type) { + switch (zrd->zones[j].type) { case BLK_ZT_CONV: desc.z_type =3D VIRTIO_BLK_ZT_CONV; break; @@ -568,7 +567,7 @@ static void virtio_blk_zone_report_complete(void *opaqu= e, int ret) g_assert_not_reached(); } =20 - switch (data->zone_report_data.zones[j].state) { + switch (zrd->zones[j].state) { case BLK_ZS_RDONLY: desc.z_state =3D VIRTIO_BLK_ZS_RDONLY; break; 
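Review bot: The descriptor loop `for (unsigned j = 0; j < nz; j++)` indexes `zrd->zones[j]` with the count the block layer wrote back into `zrd->nr_zones`, while the buffer now holds only `zones_per_batch` entries rather than the guest-requested total. The block layer presumably never reports more zones than were asked for, but since the buffer is now deliberately smaller than the request, that assumption should be explicit before the loop: `g_assert(nz <= zrd->zones_per_batch);`. virtio_blk_zone_report_complete starts before this hunk and continues after it.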
@@ -598,18 +597,47 @@ static void virtio_blk_zone_report_complete(void *opa= que, int ret) } =20 /* TODO: it takes O(n^2) time complexity. Optimizations required. = */ - n =3D iov_from_buf(in_iov, in_num, i, &desc, sizeof(desc)); + n =3D iov_from_buf(in_iov, in_num, zrd->iov_offset, &desc, sizeof(= desc)); if (n !=3D sizeof(desc)) { virtio_error(vdev, "Driver provided input buffer " "for descriptors that is too small!"); err_status =3D VIRTIO_BLK_S_ZONE_INVALID_CMD; + goto out; } + + zrd->iov_offset +=3D sizeof(desc); + } + + if (nz > 0) { + BlockZoneDescriptor *zone =3D &zrd->zones[nz - 1]; + zrd->offset =3D zone->start + zone->length; + } + + zrd->nr_zones_done +=3D nz; + + /* Call zone report again if the end hasn't been reached yet */ + if (nz =3D=3D zrd->zones_per_batch && + zrd->nr_zones_done < zrd->total_nr_zones) { + zrd->nr_zones =3D MIN(zrd->zones_per_batch, + zrd->total_nr_zones - zrd->nr_zones_done); + blk_aio_zone_report(req->dev->blk, zrd->offset, &zrd->nr_zones, + zrd->zones, virtio_blk_zone_report_complete, d= ata); + return; + } + + /* Fill in header now that all zones have been reported */ + zrp_hdr.nr_zones =3D cpu_to_le64(zrd->nr_zones_done); + n =3D iov_from_buf(in_iov, in_num, 0, &zrp_hdr, sizeof(zrp_hdr)); + if (n !=3D sizeof(zrp_hdr)) { + virtio_error(vdev, "Driver provided input buffer that is too small= !"); + err_status =3D VIRTIO_BLK_S_ZONE_INVALID_CMD; + goto out; } =20 out: virtio_blk_req_complete(req, err_status); g_free(req); - g_free(data->zone_report_data.zones); + g_free(zrd->zones); g_free(data); } =20 @@ -621,7 +649,8 @@ static void virtio_blk_handle_zone_report(VirtIOBlockRe= q *req, VirtIODevice *vdev =3D VIRTIO_DEVICE(s); unsigned int nr_zones; ZoneCmdData *data; - int64_t zone_size, offset; + ZoneReportData *zrd; + int64_t offset; uint8_t err_status; =20 if (req->in_len < sizeof(struct virtio_blk_inhdr) + 
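Review bot: The early `return;` after re-issuing `blk_aio_zone_report()` intentionally leaves `req`, `data` and `zrd->zones` allocated for the next completion, and that hand-over is not documented anywhere in the function. A comment at that return, such as `/* req, data and zrd->zones are released by the final completion */`, would keep a later edit from adding a free or a `goto out` there and turning it into a double free or use-after-free. The header is now written only after the last batch, so a failure in a later batch completes the request with descriptors already copied to the guest buffer but no header; that looks harmless because the status byte reports the error, but the comment above the header write should say so.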
@@ -643,16 +672,21 @@ static void virtio_blk_handle_zone_report(VirtIOBlock= Req *req, trace_virtio_blk_handle_zone_report(vdev, req, offset >> BDRV_SECTOR_BITS, nr_zon= es); =20 - zone_size =3D sizeof(BlockZoneDescriptor) * nr_zones; data =3D g_malloc(sizeof(ZoneCmdData)); data->req =3D req; data->in_iov =3D in_iov; data->in_num =3D in_num; - data->zone_report_data.nr_zones =3D nr_zones; - data->zone_report_data.zones =3D g_malloc(zone_size), =20 - blk_aio_zone_report(s->blk, offset, &data->zone_report_data.nr_zones, - data->zone_report_data.zones, + zrd =3D &data->zone_report_data; + zrd->total_nr_zones =3D nr_zones; + zrd->nr_zones_done =3D 0; + zrd->iov_offset =3D sizeof(struct virtio_blk_zone_report); + zrd->offset =3D offset; + zrd->zones_per_batch =3D MIN(nr_zones, VIRTIO_BLK_MAX_ZONES_PER_BATCH); + zrd->zones =3D g_malloc(zrd->zones_per_batch * sizeof(BlockZoneDescrip= tor)); + + zrd->nr_zones =3D zrd->zones_per_batch; + blk_aio_zone_report(s->blk, offset, &zrd->nr_zones, zrd->zones, virtio_blk_zone_report_complete, data); return; out: --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619866; cv=none; d=zohomail.com; s=zohoarc; b=PIMmNZhjwPWjZh4bvofnUAPvif0N00/pEr9bePT71UhEM0H14SSqISEzdMUJJJAQh4fzb7TUOux6lqjo8tjzl6fd3nz7nluMscPxG9JZU33dh1waeBKi4CC99jEh/72j/9VOnVFH83eh7/PeLfJ3qwL3UqRYlGAqnqAL85zw0sQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619866; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=KSX2EuakFpesHalP6H1qnAeA83Evy6iwTKaDXddY8AE=; 
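Review bot: `g_malloc(zrd->zones_per_batch * sizeof(BlockZoneDescriptor))` is overflow-safe only because of the `MIN()` with VIRTIO_BLK_MAX_ZONES_PER_BATCH on the line before; the typed form `zrd->zones = g_new(BlockZoneDescriptor, zrd->zones_per_batch);` carries its own overflow check and does not depend on that neighbouring line. `data` is still allocated with plain `g_malloc(sizeof(ZoneCmdData))`, so every ZoneReportData field has to be assigned by hand as done here; `g_new0(ZoneCmdData, 1)` would make a field added later start out zeroed. The function begins before this hunk, including the computation of `nr_zones` from the guest-supplied buffer length.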
b=b2Stv0ocQyFRgfX/kavSzj1WPSJ6qVccMkitgmPLeTk7hXtdD6C7K6lmMjGYJFGfQ+sl71yLQMRGdhLyqZzhHrJSQmQodj8wvdSiRhnIlyse70M9AXcXo6M+F6zFESSqhH37Kkzi4pZJW1nTIGFRcUiSjIb6g3eOylJxBIKNNuw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619866323101.06628959025625; Tue, 12 May 2026 14:04:26 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuEm-0007yc-E8; Tue, 12 May 2026 17:01:56 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDK-0005eS-3y; Tue, 12 May 2026 17:00:26 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDI-0005de-34; Tue, 12 May 2026 17:00:25 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id ECF521AA304; Tue, 12 May 2026 23:54:36 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 035673ABC75; Tue, 12 May 2026 23:54:41 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619276; bh=xcmbAb679+u1NHzSjARVhUGbo4dVqE2enyKyDONBdjA=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=lisVrl9e2FFV5/7OmyiOIK4TLyyf4WYa7vwiWjLrlC6jD9zUKrbxnI4fonjF2yDGV W7r9mFdEs/Nw6tKIqzY8UwsW0x9PUrfax4jYjNwXlltkwzYnm7QIbqwzoaTcRa29n9 sphSbZ9rRjXTApPBLT2pfqIYc/h74dcabwhjv1jIR4nDAivNgV97ujD23NdD2EddRL PDiBj8dEE1L8mbyrfZY2NWynhIAK8JcSQP024tIftmzDJ4LruRDNtKnenlA/DHRBYe 
Z0uu9iXjUkZ1RPSF6Y5e3W/0XodcoIWDiWD8NUxdJEmGY8zFc9ijss4drFWlWAf9WA vwIvU+JjVJIUw== From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Bernhard Beschow , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Akihiko Odaki , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.10 056/107] util/cutils: Fix heap corruption under Windows Date: Tue, 12 May 2026 23:53:43 +0300 Message-ID: <20260512205437.360850-56-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619868473154100 
From: Bernhard Beschow Under Windows, QEMU would only sporadically start successfully. In the G_OS_WIN32 case, get_relocated_path() first determines a cursor to the end of the "result" string and then increases its size with g_string_set_size(). Since g_string_set_size() may reallocate, the cursor may become dangling. Windows may detect this and crash the QEMU process with the following message: HEAP: Free Heap block 000000000499B640 modified at 000000000499B684 after= it was freed Furthermore, QEMU crashes spontaneously, even long after the guest has booted. For example, it presumably crashes due to the guest setting a new cursor icon which may be a result of the heap corruption. Fix this by determining the cursor on the resized string. Fixes: cf60ccc3306c ("cutils: Introduce bundle mechanism") Cc: qemu-stable@nongnu.org Signed-off-by: Bernhard Beschow Reviewed-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Akihiko Odaki Message-id: 20260414114033.2360-1-shentey@gmail.com Signed-off-by: Peter Maydell (cherry picked from commit f1b1db98cc3b7212d7efffab516d38d0a913f432) Signed-off-by: Michael Tokarev diff --git a/util/cutils.c b/util/cutils.c index 9803f11a59..76a9442085 100644 --- a/util/cutils.c +++ b/util/cutils.c 
@@ -1165,9 +1165,10 @@ char *get_relocated_path(const char *dir) =20 PCWSTR wdir_skipped_root; if (PathCchSkipRoot(wdir, &wdir_skipped_root) =3D=3D S_OK) { + char *cursor; size =3D wcsrtombs(NULL, &wdir_skipped_root, 0, &(mbstate_t){0= }); - char *cursor =3D result->str + result->len; g_string_set_size(result, result->len + size); + cursor =3D result->str + result->len - size; wcsrtombs(cursor, &wdir_skipped_root, size + 1, &(mbstate_t){0= }); } else { g_string_append(result, dir); --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619866; cv=none; d=zohomail.com; s=zohoarc; b=edAhX+EK+lkQ2VjRgQ1eaMW/Vq83xB32btS64c6w4MSUq6Pi1U9to2+QmAqWhudhz4cc1T72WALkf9mOpYmNjdsRw0ie9nenK/p5uEx8WmbeeL5EPKkm4puX50JMjGAE+FAnwwJceZf5EbOZx5Oo9nuP1ezOVgGKXcDlM/mz4pg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619866; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=nYl3KMS+IqPKH3ApJP93j4xPEFSCxoz562urrt9bOXM=; b=KjbH4q2z2e1jGJb6k/lCI5X/Mxh5YiqpMUuXDys9PbhMNydQsnpfnrKjmXYJ7u1AthsvVLusHrnfrcKmE+f1jvGCv34h/lTWkMNl9D8VMML0FQ5qRBA6udspubVRcIo6fduNyXIWKidqqErbIw6jaCbaSrTi2ubyMg7ws/Mh1nc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619866037918.1879846250692; Tue, 12 May 2026 14:04:26 -0700 (PDT) Received: 
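Review bot: The result of the sizing call `wcsrtombs(NULL, &wdir_skipped_root, 0, ...)` is still used unchecked: on a conversion failure it returns `(size_t)-1`, and `g_string_set_size(result, result->len + size)` together with the new `- size` cursor arithmetic would then operate on a wrapped length. A failure is unlikely if wdir was itself produced from `dir`, but a guard such as `if (size == (size_t)-1) { g_string_append(result, dir); }` before the resize would close the case. It would also be more robust to save the old length first (`gsize old_len = result->len;`) and set `cursor = result->str + old_len` rather than subtracting. get_relocated_path extends beyond this hunk and the declaration of `size` is not visible, so its type is assumed to be size_t.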
from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuF2-0000HV-V9; Tue, 12 May 2026 17:02:13 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDL-0005jn-Cu; Tue, 12 May 2026 17:00:27 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDJ-0005e3-8N; Tue, 12 May 2026 17:00:27 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 06D3C1AA305; Tue, 12 May 2026 23:54:37 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 138363ABC76; Tue, 12 May 2026 23:54:41 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619277; bh=kZIkeKSO5sM3uiD2kSKg10e3vxHrK44x84Oc8zBf7w4=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=XOOIq3jW6V8bc3npp6WTJnydj8wFUnrgnI4G4sTD9YrqHFx4UQWjkAblViQIpiB0n 0TNJrHNBvWZTpJ1jsWSRb99BlJnp3gMNKcx5NMPzFhhG2tRQJDBuvw8Noq9inVOaRb anyPwou4kcj0YMY82u+JXswMHh4HG/9VEGA8iXNJcdtv+KMxahqabQn2KDin0+ekuG StXjPdueBzjValVn/V2VQXm6B4bdJsmyzHoB5U3HmNj1zaUT/bytXgQrnkyFfZtBPH e5Hbr3KLt4V9MrM2XmF4uYHGTHU3FX/nJB/F0q99W0+QhWoPGsaWZqxCtw7wQBVV9o v06xEJNrlWBVQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Werner de Carne , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , Michael Tokarev Subject: [Stable-10.0.10 057/107] serial COM: windows serial COM PollingFunc don't sleep Date: Tue, 12 May 2026 23:53:44 +0300 Message-ID: <20260512205437.360850-57-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619868648154100 From: Werner de Carne Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1802 Signed-off-by: Werner de Carne [ Marc-Andr=C3=A9 - indentation fixes ] Signed-off-by: Marc-Andr=C3=A9 Lureau Message-ID: <20230807201443.2668-1-werner@carne.de> (cherry picked from commit 7437b3eab6af1d31bb7fdfb3ac4e0a4de6ada50b) Signed-off-by: Michael Tokarev diff --git a/chardev/char-win.c b/chardev/char-win.c index d4fb44c4dc..a17c36cda6 100644 --- a/chardev/char-win.c +++ b/chardev/char-win.c 
@@ -28,7 +28,7 @@ #include "qapi/error.h" #include "chardev/char-win.h" =20 -static void win_chr_read(Chardev *chr, DWORD len) +static int win_chr_read(Chardev *chr, DWORD len) { WinChardev *s =3D WIN_CHARDEV(chr); int max_size =3D qemu_chr_be_can_write(chr); @@ -40,7 +40,7 @@ static void win_chr_read(Chardev *chr, DWORD len) len =3D max_size; } if (len =3D=3D 0) { - return; + return 0; } =20 ZeroMemory(&s->orecv, sizeof(s->orecv)); @@ -56,6 +56,8 @@ static void win_chr_read(Chardev *chr, DWORD len) if (size > 0) { qemu_chr_be_write(chr, buf, size); } + + return size > 0 ? 1 : 0; } =20 static int win_chr_serial_poll(void *opaque) @@ -67,8 +69,9 @@ static int win_chr_serial_poll(void *opaque) =20 ClearCommError(s->file, &comerr, &status); if (status.cbInQue > 0) { - win_chr_read(chr, status.cbInQue); - return 1; + if (win_chr_read(chr, status.cbInQue)) { + return 1; + } } return 0; } 
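Review bot: win_chr_read() now returns an int that both pollers treat as a boolean, but the meaning of the value is undocumented, and the `len == 0` early exit and a read that delivers nothing both collapse into 0. A one-line comment above the function, e.g. `/* Returns 1 if data was passed to the backend, 0 if nothing was read */`, would make the contract clear, and `bool` would express it better than `int`. In win_chr_serial_poll the nested ifs can shrink to `return status.cbInQue > 0 && win_chr_read(chr, status.cbInQue);`, and the same applies to win_chr_pipe_poll in the last hunk of this patch. The return values of ClearCommError() and PeekNamedPipe() remain unchecked, which predates this change.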
@@ -147,8 +150,9 @@ int win_chr_pipe_poll(void *opaque) =20 PeekNamedPipe(s->file, NULL, 0, NULL, &size, NULL); if (size > 0) { - win_chr_read(chr, size); - return 1; + if (win_chr_read(chr, size)) { + return 1; + } } return 0; } --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620405; cv=none; d=zohomail.com; s=zohoarc; b=UH3tmw7i0Oj+GdkYQqPlMf4fPD9urjADTWIMhk9jaSc+Gf56xeHRNTOimS9jThAD7aiBetkjTzMyX43sQFK6yAWSHowIE97P6CiCYqX0SrBDbzAuwSKUZCllv2epY9NIpwSFI8roHU9eMDjuphVJbYZfTDufkLhobOVPOUnIYmU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620405; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=lrAjd45F5zziNyWA4EHYIzX/YGMFP/o9/MXN1tqJuYI=; b=RIJX2mEboA0Cnlbq+bsd4bkGCHMxGT/QC6PIiQB4BvnxZQfOdQwdfmeTC7nwqqBkIbGXdqSpQOdoSfo10V5MVeMQNU3Od8kjXJMsM4faZjPRrVlnqk7dLlxpfVXy9TlbL7nu50SYbHzeX/eL9J9dJCIgERxF18+lXj9sFRqupO4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620405807699.4923677995442; Tue, 12 May 2026 14:13:25 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuFI-0000pJ-Ru; Tue, 12 May 2026 17:02:33 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps 
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDN-0005rl-Gx; Tue, 12 May 2026 17:00:29 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDL-0006Dn-NS; Tue, 12 May 2026 17:00:29 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 16A3F1AA306; Tue, 12 May 2026 23:54:37 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 22F953ABC77; Tue, 12 May 2026 23:54:41 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619277; bh=NKASA8j8e/Rz3S+oKweDj6mSgKRTbS9+ieSzwNzV7Hk=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=i1zeYV0oWTGEiQdwCKbtwPgHycW/eAazO5k6OZqrwpEQB84OA5tsBLcBIA5AS/pZ9 64G+tsrr4cKoWac8kZ6/WyCf3lbNCDAhb5dmXQC50pX6d2uulVXSP8SPQCExgw4JMR d8Cc8FagPlJZDGOtlV84O1I8iLppt7xqwi7BWlRK9JLIUJo5PLZDOjjPYqSuF1CoZ8 mTZuxrjX4Iufh9a9A8qYpeYIIDCoWg2mLfrwkZsu1d0TGaNf4LU0adNu3DIfUiYMnI y6GIrU95TkKUrMxoMl0ZuNWm83iUzk2Kw5Mhig8AYmhreycD9b+2Kbr2/8uojUUJLe kkMP95xPtIhig== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, GuoHan Zhao , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , Michael Tokarev Subject: [Stable-10.0.10 058/107] ui/spice-app: detect runtime directory creation failures Date: Tue, 12 May 2026 23:53:45 +0300 Message-ID: <20260512205437.360850-58-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620408199154100 
From: GuoHan Zhao spice_app_display_early_init() creates the per-VM runtime directory with g_mkdir_with_parents() before setting up the Spice socket. The code checks for "< -1", but g_mkdir_with_parents() returns -1 on failure, so the error path is never taken. This lets spice-app continue after a directory creation failure and defers the problem to later setup steps. Check for "< 0" instead so the failure is reported immediately and spice-app exits before using an invalid runtime directory. Fixes: d8aec9d9f129 ("display: add -display spice-app launching a Spice cli= ent") Signed-off-by: GuoHan Zhao Reviewed-by: Marc-Andr=C3=A9 Lureau Message-ID: <20260408031725.641417-1-zhaoguohan@kylinos.cn> (cherry picked from commit 52cf667ed2285aa2d08db6abed46cdba5c14f9aa) Signed-off-by: Michael Tokarev diff --git a/ui/spice-app.c b/ui/spice-app.c index 91e258a621..f6d494fddd 100644 --- a/ui/spice-app.c +++ b/ui/spice-app.c 
@@ -153,7 +153,7 @@ static void spice_app_display_early_init(DisplayOptions= *opts) if (qemu_name) { app_dir =3D g_build_filename(g_get_user_runtime_dir(), "qemu", qemu_name, NULL); - if (g_mkdir_with_parents(app_dir, S_IRWXU) < -1) { + if (g_mkdir_with_parents(app_dir, S_IRWXU) < 0) { error_report("Failed to create directory %s: %s", app_dir, strerror(errno)); exit(1); --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620085; cv=none; d=zohomail.com; s=zohoarc; b=IJ1Yw2/M50HBtxlJD4GcFMr7SpbGeQfVs7CGEZ6gz3aDji8rtp1mT49Y/fpEa44T5d3YUG0mrvKr/KUVG8Uda6lLWLWieUyMhMLO8fWbDO284DweF9l9BhlhA+n9g8b3a17agdXv/9f4xIK3twh8+bFhfjfRBGX0LFBERD4Tl7A= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620085; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=hxs+1W8LEh0NXBL0+H4ua9UceNKI9QGV4NOGp03g2eA=; b=RY3+VzZL+2UJhynU7FrIg6KUSNCS5xfC3HyCYCf6dkVWMrvNDqhYGrw3vbRT3hU3J3I+2G1jEgV+boQm3uE3nlY7j0UKiXNON5pNQvd4/6BY9GQJSuqDrZxtlqJAIMoWAcuFgYEPXy1aDkrT8lOJKcZ/CLX++3SGnyW6zGgryMA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620085167437.5860051546356; Tue, 12 May 2026 14:08:05 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 
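Review bot: `g_mkdir_with_parents()` also returns 0 when `app_dir` already exists, so even with the corrected `< 0` test the `S_IRWXU` mode is only guaranteed for a directory that this call creates. The commit message says the Spice socket is set up under this path afterwards (that code is outside the hunk), so it may be worth checking after the mkdir that an existing directory is owned by the current user and is not group- or world-accessible. `qemu_name` is used as a path component as-is; whether path separators in it are rejected earlier is not visible here. The function continues past the end of the hunk.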
1wMuFc-0001Ci-I4; Tue, 12 May 2026 17:02:51 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDO-0005xr-Pt; Tue, 12 May 2026 17:00:30 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDM-0006E6-Uu; Tue, 12 May 2026 17:00:30 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 30CD31AA307; Tue, 12 May 2026 23:54:37 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 31A743ABC78; Tue, 12 May 2026 23:54:41 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619277; bh=Py7NJzypQwz5h80LC3W5+B+gYtnyfPaJkbxftS0PS+c=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=fOf7WqtPHekoJVoCA68G0IFL1vutrPv8S8yFouPanONT7P7Rm/+IEuyP2oAAOAI// gDB0Q+nwC5vrMbCw/saSZ7ExastQORF//PVi0zpdrEDpI/q3bhwrRivDbnVJ95Vgnt bwHEDGzHn8Q3FCf1g/HRrvIapbkj74VYehd5w+ugHSNX3v3QJupfCsfJYf7nQBuzJk lnDpSoWZOzOjCf3+v6dPkxEaPrMxB9k5E9ynHEocRoW9jrhsDb8cRAKaVyRxAOH5DE 7DP5y5cUq0wBSXtzs3cdZXcYrV6SfjaRWdzItbV1fqzHxvElJ+OniyU+wTVfbNpInu 28LHEbnb8r4iw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.10 059/107] ui/console-vc: fix off-by-one in CSI J 2 (clear entire screen) Date: Tue, 12 May 2026 23:53:46 +0300 Message-ID: <20260512205437.360850-59-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620086417158500 From: Marc-Andr=C3=A9 Lureau The loop condition used `y <=3D s->height` instead of `y < s->height`, causing vc_clear_xy() to be called with y =3D=3D s->height. This clears a row in the scrollback buffer beyond the visible screen. Reviewed-by: Daniel P. Berrang=C3=A9 Reviewed-by: Philippe Mathieu-Daud=C3=A9 Signed-off-by: Marc-Andr=C3=A9 Lureau (cherry picked from commit 181fdf8a7e13c0460a26777ff9301e0ecdca3784) Signed-off-by: Michael Tokarev 
diff --git a/ui/console-vc.c b/ui/console-vc.c index df1341513d..f4aaf6950d 100644 --- a/ui/console-vc.c +++ b/ui/console-vc.c 
@@ -899,7 +899,7 @@ static void vc_putchar(VCChardev *vc, int ch) break; case 2: /* clear entire screen */ - for (y =3D 0; y <=3D s->height; y++) { + for (y =3D 0; y < s->height; y++) { for (x =3D 0; x < s->width; x++) { vc_clear_xy(vc, x, y); } --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619946; cv=none; d=zohomail.com; s=zohoarc; b=bpWzB8QdtQA9cCC6ODKKlHyA1IZ/wB6IHp/4XRm6S3dljCGSaRNbfGUWky3vdVcSHXLwwkv6JDs+k8/lredKRPh+c6SX6quRSC6fqpeJBGdmVQaYsCmnozLTl3e62Lpm0DF+hb2xq2lakLqQgFNuaawmIeRihrK/yl2vk+6mXqo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619946; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=VXIchmpTZMr9bWB6vjquPgd93w71+GzgJwgeO/eUSkw=; b=asYdfsI/3JiVZBI2cB9I2kVArsZGTwI2f2OdNbAshTErXtB0K9qhkyIE+90L5OeAmRYiq5AlIoPEhVdQznRbKFMfg+SMhvyOAn2R5fhn/s5aVURgEmdpE7cE/Tr+lVmyJp2KbHfnwg/DW/uUlw4xlcHXhERCIoMyIkag1zIeLcM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619946447471.55755584515055; Tue, 12 May 2026 14:05:46 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuEo-0008Bv-Ep; Tue, 12 May 2026 17:01:59 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps 
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDQ-0006Da-VA; Tue, 12 May 2026 17:00:33 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDP-0006Ed-41; Tue, 12 May 2026 17:00:32 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 4C5151AA308; Tue, 12 May 2026 23:54:37 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 4BFCD3ABC79; Tue, 12 May 2026 23:54:41 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619277; bh=M+N+5W0ciyI4YcjsoclU0l9rS1hi0yRTWV8xVz+rWEY=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=IZKWZmwC/JOKPTgybdkuKvX+aE9ca3qsVNEWvrAZUx0GoxTImej3kjzP+e22tkzBP UmzvFjUukqC5Up7Tr33VBHwdNN8VbYeCVZUdkQTrC6Q2qYQH2VOIXGY10BvgUSEqxj OemEDkgAQl8XrPM0qFcGSanjIgHCXU0w/Em+HkyOFkZGJ//I0YJfsRnOO3xvMw7y3L Kcjn528f2o9t3ridc+Kq9zFxu/NDNwi/OqFGXqBb5dxr/MiNjNlFcjF9qarxwV7J6n 13gYiWeS3Vy5XqKIeVn107jWyVCevNdT7aNbV/byXWS1mAZS+xWgRmi4S1EY6A6E9q 2HArlgFjU2OJg== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Pierrick Bouvier , Richard Henderson , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.10 060/107] target/arm/tcg/translate.c: remove MO_TE usage Date: Tue, 12 May 2026 23:53:47 +0300 Message-ID: <20260512205437.360850-60-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619947996154100 Content-Type: text/plain; charset="utf-8" From: Pierrick Bouvier dc->be_data is already set just above in the same function: ``` dc->be_data =3D EX_TBFLAG_ANY(tb_flags, BE_DATA) ? MO_BE : MO_LE; ``` Cc: qemu-stable@nongnu.org Fixes: a729a46b05a ("target/arm: Add wrapper macros for accessing tbflags") Reviewed-by: Richard Henderson Signed-off-by: Pierrick Bouvier Message-id: 20260407222208.271838-12-pierrick.bouvier@linaro.org Signed-off-by: Peter Maydell (cherry picked from commit 027ad866bd2984a8fc50b41d235aabf14711df3e) Signed-off-by: Michael Tokarev 
diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c index 7e749fc15b..86a6888ab2 100644 --- a/target/arm/tcg/translate.c +++ b/target/arm/tcg/translate.c 
@@ -7602,7 +7602,6 @@ static void arm_tr_init_disas_context(DisasContextBas= e *dcbase, CPUState *cs) =20 if (arm_feature(env, ARM_FEATURE_M)) { dc->vfp_enabled =3D 1; - dc->be_data =3D MO_TE; dc->v7m_handler_mode =3D EX_TBFLAG_M32(tb_flags, HANDLER); dc->v8m_secure =3D EX_TBFLAG_M32(tb_flags, SECURE); dc->v8m_stackcheck =3D EX_TBFLAG_M32(tb_flags, STACKCHECK); --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619882; cv=none; d=zohomail.com; s=zohoarc; b=NyohLa2nzTKOgMzllT17yzCVqIIFYdrSdkl8GMJcLVYDZSg42YQ2mvgq7A7W4EhDqdoJtyDBfMH1UkHlOzOrNtKuW3zGdw1Cayv7ylWrPKW0xnNkKKoCkHsulOFFK/5lBvyqwZ3bmbd/rvkX/g7ukiI+A0F3jnbpalj8APdbqQ8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619882; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=pDGP9A/YwwinD/lARtLc1IJqI2d98QBeT7x1GYYqA8g=; b=ZLQnyGdL4Nh7y8dWWwA6VdYYueFh4Gtu1vovepv8gPFe6n0jhNQtLjgUQJAlVhqnck18FmPLgnkafOSHCLhAzT/dehZbzKpljm2vsAxO1y1dJ0CL2x2ctZWqYV1akbZkXb0DB/DvKVjo3cmiwVBvDf2vfPOjjPhPF/AiuuDgGPE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619882979690.7631671935641; Tue, 12 May 2026 14:04:42 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 
1wMuF2-0000Bx-9k; Tue, 12 May 2026 17:02:12 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDm-0006oE-U6; Tue, 12 May 2026 17:01:00 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDk-0006FH-Ch; Tue, 12 May 2026 17:00:53 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 65BF51AA309; Tue, 12 May 2026 23:54:37 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 679223ABC7A; Tue, 12 May 2026 23:54:41 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619277; bh=xNZnN53MRSuQNw6Xs1J/vBuageW50TYXTiDQdVI4E9I=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=U5rDH4SHBtBlRjX5H5PWmuw8mjNq4aDv5T9kiGggq9DBaT3L12eavuHP6UWRgFb1V rkVkt/Nr2uvbe6chM6nmNpMqJny05MImvso8AGvRfXcz5nrVrXvt24k4fJhtEXKgQc 15VS8MEWFZdGrFDFg/LTuFmepaIDYxuv2WGEoaz3UoDX6X+JK8jkj4wJMmZ9zIae0s 1EqSEGZYypBbA612A3RLm5xuouV7x9nnduUUlLWfW6RxyVMWlZ7MJwMf5Tls6R0Nl9 hifRHGjNjjVTE/avrEahljBbyDY+K42V2tQl8RfcKKYbcqsmB5uWmxvt5AL0Rkky/8 ctl8S1ltYIdDg== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , Paolo Bonzini , Michael Tokarev Subject: [Stable-10.0.10 061/107] target/i386: fix strList leak in x86_cpu_get_unavailable_features Date: Tue, 12 May 2026 23:53:48 +0300 Message-ID: <20260512205437.360850-61-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619884760154100 From: Marc-Andr=C3=A9 Lureau The result list built by x86_cpu_list_feature_names() was never freed after being visited, causing a memory leak detected by ASan. (the getter visitor is VISITOR_OUTPUT kind and doesn't own data) Fixes: 506174bf8219 ("i386: "unavailable-features" QOM property") Signed-off-by: Marc-Andr=C3=A9 Lureau Link: https://lore.kernel.org/r/20260413125040.3842686-1-marcandre.lureau@r= edhat.com Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit 87e1226e6f6844845ac407d50198d84205e7ed7f) 
Signed-off-by: Michael Tokarev diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 9401258a54..de9a0973d9 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c 
@@ -6221,6 +6221,7 @@ static void x86_cpu_get_unavailable_features(Object *= obj, Visitor *v, =20 x86_cpu_list_feature_names(xc->filtered_features, &result); visit_type_strList(v, "unavailable-features", &result, errp); + qapi_free_strList(result); } =20 /* Print all cpuid feature names in featureset --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619948; cv=none; d=zohomail.com; s=zohoarc; b=a5tTRpl372QRP6ZGyiSDGJIWn8yisl1JarENnECvA0D+Rd7Ca5vQJV9vLq9bnlalOyrWEQemeilopb+EbA3WolqGW73JplRM21JI9Zkxz5rVkYdpWLbYAryb3LrlUcdlWciSAo+3+W55OdRSHMbk4S21WZF7tSynqwNIh6iTAGM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619948; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=vkdc2Rstd5gricKVTJAa37WFK0Uu4WYyHDY6nfdk7TA=; b=OK73FMhlCnBkSWf6CHlwbg3idxWkQ0t3eEh/aQJJCmYq3kK9At+Jo7wTt1e3mD5E5hHoqucacgV+3YkqqbOEBo5lRvl8olgI/3mBF1jE3Km2DcyMqLJNgG8DegVzB3we/W9e0SUmzYBmdR0gnS6x3dLD1R+XAvpLmFPGYWVuEqo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619948408771.5018746967264; Tue, 12 May 2026 14:05:48 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuGb-00027o-4H; Tue, 12 May 2026 17:03:49 -0400 Received: from eggs.gnu.org 
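Review bot: The added `qapi_free_strList(result);` covers the one exit path that exists today, and it relies on `result` being initialised to NULL at its declaration, which is outside the hunk. If the generated autoptr cleanup for `strList` is available in this branch, declaring it as `g_autoptr(strList) result = NULL;` would free the list on every return path and make the explicit call unnecessary. Alternatively, a one-line comment such as `/* the output visitor does not take ownership of result */` next to the free would record why the getter must release it.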
([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDo-0006qf-Jj; Tue, 12 May 2026 17:01:01 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDm-0006Fk-FF; Tue, 12 May 2026 17:00:56 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 748F81AA30A; Tue, 12 May 2026 23:54:37 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 80AD13ABC7B; Tue, 12 May 2026 23:54:41 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619277; bh=NbkwXb1Gi680e8oCc6FrubMsy+d2+Gpa+KdzunAAzdM=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=ZUSDhPR6MbfXYfxaCX4duHMoDUiBmhUz+XvX0xWtEUMALTKSF7Zz5UfqE63kNX0NE /RpgPnnO4ZV2N+CRMdMEMy9ZI0F1v8Wab5oArhBIZTPgyjdc359lL8su4YvTsNVw2R N9BaMvnQasyRfBs6Y90tUWdEgSLnMoazf/D4ZqHTEh8mFLl/09RvyxOH2W/UzZJ5LV uXMrxpuIesB64TZk2/PIvElVWQP+k2d7EyamcNOZb8sEb8ssOAZwbP08OjT45aF5jX 1dZF1Xpk8FXgeMdVVDUwj2QPmzIMFNauPwxH3c5qB3Q3S1zf6wuSvzeF2vUiMpAxw4 YHu58Nh8XwRkQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Simon Scherer , Paolo Bonzini , Michael Tokarev Subject: [Stable-10.0.10 062/107] target/i386: fix missing PF_INSTR in SIGSEGV context Date: Tue, 12 May 2026 23:53:49 +0300 Message-ID: <20260512205437.360850-62-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619950067154100 Content-Type: text/plain; charset="utf-8" From: Simon Scherer When running linux-user emulation, the SIGSEGV handler does not correctly set the 4th bit (PF_INSTR) in the error_code variable of the context argument (context->uc_mcontext.gregs[REG_ERR]). Because this bit is never set, guest applications cannot distinguish if a fault was due to missing executable permissions. This patch ensures that when a page fault occurs during an instruction fetch, the PF_INSTR flag is properly populated in the signal context. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3384 
Signed-off-by: Simon Scherer Link: https://lore.kernel.org/r/20260413115622.160212-1-scherer.simon89@gma= il.com Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit 3eae91a8b93a35f194a39ab5b894ae405def9270) Signed-off-by: Michael Tokarev diff --git a/target/i386/tcg/user/excp_helper.c b/target/i386/tcg/user/excp= _helper.c index b3bdb7831a..2bb088a4ee 100644 --- a/target/i386/tcg/user/excp_helper.c +++ b/target/i386/tcg/user/excp_helper.c 
@@ -37,9 +37,10 @@ void x86_cpu_record_sigsegv(CPUState *cs, vaddr addr, * signal and set exception_index to EXCP_INTERRUPT. */ env->cr[2] =3D addr; - env->error_code =3D ((access_type =3D=3D MMU_DATA_STORE) << PG_ERROR_W= _BIT) - | (maperr ? 0 : PG_ERROR_P_MASK) - | PG_ERROR_U_MASK; + env->error_code =3D (maperr ? 0 : PG_ERROR_P_MASK) + | ((access_type =3D=3D MMU_DATA_STORE) << PG_ERROR_W_B= IT) + | PG_ERROR_U_MASK + | ((access_type =3D=3D MMU_INST_FETCH) ? PG_ERROR_I_D_= MASK : 0); cs->exception_index =3D EXCP0E_PAGE; =20 /* Disable do_interrupt_user. */ --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620176; cv=none; d=zohomail.com; s=zohoarc; b=n5kcWoCElT8MSQtTi6b23noV6h1PwSueZDISgo5DmHYa2rxZqH8zvOWeteo3agNlFBKKC0nBB0v6ogcxJhznGdDlan37fiC7tr64ne2S2HyP07HEvpAL07bewE07q6hGIcIagU6bwN8lICnaS2oJWa+CH7TUBCwfff93mUXWBSI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620176; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=leUK9sM4JHxSeaKW69gi2zqh1bis+Bdw5E876FpjvwE=; b=Aq3iR6O+P1EJbaULrzjHVuyuGvYSVHBadgkF9i3nIclqZzNgYoLcahAIi2IvQ0mQTC+R0FvSiIAcuCleWWDnET28tzx/E+HQokHfrmnrsTr/M6cu5Tcpbu2Kh1ANLNRqv9mS8mn4Hq275d4lylpC+JhpCSn9f7SjjOv8pEv246M= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 
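Review bot: The rewritten `env->error_code` expression mixes two idioms: the write bit is still built as `(access_type == MMU_DATA_STORE) << PG_ERROR_W_BIT`, while the new instruction-fetch bit uses a ternary with `PG_ERROR_I_D_MASK`. Writing the write bit as `| (access_type == MMU_DATA_STORE ? PG_ERROR_W_MASK : 0)` would make all four terms read the same way. A short comment such as `/* I/D lets the guest SIGSEGV handler tell an execute fault from a data read */` would record why the bit is set, since guest code may base its fault-handling decisions on it. The function starts before the hunk and continues after it.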
1778620176019422.18914050664296; Tue, 12 May 2026 14:09:36 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuFF-0000nE-4p; Tue, 12 May 2026 17:02:25 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDr-0006u1-Q5; Tue, 12 May 2026 17:01:04 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDo-0006Kp-Lz; Tue, 12 May 2026 17:00:58 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 82FCD1AA30B; Tue, 12 May 2026 23:54:37 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 8FC663ABC7C; Tue, 12 May 2026 23:54:41 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619277; bh=Qo7kYxkZn0wfyJNicK4URkwuAV21Bh94qqzwMeeJlk8=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=U0hprS+hIMcwA4RpEMHVzRB7WIKduct0KLFHFlXwpfpd7BbzDW7qViILueLGDu1TC gcfU2AqAvaHrXwe3Yp4L5G3dII47ppeqglEYXBmP/WRkmDoXfnca0xite1GZNLetDg 8sIfDBXVmdGBfhrpWLHHbkJbAo9RTbVJk2c9SKabYkI9QQ9IRi2+7bSSr0ZMW8ayIy ezYXt4FCGKi2UFWqMivyyF4Lmy9Ydf3SO/nxD0sK19wKqf3MyAqdObNXkMm9w72rIY lMg2S4E09c//Zv1fbfAyotahFTh/mdgBLIBtN6MvfGFAaDl54FxvpcKvUJyY8xUOY3 Ncq3ZVXy0Ti3Q== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Paolo Bonzini , Richard Henderson , Michael Tokarev Subject: [Stable-10.0.10 063/107] target/i386/tcg: fix decoding of MOVBE and CRC32 in 16-bit mode Date: Tue, 12 May 2026 23:53:50 +0300 Message-ID: <20260512205437.360850-63-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620178265154100 Content-Type: text/plain; charset="utf-8" 
From: Paolo Bonzini Table A-4 of the SDM shows F0 F1 Reviewed-by: Richard Henderson -------------------------------------------------------- NP MOVBE Gy,My MOVBE My,Gy 66 MOVBE Gw,Mw MOVBW Mw,Gw F2 CRC32 Gd,Eb CRC32 Gd,Ey 66+F2 CRC32 Gd,Eb CRC32 Gd,Ew However, this is incorrect. Both MOVBE and (for 0xF1) CRC32 take Gv, Ev or Mv operands. In 16-bit mode therefore the operand is of 16-bit size without prefix and 32-bit mode with 0x66 (the data size override). For example, with NASM you get: bits 16 67 0F 38 F0 02 movbe ax, [edx] 66 67 0F 38 F0 02 movbe eax, [edx] 67 F2 0F 38 F1 02 crc32 ax, word [edx] 66 67 F2 0F 38 F1 02 crc32 eax, dword [edx] versus bits 32 66 0F 38 F0 02 movbe ax, [edx] 0F 38 F0 02 movbe eax, [edx] 66 F2 0F 38 F1 02 crc32 eax, word [edx] F2 0F 38 F1 02 crc32 eax, dword [edx] The instruction is listed correctly in the APX documentation as "SCALABLE" (which means it has v-size operands). Cc: qemu-stable@nongnu.org Reviewed-by: Richard Henderson Signed-off-by: Paolo Bonzini (cherry picked from commit 76ad26dd172d27aae9f1e76d1165b497167c36c2) Signed-off-by: Michael Tokarev diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.= c.inc index a3dffec692..ea03b18b9e 100644 --- a/target/i386/tcg/decode-new.c.inc +++ b/target/i386/tcg/decode-new.c.inc 
@@ -751,19 +751,23 @@ static const X86OpEntry opcodes_0F38_00toEF[240] =3D { =20 /* five rows for no prefix, 66, F3, F2, 66+F2 */ static const X86OpEntry opcodes_0F38_F0toFF[16][5] =3D { + /* + * MOVBE and CRC32 are incorrectly listed as always doing 32-bit opera= tion + * without prefix and 16-bit operation with 0x66. + */ [0] =3D { - X86_OP_ENTRYwr(MOVBE, G,y, M,y, cpuid(MOVBE)), - X86_OP_ENTRYwr(MOVBE, G,w, M,w, cpuid(MOVBE)), + X86_OP_ENTRYwr(MOVBE, G,v, M,v, cpuid(MOVBE)), + X86_OP_ENTRYwr(MOVBE, G,v, M,v, cpuid(MOVBE)), {}, X86_OP_ENTRY2(CRC32, G,d, E,b, cpuid(SSE42)), X86_OP_ENTRY2(CRC32, G,d, E,b, cpuid(SSE42)), }, [1] =3D { - X86_OP_ENTRYwr(MOVBE, M,y, G,y, cpuid(MOVBE)), - X86_OP_ENTRYwr(MOVBE, M,w, G,w, cpuid(MOVBE)), + X86_OP_ENTRYwr(MOVBE, M,v, G,v, cpuid(MOVBE)), + X86_OP_ENTRYwr(MOVBE, M,v, G,v, cpuid(MOVBE)), {}, - X86_OP_ENTRY2(CRC32, G,d, E,y, cpuid(SSE42)), - X86_OP_ENTRY2(CRC32, G,d, E,w, cpuid(SSE42)), + X86_OP_ENTRY2(CRC32, G,d, E,v, cpuid(SSE42)), + X86_OP_ENTRY2(CRC32, G,d, E,v, cpuid(SSE42)), }, [2] =3D { X86_OP_ENTRY3(ANDN, G,y, B,y, E,y, vex13 cpuid(BMI1)), --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619811; cv=none; d=zohomail.com; s=zohoarc; b=lf/PTwncgruoPDeP+PaG7B30RM6Z/0r49KHS7wcf6/Fj6+usE43DGGIhESh8fn1111Rd2WNCShmwUquIlKgqeC0C9qcOWT7WyfVsALKX0VKRQH/ZzOm4K0CVlejrmE0f+59gvz/vJAYuWSBuceC16RluA54xr++RGLGNLDyAoxA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619811; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; 
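Review bot: The comment added above row `[0]` says MOVBE and CRC32 are "incorrectly listed" but not where, and it does not say what the table encodes instead. Going by the commit message, the source is Table A-4 of the SDM and the corrected operands are v-size, so I would word it as `Table A-4 of the SDM incorrectly lists MOVBE and CRC32 (0xF1) as 32-bit without prefix and 16-bit with 0x66; both take v-size operands.` After this change the paired prefix columns in rows `[0]` and `[1]` hold identical entries. Saying that this is intentional would stop a later cleanup from turning them back into y/w variants. The array initializer continues past the end of the hunk.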
bh=GaGIVT3/iBWFL/qUBoY6UsX6C9KcOROIa0glU5XfGyE=; b=TIs1hYLXBCwP7YlyxhEwpQmXdcDZlSNOa/rtMt1pCeZNcxqVILsqTdHJIsh3BFv/hOoWu9HDOeIaTdG7vsCtNk0qbmr3a2C9YRsFRVDVPdC0AmO6+f7vPPMMupDOdT+Jzs4l+YvhyV3henSvQxpJoe4E0GIeQwFlL8VYBv/hNm8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619811451818.7844312160528; Tue, 12 May 2026 14:03:31 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuFU-00012L-Aa; Tue, 12 May 2026 17:02:41 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDt-0006uL-Dr; Tue, 12 May 2026 17:01:04 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDr-0006LJ-76; Tue, 12 May 2026 17:01:01 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 9D4EA1AA30C; Tue, 12 May 2026 23:54:37 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 9DD5E3ABC7D; Tue, 12 May 2026 23:54:41 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619277; bh=HTBE+4uWbe8jRkHSoc5EWVScW05kW5626zuV3t53MVk=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=HRIbijYcyi36aJqa5QfAt/a7V6e2VJT/0qlTLw3z6AOWPiScgb30AfGmR+58xlMYH Hrm1NNWuuPmTBL4J3GmyqjCw+/odZOGZj4Z5BGBJasDhoz/bKSGUmWYOJxlxyet7tX 8OT8x8yHncdYbmc55M/1JOILJTcCZa9mQl1M5yxP8nLQJcDn2QBZrszmaqpWUDNMa+ sBIWv6o1r8AoNY6sKqpBGpFON4at/xLOMEPZd3BtT5GuIUoGDhlvRyZtrsdbOf3tQV 
pOI4DFE0atBGk8uQBvOtOuhH8QNwTn92NO5mr1qICN2+pR1JRWgpDYEmUGgQNAEfzN /Q06Ke9AOIJ3w== From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Stepan Popov , =?UTF-8?q?Alex=20Benn=C3=A9e?= , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , Paolo Bonzini , Michael Tokarev Subject: [Stable-10.0.10 064/107] meson: add missing semicolon in pthread_condattr_setclock test Date: Tue, 12 May 2026 23:53:51 +0300 Message-ID: <20260512205437.360850-64-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619811817158500 From: Stepan Popov The test code was missing a semicolon after the pthread_condattr_t variable declaration. Signed-off-by: Stepan Popov Reviewed-by: Alex Benn=C3=A9e Fixes: 657ac98b58c ("thread-posix: use monotonic clock for QemuCond and Qem= uSemaphore", 2022-02-22) Reviewed-by: Marc-Andr=C3=A9 Lureau Link: https://lore.kernel.org/r/20260330131406.87080-1-Stepan.Popov@kaspers= ky.com 
Signed-off-by: Paolo Bonzini (cherry picked from commit 79bc1771867723cb70dac0fae8f2c26fda1a635d) Signed-off-by: Michael Tokarev diff --git a/meson.build b/meson.build index 327c1e19f8..0fb949de14 100644 --- a/meson.build +++ b/meson.build 
@@ -2845,7 +2845,7 @@ config_host_data.set('CONFIG_PTHREAD_CONDATTR_SETCLOC= K', cc.links(osdep_prefix + =20 int main(void) { - pthread_condattr_t attr + pthread_condattr_t attr; pthread_condattr_init(&attr); pthread_condattr_setclock(&attr, CLOCK_MONOTONIC); return 0; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619939; cv=none; d=zohomail.com; s=zohoarc; b=L4bqBtWOEDlLQSmgFHYyM2CoY3SESNzr9FMnepHfxdXx4SYgE7d2DrA5QTfGEOZDvZKfByFhclhtwYQXO0UfZf2KvXtBD9qVohrLEn+rnTGOeeP8KG+7uQGrPyiRGI8BbVpeJ8ojIar87L4lFX3c+GW/G0I+B+GINNZ0XpjM79k= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619939; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=SfP9GcB9H6qXDxZuEHGtn957wvbENjlgW+qppTfMl2Q=; b=DJKb1Lcfuzrr1QhcFtNOuKeXv7hqdprP4+36WNUCPn0afvNW9Z+Ll50vMu+noBZGfUnhrJT/f6BKzaIALwPeV5l7zLiOlbxjUgtRQiNxUBUftoj/3zKMe0hUY+KGVTLdAjUEYqh/cfKYxUIgLxmbl1vPgP1HYZPbPGqu1DIwwTI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619939820141.0449469739084; Tue, 12 May 2026 14:05:39 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuGA-0001UL-5y; Tue, 12 May 2026 17:03:29 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by 
lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDu-0006vg-Nx; Tue, 12 May 2026 17:01:07 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuDs-0006M4-OR; Tue, 12 May 2026 17:01:02 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id AD4951AA30D; Tue, 12 May 2026 23:54:37 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id B831C3ABC7E; Tue, 12 May 2026 23:54:41 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619277; bh=v3SUpINWlqo+e3uyV/6RfKqswv5vmvgIs7RRwaHysZo=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=OXzLhxrnOCnG+AZtUKo0FAO7sQeBInByWyKPA37+7ei5d/0rB1V7imB5PMpnhRCq4 uH15rIAZg2aKyuzEJq3v2Ckqo3rDO0Ujpwqn4a3ITMv2RhztmXp1xm0mw2micC9Msi YFWhucq0syr9cw6E+sLvx/myFwHNqkWleCeTosHHPoFj+7Sqt22/OVmsg314NKyFyy skYVvsyRWpdWEnLAZ5HC3rM4KaScJ9atML37CP3ZrO4lm6wbIc48zd8ESu2QJLjg1Z +RxQ6k84OQc85564ZxId1EMmnqmRUXmYIDJM5k09NnR5ETH6sERfeMvI3zAF7P/it2 oOZW7QDKZlQNQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Alex=20Benn=C3=A9e?= , Manos Pitsidianakis , Dmitry Osipenko , Michael Tokarev Subject: [Stable-10.0.10 065/107] hw/display: don't accidentally autofree existing virgl resources Date: Tue, 12 May 2026 23:53:52 +0300 Message-ID: <20260512205437.360850-65-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619941898154100 
From: Alex Benn=C3=A9e While sanity checking a create blob operation the use of the auto freed res variable could lead to inadvertently freeing an existing blob. Avoid this by in-lining the virtio_gpu_virgl_find_resource() check as the value is not needed anyway. While at it add a comment to the end and use g_steal_pointer to make it clearer the object lifetime exceeds the function bounds if we pass all the checks. Fixes: CVE-2026-6502 Fixes: 7c092f17cce (virtio-gpu: Handle resource blob commands) Message-ID: 20260417094443.785462-1-alex.bennee@linaro.org Reviewed-by: Manos Pitsidianakis Cc: qemu-stable@nongnu.org Message-ID: <20260417122703.845442-1-alex.bennee@linaro.org> Signed-off-by: Alex Benn=C3=A9e Reviewed-by: Dmitry Osipenko (cherry picked from commit 30fad722ce68316d22b926ba0e6017f0440465df) Signed-off-by: Michael Tokarev diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c index a65fca9c62..030b329d5a 100644 --- a/hw/display/virtio-gpu-virgl.c +++ b/hw/display/virtio-gpu-virgl.c @@ -708,8 +708,7 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g, return; } =20 - res =3D virtio_gpu_virgl_find_resource(g, cblob.resource_id); - if (res) { + if (virtio_gpu_virgl_find_resource(g, cblob.resource_id)) { qemu_log_mask(LOG_GUEST_ERROR, "%s: resource already exists %d\n", __func__, cblob.resource_id); cmd->error =3D VIRTIO_GPU_RESP_ERR_INVALID_RESOURCE_ID; 
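Review bot: The inlined lookup in the "resource already exists" check carries no comment explaining why its result must not be stored in `res`, so a later tidy-up could reintroduce the assignment. Per the commit message `res` is auto-freed, and its declaration sits outside this hunk, so the reason is not visible at the call site. I would add `/* Do not assign to res: it is auto-freed on return and would free the existing resource */` directly above the `if`. The resource id checked here comes from the guest command, which makes this path guest-reachable and the ownership rule worth stating in the code. The function body starts and ends outside the hunk.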
@@ -762,8 +761,9 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g, =20 res->base.dmabuf_fd =3D info.fd; =20 + /* Now live, cleaned up in virtio_gpu_virgl_resource_unref */ QTAILQ_INSERT_HEAD(&g->reslist, &res->base, next); - res =3D NULL; + g_steal_pointer(&res); } =20 static void virgl_cmd_resource_map_blob(VirtIOGPU *g, --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620156; cv=none; d=zohomail.com; s=zohoarc; b=cHw0FDUP0uuy5dsEAMOgnz4Hx7pU65usdMvHey6SP83lSt8FHrkliCE/G0hY050YqMSOKG0/L2Gi7R6YgzkMLNGawpLlcH5nW8yZUpyIG3EdLDjk1V3a+ff26WLl2abqc2UDkfsg0dRt4Tk3FwnSJtPrJXsa1D4J9w0iTXKvgjE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620156; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=lTm/DicrGJbr8aAutdokSG0WgA7QWjZIKhZ8k3pTo5Y=; b=Qg2EfQC+MPzgxFF1huu9gBKK03L8NOmJ5sWnYzWF6HqkbJeod5YRoXi7+oIjZRn2cfgOcwIjZC9SHWLYUSKArmhoj5oBKKKdaOBYr9bihj6si7ioHpSlJlF5XPbfEbG5eMiZ5wLnuhct2wNZidaW8sgWboTmbgq0UCaReOONEpE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620155995922.2810710112761; Tue, 12 May 2026 14:09:15 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuGi-00037b-6i; Tue, 12 May 2026 17:03:56 -0400 
Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEI-0007D9-9D; Tue, 12 May 2026 17:01:31 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEF-0006Ma-I3; Tue, 12 May 2026 17:01:25 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id BD8C81AA30E; Tue, 12 May 2026 23:54:37 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id C82C03ABC7F; Tue, 12 May 2026 23:54:41 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619277; bh=J5+VJRCzbRNBfXbRXNW8A9al3nehZuIQu0HWw4ilJ7c=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=RSPh9ZQwzzU0UgHQv2rhtcvJ3OKkM/fbPymgVgum/gA5as9dEQPQCPU6VqgiWNpa+ 4GVCN8F0hS1B1cpMKNsGvX2dcWT8ZSEOOE94dAW/0dlUvlJYbwp3MLcsvtdPkGPXhm gvCz6mWL7zOOEOW3wpBIKHh6AzMso0zDN4kw8CfVh0rJExb5OBXfU6QmOd4vkYRE/X elbo8J0AGYyR9HUQ87fQ6dr58LYIs2t5WSMhdv96pr2qNlqesvaqrZeuqb1UiLG+qN xNkbisCggUuVvSdsM/xVdqOAEA0gFWlWn+uR/e4gYbOuZOcrYFqN/XNS3eVYxtOsA5 9pqKwzyYNnGkQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Vladimir Sementsov-Ogievskiy , Fabiano Rosas , Peter Xu , Michael Tokarev Subject: [Stable-10.0.10 066/107] migration: vmstate_save_state_v: fix double error_setg Date: Tue, 12 May 2026 23:53:53 +0300 Message-ID: <20260512205437.360850-66-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620157466158500 Content-Type: text/plain; charset="utf-8" From: Vladimir Sementsov-Ogievskiy We may call error_setg twice on same errp if inner vmstate_save_state_v() or vmstate_save_state() call fails. Next we will crash on assertion in error_setv(). Fixes: 848a0503422d043 "migration: Update error description outside migrati= on.c" Signed-off-by: Vladimir Sementsov-Ogievskiy Reviewed-by: Fabiano Rosas Reviewed-by: Peter Xu Link: https://lore.kernel.org/qemu-devel/20260304212303.667141-2-vsementsov= @yandex-team.ru Signed-off-by: Fabiano Rosas (cherry picked from commit d41ce10d0f5a3d6e497e4b75807a8e675033c597) 
Signed-off-by: Michael Tokarev diff --git a/migration/vmstate.c b/migration/vmstate.c index 5feaa3244d..37316d2833 100644 --- a/migration/vmstate.c +++ b/migration/vmstate.c @@ -499,6 +499,9 @@ int vmstate_save_state_v(QEMUFile *f, const VMStateDesc= ription *vmsd, } else { ret =3D inner_field->info->put(f, curr_elem, size, inner_field, vmdesc_loop); + if (ret < 0) { + error_setg(errp, "put failed"); + } } =20 written_bytes =3D qemu_file_transferred(f) - old_offset; 
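Review bot: The added check sets an error only for `ret < 0`, while the failure branch in the following hunk still tests `if (ret)` and now calls error_prepend(), which as far as I know expects an error to be set already. If a `put` callback ever returned a positive value, `*errp` would still be unset when the prefix is prepended. Using the same condition in both places closes that gap, for example `if (ret) {` around the new `error_setg(errp, "put failed");`. The `if (ret)` branch is also reached after the inner vmstate_save_state_v() and vmstate_save_state() calls, which are outside both hunks, so it is worth confirming they set `errp` on every non-zero return.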
@@ -511,8 +514,8 @@ int vmstate_save_state_v(QEMUFile *f, const VMStateDesc= ription *vmsd, } =20 if (ret) { - error_setg(errp, "Save of field %s/%s failed", - vmsd->name, field->name); + error_prepend(errp, "Save of field %s/%s failed: ", + vmsd->name, field->name); if (vmsd->post_save) { vmsd->post_save(opaque); } --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620110; cv=none; d=zohomail.com; s=zohoarc; b=CUNSUwAdHHrjEXIEYdpAsPa7Pg/HBJxJ3ZAuxE4u93kbfE8S+BUgRiBFwjZ2BEdi/lUkg2FTSS1KaDF/BX4vPrPh/HVnQD+aESoAv8UO2w8uaYCvdCCf+GLsz5W3hX5QEiwrfamZ2w3EJLCFK/PKhgu7FwxF80HIj+xm3DJ8Hjc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620110; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=PIjFNtzon/4C6uK7AFR9ctlBIwomWR0ZWoCnUH74/mE=; b=KE/cV0KkhdV70AdfKtHNI1jRLyjoHDrO/swn7UMhG6nYvKFqAZOmMmSpML6ygT/YGltVw6/eaVWQGzD2/TL0iky4uhfwAK1+HhpELXMrqc8oH0jyYxt72xYpDLcowmmDsa9Sx2NU5co5auVzbBVoyEo+sDXTMIdosQeb/kjLaNI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620110144462.5802790503071; Tue, 12 May 2026 14:08:30 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuGf-0002nP-Sa; Tue, 12 May 2026 17:03:54 -0400 Received: 
from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEJ-0007DB-D6; Tue, 12 May 2026 17:01:31 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEG-0006Q4-8d; Tue, 12 May 2026 17:01:26 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id CE19A1AA30F; Tue, 12 May 2026 23:54:37 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id D8C453ABC80; Tue, 12 May 2026 23:54:41 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619277; bh=HBbppBk0F1Eq2yDKj74u9HuKV/1aqIdP6hioL/w2gdc=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=ZtKogPtj+zvggF1vGPyjDvfILf43E7i+CsTVf4i8NRwe40bfPtgH6kH+AjKf1Quah czhvhZd+mZCMK6JHjnXW9IhDVlh1MCbyDOizT0qS0Ni14qFDyLk5FCaqneqHwqJUHr 9QhkcqS2KEY1RR/MY/nC4rxagA5vqKow9n0PjpBiEtcCfRVKkZyZySlb91lY9jmaZb A8PqbOEPR8O6YAZgta72NJgMK7RTGAthl0allLyHvmruAlO9xeIp9IoAaTOXGGTHHG UE2115ehsc6/jdHjc01QgRlh1N9zmSybHa17WdwRUL1/q/ssZE8/GUYihWwjASvwst xUhUlbqfsmSzA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Thomas Huth , Peter Maydell , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.10 067/107] hw/misc: Fix the valid access size to the avr-power device Date: Tue, 12 May 2026 23:53:54 +0300 Message-ID: <20260512205437.360850-67-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620110612158500 From: Thomas Huth Accessing the device with in non-single byte mode currently causes QEMU to abort: $ echo "writew 0x800064 0x4142" | \ ./qemu-system-avr -M mega2560 -display none -qtest stdio -accel qtest [I 0.000000] OPENED [R +0.001784] writew 0x800064 0x4142 qemu-system-avr: ../../devel/qemu/hw/misc/avr_power.c:58: avr_mask_write: Assertion `offset =3D=3D 0' failed. Aborted (core dumped) Set the valid max access size to 1 to fix the problem. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3393 
Signed-off-by: Thomas Huth Reviewed-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daud=C3=A9 Message-ID: <20260421082935.85995-1-thuth@redhat.com> Signed-off-by: Philippe Mathieu-Daud=C3=A9 (cherry picked from commit c0306d2b8f45a708f7ab45c846bb24851d6e17f2) Signed-off-by: Michael Tokarev diff --git a/hw/misc/avr_power.c b/hw/misc/avr_power.c index ac7b96f53e..1495ec5de4 100644 --- a/hw/misc/avr_power.c +++ b/hw/misc/avr_power.c 
@@ -73,6 +73,9 @@ static const MemoryRegionOps avr_mask_ops =3D { .impl =3D { .max_access_size =3D 1, }, + .valid =3D { + .max_access_size =3D 1, + }, }; =20 static void avr_mask_init(Object *dev) --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619858; cv=none; d=zohomail.com; s=zohoarc; b=auSaXucb5v21aBeBJZV1hDZvHl/gX2VTyuyxo08KGxksiE75Z5RZ7hH6WZyHavcQBf/taou9zEB2UunWp/vUc+2HJoG77py56s25hmigOiwUmG6ITUWLh0H3J+tsrm0Vkx/9mGregw8b1jvEUMLfbTZcfupCCrFXEBjRn+E2jvg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619858; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=thhXaxwhUAIkyORFrk4HfwjfbyuA28VPt50XTdDlq40=; b=cULsC0jQiarFnQ63Z7kYGh22zoGN9lqenraH4iK/T9epJRCV9CMEvvXVwo5Pjquhnk9vh7NkLYfOtZZzm6PoSstWsSwECklrdIihxrEh/fpag17CKClnAET4SMgpEvFK7Yw1pOJxfIDtqjRCcf0gFbM0xjWZ4pAXv3vnlMAnVuE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 17786198584091.4629028735921565; Tue, 12 May 2026 14:04:18 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuF4-0000SZ-RA; Tue, 12 May 2026 17:02:16 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 
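Review bot: The new `.valid` block has no comment tying it to the assertion it protects, so it reads as a duplicate of `.impl` and could be dropped in a later cleanup. The commit message shows a guest `writew` reaching avr_mask_write() and tripping its `offset == 0` assertion, which means the restriction is what keeps a guest-triggerable abort unreachable. I would add `/* Reject accesses wider than one byte: avr_mask_write() asserts offset == 0 */` above `.valid`. The `avr_mask_ops` initializer begins outside the hunk.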
4.90_1) (envelope-from ) id 1wMuEL-0007Eq-Kg; Tue, 12 May 2026 17:01:33 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEJ-0006cI-OD; Tue, 12 May 2026 17:01:29 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id DC3531AA310; Tue, 12 May 2026 23:54:37 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id E8B8A3ABC81; Tue, 12 May 2026 23:54:41 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619277; bh=A6SYzDkHySmBI5jBzgYpe0RWF4V85IUb4p7/AfOUadU=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=ZIkj/er9WIBjHuC7uAv5ylx7a1GOAuoNof3PfHX8q3geABpP+TvqpkhVRzeOt9CQs umSdXzVzwg/4xiBp2bzhObgl2s+og/udghPYjjjjUEpSY1ZtCblAasbzmgxN/54wi5 hZUChwgzK9iMI78+4+vytxIAcW6H3Em8E7KD69Fe0qzZzb8GHfj0bAeo6v2iAoR4w9 jGqub1Sn5NoKPpUcPmOEw9M3TOdYrMWfLO9ADpPe7JkTrJR3kq9naJOyNQHWh49p1+ OVk68UlhLAClVDw4XjlXgr2InpuyiTppdsQMAY32kxAQm92hNcVKmmxlPS0NOaCA3J Aye2SV9pCvV7g== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Thomas Huth , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.10 068/107] hw/sh4/sh7750: Remove forgotten abort() in the MM_ITLB_DATA handler Date: Tue, 12 May 2026 23:53:55 +0300 Message-ID: <20260512205437.360850-68-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619860437158500 
From: Thomas Huth QEMU currently aborts when the guest writes to the MM_ITLB_DATA register: echo "writel 0xf3000000 0x11223344" | \ ./qemu-system-sh4 -M r2d -display none -accel qtest -qtest stdio [I 0.000000] OPENED [R +0.004476] writel 0xf3000000 0x11223344 Aborted (core dumped) Looking at the history of the code, the abort() here has likely just been forgotten when the register handler had been implemented (it used to be a reminder about unimplemented functionality initially): https://gitlab.com/qemu-project/qemu/-/commit/9f97309a70f12df5f9104f1f Thus simply remove the abort() now to get rid of the problem. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3420 Signed-off-by: Thomas Huth Reviewed-by: Philippe Mathieu-Daud=C3=A9 Message-ID: <20260422075429.341409-1-thuth@redhat.com> Signed-off-by: Philippe Mathieu-Daud=C3=A9 (cherry picked from commit 3ab47a47d716f8f2b7686cc06c8312db2e6fc2d4) Signed-off-by: Michael Tokarev diff --git a/hw/sh4/sh7750.c b/hw/sh4/sh7750.c index 6faf0e3ca8..81c54d0b8c 100644 --- a/hw/sh4/sh7750.c +++ b/hw/sh4/sh7750.c 
@@ -687,7 +687,6 @@ static void sh7750_mmct_write(void *opaque, hwaddr addr, break; case MM_ITLB_DATA: cpu_sh4_write_mmaped_itlb_data(&s->cpu->env, addr, mem_value); - abort(); break; case MM_OCACHE_ADDR: case MM_OCACHE_DATA: --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619892; cv=none; d=zohomail.com; s=zohoarc; b=DrGWJfEPX0br5oJyMD2XG7EhOy2XG0NZlY9WMeGlXWgPb21RC9Pt/UXyIIfaOPtJwl9IfwVr9IdaLDY7uVPbxp2GRx8K2gvV/r72MbqwfKNySNW8GQ0W/ypo+CM0m/yNpIGR+vhgMiJDvkKJ7IJ1IwvHsVBFO/Agx84hgzt1Eh8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619892; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=1B1DbiYMv9G9AXAfmaeN75IjSzK+9a69S0ZajcvLJRU=; b=AuovEiBp4WpRHoiHyrix3cNjlhVKk+Abr645fnLbG0gZOMlo92gPeN13EGyOi2Y23U12Q0BQML5jMTV7Bi2qT8/sbbcmSENJaqIBhhz/tdbul2yuWd281Rd/MaovYXyG+waWWzydrMgo4LPeLabDLipx6NJqIBG7SeWAUd7yb+E= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619892177367.65523322765193; Tue, 12 May 2026 14:04:52 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuGl-0003Wq-Hh; Tue, 12 May 2026 17:03:59 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps 
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEO-0007FI-M5; Tue, 12 May 2026 17:01:39 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEL-0006ca-MH; Tue, 12 May 2026 17:01:32 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id ED53C1AA311; Tue, 12 May 2026 23:54:37 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 0391B3ABC82; Tue, 12 May 2026 23:54:42 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619277; bh=RI10+5zPGhJ/aOzuzHvVJ9FNHtrl/IeqoVNJcNULtVs=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=BndFA9Fm0HBwyBMwkNLLZznFAODHXqJv0c6xeQnLWLyt43tHptLaMxYulhAfIkpUo KlpAgjxGFQVBTzYaiTiQtw98fyu2LP5l8KjFHM6VZwI2uk5NkKYiG3mswO4ebnnYSV tIGcKLDrhFk20mgg9TFrrDTqKxnK9WFQe0NGSxsmgWX79kpDrQ7qHnVwRU8NwrkP5v sYzwbtfQYZS5vWPaKVg4OI0hkof4Q63NgYR+ixnl8GJJ1fEEn61C9QU4MajL+MmhK3 DWh2abS0+ZKMcPpBGOosKOVYDLauiHL4C38c55Px3RHKSWedIRc7qxwGu3jAo8qDRb UnZio+LUc46PA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Matt Turner , Peter Maydell , Helge Deller , Michael Tokarev Subject: [Stable-10.0.10 069/107] linux-user/ppc: Fix ppc64 rt_sigframe stack offset Date: Tue, 12 May 2026 23:53:56 +0300 Message-ID: <20260512205437.360850-69-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619892771158500 Content-Type: text/plain; charset="utf-8" 
From: Matt Turner The kernel's 64-bit signal delivery (signal_64.c) uses: newsp =3D frame - __SIGNAL_FRAMESIZE while the 32-bit path (signal_32.c) uses: newsp =3D frame - (__SIGNAL_FRAMESIZE + 16) The extra 16 bytes in the 32-bit case is to place siginfo and ucontext at the same offsets as older kernels (see the comment in signal_32.c). The 64-bit rt_sigframe starts with ucontext directly and does not need this adjustment. QEMU's setup_rt_frame() unconditionally used (SIGNAL_FRAMESIZE + 16) for both 32-bit and 64-bit, placing the handler's SP 16 bytes too low on ppc64. Signal delivery and return still worked because do_rt_sigreturn had the matching wrong offset, but the vDSO DWARF unwind info encodes the correct kernel offset. This caused any DWARF unwinder (libunwind, libgcc, etc.) to compute a CFA that is 16 bytes off, reading garbage register values from the signal frame. Define RT_SIGFRAME_ADJUST (0 on ppc64, 16 on ppc32) and use it in both setup_rt_frame and do_rt_sigreturn to match the kernel. This was verified by A/B testing with libunwind's test suite: ppc64le: Gtest-bt, Ltest-bt, Gtest-concurrent, Ltest-concurrent, and Ltest-sig-context all change from FAIL to PASS. ppc64be: Gtest-bt, Ltest-bt, and Ltest-sig-context all change from FAIL to PASS. Signed-off-by: Matt Turner Reviewed-by: Peter Maydell Signed-off-by: Helge Deller Cc: qemu-stable@nongnu.org (cherry picked from commit 654dce6c523612d38e8d53818dbc7c03cbe535a3) Signed-off-by: Michael Tokarev diff --git a/linux-user/ppc/signal.c b/linux-user/ppc/signal.c index 24e5a02a78..a9c10e0987 100644 --- a/linux-user/ppc/signal.c +++ b/linux-user/ppc/signal.c 
@@ -210,6 +210,18 @@ QEMU_BUILD_BUG_ON(offsetof(struct target_rt_sigframe, = uc.tuc_mcontext) =20 #endif =20 +#ifdef TARGET_PPC64 +#define RT_SIGFRAME_ADJUST 0 +#else +/* + * For 32-bit rt sigframes we have an extra 16 bytes of gap + * on top of __SIGNAL_FRAMESIZE; this is to get the siginfo + * and ucontext in the same positions as in older kernels. + * See Linux's arch/powerpc/kernel/signal_32.c. + */ +#define RT_SIGFRAME_ADJUST 16 +#endif + #if defined(TARGET_PPC64) =20 struct target_func_ptr { @@ -525,7 +537,7 @@ void setup_rt_frame(int sig, struct target_sigaction *k= a, env->fpscr =3D 0; =20 /* Create a stack frame for the caller of the handler. */ - newsp =3D rt_sf_addr - (SIGNAL_FRAMESIZE + 16); + newsp =3D rt_sf_addr - (SIGNAL_FRAMESIZE + RT_SIGFRAME_ADJUST); err |=3D put_user(env->gpr[1], newsp, target_ulong); =20 if (err) 
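Review bot: The `TARGET_PPC64` branch of the new `RT_SIGFRAME_ADJUST` definition has no comment, while the 32-bit branch explains its 16, so a reader of signal.c alone cannot tell that 0 is deliberate. I would add `/* The 64-bit rt_sigframe starts with the ucontext; Linux's signal_64.c uses frame - __SIGNAL_FRAMESIZE with no gap. */` above `#define RT_SIGFRAME_ADJUST 0`. The macro is also used in the `setup_rt_frame` hunk that follows and in the `do_rt_sigreturn` hunk, and both functions continue outside their hunks. Since the commit message says delivery and return only work when the two offsets match, that coupling is worth one sentence at the macro as well.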
@@ -641,7 +653,7 @@ long do_rt_sigreturn(CPUPPCState *env) struct target_rt_sigframe *rt_sf =3D NULL; target_ulong rt_sf_addr; =20 - rt_sf_addr =3D env->gpr[1] + SIGNAL_FRAMESIZE + 16; + rt_sf_addr =3D env->gpr[1] + SIGNAL_FRAMESIZE + RT_SIGFRAME_ADJUST; if (!lock_user_struct(VERIFY_READ, rt_sf, rt_sf_addr, 1)) goto sigsegv; =20 --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620306; cv=none; d=zohomail.com; s=zohoarc; b=W632JfMRwZWQP0eBzo3nmQ6hQ2Bww+Q23oICQ4rib5g5wgoczG4X8lftp/nek8mAxhOuS1odmIc45YJs4WzT9yNtcFK3O5+7oWaA2cRi9yFlJroP28e7pVNUYEDRp1g9Gg/wdOZsm6+xXg5eNsf9ZNY5M/RWePq8wLzmNfvraDQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620306; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=pN5w0CUJFFXZwiYUkJ1acdmG6yN3rUdrN1JDLjq33l4=; b=CwY2Dr1Pe3P3wMLz3aP6fi/QARI6Zl3HzByalCB2i7k91DXcYBOR+85RqH8XxBgwpYmBDFIJ1t7GCM8WB3RKB/MBU6UEENE4XbggS/LWAjsqZz2ihvRUgPxLhkezBY1VKceB0/wp3H2suD0cUYGRQVq3bvZVN2fUWOWRQ+v8388= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620306134485.634689083803; Tue, 12 May 2026 14:11:46 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuGq-0004AZ-Du; Tue, 12 May 2026 17:04:04 -0400 
Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEQ-0007HD-Bk; Tue, 12 May 2026 17:01:42 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEN-0006dB-33; Tue, 12 May 2026 17:01:32 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 0BA4A1AA312; Tue, 12 May 2026 23:54:38 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 14C2D3ABC83; Tue, 12 May 2026 23:54:42 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619278; bh=Q5smFhmGfV1eJoYo0hYO8uCEZYCYBG7+b+hXPxKbpaY=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=me3rDllJbGCQ++8eJivwE3ORwROdjVJQ6HRIYqjaxR4aBWYvJMT0DK7dJrG2RBMJM RyJqvsFtMH42Q70BpyntJd4aqggQjIj6Qo/7tuMvTcDNfHc2JWTiVsUtmpv129pf1m QoNfWsq0Z+m/QxxH/gTyJY+hBer64Nr3dIE4ZPzm/9CMHif6/CsYin9wi9B3sNkTxD JoUDe2vxRAbUcmFKfgCFN2MxIzSiSV5zz3DXvFeFhnaVxrAcpo4ukH63ZAcwSZpTwG ZqSp6oLGcMkWM4VPPf/gX58wVPQJMnLTwu0Vd6druzLVLqc43ky9eUf+RE+bskriOR AHDt1xRYF4HHQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Yixin Wei , Yixin Wei , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Helge Deller , Michael Tokarev Subject: [Stable-10.0.10 070/107] linux-user: fix off-by-one in host_to_target_for_each_rtattr() Date: Tue, 12 May 2026 23:53:57 +0300 Message-ID: <20260512205437.360850-70-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620308062158500 
From: Yixin Wei host_to_target_for_each_rtattr() uses "len > sizeof(struct rtattr)" as its loop condition. When the last rtattr in a netlink message has exactly sizeof(struct rtattr) (4) bytes remaining, the loop exits without byte-swapping its rta_len and rta_type. A big-endian guest then reads rta_len in the wrong byte order and fails validation. The companion function target_to_host_for_each_rtattr() correctly uses ">=3D" (added in commit fa2229dbf8). The kernel's RTA_OK macro also uses ">=3D". Fix the host_to_target direction to match. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2485 Signed-off-by: Yixin Wei Fixes: 6c5b5645ae0 ("linux-user: add rtnetlink(7) support") Reviewed-by: Philippe Mathieu-Daud=C3=A9 Signed-off-by: Helge Deller Cc: qemu-stable@nongnu.org (cherry picked from commit 029f10e852780da846d3e7f1691c495474683b73) Signed-off-by: Michael Tokarev diff --git a/linux-user/fd-trans.c b/linux-user/fd-trans.c index f83d1f79d5..1045ae7b1a 100644 --- a/linux-user/fd-trans.c +++ b/linux-user/fd-trans.c 
@@ -482,7 +482,7 @@ static abi_long host_to_target_for_each_rtattr(struct r= tattr *rtattr, unsigned short aligned_rta_len; abi_long ret; =20 - while (len > sizeof(struct rtattr)) { + while (len >=3D sizeof(struct rtattr)) { rta_len =3D rtattr->rta_len; if (rta_len < sizeof(struct rtattr) || rta_len > len) { --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620185; cv=none; d=zohomail.com; s=zohoarc; b=ANeNmmAc2vOM+YQ9rAP/fZKpHfQQKPXyuL8cMUxaL1qNhMUsjvmaVdSl+MiyQfj4s/6ncdjg7jZCl2jVq6ywsoHyV7ubkHPqe33Y3NDEzv7G3leigqPc0RV28GQbFZVI2rwaNH9WafxW/jXGeDx3mRPdo25aPm/b1dWEbU8Lbfw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620185; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=7AHizUuOtqv2oAd7AT+bS67Tk17CpCz5b7v280B8cxw=; b=Y7kDd7AlpHAfuU10Wcr6EFq04woJCyTb2ATWOiNm/hI0gORWOi5OvxHOzbUcV5n3SFhGT8JTKjahguGus1vmwMr+FzcbZ6/Qlxgzuf6W0UhwwQkl8IWpbbp8BO7xfiUDKlhNxgVOWs85kQODjnVuEQDta8pIuR5N3DRndCA1HGA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 177862018525782.48236092376396; Tue, 12 May 2026 14:09:45 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuGs-0004PO-6C; Tue, 12 May 2026 17:04:06 -0400 Received: from eggs.gnu.org 
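Review bot: With `>=` the loop now also processes a final attribute that sits exactly `sizeof(struct rtattr)` bytes from the end of the buffer, i.e. a header with zero payload. The rest of the loop body is outside this hunk and presumably hands that attribute to the per-attribute conversion. If any conversion byte-swaps a fixed-size payload chosen by `rta_type` without first checking `rta_len`, it would now touch bytes past `len`; that code is not visible here, so this is something to confirm rather than a known defect. A short comment on the loop, `/* >= as in the kernel's RTA_OK(): a trailing header-only attribute is valid */`, would also keep the two directions from drifting apart again.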
([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEp-0008Hr-Aq; Tue, 12 May 2026 17:02:00 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEk-0006dS-7Y; Tue, 12 May 2026 17:01:56 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 1CEE71AA313; Tue, 12 May 2026 23:54:38 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 271323ABC84; Tue, 12 May 2026 23:54:42 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619278; bh=3zIB+O/5vKEtmBM8C9ZQISmeP/fCK2GT7YLJ0pvkpPc=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=HhdTUaMCPXdmElX8jZxPqPVfhwP4n8NbXUHwwOn+miaCzYEX+gIJjMsE7a5nOWYne kTYgtyKVvXGMsQujCIrNCOvnn1yKJMm0HtucjPIyU+nggLtKi3pwqJW/23Cq9Q6twp iaOv9VxXZFM2KPLkpVDNNR4u5ZVYBqOxDBQvRAuw7w150UgarXe2MqcSUtVrZQvkLW VEr46Dc6/eJqYoM4xknPJ0R6g2G5IIu3IQ3ILkHIVxB+cYzqkuGSMdWBQm6py9q2Gf xjT+z77ueHHbs0n5NYidapX/qpNzwmmNqpO8yxMLYsA4RrowaNvk/Luyv2D9GZEGR5 MUSK3ZgpfkP2A== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Gyorgy Tamasi , Pierrick Bouvier , Peter Maydell , Helge Deller , Michael Tokarev Subject: [Stable-10.0.10 071/107] linux-user: Don't define target_stat64 struct for loongarch64 Date: Tue, 12 May 2026 23:53:58 +0300 Message-ID: <20260512205437.360850-71-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620187136158500 Content-Type: text/plain; charset="utf-8" 
From: Gyorgy Tamasi The kernel defines 'struct stat64' only if __BITS_PER_LONG !=3D 64 || defined(__ARCH_WANT_STAT64). loongarch64 doesn't set __ARCH_WANT_STAT64, and it isn't 32-bit, so it won't get this struct. QEMU incorrectly does define a target_stat64 struct. However this isn't causing any guest-visible problems, because defining the target_stat64 struct and TARGET_HAS_STRUCT_STAT64 affects these syscalls: TARGET_NR_stat64 TARGET_NR_lstat64 TARGET_NR_fstat64 TARGET_NR_fstatat64 TARGET_NR_newfstatat For loongarch64 the only one of those we provide is newfstatat, and that is actually a separate QEMU bug, because the kernel does not provide that syscall for this architecture. No real guest code will be using a syscall that doesn't exist in the ABI. (Some of these syscalls are present in the loongarch64 "ABI1.0", but that ABI was never accepted in the upstream kernel, and QEMU does not model that ABI, only the "ABI2.0".) Stop defining TARGET_HAS_STRUCT_STAT64 anyway, for consistency with the kernel and to avoid confusion. Note: Commit message suggested by Peter Maydell Signed-off-by: Gyorgy Tamasi Tested-by: Gyorgy Tamasi Reviewed-by: Pierrick Bouvier Reviewed-by: Peter Maydell Signed-off-by: Helge Deller (cherry picked from commit 93484c768f2b66947a91d6372f408ae01c83e8c6) Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h index b5a2ad3b2d..86bdf88be7 100644 --- a/linux-user/syscall_defs.h +++ b/linux-user/syscall_defs.h 
@@ -2003,7 +2003,7 @@ struct target_stat { abi_uint __unused5; }; =20 -#if !defined(TARGET_RISCV64) +#if !defined(TARGET_RISCV64) && !defined(TARGET_LOONGARCH64) #define TARGET_HAS_STRUCT_STAT64 struct target_stat64 { abi_ullong st_dev; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620516; cv=none; d=zohomail.com; s=zohoarc; b=cv4lzHbSJGA2IBRA4xKNsRXDpjhdcxxbbXlolnESJDOrXXA3ozNSQ8w0nDxImGDrEiQ2KwEXxBa1/jywth9crcDMne54ugEwWDzDHShUn/21nfFGcKWWYXqZ6YxWyFL9zktmc/bYAd+c95DgYeXFOs2QXXrKbk/IcUS7zqdUSSk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620516; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=mSQv1OoDT5JgB3/Z9pR8Naw0NKFUgJujJC7uE0jhujI=; b=kS6l1OhRqYLxpUVMNH4FHOd3FMU6FJ6mMnntwBIBhvx9CpaVDqYV8WpzvWI6xa3IJYzEeLEZ2P5rHFi20hSS0l2dFoO0npZfvadARrgvLf1q6+uPK5UVNpclpelmqaYViTDDAqbXsZgrmQJfuGhQ6scJmsc+chiWN1SVjflP8uo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620516007955.5993721125543; Tue, 12 May 2026 14:15:16 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuGu-0004iZ-OO; Tue, 12 May 2026 17:04:09 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps 
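Review bot: The guard `#if !defined(TARGET_RISCV64) && !defined(TARGET_LOONGARCH64)` gives no reason for its exclusions, so the next 64-bit target without `struct stat64` is likely to be missed the same way. A comment stating the kernel rule from the commit message would help: `/* The kernel defines struct stat64 only if __BITS_PER_LONG != 64 || defined(__ARCH_WANT_STAT64). */`. The struct definition it guards continues outside the hunk.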
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEw-00009M-0v; Tue, 12 May 2026 17:02:07 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEq-0006df-BS; Tue, 12 May 2026 17:02:02 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 2C8FF1AA314; Tue, 12 May 2026 23:54:38 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 3801A3ABC85; Tue, 12 May 2026 23:54:42 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619278; bh=4W0OyaGK6ZdguvnQ/kLnQO8AjuYIwk2zwEG402Qz6bs=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=PP92gBqU1aC2y/AAllFS+rO1dmhSPpl+JP5jKVLB1gxWPnCMseIN30iYenb2BdeUf X0VVLTvA5Rn8FLGTrhH6Ou8rIcZY+w/Ukx3FRRsHyq834lyggWnwrh6hudnckTY1sr EoEReKXEGxLbpYSjWXe/nFJGYKFbDc43Ysc7mrODuHwLcdtFrCmzuUmK5/jbz0uXC6 I8lx5HklEPxqMpnqItm8X441Q4q1q1YUUCglzMCQsmmzkCqPf7FidO/j8HtD/nX0P1 Z7BVUUhjjwvzBr/pWbHT5nVBrzTGjBsZOIJVcZ4XqirMtcHMpnIA+rDFqFmIKe6Fjt bu3V//l9FmacA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Richard Henderson , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Helge Deller , Michael Tokarev Subject: [Stable-10.0.10 072/107] linux-user/arm/nwfpe: Replace user_registers with current_cpu Date: Tue, 12 May 2026 23:53:59 +0300 Message-ID: <20260512205437.360850-72-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620517929154100 From: Richard Henderson Use the thread-local variable current_cpu instead of a global variable to access the general registers. This also means we don't need to pass env to EmulateAll. Signed-off-by: Richard Henderson Reviewed-by: Philippe Mathieu-Daud=C3=A9 Signed-off-by: Helge Deller (cherry picked from commit c8ea1759009a248cf331b275854d8b272e0f7d8a) Signed-off-by: Michael Tokarev diff --git a/linux-user/arm/cpu_loop.c b/linux-user/arm/cpu_loop.c index 098b54d10e..af01869620 100644 --- a/linux-user/arm/cpu_loop.c 
+++ b/linux-user/arm/cpu_loop.c @@ -231,7 +231,7 @@ static bool insn_is_linux_bkpt(uint32_t opcode, bool is= _thumb) static bool emulate_arm_fpa11(CPUARMState *env, uint32_t opcode) { TaskState *ts =3D get_task_state(env_cpu(env)); - int rc =3D EmulateAll(opcode, &ts->fpa, env); + int rc =3D EmulateAll(opcode, &ts->fpa); int raise, enabled; =20 if (rc =3D=3D 0) { diff --git a/linux-user/arm/nwfpe/fpa11.c b/linux-user/arm/nwfpe/fpa11.c index 0f1afbd91d..44783934b2 100644 --- a/linux-user/arm/nwfpe/fpa11.c +++ b/linux-user/arm/nwfpe/fpa11.c @@ -30,7 +30,6 @@ =20 =20 FPA11* qemufpa =3D NULL; -CPUARMState* user_registers; =20 /* Reset the FPA11 chip. Called to initialize and reset the emulator. */ void resetFPA11(void) @@ -156,7 +155,7 @@ void SetRoundingPrecision(const unsigned int opcode) =20 /* Emulate the instruction in the opcode. */ /* ??? This is not thread safe. */ -unsigned int EmulateAll(unsigned int opcode, FPA11* qfpa, CPUARMState* qre= gs) +unsigned int EmulateAll(unsigned int opcode, FPA11* qfpa) { unsigned int nRc =3D 0; // unsigned long flags; @@ -173,12 +172,6 @@ unsigned int EmulateAll(unsigned int opcode, FPA11* qf= pa, CPUARMState* qregs) } =20 qemufpa=3Dqfpa; - user_registers=3Dqregs; - -#if 0 - fprintf(stderr,"emulating FP insn 0x%08x, PC=3D0x%08x\n", - opcode, qregs[ARM_REG_PC]); -#endif fpa11 =3D GET_FPA11(); =20 if (fpa11->initflag =3D=3D 0) /* good place for __builtin_expect */ diff --git a/linux-user/arm/nwfpe/fpa11.h b/linux-user/arm/nwfpe/fpa11.h index d459c5da02..20f9d2eb81 100644 --- a/linux-user/arm/nwfpe/fpa11.h +++ b/linux-user/arm/nwfpe/fpa11.h @@ -25,15 +25,6 @@ =20 #define GET_FPA11() (qemufpa) =20 -/* - * The processes registers are always at the very top of the 8K - * stack+task struct. Use the same method as 'current' uses to - * reach them. - */ -extern CPUARMState *user_registers; - -#define GET_USERREG() (user_registers) - /* Need task_struct */ //#include =20 
@@ -91,25 +82,25 @@ void SetRoundingPrecision(const unsigned int); =20 static inline unsigned int readRegister(unsigned int reg) { - return (user_registers->regs[(reg)]); + CPUARMState *env =3D cpu_env(current_cpu); + return env->regs[reg]; } =20 static inline void writeRegister(unsigned int x, unsigned int y) { -#if 0 - printf("writing %d to r%d\n",y,x); -#endif - user_registers->regs[(x)]=3D(y); + CPUARMState *env =3D cpu_env(current_cpu); + env->regs[x] =3D y; } =20 static inline void writeConditionCodes(unsigned int x) { - cpsr_write(user_registers, x, CPSR_NZCV, CPSRWriteByInstr); + CPUARMState *env =3D cpu_env(current_cpu); + cpsr_write(env, x, CPSR_NZCV, CPSRWriteByInstr); } =20 #define ARM_REG_PC 15 =20 -unsigned int EmulateAll(unsigned int opcode, FPA11* qfpa, CPUARMState* qre= gs); +unsigned int EmulateAll(unsigned int opcode, FPA11* qfpa); =20 unsigned int EmulateCPDO(const unsigned int); unsigned int EmulateCPDT(const unsigned int); --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620409; cv=none; d=zohomail.com; s=zohoarc; b=h40t8sfjcTr241X42ZyuAC4DgjxphKviw/e6wH2wUySLmNfwkAk+fkgxOai6ORk8IwacwRwRlba9gFKs/spieWWzMuif5gbTBK1gwBZDSH6NEVgWbChT7z40skHUoFs4tbzy1ppZVicJspv0fAI+EKFv0svwumOWX4idwEAsUCE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620409; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=H4FIuXYNcXhcICyJotPi6hepQlNWKb0yCqilF49UBa0=; 
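Review bot: `readRegister`, `writeRegister` and `writeConditionCodes` now take the register file from `cpu_env(current_cpu)`, while the FPA state still arrives explicitly as `qfpa`. Correctness therefore depends on `current_cpu` being set and being the CPU whose `ts->fpa` was passed to `EmulateAll`. In the `emulate_arm_fpa11` hunk that holds only if `env_cpu(env) == current_cpu`, which the visible code neither states nor checks. I would document it at the `EmulateAll` prototype, `/* Must be called on the vCPU thread: registers are taken from current_cpu. */`, and consider `assert(env_cpu(env) == current_cpu);` before the call in cpu_loop.c.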
b=OIma3glR5ymtuDXsQh48agFAtZRBowj32gU0ffjudU11r5ZIdKx0zVQRkuVURznf3uN4hI2nSL7M3v3a5Tp0uzx6sbBxTkvfBxBoelflIFHgIa/nbk59L4V6Dle/d29/cnH2oDe+yILLg6l1RUQy/YCl3R7LiroPs3/lnFtMOLo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620409974678.3800195244736; Tue, 12 May 2026 14:13:29 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuGu-0004g5-Ll; Tue, 12 May 2026 17:04:08 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEw-00009L-19; Tue, 12 May 2026 17:02:07 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEq-00073O-TV; Tue, 12 May 2026 17:02:03 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 3BECD1AA315; Tue, 12 May 2026 23:54:38 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 479A73ABC86; Tue, 12 May 2026 23:54:42 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619278; bh=IV1KOOsP62EAMhURr/iHTfOhWJ/M086I5KB7WEGlK5c=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=LnIgyYzPHl/2KrQofrNAQqa2omYePzTJgRS85+raSS81R8WsIHV2+AQwPaEu5+sP1 1SY1LyKWDCjvEA6rh2Nm5MGIldk1yHYCqODuLddVNb4wsxpQjDarInTBoVf85voXFF WcN5p21euUPADDK+87567EJy/jELl4VJ6MOI8XmgrYs7SKunI1EWE1AARSZ5g4+rl+ l3uhhZKif8kezkBDqnhfedZfNBT1dcdl+XtOhgFNli3bADxG7GqIWMuGR+fSbYyVjC 
7dlVzYPONlNDzCO0KdMYh8HpWsgfPvT3OcSySsxNNsjdzWlsvD2j4oK/vi8k5K7M+4 wAu2dZZon/+Pw== From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Richard Henderson , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Helge Deller , Michael Tokarev Subject: [Stable-10.0.10 073/107] linux-user/arm/nwfpe: Use thread-local storage for qemufpa Date: Tue, 12 May 2026 23:54:00 +0300 Message-ID: <20260512205437.360850-73-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620410544158500 From: Richard Henderson Fix the thread safety of the emulation by not storing a pointer in global storage. Signed-off-by: Richard Henderson Reviewed-by: Philippe Mathieu-Daud=C3=A9 Signed-off-by: Helge Deller (cherry picked from commit 784f1dde90df1ed57de0697adcd8ebfe7c342f58) Signed-off-by: Michael Tokarev diff --git a/linux-user/arm/nwfpe/fpa11.c b/linux-user/arm/nwfpe/fpa11.c index 44783934b2..15888463f7 100644 --- a/linux-user/arm/nwfpe/fpa11.c 
+++ b/linux-user/arm/nwfpe/fpa11.c @@ -29,7 +29,7 @@ //#include =20 =20 -FPA11* qemufpa =3D NULL; +__thread FPA11* qemufpa =3D NULL; =20 /* Reset the FPA11 chip. Called to initialize and reset the emulator. */ void resetFPA11(void) @@ -154,7 +154,6 @@ void SetRoundingPrecision(const unsigned int opcode) } =20 /* Emulate the instruction in the opcode. */ -/* ??? This is not thread safe. */ unsigned int EmulateAll(unsigned int opcode, FPA11* qfpa) { unsigned int nRc =3D 0; diff --git a/linux-user/arm/nwfpe/fpa11.h b/linux-user/arm/nwfpe/fpa11.h index 20f9d2eb81..659d38ae3a 100644 --- a/linux-user/arm/nwfpe/fpa11.h +++ b/linux-user/arm/nwfpe/fpa11.h 
@@ -74,7 +74,7 @@ typedef struct tagFPA11 { float_status fp_status; /* QEMU float emulator status */ } FPA11; =20 -extern FPA11* qemufpa; +extern __thread FPA11* qemufpa; =20 void resetFPA11(void); void SetRoundingMode(const unsigned int); --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619916; cv=none; d=zohomail.com; s=zohoarc; b=mET11u7ByFvOT/N+lCk4uOGg6Y894F7zXsR2n+JyUie76fYuOIo7OhqjohV4+hp3aawJ13z9a0PW11CqkXHrwCgONvtirh+3H6wqRHmOE9mnh/NqqyUOxMAKw6jIxPLq/S0CcsJWfMKyNzT/OKfbPl5Opllq1pm3jHqJNqLDJRw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619916; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=UK4/2OmlZTz0w07BSrXpQlwexAfDiKFnj6kNbJAgr1o=; b=iB/0DC5RTBk0wrMTLB0CpNVLZUc0iU45FwS+6EqBJ7yoKz7kDQsAJjMpc/oj/XG6wEMcjWYwrNNraKz2snbugXD94CdeqZCzGcOMGXf+rsCCz2ziQaXrxnZbYZRelq40wbL8F1dnFk/ANaHYL9gvqijkJ94qjVVaYzK/2v2kcJU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619916598939.0371347553528; Tue, 12 May 2026 14:05:16 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuGz-0005DI-6U; Tue, 12 May 2026 17:04:13 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps 
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuF4-0000VZ-BE; Tue, 12 May 2026 17:02:14 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEz-0007DS-Hx; Tue, 12 May 2026 17:02:12 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 4C2661AA316; Tue, 12 May 2026 23:54:38 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 56C5F3ABC87; Tue, 12 May 2026 23:54:42 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619278; bh=xQ0tfYZJImVR/Vx9+Xggt87X5l9btilef0bKAkoTapc=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=jVrJC0OmSFdBCNasa3yaCvwrnt5v1wuWfAWawT9YcAfynsW+NvDOEZpYsY/pevm7N OFhpwUM+G/3aoNiWsoLi25Go3lVxK+AKmukrhXuXynKO+f2Ez+TO0hqexG8/awi9PG 5kad0RvrFEZTXVM351EprHVlKAc/nFoWlckv6cgjSR+TRjkNKj3LQcC8u21q9oGM2D deOn6/5mwIwnq0ekYELPIR3NXSf5eIYI9q7ekKh4P1uZDj7uswIlhAh4pYNxtGhHzA z3WMyDbspjS1IdlueRSfKZdyeh7zQJrgiVRd+3V1jMBZjVrE7s6RJxeYUl+FvYdZu6 fNd/L/LmIGOvg== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Alistair Francis , Nutty Liu , Helge Deller , Michael Tokarev Subject: [Stable-10.0.10 074/107] linux-user/strace: Use pointer type for read and write values Date: Tue, 12 May 2026 23:54:01 +0300 Message-ID: <20260512205437.360850-74-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619916956158500 Content-Type: text/plain; charset="utf-8" From: Alistair Francis The stack pointer is being truncated as 32-bits for qemu-riscv64, so let's use %p to print the syscall pointer argument. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3238 Signed-off-by: Alistair Francis Reviewed-by: Nutty Liu Signed-off-by: Helge Deller (cherry picked from commit 1730e6f33f9732658b88c2e4eda257f50531ef0e) Signed-off-by: Michael Tokarev diff --git a/linux-user/strace.list b/linux-user/strace.list index 51b5ead969..eb1a414004 100644 --- a/linux-user/strace.list +++ b/linux-user/strace.list 
@@ -1114,7 +1114,7 @@ { TARGET_NR_quotactl, "quotactl" , NULL, NULL, NULL }, #endif #ifdef TARGET_NR_read -{ TARGET_NR_read, "read" , "%s(%d,%#x,%d)", NULL, NULL }, +{ TARGET_NR_read, "read" , "%s(%d,%p,%d)", NULL, NULL }, #endif #ifdef TARGET_NR_readahead { TARGET_NR_readahead, "readahead" , NULL, NULL, NULL }, 
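Review bot: The byte count, the third argument in the `read` row, is still formatted with `%d`, so a guest count above INT_MAX is printed as a negative or truncated value, which is the same kind of misleading trace output this change fixes for the buffer pointer. The `write` row in the next hunk has the same format. The code that consumes these format strings is outside the hunk, so how wide the arguments are when they reach the formatter should be checked there. As a minimum an unsigned conversion keeps large counts readable: `{ TARGET_NR_read, "read" , "%s(%d,%p,%u)", NULL, NULL },`.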
@@ -1674,7 +1674,7 @@ print_syscall_ret_waitpid }, #endif #ifdef TARGET_NR_write -{ TARGET_NR_write, "write" , "%s(%d,%#x,%d)", NULL, NULL }, +{ TARGET_NR_write, "write" , "%s(%d,%p,%d)", NULL, NULL }, #endif #ifdef TARGET_NR_writev { TARGET_NR_writev, "writev" , "%s(%d,%p,%#x)", NULL, NULL }, --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619868; cv=none; d=zohomail.com; s=zohoarc; b=NFAJMGgwYk32LBvZ0CZibrCkUOf15GlvptVE3Gm4rhl6QyKoEM4J28KMl5l2gvsGzwe7PMO2bpkk+TJHH6IqBFoKuT2XEyMVGGSSYuIOFauWF6nubg3s6NSDxl4SUFDu9J0gDcRWcTze22Us+ZHHVLgkj0BLkNrIl7iC3vCCSkM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619868; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=q9VDgEZ5JAlBqB6jEhFA9ZGAFfRsXcE+5wltH5cTDKk=; b=U1xHJkK9JNcZ41F1bc8gnjWGm2Wb6qrcgDnzuNc5q1Kl6Kw383x4lsDGEy6VL4jbe+jq51YrHl0NTudYs86koxUI+OWh1hVZlstBVEKSne9LsovgEQ71XM59cJmzaHIGptmXpIgRPKDiXQAffYYKmV8BWR4HqTiCLqzzUCHAORc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619868727765.663855542054; Tue, 12 May 2026 14:04:28 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuGw-0004xD-Oh; Tue, 12 May 2026 17:04:10 -0400 Received: from eggs.gnu.org 
([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuF2-0000JD-DZ; Tue, 12 May 2026 17:02:12 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuEy-0007Da-LU; Tue, 12 May 2026 17:02:10 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 5BE7C1AA317; Tue, 12 May 2026 23:54:38 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 672363ABC88; Tue, 12 May 2026 23:54:42 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619278; bh=wjKFdBI2hTktfmkYGQ1QHrVajNpvah9EuFHX1c2i0+s=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=w+tb3EyPW5e6o6HamfPEy31xzzf1GfGUxd+02mfFJk3KgDB3kklj+4xPnnnIxB/nY eGWdPNrkC15Y4s4SqZJc8O4Xlo42DIf8YQNVR30naV1UCxXb06tWkXHPMw9g5rlj1P Z9nlaehOZHHeVExD5W061Ou1MooB+J3wUhFjgOScQOGjBTx1tpyzgAG0bTolu1CnL/ WBpdKhYan1k4wg1OC3inWzx7U7BlM4wxhWF8kPtgmpAFOBSamRpwNjZQvRkGPaSREE 8ef+spgqfcjfyyvdLaPKxx+Ff9oDceIFdeOf2xqa9Mn2yKz8aT20zCtVKGKi7miJNx 4xpNpOBUPfjxw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, James Hilliard , Richard Henderson , Helge Deller , Michael Tokarev Subject: [Stable-10.0.10 075/107] linux-user/mips: sync k0 TLS for EF_MIPS_MACH_OCTEON userlands Date: Tue, 12 May 2026 23:54:02 +0300 Message-ID: <20260512205437.360850-75-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619870599158501 Content-Type: text/plain; charset="utf-8" 
From: James Hilliard Cavium Octeon userspace is not following a generic MIPS Linux TLS ABI rule here. Older Octeon glibc uses the k0 register as the fast thread pointer, while newer Octeon2 and Octeon3 glibc variants use the normal rdhwr $29 path. linux-user already updates CP0_UserLocal for cpu_set_tls() and TARGET_NR_set_thread_area, but it does not keep gpr[26] synchronized. That leaves EF_MIPS_MACH_OCTEON userlands able to complete set_thread_area() and still reach pthread startup or pthread_self() with a stale k0 value. Use the existing MIPS ELF machine flags from linux-user/elfload.c and mirror CP0_UserLocal into gpr[26] only for EF_MIPS_MACH_OCTEON. Signed-off-by: James Hilliard Reviewed-by: Richard Henderson Signed-off-by: Helge Deller (cherry picked from commit 4c681ba3b82d9a9f00a3f361399a1bb7612f3535) Signed-off-by: Michael Tokarev diff --git a/linux-user/elfload.c b/linux-user/elfload.c index 0f05db4715..a791396ead 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -3405,6 +3405,9 @@ static void load_elf_image(const char *image_name, co= nst ImageSource *src, /* Usual start for brk is after all sections of the main executable. */ info->brk =3D TARGET_PAGE_ALIGN(hiaddr + load_bias); info->elf_flags =3D ehdr->e_flags; +#ifdef TARGET_MIPS + info->use_k0_tls =3D (ehdr->e_flags & EF_MIPS_MACH) =3D=3D EF_MIPS_MAC= H_OCTEON; +#endif =20 prot_exec =3D PROT_EXEC; #ifdef TARGET_AARCH64 diff --git a/linux-user/mips/target_cpu.h b/linux-user/mips/target_cpu.h index c375616c55..2bbd0a81c5 100644 --- a/linux-user/mips/target_cpu.h +++ b/linux-user/mips/target_cpu.h 
@@ -35,7 +35,12 @@ static inline void cpu_clone_regs_parent(CPUMIPSState *e= nv, unsigned flags) =20 static inline void cpu_set_tls(CPUMIPSState *env, target_ulong newtls) { + TaskState *ts =3D get_task_state(env_cpu(env)); + env->active_tc.CP0_UserLocal =3D newtls; + if (ts->info->use_k0_tls) { + env->active_tc.gpr[26] =3D newtls; + } } =20 static inline abi_ulong get_sp_from_cpustate(CPUMIPSState *state) diff --git a/linux-user/qemu.h b/linux-user/qemu.h index 5f00750151..f2b16ef54b 100644 --- a/linux-user/qemu.h +++ b/linux-user/qemu.h @@ -64,6 +64,7 @@ struct image_info { uint32_t note_flags; =20 #ifdef TARGET_MIPS + bool use_k0_tls; int fp_abi; int interp_fp_abi; #endif diff --git a/linux-user/syscall.c b/linux-user/syscall.c index f2c8037356..ea1711ff95 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c 
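Review bot: `cpu_set_tls` now dereferences `ts->info` without a check, and the literal `gpr[26]` gives no hint that it is the k0 register. Nothing in the hunk shows that every caller already has a TaskState with `info` attached when TLS is set (for example on a freshly cloned CPU). That ordering should be confirmed in the callers, which are outside the hunk apart from the `TARGET_NR_set_thread_area` case in syscall.c. I would record both facts above the `if`: `/* Older Octeon glibc reads the thread pointer from k0 ($26); ts->info must already be set. */`.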
@@ -12972,7 +12972,7 @@ static abi_long do_syscall1(CPUArchState *cpu_env, = int num, abi_long arg1, #ifdef TARGET_NR_set_thread_area case TARGET_NR_set_thread_area: #if defined(TARGET_MIPS) - cpu_env->active_tc.CP0_UserLocal =3D arg1; + cpu_set_tls(cpu_env, arg1); return 0; #elif defined(TARGET_I386) && defined(TARGET_ABI32) return do_set_thread_area(cpu_env, arg1); --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620162; cv=none; d=zohomail.com; s=zohoarc; b=oIDbJOr2z5CYp/LL8PnhdaE7dZtpHQDea+WXHfE/n3bdZJuSzMbuysNrrnJ5g9AxUElP8hKES6VFtQ9M4UipA9tjdpP2QZPdJyw2wn8yjPVFHJisTPES1lkk7HCVW9PxnWMJcsMSoCUyl4U+9i0oUWBki/Fghm6/atUtWtluIro= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620162; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=kR9RqGYAWYjZrvVSJalUG1JIkK8JgdhAwmLj9ZnB/Ak=; b=c/Qx7A5TmmimiyKzs/aw9akJLXl77liChqAWhelMC+XjhVS8YTIrojQuTbUHyMfcwU0sSC3KeKUN+zo8rzmNgRbAOZlXUpH8NeHyD550/sLwbJhYJxtYLcP7jwGZKjwPLdIy06aKbAhovnQEdvHatE+3ON/s73QzN3/2fYZ4ASE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620162145518.8076993550617; Tue, 12 May 2026 14:09:22 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuGe-0002ZK-By; Tue, 
12 May 2026 17:03:52 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuF9-0000nM-Eb; Tue, 12 May 2026 17:02:23 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuF4-0007Ro-Dt; Tue, 12 May 2026 17:02:17 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 686B21AA318; Tue, 12 May 2026 23:54:38 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 775163ABC89; Tue, 12 May 2026 23:54:42 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619278; bh=3SPDU/MzEED/in/FPcMMdlRMZaMC11Nee7F0BCRqMtM=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=SbDqQPZiITzQLY2R7PLoFNPmEXyAFJ9vuRGpiFJlSGMcJSGIdfiWDbf8r/vD3kV4v PkeTa5nc2Pp/QNdEo8MnWURQNAKBdwkrpyhB4U4TXouyyH5KuvpQ3kZS2paor+PXep PPllDVGe0o0/vzhjf2rhqVuT/ZbqlMgBoi4InTpodgOlsNC7D5SwpXhvi3gIyOjX/6 ruST5gVRLmHL8Rx0IfFjrqGSFcboDri74jV2AfitYHsldZFym2w5Yh2lp+ASMmHsIk Hd1r5lSLtfu5zzKHFEGQrdvDUrGDVeonIqhWQGS4TBCuK5Jf6Np1WxtlfnppW+dgHo QJAnJvfFgDkQw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Helge Deller , Michael Tokarev Subject: [Stable-10.0.10 076/107] linux-user: Define SO_TIMESTAMP*_NEW and SO_RCVTIMEIO_NEW Date: Tue, 12 May 2026 23:54:03 +0300 Message-ID: <20260512205437.360850-76-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620164059154101 Content-Type: text/plain; charset="utf-8" From: Helge Deller Define the entries which always use the 64-bit timestamps. Signed-off-by: Helge Deller (cherry picked from commit 8b60ed835478a787dd60e0f7308a65f6d35b0268) Signed-off-by: Michael Tokarev diff --git a/linux-user/alpha/sockbits.h b/linux-user/alpha/sockbits.h index d54dc98c09..0201ab9374 100644 --- a/linux-user/alpha/sockbits.h +++ b/linux-user/alpha/sockbits.h 
@@ -75,6 +75,13 @@ /* Instruct lower device to use last 4-bytes of skb data as FCS */ #define TARGET_SO_NOFCS 43 =20 +#define TARGET_SO_TIMESTAMP_NEW 63 +#define TARGET_SO_TIMESTAMPNS_NEW 64 +#define TARGET_SO_TIMESTAMPING_NEW 65 + +#define TARGET_SO_RCVTIMEO_NEW 66 +#define TARGET_SO_SNDTIMEO_NEW 67 + /* TARGET_O_NONBLOCK clashes with the bits used for socket types. Therefo= re we * have to define SOCK_NONBLOCK to a different value here. */ diff --git a/linux-user/generic/sockbits.h b/linux-user/generic/sockbits.h index b3b4a8e44c..33e6c3a572 100644 --- a/linux-user/generic/sockbits.h +++ b/linux-user/generic/sockbits.h @@ -58,4 +58,12 @@ =20 #define TARGET_SO_PROTOCOL 38 #define TARGET_SO_DOMAIN 39 + +#define TARGET_SO_TIMESTAMP_NEW 63 +#define TARGET_SO_TIMESTAMPNS_NEW 64 +#define TARGET_SO_TIMESTAMPING_NEW 65 + +#define TARGET_SO_RCVTIMEO_NEW 66 +#define TARGET_SO_SNDTIMEO_NEW 67 + #endif diff --git a/linux-user/hppa/sockbits.h b/linux-user/hppa/sockbits.h index 23f69a3293..2304dbbf79 100644 --- a/linux-user/hppa/sockbits.h +++ b/linux-user/hppa/sockbits.h @@ -67,6 +67,13 @@ =20 #define TARGET_SO_CNX_ADVICE 0x402E =20 +#define TARGET_SO_TIMESTAMP_NEW 0x4038 +#define TARGET_SO_TIMESTAMPNS_NEW 0x4039 +#define TARGET_SO_TIMESTAMPING_NEW 0x403A + +#define TARGET_SO_RCVTIMEO_NEW 0x4040 +#define TARGET_SO_SNDTIMEO_NEW 0x4041 + /* TARGET_O_NONBLOCK clashes with the bits used for socket types. Therefo= re we * have to define SOCK_NONBLOCK to a different value here. */ diff --git a/linux-user/mips/sockbits.h b/linux-user/mips/sockbits.h index 562cad88e2..1f479d54aa 100644 --- a/linux-user/mips/sockbits.h +++ b/linux-user/mips/sockbits.h 
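Review bot: None of the added `TARGET_SO_*_NEW` blocks says what separates them from the existing options, and in the sparc hunk `TARGET_SO_TIMESTAMP_NEW` is 0x0046 while its four siblings run from 0x0042 to 0x0045, which reads like a typo unless it is stated to be intentional. The missing comment applies to the alpha, generic, hppa, mips and sparc hunks alike. I would put one line above each block, `/* *_NEW variants always use 64-bit time values */`. In the sparc file I would also add `/* out of sequence on purpose; matches the target kernel header */`, once that has been checked against the kernel's sparc socket header.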
@@ -71,6 +71,13 @@ #define TARGET_SO_RCVBUFFORCE 33 #define TARGET_SO_PASSSEC 34 =20 +#define TARGET_SO_TIMESTAMP_NEW 63 +#define TARGET_SO_TIMESTAMPNS_NEW 64 +#define TARGET_SO_TIMESTAMPING_NEW 65 + +#define TARGET_SO_RCVTIMEO_NEW 66 +#define TARGET_SO_SNDTIMEO_NEW 67 + /** sock_type - Socket types * * Please notice that for binary compat reasons MIPS has to diff --git a/linux-user/sparc/sockbits.h b/linux-user/sparc/sockbits.h index 0a822e3e1f..42ecfdc8f9 100644 --- a/linux-user/sparc/sockbits.h +++ b/linux-user/sparc/sockbits.h 
@@ -61,6 +61,13 @@ #define TARGET_SO_TIMESTAMPING 0x0023 #define TARGET_SCM_TIMESTAMPING TARGET_SO_TIMESTAMPING =20 +#define TARGET_SO_TIMESTAMP_NEW 0x0046 +#define TARGET_SO_TIMESTAMPNS_NEW 0x0042 +#define TARGET_SO_TIMESTAMPING_NEW 0x0043 + +#define TARGET_SO_RCVTIMEO_NEW 0x0044 +#define TARGET_SO_SNDTIMEO_NEW 0x0045 + #define TARGET_SO_RXQ_OVFL 0x0024 =20 #define TARGET_SO_WIFI_STATUS 0x0025 --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619917; cv=none; d=zohomail.com; s=zohoarc; b=LByTLcBQ+9uIQxfzZ11Gj2BY+4on3Qjuh4XT8r2oALYrHZZpPeehs9T+DcuDAREYQb3EfNeC83Qx6eTaDNYgKh/nmzY81RcFSx4YXZlu9hw/m6GdoBL97xmahKBznDX3sBXPZ0gZpdgWMAc8WTHnzW8razMD7ZAPWP7ZHLkoD0M= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619917; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=LRF1liiYZgDhhocDjWrV3RHg5WiX6tI1wrbffYsy+xA=; b=mtktO3mgd2VNS3orhWwNXoVWvGuPRJBTCSyg/0dsrcbixu5bvYVV2I16YumqJ7SQrUPaza5bNoucuq/YCs7+PnO/aiPP+IsYQ8OqeIMifO7Oo6WgYeQHBEKC0dhJA1d8xNr0Ui6OR4l4Xjxjr/eKHGvQl5A2G26DJ5vLNCob/+k= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619917918278.2843092919268; Tue, 12 May 2026 14:05:17 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from 
) id 1wMuHB-0005d6-8N; Tue, 12 May 2026 17:04:27 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuFC-0000o8-OB; Tue, 12 May 2026 17:02:24 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuF6-0007SE-Jr; Tue, 12 May 2026 17:02:19 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 7424D1AA319; Tue, 12 May 2026 23:54:38 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 82AF53ABC8A; Tue, 12 May 2026 23:54:42 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619278; bh=1/TSLzjAVYRRv/xzNNyBNBSMJT7PrimQSolihAgh+ZM=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=Uc86UziMEtirRkNjKJFenKAxX715FRnwXU49Lo9mMxt+AymtP5Da6gmKgcYLvPDy9 Z9S6ehUTU+vLK7PbcZHDZVWFFxh145HIOdhZkXr9oqKwmJAtamapv9rMubGIJYpgLH E5voQmQTfY4hNih1UA0sGAHMzOEkMwaLPh+qmIjuzBxkXYONKKNsu4QvJDHq6PB2op 5XGrtVKhlfnHR9hdt6fRmVhxDtTvy0iOiNiSE/eTiPLbEfP7qNSfawLOKTRStDFaKt SeXyCFHu7W8T4TGIiLLlMwkwOAUcBqf1Igy7eO76y9icTkWj2Xs/5eRC7OktHBdZbN ABn9BXqPsFnRQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Helge Deller , Michael Tokarev Subject: [Stable-10.0.10 077/107] linux-user: Add setsockopt() for SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW Date: Tue, 12 May 2026 23:54:04 +0300 Message-ID: <20260512205437.360850-77-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619918934158500 Content-Type: text/plain; charset="utf-8" From: Helge Deller Add handlers for both sockopts which use 64-bit time_t from userspace. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/885 Signed-off-by: Helge Deller (cherry picked from commit edb4588309a753dea40f338fb8e02e3cfc2eed70) Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index ea1711ff95..d2c98b7237 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c 
@@ -1147,7 +1147,6 @@ static inline abi_long copy_to_user_timeval(abi_ulong= target_tv_addr, return 0; } =20 -#if defined(TARGET_NR_clock_adjtime64) && defined(CONFIG_CLOCK_ADJTIME) static inline abi_long copy_from_user_timeval64(struct timeval *tv, abi_ulong target_tv_addr) { @@ -1164,7 +1163,6 @@ static inline abi_long copy_from_user_timeval64(struc= t timeval *tv, =20 return 0; } -#endif =20 static inline abi_long copy_to_user_timeval64(abi_ulong target_tv_addr, const struct timeval *tv) 
@@ -2395,6 +2393,25 @@ static abi_long do_setsockopt(int sockfd, int level,= int optname, &tv, sizeof(tv))); return ret; } + case TARGET_SO_RCVTIMEO_NEW: + case TARGET_SO_SNDTIMEO_NEW: + { + struct timeval tv; + + if (optlen !=3D sizeof(struct target__kernel_sock_timeval)= ) { + return -TARGET_EINVAL; + } + + if (copy_from_user_timeval64(&tv, optval_addr)) { + return -TARGET_EFAULT; + } + + ret =3D get_errno(setsockopt(sockfd, SOL_SOCKET, + optname =3D=3D TARGET_SO_RCVTIMEO_NEW ? + SO_RCVTIMEO : SO_SNDTIMEO, + &tv, sizeof(tv))); + return ret; + } case TARGET_SO_ATTACH_FILTER: { struct target_sock_fprog *tfprog; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620171; cv=none; d=zohomail.com; s=zohoarc; b=m3U6Zo1Ka9RGM4jsSCW8st55VAZKyS2QvYuqIJTo8BdBqv4GYqEQbOirfFz0K2cvr1X1uUo/2o4vkjkrrRsQDJEioj6zmus0AuBTWa3bfWhTaiz3tvCPKwQ/59+nYDgnmPeuCEXZ8HqMuwDddOlrVaM2/7/X8S3m2raEupLJY6c= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620171; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=DYehDwPVay4T0h7junsGWmjXJAJHAxqNa3/4DGISm1Q=; b=HMscSBk3MvMZvVL1bpOCDA0mkoeRM5V1uEaOPwSGPCmg15wnaaZUvA1675gnI55IO8hmCBbcNyLm1QEIDakcqdHe+hTERkwaMkCbhqgoCzpvDuZyXbBEHUay+K69B1P5sBGuoAwX/WFsjpMwk7McBSGsvwIM5Fj3bdQne//egik= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org 
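Review bot: The new case rejects every `optlen` that is not exactly `sizeof(struct target__kernel_sock_timeval)`, while Linux, as far as I know, only rejects lengths that are too short, so a guest that passes a larger buffer would get EINVAL here but succeed on real hardware. Only the structure size is read from guest memory either way, so a lower bound is enough to keep the copy safe: `if (optlen < sizeof(struct target__kernel_sock_timeval)) {`. Separately, `copy_from_user_timeval64` fills a host `struct timeval`, and its body is outside the hunk. Whether a 64-bit guest `tv_sec` is range-checked on hosts with a narrower `time_t` should be confirmed there. `do_setsockopt` itself starts and ends outside the hunk.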
[209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620171904968.5852312054506; Tue, 12 May 2026 14:09:31 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuGm-0003Yi-9R; Tue, 12 May 2026 17:04:02 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuFX-0001Ga-W6; Tue, 12 May 2026 17:02:47 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuFW-0007T1-8X; Tue, 12 May 2026 17:02:43 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 800A91AA31A; Tue, 12 May 2026 23:54:38 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 8E5653ABC8B; Tue, 12 May 2026 23:54:42 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619278; bh=8qtCYuQfI++Z6qR7z8uRfyCP0yY4AcPXt1QMjS9zDdM=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=H9rE72WjZxIz52gGyBrenKeArtUaj4P6AxDobMrfFG3v0xsud/jwMSaloLfk+FGE9 M8dVytFhJ3VYbdCXEzfQgLU2cLvEexcvoKYxyZ3iWqX/f7R2Y8qrS8f2LyZCirkJ5x XxiN51G+rnweyt8a8A+gusEiA/z4nhpGy6R2PmlGJvjG6Uq3dRpbSqpj5Ds3I/Px0j fITq4Y55eje4MIkmYoHQjiJgZzTOxXHhSGajjNZbNwpT4xs/w10CcA/Y2kXKd9PLis PwO+DO0bSdYev0QzTWkquBuO+S1yhrVe6+OwRx+9jP2TGnijb4tBAFFAzt5q+RlkzS waUZeh/CbHRFw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Helge Deller , Michael Tokarev Subject: [Stable-10.0.10 078/107] linux-user: Add getsockopt() for SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW Date: Tue, 12 May 2026 23:54:05 +0300 Message-ID: <20260512205437.360850-78-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620173033158500 Content-Type: text/plain; charset="utf-8" From: Helge Deller Add handlers for both sockopts which use 64-bit time_t from userspace. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/885 Signed-off-by: Helge Deller (cherry picked from commit 07c7decaa54a83bd1656b2645074380714b83374) Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index d2c98b7237..76b655da2b 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c 
@@ -2625,7 +2625,8 @@ static abi_long do_getsockopt(int sockfd, int level, = int optname, /* These don't just return a single integer */ case TARGET_SO_PEERNAME: goto unimplemented; - case TARGET_SO_RCVTIMEO: { + case TARGET_SO_RCVTIMEO: + case TARGET_SO_RCVTIMEO_NEW: { struct timeval tv; socklen_t tvlen; =20 @@ -2645,11 +2646,17 @@ get_timeout: if (ret < 0) { return ret; } - if (len > sizeof(struct target_timeval)) { - len =3D sizeof(struct target_timeval); - } - if (copy_to_user_timeval(optval_addr, &tv)) { - return -TARGET_EFAULT; + if (len =3D=3D sizeof(struct target__kernel_sock_timeval)) { + if (copy_to_user_timeval64(optval_addr, &tv)) { + return -TARGET_EFAULT; + } + } else { + if (len >=3D sizeof(struct target_timeval)) { + len =3D sizeof(struct target_timeval); + if (copy_to_user_timeval(optval_addr, &tv)) { + return -TARGET_EFAULT; + } + } } if (put_user_u32(len, optlen)) { return -TARGET_EFAULT; 
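Review bot: The copy-out after `get_timeout:` chooses between the 64-bit and the legacy layout from the guest-supplied `len` instead of from the option that was requested. On a target where `struct target_timeval` is smaller than `struct target__kernel_sock_timeval`, a legacy `TARGET_SO_RCVTIMEO` call whose buffer happens to have the 64-bit size is answered in the 64-bit layout, and a `_NEW` call with any other length is answered in the legacy one. When `len` is below `sizeof(struct target_timeval)` nothing is written, yet `len` is stored back and the call succeeds, so the guest reads whatever was already in its buffer. The target option is overwritten before this point (the third hunk shows `optname = SO_SNDTIMEO`), so the choice needs a flag set at the case labels. The sketch assumes a `bool want_tv64` declared and initialised to false at function scope, outside the hunk, and it fails closed on short buffers; a partial copy is the alternative if kernel fidelity matters more. The case block and `do_getsockopt` both extend beyond the hunk.

```c
        case TARGET_SO_RCVTIMEO_NEW:
            want_tv64 = true;
            /* fall through */
        case TARGET_SO_RCVTIMEO: {
            /* … unchanged: locals, optname assignment, get_timeout label, getsockopt() call and ret check … */
            if (want_tv64) {
                if (len < sizeof(struct target__kernel_sock_timeval)) {
                    return -TARGET_EINVAL;
                }
                len = sizeof(struct target__kernel_sock_timeval);
                if (copy_to_user_timeval64(optval_addr, &tv)) {
                    return -TARGET_EFAULT;
                }
            } else {
                if (len < sizeof(struct target_timeval)) {
                    return -TARGET_EINVAL;
                }
                len = sizeof(struct target_timeval);
                if (copy_to_user_timeval(optval_addr, &tv)) {
                    return -TARGET_EFAULT;
                }
            }
            /* … unchanged: put_user_u32(len, optlen) and break … */
        case TARGET_SO_SNDTIMEO_NEW:
            want_tv64 = true;
            /* fall through */
        case TARGET_SO_SNDTIMEO:
            /* … unchanged: optname = SO_SNDTIMEO; goto get_timeout; … */
```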
@@ -2657,6 +2664,7 @@ get_timeout: break; } case TARGET_SO_SNDTIMEO: + case TARGET_SO_SNDTIMEO_NEW: optname =3D SO_SNDTIMEO; goto get_timeout; case TARGET_SO_PEERCRED: { --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619917; cv=none; d=zohomail.com; s=zohoarc; b=UK/7Ov3UcBypy+GZsyxDk6NT9K593QSxhUB+P0RVZ1FkNwqy5CUuN8E8vHZjpjQbeoVNNKc5LVIbBvoEDYkEpFY99zaqK7Xdmxr+zzLRDDrSPoFNGk2jipCW0HPMyBjkZL4k9dkCZWapI4A1YV8cgbFZNBxwr+9tnKWhHeSbnGg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619917; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=7QfsIh7+ZV3gSR4GJ69eXNnnkTYuUwP5yTMt6z2DLmk=; b=WHge0dLGh54a4nut2y16U+fPswsBJ123NAoYMTWtDWFxpjQb0HqSwEQuzmss5kZv3NoC/TEHlsoLtulsdmaudGl8YdXfko8g6U5WjWFMdYnIofsFKvbETu3ARTwGIGze8kcAX6bEztkhLgO8qY+cNvxr+CT2yIcTuhFKFHn3/3w= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619917891529.106571488772; Tue, 12 May 2026 14:05:17 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuH7-0005Um-0I; Tue, 12 May 2026 17:04:23 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 
1wMuFc-0001Hc-8L; Tue, 12 May 2026 17:02:50 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuFZ-0007TN-8G; Tue, 12 May 2026 17:02:47 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 8D48B1AA31B; Tue, 12 May 2026 23:54:38 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 9AA123ABC8C; Tue, 12 May 2026 23:54:42 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619278; bh=Oxnn/p4hWsGbo0BtdSTt1klBit61xfYZcqMMePjFsvc=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=YDAMNwObEz144sBcVM7BVMD1L/4Q+uEul090gzgg/qdbhsRO25QRjtMoVuZ9j9VkY i9qtIHp3zYWF2lgB1P8W+lnV9lHA1MIiSC4UEH75irn+0X0UojplIHHRgWmnXXW9bF Ae7o4n+a2F0KjxyZGelho/Mm7Gy+IXhhLedEfwnkz7sm+locs81rtCOM6+UykIl8uC vgeCk9kjg4xnkGN/N5+VxbjQ+4OOjNL9zIrgkfrs8hRNhXV2XwyiHqbLQwlNNyAl4I 4hlMWkhMV+vsVl6w7WgBbXJzTdGjNlUzM9CeExXAHLIdTNdbzX8FxOLNJKZgopUCo6 XuBhCUxTtyv+g== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Helge Deller , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.10 079/107] linux-user: Fix CLONE_PARENT_SETTID when using fork-like clone Date: Tue, 12 May 2026 23:54:06 +0300 Message-ID: <20260512205437.360850-79-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619919392154100 Content-Type: text/plain; charset="utf-8" From: Helge Deller The CLONE_PARENT_SETTID option requires the implementation to store the child thread ID at the location pointed to by parent_tid in the parent's memory. Fix our implementation and move the code from the client side (where fork returned 0), to the parent side and store the return value from the fork call (which is the client TID) in the parent_tid pointer. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3340 Signed-off-by: Helge Deller Reviewed-by: Peter Maydell (cherry picked from commit b03a6ac6fa5d7775b9f912fa5c39f7b92388c6a2) 
Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 76b655da2b..b8b256c430 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -6918,8 +6918,6 @@ static int do_fork(CPUArchState *env, unsigned int fl= ags, abi_ulong newsp, the child process gets its own copy of the lock. */ if (flags & CLONE_CHILD_SETTID) put_user_u32(sys_gettid(), child_tidptr); - if (flags & CLONE_PARENT_SETTID) - put_user_u32(sys_gettid(), parent_tidptr); ts =3D get_task_state(cpu); if (flags & CLONE_SETTLS) cpu_set_tls (env, newtls); 
@@ -6927,6 +6925,8 @@ static int do_fork(CPUArchState *env, unsigned int fl= ags, abi_ulong newsp, ts->child_tidptr =3D child_tidptr; } else { cpu_clone_regs_parent(env, flags); + if (flags & CLONE_PARENT_SETTID) + put_user_u32(ret, parent_tidptr); if (flags & CLONE_PIDFD) { int pid_fd =3D 0; #if defined(__NR_pidfd_open) && defined(TARGET_NR_pidfd_open) --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619936; cv=none; d=zohomail.com; s=zohoarc; b=aLt9mZNJlqqEsfo6jtIXqK0DUJVOCfHjZ3rf8XlTb3+HnasDCqBVzCm6WaUuOBTMwVAnGpgQMqjsOp58xn29Rjt8QtQTyiXQcMjZZJGdeTVePzqLGuHIFg0pbw/sWeh0WdRvCYIgahCcQMMhMSwxQ7wecDa2r58SZ+gEHe4ICVI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619936; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=AaAhf1m86vnIolAQJntg4N6w0H3ya1wFt1ziRZqCQgE=; b=SanJcAf8FoQBasq1FkEcwDu7MVHh7KchjbNQofP03G0koyE56RpwfZUUNgA1ZYBOFi+LR35wNDWqWUCHmOXG9Q6PEV1x3KYyUjNeViW3oTKZCdh0kUHuS8LaVqtH4jEHA3kjp9xAFRMtffm6Rr5miD410y+iEII+Q/6Jo1cssGg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619936674513.5705736386826; Tue, 12 May 2026 14:05:36 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuHK-0006BK-MW; Tue, 12 May 2026 
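Review bot: The added `put_user_u32(ret, parent_tidptr)` sits in the plain `else` branch; if that branch is also taken when the host fork fails (the assignment to `ret` is outside the hunk), a negative value is stored at the guest's `parent_tid` location. Guarding it as `if (ret > 0 && (flags & CLONE_PARENT_SETTID))` would leave guest memory untouched on failure. The return value of `put_user_u32()` is dropped, as it was in the removed child-side code, so a bad `parent_tidptr` goes unreported; a short comment saying this is deliberate would help. `do_fork` continues outside the hunk.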
17:04:34 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuFd-0001Hz-Fz; Tue, 12 May 2026 17:02:51 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuFa-0007ga-Rv; Tue, 12 May 2026 17:02:49 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 9B4031AA31C; Tue, 12 May 2026 23:54:38 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id A80913ABC8D; Tue, 12 May 2026 23:54:42 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619278; bh=MIEzqSu2UCJqfnFNsi6ybVFRhFehRgAJkGf+Ac9Sm7Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=C950thBGTEHn+OHsk5wrK/SmssvmzRB+rjc/wikE2wepRhlBo5m95JVZzKkpgFq1H gzLyuqXiMEMj6KTBVm9S71oPZwFQ1LB5l61NbOSPqBSvVm5BW9b+PniyCSIVBniv1/ l4uMkJC4cdsUoTTGR9bWHALS0cTbyTpXnTSnC9gVLYQG9BJZXJv6h0mMYWSG4sM+xg ixTPLiBTn83NUHDu5WIoR4egmX3j+Y00PD+dKk9IrW4O2s6AJT6Mx4x/8Ef77RWG4E We1EqruCDOf0PcYKJjGgxBCmDzmwNSSWjAWmKlx1NLMdQT5C66Ajs9HNYvi4QdF6SS 2m35mJ7e5ZTFA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Helge Deller , Peter Hartley , Michael Tokarev Subject: [Stable-10.0.10 080/107] linux-user: Use abi_int for imr_ifindex in ip_mreqn struct Date: Tue, 12 May 2026 23:54:07 +0300 Message-ID: <20260512205437.360850-80-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619937261158500 Content-Type: text/plain; charset="utf-8" From: Helge Deller Peter Hartley noticed, that in the qemu code the imr_ifindex member of struct target_ip_mreq needs to be of type "int" instead of "long", which is what the Linux kernel uses on all architectures. Adjust the type accordingly, and add a QEMU_BUILD_BUG_ON() checker to prevent such issues in the future. This change should fix multicast issues when using hosts and guests with different endianess or bit size. Reported-by: Peter Hartley Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2553 
Signed-off-by: Helge Deller (cherry picked from commit e2af3eadc09b3672017c650e0abfd29a08521921) Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index b8b256c430..905db117ff 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -2165,6 +2165,8 @@ static abi_long do_setsockopt(int sockfd, int level, = int optname, =20 QEMU_BUILD_BUG_ON(sizeof(struct ip_mreq) !=3D sizeof(struct target_ip_mreq)); + QEMU_BUILD_BUG_ON(sizeof(struct ip_mreqn) !=3D + sizeof(struct target_ip_mreqn)); =20 if (optname =3D=3D IP_MULTICAST_IF) { min_size =3D sizeof(struct in_addr); diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h index 86bdf88be7..1c546ce1a0 100644 --- a/linux-user/syscall_defs.h +++ b/linux-user/syscall_defs.h 
@@ -210,7 +210,7 @@ struct target_ip_mreq { struct target_ip_mreqn { struct target_in_addr imr_multiaddr; struct target_in_addr imr_address; - abi_long imr_ifindex; + abi_int imr_ifindex; }; =20 struct target_ip_mreq_source { --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620166; cv=none; d=zohomail.com; s=zohoarc; b=A6Aaas35i125r8NjFPe9YOC9SS1OopGGTARpU1UwZa2mzrjEMD9K78P9ciWAXFXUBqOZXCoA83y1EjBHPeVyPgeez7dVm1UWdigXXwQMF29Ktfy3Duh2c21aytvAgX2+xuRIsO6hDosHGewqACKZhmWP3vBBHGrJSC+JCQzcVck= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620166; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=K1tfsoCKIEyh4SHZ9cNosH6WWPm5tShyjtuGsP1cw9k=; b=ajMjeytQuIf32L+Fv3y1OnX8o5QH3crGzzoL2aZRrxn5YGsomLdgcgzEwhqvru/+bV9gOKSwB0zERojLSITtFulwn/uAbH82T9nZleXHQm+xpXl+85FqHXpXZ6kKuryhAK9xXaPt1EeZrTN6BO/FR/8klBJjzqePdvXDCtRP4B8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620166515995.4736563935018; Tue, 12 May 2026 14:09:26 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuGs-0004VM-SP; Tue, 12 May 2026 17:04:07 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps 
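Review bot: Nothing at the field records why `imr_ifindex` is `abi_int` when the type it replaces was `abi_long`, so a later cleanup could revert it; a comment on the member such as `/* int in the kernel ABI on every architecture, not long */` would pin that. The `QEMU_BUILD_BUG_ON` added in `do_setsockopt` compares only `sizeof`, so it would not notice a reordered or mis-typed member of the same total size. The code that converts `imr_ifindex` between guest and host representation is not in either hunk; it is worth confirming it does not use a helper sized for `abi_long`.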
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuFi-0001Qy-EO; Tue, 12 May 2026 17:03:00 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuFe-0007gx-RA; Tue, 12 May 2026 17:02:53 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id B20551AA31D; Tue, 12 May 2026 23:54:38 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id B61A93ABC8E; Tue, 12 May 2026 23:54:42 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619278; bh=58bcFKJKFzhLq1flbHeG42oCoSB9ipPrqaov/X5rH4k=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=rBStogTxb4xE5rFVMYAMFDNj7uCfvt5CaNnHI/Uz0kBlfYskiyP6tKfVvy+VCEnmE X5OP3EQJvpN3d5AMVWf1saSNk9DClKd4Z1XoXVqQlloZiSuOSPm0cJnvvmvVIrCOnK qJY7dAopW5rjcWtWiJ0HTS5TcHz69IHlxQjTw/aNyxCMoSNhxX/gsNrxe4r3gouTN2 J/vP6q8HYrOW36XZeUjUWmPmOqP7u77EubJHW1vbUQFJ2BKbP/9RjHTCwqPhzv7Eig waDukelkBTTMtEeD4kjny7FUpVgO8rrB4dcAMoquCTMK14QrNDTahc0VjSgwLrvu3M RaWPb2uMRKawg== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Helge Deller , Michael Tokarev Subject: [Stable-10.0.10 081/107] linux-user: Flush errors by using exit() instead of _exit() in error path Date: Tue, 12 May 2026 23:54:08 +0300 Message-ID: <20260512205437.360850-81-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620167003158500 Content-Type: text/plain; charset="utf-8" From: Helge Deller Qemu user mode does not properly flushes error messages related to bad arguments when exiting (at least when the output is piped to a file instead of running on a terminal). Ensure that we always flush by using exit() instead of _exit(). Reported by: Tobias Bergkvist Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2544 Signed-off-by: Helge Deller (cherry picked from commit 9e7734ead149d73f1d25f61d0b7f075d4b2cb07d) Signed-off-by: Michael Tokarev diff --git a/linux-user/main.c b/linux-user/main.c index db99160d2d..39ac98a74a 100644 --- a/linux-user/main.c 
+++ b/linux-user/main.c 
@@ -786,7 +786,7 @@ int main(int argc, char **argv, char **envp) execfd =3D open(exec_path, O_RDONLY); if (execfd < 0) { printf("Error while loading %s: %s\n", exec_path, strerror(err= no)); - _exit(EXIT_FAILURE); + exit(EXIT_FAILURE); } } =20 --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620634; cv=none; d=zohomail.com; s=zohoarc; b=bFsGXgCvSjukRFNGl7SDwRiLHq7tY0oD03s5WmbCJng3Ra5nJetd987xGdF//0KuXgxPPXPeFwDENvp45jF0Fd5M4prm2ndIwwHWJkdBNP+ZJ28GJC11PzOo3MPAvhBd3MiuySpAODLa4uLeUljrYt1Cme3WVpueCXbtpDUvQis= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620634; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=/y8jIGtWlCHAvB7KdZ2np7C0VJtkegXq/FWXWjf7/uA=; b=bd5dGsp1G2qjmopgmK4lZrcCbkac82cYnqLHkGhTMw4nqHeWq/JYd3VRXBseQyfFlQV7u7CjcZW9kezCzdJ7SHSsP+wpuI/P3o330PBRv7tLjFnpy8cfWLhv7cjq90MJPQ0gQUwa9cKvwA4BhQy4J/JXqnKQOyMMu2xglh1loDg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620634077331.4247702581989; Tue, 12 May 2026 14:17:14 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuHI-0005qx-En; Tue, 12 May 2026 17:04:32 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps 
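Review bot: The message this hunk is meant to make visible is still written with `printf()` to stdout, so the error lands in the program's output stream and relies on `exit()` flushing a buffered stream. Writing it to stderr, `fprintf(stderr, "Error while loading %s: %s\n", exec_path, strerror(errno));`, keeps it out of redirected output. `exit()` also runs any registered `atexit` handlers where `_exit()` did not; that looks harmless this early in `main`, whose body continues outside the hunk, but it is worth confirming.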
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuFi-0001RK-VU; Tue, 12 May 2026 17:03:02 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuFg-0007hG-Sa; Tue, 12 May 2026 17:02:54 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id C2A201AA31E; Tue, 12 May 2026 23:54:38 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id CD4593ABC8F; Tue, 12 May 2026 23:54:42 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619278; bh=52jW1o5cTK1eBP4U9ksmYyUiRueyfsgrbtC3bQ945eg=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=cyADw254LxGNCpQZjySo38m/Rm1zQVUyMNb/jPC1FNZN4yyoYmvafrnLZZLpXA/tE PcN5vWG5XJ8P/bQmtBJqPZWGdLFl3fxq6GzqG83F+apKc5b7xAZ1oRmUm4pS35harJ a2XITI2ml9cPoMxK9b81RzIOiuKQSYyq61NJ6/nA7HVy9DBHrN0tGk5eBtgI1Ry4nJ Y33kr9qtE+xedm7GAlePgaVbjtUv2HQ4FKxUXwZC5X68tefEY/Nf/BI9kHIQC2HSnU ohPvWfG7GXqxcK0HLiz8PWg4sN+AGXBKAunYlCt3nVzaaJZkDBNLFVgiJl81oJ0e+F 6vK/VeymnN2cA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Yicong Yang , Andrew Jones , Alistair Francis , Michael Tokarev Subject: [Stable-10.0.10 082/107] hw/riscv/virt-acpi-build.c: Use kvm timer frequency when kvm enabled Date: Tue, 12 May 2026 23:54:09 +0300 Message-ID: <20260512205437.360850-82-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620634274158500 Content-Type: text/plain; charset="utf-8" From: Yicong Yang The timer frequency is decided by the host(kvm) rather than a fixed RISCV_ACLINT_DEFAULT_TIMEBASE_FREQ on kvm accelerated VM. So build RCHT with KVM provided timer frequency if KVM is enabled, just like how we build the timer node on DT based VM. Fixes: ebfd39289370 ("hw/riscv/virt: virt-acpi-build.c: Add RHCT Table") Signed-off-by: Yicong Yang Reviewed-by: Andrew Jones Message-ID: <20260325081314.57089-1-yang.yicong@picoheart.com> Signed-off-by: Alistair Francis (cherry picked from commit 4cb2f91773e8ec9511002de851734820f7ba64fe) 
Signed-off-by: Michael Tokarev diff --git a/hw/riscv/virt-acpi-build.c b/hw/riscv/virt-acpi-build.c index 1ad6800508..e2b8229168 100644 --- a/hw/riscv/virt-acpi-build.c +++ b/hw/riscv/virt-acpi-build.c @@ -35,9 +35,11 @@ #include "hw/riscv/virt.h" #include "hw/riscv/numa.h" #include "hw/virtio/virtio-acpi.h" +#include "kvm/kvm_riscv.h" #include "migration/vmstate.h" #include "qapi/error.h" #include "qemu/error-report.h" +#include "system/kvm.h" #include "system/reset.h" =20 #define ACPI_BUILD_TABLE_SIZE 0x20000 
@@ -273,7 +275,10 @@ static void build_rhct(GArray *table_data, =20 /* Time Base Frequency */ build_append_int_noprefix(table_data, - RISCV_ACLINT_DEFAULT_TIMEBASE_FREQ, 8); + kvm_enabled() ? + kvm_riscv_get_timebase_frequency(&s->soc->ha= rts[0]) : + RISCV_ACLINT_DEFAULT_TIMEBASE_FREQ, + 8); =20 /* ISA + N hart info */ num_rhct_nodes =3D 1 + ms->smp.cpus; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620200; cv=none; d=zohomail.com; s=zohoarc; b=HcW73CMu2RMZJnB+EfgbFISL7HFJkvcC5Of2zzMVkVheW4UAKCgIcmPnwPNY0ZDlzGxs5GcYcHBwcT3h5mxkc3C4Xf9Tbk8kKl3x2QhoRFSyzIinJnVBqJvJ//LzZZoUpQaacJwskckdAfPEyRV3T89lqFk5z3ziKiRQcXHp1rI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620200; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=ZHSPPzf40VNcph7gnD7xTKKWjcM5ZCca2SDKFvNZGDE=; b=ezBDGRrOFYbnJSwmG5nMNmRSgcfaLwgd9nnhs7XZGEP+w6s5Lk5UZdH8qUp12BXwRJck9B6GyVW/1xV26C5rBRXcv142ZAFvUuG78dkHtzJJUA05DJiFrVWsBaAuuTf1FpCvMnwOYOu6+I0iFMEHmjXU59qFl10cvBD4VpJVTsg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620200380497.947141113959; Tue, 12 May 2026 14:10:00 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuGq-0004CE-V9; 
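Review bot: The conditional expression nested in the `build_append_int_noprefix()` argument list is hard to read. A named local, declared with the helper's return type, makes the RHCT field and its source explicit: `timebase_freq = kvm_enabled() ? kvm_riscv_get_timebase_frequency(&s->soc->harts[0]) : RISCV_ACLINT_DEFAULT_TIMEBASE_FREQ;` followed by `build_append_int_noprefix(table_data, timebase_freq, 8);`. A one-line comment saying that under KVM the host decides the time base, and that the first hart of the first socket is used as the representative, would record the assumption. `build_rhct` starts and ends outside the hunk.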
Tue, 12 May 2026 17:04:05 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuFm-0001RX-8T; Tue, 12 May 2026 17:03:00 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuFk-0007iG-HI; Tue, 12 May 2026 17:02:57 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id D0EA81AA31F; Tue, 12 May 2026 23:54:38 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id DD8A63ABC90; Tue, 12 May 2026 23:54:42 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619278; bh=47PV4KDwdEjUMJ/Zc8drwI4urMG+7UCxJfkg0P8+Zfs=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=kJKlItkY1tm64jGTjwjufwGUYTfeqwZ6bErFb4STlUeZeWX2fHZ8ouMJ/rIEkWCCL hRxRhmzvfr5ltjPRU8nOI40JhI/yHZquc2SC59NFPNVdebfRmsT1XG019BvreQPSe/ 3qccLDSaCeV95k3sQpIpVn6rGRrTEbOT/yfeYnW8KDLBsT+QNKU+DBI3fe8aID3Mvy /DER0bUo8c+vAjQIGGkgqH/TcHoNapyoynU52jksm1l/deEbbsoVhBFm3EaYh4bje+ 7N4HGRzHgFK3+OKdKrWeHla9RZ/KBWJVHhmqmj5wQW7PgLV3URoODeNO8U5ZETygTm Edz7KsjfJZtgg== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Sebasti=C3=A1n=20Alba=20Vives?= , Alistair Francis , Michael Tokarev Subject: [Stable-10.0.10 083/107] target/riscv: fix stale ptshift and base on page walk restart Date: Tue, 12 May 2026 23:54:10 +0300 Message-ID: <20260512205437.360850-83-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620202664154100 
From: Sebasti=C3=A1n Alba Vives When the atomic compare-and-swap for updating A/D bits in the page table entry fails due to a concurrent PTE modification by another vCPU, get_physical_address() jumps to the 'restart' label to re-walk the page table from the root. However, neither 'ptshift' nor 'base' are re-initialized before the restart. After the walk completes, ptshift has been decremented to its final value and base has been overwritten with an inner PTE PPN. On goto restart, the for loop resets i=3D0 but ptshift and base remain stale, causing the restarted walk to compute incorrect PTE addresses. In an SMP guest with MTTCG and Svadu active, this can result in incorrect physical address mappings or guest crashes. Fix by saving the root base address and re-initializing both ptshift and base on each restart. Fixes: 0c3e702aca ("RISC-V CPU Helpers") Signed-off-by: Sebasti=C3=A1n Alba Vives Reviewed-by: Alistair Francis Message-ID: <20260401053853.10473-1-sebasjosue84@gmail.com> Signed-off-by: Alistair Francis (cherry picked from commit b2e874bfec59f6150b49a70df0529458efa0726b) Signed-off-by: Michael Tokarev diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c index 25619c556c..59f6d00774 100644 --- a/target/riscv/cpu_helper.c +++ b/target/riscv/cpu_helper.c 
@@ -1410,12 +1410,15 @@ static int get_physical_address(CPURISCVState *env,= hwaddr *physical, adue =3D adue && (env->henvcfg & HENVCFG_ADUE); } =20 - int ptshift =3D (levels - 1) * ptidxbits; + int ptshift; target_ulong pte; hwaddr pte_addr; + const hwaddr base_root =3D base; int i; =20 restart: + ptshift =3D (levels - 1) * ptidxbits; + base =3D base_root; for (i =3D 0; i < levels; i++, ptshift -=3D ptidxbits) { target_ulong idx; if (i =3D=3D 0) { --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620163; cv=none; d=zohomail.com; s=zohoarc; b=W4M13Vxx33lG3hq5lfQHHAkC8nhVj0XCUMZ4jzBweMJAbHxcrflw+IXBzlLUxeI02Btkjys/9MVNEeYY1klOk2O4pcaprlnxQhOZna/RJGZG8o+y2coATjGZHAOrQ8f1jq8xiTgsHZriZmL4pHeE1J8FMbWOqWlhhDfTHBr+q20= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620163; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=3E7KZIT1CpKVgDCRUwc+JcEJ/tSKhUlh8cQYl2XMj6I=; b=HBT5I2gkOLkHLe4oa2A62/wlPV5jNv/BwUgD1PagFDN2PUEo5G847uWjsL9vWBVq9CoNqiBilJnhMly0mr+5YaDdXVubj+LfxT0uXWpTbEFV9G84DUjTALq8qg+TexwV6aY4tn/9ksJk1PoMELu1eMF2S6OsYea6A3lsAXSnIKc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620163346574.2998041120237; Tue, 12 May 2026 14:09:23 -0700 (PDT) Received: from localhost ([::1] 
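Review bot: The two assignments placed after `restart:` carry the whole fix but have no comment, and the loop alone does not show why `base` must be reset; I would add `/* A failed A/D-bit update re-walks from the root: reset the per-walk state. */` above them. `base_root` is captured at its declaration, so it is correct only if `base` still holds the root table address at that point. The code that computes `base` is outside the hunk, so a short comment on the declaration would make that dependency explicit. `get_physical_address` starts and ends outside the hunk.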
helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuHS-0006tk-La; Tue, 12 May 2026 17:04:43 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGH-0001f1-Ko; Tue, 12 May 2026 17:03:31 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGE-0007iS-Ue; Tue, 12 May 2026 17:03:29 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id E009F1AA320; Tue, 12 May 2026 23:54:38 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id EBA423ABC91; Tue, 12 May 2026 23:54:42 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619278; bh=73xJyPD9yGKtrmlmYxd2Q/JcUXWWpSzu0GQtOcbk+DQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=nN/1SfKqO0S7H6vBdqHuz/H/82eg5nUSA3zt5DrKEUkzVD8nHveUCzObs6eCO4kAh Wej5FZcxTwtr6wuja0MgSfIQQuKB7mHnjagSmptZVUhW2p47viunQmWF6ioBL+cIM7 PQwbeenRXzseYk2mIAqS2B5MaAQDNT0/9F0vtw1beo94f8WHXxJi8+6X7sx8eimTMk 11KaK6NFVIqos6S9QoFhmki8yJDDb/gwv5e4LZdvBaPOExgb2TtjL5EkPMiw5H80a/ 41Z4+3Eg111SKLtTWETmMneMziBXXco89XQqPUDGZzejstvWynZwqAgQ3YUP/+dVCX mCwNE3n7pzIxg== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Sebasti=C3=A1n=20Alba=20Vives?= , qemu-security@nongnu.org, Alistair Francis , Michael Tokarev Subject: [Stable-10.0.10 084/107] hw/intc: fix heap OOB in ACLINT MTIMER multi-socket Date: Tue, 12 May 2026 23:54:11 +0300 Message-ID: <20260512205437.360850-84-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620165039158500 From: Sebasti=C3=A1n Alba Vives The MMIO read/write handlers index timecmp[] with the absolute hartid (hartid_base + offset) but the array is allocated with num_harts elements. In multi-socket configurations with hartid_base > 0 this causes heap OOB access in the QEMU process. Fix by using the relative offset for array indexing. Cc: qemu-security@nongnu.org Signed-off-by: Sebasti=C3=A1n Alba Vives Reviewed-by: Alistair Francis Message-ID: <20260401053853.10473-2-sebasjosue84@gmail.com> 
Signed-off-by: Alistair Francis (cherry picked from commit d5b33fc180f557ee3574cef9c64650174d0ef5dd) Signed-off-by: Michael Tokarev diff --git a/hw/intc/riscv_aclint.c b/hw/intc/riscv_aclint.c index db374a7c2d..7ee91b14f1 100644 --- a/hw/intc/riscv_aclint.c +++ b/hw/intc/riscv_aclint.c @@ -130,6 +130,7 @@ static uint64_t riscv_aclint_mtimer_read(void *opaque, = hwaddr addr, addr < (mtimer->timecmp_base + (mtimer->num_harts << 3))) { size_t hartid =3D mtimer->hartid_base + ((addr - mtimer->timecmp_base) >> 3); + size_t hartid_offset =3D hartid - mtimer->hartid_base; CPUState *cpu =3D cpu_by_arch_id(hartid); CPURISCVState *env =3D cpu ? cpu_env(cpu) : NULL; if (!env) { @@ -137,11 +138,11 @@ static uint64_t riscv_aclint_mtimer_read(void *opaque= , hwaddr addr, "aclint-mtimer: invalid hartid: %zu", hartid); } else if ((addr & 0x7) =3D=3D 0) { /* timecmp_lo for RV32/RV64 or timecmp for RV64 */ - uint64_t timecmp =3D mtimer->timecmp[hartid]; + uint64_t timecmp =3D mtimer->timecmp[hartid_offset]; return (size =3D=3D 4) ? (timecmp & 0xFFFFFFFF) : timecmp; } else if ((addr & 0x7) =3D=3D 4) { /* timecmp_hi */ - uint64_t timecmp =3D mtimer->timecmp[hartid]; + uint64_t timecmp =3D mtimer->timecmp[hartid_offset]; return (timecmp >> 32) & 0xFFFFFFFF; } else { qemu_log_mask(LOG_UNIMP, @@ -173,6 +174,7 @@ static void riscv_aclint_mtimer_write(void *opaque, hwa= ddr addr, addr < (mtimer->timecmp_base + (mtimer->num_harts << 3))) { size_t hartid =3D mtimer->hartid_base + ((addr - mtimer->timecmp_base) >> 3); + size_t hartid_offset =3D hartid - mtimer->hartid_base; CPUState *cpu =3D cpu_by_arch_id(hartid); CPURISCVState *env =3D cpu ? cpu_env(cpu) : NULL; if (!env) { 
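Review bot: `hartid_offset` is obtained by adding `hartid_base` and then subtracting it again, in both the read hunk and the write hunk on this line. Deriving the index first makes it evident that it is bounded by the `num_harts` range check just above: `size_t hartid_offset = (addr - mtimer->timecmp_base) >> 3;` then `size_t hartid = mtimer->hartid_base + hartid_offset;`. Because the value indexes a heap array sized by `num_harts` and is driven by a guest MMIO address, an `assert(hartid_offset < mtimer->num_harts);` beside it would document the invariant and catch the two going out of step. Both handlers start and end outside the hunks.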
@@ -181,7 +183,7 @@ static void riscv_aclint_mtimer_write(void *opaque, hwa= ddr addr,
 } else if ((addr & 0x7) =3D=3D 0) {
 if (size =3D=3D 4) {
 /* timecmp_lo for RV32/RV64 */
- uint64_t timecmp_hi =3D mtimer->timecmp[hartid] >> 32;
+ uint64_t timecmp_hi =3D mtimer->timecmp[hartid_offset] >> = 32;
 riscv_aclint_mtimer_write_timecmp(mtimer, RISCV_CPU(cpu), = hartid,
 timecmp_hi << 32 | (value & 0xFFFFFFFF));
 } else {
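Review bot: The 4-byte write paths here and in the next hunk (-192) now read `timecmp[hartid_offset]`, but they still pass the absolute `hartid` to `riscv_aclint_mtimer_write_timecmp()`, whose body is not part of this patch. Unless that function converts to a socket-relative index itself before it stores into `timecmp[]`, the store side of the same out-of-bounds access would remain reachable from a guest MMIO write, so this should be confirmed in review. The 8-byte branch that follows `} else {` lies outside the hunk and needs the same check. If the callee does the conversion, a comment at the call such as `/* callee takes the absolute hartid and rebases it */` would document why the two index forms coexist.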
@@ -192,7 +194,7 @@ static void riscv_aclint_mtimer_write(void *opaque, hwa= ddr addr, } else if ((addr & 0x7) =3D=3D 4) { if (size =3D=3D 4) { /* timecmp_hi for RV32/RV64 */ - uint64_t timecmp_lo =3D mtimer->timecmp[hartid]; + uint64_t timecmp_lo =3D mtimer->timecmp[hartid_offset]; riscv_aclint_mtimer_write_timecmp(mtimer, RISCV_CPU(cpu), = hartid, value << 32 | (timecmp_lo & 0xFFFFFFFF)); } else { --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620128; cv=none; d=zohomail.com; s=zohoarc; b=cnZrQyVJES3TkEHU4pmvQ+dMLQl073NpqUPHMeOAvanLymhmcp5Lm8L1PZP4YrcUwmcLE0KWp3uMz3M5SVD17ImM81sXqlZ/uZsay/7DDPro5VDoFVMM7rJHFnU0JGtT43LmWvpmfMmS2jFQiFB+uchbb9yp/lyxW/JvkOOX2mY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620128; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=5bZtrlQ+VwB+NdrdhxQ1Aqu2JOmzIR9MdZXqpHA9m5w=; b=DlyUFnI87IU76MQOFf6hmbePUfZFKFKAjqIfOd2ak/gKcIVTqZd3Wj7LB8046QaYPWYqkqcHH8Ts4rhzHeIfJLs8CupLado4Wb2Ptqs804ewlftjn+m+eC+NVJU9ntGyoP9ztJV98fmhrtzW9AeZTMe/wNvfEpSmtwIPgu/dfBc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 177862012815582.83796113408232; Tue, 12 May 2026 14:08:48 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 
4.90_1) (envelope-from ) id 1wMuHP-0006i2-I5; Tue, 12 May 2026 17:04:39 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGC-0001cR-AG; Tue, 12 May 2026 17:03:29 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuG8-0007iz-8S; Tue, 12 May 2026 17:03:22 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id F26011AA321; Tue, 12 May 2026 23:54:38 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 06C653ABC92; Tue, 12 May 2026 23:54:43 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619278; bh=fCNCBMnBBK8+ZfC0tn3wIGwaiNYfxPk/ThzrHDtsMbQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=fkVxa/vzuVKD7Du6FvyZuOuj2Lfc4vGu5bTeiP3x60COOr2tcFboUqg1f/0rajhoj xYUOTTRoohujieWdNuZiEgrxzgksAH7NkbQneZ80QYXQcXlphFMPCrUiJHighht6I0 1eCSUJHoQXCNeI7A7n173G/GoSzq8ocffb+gPFFBah8Bi/awU4nD8YhbGOmVczjMiW cQI6yCE1/xpJnfkB3RG0H52GAaHgP+nwOCnNlFu1chFzQuzEPdvKH+9nP00zckpu+v orGlROlKIkJNwW2ljjYT2XdlYoNgAGhSGJSnf2deiHRdk3vH9OwYNm2gEA+hU+N8+w pthMk6I43AwCQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Munkhbaatar Enkhbaatar , Alistair Francis , Tao Tang , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Chao Liu , Michael Tokarev Subject: [Stable-10.0.10 085/107] riscv_htif: reject invalid signature ranges (end <= begin) Date: Tue, 12 May 2026 23:54:12 +0300 Message-ID: <20260512205437.360850-85-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620129937154100 From: Munkhbaatar Enkhbaatar Prevents huge allocations and crashes caused by malformed HTIF signature addresses. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3205 Signed-off-by: Munkhbaatar Enkhbaatar Reviewed-by: Alistair Francis Message-ID: <20251209085349.61510-1-munkhuu0825@gmail.com> [ Squashed with following commit to fix build failures hw/char/riscv_htif: Fix format specifier for uint64_t Message-ID: <20260415134826.1742308-1-chao.liu.zevorn@gmail.com> 
Signed-off-by: Chao Liu ] Tested-by: Tao Tang Reviewed-by: Philippe Mathieu-Daud=C3=A9 Signed-off-by: Chao Liu Signed-off-by: Alistair Francis (cherry picked from commit 14808578ccbcd17d474c98bb53b60452888f8529) Signed-off-by: Michael Tokarev diff --git a/hw/char/riscv_htif.c b/hw/char/riscv_htif.c index ec5db5a597..e7328a596f 100644 --- a/hw/char/riscv_htif.c +++ b/hw/char/riscv_htif.c 
@@ -171,6 +171,12 @@ static void htif_handle_tohost_write(HTIFState *s, uin= t64_t val_written) * begin/end_signature symbols exist. */ if (sig_file && begin_sig_addr && end_sig_addr) { + if (end_sig_addr <=3D begin_sig_addr) { + error_report("Invalid HTIF signature range:" + " begin=3D0x%" PRIx64 " end=3D0x%" PR= Ix64, + begin_sig_addr, end_sig_addr); + return; + } uint64_t sig_len =3D end_sig_addr - begin_sig_addr; char *sig_data =3D g_malloc(sig_len); dma_memory_read(&address_space_memory, begin_sig_addr, --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620224; cv=none; d=zohomail.com; s=zohoarc; b=k8gk0RMiVm2U+9RzNcJ89M5hNP6Wk79AJrYQX/AlgMNAKfU07Ux9LNO28DXdZVi0Uc1wW3zr3Sewn2GbO8VvG3UdVoqmewDT4iIn4saOFOCE/d4NXp+IJpQ2o7+ZrjFp4FtuEEOowJYTVRmG8WDnqwfrbU8TTVtt2JjxFU/vrYU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620224; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=kx83nd2UqCjTQti5XAfC2zZePaIqkdUAf7rKVwci0vg=; b=SIrkXjNOcnao0QMtXoyWzBdsE6Zz1468I2iI5d90/HJlVgLM1v4crWMg6rmXDN85X4MTLUbdrpaeJ+3Uf/rvCftlS0x4Ky6XflLUDCOwCqDMdq2nweder4H+rQ48Ev/sTpy7mrpG0nuJ0sokgkca1b75Az13uxjTtCs8swgpphU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620224992892.1746922701244; Tue, 12 May 2026 14:10:24 -0700 
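Review bot: The new check rejects `end_sig_addr <= begin_sig_addr`, but `sig_len` still has no upper bound, so symbols that are merely far apart still reach `g_malloc(sig_len)` with an arbitrarily large size, and `g_malloc` aborts the process when the allocation fails. The "huge allocations" named in the commit message are therefore only partly covered; consider a maximum signature length or `char *sig_data = g_try_malloc(sig_len);` with an `error_report()` on NULL. The added `return` also leaves `htif_handle_tohost_write` early, and the code after the signature block is outside the hunk, so confirm that nothing needed to complete the guest's exit request is skipped. The declaration of `sig_len` now follows a statement; hoisting the declarations above the check would avoid the mixed declaration.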
(PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuHM-0006Ms-2t; Tue, 12 May 2026 17:04:36 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGH-0001f2-NC; Tue, 12 May 2026 17:03:31 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGE-0007sI-6H; Tue, 12 May 2026 17:03:29 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 0DC7E1AA322; Tue, 12 May 2026 23:54:39 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 1940B3ABC93; Tue, 12 May 2026 23:54:43 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619279; bh=QuwoT57byzYi7Qen6aQQJBdiy2CgG9IKvDtAL+D2tBo=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=PF0kvWE3xIyJsv66Hwv9rGIlmp9rJns0V3ZVYgHXqRsogdWo4IcgSglsXFRYmCtZZ vMxHfSiL+e59NX6ttdMui5F1CdvPjHdjncUJ4BuSnZ2XhuQEKFpZYwGKvZba82gAIm 0bLpeWtAEhMNBAgrq8rxoKzUj3rPoqvZiqaEQdUMvpT38Qr36h8P+UQT7xtbErmi+e /JVqR9bECxbM9Gblqjxbjb9rVfR1wrL5lyMvkx0t0iyBC/r0MxH0a0RASzJhZHrZMl pbsA4o//ejaS7AfcuMj5no/kgEwhtXwsvKARSuXI1/ZV/0lQKs1tCyNAKMG4T+eMqt +8CGlI9WYHNFQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Alistair Francis , Daniel Henrique Barboza , Chao Liu , Michael Tokarev Subject: [Stable-10.0.10 086/107] target/riscv: Generate access fault if sc comparison fails Date: Tue, 12 May 2026 23:54:13 +0300 Message-ID: <20260512205437.360850-86-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620225422158500 Content-Type: text/plain; charset="utf-8" From: Alistair Francis The RISC-V spec states: "For the purposes of memory protection, a failed SC.W may be treated like a store." So if the comparison in sc.w fails we should still check for alignment and do a probe access to check permissions. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3323 Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3136 Signed-off-by: Alistair Francis Reviewed-by: Daniel Henrique Barboza Reviewed-by: Chao Liu Message-ID: <20260415233740.3027321-2-alistair.francis@wdc.com> 
Signed-off-by: Alistair Francis (cherry picked from commit d107b748072cea3f86089a4a7b2e83f1a62745f2) Signed-off-by: Michael Tokarev diff --git a/target/riscv/helper.h b/target/riscv/helper.h index ddb07ca3d1..68e76a3c28 100644 --- a/target/riscv/helper.h +++ b/target/riscv/helper.h @@ -1289,3 +1289,6 @@ DEF_HELPER_4(vsm4r_vs, void, ptr, ptr, env, i32) #ifndef CONFIG_USER_ONLY DEF_HELPER_1(ssamoswap_disabled, void, env) #endif + +/* Zalrsc SC write probe */ +DEF_HELPER_FLAGS_3(sc_probe_write, TCG_CALL_NO_WG, void, env, tl, tl) diff --git a/target/riscv/insn_trans/trans_rva.c.inc b/target/riscv/insn_tr= ans/trans_rva.c.inc index 9cf3ae8019..a1b45cbd2c 100644 --- a/target/riscv/insn_trans/trans_rva.c.inc +++ b/target/riscv/insn_trans/trans_rva.c.inc @@ -84,6 +84,12 @@ static bool gen_sc(DisasContext *ctx, arg_atomic *a, Mem= Op mop) */ TCGBar bar_strl =3D (ctx->ztso || a->rl) ? TCG_BAR_STRL : 0; tcg_gen_mb(TCG_MO_ALL + a->aq * TCG_BAR_LDAQ + bar_strl); + /* + * "For the purposes of memory protection, a failed SC.W may be treated + * like a store." so let's check the write access permissions + */ + gen_helper_sc_probe_write(tcg_env, src1, + tcg_constant_tl(memop_size(mop))); gen_set_gpr(ctx, a->rd, tcg_constant_tl(1)); =20 gen_set_label(l2); diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c index c34d8a4a9c..0cdbb0138c 100644 --- a/target/riscv/op_helper.c +++ b/target/riscv/op_helper.c 
@@ -265,6 +265,20 @@ void helper_cbo_inval(CPURISCVState *env, target_ulong= address) /* We don't emulate the cache-hierarchy, so we're done. */ } =20 +void helper_sc_probe_write(CPURISCVState *env, target_ulong addr, + target_ulong size) +{ + uintptr_t ra =3D GETPC(); + int mmu_idx =3D riscv_env_mmu_index(env, false); + + if (addr & (size - 1)) { + env->badaddr =3D addr; + riscv_raise_exception(env, RISCV_EXCP_STORE_AMO_ADDR_MIS, ra); + } + + probe_write(env, addr, size, mmu_idx, ra); +} + #ifndef CONFIG_USER_ONLY =20 target_ulong helper_sret(CPURISCVState *env) --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620225; cv=none; d=zohomail.com; s=zohoarc; b=hjsnxuv8DLVHp1StYmQeAmA3fE+UCihDg8GNt2POYj+OLb9fjQ159sHf2i2aiJFT9ptIefXEsm0uGlc0X3cRsLt6Sw5WTBxd5BR/fEzsgBbujjrBvxr5MiBXS/5GIwNoEW1wwgnKfcCTld1VTA3IhKlSfBmv5Pw0KIlVWZCFSpo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620225; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=3sU6sb9RESJurj8uW2vYueZa5sUgoZd3OW5/9SRfKlQ=; b=Hy0GMqiAT4tRPHkZhgk55LIR1AKO7hWySUSZaVFkuNX6MLVI2tzesP4Pzc4PD6Kx8JbzPNZ4mBGULrkeOyAmI4/tLZtDfSLQvH4i+kHmkIJ/vlaG8QHN/Fyeknbj3fkxfhE2u0Mj3eiZPK0AOdKDeEDoQg7yvoQ9ht63Ov67Muw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS 
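Review bot: `helper_sc_probe_write()` has no comment stating its contract, and its alignment test `addr & (size - 1)` is only meaningful when `size` is a non-zero power of two. The caller in gen_sc passes `memop_size(mop)`, so that presumably holds, but it should be written down, e.g. `/* Fault as a store would for a failed SC; size must be a power of two. */` above the function. The code also reaches `probe_write()` after `riscv_raise_exception()`, which reads correctly only if that call does not return; an `else` or a one-line note would make this explicit.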
id 1778620225071468.0095475474594; Tue, 12 May 2026 14:10:25 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuHl-0007hi-Is; Tue, 12 May 2026 17:05:01 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGM-0001o8-8Y; Tue, 12 May 2026 17:03:35 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGK-0007uu-8S; Tue, 12 May 2026 17:03:33 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 1DB031AA323; Tue, 12 May 2026 23:54:39 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 287D23ABC94; Tue, 12 May 2026 23:54:43 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619279; bh=PB4u+XmKjWYxlifJ9ZAPe5qLq6Km8O5AkJn0KxIN3p4=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=LOa1rL7KnTJVvir64RlB5fs/41UqsjT2x1+YrgIg5DJgEK+p33t5fSQf3wzw2GgAU FOuiZE2faanpwaojI7bGcDV6n/s28CsBwzTJu6cJcSLSxEUltxT6zrhuA1R2O17h9n vErCspNRPbiEhbyvtjOUT5B/MP/JaNchmv+EYcpWtlGFhna2bd7rPvwilVif85tuku LCiLCzW/oLkERW6M3HPzdyqq6H9HLeNB0ZAg3AP9ycHjGgaUk5qoi4luJ3OKhtKTHa hZf3SYFwe4mIL9jSB8DtjvcuG7hB2U/8kc3yvWw9+cXp4XO/YrkFyHUKIQSnrVmDoh GpJMXgQWh0RAw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Alistair Francis , Chao Liu , Nutty Liu , Michael Tokarev Subject: [Stable-10.0.10 087/107] target/riscv: Don't OR mip.SEIP when mvien is one Date: Tue, 12 May 2026 23:54:14 +0300 Message-ID: <20260512205437.360850-87-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620225387158500 From: Alistair Francis The RISC-V spec states that """ But when bit 9 of mvien is one, bit SEIP in mip is read-only and does not include the value of bit 9 of mvip. Rather, the value of mip.SEIP is simply the supervisor external interrupt signal from the hart=E2=80=99s external interrupt controller (APLIC or IMSIC). """ As such let's mark the mip.SEIP in rmw_mip64(). Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2828 
Signed-off-by: Alistair Francis Reviewed-by: Chao Liu Reviewed-by: Nutty Liu Message-ID: <20260415233740.3027321-4-alistair.francis@wdc.com> Signed-off-by: Alistair Francis (cherry picked from commit 175afdb0d155a7429e2ac0c568c1c807953444a4) Signed-off-by: Michael Tokarev diff --git a/target/riscv/csr.c b/target/riscv/csr.c index 76e77ae2d1..7d4191c792 100644 --- a/target/riscv/csr.c +++ b/target/riscv/csr.c 
@@ -3633,6 +3633,14 @@ static RISCVException rmw_mip64(CPURISCVState *env, = int csrno, uint64_t old_mip, mask =3D wr_mask & delegable_ints; uint32_t gin; =20 + /* + * When mvien[9]=3D1, mip.SEIP is read-only and reflects only + * the external interrupt signal from the interrupt controller. + */ + if (env->mvien & MIP_SEIP) { + mask &=3D ~MIP_SEIP; + } + if (mask & MIP_SEIP) { env->software_seip =3D new_val & MIP_SEIP; new_val |=3D env->external_seip * MIP_SEIP; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620170; cv=none; d=zohomail.com; s=zohoarc; b=DEVMUnJeluQKh9Qul30xp6EhTtNU1IgIDaykGZlyL72EM8dIKRyVqccpmGFg0YViBNfCax8+e06FzXlwDqjCGlHtpwPK0Ip91LEBosUcWwIqkzNf4YOjR1r7fgZSLIAOAMjXxbV2wXUiy/6OjivTRiqEv2WX/Z9hqZwtZjDZrLw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620170; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=fgFCZGKmGFjqmzmgoB9IxbamVcxTwCtTVeQrvQe3AtY=; b=L8IqYE+PzA8K8kDirWf0ccnGl7gEIGh/ICXDeWSQXrWqSBZEDg34zcpAIendsAtIHO/A1mJA68wTX6Uy0StIT8D64Ca0U/2EEzQQDW4wtPdL0YG45MrVigIcfbL/S1S84voL8EJQEy3W/sOkOPtY2vltvsg+o5db4aiMk3knsEY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620170515222.4705809683819; Tue, 12 May 2026 14:09:30 -0700 (PDT) Received: from localhost ([::1] 
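Review bot: Once `MIP_SEIP` is cleared from `mask`, the following `if (mask & MIP_SEIP)` block is skipped, so `new_val |= env->external_seip * MIP_SEIP` no longer runs on this path. Whether the value returned to the guest still reflects the external interrupt signal, as the spec text quoted in the commit message requires, depends on code after this hunk that is not visible here; please confirm, ideally with a test that reads mip while mvien bit 9 is set. The test `env->mvien & MIP_SEIP` also relies on mvien bit 9 sharing its position with mip.SEIP, which the comment could state: `/* mvien[9] sits at the same bit position as MIP_SEIP */`.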
helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuHn-00081x-VE; Tue, 12 May 2026 17:05:04 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGM-0001o7-60; Tue, 12 May 2026 17:03:35 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGK-0007uw-7h; Tue, 12 May 2026 17:03:33 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 2F4971AA324; Tue, 12 May 2026 23:54:39 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 381E33ABC95; Tue, 12 May 2026 23:54:43 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619279; bh=3UBmiwhklaMMCQIuMMY+JsjZprKUs4g2nt+W2GxRZWk=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=SqBavK95QmNHC19QrSH/UiB6o3OMt5dHy27J9eobNXYX1BoqLPyXmBTId0gcYt3TI Gl60gun5mqHq+x7vusJDBM+Zxdekwx7A9rgKfUUxEymln9lvNO1ZF5KIXC8gbm3+OO F9uAwld9V6VcrXHiSGD9QVJ44NBb+HstFgjvVKlRh2ZXbBk/ALnCIwPxG19tDm+0kA ILf3c120XLu6iZQJoI3cY6gnO7yVEnau5BAbBZyi8I6Os+8G4kIVsZ1rCXtjgEY5tp UHnfb24nZ6WjmOW2qNGLooi0OHMcPjE5Qby5MtW8qoStjOWkFrI8lucvyX8DLSczJj +8GJNO/UnYU8A== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Alistair Francis , Daniel Henrique Barboza , LIU Zhiwei , Chao Liu , Max Chou , Michael Tokarev Subject: [Stable-10.0.10 088/107] target/riscv: Use ELEN for Fractional LMUL check Date: Tue, 12 May 2026 23:54:15 +0300 Message-ID: <20260512205437.360850-88-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620172252154100 Content-Type: text/plain; charset="utf-8" From: Alistair Francis The RISC-V spec states that """ For a given supported fractional LMUL setting, implementations must support SEW settings between SEWMIN and LMUL * ELEN, inclusive. """ We were previously checking VLEN, instead of ELEN, so let's update to check ELEN instead of VLEN for fractional scaling. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3196 
Signed-off-by: Alistair Francis Reviewed-by: Daniel Henrique Barboza Reviewed-by: LIU Zhiwei Reviewed-by: Chao Liu Reviewed-by: Max Chou Message-ID: <20260415233740.3027321-5-alistair.francis@wdc.com> Signed-off-by: Alistair Francis (cherry picked from commit 5dcc64828dc79c2426905db5fae885f6ccf93347) (Mjt: context fixup) Signed-off-by: Michael Tokarev diff --git a/target/riscv/vector_helper.c b/target/riscv/vector_helper.c index 466fe4d10c..6c94fdcdb4 100644 --- a/target/riscv/vector_helper.c +++ b/target/riscv/vector_helper.c 
@@ -45,18 +45,17 @@ target_ulong HELPER(vsetvl)(CPURISCVState *env, target_= ulong s1, target_ulong reserved =3D s2 & MAKE_64BIT_MASK(R_VTYPE_RESERVED_SHIFT, xlen - 1 - R_VTYPE_RESERVED_SH= IFT); - uint16_t vlen =3D cpu->cfg.vlenb << 3; int8_t lmul; =20 if (vlmul & 4) { /* * Fractional LMUL, check: * - * VLEN * LMUL >=3D SEW - * VLEN >> (8 - lmul) >=3D sew - * (vlenb << 3) >> (8 - lmul) >=3D sew + * ELEN * LMUL >=3D SEW + * ELEN >> (8 - vlmul) >=3D sew */ - if (vlmul =3D=3D 4 || (vlen >> (8 - vlmul)) < sew) { + if (vlmul =3D=3D 4 || + (cpu->cfg.elen >> (8 - vlmul)) < sew) { vill =3D true; } } --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620139; cv=none; d=zohomail.com; s=zohoarc; b=Fj7yxtbQtN2WammvBYAOpUD+YGFTCEcyDzB0ncJr1X0qaYjObfi292gPfdsPwwJdXvWFffnojFT0Jh+Pr5su6dykDgcMKtLIENmEr+Ig6jkU40La+teqEbGAMkGmNwna/LY3fxYA1ETATm/atQ6XqIxPgx+Owvp1Tanppyr5QDs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620139; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=Kr69M++KAyvvMxp865C20nOin67IapzZm1S+6FNLhwA=; b=d3ToEsKSAcqjUFb6IsuhXgOJpqioXkKIl9NRQMsmSbrdvrFmxfonk82mRYw9kR7xSD0ELfpKPQpH1nhu+FU4KOEHiHOnOuyJnrHKbX2fsZsY+dHgzlUHGReMXElZO6gVbdWwcCCjtNtfFohTmvHlr4lIIAyegKpT8fcNKAEjrPI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by 
mx.zohomail.com with SMTPS id 1778620139634214.44089802702172; Tue, 12 May 2026 14:08:59 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuHO-0006XF-4B; Tue, 12 May 2026 17:04:38 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGP-0001sF-Cn; Tue, 12 May 2026 17:03:39 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGN-0007yP-He; Tue, 12 May 2026 17:03:37 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 3C9271AA325; Tue, 12 May 2026 23:54:39 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 4A9083ABC96; Tue, 12 May 2026 23:54:43 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619279; bh=eCM7vXILxrJ1WoMGxOFmd/DjA6B0QwwTpBYgsE7b4/A=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=U0jUOnxVp0qmQjU0e+N0Q+pJGTC7PDs70OXFgTczLwdVjLuUCW0cMqHG1m6jRHWA8 dhJgQYb+AJ9BoWRENFTh/oliJhxPXFKExSyrJ84M8M7KjGcEuFGmZOYB1lGFV2ovre LJZo/GFPguvKSjZ54qGwEM7P6vSYzYILBQXHDe3QVX7hQxLYgyDlZGkGhLPNqpWazE 5/Jvw92xzX3XINOH/lNs7TzdaMbe36XrTVxL7IeUov8/XaueO5L/DbwxQReSwynhKI 6d6VjHBz09Bo/KBKle9g+e+NnCWw4Fv/3Q2LdJnJKlCepw0n4UnygJgx6awSVuz2hN Ek3LDzJhSyMQg== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Helge Deller , Michael Tokarev Subject: [Stable-10.0.10 089/107] linux-user: Add missing CDROM ioctls Date: Tue, 12 May 2026 23:54:16 +0300 Message-ID: <20260512205437.360850-89-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UPPERCASE_75_100=0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620140886158500 Content-Type: text/plain; charset="utf-8" From: Helge Deller Add the missing CDROM ioctls and bring them in same order as documentation. Signed-off-by: Helge Deller (cherry picked from commit dcb6e96257eea926aef16854bed0871b0605a8b9) Signed-off-by: Michael Tokarev diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h index 5b7d00e92f..aa485ee6e5 100644 --- a/linux-user/ioctls.h +++ b/linux-user/ioctls.h 
@@ -416,19 +416,18 @@
 #endif
=20
 IOCTL(CDROMPAUSE, 0, TYPE_NULL)
- IOCTL(CDROMSTART, 0, TYPE_NULL)
- IOCTL(CDROMSTOP, 0, TYPE_NULL)
 IOCTL(CDROMRESUME, 0, TYPE_NULL)
- IOCTL(CDROMEJECT, 0, TYPE_NULL)
- IOCTL(CDROMEJECT_SW, 0, TYPE_INT)
- IOCTL(CDROMCLOSETRAY, 0, TYPE_NULL)
- IOCTL(CDROMRESET, 0, TYPE_NULL)
 IOCTL(CDROMPLAYMSF, IOC_W, MK_PTR(TYPE_INT))
 IOCTL(CDROMPLAYTRKIND, IOC_W, MK_PTR(TYPE_INT))
 IOCTL(CDROMREADTOCHDR, IOC_R, MK_PTR(TYPE_INT))
 IOCTL(CDROMREADTOCENTRY, IOC_RW, MK_PTR(TYPE_INT))
+ IOCTL(CDROMSTOP, 0, TYPE_NULL)
+ IOCTL(CDROMSTART, 0, TYPE_NULL)
+ IOCTL(CDROMEJECT, 0, TYPE_NULL)
 IOCTL(CDROMVOLCTRL, IOC_W, MK_PTR(TYPE_INT))
 IOCTL(CDROMSUBCHNL, IOC_RW, MK_PTR(TYPE_INT))
+ IOCTL(CDROMEJECT_SW, IOC_W, TYPE_INT)
+ IOCTL(CDROMRESET, 0, TYPE_NULL)
 /* XXX: incorrect (need specific handling) */
 IOCTL(CDROMREADAUDIO, IOC_W, MK_PTR(MK_STRUCT(STRUCT_cdrom_read_audio)))
 IOCTL(CDROMREADCOOKED, IOC_RW, MK_PTR(TYPE_INT))
@@ -438,16 +437,22 @@ IOCTL(CDROMREADALL, IOC_RW, MK_PTR(TYPE_INT)) IOCTL(CDROMMULTISESSION, IOC_RW, MK_PTR(TYPE_INT)) IOCTL(CDROM_GET_UPC, IOC_R, MK_PTR(TYPE_INT)) + IOCTL(CDROM_LAST_WRITTEN, IOC_R, MK_PTR(TYPE_LONG)) IOCTL(CDROMVOLREAD, IOC_R, MK_PTR(TYPE_INT)) IOCTL(CDROMSEEK, IOC_W, MK_PTR(TYPE_INT)) IOCTL(CDROMPLAYBLK, IOC_W, MK_PTR(TYPE_INT)) - IOCTL(CDROM_MEDIA_CHANGED, 0, TYPE_NULL) - IOCTL(CDROM_SET_OPTIONS, 0, TYPE_INT) - IOCTL(CDROM_CLEAR_OPTIONS, 0, TYPE_INT) - IOCTL(CDROM_SELECT_SPEED, 0, TYPE_INT) - IOCTL(CDROM_SELECT_DISC, 0, TYPE_INT) - IOCTL(CDROM_DRIVE_STATUS, 0, TYPE_NULL) + IOCTL(CDROMCLOSETRAY, 0, TYPE_NULL) + IOCTL(CDROM_SET_OPTIONS, IOC_W, TYPE_INT) + IOCTL(CDROM_CLEAR_OPTIONS, IOC_W, TYPE_INT) + IOCTL(CDROM_SELECT_SPEED, IOC_W, TYPE_INT) + IOCTL(CDROM_SELECT_DISC, IOC_W, TYPE_INT) + IOCTL(CDROM_MEDIA_CHANGED, IOC_W, TYPE_INT) + IOCTL(CDROM_DRIVE_STATUS, IOC_W, TYPE_INT) IOCTL(CDROM_DISC_STATUS, 0, TYPE_NULL) + IOCTL(CDROM_CHANGER_NSLOTS, 0, TYPE_NULL) + IOCTL(CDROM_LOCKDOOR, IOC_W, TYPE_INT) + IOCTL(CDROM_DEBUG, IOC_W, TYPE_INT) + IOCTL(CDROM_GET_CAPABILITY, 0, TYPE_NULL) IOCTL(CDROMAUDIOBUFSIZ, 0, TYPE_INT) =20 #if 0 --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620007; cv=none; d=zohomail.com; s=zohoarc; b=ZDYA2PO2imN9FdSkPwMzHvtnjdVRnRyf6qqMvP+yKOyi/5BRkBS/puAIPvDvfzB9uVeWkAXIYhMM6z43E5FP8Qkl33aTJU9WmVfbiDFSfLIS0kk+/u293GBWtS19b6ekS7jn3vSNth9opG3D9IgddGtXzkyKxY078/9uhrzTJGk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620007; 
h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=bXchfwuemBDD0YE5oTCGRu2Bs3Z5FY+bkovFcVP4O8A=; b=W1UxNObFOA2d4ho0Cv5G2Bd9E6na9YkCdpdfFWGGPDRM0eysYVN+wO750eu9DsBqKnWTIJLMG64iqh0XFft2SoyvEnX1dI9RDVjRj1esTaGOQ05mQcagQtBlsghznmVoLlY7hpRNTFVvgm1BIlQStH7M2nZNeQTwiSfTjqR/U04= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620007511527.330577236893; Tue, 12 May 2026 14:06:47 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuIB-0001Pn-EU; Tue, 12 May 2026 17:05:28 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGj-0003M4-GX; Tue, 12 May 2026 17:03:57 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGh-0007yj-Ky; Tue, 12 May 2026 17:03:57 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 53FA71AA326; Tue, 12 May 2026 23:54:39 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 574D63ABC97; Tue, 12 May 2026 23:54:43 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619279; bh=jlweqHsRclPjzVpESFSnRSyHSwik9MIMl7d+JoYYJZ8=; h=From:To:Cc:Subject:Date:In-Reply-To:References; 
b=RqS6VlfolG3RdVuEKV4v36EUxvx6xTScHPKStZtchB73eZe3waZIF+3ydFs1tfm6j p+vmfRr7gzgz9gouhBWfSaNqafyBdHpOO6epWm4UEUrX5pVUxFesA0gDcjQ651lEuo ocub517nVV0Ene5FnxVS9t8GKUVzzD+3YWmwV2Wsrh/Ep5LXhHp9UIeiTKPeYItBsu W4waBACei52AM0sEbuHpG5d5t/WAEF47d119SKL16VMSow063dqFmW6/ArO6zeblqD wBYXtKs7mM2Gqig2zv6X2/oJUuVff3yDyZYtfOvl+3p14qMlY/H7QeU1Yp2Zk9XmAt /Uiufc7xzvvEg== From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Helge Deller , Warner Losh , Michael Tokarev Subject: [Stable-10.0.10 090/107] linux-user: Flush errors by using exit() instead of _exit() in error path Date: Tue, 12 May 2026 23:54:17 +0300 Message-ID: <20260512205437.360850-90-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620009370154100 Content-Type: text/plain; charset="utf-8" 
From: Helge Deller Similar to previous patch - ensure that we always flush I/O by using exit() instead of _exit(). Reported by: Tobias Bergkvist Reviewed-by: Warner Losh Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2544 Signed-off-by: Helge Deller (cherry picked from commit 9fb681792d65fa570cb3e1a769945c10bf276d25) Signed-off-by: Michael Tokarev diff --git a/linux-user/main.c b/linux-user/main.c index 39ac98a74a..57fc568e72 100644 --- a/linux-user/main.c +++ b/linux-user/main.c 
@@ -987,7 +987,7 @@ int main(int argc, char **argv, char **envp) info, &bprm); if (ret !=3D 0) { printf("Error while loading %s: %s\n", exec_path, strerror(-ret)); - _exit(EXIT_FAILURE); + exit(EXIT_FAILURE); } =20 for (wrk =3D target_environ; *wrk; wrk++) { --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620236; cv=none; d=zohomail.com; s=zohoarc; b=fq5OWxA3dvIJ/nHBNXTfSAK/MRnf2ebyNSlSOrOKfIZv24rXaP1WDq8jrhyd5w/0FFiw155hoCvzYzUOYc4xTDKS3QwnqWOJihsUquW5A50KtKA3QLZcVC7n8amXTOllLuorTw+zXjkbuhPJ4n4mnKlT+zrXZLbAZZO2R10SYbY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620236; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=W9zVn2UyML+pFIyauf9LxVAiQxp8u9JydqehEdAjbT8=; b=Y60p9qpKIfFHVQvJlEhUdMhGtcuIDAYftT2Jgpab4f3fO10mo0sF3A1FYz61jPja+O3gVbmsIXydpLI1twnVyF8ZxxtP5m7YFWQP7ehxTuZRHCUwHtLaEWrdmZzW75jcHQaYwGgv1KgayQmrnVEIvuwR+2771hXxMoaPvAIy2r4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 177862023648010.276987693460683; Tue, 12 May 2026 14:10:36 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuHl-0007ls-SS; Tue, 12 May 2026 17:05:02 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps 
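Review bot: The load-failure message just above the changed call is still written with `printf`, so it goes to stdout and is only visible because `exit()` now flushes stdio. Writing it as `fprintf(stderr, "Error while loading %s: %s\n", exec_path, strerror(-ret));` would keep the diagnostic out of the stream the guest program's own output uses and would not depend on how the process terminates. `main` starts and continues outside this hunk.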
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGn-0003o5-7N; Tue, 12 May 2026 17:04:02 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGl-00088f-0G; Tue, 12 May 2026 17:04:00 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 61D4C1AA327; Tue, 12 May 2026 23:54:39 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 6ED6F3ABC98; Tue, 12 May 2026 23:54:43 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619279; bh=6V5+Hj3bIvptEvL5eLeiiqm5HnD/IjfEcLx4vNh3fEo=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=nnGe6Osli0I/8EW9ctIKS2Jka7rlYfNs7/+AFlSMLBkgDsKkL1YqWXRKnaiXMgX2O AFXatafVC4+e5LJsh1+jXVdq27A51aKcEs09afFbzjZzr1RMnqoaR+g4qJryJey7r+ YoYKv44R8JRcOQKj3cARCMy/R+c3ykUneUaLV9igAsgRHE8wlpWzDFk1KVsw+ySUHx SI1sQzuTISSTa0K/zM8yTOLRYr99tp8YQa0gSIvOA4exeKWO4/e/GBv6dsRcAdu+Xw 3t546S1FRXGClMp8tQ6JMEE/95KALEAcBS9jSHV8UBndaWEuBvJw0U0bBUiUAmUd2z QjNMlW9RoVbvg== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Helge Deller , Pierrick Bouvier , Michael Tokarev Subject: [Stable-10.0.10 091/107] linux-user: Allow getsockopt() with NULL optval address Date: Tue, 12 May 2026 23:54:18 +0300 Message-ID: <20260512205437.360850-91-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620237445158500 Content-Type: text/plain; charset="utf-8" From: Helge Deller Some programs test availability of socket options by asking for the value with an NULL optval address, which currenrly always trigger an EFAULT in qemu. Fix it by allowing a NULL address, in the same manner as the Linux kernel on physical machines. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2390 Signed-off-by: Helge Deller Reviewed-by: Pierrick Bouvier (cherry picked from commit 08dc3e240fc00213c0eb29b71569dc0ca9301337) Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 905db117ff..3a1b41e84b 100644 
--- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -2648,6 +2648,10 @@ get_timeout: if (ret < 0) { return ret; } + /* special case: destination address is NULL, return 0 */ + if (optval_addr) { + len =3D 0; + } if (len =3D=3D sizeof(struct target__kernel_sock_timeval)) { if (copy_to_user_timeval64(optval_addr, &tv)) { return -TARGET_EFAULT; @@ -2848,7 +2852,10 @@ get_timeout: } if (len > lv) len =3D lv; - if (len =3D=3D 4) { + if (!optval_addr) { + /* writing to NULL does not give error */ + len =3D 0; + } else if (len =3D=3D 4) { if (put_user_u32(val, optval_addr)) return -TARGET_EFAULT; } else { @@ -2881,18 +2888,24 @@ get_timeout: return -TARGET_EINVAL; lv =3D sizeof(lv); ret =3D get_errno(getsockopt(sockfd, level, optname, &val, &lv= )); +write_ret: if (ret < 0) return ret; - if (len < sizeof(int) && len > 0 && val >=3D 0 && val < 255) { + if (!optval_addr) { + len =3D 0; + } else if (len < sizeof(int) && len > 0 && val >=3D 0 && val <= 255) { len =3D 1; - if (put_user_u32(len, optlen) - || put_user_u8(val, optval_addr)) + if (put_user_u8(val, optval_addr)) { return -TARGET_EFAULT; + } } else { if (len > sizeof(int)) len =3D sizeof(int); - if (put_user_u32(len, optlen) - || put_user_u32(val, optval_addr)) + if (put_user_u32(val, optval_addr)) { + return -TARGET_EFAULT; + } + } + if (put_user_u32(len, optlen)) { return -TARGET_EFAULT; } break; @@ -2943,20 +2956,7 @@ get_timeout: return -TARGET_EINVAL; lv =3D sizeof(lv); ret =3D get_errno(getsockopt(sockfd, level, optname, &val, &lv= )); - if (ret < 0) - return ret; - if (len < sizeof(int) && len > 0 && val >=3D 0 && val < 255) { - len =3D 1; - if (put_user_u32(len, optlen) - || put_user_u8(val, optval_addr)) - return -TARGET_EFAULT; - } else { - if (len > sizeof(int)) - len =3D sizeof(int); - if (put_user_u32(len, optlen) - || put_user_u32(val, optval_addr)) - return -TARGET_EFAULT; - } + goto write_ret; break; default: ret =3D -TARGET_ENOPROTOOPT; 
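Review bot: The guard added in the `get_timeout` path (hunk `@@ -2648`) tests the opposite of what its comment describes: `if (optval_addr) { len = 0; }` zeroes `len` when the guest did supply a buffer and leaves it unchanged when the address is NULL. Every other hunk in this patch uses `if (!optval_addr)`, so as written a NULL `optval_addr` presumably still reaches the copy-out and returns `-TARGET_EFAULT`, while a valid buffer no longer satisfies `len == sizeof(struct target__kernel_sock_timeval)`. The condition should read `if (!optval_addr) {`. The rest of this case lies outside the hunk, so the effect on the non-64-bit copy branch should be checked against the full function.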
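Review bot: In hunk `@@ -2943` the `break;` left after `goto write_ret;` is unreachable, and the jump into a label that sits inside a different `case` hides what the shared tail depends on. I would drop the dead `break;` and document the label added in hunk `@@ -2881`, for example `/* shared tail: expects ret, val, len, optlen and optval_addr set by the jumping case */`. The enclosing switch starts and ends outside both hunks.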
@@ -2990,8 +2990,14 @@ get_timeout: if (ret < 0) { return ret; } - if (put_user_u32(lv, optlen) - || put_user_u32(val, optval_addr)) { + if (optval_addr) { + if (put_user_u32(val, optval_addr)) { + return -TARGET_EFAULT; + } + } else { + lv =3D 0; + } + if (put_user_u32(lv, optlen)) { return -TARGET_EFAULT; } break; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620511; cv=none; d=zohomail.com; s=zohoarc; b=XV2jYyZRmkkr+cUqf0lQkSUBrCSNDSbHVV9hIfq8PhiuCIKgongOPg1opDVTjqgA2wRdX7wtofFb++RS3pzJC/aykTGT5DWOEAJnXJVo9eb283LhikplSrKLI3Nu2HvbbXStiY9hOme45+ftOgqIfTR7xFThbM+/NXxsJzyxPco= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620511; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=KsgNFcJGOWUrosbSBcQWGfVRG2rwpz+hit8mUaypcpg=; b=IOBb9jrkGOMaJtJeFHzQy7OBRI3VqWDs7KO7rkFGZ+NAThRIV+icN3d3qxWafr/rj7HBNmDDOWXjBEeecefJJ2siZpJOxEwULO/ROhQ5jp4NuoraM8KOOEB8GmTfDeKpDaGiJrGYfko9F4TIBMsXk+vHC+etAYntVNDR/H7oEqc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620511372257.81433443131345; Tue, 12 May 2026 14:15:11 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuIE-0001gc-4y; Tue, 12 May 2026 17:05:30 -0400 Received: from 
eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGn-0003o8-6y; Tue, 12 May 2026 17:04:02 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGl-0008LS-5R; Tue, 12 May 2026 17:04:00 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 6E5391AA328; Tue, 12 May 2026 23:54:39 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 7CDDB3ABC99; Tue, 12 May 2026 23:54:43 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619279; bh=S6OeWIYWpdze0jNIEzXI9Hn4xVi7VLIwpbcLJIIergo=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=Xx3DOXl4YELQD9J9V39wyW9otu28vVY4Nxw/be6zjN2UCMfrX/np4KNQ3PGlnOPyQ K3ucnTiAB09NS21xgLj9fN5CTQU58FogubXjdibryjCJ3U0IsaU2c7yhdZjJ4og5jd JLfl8nlK3p8vAP15HPLwTbBv2/ayI/+6jRUcGQbYoV8LKpt36MQqLgm3a5l0bGi0NP r97+qZI12QgBNW+53iZXomLvMhh5aAJcao4vyTizZFkQk8b+qqUcX9BPs5AbZ0nqJu o6nBYv0vyc7r1wmLxJVW/fV0HLJPL1CpWYHd2ZrW1b1SyDw8q738DWuk5lneNMqtUj DVgRX8yIctOug== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Helge Deller , Michael Tokarev Subject: [Stable-10.0.10 092/107] linux-user: Translate errno in IP_RECVERR and IPV6_RECVERR Date: Tue, 12 May 2026 23:54:19 +0300 Message-ID: <20260512205437.360850-92-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620513786154100 Content-Type: text/plain; charset="utf-8" From: Helge Deller Translate host error codes of IP_RECVERR and IPV6_RECVERR control messages = to target error codes before returning to the caller. For example, this is important for architectures (e.g. hppa, alpha, sparc, mips) on which the value of ECONNREFUSED is different to the value on a x86= _64 host. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/602 Signed-off-by: Helge Deller (cherry picked from commit 9667bf3249256788245c6ca07bc12106f3e4fa22) Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 3a1b41e84b..b6c57dbd07 100644 
--- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -2012,7 +2012,8 @@ static inline abi_long host_to_target_cmsg(struct tar= get_msghdr *target_msgh, tgt_len !=3D sizeof(struct errhdr_t)) { goto unimplemented; } - __put_user(errh->ee.ee_errno, &target_errh->ee.ee_errno); + __put_user(host_to_target_errno(errh->ee.ee_errno), + &target_errh->ee.ee_errno); __put_user(errh->ee.ee_origin, &target_errh->ee.ee_origin); __put_user(errh->ee.ee_type, &target_errh->ee.ee_type); __put_user(errh->ee.ee_code, &target_errh->ee.ee_code); 
@@ -2066,7 +2067,8 @@ static inline abi_long host_to_target_cmsg(struct tar= get_msghdr *target_msgh, tgt_len !=3D sizeof(struct errhdr6_t)) { goto unimplemented; } - __put_user(errh->ee.ee_errno, &target_errh->ee.ee_errno); + __put_user(host_to_target_errno(errh->ee.ee_errno), + &target_errh->ee.ee_errno); __put_user(errh->ee.ee_origin, &target_errh->ee.ee_origin); __put_user(errh->ee.ee_type, &target_errh->ee.ee_type); __put_user(errh->ee.ee_code, &target_errh->ee.ee_code); --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620222; cv=none; d=zohomail.com; s=zohoarc; b=TahOv86063PWJiujQD06VeVcTNwXQBWMj1yRVrBVYzuMCRLVWwvP8Tn1krH/6S4Ch2ozdS32ux1KzwgpzxRXXJGiq33RY4f1eKJGmkWbgw12toWSU7M1rq5QN6WWZpqZP0kSZl89HsP01y2y0AdxuGcx0YVfIqykicGwdUAIM04= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620222; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=COaWsKq5xKcZkLmKbvl4PA2Wh1Ptp49MzpoYhp2sqyQ=; b=NbJ50uZBdYodRRS3ZrLd0+7n3T74fjxgsfWoc5V47+furKR3uD2AlcEzqF0hQmxMjywFyv0QFbNtL+6e3KQaiRqXY5YV2dkAV249ltno7hJ9vkbRx0m1nnev+LbbpA8bbhUF7DT9Y8/SjMjyaKQy4gOEOh8FjHwm4nHRCsX51tQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620222766636.688827950312; Tue, 12 May 2026 14:10:22 -0700 (PDT) Received: from 
localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuIJ-0002I6-Gt; Tue, 12 May 2026 17:05:36 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGq-0004Ht-SO; Tue, 12 May 2026 17:04:04 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuGo-0008P6-NR; Tue, 12 May 2026 17:04:04 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 819301AA329; Tue, 12 May 2026 23:54:39 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 89D473ABC9A; Tue, 12 May 2026 23:54:43 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619279; bh=Vut12cKrYEMDYJI0A2fmodC3YuLClaDx8d3dnGQh++w=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=Z/9WhT3+XR7Y+6hwsPBBo8C/WnSMsSZVMhtaecB6VIQx86wHLSDDtUqnjZBn0bJrO Iic6/QLm56k5MD9doTtNPtDBUyvVkdHAll+I63MV4Xmimo2rUUB2E+Ti5tg+G68L9b HyyrvQfLqY3jMAtJAPmYJBt5jVN/r3DBNQhgJHJdLbPbgcPqkq82i8cclhr6mQnvPQ 55G1xkhFUvpydwbklpTNpWDQeDHCjQBag81Q2IXH2zkjqGlBvhlu3R99BffCt2+OlS c5ixj5V0s7/uPvYMAJZ/cffSb9yr+VmpiJ57OpJt0C+qb7EBXlwespB5ksb+yMvJnV 72tyR2oC6t+UA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, kiki , Zexiang Zhang , Gautam Menghani , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Harsh Prateek Bora , Michael Tokarev Subject: [Stable-10.0.10 093/107] hw/intc/xics: Add a check for an invalid server id Date: Tue, 12 May 2026 23:54:20 +0300 Message-ID: <20260512205437.360850-93-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620225029154100 From: kiki A malformed IVE value can result in an invalid server field being passed to icp_irq(). The function assumes the server id is valid and may access invalid state otherwise, potentially leading to a crash. Fix this by validating the server id before using it and ignoring invalid values. Reported-by: Zexiang Zhang Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3324 Signed-off-by: Zexiang Zhang 
Signed-off-by: Gautam Menghani Reviewed-by: Philippe Mathieu-Daud=C3=A9 Link: https://lore.kernel.org/qemu-devel/20260428103645.50617-1-Gautam.Meng= hani@ibm.com Signed-off-by: Harsh Prateek Bora (cherry picked from commit 1aee8067fce95d15061eca8fbb6772d8a90ea699) Signed-off-by: Michael Tokarev diff --git a/hw/intc/xics.c b/hw/intc/xics.c index bb8504f53d..bb328eb0df 100644 --- a/hw/intc/xics.c +++ b/hw/intc/xics.c @@ -26,6 +26,7 @@ */ =20 #include "qemu/osdep.h" +#include "qemu/log.h" #include "qapi/error.h" #include "trace.h" #include "qemu/timer.h" 
@@ -222,6 +223,13 @@ void icp_irq(ICSState *ics, int server, int nr, uint8_= t priority) =20 trace_xics_icp_irq(server, nr, priority); =20 + if (!icp) { + qemu_log_mask(LOG_GUEST_ERROR, "XICS: invalid server %d for IRQ 0x= %x\n", + server, nr); + ics_reject(ics, nr); + return; + } + if ((priority >=3D CPPR(icp)) || (XISR(icp) && (icp->pending_priority <=3D priority))) { ics_reject(ics, nr); --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620236; cv=none; d=zohomail.com; s=zohoarc; b=HrcFnk2MwHZp9HhP7Yocg6fAM81TyW9KsWfJQ+USYl7rASbJXDv523l6v1Gda84/5R4iWHfkaerR2Svp+Np6Ze8pJFiIOp1rNtJwt3qdUQbqRQX7MuRyiUIRiBNpLsf8Hcn46kDKcB8smde/V/Q9cPWPEp+1ECEi+UVz3BWp3wg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620236; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=arIhjlEmQ8cmkb9xgc1T0HBjBchaYnkDM33P0FCipt8=; b=YdCJD5g492TNuTeX8fhy9kak/FjI/denFNJ6dw1JAZnYuw/f0Ps8LJkfD0cnCO+5QEioEnKzzL5QNPVOYzt6vsnfphpkHT1GqL8PfPNK4BquAAzgCyVhnwjQEhUOqm4Z41cU8ZmFOd92QD6GRRcooPAO6qbQUrypc6VfrWWt0Zs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620236780917.5292893516173; Tue, 12 May 2026 14:10:36 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) 
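Review bot: The new `!icp` branch calls `ics_reject(ics, nr)` although the commit message says invalid values are ignored, and the code does not say which of the two is intended. If a rejected interrupt is retried later (`ics_reject` is not shown here, so this needs confirming), the same invalid server is looked up again on each resend and every attempt emits the `LOG_GUEST_ERROR` line; a comment such as `/* Invalid server from a guest-written IVE: reject rather than dereference a NULL ICP */`, with a note on the resend behaviour, would make that explicit. It is also worth checking whether the server number can be validated where the guest writes the IVE, so that this delivery-time check is a second line of defence rather than the only one. `icp_irq` begins and ends outside the hunk.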
(envelope-from ) id 1wMuHy-0008NP-Cx; Tue, 12 May 2026 17:05:14 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHB-0005iH-Q4; Tue, 12 May 2026 17:04:27 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuH8-0008PD-Ob; Tue, 12 May 2026 17:04:25 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 8FBD61AA32A; Tue, 12 May 2026 23:54:39 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 9CB683ABC9B; Tue, 12 May 2026 23:54:43 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619279; bh=Q3lCuv4X+Ag/LDgtUcJpyEVJ8Rrvluf+nuqZHXrk1hg=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=qq9LXjvKM4iu0YuqSfnhXfOwAX7tDPuQ5LW5OEuiDdJ/0QTArzh0ZjwRVjDfs33OC k5qv6X3e6zz/99uivijzmMKui2dyBgoq+Ab51++H0WTFpswddUtPTW/noDD+rowBPC QXSH++tuVQHc3MiPSYDasi9P10shlf8ma6o/3whxJPQUFgd+MEyDxs6SIEQjYCLCwT Z5yAt3kmOF33u7C0adcDs5J4qwEEWwanhpZgZhfOv3jR6DXykRbSvoPaigCIQeTIPk 84bv/fYhulbWGYijtV2LcMSBPSRY3cG8OirfPO8psJhUxeKIWUih6YrAcwM1ezwSkI AvnoKJIstU3gQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= , Richard Henderson , Michael Tokarev Subject: [Stable-10.0.10 094/107] tests/rcutorture: Fix build error Date: Tue, 12 May 2026 23:54:21 +0300 Message-ID: <20260512205437.360850-94-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620237465158500 
From: C=C3=A9dric Le Goater Newer gcc compiler (version 16.0.0 20260103 (Red Hat 16.0.0-0) (GCC)) detects an unused variable error: ../tests/unit/rcutorture.c: In function =E2=80=98rcu_read_stress_test=E2= =80=99: ../tests/unit/rcutorture.c:251:18: error: variable =E2=80=98garbage=E2=80= =99 set but not used [-Werror=3Dunused-but-set-variable=3D] 251 | volatile int garbage =3D 0; | ^~~~~~~ Since the 'garbage' variable is used to generate memory reads from the CPU while holding the RCU lock, it can not be removed. Tag it as ((unused)) instead to silence the compiler warnings/errors. Reviewed-by: Richard Henderson Link: https://lore.kernel.org/qemu-devel/20260112163350.1251114-1-clg@redha= t.com Signed-off-by: C=C3=A9dric Le Goater (cherry picked from commit 7a05be8c70bb789c23076b1ca2563ed7d87c6fb8) Signed-off-by: Michael Tokarev diff --git a/tests/unit/rcutorture.c b/tests/unit/rcutorture.c index 7662081683..2f19d479a3 100644 --- a/tests/unit/rcutorture.c +++ b/tests/unit/rcutorture.c 
@@ -248,7 +248,7 @@ static void *rcu_read_stress_test(void *arg) int pc; long long n_reads_local =3D 0; long long rcu_stress_local[RCU_STRESS_PIPE_LEN + 1] =3D { 0 }; - volatile int garbage =3D 0; + volatile int garbage __attribute__ ((unused)) =3D 0; =20 rcu_register_thread(); =20 --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620204; cv=none; d=zohomail.com; s=zohoarc; b=KFRe78NJdcnmWM9hV74202kSK/dZzxZhY3kqzEq7UHTbMnGCFUOFVThrjL+GomNqAdvrpM/lZ1IzXCAw/klkCC1+kgckqZN+jiJxeLLb3h6g2DOrpp2pv/+WFQFbKA2q2nz7gzgZD67hbKG8sZt+9xqscozyNkPnwftXxIPwVPc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620204; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=F0+aFUT9CQuGeIH9m5TXxDDRmYVRiv2LpqBcbADPENo=; b=S3rDGHpBL0iG5gdIbPjsSdP6KnxDkiKpqlehvi91hHYE0U6yTWRrYpvR1Uf0xs42ZosKwH709emiR7HTUINbBV8waYHQPoSNYxscKrZIBYuSB8JBhIq1WAHsc8hNoVdT9yzO1xNJQ9nLTbRDVM+1SAL8U9phTmjKVkpFWcXQmD8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620204883372.0754101218895; Tue, 12 May 2026 14:10:04 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuIM-0002iw-9K; Tue, 12 May 2026 17:05:38 -0400 Received: from eggs.gnu.org 
([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHE-0005rh-Rc; Tue, 12 May 2026 17:04:30 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHC-0008W2-HU; Tue, 12 May 2026 17:04:28 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id A001C1AA32B; Tue, 12 May 2026 23:54:39 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id AA1DF3ABC9C; Tue, 12 May 2026 23:54:43 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619279; bh=OerGX+5xDnr3duzGefULOnLdS4RvrTLOQ1p4qTB/1Q4=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=VewuWkfK+GUiVPWwNwg58aPXitLOyLdng1zlBC+uOsdhS4bBAhPVxXdCxk/JBaMau HDOAM5v/SnfLXGBNs929g/09j2mAbSTyazkVvVjCbhqSlrqveeISS/dUrgzikHKOWb ffWgJlsOsG4fY7wskq1FsybgReMZ3Hs9TECgGB0djT4EKDf3vlH7pTfVH3aapyu88a H3xkFPhh4/BfHKDvb64457OxM8l9BrA9wwxiFLSRgsSAA7exxQzkLZjruX4Us+3VTg NJLNM40+GwOzMThpSXPp2A4ABkos8RD/sX+QQk9GdFEGWMM0z9+byyFTjbHY4JNJYe Sz4BIHenM3nVA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, BALATON Zoltan , Bernhard Beschow , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.10 095/107] hw/ppc/e500: Move clock and TB frequency to machine class Date: Tue, 12 May 2026 23:54:22 +0300 Message-ID: <20260512205437.360850-95-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620206921154100 From: BALATON Zoltan Different machines have different frequencies so make this configurable in machine class instead of using a hard coded constant. Signed-off-by: BALATON Zoltan Acked-by: Bernhard Beschow Message-ID: <431166f96ff12ff3dbc670d40544974415f11305.1748012109.git.balato= n@eik.bme.hu> Signed-off-by: Philippe Mathieu-Daud=C3=A9 (cherry picked from commit ea585b1022f7c1ac6e465aa1fe869de4c20ca943) Signed-off-by: Michael Tokarev diff --git a/hw/ppc/e500.c b/hw/ppc/e500.c index 7cc988b2be..de99c9381f 100644 --- a/hw/ppc/e500.c 
+++ b/hw/ppc/e500.c @@ -79,8 +79,6 @@ #define MPC85XX_ESDHC_IRQ 72 #define RTC_REGS_OFFSET 0x68 =20 -#define PLATFORM_CLK_FREQ_HZ (400 * 1000 * 1000) - struct boot_info { uint32_t dt_base; @@ -120,7 +118,7 @@ static uint32_t *pci_map_create(void *fdt, uint32_t mpi= c, int first_slot, } =20 static void dt_serial_create(void *fdt, unsigned long long offset, - const char *soc, const char *mpic, + const char *soc, uint32_t freq, const char *m= pic, const char *alias, int idx, bool defcon) { char *ser; @@ -131,7 +129,7 @@ static void dt_serial_create(void *fdt, unsigned long l= ong offset, qemu_fdt_setprop_string(fdt, ser, "compatible", "ns16550"); qemu_fdt_setprop_cells(fdt, ser, "reg", offset, 0x100); qemu_fdt_setprop_cell(fdt, ser, "cell-index", idx); - qemu_fdt_setprop_cell(fdt, ser, "clock-frequency", PLATFORM_CLK_FREQ_H= Z); + qemu_fdt_setprop_cell(fdt, ser, "clock-frequency", freq); qemu_fdt_setprop_cells(fdt, ser, "interrupts", 42, 2); qemu_fdt_setprop_phandle(fdt, ser, "interrupt-parent", mpic); qemu_fdt_setprop_string(fdt, "/aliases", alias, ser); @@ -382,8 +380,7 @@ static int ppce500_load_device_tree(PPCE500MachineState= *pms, int fdt_size; void *fdt; uint8_t hypercall[16]; - uint32_t clock_freq =3D PLATFORM_CLK_FREQ_HZ; - uint32_t tb_freq =3D PLATFORM_CLK_FREQ_HZ; + uint32_t clock_freq, tb_freq; int i; char compatible_sb[] =3D "fsl,mpc8544-immr\0simple-bus"; char *soc; @@ -484,6 +481,9 @@ static int ppce500_load_device_tree(PPCE500MachineState= *pms, if (kvmppc_get_hasidle(env)) { qemu_fdt_setprop(fdt, "/hypervisor", "has-idle", NULL, 0); } + } else { + clock_freq =3D pmc->clock_freq; + tb_freq =3D pmc->tb_freq; } =20 /* Create CPU nodes */ 
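Review bot: After this change `uint32_t clock_freq, tb_freq;` in `ppce500_load_device_tree` have no initialisers and are assigned only inside branches. The added `else` covers one side, and the assignments on the other side of that `if` are outside the hunk. A later edit that adds an early path or drops one of those assignments would then write an indeterminate value into the device tree. Initialising at the declaration with `uint32_t clock_freq = pmc->clock_freq;` and `uint32_t tb_freq = pmc->tb_freq;`, and letting the other branch override them, would keep both locals always defined, provided `pmc` is already in scope there (its declaration is not visible here).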
@@ -564,12 +564,12 @@ static int ppce500_load_device_tree(PPCE500MachineSta= te *pms, */ if (serial_hd(1)) { dt_serial_create(fdt, MPC8544_SERIAL1_REGS_OFFSET, - soc, mpic, "serial1", 1, false); + soc, pmc->clock_freq, mpic, "serial1", 1, false); } =20 if (serial_hd(0)) { dt_serial_create(fdt, MPC8544_SERIAL0_REGS_OFFSET, - soc, mpic, "serial0", 0, true); + soc, pmc->clock_freq, mpic, "serial0", 0, true); } =20 /* i2c */ @@ -967,7 +967,7 @@ void ppce500_init(MachineState *machine) env->spr_cb[SPR_BOOKE_PIR].default_value =3D cs->cpu_index =3D i; env->mpic_iack =3D pmc->ccsrbar_base + MPC8544_MPIC_REGS_OFFSET + = 0xa0; =20 - ppc_booke_timers_init(cpu, PLATFORM_CLK_FREQ_HZ, PPC_TIMER_E500); + ppc_booke_timers_init(cpu, pmc->tb_freq, PPC_TIMER_E500); =20 /* Register reset handler */ if (!i) { diff --git a/hw/ppc/e500.h b/hw/ppc/e500.h index 01db102625..00f490519c 100644 --- a/hw/ppc/e500.h +++ b/hw/ppc/e500.h @@ -5,6 +5,8 @@ #include "hw/platform-bus.h" #include "qom/object.h" =20 +#define PLATFORM_CLK_FREQ_HZ (400 * 1000 * 1000) + struct PPCE500MachineState { /*< private >*/ MachineState parent_obj; @@ -37,6 +39,8 @@ struct PPCE500MachineClass { hwaddr pci_mmio_base; hwaddr pci_mmio_bus_base; hwaddr spin_base; + uint32_t clock_freq; + uint32_t tb_freq; }; =20 void ppce500_init(MachineState *machine); diff --git a/hw/ppc/e500plat.c b/hw/ppc/e500plat.c index 70a8033373..a68a54db9e 100644 --- a/hw/ppc/e500plat.c +++ b/hw/ppc/e500plat.c @@ -93,6 +93,8 @@ static void e500plat_machine_class_init(ObjectClass *oc, = void *data) pmc->pci_mmio_base =3D 0xC00000000ULL; pmc->pci_mmio_bus_base =3D 0xE0000000ULL; pmc->spin_base =3D 0xFEF000000ULL; + pmc->clock_freq =3D PLATFORM_CLK_FREQ_HZ; + pmc->tb_freq =3D PLATFORM_CLK_FREQ_HZ; =20 mc->desc =3D "generic paravirt e500 platform"; mc->init =3D e500plat_init; diff --git a/hw/ppc/mpc8544ds.c b/hw/ppc/mpc8544ds.c index d74af766ee..fa891d5c6c 100644 --- a/hw/ppc/mpc8544ds.c +++ b/hw/ppc/mpc8544ds.c 
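Review bot: The new `clock_freq` and `tb_freq` members of `PPCE500MachineClass` have no comment giving their unit or saying which consumer each one feeds, and nothing in the visible hunks checks that a machine class set them. `pmc->tb_freq` now goes straight into `ppc_booke_timers_init()` and `pmc->clock_freq` into the serial `clock-frequency` property, so a board that omits the assignment would hand the guest whatever the class structure was initialised with, presumably 0. Suggested comments are `uint32_t clock_freq; /* Hz; platform clock exported through the device tree */` and `uint32_t tb_freq; /* Hz; timebase frequency passed to ppc_booke_timers_init() */`. An `assert(pmc->tb_freq != 0);` before the timers are set up in `ppce500_init()` would catch an unset value early.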
@@ -55,6 +55,8 @@ static void mpc8544ds_machine_class_init(ObjectClass *oc,= void *data) pmc->pci_mmio_bus_base =3D 0xC0000000ULL; pmc->pci_pio_base =3D 0xE1000000ULL; pmc->spin_base =3D 0xEF000000ULL; + pmc->clock_freq =3D PLATFORM_CLK_FREQ_HZ; + pmc->tb_freq =3D PLATFORM_CLK_FREQ_HZ; =20 mc->desc =3D "mpc8544ds"; mc->init =3D mpc8544ds_init; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620306; cv=none; d=zohomail.com; s=zohoarc; b=XYWuUNSV2Sp+3Uw9l7Iv+5od4uHJYWxcFKCmyMDQ4q8FvtPuMiGCknJFlKk5UXCoVF8/w5dxwI7avdO8pt9481VZCJzjQU6Qv9Bz1GQYDxcHi3gkAOGOPeUqGswq/F1jyxlIx9tbs27y7UlpRl+ckraho1ObGi2KFlwlIY18zgY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620306; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=F5ykb/TNwhIKlsfxnDKp60iD1e1QEv3AJ/59KOWEuKE=; b=PnT4YEOPY5ydj3YfrDtgmXphHFnCjkj7J0KjBi6iz/5mbwX92FVVHSlUzTf4CHrjmgfL6IHlV40PNk2rjBCi0zp+rs7YDqlUZmt/Lwg68aUMIlWUnHgkbrgu0DHkLoPD4gy1+58c4IZRvH/XFuHJvqTFaEZ38ejFIip/PZeu1pM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620305688739.7662103711147; Tue, 12 May 2026 14:11:45 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuI6-0000tv-95; Tue, 12 May 
2026 17:05:23 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHF-0005uo-Qh; Tue, 12 May 2026 17:04:30 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHD-0000HW-VQ; Tue, 12 May 2026 17:04:29 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id AD8461AA32C; Tue, 12 May 2026 23:54:39 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id B99853ABC9D; Tue, 12 May 2026 23:54:43 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619279; bh=nhWXsxNrPYLu3VKB1DCONPNIdY0rFdWqzYGRO6zAFTM=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=OVYU2hBFHpYzeGkzPEoa+B3VTT1uirwr7TsmXni3jdJ7j+G9SpdTWBvgp3m0WZadx ebLTW2WPFsbb0j5URQqy+i3I34oqEri89vHSHsYuAiolJSl9zCL6MN2/7ggE5IZbxo ZMJslPSg/t9+FLqi4gEVkzliDa85Xq/V0ymNtjbJFMfYX9wv6jY+2E++zkM7mtHYwJ GUYjcyjfb+YhihI1LpdN0U+VGTJbXm1maL6/k6SQB5zmeCP8phuKozTJxny00M53MC tL+jhPh3BtTdIu05B5pEC84NGgonHpdzPP0QtdS4u8Rrmp/efdpC7fNnqnP/GRXAfp UOCFPGGYfVOZQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Vivien LEGER , Bernhard Beschow , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.10 096/107] hw/ppc/e500: fix bus-frequency property hardcoded to zero in CPU FDT node Date: Tue, 12 May 2026 23:54:23 +0300 Message-ID: <20260512205437.360850-96-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620310020158500 
From: Vivien LEGER The bus-frequency property in the CPU FDT node was hardcoded to 0. This is incorrect - it should reflect the actual platform bus clock frequency, as firmware and RTOSes use it to derive peripheral clock rates. Notably, the RTEMS QorIQ BSP uses bus-frequency to program the MPIC global timer interval. With bus-frequency=3D0, the timer interval overflows to ~85 seconds, preventing any clock interrupts from firing. Fix by adding a bus_freq field to PPCE500MachineClass and using it in the FDT generator. Set bus_freq =3D PLATFORM_CLK_FREQ_HZ (400MHz) for existing machines, matching the existing clock_freq value. Signed-off-by: Vivien LEGER Reviewed-by: Bernhard Beschow Message-ID: <20260411154535.1451361-1-vivien.leger@gmail.com> Signed-off-by: Philippe Mathieu-Daud=C3=A9 (cherry picked from commit 774e6f5c1533aba9e04f95cb8cfba64d8329fcb0) Signed-off-by: Michael Tokarev diff --git a/hw/ppc/e500.c b/hw/ppc/e500.c index de99c9381f..7fb0bbebee 100644 --- a/hw/ppc/e500.c +++ b/hw/ppc/e500.c @@ -516,7 +516,7 @@ static int ppce500_load_device_tree(PPCE500MachineState= *pms, env->icache_line_size); qemu_fdt_setprop_cell(fdt, cpu_name, "d-cache-size", 0x8000); qemu_fdt_setprop_cell(fdt, cpu_name, "i-cache-size", 0x8000); - qemu_fdt_setprop_cell(fdt, cpu_name, "bus-frequency", 0); + qemu_fdt_setprop_cell(fdt, cpu_name, "bus-frequency", pmc->bus_fre= q); if (cpu->cpu_index) { qemu_fdt_setprop_string(fdt, cpu_name, "status", "disabled"); qemu_fdt_setprop_string(fdt, cpu_name, "enable-method", diff --git a/hw/ppc/e500.h b/hw/ppc/e500.h index 00f490519c..858684d569 100644 --- a/hw/ppc/e500.h +++ b/hw/ppc/e500.h @@ -40,6 +40,7 @@ struct PPCE500MachineClass { hwaddr pci_mmio_bus_base; hwaddr spin_base; uint32_t clock_freq; + uint32_t bus_freq; uint32_t tb_freq; }; =20 diff --git a/hw/ppc/e500plat.c b/hw/ppc/e500plat.c index a68a54db9e..1fff5b55d0 100644 --- a/hw/ppc/e500plat.c +++ b/hw/ppc/e500plat.c 
@@ -94,6 +94,7 @@ static void e500plat_machine_class_init(ObjectClass *oc, = void *data) pmc->pci_mmio_bus_base =3D 0xE0000000ULL; pmc->spin_base =3D 0xFEF000000ULL; pmc->clock_freq =3D PLATFORM_CLK_FREQ_HZ; + pmc->bus_freq =3D PLATFORM_CLK_FREQ_HZ; pmc->tb_freq =3D PLATFORM_CLK_FREQ_HZ; =20 mc->desc =3D "generic paravirt e500 platform"; diff --git a/hw/ppc/mpc8544ds.c b/hw/ppc/mpc8544ds.c index fa891d5c6c..c0a1075625 100644 --- a/hw/ppc/mpc8544ds.c +++ b/hw/ppc/mpc8544ds.c 
@@ -56,6 +56,7 @@ static void mpc8544ds_machine_class_init(ObjectClass *oc,= void *data) pmc->pci_pio_base =3D 0xE1000000ULL; pmc->spin_base =3D 0xEF000000ULL; pmc->clock_freq =3D PLATFORM_CLK_FREQ_HZ; + pmc->bus_freq =3D PLATFORM_CLK_FREQ_HZ; pmc->tb_freq =3D PLATFORM_CLK_FREQ_HZ; =20 mc->desc =3D "mpc8544ds"; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619974; cv=none; d=zohomail.com; s=zohoarc; b=b0KOwFiuSlTTsIggZHyUQmYxc0FQ7Twb4AoO2MqXB98BTEicNrALvEWf6MxPLKkYWNdO19XHKPWZ1qgrNXYVIvG6AyPptem6O18ix2y3XbBaqUXMlVIsbTnGZFOVEM2Uy8ZE5nfxuu/AvXwq5UVrSEIUHlFR93bzb8w1UIe6r+A= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619974; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=ymK4YKx88ekoYuIrD2fwYwqUHjVQFgVDXjoirF3i+9g=; b=QHwHWrXIgJvnbfip1Sdp/fcndmcJtRCl/H5EBw8W63RvDb9BQXwYnJ9ytaIyUZGTyE/G5LP5EnFeREcosADeggqCTyN8aI8HkZNQA1z6mFy5nzbgY5v5RFf8XkkZ6aN5E8qQ/X5wWWvCCAHwY1N2WKUN8hY0zZ6Swqo02F+d5Tg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778619974152541.3405087323666; Tue, 12 May 2026 14:06:14 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuI9-0001Fb-OR; Tue, 12 May 2026 17:05:26 -0400 Received: from 
eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHI-0005x9-0J; Tue, 12 May 2026 17:04:32 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHG-0000KM-D2; Tue, 12 May 2026 17:04:31 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id BA9271AA32D; Tue, 12 May 2026 23:54:39 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id C7E783ABC9E; Tue, 12 May 2026 23:54:43 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619279; bh=YQmwLk+vRBI6splGcyyvXUTSOTFLsL68b5MyI8XXBH8=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=vhwHwb85bbmNtcVBO57tVDvzrJdsDR52xR0aESzZyEaHo/VWujsyrHSa8aROIOo+u KnlmCxxq02q6XYHr2DisFcWF5q7XqWUtR5tkq0nqXwKNDv7z7PhO/AxzDFaswFHpfF sshhw9KmalWdI7queP0tvikq4KREKkrBjSunjVARPU94lUMOo192rrC6BVmND8NKqn dkCaL2DJSd+bcKlVD8dolKiKn03WW/Esg8pguSQs80u1u4fKB078LTMJ35fg6KC7G0 EDumZj0kGZ817xhWky1lv/SvHEhvLwqu+ME7e3c/+hN9NaclYglXnHRoRbDWpNcKja PySW5jkX1E3lQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.10 097/107] hw/net/allwinner-sun8i-emac: Flush queued packets when rx is enabled Date: Tue, 12 May 2026 23:54:24 +0300 Message-ID: <20260512205437.360850-97-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619975560158500 From: =E5=AE=8B=E6=96=87=E6=AD=A6 The RX_CTL_0 register includes the RX_EN receive-enable bit, which allwinner_sun8i_emac_can_receive() checks. That means that if the guest sets it we need to call qemu_flush_queued_packets() as we might now be able to handle them. This fixes a bug where networking didn't work in u-boot on the orangepi-pc machine. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3459 
Signed-off-by: =E5=AE=8B=E6=96=87=E6=AD=A6 Message-id: 20260430040753.3337-1-iyzsong@envs.net Reviewed-by: Peter Maydell [PMM: expanded commit message, removed unneeded RX_EN test] Signed-off-by: Peter Maydell (cherry picked from commit a7f27d6903b30bcea21c46986cb7507edcbc970c) Signed-off-by: Michael Tokarev diff --git a/hw/net/allwinner-sun8i-emac.c b/hw/net/allwinner-sun8i-emac.c index 5adb41dc46..5c1b75897d 100644 --- a/hw/net/allwinner-sun8i-emac.c +++ b/hw/net/allwinner-sun8i-emac.c 
@@ -727,6 +727,9 @@ static void allwinner_sun8i_emac_write(void *opaque, hw= addr offset, break; case REG_RX_CTL_0: /* Receive Control 0 */ s->rx_ctl0 =3D value; + if (allwinner_sun8i_emac_can_receive(nc)) { + qemu_flush_queued_packets(nc); + } break; case REG_RX_CTL_1: /* Receive Control 1 */ s->rx_ctl1 =3D value | RX_CTL1_RX_MD; --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619936; cv=none; d=zohomail.com; s=zohoarc; b=LZobrjYKrUxtHU7q0pCDSqJi4VmNi7if3Yur0yv7A8Z4/cHI4iVnIalFvUicWxPG32WnqHHP+FH+BrB9tAQBrwW2xJnTLRCCQlgzdBZJ6GJlApjbfAEg1715sbL/+5wN3Ad6JFT81yOwVrcIJP8YgRrztqsYvJ0tMs5gOlPeafA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619936; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=Uw8UyDR/CzHgrSIyh2oVhdcUQxgJAC0az4N70spYeks=; b=Qg6MlncUv+r89lR+lURnz8/yiiE3V7lSEquf+YtrHDoYI7CigCjabxPwSj1Bv/Do0ud/g/4rH2imNuhrRPD17KS4y6UNKS27z1GcIsRqcGOyL+gEkAqlxUpGX/1TXgARIp7GmppJGLI10dC4MjCvcdapEXMiSDabxKE41Yv4Lgo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 177861993657716.257605591539686; Tue, 12 May 2026 14:05:36 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuHS-0006ti-Lx; Tue, 12 May 2026 17:04:43 -0400 
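Review bot: The flush added to the `REG_RX_CTL_0` case has no comment explaining why a plain register write now triggers packet delivery. A one-line comment such as `/* RX_EN may have just been set: deliver packets queued while receive was off */` would record the intent next to the code. Because `qemu_flush_queued_packets(nc)` can run the device's receive path from inside the MMIO write handler, it is worth confirming that `s->rx_ctl0` is the only state that path needs up to date at this point. The rest of `allwinner_sun8i_emac_write` and the declaration of `nc` are outside the hunk.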
Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHJ-00063s-5b; Tue, 12 May 2026 17:04:33 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHH-0000KU-8O; Tue, 12 May 2026 17:04:32 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id C72C21AA32E; Tue, 12 May 2026 23:54:39 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id D4C183ABC9F; Tue, 12 May 2026 23:54:43 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619279; bh=ZpvhcFTgDOJ58EjibxnNPFQRXpWbyZBOdYXSzIq1qlg=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=JCAm7nEUyN8sdDXdKxkExA+NLRcT4zE00qjklFQCK0inEGquQfRQTam65mZ7zHFOh Rz3hpaiRJGdmEG2D8lqgEIsWFNOKKZ7D/8N+a8h57L3UTP1SrtE8gZg+gjq2Npfr4u hrviBM2XhwBJXZoRTZ3nTvC0D5oqDOd/qkywofuOYgssGhbuAddRosqPytUUHsd76I MwWOriVpK1bL692xPwshFGDJPPDzKOlotqgqcJnCXnrllOYGSB5MUuQe2fbam5bzLQ H0qM0DtdT4X3scM4LX9VulGqF2Otj+Jl0I7CuczBakzCq9jxI/RZWurtC6DZ0YUz2M aukXYG1UHKzSQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, liugan1 , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.10 098/107] hw/intc/arm_gicv3: Fix NS write to ICC_AP1Rn_EL1 when prebits < 7 Date: Tue, 12 May 2026 23:54:25 +0300 Message-ID: <20260512205437.360850-98-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619938038154100 Content-Type: text/plain; charset="utf-8" 
From: liugan1 The existing code uses a blanket `regno < 2` check to make ICC_AP1R0_EL1 and ICC_AP1R1_EL1 writes from Non-secure code WI (Write Ignore) when EL3 is present. This is intended to prevent NS code from claiming active interrupts in the Secure priority range, which could block Secure interrupt delivery. However, that check assumes prebits=3D7 (4 APR registers), where the NS priority range (128..255) maps entirely to AP1R2/AP1R3. Since commit 39f29e599355 ("hw/intc/arm_gicv3: Use correct number of priority bits for the CPU", first in 7.1), all QEMU AArch64 CPUs are initialised with gic_pribits=3D5 (one APR register), so NS priorities map to AP1R0 bits [16:31]. Blanket WI of the entire AP1R0 register prevents NS code from clearing its own NS active priority bits. Machines using hw_compat_7_0 (e.g. virt-7.0) still force pribits=3D8 via force-8-bit-prio and are therefore unaffected. A concrete consequence observed in virtualisation scenarios: when a guest VM acknowledges an SPI interrupt but does not perform EOI, is force-killed and restarted, the new guest's attempt to clear the residual active state by writing ICC_AP1R0_EL1=3D0 is silently ignored. The running priority (RPR) remains stuck at the old interrupt's priority, preventing all equal-or-lower priority interrupts (including timer interrupts) from being delivered, and hanging the guest. Fix this by computing the exact Secure/NS boundary within the APR bank based on prebits. For registers entirely in the Secure range, keep the WI behaviour. For the register that straddles the boundary, preserve only the Secure bits while allowing NS bits to be modified. For registers entirely in the NS range, allow full write access. The new logic produces identical behaviour to the old code when prebits=3D7, preserving existing behaviour for machines that use force-8-bit-prio. Fixes: 39f29e599355 ("hw/intc/arm_gicv3: Use correct number of priority bit= s for the CPU") Cc: qemu-stable@nongnu.org 
Signed-off-by: liugan1 Message-id: 20260428083119.1400110-1-gs_liugan@163.com Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell (cherry picked from commit f35f0f1ca121fb4931fe98570cda3aeb06b7a87f) Signed-off-by: Michael Tokarev diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c index de37465bc8..43831cb9a4 100644 --- a/hw/intc/arm_gicv3_cpuif.c +++ b/hw/intc/arm_gicv3_cpuif.c 
@@ -1870,9 +1870,40 @@ static void icc_ap_write(CPUARMState *env, const ARM= CPRegInfo *ri, * at a priority outside the Non-secure range (128..255), since this * would otherwise allow malicious NS code to block delivery of S inte= rrupts * by writing a bad value to these registers. + * + * The NS priority range (128..255) maps to APR bits starting at + * aprbit =3D 0x80 >> (8 - prebits). Depending on prebits, this bounda= ry + * may fall within AP1R0 or AP1R1, so we cannot simply WI the entire + * register. Instead we calculate which bits within each register + * correspond to the Secure range and preserve those, while allowing + * NS code to modify only the NS range bits. + * + * prebits=3D4: num_aprs=3D1, NS starts at AP1R0[8] + * prebits=3D5: num_aprs=3D1, NS starts at AP1R0[16] + * prebits=3D6: num_aprs=3D2, NS starts at AP1R1[0] + * prebits=3D7: num_aprs=3D4, NS starts at AP1R2[0] */ - if (grp =3D=3D GICV3_G1NS && regno < 2 && arm_feature(env, ARM_FEATURE= _EL3)) { - return; + if (grp =3D=3D GICV3_G1NS && arm_feature(env, ARM_FEATURE_EL3)) { + int ns_start_bit =3D 0x80 >> (8 - cs->prebits); + int ns_start_regno =3D ns_start_bit / 32; + int ns_start_regbit =3D ns_start_bit % 32; + + if (regno < ns_start_regno) { + /* This entire register is in the Secure range: WI */ + return; + } else if (regno =3D=3D ns_start_regno && ns_start_regbit > 0) { + /* + * This register is split: low bits are Secure, high bits are = NS. + * Preserve the Secure bits (below ns_start_regbit) from the + * current value, and take the NS bits (at and above + * ns_start_regbit) from the written value. 
+ */ + uint32_t secure_mask =3D MAKE_64BIT_MASK(0, ns_start_regbit); + + value =3D (cs->icc_apr[grp][regno] & secure_mask) | + (value & ~secure_mask); + } + /* else: regno > ns_start_regno, entire register is NS: allow writ= e */ } =20 if (cs->nmi_support) { --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620201; cv=none; d=zohomail.com; s=zohoarc; b=UivMdQGcq/BSi5F3ULm/7bH6Nf5g6f5WbTTlNgt6eay2DYOJzbzi1tYl7Se0UosxRmn9J5I8qbmxYp51qlpaa2FGlxMnJUNBCELQ6eLeocf62wqtpewbfMBt9tZy9Iu66sLxqHySZvtvEWBLTePAn9+mpNs0VdTMQSvpWUn6v2k= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620201; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=b+rkwHiKhVFvZPpWC47+v7iCMi2Iv1E1fL1Pna10w+8=; b=ecwDaIXy85vVYkPBEgzq6rzgIMGTRSceqJuIc+UYfj239fcSdaD0dYa2jxXJ6ejfYIUWLDo0rGp9fKrqvw85cClvCavLxzbhE199fqpcozjuJxUIyJlfVRiNusgAfW/NaQLG0us95lhnF2in39Em0jC1AFFeeMDMU47aDa0NUU4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620201736560.6185849425567; Tue, 12 May 2026 14:10:01 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuIQ-00039M-Gj; Tue, 12 May 2026 17:05:42 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org 
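Review bot: In the split-register branch of icc_ap_write(), `secure_mask` is declared `uint32_t`, so `~secure_mask` is evaluated at 32 bits and zero-extends when ANDed with `value`; if `value` is the 64-bit written value, the merge clears bits [63:32] before the `if (cs->nmi_support)` code that follows the hunk sees them. Declaring the mask at the full width keeps the upper bits intact: `uint64_t secure_mask = MAKE_64BIT_MASK(0, ns_start_regbit);`. Separately, `0x80 >> (8 - cs->prebits)` relies on `prebits` staying within the 4..7 range listed in the comment table; a one-line comment naming where that range is validated would make the Secure/NS boundary arithmetic easier to audit. The function starts and ends outside this hunk, so the type of `value` and the NMI handling are inferred rather than seen.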
with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHh-0007Xh-5e; Tue, 12 May 2026 17:04:58 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHd-0000Kn-OI; Tue, 12 May 2026 17:04:56 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id D5D701AA32F; Tue, 12 May 2026 23:54:39 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id E217F3ABCA0; Tue, 12 May 2026 23:54:43 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619279; bh=ts+MNMwf78Jow+SqL35Rvtf4EaxowBVDzGBkQTpwObE=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=VoWEsLj9s4zlqundERzzDIPl1pYOYkygWq0EuEp6o0SmC4+BTsRlJusgH/mnb8Fom 3ECRR3GBhz/s/oFiZdVH7mJ2hw5s4eYNllkDDXdidqndrmzLOsRVAZ/boWLw2due4M 8Oy37ngwAyRScfKluzx55oOnCtZZdVCzO6cf6QxLPlJsNWnIuR8dDoqFHN5VKCoumL qy24yDwM7TvJIQi2uc3oFVKyIohJKomL2q7Kglg2Xa8GrfZiXALoQ5xy9vmMNHdPH0 //qO2N32gaHdbt/PejA7GhwDuvCRTcPGadyF+mCU8SUfCQUaczN2GumaC9wGZzi4Ma 34031ZwxKtVhQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Richard Henderson , Pierrick Bouvier , Michael Tokarev Subject: [Stable-10.0.10 099/107] target/microblaze: Fix endianness used to disassemble Date: Tue, 12 May 2026 23:54:26 +0300 Message-ID: <20260512205437.360850-99-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620203245158500 
From: Philippe Mathieu-Daud=C3=A9 MicroBlaze CPU model has a "little-endian" property, pointing to the @endi internal field. Commit c36ec3a9655 ("hw/microblaze: Explicit CPU endianness") took care of having all MicroBlaze boards with an explicit default endianness (similarly with commit 91fc6d8101d for linux-user binaries), so later commit 415aae543ed ("target/microblaze: Consider endianness while translating code") could infer the endianness at runtime from the @endi field, and not a compile time via the TARGET_BIG_ENDIAN definition. Doing so, we forgot to propagate that runtime change to the disassemble_info structure. Do it now to display the opcodes in correct endianness order. Cc: qemu-stable@nongnu.org Fixes: 415aae543ed ("target/microblaze: Consider endianness while translati= ng code") Signed-off-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Richard Henderson Reviewed-by: Pierrick Bouvier Message-Id: <20260423100612.27278-3-philmd@linaro.org> (cherry picked from commit 41c417290df91c31a70adeb8f5271896a8c5f802) Signed-off-by: Michael Tokarev diff --git a/target/microblaze/cpu.c b/target/microblaze/cpu.c index f3bebea856..5fec3819dc 100644 --- a/target/microblaze/cpu.c +++ b/target/microblaze/cpu.c 
@@ -226,8 +226,8 @@ static void mb_disas_set_info(CPUState *cpu, disassembl= e_info *info) { info->mach =3D bfd_arch_microblaze; info->print_insn =3D print_insn_microblaze; - info->endian =3D TARGET_BIG_ENDIAN ? BFD_ENDIAN_BIG - : BFD_ENDIAN_LITTLE; + info->endian =3D MICROBLAZE_CPU(cpu)->cfg.endi ? BFD_ENDIAN_LITTLE + : BFD_ENDIAN_BIG; } =20 static void mb_cpu_realizefn(DeviceState *dev, Error **errp) --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620061; cv=none; d=zohomail.com; s=zohoarc; b=lDH40mPXWGcGVJGAtEaaQGTOtiZYW6Redg2FwDq8lbgKQdJeQYSELSNpT4vloWK2ho0ryLvOvSBFrXDiIFiQhoSzX2qoxkzQ7x3hXK8Rw0ohsW4h8BPQvOFFtefTs1lDuhLEQ31bqNBUT+YyG07RRhnNjLtQDIlDeox3JZU68Vs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620061; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=6s/xcdsJXkUmIbMI24TFElhs3BRMBlrTM1WTVTFLij4=; b=X5kVm3uowPomkLBRMM2+LxQxQ44/KQ6Oc5zssUaURdWNDYyJWES68vc7rShVfeGzzl5A0gwCKaeYk6PbYfLEHI+J8yHE6qWSInRBl6ZWYFcGE3a7gGRmdKS5SjY1zkez6paFNv2Gw5redL4PbYhf3u/Cb/jTAW2mQ2Hg1DjgFDc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620061135986.3358710659743; Tue, 12 May 2026 14:07:41 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 
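Review bot: The new ternary in mb_disas_set_info() swaps the order of its arms relative to the removed lines (a true condition now selects BFD_ENDIAN_LITTLE), which is easy to misread when comparing it with the old TARGET_BIG_ENDIAN form. A short comment would pin the meaning of the field as the commit message describes it, e.g. `/* cfg.endi is set for a little-endian CPU (the "little-endian" property) */`.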
4.90_1) (envelope-from ) id 1wMuIH-00024p-Bn; Tue, 12 May 2026 17:05:33 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHh-0007Xs-69; Tue, 12 May 2026 17:04:58 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHe-0000LE-P9; Tue, 12 May 2026 17:04:56 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id EB2C81AA330; Tue, 12 May 2026 23:54:39 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id F19943ABCA1; Tue, 12 May 2026 23:54:43 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619279; bh=ddWdw2NLGdChqVXUrkv4rqHqMhC4QUJX2/bL7Y1xnDM=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=wvA3vW422otzQDJCV9BRMhAPITMDbaZyQZTyfc72fnNhuDIhQpia13UVrIRwWQY/c PyrfNDmTVum6gaIVSolWeJYA/ro9w+IE3icL2PF8IaoG9/WrVPVcx9Ftz19Cf3sP8f GediiX+eQfVX4TNdtasGzHSpGfIdZwoPuED6NrOGdztbRYE9/AJZAK9FolV9qQ+Kyb oDw6t1S+1B2Li/jJpGUHx4u0ltPEU95+/iKGdnEba2oUgu/1zwxnaPj220rBR8TJaY 2OkEA+BsWgI7cqMOkFVg/Iw31wwAMMAbABvuA4UIN1fVBnydjH9lQ6DJ1REkxqWUMC 54YVCywrprtiQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , =?UTF-8?q?Alex=20Benn=C3=A9e?= , Richard Henderson , Michael Tokarev Subject: [Stable-10.0.10 100/107] target/arm: Report IL=0 for Thumb 16-bit BKPT insn Date: Tue, 12 May 2026 23:54:27 +0300 Message-ID: <20260512205437.360850-100-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620062305158500 
From: Peter Maydell The Thumb BKPT insn is 16-bit, and the ESR_ELx syndrome register definition requires that we set the IL bit to 0 for this, and 1 for the 32-bit A32 and A64 BKPT/BRK. We used to do this correctly, but accidentally lost it in the conversion to decodetree, because we converted the A32 BKPT first, and then when we converted the T16 BKPT we forgot that trans_BKPT() was unconditionally setting IL=3D1. Pass the right value for syn_aa32_bkpt()'s is_16bit argument. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3474 Fixes: 43f7e42c7d515f ("target/arm: Convert T16, Miscellaneous 16-bit instr= uctions") Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Alex Benn=C3=A9e Reviewed-by: Richard Henderson Message-id: 20260505103726.419195-1-peter.maydell@linaro.org (cherry picked from commit f443b687636205b7f70029692b244f1f90532cf2) Signed-off-by: Michael Tokarev diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c index 86a6888ab2..426445ae69 100644 --- a/target/arm/tcg/translate.c +++ b/target/arm/tcg/translate.c 
@@ -4815,7 +4815,7 @@ static bool trans_BKPT(DisasContext *s, arg_BKPT *a) (a->imm =3D=3D 0xab)) { gen_exception_internal_insn(s, EXCP_SEMIHOST); } else { - gen_exception_bkpt_insn(s, syn_aa32_bkpt(a->imm, false)); + gen_exception_bkpt_insn(s, syn_aa32_bkpt(a->imm, curr_insn_len(s) = =3D=3D 2)); } return true; } --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620056; cv=none; d=zohomail.com; s=zohoarc; b=m8mYEr/nAJo44uxJcWnN4OzCHiZGLMfRmHo40QfYSJ6anCm2c8kOK/FAhXLFqz2jRKwR0LyPm3Re7HVI5ZqFVhk2f7EwapBPNx7xmJiGFwOQTM0wwkLIGjPGkOo/GEV+wMLNxdLLYXplzSbnBlDmzF/xpdjbWwW4FOzwPh/nIYw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620056; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=AEkZFHZc8CZ3ckqewEYqv6Lxk4Yych4DUhTUN6/f8Hs=; b=H4Xt7Ad+zWsNj3jOfTsLbN7+etk3jwETyYhr8tEQ1Dkeip9xBcg6tRuCAsoZCr8pp5Eo80x5/68EAgsM/+U5vJV+2Cp1vtqlZaNMclDWHbdXFnJMMAsk0w6uTCbuhi44CNSGXqZYjUFJvCuTzT/sVRHbecrz0lqEoKZQAi6Mbtg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620056132647.8094581346755; Tue, 12 May 2026 14:07:36 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuHo-00086q-Ho; Tue, 12 May 2026 17:05:04 -0400 Received: from 
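Review bot: The `curr_insn_len(s) == 2` argument in trans_BKPT() carries a requirement that, per the commit message, was already lost once during a refactor, and nothing on the line says why it is there. A comment above the call would protect it, e.g. `/* T16 BKPT is a 16-bit insn: syndrome IL must be 0; A32 BKPT reports IL=1 */`. The function begins outside this hunk, so the semihosting condition above the changed line is not reviewed here.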
eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHk-0007j7-99; Tue, 12 May 2026 17:05:01 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHi-0000cY-LK; Tue, 12 May 2026 17:04:59 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 0DC3E1AA331; Tue, 12 May 2026 23:54:40 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 0ED2A3ABCA2; Tue, 12 May 2026 23:54:44 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619280; bh=lVkiPLhQFpcRhi3T36fgp8Oi5yTHlcTnOEdKtu/L8sc=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=RgHsDdw9uvl++zPp4GZhjYgoX19jVJxWxWHUTWNPfAhmouUKfdf0H9DYmkumZNmn1 rDMWUkuu9FDC6tpDvH2dnlRJEJRn8RDphOLWp/80Y2rQIH03Z3KbHltRTRzT3+C1Z+ 2tyh2SF2N1snfRXBOhWGbF1KL99FxtpCizloFUgZocRVIgpMV3cJwPgHoff7g5L/T3 6/eKjyRAOdNT8rWlAs5tLdJiyNWOs/I/ERCeKFPM4NZ3bcJqUDWpwYhVtTL/qh9q8N Z8afxgaKp64RSqRqoUIQ5iS4Lmt8shbcIP3RyWq3zYs9IS3XhzbjuohI0lgTeouwTW DHNssS6mNrh3A== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.10 101/107] hw/misc/bcm2835_rng: Specify valid memory access sizes Date: Tue, 12 May 2026 23:54:28 +0300 Message-ID: <20260512205437.360850-101-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620058309158500 From: Peter Maydell The BCM2835 RNG has 32-bit registers only; specify this in the MemoryRegionOps so wrong-sized accesses are rejected rather than getting to the assertions in the read and write functions, and for clarity add the matching .impl constraints. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3394 Fixes: 54a5ba13a9f ("target-arm: Implement BCM2835 hardware RNG") 
Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daud=C3=A9 Message-id: 20260501162700.4092512-1-peter.maydell@linaro.org (cherry picked from commit 18b664c90085b0d2be9c2ad8c747e00a7a733402) Signed-off-by: Michael Tokarev diff --git a/hw/misc/bcm2835_rng.c b/hw/misc/bcm2835_rng.c index 06f40817df..665f833b7d 100644 --- a/hw/misc/bcm2835_rng.c +++ b/hw/misc/bcm2835_rng.c 
@@ -93,6 +93,10 @@ static const MemoryRegionOps bcm2835_rng_ops =3D { .read =3D bcm2835_rng_read, .write =3D bcm2835_rng_write, .endianness =3D DEVICE_NATIVE_ENDIAN, + .impl.min_access_size =3D 4, + .impl.max_access_size =3D 4, + .valid.min_access_size =3D 4, + .valid.max_access_size =3D 4, }; =20 static const VMStateDescription vmstate_bcm2835_rng =3D { --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778619963; cv=none; d=zohomail.com; s=zohoarc; b=C18IULXQvTwKFX5k/eu+BvKdQZDICM2XshfK7AVE3yywyMbCohDo8ZKkrCEn5y++wcNc79W8khXK3mDlpm3iNzF1lTPGgBJflAYSt+1U5o3PTHvdGL4tLeXqxXwt0Wrq+IWoO9/mXEWj6MleS0v+aYCR8NBoWujJUIrBnsADGjo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778619963; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=mvahyQUfC1H2zhymDMM1wbBIPSkkVSxp50ATsvjqHyY=; b=H6dXfGEp9eFOhQG1bgYqy1rJwUlte5yB8fMM3olls1iazdDRPmEpILOCerPrdUm2gxUGoFVQEcr4TlW7wJ98PwKo2YbQn7cBXUHCn8ulP5EaC3uhBbHVXVZeyJI7w0C5k5IIJ2BHkfzBd0KM/TFvMO0F72Y4vJDdft8FxxplMoA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 177861996334936.60321049994127; Tue, 12 May 2026 14:06:03 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuHz-0008Rk-2z; Tue, 12 May 2026 
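Review bot: The four added size fields in bcm2835_rng_ops carry no comment saying that `.valid` is the part that keeps guest accesses of other widths away from the size assertions in the read and write handlers, which the commit message gives as the reason for the change. Suggested comment above them: `/* 32-bit registers only: .valid rejects other access sizes before the handlers' size assertions; .impl matches for clarity */`. The handlers themselves are outside this hunk, so whether any other guest-reachable assertion remains in them cannot be judged from here.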
17:05:16 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHl-0007lV-9E; Tue, 12 May 2026 17:05:01 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHi-0000ca-Op; Tue, 12 May 2026 17:05:00 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 1D4D61AA332; Tue, 12 May 2026 23:54:40 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 2912B3ABCA3; Tue, 12 May 2026 23:54:44 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619280; bh=NcJd8nN8udITBb8kuubjKg36rc3x3Tj18jI98dI1A5o=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=luZkXaLOh2NsSqC6gh+9G67uXSTzsuU9AXOqbTxXyh1Y6+ORtmXqyXmoTBvgN0NBS lQcFBxjiAxfnCSjqCcP/jlZJO926W2jNJVdLmBIdEsV/uB+wrzXB6YaclGgeCUKxVL QmCqxe9EzxhX2PzI6Uhld2PKh/mIphPhW8NkhmOkfyjFZtjyzOcmRWNE6p1HuejMWi S3mWCpExmpsWK0pWlTCVim/3WFHruSDESsbmRfq/ZLqKRLIrmFte6ydJPnN60wFYS/ b+fc3x6W7ZP2uPldjpiVSfJiXdY/961XL0vmYyRMQwYmpuPB9UKDvCKFB47kpUtNH+ D9igGeuFPvi6g== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Gerd Hoffmann , Katherine Leaver , Michael Tokarev Subject: [Stable-10.0.10 102/107] hw/uefi: fix buffer overruns Date: Tue, 12 May 2026 23:54:29 +0300 Message-ID: <20260512205437.360850-102-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778619964316154100 Content-Type: text/plain; charset="utf-8" From: Gerd Hoffmann The buffer size checks do not consider the mm_header size, similar to CVE-2026-5744. Factor out the repeated size check to a small helper function, fix the check, update all places to use the new helper. Fixes: CVE-2026-41435 Fixes: db1ecfb473ac ("hw/uefi: add var-service-vars.c") Reported-by: Katherine Leaver Signed-off-by: Gerd Hoffmann Message-ID: <20260422092910.444997-2-kraxel@redhat.com> (cherry picked from commit f252769a23e67765f9b95d8944ca3da6c9edf58b) Signed-off-by: Michael Tokarev 
diff --git a/hw/uefi/var-service-vars.c b/hw/uefi/var-service-vars.c index 27421c6e2d..82ff4e429a 100644 --- a/hw/uefi/var-service-vars.c +++ b/hw/uefi/var-service-vars.c @@ -260,6 +260,17 @@ static size_t uefi_vars_mm_error(mm_header *mhdr, mm_v= ariable *mvar, return sizeof(*mvar); } =20 +static bool check_buffer_size(uefi_vars_state *uv, uint64_t length) +{ + /* uefi_vars_cmd_mm() checks that */ + g_assert(uv->buf_size >=3D sizeof(mm_header)); + + if (uv->buf_size - sizeof(mm_header) < length) { + return false; + } + return true; +} + static size_t uefi_vars_mm_get_variable(uefi_vars_state *uv, mm_header *mh= dr, mm_variable *mvar, void *func) { @@ -307,7 +318,7 @@ static size_t uefi_vars_mm_get_variable(uefi_vars_state= *uv, mm_header *mhdr, if (uadd64_overflow(length, va->data_size, &length)) { return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); } - if (uv->buf_size < length) { + if (!check_buffer_size(uv, length)) { return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); } =20 @@ -377,7 +388,7 @@ uefi_vars_mm_get_next_variable(uefi_vars_state *uv, mm_= header *mhdr, } =20 length =3D sizeof(*mvar) + sizeof(*nv) + var->name_size; - if (uv->buf_size < length) { + if (!check_buffer_size(uv, length)) { return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); } =20 @@ -567,7 +578,7 @@ static size_t uefi_vars_mm_variable_info(uefi_vars_stat= e *uv, mm_header *mhdr, uint64_t length; =20 length =3D sizeof(*mvar) + sizeof(*vi); - if (uv->buf_size < length) { + if (!check_buffer_size(uv, length)) { return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); } =20 
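Review bot: check_buffer_size() aborts through `g_assert()` when `uv->buf_size` is smaller than `sizeof(mm_header)`, so the guard against unsigned wrap-around in `uv->buf_size - sizeof(mm_header)` depends on every caller being reached only through uefi_vars_cmd_mm(), which is outside this diff. Since the buffer size appears to be guest-controlled, failing closed would keep the check self-contained: `if (uv->buf_size < sizeof(mm_header) || uv->buf_size - sizeof(mm_header) < length) { return false; }`, which makes callers return EFI_BAD_BUFFER_SIZE instead of stopping the process. The same helper is used by the later hunks in this file (get_variable, get_next_variable, variable_info, get_payload_size). Any remaining direct `uv->buf_size < length` comparison elsewhere in the file is not visible here and is worth a search before merging.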
@@ -588,7 +599,7 @@ uefi_vars_mm_get_payload_size(uefi_vars_state *uv, mm_h= eader *mhdr, uint64_t length; =20 length =3D sizeof(*mvar) + sizeof(*ps); - if (uv->buf_size < length) { + if (!check_buffer_size(uv, length)) { return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); } =20 --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620172; cv=none; d=zohomail.com; s=zohoarc; b=iFY55/IYJ0/mq+nl+vbRgzKubvQL/Aq8D50j56BKZXGoWZyWJroTliYu4LlN8/v5bNIUok1L8nV7vkVyeNe3fUZ8zTVrZvxQzbmkvY+ZnHl6BXbxdfYDTgYD2UIp1MXFn3RxXjxUEz9YnN5SHpPqYfgODdceTPKVsQjWOFC+wEA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620172; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=san3f42UyTwmC+hflmotCkx43QiaW+v4LDS2W7wPHyg=; b=g/P5MpTN6GWYdn5MSEuM7uVHDsQ/Md6Td2mH2hJNR8uIwAJFDUhrpaubV/ukrI85yzwX0L0LG6TZkqfu2fwK9jbvxkqhtzvop8DakaeW6Xlcf6vrAENlZ/0nSUlcRUdjcyn2ymthJIEWKzqcaCTSpw3q5lm5r01Wm4wbSvI9Bd0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620172327936.5798347901283; Tue, 12 May 2026 14:09:32 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuI5-0000li-K2; Tue, 12 May 2026 17:05:21 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by 
lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHn-00083H-G0; Tue, 12 May 2026 17:05:03 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuHl-0000dV-Qw; Tue, 12 May 2026 17:05:03 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 37D801AA333; Tue, 12 May 2026 23:54:40 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 390293ABCA4; Tue, 12 May 2026 23:54:44 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619280; bh=cELnmoErs9KMFB4E7GoUF8HDV6d7Qtq6N+nR7aXB3vg=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=voocRGzGp+omTi3A17conA0Uj+6U63xrLIrbQeWhf3ty2GkVk0GHzrmlshN2nCgO2 bIwcelbwkzZlppDHXNWGtd0pxH/vTFoqY30DOO0nPhzfgTstY3WJi6lnVoRLRLPtD2 2IhactfZ640wEQtZoHFiIvBbOK2/yRfkM8sa7A/FKDygcE4gsZNS+Y5aLI5M2iSIe7 JFs2lpt1B01E5FxafY7cRltEOtH5gKhf8gGdv5N06Nyi55wO82Bf4Ly78V7TacaJTG yv+lRl+uu1vqrG22OtmLyBZW4eBq4/QgZ8vyiZVnj8nO38vhiP+gE33P5otQz6uJN9 qceip/hWniwKw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Gerd Hoffmann , Katherine Leaver , Michael Tokarev Subject: [Stable-10.0.10 103/107] hw/uefi: verify pio_xfer_offset before calculating buffer checksum Date: Tue, 12 May 2026 23:54:30 +0300 Message-ID: <20260512205437.360850-103-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620173017158500 Content-Type: text/plain; charset="utf-8" From: Gerd Hoffmann Without that it is possible to do trigger OOB reads by first advancing offset, then making the buffer smaller, finally asking for a checksum. Fixes: CVE-2026-41436 Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c") Reported-by: Katherine Leaver Signed-off-by: Gerd Hoffmann Message-ID: <20260422092910.444997-3-kraxel@redhat.com> (cherry picked from commit 94d9a8b2c9e6962aa7f7673229d2db7b110cfac6) Signed-off-by: Michael Tokarev diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c index 0a05ec4c9c..1b9ca3dc77 100644 
--- a/hw/uefi/var-service-core.c +++ b/hw/uefi/var-service-core.c 
@@ -229,6 +229,10 @@ static uint64_t uefi_vars_read(void *opaque, hwaddr ad= dr, unsigned size) uv->pio_xfer_offset +=3D size; break; case UEFI_VARS_REG_PIO_BUFFER_CRC32C: + if (uv->pio_xfer_offset > uv->buf_size) { + retval =3D 0; + break; + } retval =3D crc32c(0xffffffff, uv->pio_xfer_buffer, uv->pio_xfer_of= fset); break; case UEFI_VARS_REG_FLAGS: --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620335; cv=none; d=zohomail.com; s=zohoarc; b=EfP/oKlo9GqODcQyrGY1uzUxGGrhWL1W8f2SlkDaFlJcgFoOFgUBschus2Yx7vG0zhhOZpvjY05GD9xjv0lqd1DHMSMdNbWkvubn+IRf8cLS4ix8NxkJAH/Bn80cU23V2PYkWD2f0kcUywN66oU01T7BiGqSgtEhFfLx9xzkRfA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620335; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=73YeYAh+UwfkskeIGoxJm8uAUZweYzxpOKiNFiYn1G8=; b=g7aUgeIa7+if7dhjwK4Kcadv/l3qSPvsbgBJrHUI3Son3W7z62wMuQRKUBvopeb0Hl0ZKbYX9+41C9aFGBAnESjeKvLof3NW9pmP8yFLY25BoUkjVcNJcS8eVCiOx6ONlX3ZGCVwRih75fLQ6J6Q1MTXWtOeun9ogYFz0gKbwCI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620335373991.2506414961308; Tue, 12 May 2026 14:12:15 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuIQ-0003AJ-LO; Tue, 12 May 2026 
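Review bot: The new guard in the `UEFI_VARS_REG_PIO_BUFFER_CRC32C` case returns 0 silently, so the guest cannot tell the rejection from a real checksum and the host keeps no trace that the offset was out of range. A guest-error log before the `break`, for example `qemu_log_mask(LOG_GUEST_ERROR, "%s: pio_xfer_offset beyond buffer\n", __func__);`, would make the condition visible during triage. The check also sits at the point of use. The commit message attributes the stale offset to shrinking the buffer after advancing it, so resetting `pio_xfer_offset` where the buffer size changes (outside this hunk, not verifiable here) would restore the invariant for every reader of the offset. `uefi_vars_read` starts and ends outside the hunk.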
17:05:42 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuIB-0001QZ-2R; Tue, 12 May 2026 17:05:27 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuI6-0000dm-U7; Tue, 12 May 2026 17:05:26 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 471CA1AA334; Tue, 12 May 2026 23:54:40 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 52A193ABCA5; Tue, 12 May 2026 23:54:44 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619280; bh=4rkkLGqTdBX+oCD8jRNrc2w3UKNXIdoSZtlA4EO+SVY=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=lL0KyROcKhvdq2flGlI8r3vbgelnJUpiZDpzYaPufeTFnivS+KL/GmlJvBFXG0FCb bU/rnETqnKBhXsoHylJJbrxomQBCgKMZj6HtLetaYCiLKpJaL6u6Bj+wM2zHmRB/jM GtGyfcRsspz/fgcBjcVIKX79jPaQkIcCvKpqzAnUE64qpIV7+I/O82BPqjC8uO3WmS iPVW7xgP7j7w70Qf0XhsXABbPb0ckzPSIKQSAQzeH4+QJXuyyo3Bhmb02aaHSY4xrQ OlJNK2UF/dxYKt1WAxf/+ln7u186Ww6ntZohiTtHCpv+Yx1lfZbOf8B704UJcYuCMH dksXMExNMfdBQ== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Gerd Hoffmann , Katherine Leaver , Michael Tokarev Subject: [Stable-10.0.10 104/107] hw/uefi: fix ucs2 string helper functions Date: Tue, 12 May 2026 23:54:31 +0300 Message-ID: <20260512205437.360850-104-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620336174158500 Content-Type: text/plain; charset="utf-8" From: Gerd Hoffmann The length passed in is in bytes not characters. Rename the parameters to make that clear. Calculate the number of chars if needed. Fix length checks to use the number of chars not bytes to avoid OOB reads. Fixes: CVE-2026-41437 Fixes: 1ebc319c8ca7 ("hw/uefi: add var-service-utils.c") Reported-by: Katherine Leaver Signed-off-by: Gerd Hoffmann Message-ID: <20260422092910.444997-4-kraxel@redhat.com> (cherry picked from commit 5247b3034c23bdfd91a7f78587c3b3e37f90568c) Signed-off-by: Michael Tokarev 
diff --git a/hw/uefi/var-service-utils.c b/hw/uefi/var-service-utils.c index c9ef46570f..71631e9f3c 100644 --- a/hw/uefi/var-service-utils.c +++ b/hw/uefi/var-service-utils.c @@ -19,13 +19,18 @@ * sometimes when they are not (for example in variable policies). */ =20 -gboolean uefi_str_is_valid(const uint16_t *str, size_t len, +gboolean uefi_str_is_valid(const uint16_t *str, size_t bytes, gboolean must_be_null_terminated) { + size_t chars =3D bytes / 2; size_t pos =3D 0; =20 + if ((bytes % 2) !=3D 0) { + return false; + } + for (;;) { - if (pos =3D=3D len) { + if (pos =3D=3D chars) { if (must_be_null_terminated) { return false; } else { @@ -47,12 +52,13 @@ gboolean uefi_str_is_valid(const uint16_t *str, size_t = len, } } =20 -size_t uefi_strlen(const uint16_t *str, size_t len) +size_t uefi_strlen(const uint16_t *str, size_t bytes) { + size_t chars =3D bytes / 2; size_t pos =3D 0; =20 for (;;) { - if (pos =3D=3D len) { + if (pos =3D=3D chars) { return pos; } if (str[pos] =3D=3D 0) { @@ -62,25 +68,25 @@ size_t uefi_strlen(const uint16_t *str, size_t len) } } =20 -gboolean uefi_str_equal_ex(const uint16_t *a, size_t alen, - const uint16_t *b, size_t blen, +gboolean uefi_str_equal_ex(const uint16_t *a, size_t a_bytes, + const uint16_t *b, size_t b_bytes, gboolean wildcards_in_a) { + size_t a_chars =3D a_bytes / 2; + size_t b_chars =3D b_bytes / 2; size_t pos =3D 0; =20 - alen =3D alen / 2; - blen =3D blen / 2; for (;;) { - if (pos =3D=3D alen && pos =3D=3D blen) { + if (pos =3D=3D a_chars && pos =3D=3D b_chars) { return true; } - if (pos =3D=3D alen && b[pos] =3D=3D 0) { + if (pos =3D=3D a_chars && b[pos] =3D=3D 0) { return true; } - if (pos =3D=3D blen && a[pos] =3D=3D 0) { + if (pos =3D=3D b_chars && a[pos] =3D=3D 0) { return true; } - if (pos =3D=3D alen || pos =3D=3D blen) { + if (pos =3D=3D a_chars || pos =3D=3D b_chars) { return false; } if (a[pos] =3D=3D 0 && b[pos] =3D=3D 0) { 
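Review bot: Odd byte counts are handled inconsistently across the three helpers touched here: `uefi_str_is_valid` now rejects them, while `uefi_strlen` and `uefi_str_equal_ex` round down with `bytes / 2` and ignore the trailing byte. That is memory-safe, but in `uefi_str_equal_ex` it means two buffers whose sizes differ by one byte can compare equal, which may matter where the result drives a policy match. Either reject odd sizes the same way in all three, or state the rounding in a comment above each function, for example `/* bytes is the buffer size in bytes; a trailing odd byte is ignored */`. All three function bodies continue outside their hunks.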
@@ -100,18 +106,18 @@ gboolean uefi_str_equal_ex(const uint16_t *a, size_t = alen, } } =20 -gboolean uefi_str_equal(const uint16_t *a, size_t alen, - const uint16_t *b, size_t blen) +gboolean uefi_str_equal(const uint16_t *a, size_t a_bytes, + const uint16_t *b, size_t b_bytes) { - return uefi_str_equal_ex(a, alen, b, blen, false); + return uefi_str_equal_ex(a, a_bytes, b, b_bytes, false); } =20 -char *uefi_ucs2_to_ascii(const uint16_t *ucs2, uint64_t ucs2_size) +char *uefi_ucs2_to_ascii(const uint16_t *ucs2, uint64_t ucs2_bytes) { - char *str =3D g_malloc0(ucs2_size / 2 + 1); + char *str =3D g_malloc0(ucs2_bytes / 2 + 1); int i; =20 - for (i =3D 0; i * 2 < ucs2_size; i++) { + for (i =3D 0; i * 2 < ucs2_bytes; i++) { if (ucs2[i] =3D=3D 0) { break; } --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620031; cv=none; d=zohomail.com; s=zohoarc; b=OQsxm1Rnd+URGxNWwmCh5A1qpFirvnBic0CX2MbMGQqjrVQxdEZZLkkqovyguLcBM2gRY5317fmGBZmJbTjNFc+Tinv/op0suqTYTnIoMvSOr/Y2hg1pjHE0dZMsrMVGAHVXg4bqyfyLjQ23M/vzI7CDx8findnDtudni841zy0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620031; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=V0MS6G98/AG+3kdNYQkriRGsmejL1T7IXDKnqRmq5Lg=; b=I1D75Uw9/LOCcWS3c5IdtbGqaFrFxB5sHHhQF0LASV6EpCHinAs6hqZdWB33FSbkg2DNU1JBSsmV3SQkBxmBvP8lXzX3bhfr0O8PxNYLM2rOjG3+k+viLa7YKrdQrIKSQbX3UxpAJt2eP6AzmYu0KWOLLdAhw2k+UuHcWtq8nTY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted 
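Review bot: `uefi_ucs2_to_ascii` keeps the loop bound `i * 2 < ucs2_bytes`, which for an odd `ucs2_bytes` admits one more index than the `ucs2_bytes / 2` characters the input holds: `ucs2[i]` then straddles the end of the input, and `str[i]` lands on the last byte of the `ucs2_bytes / 2 + 1` allocation, the one reserved for the terminator. The patch fixes this same bytes-versus-chars confusion in the other helpers, so the conversion belongs here too: `size_t chars = ucs2_bytes / 2;` with `for (i = 0; i < chars; i++)`. Declaring `i` as `size_t` rather than `int` would also stop the signed `i * 2` from being compared against a `uint64_t`. Whether any caller can pass an odd size is not visible in this hunk, and the rest of the function body lies outside it.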
sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620031704618.3250496854604; Tue, 12 May 2026 14:07:11 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuIY-0003y2-Dk; Tue, 12 May 2026 17:05:50 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuIB-0001Va-Pn; Tue, 12 May 2026 17:05:27 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuI9-0000mC-VS; Tue, 12 May 2026 17:05:27 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 61F961AA335; Tue, 12 May 2026 23:54:40 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 630EF3ABCA6; Tue, 12 May 2026 23:54:44 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619280; bh=vKBvvgfYaWo7Ae6DKuGvnLAh6yOso0d5PFdAZLgvEj0=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=IyeQSy3IXH6Ky9FrNY/lUmWzbjBmPvIbrYNJpky3mz8m1crwcbvwyiL/IZdFIYYBG Daqo0AKNArqjJQgL31ZxB75zC7B5GIwpsR5civqfkPbj44Q3SBnhLaDxAQFsPg/cxq Jzj+WcMls5MX3++pgBORwoZYuldAGLl1pjfbQjQZnp9HUtb3P68yru1hf6SCM/Ho4Y ql4NgItcLiY5bKA+HbwFkBjP4Q+pKJ5JyQd2tlF3xHzYF74aMlaqdMv7hkTFvo7t+c DFFUklVpFtfn/w0jCgI/TfENuWTIUTsPpnFa7i4zOcdpTMFq6nuetw2l9xTfsotY8S HBomBU7FlScfw== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Gerd Hoffmann , Katherine Leaver , Michael Tokarev Subject: [Stable-10.0.10 105/107] hw/uefi: add name_size check to uefi_vars_mm_lock_variable() Date: Tue, 12 May 2026 23:54:32 +0300 Message-ID: <20260512205437.360850-105-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620031996158500 Content-Type: text/plain; charset="utf-8" From: Gerd Hoffmann Make sure the total variable_policy_entry size stays below 64k so the (16-bit) size field can not wrap. Fixes: CVE-2026-41438 Fixes: db1ecfb473ac ("hw/uefi: add var-service-vars.c") Reported-by: Katherine Leaver Signed-off-by: Gerd Hoffmann Message-ID: <20260422092910.444997-5-kraxel@redhat.com> (cherry picked from commit c45b460d16f991ff3f753623f3423e1adc4077a2) Signed-off-by: Michael Tokarev diff --git a/hw/uefi/var-service-vars.c b/hw/uefi/var-service-vars.c index 82ff4e429a..ef8a3db873 100644 --- a/hw/uefi/var-service-vars.c 
+++ b/hw/uefi/var-service-vars.c 
@@ -629,6 +629,9 @@ uefi_vars_mm_lock_variable(uefi_vars_state *uv, mm_head= er *mhdr, if (mhdr->length < length) { return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); } + if (sizeof(*pe) + lv->name_size > UINT16_MAX) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } =20 uefi_trace_variable(__func__, lv->guid, name, lv->name_size); =20 --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620176; cv=none; d=zohomail.com; s=zohoarc; b=lhovFymMB8NI2ekxqKQw9n5OAtyueIil0Zbed6X2shK1aNq1YlkdBeYFS729Gb14ZBigvgLffnbxrsrRkXcmrMVfqhFYSvfns+lpriUPImoduMtqlhVtggWtRDJDvDjiI/k3RLGZdoJA87QXNoM0kUlrCfhLK9vJCY64PHRIXTI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620176; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=RALOQ1sONAPVBPsNYlKmR16ceV8GnLF36LNysNH/IP8=; b=JzF39YgNuYmboRaqpH77TnXT+JvKO8kAOAzSDtON2jJ72qBgZYmunyiWgh2I8/IvEMFvkwSVsOk4dcwqOWbldwoiTsgmLIPCH2/05LAIQNvKENAXok2fDqfA98UDpHfjDQPto6wNGRNHSbrEYkBz6vtXsR0bxSPH/5JTGCBjvGY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620176209813.5226644918615; Tue, 12 May 2026 14:09:36 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuIT-0003VG-R1; Tue, 12 
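Review bot: The added check computes `sizeof(*pe) + lv->name_size` before comparing, so it is only correct if that sum cannot wrap. That appears to depend on the `mhdr->length < length` test directly above, but the computation of `length` is outside the hunk. Writing the bound against the remaining room, `if (lv->name_size > UINT16_MAX - sizeof(*pe)) {`, keeps the check correct on its own. A one-line comment such as `/* the policy entry size field is 16 bit, the whole entry must fit */` would also record why 64k is the limit. `uefi_vars_mm_lock_variable` starts and ends outside the hunk.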
May 2026 17:05:46 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuIE-0001oZ-JF; Tue, 12 May 2026 17:05:30 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuIC-0000uL-OB; Tue, 12 May 2026 17:05:30 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 7C1741AA336; Tue, 12 May 2026 23:54:40 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 7CEB33ABCA7; Tue, 12 May 2026 23:54:44 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619280; bh=6yNTHyY4n+czwCDJOviiZkYDpnz4dMyJaeqmCz/8sP8=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=th1enPlCGj7WKrKTEOLcDRsgb4Jp59yqtVdDQY0oe6n4lMPxv4NQTf1DDmSWoqZ3s lnijZcqj2T+lzOx/1pVJxTViWuCMp+SkmxYkBW4PvYyqoSCC8FsbZObJsYxxMtRlzQ iRHobmSUnkgSepCshgjX6RoyF3x4YslQun6IQodsI7bBdloM1oSbT3RkMlTXAjaXWn EvhFZ+zMaPXNtS3Fg4oCfTR5E/Wz0yK4pYzKKxgocN8ikg1OKILH8ewx0hEN/wI4PW SlhNHIqff3iB/4R+g/qadGnJ55xbh8M44fvr9Uu47LwWAbHEC709qGHvhWN+bvqKaX Sbbxb3MkgdtuA== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Gerd Hoffmann , Katherine Leaver , Michael Tokarev Subject: [Stable-10.0.10 106/107] hw/uefi: verify data size before accessing it in wrap_pkcs7 Date: Tue, 12 May 2026 23:54:33 +0300 Message-ID: <20260512205437.360850-106-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620178244154100 Content-Type: text/plain; charset="utf-8" From: Gerd Hoffmann Fixes: CVE-2026-41439 Fixes: 3e33af2cb306 ("hw/uefi: add var-service-pkcs7.c") Reported-by: Katherine Leaver Signed-off-by: Gerd Hoffmann Message-ID: <20260422092910.444997-6-kraxel@redhat.com> (cherry picked from commit 22b7b222d8f5428be8b5d4787f36efd0a0b75292) Signed-off-by: Michael Tokarev diff --git a/hw/uefi/var-service-pkcs7.c b/hw/uefi/var-service-pkcs7.c index 32accf4e44..f17ad6872f 100644 --- a/hw/uefi/var-service-pkcs7.c +++ b/hw/uefi/var-service-pkcs7.c 
@@ -73,7 +73,8 @@ static void wrap_pkcs7(gnutls_datum_t *pkcs7) }; gnutls_datum_t wrap; =20 - if (pkcs7->data[4] =3D=3D 0x06 && + if (pkcs7->size > 16 && + pkcs7->data[4] =3D=3D 0x06 && pkcs7->data[5] =3D=3D 0x09 && memcmp(pkcs7->data + 6, signed_data_oid, sizeof(signed_data_oid)) = =3D=3D 0 && pkcs7->data[15] =3D=3D 0x0a && --=20 2.47.3 From nobody Sat May 30 17:46:17 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620408; cv=none; d=zohomail.com; s=zohoarc; b=dI4aEveavfTCdMqf8Uyyid0eQZNduthVXlPWZkkhgEbhk7kzjktYgd02GgcUp88TYT8wzVlSok3YmJPbaVEqOL9HOYK57tgZTqExjhJYkYc/ysEBwAp/m1vLE9KE9lKeFygGQSvl6Z+m1XwkAimYXpaeZkVQNL/Nf3Hc+3OPxr0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620408; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=M9bu+U3Hrsqqix84wJNlpaZbqtoIRpRWopYtEb7vdHk=; b=eJqxD7O7mz+AdIo1NPNmDL7T6WqV5uRCxx4Zq4PG8omtOwVMBtqa3+oEKaZ0lbWLbd72prTlsT/K44ob2MUH1OfuKuzScIa6yPfACtfl/r5zn3xRSotdYrlvHvRALQUoz1uw0eB9/Hg2eK6kBEAyZV29UbBR+mM+onsWmnRFItk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620408809834.8125317976638; Tue, 12 May 2026 14:13:28 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuIK-0002Vn-RC; Tue, 12 May 2026 17:05:37 -0400 Received: from 
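Review bot: The literal in `pkcs7->size > 16` has to stay in step with the highest index the condition reads, and the condition continues past the end of this hunk (`pkcs7->data[15]` is the last access visible), so the bound cannot be confirmed from here. A short comment at the check naming the last byte inspected, for example `/* the probe below reads up to data[16] */` if that is indeed the final index, would keep the two from drifting apart when the probe is edited. `wrap_pkcs7` starts and ends outside the hunk.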
eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuIF-0001ux-EM; Tue, 12 May 2026 17:05:31 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuID-0000up-D2; Tue, 12 May 2026 17:05:31 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 8A5851AA337; Tue, 12 May 2026 23:54:40 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 96D953ABCA8; Tue, 12 May 2026 23:54:44 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619280; bh=qG6ii2l7hCb7dAKBoB+JAL6Fy6hY5WJKV7Caap/hyCY=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=Pf4jwpKt4DGouGlOzpC4SawgJzZqJuKyPaZZ55go3yl/DHW2dJ1k5SAaeTx4waDzi j/i31hSVYTvGktK1ELDXTkZpE5eOJqDNKy5hNWjXEMHZYJYJsYi6GnDKi/B2GsJZ4K ve/NiqQoIK0S1f7GL4gDUOFzP2UvytRyzVYx2z34ecBAcNanyuBAghxEfurO6BI1+d x95R6SzjVrhbH0Inb2M9Imk3krIwNL24SjY845QFLRsTfkD/E8VT/0w81VEvT7Zv7g FGcQDALpFNN13kZYdVq1XQR7LyuJLX6LtH5gzrIr2CVJnaAzHfSHm5x6CY4MogQGy8 A8EAOSP2OY/og== 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Gerd Hoffmann , Katherine Leaver , Michael Tokarev Subject: [Stable-10.0.10 107/107] hw/uefi: avoid possibly unaligned variable_auth_2 struct field access Date: Tue, 12 May 2026 23:54:34 +0300 Message-ID: <20260512205437.360850-107-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620410524158500 Content-Type: text/plain; charset="utf-8" From: Gerd Hoffmann Copy data to stack-allocated struct before accessing it to make sure it is properly aligned. Fixes: CVE-2026-41440 Fixes: f1488fac0584 ("hw/uefi: add var-service-auth.c") Reported-by: Katherine Leaver Signed-off-by: Gerd Hoffmann Message-ID: <20260422092910.444997-7-kraxel@redhat.com> (cherry picked from commit b4680c02b8e838c75691656ee2c4450b454d1ca7) Signed-off-by: Michael Tokarev diff --git a/hw/uefi/var-service-auth.c b/hw/uefi/var-service-auth.c index fba5a0956a..795f2f54e4 100644 --- a/hw/uefi/var-service-auth.c 
+++ b/hw/uefi/var-service-auth.c @@ -180,9 +180,10 @@ static efi_status uefi_vars_check_auth_2_sb(uefi_vars_= state *uv, void *data, uint64_t data_offset) { - variable_auth_2 *auth =3D data; + variable_auth_2 auth; uefi_variable *siglist; =20 + memcpy(&auth, data, sizeof(auth)); if (custom_mode_is_active(uv)) { /* no authentication in custom mode */ return EFI_SUCCESS; @@ -193,7 +194,7 @@ static efi_status uefi_vars_check_auth_2_sb(uefi_vars_s= tate *uv, return EFI_SUCCESS; } =20 - if (auth->hdr_length =3D=3D 24) { + if (auth.hdr_length =3D=3D 24) { /* no signature (auth->cert_data is empty) */ return EFI_SECURITY_VIOLATION; } @@ -218,23 +219,25 @@ static efi_status uefi_vars_check_auth_2_sb(uefi_vars= _state *uv, efi_status uefi_vars_check_auth_2(uefi_vars_state *uv, uefi_variable *var, mm_variable_access *va, void *data) { - variable_auth_2 *auth =3D data; + variable_auth_2 auth; uint64_t data_offset; efi_status status; =20 - if (va->data_size < sizeof(*auth)) { + if (va->data_size < sizeof(auth)) { return EFI_SECURITY_VIOLATION; } - if (uadd64_overflow(sizeof(efi_time), auth->hdr_length, &data_offset))= { + memcpy(&auth, data, sizeof(auth)); + + if (uadd64_overflow(sizeof(efi_time), auth.hdr_length, &data_offset)) { return EFI_SECURITY_VIOLATION; } if (va->data_size < data_offset) { return EFI_SECURITY_VIOLATION; } =20 - if (auth->hdr_revision !=3D 0x0200 || - auth->hdr_cert_type !=3D WIN_CERT_TYPE_EFI_GUID || - !qemu_uuid_is_equal(&auth->guid_cert_type, &EfiCertTypePkcs7Guid))= { + if (auth.hdr_revision !=3D 0x0200 || + auth.hdr_cert_type !=3D WIN_CERT_TYPE_EFI_GUID || + !qemu_uuid_is_equal(&auth.guid_cert_type, &EfiCertTypePkcs7Guid)) { return EFI_UNSUPPORTED; } =20 
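Review bot: `auth.hdr_length` is bounded from above by the `data_offset` checks in `uefi_vars_check_auth_2`, but nothing visible in this patch rejects values below 24. `uefi_vars_check_auth_2_sb` only tests `auth.hdr_length == 24`, and `build_pkcs7` (last hunk of this patch) uses `auth.hdr_length - 24` as an allocation and copy size. If no other check exists outside these hunks, a lower bound next to the existing size checks would close the gap: `if (auth.hdr_length < 24) { return EFI_SECURITY_VIOLATION; }`. Separately, `uefi_vars_check_auth_2_sb` now copies `sizeof(auth)` bytes from `data` without a size check of its own, so a comment saying that the caller has already verified `va->data_size >= sizeof(auth)` would document the precondition. Both functions extend beyond their hunks.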
@@ -255,7 +258,7 @@ efi_status uefi_vars_check_auth_2(uefi_vars_state *uv, = uefi_variable *var, } =20 /* checks passed, set variable data */ - var->time =3D auth->timestamp; + var->time =3D auth.timestamp; if (va->data_size - data_offset > 0) { var->data =3D g_malloc(va->data_size - data_offset); memcpy(var->data, data + data_offset, va->data_size - data_offset); diff --git a/hw/uefi/var-service-pkcs7.c b/hw/uefi/var-service-pkcs7.c index f17ad6872f..c859743e86 100644 --- a/hw/uefi/var-service-pkcs7.c +++ b/hw/uefi/var-service-pkcs7.c @@ -21,17 +21,20 @@ */ static gnutls_datum_t *build_signed_data(mm_variable_access *va, void *dat= a) { - variable_auth_2 *auth =3D data; - uint64_t data_offset =3D sizeof(efi_time) + auth->hdr_length; + variable_auth_2 auth; + uint64_t data_offset; uint16_t *name =3D (void *)va + sizeof(mm_variable_access); gnutls_datum_t *sdata; uint64_t pos =3D 0; =20 + memcpy(&auth, data, sizeof(auth)); + data_offset =3D sizeof(efi_time) + auth.hdr_length; + sdata =3D g_new(gnutls_datum_t, 1); sdata->size =3D (va->name_size - 2 + sizeof(QemuUUID) + sizeof(va->attributes) - + sizeof(auth->timestamp) + + sizeof(auth.timestamp) + va->data_size - data_offset); sdata->data =3D g_malloc(sdata->size); =20 @@ -48,8 +51,8 @@ static gnutls_datum_t *build_signed_data(mm_variable_acce= ss *va, void *data) pos +=3D sizeof(va->attributes); =20 /* TimeStamp */ - memcpy(sdata->data + pos, &auth->timestamp, sizeof(auth->timestamp)); - pos +=3D sizeof(auth->timestamp); + memcpy(sdata->data + pos, &auth.timestamp, sizeof(auth.timestamp)); + pos +=3D sizeof(auth.timestamp); =20 /* Variable Content */ memcpy(sdata->data + pos, data + data_offset, va->data_size - data_off= set); 
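Review bot: `build_signed_data` recomputes `data_offset = sizeof(efi_time) + auth.hdr_length` with a plain addition and then uses `va->data_size - data_offset` as a size, repeating arithmetic that `uefi_vars_check_auth_2` guards with `uadd64_overflow` and a `va->data_size < data_offset` test. The function is therefore only safe when called after that validation, which these hunks do not show. A comment above it, such as `/* caller must have validated va->data_size and hdr_length, see uefi_vars_check_auth_2() */`, would make the dependency explicit; the same precondition covers the unconditional `memcpy(&auth, data, sizeof(auth))`. The function body continues between and after the two hunks.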
@@ -105,11 +108,12 @@ static void wrap_pkcs7(gnutls_datum_t *pkcs7) =20 static gnutls_datum_t *build_pkcs7(void *data) { - variable_auth_2 *auth =3D data; + variable_auth_2 auth; gnutls_datum_t *pkcs7; =20 + memcpy(&auth, data, sizeof(auth)); pkcs7 =3D g_new(gnutls_datum_t, 1); - pkcs7->size =3D auth->hdr_length - 24; + pkcs7->size =3D auth.hdr_length - 24; pkcs7->data =3D g_malloc(pkcs7->size); memcpy(pkcs7->data, data + 16 + 24, pkcs7->size); =20 --=20 2.47.3
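Review bot: `build_pkcs7` still spells the structure layout as bare literals in `auth.hdr_length - 24` and `data + 16 + 24`, which are easy to get out of step with `variable_auth_2`. The 16 is presumably `sizeof(efi_time)`, the term used for the same offset in `build_signed_data`, and 24 is the header length with empty `cert_data`, per the comment in `uefi_vars_check_auth_2_sb`. Writing the source as `data + sizeof(efi_time) + 24`, or naming the 24 once in a shared constant, would let the reader check the offset against the struct. The function continues past the end of the hunk.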