From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Thomas Huth, Richard Henderson, Alex Bennée, Michael Tokarev
Subject: [Stable-10.0.7 01/81] tests/tcg/multiarch/linux/linux-test: Don't try to test atime update
Date: Fri, 21 Nov 2025 21:43:00 +0300
Message-ID: <20251121184424.1137669-1-mjt@tls.msk.ru>

From: Peter Maydell

The linux-test test includes an attempt to check the utime and stat
syscalls by setting the atime and mtime of a file to specific values,
and then calling stat() to check that the values read back correctly.

Unfortunately this is flaky, as it will fail if some other process
(for instance a virus scanner, backup program, etc) gets in and reads
the file between the utime() and stat() call, resulting in a host
syscall sequence like this:

utimensat(AT_FDCWD, "file2", [{tv_sec=1001, tv_nsec=0} /* 1970-01-01T01:16:41+0100 */,
  {tv_sec=1000, tv_nsec=0} /* 1970-01-01T01:16:40+0100 */], 0) = 0
# successfully set atime to 1001 and mtime to 1000
statx(AT_FDCWD, "file2", AT_STATX_SYNC_AS_STAT|AT_NO_AUTOMOUNT,
  STATX_BASIC_STATS, {stx_mask=STATX_BASIC_STATS|STATX_MNT_ID,
  stx_blksize=4096, stx_attributes=0, stx_nlink=1, stx_uid=32808,
  stx_gid=32808, stx_mode=S_IFREG|0600, stx_ino=21659016, stx_size=100,
  stx_blocks=8,
  stx_attributes_mask=STATX_ATTR_COMPRESSED|STATX_ATTR_IMMUTABLE|
  STATX_ATTR_APPEND|STATX_ATTR_NODUMP|STATX_ATTR_ENCRYPTED|
  STATX_ATTR_AUTOMOUNT|STATX_ATTR_MOUNT_ROOT|STATX_ATTR_VERITY|
  STATX_ATTR_DAX,
  stx_atime={tv_sec=1760091862, tv_nsec=63509009} /* 2025-10-10T11:24:22.063509009+0100 */,
  stx_ctime={tv_sec=1760091862, tv_nsec=63509009} /* 2025-10-10T11:24:22.063509009+0100 */,
  stx_mtime={tv_sec=1000, tv_nsec=0} /* 1970-01-01T01:16:40+0100 */,
  stx_rdev_major=0, stx_rdev_minor=0, stx_dev_major=252,
  stx_dev_minor=0, stx_mnt_id=0x1f}) = 0
# but when we statx the file, we get back an mtime of 1000
# but an atime corresponding to when the other process read it

and which will cause the test program to fail with the error
message "stat time".

In theory we could defend against this by e.g. operating on files in
a dummy loopback mount filesystem which we mounted as 'noatime', but
this isn't worth the hassle. Just drop the check on atime.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell
Reviewed-by: Thomas Huth
Reviewed-by: Richard Henderson
Message-ID: <20251016150357.876415-4-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée
(cherry picked from commit 77dc9d662f80b9f4eb450df27f60a0a9b3c97785)
Signed-off-by: Michael Tokarev

diff --git a/tests/tcg/multiarch/linux/linux-test.c b/tests/tcg/multiarch/l= inux/linux-test.c index 64f57cb287..bf6e0fda26 100644 --- a/tests/tcg/multiarch/linux/linux-test.c +++ b/tests/tcg/multiarch/linux/linux-test.c 
@@ -155,9 +155,14 @@ static void test_file(void) error("stat mode"); if ((st.st_mode & 0777) !=3D 0600) error("stat mode2"); - if (st.st_atime !=3D 1001 || - st.st_mtime !=3D 1000) + /* + * Only check mtime, not atime: other processes such as + * virus scanners might race with this test program and get + * in and update the atime, causing random failures. + */ + if (st.st_mtime !=3D 1000) { error("stat time"); + } =20 chk_error(stat(tmpdir, &st)); if (!S_ISDIR(st.st_mode)) --=20 2.47.3
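
Review bot: atime is now completely unchecked in test_file(), so the atime half of the utime()/stat() round trip has no coverage left. A racing reader moves atime forward to the current time, so a weaker check such as `if (st.st_atime < 1001)` would survive the race described in the new comment while still catching a value that was never set or was mangled on the way back. If that is not wanted, the comment could say that atime is deliberately left untested.
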
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Dongwon Kim, Dmitry Osipenko, Alex Bennée, Marc-André Lureau, Vivek Kasireddy, Michael Tokarev
Subject: [Stable-10.0.7 02/81] ui/gtk-gl-area: Remove extra draw call in refresh
Date: Fri, 21 Nov 2025 21:43:01 +0300
Message-ID: <20251121184424.1137669-2-mjt@tls.msk.ru>

From: Dongwon Kim

This partially reverts commit 77bf310084dad38b3a2badf01766c659056f1cf2
which causes some guest display corruption when gtk-gl-area
is used for GTK rendering (e.g. Wayland Compositor) possibly due to
simultaneous accesses on the guest frame buffer by host compositor
and the guest.

Fixes: 77bf310084 ("ui/gtk: Draw guest frame at refresh cycle")
Reported-by: Dmitry Osipenko
Reported-by: Alex Bennée
Tested-by: Alex Bennée
Tested-by: Dmitry Osipenko
Reviewed-by: Alex Bennée
Reviewed-by: Dmitry Osipenko
Cc: Marc-André Lureau
Cc: Vivek Kasireddy
Signed-off-by: Dongwon Kim
Message-Id: <20250214170813.2234754-1-dongwon.kim@intel.com>
Message-ID: <20250603110204.838117-12-alex.bennee@linaro.org>
Cc: qemu-stable@nongnu.org
Message-ID: <20251016150357.876415-6-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée
(cherry picked from commit 0c6d6d79a5cbd538c6c0798b1068f37bfbbf9693)
Signed-off-by: Michael Tokarev

diff --git a/ui/gtk-gl-area.c b/ui/gtk-gl-area.c index db93cd6204..ddb51efd5f 100644 --- a/ui/gtk-gl-area.c +++ b/ui/gtk-gl-area.c 
@@ -137,7 +137,22 @@ void gd_gl_area_refresh(DisplayChangeListener *dcl) =20 if (vc->gfx.guest_fb.dmabuf && qemu_dmabuf_get_draw_submitted(vc->gfx.guest_fb.dmabuf)) { - gd_gl_area_draw(vc); + /* + * gd_egl_refresh() calls gd_egl_draw() if a DMA-BUF draw has alre= ady + * been submitted, but this function does not call gd_gl_area_draw= () in + * such a case due to display corruption. + * + * Calling gd_gl_area_draw() is necessary to prevent a situation w= here + * there is a scheduled draw event but it won't happen bacause the= window + * is currently in inactive state (minimized or tabified). If draw= is not + * done for a long time, gl_block timeout and/or fence timeout (on= the + * guest) will happen eventually. + * + * However, it is found that calling gd_gl_area_draw() here causes= guest + * display corruption on a Wayland Compositor. The display corrupt= ion is + * more serious than the possible fence timeout so gd_gl_area_draw= () is + * omitted for now. + */ return; } =20 --=20 2.47.3
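
Review bot: with the gd_gl_area_draw() call removed, the `if` branch in gd_gl_area_refresh() only returns, so the stall that the new comment itself describes (a scheduled draw that never happens while the window is minimized or tabified, ending in a gl_block or fence timeout on the guest) is knowingly left in place. "omitted for now" should carry a FIXME or TODO marker, or an issue reference, so the trade-off stays tracked. In the same comment, "bacause" should be "because".
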
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Thomas Huth, Bernhard Beschow, Harsh Prateek Bora, BALATON Zoltan, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.0.7 03/81] hw/ppc/e500: Check for compatible CPU type instead of aborting ungracefully
Date: Fri, 21 Nov 2025 21:43:02 +0300
Message-ID: <20251121184424.1137669-3-mjt@tls.msk.ru>

From: Thomas Huth

When using the ppce500 machine with an embedded CPU type that has
the right MMU model, but is not part of the e500 CPU family, QEMU
currently aborts ungracefully:

 $ ./qemu-system-ppc -machine ppce500 -cpu e200z5 -nographic
 qemu-system-ppc: ../qemu/hw/core/gpio.c:108: qdev_get_gpio_in_named: Assertion `n >= 0 && n < gpio_list->num_in' failed.
 Aborted (core dumped)

The ppce500 machine expects a CPU with certain GPIO interrupt pins,
so let's replace the coarse check for the MMU_BOOKE206 model with
a more precise check that only allows CPUs from the e500 family.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3162
Signed-off-by: Thomas Huth
Acked-by: Bernhard Beschow
Reviewed-by: Harsh Prateek Bora
Reviewed-by: BALATON Zoltan
Message-ID: <20251015111243.1585018-1-thuth@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit 270b28681e369082dc17f58eae2871b75d3e8e6c)
Signed-off-by: Michael Tokarev

diff --git a/hw/ppc/e500.c b/hw/ppc/e500.c index 69269aa24c..7cc988b2be 100644 --- a/hw/ppc/e500.c +++ b/hw/ppc/e500.c @@ -19,6 +19,7 @@ #include "qemu/units.h" #include "qemu/guest-random.h" #include "qapi/error.h" +#include "cpu-models.h" #include "e500.h" #include "e500-ccsr.h" #include "net/net.h" 
@@ -942,9 +943,8 @@ void ppce500_init(MachineState *machine) env =3D &cpu->env; cs =3D CPU(cpu); =20 - if (env->mmu_model !=3D POWERPC_MMU_BOOKE206) { - error_report("MMU model %i not supported by this machine", - env->mmu_model); + if (!(POWERPC_CPU_GET_CLASS(cpu)->svr & POWERPC_SVR_E500)) { + error_report("This machine needs a CPU from the e500 family"); exit(1); } =20 --=20 2.47.3
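
Review bot: the new error_report() in ppce500_init() no longer says what was rejected, whereas the old message printed env->mmu_model; including the CPU type the user selected would make the failure actionable. It is also worth confirming that `svr & POWERPC_SVR_E500` is the intended test: it accepts any CPU whose svr shares a bit with that constant, which is only correct if POWERPC_SVR_E500 is a single flag bit rather than a multi-bit family value (its definition is not part of this diff).
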
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Philippe Mathieu-Daudé, Richard Henderson, Michael Tokarev
Subject: [Stable-10.0.7 04/81] target/arm: Fix reads of CNTFRQ_EL0 in linux-user mode
Date: Fri, 21 Nov 2025 21:43:03 +0300
Message-ID: <20251121184424.1137669-4-mjt@tls.msk.ru>

From: Peter Maydell

In commit bd8e9ddf6f6 ("target/arm: Refactor default generic timer
frequency handling") we changed how we initialized the generic timer
frequency as reported in the CNTFRQ_EL0 register. As part of that,
we changed the linux-user version of the CNTFRQ_EL0 sysreg from
having a constant value set at compile time through the .resetvalue
field to having a reset value which we compute in a .resetfn.

This accidentally broke the reading of CNTFRQ_EL0 in linux-user mode,
because the cpreg is marked as ARM_CP_CONST, which means we translate
it as a read of the compile-time constant value in the .resetvalue
field. This is now zero, so userspace sees a 0 frequency value.

Fix the bug by dropping the ARM_CP_CONST marking. This will cause us
to translate the read as a load of the value from the CPU state
struct cp15.c14_cntfrq field, which is where the real frequency value
now lives.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3159
Fixes: bd8e9ddf6f6 ("target/arm: Refactor default generic timer frequency handling")
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Richard Henderson
Message-id: 20251013161040.216819-1-peter.maydell@linaro.org
(cherry picked from commit 3f462d79a080060e54e39d31ce10fdf1a20317ef)
Signed-off-by: Michael Tokarev

diff --git a/target/arm/helper.c b/target/arm/helper.c index b3ca49a6de..f694b266d9 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c 
@@ -3420,7 +3420,7 @@ static uint64_t gt_virt_cnt_read(CPUARMState *env, co= nst ARMCPRegInfo *ri) static const ARMCPRegInfo generic_timer_cp_reginfo[] =3D { { .name =3D "CNTFRQ_EL0", .state =3D ARM_CP_STATE_AA64, .opc0 =3D 3, .opc1 =3D 3, .crn =3D 14, .crm =3D 0, .opc2 =3D 0, - .type =3D ARM_CP_CONST, .access =3D PL0_R /* no PL1_RW in linux-user= */, + .access =3D PL0_R /* no PL1_RW in linux-user */, .fieldoffset =3D offsetof(CPUARMState, cp15.c14_cntfrq), .resetfn =3D arm_gt_cntfrq_reset, }, --=20 2.47.3
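
Review bot: nothing in this change would catch the regression coming back. The CNTFRQ_EL0 entry in generic_timer_cp_reginfo[] now depends on .fieldoffset and .resetfn agreeing, and the failure described in the commit message is a silent read of 0 rather than a crash. A small linux-user test that reads CNTFRQ_EL0 and fails on 0 would cover it.
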
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Zejun Zhao, Daniel Henrique Barboza, Alistair Francis, Michael Tokarev
Subject: [Stable-10.0.7 05/81] hw/riscv: Correct mmu-type property of sifive_u harts in device tree
Date: Fri, 21 Nov 2025 21:43:04 +0300
Message-ID: <20251121184424.1137669-5-mjt@tls.msk.ru>

From: Zejun Zhao

Correct mmu-type property of sifive_u harts from Sv48 to Sv39 in 64-bit
mode since it's the only supported SATP mode.

Signed-off-by: Zejun Zhao
Reviewed-by: Daniel Henrique Barboza
Message-ID: <20251013133242.1945681-1-jelly.zhao.42@gmail.com>
Signed-off-by: Alistair Francis
Cc: qemu-stable@nongnu.org
(cherry picked from commit e41139eaad1d6ea7c52b8ebb5def2dcb84ff57e1)
Signed-off-by: Michael Tokarev

diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c index 679f2024bc..50eb2a1a66 100644 --- a/hw/riscv/sifive_u.c +++ b/hw/riscv/sifive_u.c 
@@ -176,7 +176,7 @@ static void create_fdt(SiFiveUState *s, const MemMapEnt= ry *memmap, if (is_32_bit) { qemu_fdt_setprop_string(fdt, nodename, "mmu-type", "riscv,= sv32"); } else { - qemu_fdt_setprop_string(fdt, nodename, "mmu-type", "riscv,= sv48"); + qemu_fdt_setprop_string(fdt, nodename, "mmu-type", "riscv,= sv39"); } riscv_isa_write_fdt(&s->soc.u_cpus.harts[cpu - 1], fdt, nodena= me); } else { --=20 2.47.3
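
Review bot: the else branch of create_fdt() still hard-codes the mode string, now "riscv,sv39", with no comment saying why. The reason given in the commit message (Sv39 being the only supported SATP mode for these harts) belongs next to the literal so that a later reader does not change it back, or the string should be derived from the hart's configured SATP mode if that is reachable from here.
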
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Jialong Yang, Alistair Francis, Michael Tokarev
Subject: [Stable-10.0.7 06/81] aplic: fix mask for smsiaddrcfgh
Date: Fri, 21 Nov 2025 21:43:05 +0300
Message-ID: <20251121184424.1137669-6-mjt@tls.msk.ru>

From: Jialong Yang

4.5.4. Supervisor MSI address configuration (smsiaddrcfg and smsiaddrcfgh)
smsiaddrcfgh:
    bits 22:20 LHXS(WARL)
    bits 11:0 High Base PPN(WARL)

Signed-off-by: Jialong Yang
Acked-by: Alistair Francis
Message-ID: <44f3e0d1.161.199d0c338b0.Coremail.z_bajeer@yeah.net>
Signed-off-by: Alistair Francis
Cc: qemu-stable@nongnu.org
(cherry picked from commit 5e3e066e4ac894aff3e8dd3a072bca9c1986b2ff)
Signed-off-by: Michael Tokarev

diff --git a/hw/intc/riscv_aplic.c b/hw/intc/riscv_aplic.c index cab8f0cd4d..0d9be9a584 100644 --- a/hw/intc/riscv_aplic.c +++ b/hw/intc/riscv_aplic.c 
@@ -96,7 +96,7 @@ (APLIC_xMSICFGADDR_PPN_HHX_MASK(__hhxw) << \ APLIC_xMSICFGADDR_PPN_HHX_SHIFT(__hhxs)) =20 -#define APLIC_xMSICFGADDRH_VALID_MASK \ +#define APLIC_MMSICFGADDRH_VALID_MASK \ (APLIC_xMSICFGADDRH_L | \ (APLIC_xMSICFGADDRH_HHXS_MASK << APLIC_xMSICFGADDRH_HHXS_SHIFT) | \ (APLIC_xMSICFGADDRH_LHXS_MASK << APLIC_xMSICFGADDRH_LHXS_SHIFT) | \ @@ -104,6 +104,10 @@ (APLIC_xMSICFGADDRH_LHXW_MASK << APLIC_xMSICFGADDRH_LHXW_SHIFT) | \ APLIC_xMSICFGADDRH_BAPPN_MASK) =20 +#define APLIC_SMSICFGADDRH_VALID_MASK \ + ((APLIC_xMSICFGADDRH_LHXS_MASK << APLIC_xMSICFGADDRH_LHXS_SHIFT) | \ + APLIC_xMSICFGADDRH_BAPPN_MASK) + #define APLIC_SETIP_BASE 0x1c00 #define APLIC_SETIPNUM 0x1cdc =20 @@ -184,7 +188,7 @@ void riscv_aplic_set_kvm_msicfgaddr(RISCVAPLICState *ap= lic, hwaddr addr) addr >>=3D APLIC_xMSICFGADDR_PPN_SHIFT; aplic->kvm_msicfgaddr =3D extract64(addr, 0, 32); aplic->kvm_msicfgaddrH =3D extract64(addr, 32, 32) & - APLIC_xMSICFGADDRH_VALID_MASK; + APLIC_MMSICFGADDRH_VALID_MASK; } #endif } @@ -409,13 +413,8 @@ static void riscv_aplic_msi_send(RISCVAPLICState *apli= c, msicfgaddr =3D aplic->kvm_msicfgaddr; msicfgaddrH =3D ((uint64_t)aplic->kvm_msicfgaddrH << 32); } else { - if (aplic->mmode) { - msicfgaddr =3D aplic_m->mmsicfgaddr; - msicfgaddrH =3D aplic_m->mmsicfgaddrH; - } else { - msicfgaddr =3D aplic_m->smsicfgaddr; - msicfgaddrH =3D aplic_m->smsicfgaddrH; - } + msicfgaddr =3D aplic_m->mmsicfgaddr; + msicfgaddrH =3D aplic_m->mmsicfgaddrH; } =20 lhxs =3D (msicfgaddrH >> APLIC_xMSICFGADDRH_LHXS_SHIFT) & @@ -427,6 +426,14 @@ static void riscv_aplic_msi_send(RISCVAPLICState *apli= c, hhxw =3D (msicfgaddrH >> APLIC_xMSICFGADDRH_HHXW_SHIFT) & APLIC_xMSICFGADDRH_HHXW_MASK; =20 + if (!aplic->kvm_splitmode && !aplic->mmode) { + msicfgaddrH =3D aplic_m->smsicfgaddrH; + msicfgaddr =3D aplic_m->smsicfgaddr; + + lhxs =3D (msicfgaddrH >> APLIC_xMSICFGADDRH_LHXS_SHIFT) & + APLIC_xMSICFGADDRH_LHXS_MASK; + } + group_idx =3D hart_idx >> lhxw; =20 addr =3D msicfgaddr; 
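
Review bot: the riscv_aplic_msi_send() hunks change behaviour beyond the mask fix named in the subject, and nothing in the code says why. lhxw, hhxs and hhxw are now always taken from mmsicfgaddrH, and only lhxs (plus the base address) is re-read from smsicfgaddr/smsicfgaddrH when `!aplic->kvm_splitmode && !aplic->mmode`. A short comment above that new block, stating that the supervisor register carries only LHXS and the base PPN (matching the new APLIC_SMSICFGADDRH_VALID_MASK), would make the ordering dependency explicit and keep a later cleanup from folding the block back into the if/else.
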
@@ -771,7 +778,7 @@ static void riscv_aplic_write(void *opaque, hwaddr addr= , uint64_t value, } else if (aplic->mmode && aplic->msimode && (addr =3D=3D APLIC_MMSICFGADDRH)) { if (!(aplic->mmsicfgaddrH & APLIC_xMSICFGADDRH_L)) { - aplic->mmsicfgaddrH =3D value & APLIC_xMSICFGADDRH_VALID_MASK; + aplic->mmsicfgaddrH =3D value & APLIC_MMSICFGADDRH_VALID_MASK; } } else if (aplic->mmode && aplic->msimode && (addr =3D=3D APLIC_SMSICFGADDR)) { 
@@ -792,7 +799,7 @@ static void riscv_aplic_write(void *opaque, hwaddr addr= , uint64_t value, (addr =3D=3D APLIC_SMSICFGADDRH)) { if (aplic->num_children && !(aplic->mmsicfgaddrH & APLIC_xMSICFGADDRH_L)) { - aplic->smsicfgaddrH =3D value & APLIC_xMSICFGADDRH_VALID_MASK; + aplic->smsicfgaddrH =3D value & APLIC_SMSICFGADDRH_VALID_MASK; } } else if ((APLIC_SETIP_BASE <=3D addr) && (addr < (APLIC_SETIP_BASE + aplic->bitfield_words * 4))) { --=20 2.47.3
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel Henrique Barboza, Andrew Jones, Alistair Francis, Michael Tokarev
Subject: [Stable-10.0.7 07/81] target/riscv/kvm: add senvcfg CSR
Date: Fri, 21 Nov 2025 21:43:06 +0300
Message-ID: <20251121184424.1137669-7-mjt@tls.msk.ru>

From: Daniel Henrique Barboza

We're missing the senvcfg CSR which is already present in the
KVM UAPI.

Reported-by: Andrew Jones
Signed-off-by: Daniel Henrique Barboza
Reviewed-by: Andrew Jones
Acked-by: Alistair Francis
Message-ID: <20250429124421.223883-8-dbarboza@ventanamicro.com>
Signed-off-by: Alistair Francis
(cherry picked from commit 86b8c3821496898cd3bd8eaa1bac71f5c784a2db)
Signed-off-by: Michael Tokarev

diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c index 8001ca153e..2bc0dcb804 100644 --- a/target/riscv/kvm/kvm-cpu.c +++ b/target/riscv/kvm/kvm-cpu.c 
@@ -249,6 +249,7 @@ static KVMCPUConfig kvm_csr_cfgs[] =3D { KVM_CSR_CFG("stval", stval, RISCV_CSR_REG(stval)), KVM_CSR_CFG("sip", mip, RISCV_CSR_REG(sip)), KVM_CSR_CFG("satp", satp, RISCV_CSR_REG(satp)), + KVM_CSR_CFG("senvcfg", senvcfg, RISCV_CSR_REG(senvcfg)), }; =20 static void *kvmconfig_get_env_addr(RISCVCPU *cpu, KVMCPUConfig *csr_cfg) @@ -698,6 +699,7 @@ static void kvm_riscv_reset_regs_csr(CPURISCVState *env) env->stval =3D 0; env->mip =3D 0; env->satp =3D 0; + env->senvcfg =3D 0; } =20 static int kvm_riscv_get_regs_fp(CPUState *cs) --=20 2.47.3
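
Review bot: the senvcfg entry is added to kvm_csr_cfgs[] unconditionally, so it will be read and written on every host, and what happens on a host kernel whose KVM does not expose this register is not visible in these hunks. If the get/put loops over kvm_csr_cfgs[] treat a failing register as fatal, this entry needs a capability check or a tolerated-failure path.
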
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel Henrique Barboza, Andrew Jones, Alistair Francis, Michael Tokarev
Subject: [Stable-10.0.7 08/81] target/riscv/kvm: read/write KVM regs via env size
Date: Fri, 21 Nov 2025 21:43:07 +0300
Message-ID: <20251121184424.1137669-8-mjt@tls.msk.ru>

From: Daniel Henrique Barboza

We're going to add support for scounteren in the next patch. KVM defines it as a target_ulong CSR, while QEMU defines env->scounteren as a 32 bit field. This will cause the current code to read/write a 64 bit CSR in a 32 bit field when running in a 64 bit CPU.

To prevent that, change the current logic to honor the size of the QEMU storage instead of the KVM CSR reg.

Suggested-by: Andrew Jones
Signed-off-by: Daniel Henrique Barboza
Reviewed-by: Alistair Francis
Reviewed-by: Andrew Jones
Message-ID: <20250429124421.223883-9-dbarboza@ventanamicro.com>
Signed-off-by: Alistair Francis
(cherry picked from commit 775ac57e0a54b9127bd2ad005675772870cd1932)
Signed-off-by: Michael Tokarev

diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c index 2bc0dcb804..66bdd6bf17 100644 --- a/target/riscv/kvm/kvm-cpu.c +++ b/target/riscv/kvm/kvm-cpu.c
@@ -135,6 +135,7 @@ typedef struct KVMCPUConfig { const char *description; target_ulong offset; uint64_t kvm_reg_id; + uint32_t prop_size; bool user_set; bool supported; } KVMCPUConfig; @@ -237,6 +238,7 @@ static void kvm_riscv_update_cpu_misa_ext(RISCVCPU *cpu= , CPUState *cs) =20 #define KVM_CSR_CFG(_name, _env_prop, reg_id) \ {.name =3D _name, .offset =3D ENV_CSR_OFFSET(_env_prop), \ + .prop_size =3D sizeof(((CPURISCVState *)0)->_env_prop), \ .kvm_reg_id =3D reg_id} =20 static KVMCPUConfig kvm_csr_cfgs[] =3D { @@ -646,9 +648,9 @@ static int kvm_riscv_get_regs_csr(CPUState *cs) return ret; } =20 - if (KVM_REG_SIZE(csr_cfg->kvm_reg_id) =3D=3D sizeof(uint32_t)) { - kvm_cpu_csr_set_u32(cpu, csr_cfg, reg); - } else if (KVM_REG_SIZE(csr_cfg->kvm_reg_id) =3D=3D sizeof(uint64_= t)) { + if (csr_cfg->prop_size =3D=3D sizeof(uint32_t)) { + kvm_cpu_csr_set_u32(cpu, csr_cfg, (uint32_t)reg); + } else if (csr_cfg->prop_size =3D=3D sizeof(uint64_t)) { kvm_cpu_csr_set_u64(cpu, csr_cfg, reg); } else { g_assert_not_reached(); 
@@ -671,9 +673,9 @@ static int kvm_riscv_put_regs_csr(CPUState *cs) continue; } =20 - if (KVM_REG_SIZE(csr_cfg->kvm_reg_id) =3D=3D sizeof(uint32_t)) { + if (csr_cfg->prop_size =3D=3D sizeof(uint32_t)) { reg =3D kvm_cpu_csr_get_u32(cpu, csr_cfg); - } else if (KVM_REG_SIZE(csr_cfg->kvm_reg_id) =3D=3D sizeof(uint64_= t)) { + } else if (csr_cfg->prop_size =3D=3D sizeof(uint64_t)) { reg =3D kvm_cpu_csr_get_u64(cpu, csr_cfg); } else { g_assert_not_reached(); --=20 2.47.3
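Review bot: the `(uint32_t)reg` cast in the kvm_riscv_get_regs_csr() hunk drops the upper half of the value KVM returned without any check, and kvm_riscv_put_regs_csr() later writes the shortened value back. If silently losing those bits is intended for every 32 bit env field, say so in a comment next to the cast; otherwise warn or assert when the discarded bits are non-zero, so that a register whose upper half carries state is noticed rather than zeroed on the next put.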
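Review bot: in the KVM_CSR_CFG hunk, prop_size only works when the env field is 4 or 8 bytes wide, yet any other width is caught only at run time by g_assert_not_reached() in the get and put loops. A build-time assertion on the field size in the macro would turn a wrong table entry into a compile error instead of an abort in a running VM. As a style point, `uint32_t prop_size` stores a sizeof result, so size_t would match the expression that initialises it.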
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel Henrique Barboza, Andrew Jones, Alistair Francis, Michael Tokarev
Subject: [Stable-10.0.7 09/81] target/riscv/kvm: add scounteren CSR
Date: Fri, 21 Nov 2025 21:43:08 +0300
Message-ID: <20251121184424.1137669-9-mjt@tls.msk.ru>

From: Daniel Henrique Barboza

Add support for the scounteren KVM CSR. Note that env->scounteren is a 32 bit field and all KVM CSRs are target_ulong, so scounteren will be capped to 32 bit reads/writes.

Reported-by: Andrew Jones
Signed-off-by: Daniel Henrique Barboza
Reviewed-by: Andrew Jones
Reviewed-by: Alistair Francis
Message-ID: <20250429124421.223883-10-dbarboza@ventanamicro.com>
Signed-off-by: Alistair Francis
(cherry picked from commit 8ab99a05f34bab3f9fae49299ee407ead78f0470)
Signed-off-by: Michael Tokarev

diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c index 66bdd6bf17..92240c6e4b 100644 --- a/target/riscv/kvm/kvm-cpu.c +++ b/target/riscv/kvm/kvm-cpu.c
@@ -251,6 +251,7 @@ static KVMCPUConfig kvm_csr_cfgs[] =3D { KVM_CSR_CFG("stval", stval, RISCV_CSR_REG(stval)), KVM_CSR_CFG("sip", mip, RISCV_CSR_REG(sip)), KVM_CSR_CFG("satp", satp, RISCV_CSR_REG(satp)), + KVM_CSR_CFG("scounteren", scounteren, RISCV_CSR_REG(scounteren)), KVM_CSR_CFG("senvcfg", senvcfg, RISCV_CSR_REG(senvcfg)), }; =20 @@ -701,6 +702,7 @@ static void kvm_riscv_reset_regs_csr(CPURISCVState *env) env->stval =3D 0; env->mip =3D 0; env->satp =3D 0; + env->scounteren =3D 0; env->senvcfg =3D 0; } =20 --=20 2.47.3
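Review bot: the 32 bit truncation of scounteren is documented only in the commit message, while the new KVM_CSR_CFG("scounteren", ...) entry in kvm_csr_cfgs[] looks identical to its full-width neighbours. A one-line comment on that entry, saying that the env field is 32 bits and the upper half of the KVM register is dropped, would stop the next reader from assuming a lossless round trip. The entry is only correct on top of the prop_size change in the previous patch, which is worth stating explicitly for anyone cherry-picking it on its own.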
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel Henrique Barboza, Alistair Francis, Michael Tokarev
Subject: [Stable-10.0.7 10/81] target/riscv/kvm: fix env->priv setting in reset_regs_csr()
Date: Fri, 21 Nov 2025 21:43:09 +0300
Message-ID: <20251121184424.1137669-10-mjt@tls.msk.ru>

From: Daniel Henrique Barboza

This patch was originally made by Gitlab user Bo Gan (@ganboing) 4 months ago in the context of issue [1]. I asked the author to send a patch to the mailing list ~3 months ago and got no reply. I'm sending the patch myself because we already missed 10.1 without this fix.

I'll also just post verbatim Bo Gan's comment in the commit msg:

"In RISCV Linux with KVM enabled, gdbstub is broken. The get_physical_address isn't able to page-walk correctly and resolve the physical page. This is due to that the vcpu is being treated as starting in M mode even if KVM enabled. However, with KVM, the vcpu is actually started in S mode. The mmu_idx will give 3 (M), instead of 1 (S), resulting in Guest PA == VA (wrong)!"

Set env->priv to PRV_S in kvm_riscv_reset_regs_csr() since the VCPU is always started in S-mode for KVM.

[1] https://gitlab.com/qemu-project/qemu/-/issues/2991

Cc: qemu-stable@nongnu.org
Closes: https://gitlab.com/qemu-project/qemu/-/issues/2991
Originally-by: Bo Gan (@ganboing in Gitlab)
Signed-off-by: Daniel Henrique Barboza
Reviewed-by: Alistair Francis
Message-ID: <20251022111105.483992-1-dbarboza@ventanamicro.com>
Signed-off-by: Alistair Francis
(cherry picked from commit 2a21cbee47a124edf43fc9ee156d7093e2f957fd)
Signed-off-by: Michael Tokarev

diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c index 92240c6e4b..7b4a2aecbb 100644 --- a/target/riscv/kvm/kvm-cpu.c +++ b/target/riscv/kvm/kvm-cpu.c
@@ -704,6 +704,7 @@ static void kvm_riscv_reset_regs_csr(CPURISCVState *env) env->satp =3D 0; env->scounteren =3D 0; env->senvcfg =3D 0; + env->priv =3D PRV_S; } =20 static int kvm_riscv_get_regs_fp(CPUState *cs) --=20 2.47.3
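Review bot: `env->priv = PRV_S;` is added at the end of kvm_riscv_reset_regs_csr() among the CSR clears with no comment, and the privilege level is not one of the CSRs the function name promises to reset. Either add a comment carrying the reason from the commit message (a KVM vCPU always starts in S-mode, and a wrong value sends the debugger's address translation down the M-mode path), or set it in the caller so the helper keeps doing only what its name says.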
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel Henrique Barboza, Alistair Francis, Michael Tokarev
Subject: [Stable-10.0.7 11/81] target/riscv: fix riscv_cpu_sirq_pending() mask
Date: Fri, 21 Nov 2025 21:43:10 +0300
Message-ID: <20251121184424.1137669-11-mjt@tls.msk.ru>

From: Daniel Henrique Barboza

We're filtering out (MIP_VSSIP | MIP_VSTIP | MIP_VSEIP) from S-mode pending interrupts without apparent reason. There's no special treatment for these ints as far as the spec goes, and this filtering is causing read_stopi() to miss those VS interrupts [1].

We shouldn't return delegated VS interrupts in S-mode though, so change the current mask with "~env->hideleg". Note that this is the same handling we're doing in riscv_cpu_mirq_pending() and env->mideleg.

[1] https://gitlab.com/qemu-project/qemu/-/issues/2820

Closes: https://gitlab.com/qemu-project/qemu/-/issues/2820
Signed-off-by: Daniel Henrique Barboza
Reviewed-by: Alistair Francis
Message-ID: <20251022124340.493358-1-dbarboza@ventanamicro.com>
Signed-off-by: Alistair Francis
Cc: qemu-stable@nongnu.org
(cherry picked from commit 06e01941ffca3c246a9770f477e43118793fde59)
Signed-off-by: Michael Tokarev
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c index 3233b66e7e..25619c556c 100644 --- a/target/riscv/cpu_helper.c +++ b/target/riscv/cpu_helper.c @@ -539,8 +539,7 @@ int riscv_cpu_mirq_pending(CPURISCVState *env) =20 int riscv_cpu_sirq_pending(CPURISCVState *env) { - uint64_t irqs =3D riscv_cpu_all_pending(env) & env->mideleg & - ~(MIP_VSSIP | MIP_VSTIP | MIP_VSEIP); + uint64_t irqs =3D riscv_cpu_all_pending(env) & env->mideleg & ~env->hi= deleg; uint64_t irqs_f =3D env->mvip & env->mvien & ~env->mideleg & env->sie; =20 return riscv_cpu_pending_to_irq(env, IRQ_S_EXT, IPRIO_DEFAULT_S, --=20 2.47.3
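Review bot: riscv_cpu_sirq_pending() now reads env->hideleg unconditionally, so the result is only right on CPUs without the hypervisor extension if hideleg is guaranteed to be zero there, and the hunk does not show that guarantee. State it in a comment above the `irqs` line or guard the mask on the extension being present. The reason for masking with hideleg (delegated VS interrupts must not be reported in S-mode, mirroring the mideleg handling in riscv_cpu_mirq_pending()) lives only in the commit message and deserves a short comment in the code, and a regression test for the read_stopi() case from the linked issue would keep the old constant mask from coming back.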
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel P. Berrangé, Eric Blake, Michael Tokarev
Subject: [Stable-10.0.7 12/81] io: release active GSource in TLS channel finalizer
Date: Fri, 21 Nov 2025 21:43:11 +0300
Message-ID: <20251121184424.1137669-12-mjt@tls.msk.ru>

From: Daniel P. Berrangé

While code is supposed to call qio_channel_close() before releasing the last reference on a QIOChannel, this is not guaranteed. QIOChannelFile and QIOChannelSocket both clean up resources in their finalizer if the close operation was missed.

This ensures the TLS channel will do the same failsafe cleanup.

Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrangé
(cherry picked from commit 2c147611cf568eb1cd7dc8bf4479b272bad3b9d6)
Signed-off-by: Michael Tokarev

diff --git a/io/channel-tls.c b/io/channel-tls.c index caf8301a9e..f8b03aa63c 100644 --- a/io/channel-tls.c +++ b/io/channel-tls.c
@@ -337,6 +337,16 @@ static void qio_channel_tls_finalize(Object *obj) { QIOChannelTLS *ioc =3D QIO_CHANNEL_TLS(obj); =20 + if (ioc->hs_ioc_tag) { + trace_qio_channel_tls_handshake_cancel(ioc); + g_clear_handle_id(&ioc->hs_ioc_tag, g_source_remove); + } + + if (ioc->bye_ioc_tag) { + trace_qio_channel_tls_bye_cancel(ioc); + g_clear_handle_id(&ioc->bye_ioc_tag, g_source_remove); + } + object_unref(OBJECT(ioc->master)); qcrypto_tls_session_free(ioc->session); } --=20 2.47.3
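Review bot: the two new blocks in qio_channel_tls_finalize() remove the handshake and bye sources, but nothing in the hunk releases whatever was handed to those sources as callback data. If a pending task is attached to either watch, confirm it is freed through a destroy notify when the source is removed; otherwise the finalizer swaps a dangling callback for a leak. A comment noting that the sources must go before `object_unref(OBJECT(ioc->master))` would also protect the ordering from later edits. The `if` tests are needed only for the trace calls, since g_clear_handle_id() already ignores a zero id.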
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel P. Berrangé, Eric Blake, Michael Tokarev
Subject: [Stable-10.0.7 13/81] io: move websock resource release to close method
Date: Fri, 21 Nov 2025 21:43:12 +0300
Message-ID: <20251121184424.1137669-13-mjt@tls.msk.ru>

From: Daniel P. Berrangé

The QIOChannelWebsock object releases all its resources in the finalize callback. This is later than desired, as callers expect to be able to call qio_channel_close() to fully close a channel and release resources related to I/O.

The logic in the finalize method is at most a failsafe to handle cases where a consumer forgets to call qio_channel_close.

This adds equivalent logic to the close method to release the resources, using g_clear_handle_id/g_clear_pointer to be robust against repeated invocations. The finalize method is tweaked so that the GSource is removed before releasing the underlying channel.

Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrangé
(cherry picked from commit 322c3c4f3abee616a18b3bfe563ec29dd67eae63)
Signed-off-by: Michael Tokarev
diff --git a/io/channel-websock.c b/io/channel-websock.c index 55192b770a..5c0df9d6af 100644 --- a/io/channel-websock.c +++ b/io/channel-websock.c @@ -922,13 +922,13 @@ static void qio_channel_websock_finalize(Object *obj) buffer_free(&ioc->encinput); buffer_free(&ioc->encoutput); buffer_free(&ioc->rawinput); - object_unref(OBJECT(ioc->master)); if (ioc->io_tag) { g_source_remove(ioc->io_tag); } if (ioc->io_err) { error_free(ioc->io_err); } + object_unref(OBJECT(ioc->master)); } =20 =20 
@@ -1219,6 +1219,15 @@ static int qio_channel_websock_close(QIOChannel *ioc, QIOChannelWebsock *wioc =3D QIO_CHANNEL_WEBSOCK(ioc); =20 trace_qio_channel_websock_close(ioc); + buffer_free(&wioc->encinput); + buffer_free(&wioc->encoutput); + buffer_free(&wioc->rawinput); + if (wioc->io_tag) { + g_clear_handle_id(&wioc->io_tag, g_source_remove); + } + if (wioc->io_err) { + g_clear_pointer(&wioc->io_err, error_free); + } return qio_channel_close(wioc->master, errp); } =20 --=20 2.47.3
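Review bot: in the qio_channel_websock_finalize() hunk the only thing that keeps `object_unref(OBJECT(ioc->master))` after the g_source_remove() call is statement order, and the reason (the watch must be gone before the channel it watches is released) is given only in the commit message. Add a comment at the moved line so a later cleanup does not move it back up.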
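Review bot: in the qio_channel_websock_close() hunk the three buffer_free() calls will run a second time in qio_channel_websock_finalize(), which still frees the same buffers, while the commit message argues repeat-safety only for g_clear_handle_id and g_clear_pointer. Confirm that buffer_free() leaves the Buffer in a state that is safe to free again, and say so in the message or a comment. The `if (wioc->io_tag)` and `if (wioc->io_err)` guards are redundant, because both g_clear_* helpers already skip a zero id or a NULL pointer.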
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel P. Berrangé, Grant Millar | Cylo, Eric Blake, Michael Tokarev
Subject: [Stable-10.0.7 14/81] io: fix use after free in websocket handshake code
Date: Fri, 21 Nov 2025 21:43:13 +0300
Message-ID: <20251121184424.1137669-14-mjt@tls.msk.ru>

From: Daniel P. Berrangé

If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This was observed in the VNC server with the following trace from valgrind:

==2523108== Invalid read of size 4
==2523108==    at 0x4054A24: vnc_disconnect_start (vnc.c:1296)
==2523108==    by 0x4054A24: vnc_client_error (vnc.c:1392)
==2523108==    by 0x4068A09: vncws_handshake_done (vnc-ws.c:105)
==2523108==    by 0x44863B4: qio_task_complete (task.c:197)
==2523108==    by 0x448343D: qio_channel_websock_handshake_io (channel-websock.c:588)
==2523108==    by 0x6EDB862: UnknownInlinedFun (gmain.c:3398)
==2523108==    by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249)
==2523108==    by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237)
==2523108==    by 0x45EC79F: glib_pollfds_poll (main-loop.c:287)
==2523108==    by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310)
==2523108==    by 0x45EC79F: main_loop_wait (main-loop.c:589)
==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
==2523108==    by 0x454F300: qemu_default_main (main.c:37)
==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
==2523108==  Address 0x57a6e0dc is 28 bytes inside a block of size 103,608 free'd
==2523108==    at 0x5F2FE43: free (vg_replace_malloc.c:989)
==2523108==    by 0x6EDC444: g_free (gmem.c:208)
==2523108==    by 0x4053F23: vnc_update_client (vnc.c:1153)
==2523108==    by 0x4053F23: vnc_refresh (vnc.c:3225)
==2523108==    by 0x4042881: dpy_refresh (console.c:880)
==2523108==    by 0x4042881: gui_update (console.c:90)
==2523108==    by 0x45EFA1B: timerlist_run_timers.part.0 (qemu-timer.c:562)
==2523108==    by 0x45EFC8F: timerlist_run_timers (qemu-timer.c:495)
==2523108==    by 0x45EFC8F: qemu_clock_run_timers (qemu-timer.c:576)
==2523108==    by 0x45EFC8F: qemu_clock_run_all_timers (qemu-timer.c:663)
==2523108==    by 0x45EC765: main_loop_wait (main-loop.c:600)
==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
==2523108==    by 0x454F300: qemu_default_main (main.c:37)
==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
==2523108==  Block was alloc'd at
==2523108==    at 0x5F343F3: calloc (vg_replace_malloc.c:1675)
==2523108==    by 0x6EE2F81: g_malloc0 (gmem.c:133)
==2523108==    by 0x4057DA3: vnc_connect (vnc.c:3245)
==2523108==    by 0x448591B: qio_net_listener_channel_func (net-listener.c:54)
==2523108==    by 0x6EDB862: UnknownInlinedFun (gmain.c:3398)
==2523108==    by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249)
==2523108==    by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237)
==2523108==    by 0x45EC79F: glib_pollfds_poll (main-loop.c:287)
==2523108==    by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310)
==2523108==    by 0x45EC79F: main_loop_wait (main-loop.c:589)
==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
==2523108==    by 0x454F300: qemu_default_main (main.c:37)
==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
==2523108==

The above can be reproduced by launching QEMU with

  $ qemu-system-x86_64 -vnc localhost:0,websocket=5700

and then repeatedly running:

  for i in {1..100}; do (echo -n "GET / HTTP/1.1" && sleep 0.05) | nc -w 1 localhost 5700 & done

CVE-2025-11234
Reported-by: Grant Millar | Cylo
Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrangé
(cherry picked from commit b7a1f2ca45c7865b9e98e02ae605a65fc9458ae9)
Signed-off-by: Michael Tokarev

diff --git a/include/io/channel-websock.h b/include/io/channel-websock.h index e180827c57..6700cf8946 100644
--- a/include/io/channel-websock.h +++ b/include/io/channel-websock.h @@ -61,7 +61,8 @@ struct QIOChannelWebsock { size_t payload_remain; size_t pong_remain; QIOChannelWebsockMask mask; - guint io_tag; + guint hs_io_tag; /* tracking handshake task */ + guint io_tag; /* tracking watch task */ Error *io_err; gboolean io_eof; uint8_t opcode; diff --git a/io/channel-websock.c b/io/channel-websock.c index 5c0df9d6af..7f8eded4ff 100644 --- a/io/channel-websock.c +++ b/io/channel-websock.c @@ -545,6 +545,7 @@ static gboolean qio_channel_websock_handshake_send(QIOC= hannel *ioc, trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err= )); qio_task_set_error(task, err); qio_task_complete(task); + wioc->hs_io_tag =3D 0; return FALSE; } =20 @@ -560,6 +561,7 @@ static gboolean qio_channel_websock_handshake_send(QIOC= hannel *ioc, trace_qio_channel_websock_handshake_complete(ioc); qio_task_complete(task); } + wioc->hs_io_tag =3D 0; return FALSE; } trace_qio_channel_websock_handshake_pending(ioc, G_IO_OUT); @@ -586,6 +588,7 @@ static gboolean qio_channel_websock_handshake_io(QIOCha= nnel *ioc, trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err= )); qio_task_set_error(task, err); qio_task_complete(task); + wioc->hs_io_tag =3D 0; return FALSE; } if (ret =3D=3D 0) { @@ -597,7 +600,7 @@ static gboolean qio_channel_websock_handshake_io(QIOCha= nnel *ioc, error_propagate(&wioc->io_err, err); =20 trace_qio_channel_websock_handshake_reply(ioc); - qio_channel_add_watch( + wioc->hs_io_tag =3D qio_channel_add_watch( wioc->master, G_IO_OUT, qio_channel_websock_handshake_send, 
@@ -907,11 +910,12 @@ void qio_channel_websock_handshake(QIOChannelWebsock = *ioc, =20 trace_qio_channel_websock_handshake_start(ioc); trace_qio_channel_websock_handshake_pending(ioc, G_IO_IN); - qio_channel_add_watch(ioc->master, - G_IO_IN, - qio_channel_websock_handshake_io, - task, - NULL); + ioc->hs_io_tag =3D qio_channel_add_watch( + ioc->master, + G_IO_IN, + qio_channel_websock_handshake_io, + task, + NULL); } =20 =20 @@ -922,6 +926,9 @@ static void qio_channel_websock_finalize(Object *obj) buffer_free(&ioc->encinput); buffer_free(&ioc->encoutput); buffer_free(&ioc->rawinput); + if (ioc->hs_io_tag) { + g_source_remove(ioc->hs_io_tag); + } if (ioc->io_tag) { g_source_remove(ioc->io_tag); } 
@@ -1222,6 +1229,9 @@ static int qio_channel_websock_close(QIOChannel *ioc, buffer_free(&wioc->encinput); buffer_free(&wioc->encoutput); buffer_free(&wioc->rawinput); + if (wioc->hs_io_tag) { + g_clear_handle_id(&wioc->hs_io_tag, g_source_remove); + } if (wioc->io_tag) { g_clear_handle_id(&wioc->io_tag, g_source_remove); } --=20 2.47.3
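Review bot: in the qio_channel_websock_handshake_send() and qio_channel_websock_handshake_io() hunks, `wioc->hs_io_tag = 0;` is stored after `qio_task_complete(task);`. The completion callback is caller code (vncws_handshake_done in the valgrind trace above), so if it ends up releasing the last reference to the channel, that store touches freed memory. Clearing hs_io_tag before calling qio_task_complete() removes the dependency on what the callback does, or the hunk should carry a comment explaining why wioc is guaranteed to outlive the call.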
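Review bot: hs_io_tag is documented in the header hunk as "tracking handshake task", but it holds two different watches in turn: the G_IO_IN watch installed in qio_channel_websock_handshake() and the G_IO_OUT watch that qio_channel_websock_handshake_io() assigns over it. Overwriting the first id is only safe if the callback then returns FALSE so GLib destroys the old source, which the hunk does not show; say so in the field comment. In qio_channel_websock_finalize() the new block uses plain g_source_remove() while close uses g_clear_handle_id(), and in close the `if (wioc->hs_io_tag)` guard is redundant; using the clearing helper unguarded in both places would be more consistent.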
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel P. Berrangé, Eric Blake, Michael Tokarev
Subject: [Stable-10.0.7 15/81] crypto: stop requiring "key encipherment" usage in x509 certs
Date: Fri, 21 Nov 2025 21:43:14 +0300
Message-ID: <20251121184424.1137669-15-mjt@tls.msk.ru>

From: Daniel P. Berrangé

This usage flag was deprecated by RFC8813, such that it is forbidden to be present for certs using ECDSA/ECDH algorithms, and in TLS 1.3 is conceptually obsolete.

As such many valid certs will no longer have this key usage flag set, and QEMU should not be rejecting them, as this prevents use of otherwise valid & desirable algorithms.

Reviewed-by: Eric Blake
Signed-off-by: Daniel P. Berrangé
(cherry picked from commit 3995fc238e0599e0417ba958ffc5c7a609e82a7f)
Signed-off-by: Michael Tokarev

diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index 24ec584922..2983409301 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c
@@ -144,7 +144,7 @@ qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX= 509 *creds, if (status < 0) { if (status =3D=3D GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { usage =3D isCA ? GNUTLS_KEY_KEY_CERT_SIGN : - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT; + GNUTLS_KEY_DIGITAL_SIGNATURE; } else { error_setg(errp, "Unable to query certificate %s key usage: %s", @@ -171,14 +171,6 @@ qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCreds= X509 *creds, return -1; } } - if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) { - if (critical) { - error_setg(errp, - "Certificate %s usage does not permit key " - "encipherment", certFile); - return -1; - } - } } =20 return 0; diff --git a/docs/system/tls.rst b/docs/system/tls.rst index e284c82801..a4f6781d62 100644 --- a/docs/system/tls.rst +++ b/docs/system/tls.rst @@ -118,7 +118,6 @@ information for each server, and use it to issue server= certificates. ip_address =3D 2620:0:cafe::87 ip_address =3D 2001:24::92 tls_www_server - encryption_key signing_key EOF # certtool --generate-privkey > server-hostNNN-key.pem @@ -134,9 +133,8 @@ the subject alt name extension data. The ``tls_www_serv= er`` keyword is the key purpose extension to indicate this certificate is intended for usage in a web server. Although QEMU network services are not in fact HTTP servers (except for VNC websockets), setting this key purpose is -still recommended. The ``encryption_key`` and ``signing_key`` keyword is -the key usage extension to indicate this certificate is intended for -usage in the data session. +still recommended. The ``signing_key`` keyword is the key usage extension +to indicate this certificate is intended for usage in the data session. =20 The ``server-hostNNN-key.pem`` and ``server-hostNNN-cert.pem`` files should now be securely copied to the server for which they were 
@@ -171,7 +169,6 @@ certificates. organization =3D Name of your organization cn =3D hostNNN.foo.example.com tls_www_client - encryption_key signing_key EOF # certtool --generate-privkey > client-hostNNN-key.pem @@ -187,9 +184,8 @@ the ``dns_name`` and ``ip_address`` fields are not incl= uded. The ``tls_www_client`` keyword is the key purpose extension to indicate this certificate is intended for usage in a web client. Although QEMU network clients are not in fact HTTP clients, setting this key purpose is still -recommended. The ``encryption_key`` and ``signing_key`` keyword is the -key usage extension to indicate this certificate is intended for usage -in the data session. +recommended. The ``signing_key`` keyword is the key usage extension to +indicate this certificate is intended for usage in the data session. =20 The ``client-hostNNN-key.pem`` and ``client-hostNNN-cert.pem`` files should now be securely copied to the client for which they were @@ -222,7 +218,6 @@ client and server instructions in one. ip_address =3D 2001:24::92 tls_www_server tls_www_client - encryption_key signing_key EOF # certtool --generate-privkey > both-hostNNN-key.pem diff --git a/tests/unit/crypto-tls-x509-helpers.h b/tests/unit/crypto-tls-x= 509-helpers.h index 2a0f7c04fd..7e9a508ad6 100644 --- a/tests/unit/crypto-tls-x509-helpers.h +++ b/tests/unit/crypto-tls-x509-helpers.h @@ -148,8 +148,7 @@ void test_tls_cleanup(const char *keyfile); .basicConstraintsIsCA =3D false, \ .keyUsageEnable =3D true, \ .keyUsageCritical =3D true, \ - .keyUsageValue =3D \ - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, \ + .keyUsageValue =3D GNUTLS_KEY_DIGITAL_SIGNATURE, \ .keyPurposeEnable =3D true, \ .keyPurposeCritical =3D true, \ .keyPurposeOID1 =3D GNUTLS_KP_TLS_WWW_CLIENT, \ 
@@ -168,8 +167,7 @@ void test_tls_cleanup(const char *keyfile); .basicConstraintsIsCA =3D false, \ .keyUsageEnable =3D true, \ .keyUsageCritical =3D true, \ - .keyUsageValue =3D \ - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, \ + .keyUsageValue =3D GNUTLS_KEY_DIGITAL_SIGNATURE, \ .keyPurposeEnable =3D true, \ .keyPurposeCritical =3D true, \ .keyPurposeOID1 =3D GNUTLS_KP_TLS_WWW_SERVER, \ diff --git a/tests/unit/test-crypto-tlscredsx509.c b/tests/unit/test-crypto= -tlscredsx509.c index 3c25d75ca1..2025d75365 100644 --- a/tests/unit/test-crypto-tlscredsx509.c +++ b/tests/unit/test-crypto-tlscredsx509.c @@ -166,14 +166,14 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertreq, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 @@ -196,7 +196,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); =20 @@ -211,7 +211,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); =20 @@ -226,7 +226,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); =20 
@@ -250,7 +250,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); /* no-basic */ @@ -264,7 +264,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); /* Key usage:dig-sig:critical */ @@ -278,7 +278,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); =20 @@ -303,7 +303,7 @@ int main(int argc, char **argv) "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T | + GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_CERT_SIGN, false, false, NULL, NULL, 0, 0); @@ -406,7 +406,7 @@ int main(int argc, char **argv) "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T | + GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_CERT_SIGN, false, false, NULL, NULL, 0, 0); 
@@ -508,21 +508,21 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(servercertexp1req, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, -1); TLS_CERT_REQ(clientcertexp1req, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, -1); =20 @@ -546,21 +546,21 @@ int main(int argc, char **argv) "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(servercertnew1req, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 1, 2); TLS_CERT_REQ(clientcertnew1req, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 1, 2); =20 
@@ -599,14 +599,14 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq, "UK", "qemu client level 2b", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 diff --git a/tests/unit/test-crypto-tlssession.c b/tests/unit/test-crypto-t= lssession.c index 554054e934..e8b2e0201c 100644 --- a/tests/unit/test-crypto-tlssession.c +++ b/tests/unit/test-crypto-tlssession.c @@ -472,14 +472,14 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertreq, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 @@ -487,7 +487,7 @@ int main(int argc, char **argv) "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 @@ -506,7 +506,7 @@ int main(int argc, char **argv) "192.168.122.1", "fec0::dead:beaf", true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); /* This intentionally doesn't replicate */ 
@@ -515,7 +515,7 @@ int main(int argc, char **argv) "192.168.122.1", "fec0::dead:beaf", true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); =20 @@ -619,14 +619,14 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq, "UK", "qemu client level 2b", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 diff --git a/tests/unit/test-io-channel-tls.c b/tests/unit/test-io-channel-= tls.c index e036ac5df4..c2115d45fe 100644 --- a/tests/unit/test-io-channel-tls.c +++ b/tests/unit/test-io-channel-tls.c 
@@ -302,14 +302,14 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertreq, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20
-- 
2.47.3
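Review bot: a certificate whose critical key usage lacks keyEncipherment now passes qcrypto_tls_creds_check_cert_key_usage() (the @@ -171,14 +171,6 @@ hunk of crypto/tlscredsx509.c), so any mismatch with a peer that still negotiates TLS 1.2 RSA key exchange can only surface at handshake time instead of at credential load. That follows from the commit message, but a short comment where the block was removed, or a line in docs/system/tls.rst saying where such a failure now shows up, would save an administrator some debugging.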
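Review bot: the docs/system/tls.rst hunks drop encryption_key from all three certtool templates and from the explanatory paragraphs without saying what happens to certificates already issued from the old templates. One sentence stating that certificates carrying both key usage bits are still accepted would answer the first question an upgrading administrator will have.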
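Review bot: the legacy key usage combination is no longer exercised: every TLS_CERT_REQ() call touched in tests/unit/test-crypto-tlscredsx509.c, test-crypto-tlssession.c and test-io-channel-tls.c, and both defaults in tests/unit/crypto-tls-x509-helpers.h, drop GNUTLS_KEY_KEY_ENCIPHERMENT. Keeping one server and one client request with GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT would pin down that certificates issued under the old documentation keep loading.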
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Fiona Ebner, Stefan Hajnoczi, Michael Tokarev
Subject: [Stable-10.0.7 16/81] hw/scsi: avoid deadlock upon TMF request cancelling with VirtIO
Date: Fri, 21 Nov 2025 21:43:15 +0300
Message-ID: <20251121184424.1137669-16-mjt@tls.msk.ru>
From: Fiona Ebner

When scsi_req_dequeue() is reached via
scsi_req_cancel_async()
virtio_scsi_tmf_cancel_req()
virtio_scsi_do_tmf_aio_context(),
there is a deadlock when trying to acquire the SCSI device's requests lock, because it was already acquired in virtio_scsi_do_tmf_aio_context().

In particular, the issue happens with a FreeBSD guest (13, 14, 15, maybe more), when it cancels SCSI requests, because of timeout.

This is a regression caused by commit da6eebb33b ("virtio-scsi: perform TMFs in appropriate AioContexts") and the introduction of the requests_lock earlier.

To fix the issue, only cancel the requests after releasing the requests_lock. For this, the SCSI device's requests are iterated while holding the requests_lock and the requests to be cancelled are collected in a list. Then, the collected requests are cancelled one by one while not holding the requests_lock. This is safe, because only requests from the current AioContext are collected and acted upon.

Originally reported by Proxmox VE users:
https://bugzilla.proxmox.com/show_bug.cgi?id=6810
https://forum.proxmox.com/threads/173914/

Fixes: da6eebb33b ("virtio-scsi: perform TMFs in appropriate AioContexts")
Suggested-by: Stefan Hajnoczi
Signed-off-by: Fiona Ebner
Message-id: 20251017094518.328905-1-f.ebner@proxmox.com
[Changed g_list_append() to g_list_prepend() to avoid traversing the list each time. --Stefan]
Signed-off-by: Stefan Hajnoczi
(cherry picked from commit 6910f04aa646f63a0257f77201ad8ea15992b816)
Signed-off-by: Michael Tokarev

diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c index f5a3aa2366..383521495f 100644 --- a/hw/scsi/virtio-scsi.c +++ b/hw/scsi/virtio-scsi.c @@ -343,6 +343,7 @@ static void virtio_scsi_do_tmf_aio_context(void *opaque) SCSIDevice *d =3D virtio_scsi_device_get(s, tmf->req.tmf.lun); SCSIRequest *r; bool match_tag; + g_autoptr(GList) reqs =3D NULL; =20 if (!d) { tmf->resp.tmf.response =3D VIRTIO_SCSI_S_BAD_TARGET; 
@@ -378,10 +379,21 @@ static void virtio_scsi_do_tmf_aio_context(void *opaq= ue) if (match_tag && cmd_req->req.cmd.tag !=3D tmf->req.tmf.tag) { continue; } - virtio_scsi_tmf_cancel_req(tmf, r); + /* + * Cannot cancel directly, because scsi_req_dequeue() would de= adlock + * when attempting to acquire the request_lock a second time. = Taking + * a reference here is paired with an unref after cancelling b= elow. + */ + scsi_req_ref(r); + reqs =3D g_list_prepend(reqs, r); } } =20 + for (GList *elem =3D g_list_first(reqs); elem; elem =3D g_list_next(el= em)) { + virtio_scsi_tmf_cancel_req(tmf, elem->data); + scsi_req_unref(elem->data); + } + /* Incremented by virtio_scsi_do_tmf() */ virtio_scsi_tmf_dec_remaining(tmf); =20
-- 
2.47.3
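Review bot: building the list with g_list_prepend() in the @@ -378,10 +379,21 @@ hunk means the new for loop cancels requests in the reverse of the order in which they were found under the lock, where the old code cancelled them in iteration order; if the order of the resulting completions matters to the guest, a g_list_reverse() before the loop restores it at the cost of one pass. Two smaller points in the same hunk: the new comment says request_lock where the commit message calls the lock requests_lock, and g_list_first(reqs) is redundant because reqs already points at the head after prepending.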
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Helge Deller, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.0.7 17/81] target/hppa: Set FPCR exception flag bits for non-trapped exceptions
Date: Fri, 21 Nov 2025 21:43:16 +0300
Message-ID: <20251121184424.1137669-17-mjt@tls.msk.ru>
From: Peter Maydell

In commit ebd394948de4e8 ("target/hppa: Fix FPE exceptions") when we added the code for setting up the registers correctly on trapping FP exceptions, we accidentally broke the handling of the flag bits for non-trapping exceptions.

In update_fr0_op() we incorrectly zero out the flag bits and the C bit, so any fp operation would clear previously set flag bits. We also stopped setting the flag bits when the fp operation raises an exception and the trap is not enabled.

Adjust the code so that we set the Flag bits for every exception that happened and where the trap is not enabled. (This is the correct behaviour for the case where an instruction triggers two exceptions, one of which traps and one of which does not; that can only happen for inexact + underflow or inexact + overflow.)

Cc: qemu-stable@nongnu.org
Fixes: ebd394948de4e8 ("target/hppa: Fix FPE exceptions")
Fixes: 6966e0ba1d4a9e ("target/hppa: Fix FPE exceptions") in 10.0.1
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3158
Signed-off-by: Peter Maydell
Reviewed-by: Helge Deller
Tested-by: Helge Deller
Message-ID: <20251017085350.895681-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit 1a8ffd6172f3d9ad8232189adb879a16ec416f89)
Signed-off-by: Michael Tokarev

diff --git a/target/hppa/fpu_helper.c b/target/hppa/fpu_helper.c index 294ce0a970..9ffcda66b8 100644 --- a/target/hppa/fpu_helper.c +++ b/target/hppa/fpu_helper.c @@ -95,7 +95,8 @@ static void update_fr0_op(CPUHPPAState *env, uintptr_t ra) { uint32_t soft_exp =3D get_float_exception_flags(&env->fp_status); uint32_t hard_exp =3D 0; - uint32_t shadow =3D env->fr0_shadow & 0x3ffffff; + uint32_t shadow =3D env->fr0_shadow; + uint32_t to_flag =3D 0; uint32_t fr1 =3D 0; =20 if (likely(soft_exp =3D=3D 0)) { 
@@ -123,6 +124,10 @@ static void update_fr0_op(CPUHPPAState *env, uintptr_t= ra) fr1 |=3D hard_exp << (R_FPSR_FLAGS_SHIFT - R_FPSR_ENABLES_SHIF= T); } } + /* Set the Flag bits for every exception that was not enabled */ + to_flag =3D hard_exp & ~shadow; + shadow |=3D to_flag << (R_FPSR_FLAGS_SHIFT - R_FPSR_ENABLES_SHIFT); + env->fr0_shadow =3D shadow; env->fr[0] =3D (uint64_t)shadow << 32 | fr1; =20
-- 
2.47.3
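Review bot: to_flag = hard_exp & ~shadow in the @@ -123,6 +124,10 @@ hunk masks with the whole of shadow, which is only correct while hard_exp carries bits in the enables field and nowhere else; masking shadow down to the enables field first, or stating that assumption in the new comment, would make it explicit now that the 0x3ffffff mask from the first hunk is gone. The diff shown touches only target/hppa/fpu_helper.c, so a small test that raises a non-trapping exception and checks that its flag bit survives a later FP operation would guard against a repeat of this regression.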
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Akihiko Odaki, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.0.7 18/81] nw/nvram/ds1225y: Fix nvram MemoryRegion owner
Date: Fri, 21 Nov 2025 21:43:17 +0300
Message-ID: <20251121184424.1137669-18-mjt@tls.msk.ru>

From: Akihiko Odaki

s points to the MemoryRegion itself. dev points to DS1225Y, the real owner.

Signed-off-by: Akihiko Odaki
Reviewed-by: Philippe Mathieu-Daudé
Message-ID: <20251027-ds1225y-v1-1-406888eb495f@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit 575264e9083bd839ce6ce265fd606c44135799c3)
Signed-off-by: Michael Tokarev

diff --git a/hw/nvram/ds1225y.c b/hw/nvram/ds1225y.c index 6b2aa8c7d2..09ab0bd67d 100644 --- a/hw/nvram/ds1225y.c +++ b/hw/nvram/ds1225y.c
@@ -126,7 +126,7 @@ static void nvram_sysbus_realize(DeviceState *dev, Erro= r **errp) =20 s->contents =3D g_malloc0(s->chip_size); =20 - memory_region_init_io(&s->iomem, OBJECT(s), &nvram_ops, s, + memory_region_init_io(&s->iomem, OBJECT(dev), &nvram_ops, s, "nvram", s->chip_size); sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem); =20
-- 
2.47.3
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Helge Deller, Richard Henderson, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.0.7 19/81] hw/hppa: Fix interrupt of LASI parallel port
Date: Fri, 21 Nov 2025 21:43:18 +0300
Message-ID: <20251121184424.1137669-19-mjt@tls.msk.ru>

From: Helge Deller

Fix wrong assignment where the LASI parallel port was using the IRQ line of the LASI LAN card.

Signed-off-by: Helge Deller
Reviewed-by: Richard Henderson
Reviewed-by: Philippe Mathieu-Daudé
(cherry picked from commit fb722e1dc2d84529ab9aa597315b7d5ca6e2a23e)
Signed-off-by: Michael Tokarev

diff --git a/hw/hppa/machine.c b/hw/hppa/machine.c index c5f247633e..0fbf980e11 100644 --- a/hw/hppa/machine.c +++ b/hw/hppa/machine.c
@@ -573,7 +573,7 @@ static void machine_HP_B160L_init(MachineState *machine) =20 /* Parallel port */ parallel_mm_init(addr_space, translate(NULL, LASI_LPT_HPA + 0x800), 0, - qdev_get_gpio_in(lasi_dev, LASI_IRQ_LAN_HPA), + qdev_get_gpio_in(lasi_dev, LASI_IRQ_LPT_HPA), parallel_hds[0]); =20 /* PS/2 Keyboard/Mouse */
-- 
2.47.3
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Mark Cave-Ayland, Philippe Mathieu-Daudé, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.0.7 20/81] esp.c: fix esp_cdb_ready() FIFO wraparound limit calculation
Date: Fri, 21 Nov 2025 21:43:19 +0300
Message-ID: <20251121184424.1137669-20-mjt@tls.msk.ru>

From: Mark Cave-Ayland

The original calculation in commit 3cc70889a3 ("esp.c: prevent cmdfifo overflow in esp_cdb_ready()") subtracted cmdfifo_cdb_offset from fifo8_num_used() to calculate the outstanding cmdfifo length, but this is incorrect because fifo8_num_used() can also include wraparound data.

Instead calculate the maximum offset used by scsi_cdb_length() which is just the first byte after cmdfifo_cdb_offset, and then peek the entire content of the cmdfifo. The fifo8_peek_bufptr() result will then return the maximum length of remaining data up to the end of the internal cmdfifo array, which can then be used for the overflow check.

Signed-off-by: Mark Cave-Ayland
Fixes: 3cc70889a3 ("esp.c: prevent cmdfifo overflow in esp_cdb_ready()")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3082
Reviewed-by: Philippe Mathieu-Daudé
Link: https://lore.kernel.org/r/20250925122846.527615-2-mark.cave-ayland@ilande.co.uk
Signed-off-by: Paolo Bonzini
(cherry picked from commit 36ec1a829a07cd9a926b2f0ddfa5079c8dc9dae5)
Signed-off-by: Michael Tokarev

diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c index ac841dc32e..59df9ee683 100644 --- a/hw/scsi/esp.c +++ b/hw/scsi/esp.c @@ -447,7 +447,9 @@ static void write_response(ESPState *s) =20 static bool esp_cdb_ready(ESPState *s) { - int len =3D fifo8_num_used(&s->cmdfifo) - s->cmdfifo_cdb_offset; + /* scsi_cdb_length() only reads the first byte */ + int limit =3D s->cmdfifo_cdb_offset + 1; + int len =3D fifo8_num_used(&s->cmdfifo); const uint8_t *pbuf; uint32_t n; int cdblen;
@@ -457,7 +459,7 @@ static bool esp_cdb_ready(ESPState *s) } =20 pbuf =3D fifo8_peek_bufptr(&s->cmdfifo, len, &n); - if (n < len) { + if (n < limit) { /* * In normal use the cmdfifo should never wrap, but include this c= heck * to prevent a malicious guest from reading past the end of the --=20 2.47.3
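
Review bot: In the first esp.c hunk, `limit` and `len` are declared `int` while `n`, filled in by fifo8_peek_bufptr(), is `uint32_t`, so the bound test that uses them is a mixed signed/unsigned comparison. Declaring `limit` as `uint32_t`, or asserting that `s->cmdfifo_cdb_offset` is non-negative before the `+ 1`, would keep the overflow check from depending on integer conversion rules.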
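
Review bot: In the second esp.c hunk, `if (n < limit)` only guarantees that the single byte at `cmdfifo_cdb_offset` lies inside the contiguous region returned by fifo8_peek_bufptr(), while `len` is now the whole fifo occupancy, wraparound included. The code that follows is outside the hunk, so please confirm that the later comparison against the CDB length uses the contiguous count `n` less `cmdfifo_cdb_offset` and not `len`; otherwise a wrapped cmdfifo passes this test and the full CDB read is still not bounded by the end of the array. The existing comment could also name which length is being bounded, since the variable it refers to has changed.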

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Mark Cave-Ayland, Philippe Mathieu-Daudé, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.0.7 21/81] qtest/am53c974-test: add additional test for cmdfifo overflow
Date: Fri, 21 Nov 2025 21:43:20 +0300
Message-ID: <20251121184424.1137669-21-mjt@tls.msk.ru>

From: Mark Cave-Ayland

Based upon the qtest reproducer posted to Gitlab issue #3082 at https://gitlab.com/qemu-project/qemu/-/issues/3082.

Signed-off-by: Mark Cave-Ayland
Reviewed-by: Philippe Mathieu-Daudé
Link: https://lore.kernel.org/r/20250925122846.527615-3-mark.cave-ayland@ilande.co.uk
Signed-off-by: Paolo Bonzini
(cherry picked from commit e9d02b59316fcbc9650d747b06e2755374ab3b70)
Signed-off-by: Michael Tokarev

diff --git a/tests/qtest/am53c974-test.c b/tests/qtest/am53c974-test.c index ed3ac7db20..a3667275ac 100644 --- a/tests/qtest/am53c974-test.c +++ b/tests/qtest/am53c974-test.c
@@ -109,6 +109,44 @@ static void test_cmdfifo_overflow2_ok(void) qtest_quit(s); } =20 +/* Reported as https://issues.oss-fuzz.com/issues/439878564 */ +static void test_cmdfifo_overflow3_ok(void) +{ + QTestState *s =3D qtest_init( + "-device am53c974,id=3Dscsi -device scsi-hd,drive=3Ddisk0 " + "-drive id=3Ddisk0,if=3Dnone,file=3Dnull-co://,format=3Draw -nodef= aults"); + qtest_outl(s, 0xcf8, 0x80001010); + qtest_outl(s, 0xcfc, 0xc000); + qtest_outl(s, 0xcf8, 0x80001004); + qtest_outw(s, 0xcfc, 0x01); + qtest_outb(s, 0xc00c, 0x43); + qtest_outl(s, 0xc00b, 0x9100); + qtest_outl(s, 0xc009, 0x02000000); + qtest_outl(s, 0xc000, 0x0b); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0xc200); + qtest_outl(s, 0xc00b, 0x1000); + qtest_outl(s, 0xc00b, 0x9000); + qtest_outb(s, 0xc008, 0x00); + qtest_outb(s, 0xc008, 0x00); + qtest_outl(s, 0xc03f, 0x0300); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x4200); + qtest_outl(s, 0xc00b, 0x00); + qtest_outw(s, 0xc00b, 0x1200); + qtest_outl(s, 0xc00b, 0x00); + qtest_outb(s, 0xc00c, 0x43); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc00b, 0x00); + qtest_outl(s, 0xc007, 0x00); + qtest_outl(s, 0xc007, 0x00); + qtest_outl(s, 0xc007, 0x00); + qtest_outl(s, 0xc00b, 0x1000); + qtest_outl(s, 0xc007, 0x00); + qtest_quit(s); +} + /* Reported as crash_0900379669 */ static void test_fifo_pop_buf(void) { 
@@ -266,6 +304,8 @@ int main(int argc, char **argv) test_cmdfifo_overflow_ok); qtest_add_func("am53c974/test_cmdfifo_overflow2_ok", test_cmdfifo_overflow2_ok); + qtest_add_func("am53c974/test_cmdfifo_overflow3_ok", + test_cmdfifo_overflow3_ok); qtest_add_func("am53c974/test_fifo_pop_buf", test_fifo_pop_buf); qtest_add_func("am53c974/test_target_selected_ok", --=20 2.47.3
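
Review bot: test_cmdfifo_overflow3_ok() replays the fuzzer trace verbatim and asserts nothing, so it passes whenever QEMU survives until qtest_quit(); a reader cannot tell which of the writes drive cmdfifo into the wrapped state that esp_cdb_ready() must reject. A short comment marking the writes that fill the fifo and the one that triggers the check would make the test maintainable. The header comment cites only the oss-fuzz report while the commit message cites GitLab issue 3082, so the comment should carry both references.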

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Bastian Blank, Bastian Blank, Peter Maydell, Helge Deller, Michael Tokarev
Subject: [Stable-10.0.7 22/81] linux-user: Use correct type for FIBMAP and FIGETBSZ emulation
Date: Fri, 21 Nov 2025 21:43:21 +0300
Message-ID: <20251121184424.1137669-22-mjt@tls.msk.ru>

From: Bastian Blank

Both the FIBMAP and FIGETBSZ ioctl get "int *" (pointer to 32bit integer) as argument, not "long *" as specified in qemu. Using the correct type makes the emulation work in cross endian context.

Both ioctls do not seem to be documented. However the kernel implementation has always used "int *".

Signed-off-by: Bastian Blank
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3185
Reviewed-by: Peter Maydell
Reviewed-by: Helge Deller
Reviwed-by: Michael Tokarev
Signed-off-by: Michael Tokarev
(cherry picked from commit 7c7089321670fb51022a1c4493cbcc69aa288a0f)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h index 3b41128fd7..2f62fd2cb9 100644 --- a/linux-user/ioctls.h +++ b/linux-user/ioctls.h
@@ -130,7 +130,7 @@ IOCTL(FDTWADDLE, 0, TYPE_NULL) IOCTL(FDEJECT, 0, TYPE_NULL) =20 - IOCTL(FIBMAP, IOC_W | IOC_R, MK_PTR(TYPE_LONG)) + IOCTL(FIBMAP, IOC_W | IOC_R, MK_PTR(TYPE_INT)) #ifdef FICLONE IOCTL(FICLONE, IOC_W, TYPE_INT) IOCTL(FICLONERANGE, IOC_W, MK_PTR(MK_STRUCT(STRUCT_file_clone_range))) @@ -145,7 +145,7 @@ IOCTL(FITRIM, IOC_W | IOC_R, MK_PTR(MK_STRUCT(STRUCT_fstrim_range))) #endif =20 - IOCTL(FIGETBSZ, IOC_R, MK_PTR(TYPE_LONG)) + IOCTL(FIGETBSZ, IOC_R, MK_PTR(TYPE_INT)) #ifdef CONFIG_FIEMAP IOCTL_SPECIAL(FS_IOC_FIEMAP, IOC_W | IOC_R, do_ioctl_fs_ioc_fiemap, MK_PTR(MK_STRUCT(STRUCT_fiemap))) --=20 2.47.3
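
Review bot: Neither changed entry in ioctls.h carries a comment saying why the argument is `MK_PTR(TYPE_INT)`, and the commit message itself notes that FIBMAP and FIGETBSZ are undocumented. A one-line comment above each entry stating that the kernel takes `int *` would stop a later cleanup from restoring TYPE_LONG, which on targets where long is wider than int also makes the conversion touch guest bytes beyond the 4-byte argument. A linux-user test that calls FIGETBSZ on a cross-endian target would pin the behaviour the message describes.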

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Michael Tokarev, Philippe Mathieu-Daudé, Richard Henderson
Subject: [Stable-10.0.7 23/81] linux-user: permit sendto() with NULL buf and 0 len
Date: Fri, 21 Nov 2025 21:43:22 +0300
Message-ID: <20251121184424.1137669-23-mjt@tls.msk.ru>

From: Peter Maydell

If you pass sendto() a NULL buffer, this is usually an error (causing an EFAULT return); however if you pass a 0 length then we should not try to validate the buffer provided. Instead we skip the copying of the user data and possible processing through fd_trans_target_to_host_data, and call the host syscall with NULL, 0.

(unlock_user() permits a NULL buffer pointer for "do nothing" so we don't need to special case the unlock code.)

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3102
Signed-off-by: Peter Maydell
Reviewed-by: Michael Tokarev
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Richard Henderson
Message-ID: <20251028142001.3011630-1-peter.maydell@linaro.org>
(cherry picked from commit 0db2de22fcbf90adafab9d9dd1fc8203c66bfa75)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 3a25abfaca..dcca90cfee 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -3582,7 +3582,7 @@ static abi_long do_sendto(int fd, abi_ulong msg, size= _t len, int flags, abi_ulong target_addr, socklen_t addrlen) { void *addr; - void *host_msg; + void *host_msg =3D NULL; void *copy_msg =3D NULL; abi_long ret; =20 
@@ -3590,16 +3590,19 @@ static abi_long do_sendto(int fd, abi_ulong msg, si= ze_t len, int flags, return -TARGET_EINVAL; } =20 - host_msg =3D lock_user(VERIFY_READ, msg, len, 1); - if (!host_msg) - return -TARGET_EFAULT; - if (fd_trans_target_to_host_data(fd)) { - copy_msg =3D host_msg; - host_msg =3D g_malloc(len); - memcpy(host_msg, copy_msg, len); - ret =3D fd_trans_target_to_host_data(fd)(host_msg, len); - if (ret < 0) { - goto fail; + if (len !=3D 0) { + host_msg =3D lock_user(VERIFY_READ, msg, len, 1); + if (!host_msg) { + return -TARGET_EFAULT; + } + if (fd_trans_target_to_host_data(fd)) { + copy_msg =3D host_msg; + host_msg =3D g_malloc(len); + memcpy(host_msg, copy_msg, len); + ret =3D fd_trans_target_to_host_data(fd)(host_msg, len); + if (ret < 0) { + goto fail; + } } } if (target_addr) { --=20 2.47.3
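
Review bot: The new `if (len != 0)` guard in do_sendto() has no comment, so the reason a zero-length send skips both lock_user() and fd_trans_target_to_host_data() lives only in the commit message. Please add a short comment at the guard saying that a NULL buffer with zero length is valid and is passed to the host as NULL, 0, and that the later unlock path relies on unlock_user() accepting a NULL host pointer. A linux-user test that calls sendto() with a NULL buffer and length 0 would keep the EFAULT regression from coming back.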

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.0.7 24/81] target/i386: clear CPU_INTERRUPT_SIPI for all accelerators
Date: Fri, 21 Nov 2025 21:43:23 +0300
Message-ID: <20251121184424.1137669-24-mjt@tls.msk.ru>

From: Paolo Bonzini

Similar to what commit df32e5c5 did for TCG; fixes boot with multiple processors on WHPX and probably more accelerators

Fixes: df32e5c568c ("i386/cpu: Prevent delivering SIPI during SMM in TCG mode", 2025-10-14)
Fixes: 1e8a7c403a7 ("i386/cpu: Prevent delivering SIPI during SMM in TCG mode", in 10.0.x)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3178
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini
(cherry picked from commit d5e1d2dea11b803ba9121fc12d3c1662b79ad941)
(Mjt: context fix due to missing v10.1.0-119-g87511341c30d "add cpu_test_interrupt()/cpu_set_interrupt() helpers and use them tree wide")
Signed-off-by: Michael Tokarev

diff --git a/target/i386/hvf/x86hvf.c b/target/i386/hvf/x86hvf.c index 531a340b37..caebd64da1 100644 --- a/target/i386/hvf/x86hvf.c +++ b/target/i386/hvf/x86hvf.c @@ -447,6 +447,7 @@ int hvf_process_events(CPUState *cs) cs->halted =3D 0; } if (cs->interrupt_request & CPU_INTERRUPT_SIPI) { + cpu_reset_interrupt(cs, CPU_INTERRUPT_SIPI); cpu_synchronize_state(cs); do_cpu_sipi(cpu); } diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c index f251286eb3..e77fb752c2 100644 --- a/target/i386/kvm/kvm.c +++ b/target/i386/kvm/kvm.c @@ -5637,6 +5637,7 @@ int kvm_arch_process_async_events(CPUState *cs) cs->halted =3D 0; } if (cs->interrupt_request & CPU_INTERRUPT_SIPI) { + cpu_reset_interrupt(cs, CPU_INTERRUPT_SIPI); kvm_cpu_synchronize_state(cs); do_cpu_sipi(cpu); } diff --git a/target/i386/nvmm/nvmm-all.c b/target/i386/nvmm/nvmm-all.c index 04e5f7e637..396c59661d 100644 --- a/target/i386/nvmm/nvmm-all.c +++ b/target/i386/nvmm/nvmm-all.c @@ -704,6 +704,7 @@ nvmm_vcpu_loop(CPUState *cpu) cpu->halted =3D false; } if (cpu->interrupt_request & CPU_INTERRUPT_SIPI) { + cpu_reset_interrupt(cpu, CPU_INTERRUPT_SIPI); nvmm_cpu_synchronize_state(cpu); do_cpu_sipi(x86_cpu); } diff --git a/target/i386/whpx/whpx-all.c b/target/i386/whpx/whpx-all.c index 41fb8c5a4e..7a95198dc4 100644 --- a/target/i386/whpx/whpx-all.c +++ b/target/i386/whpx/whpx-all.c 
@@ -1624,6 +1624,7 @@ static void whpx_vcpu_process_async_events(CPUState *= cpu) } =20 if (cpu->interrupt_request & CPU_INTERRUPT_SIPI) { + cpu_reset_interrupt(cpu, CPU_INTERRUPT_SIPI); whpx_cpu_synchronize_state(cpu); do_cpu_sipi(x86_cpu); } --=20 2.47.3
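
Review bot: The same test, clear, synchronize and do_cpu_sipi() sequence is now repeated in hvf_process_events(), kvm_arch_process_async_events(), nvmm_vcpu_loop() and whpx_vcpu_process_async_events(), differing only in the synchronize call, and that duplication is what let the earlier TCG-only change leave these accelerators behind. For master, a shared helper that clears CPU_INTERRUPT_SIPI and calls do_cpu_sipi() would make the next accelerator correct by construction; for this stable backport the four one-line additions are fine. The message says "probably more accelerators", so it would help to state which of the four were actually boot-tested with multiple processors.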

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, peng guo, "Michael S. Tsirkin", Michael Tokarev
Subject: [Stable-10.0.7 25/81] hw/i386/pc: Avoid overlap between CXL window and PCI 64bit BARs in QEMU 10.0.x
Date: Fri, 21 Nov 2025 21:43:24 +0300
Message-ID: <20251121184424.1137669-25-mjt@tls.msk.ru>

From: peng guo

This is a backport of the fix from commit 8b1c560937467d0d9 to the QEMU 10.0.x LTS series.

When using a CXL Type 3 device together with a virtio 9p device in QEMU on a physical server, the 9p device fails to initialize properly. The kernel reports the following error:

    virtio: device uses modern interface but does not have VIRTIO_F_VERSION_1
    9pnet_virtio virtio0: probe with driver 9pnet_virtio failed with error -22

Further investigation revealed that the 64-bit BAR space assigned to the 9pnet device was overlapped by the memory window allocated for the CXL devices. As a result, the kernel could not correctly access the BAR region, causing the virtio device to malfunction.

An excerpt from /proc/iomem shows:

    480010000-cffffffff : CXL Window 0
    480010000-4bfffffff : PCI Bus 0000:00
    4c0000000-4c01fffff : PCI Bus 0000:0c
    4c0000000-4c01fffff : PCI Bus 0000:0d
    4c0200000-cffffffff : PCI Bus 0000:00
    4c0200000-4c0203fff : 0000:00:03.0
    4c0200000-4c0203fff : virtio-pci-modern

To address this issue, this patch adds the reserved memory end calculation for cxl devices to reserve sufficient address space and ensure that CXL memory windows are allocated beyond all PCI 64-bit BARs. This prevents overlap with 64-bit BARs regions such as those used by virtio or other pcie devices, resolving the conflict.

Tested on intel Granite Rapids(GNR) servers using QEMU 10.0 LTS, resolving the issue without causing regressions.

QEMU Build Configuration:

    ./configure --prefix=/home/work/qemu_master/build/ \
        --target-list=x86_64-softmmu \
        --enable-kvm \
        --enable-virtfs

QEMU Boot Command:

    sudo /home/work/qemu_master/qemu/build/qemu-system-x86_64 \
        -nographic -machine q35,cxl=on -enable-kvm -m 16G -smp 8 \
        -hda /home/work/gp_qemu/rootfs.img \
        -virtfs local,path=/home/work/gp_qemu/share,mount_tag=host0,security_model=passthrough,id=host0 \
        -kernel /home/work/linux_output/arch/x86/boot/bzImage \
        --append "console=ttyS0 crashkernel=256M root=/dev/sda rootfstype=ext4 rw loglevel=8" \
        -device pci-testdev,membar=2G \
        -object memory-backend-ram,id=vmem0,share=on,size=4096M \
        -device pxb-cxl,bus_nr=12,bus=pcie.0,id=cxl.1 \
        -device cxl-rp,port=0,bus=cxl.1,id=root_port13,chassis=0,slot=2 \
        -device cxl-type3,bus=root_port13,volatile-memdev=vmem0,id=cxl-vmem0,sn=0x123456789 \
        -M cxl-fmw.0.targets.0=cxl.1,cxl-fmw.0.size=4G

Fixes: 03b39fcf64bc ("hw/cxl: Make the CXL fixed memory window setup a machine parameter")
Signed-off-by: peng guo
Tested-by: peng guo
Reviewed-by: Michael S. Tsirkin
Message-ID: <20250805142300.15226-1-engguopeng@buaa.edu.cn>
Signed-off-by: Michael S. Tsirkin
(cherry picked from commit d1193481dee63442fc41e47ca6ebc4cd34f1f69c)
(backport for missing-in-10.0.x v10.0.0-1264-g8b1c56093746 "hw/i386/pc: Remove PCMachineClass::broken_reserved_end field" by peng quo)
Signed-off-by: Michael Tokarev

diff --git a/hw/i386/pc.c b/hw/i386/pc.c index 01d0581f62..502cf8a47d 100644 --- a/hw/i386/pc.c +++ b/hw/i386/pc.c @@ -840,6 +840,7 @@ void pc_memory_init(PCMachineState *pcms, hwaddr maxphysaddr, maxusedaddr; hwaddr cxl_base, cxl_resv_end =3D 0; X86CPU *cpu =3D X86_CPU(first_cpu); + uint64_t res_mem_end; =20 assert(machine->ram_size =3D=3D x86ms->below_4g_mem_size + x86ms->above_4g_mem_size);
@@ -993,17 +994,19 @@ void pc_memory_init(PCMachineState *pcms, =20 rom_set_fw(fw_cfg); =20 - if (machine->device_memory) { - uint64_t *val =3D g_malloc(sizeof(*val)); - uint64_t res_mem_end =3D machine->device_memory->base; - + if (pcms->cxl_devices_state.is_enabled) { + res_mem_end =3D cxl_resv_end; + } else if (machine->device_memory) { + res_mem_end =3D machine->device_memory->base; if (!pcmc->broken_reserved_end) { res_mem_end +=3D memory_region_size(&machine->device_memory->m= r); } + } else { + res_mem_end =3D 0; + } =20 - if (pcms->cxl_devices_state.is_enabled) { - res_mem_end =3D cxl_resv_end; - } + if (res_mem_end) { + uint64_t *val =3D g_malloc(sizeof(*val)); *val =3D cpu_to_le64(ROUND_UP(res_mem_end, 1 * GiB)); fw_cfg_add_file(fw_cfg, "etc/reserved-memory-end", val, sizeof(*va= l)); } --=20 2.47.3
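
Review bot: In the second pc.c hunk the `pcms->cxl_devices_state.is_enabled` branch takes `cxl_resv_end` without reference to `machine->device_memory`, and the first hunk's context shows `cxl_resv_end` is initialised to 0. If CXL can be enabled while nothing raises that value, `if (res_mem_end)` now skips etc/reserved-memory-end even though device memory exists, so firmware gets no reservation at all. Either fall back to the device_memory calculation when `cxl_resv_end` is 0, or add an assertion or comment stating that `cxl_resv_end` always lies above the device memory region when CXL is enabled. Using 0 as the "no file" sentinel also deserves a word in a comment, since the old code keyed the file on `machine->device_memory` instead.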

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Xiaoyao Li, Peter Maydell, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.0.7 26/81] i386/kvm/cpu: Init SMM cpu address space for hotplugged CPUs
Date: Fri, 21 Nov 2025 21:43:25 +0300
Message-ID: <20251121184424.1137669-26-mjt@tls.msk.ru>

From: Xiaoyao Li

The SMM cpu address space is initialized in a machine_init_done notifier. It only runs once when QEMU starts up, which leads to the issue that for any hotplugged CPU after the machine is ready, SMM cpu address space doesn't get initialized.

Fix the issue by initializing the SMM cpu address space in x86_cpu_plug() when the cpu is hotplugged.

Fixes: 591f817d819f ("target/i386: Define enum X86ASIdx for x86's address spaces")
Reported-by: Peter Maydell
Closes: https://lore.kernel.org/qemu-devel/CAFEAcA_3kkZ+a5rTZGmK8W5K6J7qpYD31HkvjBnxWr-fGT2h_A@mail.gmail.com/
Signed-off-by: Xiaoyao Li
Link: https://lore.kernel.org/r/20251014094216.164306-2-xiaoyao.li@intel.com
Signed-off-by: Paolo Bonzini
(cherry picked from commit 639a29422754f62b4bfd26cff936b3c981758010)
(Mjt: the original Fixes: line is wrong: https://lore.kernel.org/qemu-devel/57d3c5b2-8b07-41ee-bf41-a9eac16eb6da@intel.com/T/#u )
Fixes: 0516f4b70264 ("i386/cpu: Enable SMM cpu address space under KVM")
Fixes: 232d5c627589 ("i386/cpu: Enable SMM cpu address space under KVM"), 10.1.5
Signed-off-by: Michael Tokarev

diff --git a/hw/i386/x86-common.c b/hw/i386/x86-common.c index 1b0671c523..0ab27c053f 100644 --- a/hw/i386/x86-common.c +++ b/hw/i386/x86-common.c @@ -182,6 +182,17 @@ void x86_cpu_plug(HotplugHandler *hotplug_dev, fw_cfg_modify_i16(x86ms->fw_cfg, FW_CFG_NB_CPUS, x86ms->boot_cpus); } =20 + /* + * Non-hotplugged CPUs get their SMM cpu address space initialized in + * machine init done notifier: register_smram_listener(). + * + * We need initialize the SMM cpu address space for the hotplugged CPU + * specifically. + */ + if (kvm_enabled() && dev->hotplugged && x86_machine_is_smm_enabled(x86= ms)) { + kvm_smm_cpu_address_space_init(cpu); + } + found_cpu =3D x86_find_cpu_slot(MACHINE(x86ms), cpu->apic_id, NULL); found_cpu->cpu =3D CPU(dev); out: diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c index e77fb752c2..98e99374e7 100644 --- a/target/i386/kvm/kvm.c +++ b/target/i386/kvm/kvm.c @@ -2722,6 +2722,12 @@ static void register_smram_listener(Notifier *n, voi= d *unused) } } =20 +/* It should only be called in cpu's hotplug callback */ +void kvm_smm_cpu_address_space_init(X86CPU *cpu) +{ + cpu_address_space_init(CPU(cpu), X86ASIdx_SMM, "cpu-smm", &smram_as_ro= ot); +} + static void *kvm_msr_energy_thread(void *data) { KVMState *s =3D data; diff --git a/target/i386/kvm/kvm_i386.h b/target/i386/kvm/kvm_i386.h index 88565e8dba..b5f274c27f 100644 --- a/target/i386/kvm/kvm_i386.h +++ b/target/i386/kvm/kvm_i386.h
@@ -59,6 +59,7 @@ void kvm_update_msi_routes_all(void *private, bool global, =20 #endif /* CONFIG_KVM */ =20 +void kvm_smm_cpu_address_space_init(X86CPU *cpu); void kvm_pc_setup_irq_routing(bool pci_enabled); =20 #endif --=20 2.47.3
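
Review bot: The comment added in the x86_cpu_plug() hunk says only that non-hotplugged CPUs are handled by register_smram_listener(); it should also say why `dev->hotplugged` is the right discriminator, namely that every CPU realized before machine-init-done is seen by that notifier, so a reader can check that no CPU is initialised twice or missed. "We need initialize" in the same comment should read "We need to initialize".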
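
Review bot: kvm_smm_cpu_address_space_init() in the kvm.c hunk hands `&smram_as_root` to cpu_address_space_init() with no check that register_smram_listener() has already set it up; the only protection is the comment "It should only be called in cpu's hotplug callback". An assertion on that precondition would turn a misuse into an immediate failure instead of a CPU with a bad SMM address space. In the kvm_i386.h hunk the prototype is added after `#endif /* CONFIG_KVM */`, so please confirm that builds without KVM still link, given that the only caller is gated by `kvm_enabled()`.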
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel P. Berrangé, Thomas Huth, Eric Blake, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.0.7 27/81] block: remove 'detached-header' option from opts after use
Date: Fri, 21 Nov 2025 21:43:26 +0300
Message-ID: <20251121184424.1137669-27-mjt@tls.msk.ru>
From: Daniel P. Berrangé

The code for creating LUKS devices references a 'detached-header' option in the QemuOpts data, but does not consume (remove) the option. Thus when the code later tries to convert the remaining unused QemuOpts into a QCryptoBlockCreateOptions struct, an error is reported by the QAPI code that 'detached-header' is not a valid field.

This fixes a regression caused by

    commit e818c01ae6e7c54c7019baaf307be59d99ce80b9
    Author: Daniel P. Berrangé
    Date: Mon Feb 19 15:12:59 2024 +0000

        qapi: drop unused QCryptoBlockCreateOptionsLUKS.detached-header

which identified that the QAPI field was unused, but failed to realize the QemuOpts -> QCryptoBlockCreateOptions conversion was seeing the left-over 'detached-header' option which had not been removed from QemuOpts.

This problem was identified by the 'luks-detached-header' I/O test, but unfortunately I/O tests are not run regularly for the LUKS format.

Fixes: e818c01ae6e7c54c7019baaf307be59d99ce80b9
Reported-by: Thomas Huth
Signed-off-by: Daniel P. Berrangé
Message-ID: <20250919103810.1513109-1-berrange@redhat.com>
Reviewed-by: Eric Blake
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf
(cherry picked from commit 6eda39a87f4fda78befa4085e3644e4440afc1dd)
Signed-off-by: Michael Tokarev
diff --git a/block/crypto.c b/block/crypto.c index d4226cc68a..17b4749a1e 100644 --- a/block/crypto.c +++ b/block/crypto.c
@@ -792,7 +792,7 @@ block_crypto_co_create_opts_luks(BlockDriver *drv, cons= t char *filename, char *buf =3D NULL; int64_t size; bool detached_hdr =3D - qemu_opt_get_bool(opts, "detached-header", false); + qemu_opt_get_bool_del(opts, "detached-header", false); unsigned int cflags =3D 0; int ret; Error *local_err =3D NULL;
-- 2.47.3
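Review bot: Nothing at the call site in block_crypto_co_create_opts_luks() says why the consuming variant qemu_opt_get_bool_del() is required, so a later cleanup could turn it back into qemu_opt_get_bool() and reintroduce the error. A one-line comment above the detached_hdr declaration, noting that 'detached-header' must be removed from opts before the remaining options are converted to QCryptoBlockCreateOptions, would protect the fix.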
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel P. Berrangé, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.0.7 28/81] block: fix luks 'amend' when run in coroutine
Date: Fri, 21 Nov 2025 21:43:27 +0300
Message-ID: <20251121184424.1137669-28-mjt@tls.msk.ru>
From: Daniel P. Berrangé

Launch QEMU with

    $ qemu-img create \
        --object secret,id=sec0,data=123456 \
        -f luks -o key-secret=sec0 demo.luks 1g

    $ qemu-system-x86_64 \
        --object secret,id=sec0,data=123456 \
        -blockdev driver=luks,key-secret=sec0,file.filename=demo.luks,file.driver=file,node-name=luks

Then in QMP shell attempt

    x-blockdev-amend job-id=fish node-name=luks options={'state':'active','new-secret':'sec0','driver':'luks'}

It will result in an assertion

    #0 __pthread_kill_implementation (threadid=, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
    #1 0x00007fad18b73f63 in __pthread_kill_internal (threadid=, signo=6) at pthread_kill.c:89
    #2 0x00007fad18b19f3e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
    #3 0x00007fad18b016d0 in __GI_abort () at abort.c:77
    #4 0x00007fad18b01639 in __assert_fail_base (fmt=, assertion=, file=, line=, function=) at assert.c:118
    #5 0x00007fad18b120af in __assert_fail (assertion=, file=, line=, function=) at assert.c:127
    #6 0x000055ff74fdbd46 in bdrv_graph_rdlock_main_loop () at ../block/graph-lock.c:260
    #7 0x000055ff7548521b in graph_lockable_auto_lock_mainloop (x=) at /usr/src/debug/qemu-9.2.4-1.fc42.x86_64/include/block/graph-lock.h:266
    #8 block_crypto_read_func (block=, offset=4096, buf=0x55ffb6d66ef0 "", buflen=256000, opaque=0x55ffb5edcc30, errp=0x55ffb6f00700) at ../block/crypto.c:71
    #9 0x000055ff75439f8b in qcrypto_block_luks_load_key (block=block@entry=0x55ffb5edbe90, slot_idx=slot_idx@entry=0, password=password@entry=0x55ffb67dc260 "123456", masterkey=masterkey@entry=0x55ffb5fb0c40 "", readfunc=readfunc@entry=0x55ff754851e0 , opaque=opaque@entry=0x55ffb5edcc30, errp=0x55ffb6f00700) at ../crypto/block-luks.c:927
    #10 0x000055ff7543b90f in qcrypto_block_luks_find_key (block=, password=, masterkey=, readfunc=, opaque=, errp=) at ../crypto/block-luks.c:1045
    #11 qcrypto_block_luks_amend_add_keyslot (block=0x55ffb5edbe90, readfunc=0x55ff754851e0 , writefunc=0x55ff75485100 , opaque=0x55ffb5edcc3, opts_luks=0x7fad1715aef8, force=, errp=0x55ffb6f00700) at ../crypto/block-luks.c:1673
    #12 qcrypto_block_luks_amend_options (block=0x55ffb5edbe90, readfunc=0x55ff754851e0 , writefunc=0x55ff75485100 , opaque=0x55ffb5edcc30, options=0x7fad1715aef0, force=, errp=0x55ffb6f00700) at ../crypto/block-luks.c:1865
    #13 0x000055ff75485b95 in block_crypto_amend_options_generic_luks (bs=, amend_options=, force=, errp=) at ../block/crypto.c:949
    #14 0x000055ff75485c28 in block_crypto_co_amend_luks (bs=, opts=, force=, errp=) at ../block/crypto.c:1008
    #15 0x000055ff754778e5 in blockdev_amend_run (job=0x55ffb6f00640, errp=0x55ffb6f00700) at ../block/amend.c:52
    #16 0x000055ff75468b90 in job_co_entry (opaque=0x55ffb6f00640) at ../job.c:1106
    #17 0x000055ff755a0fc2 in coroutine_trampoline (i0=, i1=) at ../util/coroutine-ucontext.c:175

This changes the read/write callbacks to not assert that they are run in mainloop context if already in a coroutine.

This is also reproduced by qemu-iotests cases 295 and 296.

Fixes: 1f051dcbdf2e4b6f518db731c84e304b2b9d15ce
Signed-off-by: Daniel P. Berrangé
Message-ID: <20250919112213.1530079-1-berrange@redhat.com>
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf
(cherry picked from commit c86488abaf017ed3f5a636c3247cd640a93d3b08)
Signed-off-by: Michael Tokarev
diff --git a/block/crypto.c b/block/crypto.c index 17b4749a1e..7c37b23e36 100644 --- a/block/crypto.c +++ b/block/crypto.c
@@ -67,11 +67,18 @@ static int block_crypto_read_func(QCryptoBlock *block, BlockCrypto *crypto =3D bs->opaque; ssize_t ret; =20 - GLOBAL_STATE_CODE(); - GRAPH_RDLOCK_GUARD_MAINLOOP(); + if (qemu_in_coroutine()) { + GRAPH_RDLOCK_GUARD(); =20 - ret =3D bdrv_pread(crypto->header ? crypto->header : bs->file, - offset, buflen, buf, 0); + ret =3D bdrv_co_pread(crypto->header ? crypto->header : bs->file, + offset, buflen, buf, 0); + } else { + GLOBAL_STATE_CODE(); + GRAPH_RDLOCK_GUARD_MAINLOOP(); + + ret =3D bdrv_pread(crypto->header ? crypto->header : bs->file, + offset, buflen, buf, 0); + } if (ret < 0) { error_setg_errno(errp, -ret, "Could not read encryption header"); return ret; 
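Review bot: In block_crypto_read_func() the new coroutine branch drops GLOBAL_STATE_CODE() with no comment on which contexts are expected to reach it. Please document that next to the qemu_in_coroutine() test, and consider marking the function coroutine_mixed_fn so the dual use is visible in its signature. The expression "crypto->header ? crypto->header : bs->file" is now repeated in both branches and could be hoisted into a local before the if.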
@@ -90,11 +97,18 @@ static int block_crypto_write_func(QCryptoBlock *block, BlockCrypto *crypto =3D bs->opaque; ssize_t ret; =20 - GLOBAL_STATE_CODE(); - GRAPH_RDLOCK_GUARD_MAINLOOP(); + if (qemu_in_coroutine()) { + GRAPH_RDLOCK_GUARD(); =20 - ret =3D bdrv_pwrite(crypto->header ? crypto->header : bs->file, - offset, buflen, buf, 0); + ret =3D bdrv_co_pwrite(crypto->header ? crypto->header : bs->file, + offset, buflen, buf, 0); + } else { + GLOBAL_STATE_CODE(); + GRAPH_RDLOCK_GUARD_MAINLOOP(); + + ret =3D bdrv_pwrite(crypto->header ? crypto->header : bs->file, + offset, buflen, buf, 0); + } if (ret < 0) { error_setg_errno(errp, -ret, "Could not write encryption header"); return ret;
-- 2.47.3
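Review bot: The block_crypto_write_func() hunk repeats the branch structure of the read callback line for line, differing only in bdrv_co_pwrite()/bdrv_pwrite(). A small shared helper that selects the child (crypto->header or bs->file) would keep the two callbacks from drifting apart the next time the locking rules change.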
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, "Richard W.M. Jones", Kevin Wolf, Michael Tokarev
Subject: [Stable-10.0.7 29/81] block/curl.c: Fix CURLOPT_VERBOSE parameter type
Date: Fri, 21 Nov 2025 21:43:28 +0300
Message-ID: <20251121184424.1137669-29-mjt@tls.msk.ru>

From: "Richard W.M. Jones"

In commit ed26056d90 ("block/curl.c: Use explicit long constants in curl_easy_setopt calls") we missed a further call that takes a long parameter.

Reported-by: Kevin Wolf
Signed-off-by: Richard W.M. Jones
Message-ID: <20251013124127.604401-1-rjones@redhat.com>
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf
(cherry picked from commit ad97769e9dcf4dbdaae6d859176e5f37fd6a7c66)
Signed-off-by: Michael Tokarev
diff --git a/block/curl.c b/block/curl.c index 1102a3aa2f..cbfb847dc4 100644 --- a/block/curl.c +++ b/block/curl.c
@@ -524,7 +524,7 @@ static int curl_init_state(BDRVCURLState *s, CURLState = *state) #endif =20 #ifdef DEBUG_VERBOSE - if (curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1)) { + if (curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1L)) { goto err; } #endif
-- 2.47.3
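Review bot: Because this call sits inside #ifdef DEBUG_VERBOSE it is not compiled in normal builds, so a build alone will not show whether other conditionally compiled curl_easy_setopt() calls in block/curl.c still pass an int literal. It is worth checking the remaining #ifdef'd call sites by hand, since curl_easy_setopt() is variadic and reads this option as a long.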
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Sean Anderson, Richard Henderson, Alex Bennée, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.0.7 30/81] gdbstub: Fix %s formatting
Date: Fri, 21 Nov 2025 21:43:29 +0300
Message-ID: <20251121184424.1137669-30-mjt@tls.msk.ru>

From: Sean Anderson

The format string for %s has two format characters. This causes it to emit strings like "466f5bd8/6x" instead of "466f5bd8/6". GDB detects this and returns EIO, causing all open File I/O calls to fail.

Fixes: 0820a075af ("gdbstub: Adjust gdb_do_syscall to only use uint32_t and uint64_t")
Signed-off-by: Sean Anderson
Reviewed-by: Richard Henderson
Reviewed-by: Alex Bennée
Reviewed-by: Philippe Mathieu-Daudé
Message-ID: <20251027110344.2289945-35-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée
(cherry picked from commit 524fc77d2322814f0dfde272559d74ec1599f01e)
Signed-off-by: Michael Tokarev
diff --git a/gdbstub/syscalls.c b/gdbstub/syscalls.c index e855df21ab..d8bb90cc1c 100644 --- a/gdbstub/syscalls.c +++ b/gdbstub/syscalls.c
@@ -127,7 +127,7 @@ void gdb_do_syscall(gdb_syscall_complete_cb cb, const c= har *fmt, ...) case 's': i64 =3D va_arg(va, uint64_t); i32 =3D va_arg(va, uint32_t); - p +=3D snprintf(p, p_end - p, "%" PRIx64 "/%x" PRIx32, i64= , i32); + p +=3D snprintf(p, p_end - p, "%" PRIx64 "/%" PRIx32, i64,= i32); break; default: bad_format:
-- 2.47.3
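Review bot: On the changed line in the 's' case, "p += snprintf(p, p_end - p, ...)" adds snprintf()'s return value without comparing it to the space left. snprintf() returns the length it would have written, so on truncation p moves past p_end and the next "p_end - p" is negative before it is converted to size_t. Checking the return value against p_end - p before advancing (and bailing out, for example through the existing bad_format label) would close that.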
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, "Edgar E. Iglesias", Richard Henderson, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.0.7 31/81] target/microblaze: Remove unused arg from check_divz()
Date: Fri, 21 Nov 2025 21:43:30 +0300
Message-ID: <20251121184424.1137669-31-mjt@tls.msk.ru>

From: "Edgar E. Iglesias"

Remove unused arg from check_divz(). No functional change.

Signed-off-by: Edgar E. Iglesias
Reviewed-by: Richard Henderson
Reviewed-by: Philippe Mathieu-Daudé
(cherry picked from commit a04c5ba543c1bc83a25a557e3b62ee811869b373)
Signed-off-by: Michael Tokarev
diff --git a/target/microblaze/op_helper.c b/target/microblaze/op_helper.c index f6378030b7..85ba8c9b89 100644 --- a/target/microblaze/op_helper.c +++ b/target/microblaze/op_helper.c @@ -70,7 +70,7 @@ void helper_raise_exception(CPUMBState *env, uint32_t ind= ex) cpu_loop_exit(cs); } =20 -static bool check_divz(CPUMBState *env, uint32_t a, uint32_t b, uintptr_t = ra) +static bool check_divz(CPUMBState *env, uint32_t b, uintptr_t ra) { if (unlikely(b =3D=3D 0)) { env->msr |=3D MSR_DZ;
@@ -90,7 +90,7 @@ static bool check_divz(CPUMBState *env, uint32_t a, uint3= 2_t b, uintptr_t ra) =20 uint32_t helper_divs(CPUMBState *env, uint32_t a, uint32_t b) { - if (!check_divz(env, a, b, GETPC())) { + if (!check_divz(env, b, GETPC())) { return 0; } return (int32_t)a / (int32_t)b; @@ -98,7 +98,7 @@ uint32_t helper_divs(CPUMBState *env, uint32_t a, uint32_= t b) =20 uint32_t helper_divu(CPUMBState *env, uint32_t a, uint32_t b) { - if (!check_divz(env, a, b, GETPC())) { + if (!check_divz(env, b, GETPC())) { return 0; } return a / b;
-- 2.47.3
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, "Edgar E. Iglesias", Richard Henderson, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.0.7 32/81] target/microblaze: div: Break out raise_divzero()
Date: Fri, 21 Nov 2025 21:43:31 +0300
Message-ID: <20251121184424.1137669-32-mjt@tls.msk.ru>

From: "Edgar E. Iglesias"

Break out raise_divzero() and take the opportunity to rename and reorder function args to better match with spec and pseudo code.

No functional change.

Signed-off-by: Edgar E. Iglesias
Reviewed-by: Richard Henderson
Reviewed-by: Philippe Mathieu-Daudé
(cherry picked from commit 0e46b4d1f13b26c3c0e30eafa2be8eed76548bd3)
Signed-off-by: Michael Tokarev
diff --git a/target/microblaze/op_helper.c b/target/microblaze/op_helper.c index 85ba8c9b89..0e9b725c1b 100644 --- a/target/microblaze/op_helper.c +++ b/target/microblaze/op_helper.c
@@ -70,38 +70,36 @@ void helper_raise_exception(CPUMBState *env, uint32_t i= ndex) cpu_loop_exit(cs); } =20 -static bool check_divz(CPUMBState *env, uint32_t b, uintptr_t ra) +/* Raises ESR_EC_DIVZERO if exceptions are enabled. */ +static void raise_divzero(CPUMBState *env, uint32_t esr, uintptr_t unwind_= pc) { - if (unlikely(b =3D=3D 0)) { - env->msr |=3D MSR_DZ; + env->msr |=3D MSR_DZ; =20 - if ((env->msr & MSR_EE) && - env_archcpu(env)->cfg.div_zero_exception) { - CPUState *cs =3D env_cpu(env); + if ((env->msr & MSR_EE) && env_archcpu(env)->cfg.div_zero_exception) { + CPUState *cs =3D env_cpu(env); =20 - env->esr =3D ESR_EC_DIVZERO; - cs->exception_index =3D EXCP_HW_EXCP; - cpu_loop_exit_restore(cs, ra); - } - return false; + env->esr =3D esr; + cs->exception_index =3D EXCP_HW_EXCP; + cpu_loop_exit_restore(cs, unwind_pc); } - return true; } =20 -uint32_t helper_divs(CPUMBState *env, uint32_t a, uint32_t b) +uint32_t helper_divs(CPUMBState *env, uint32_t ra, uint32_t rb) { - if (!check_divz(env, b, GETPC())) { + if (!ra) { + raise_divzero(env, ESR_EC_DIVZERO, GETPC()); return 0; } - return (int32_t)a / (int32_t)b; + return (int32_t)rb / (int32_t)ra; } =20 -uint32_t helper_divu(CPUMBState *env, uint32_t a, uint32_t b) +uint32_t helper_divu(CPUMBState *env, uint32_t ra, uint32_t rb) { - if (!check_divz(env, b, GETPC())) { + if (!ra) { + raise_divzero(env, ESR_EC_DIVZERO, GETPC()); return 0; } - return a / b; + return rb / ra; } =20 /* raise FPU exception. */ diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c index b54e5ac4b2..88904fc728 100644 --- a/target/microblaze/translate.c +++ b/target/microblaze/translate.c 
@@ -467,16 +467,8 @@ DO_TYPEA0_CFG(flt, use_fpu >=3D 2, true, gen_flt) DO_TYPEA0_CFG(fint, use_fpu >=3D 2, true, gen_fint) DO_TYPEA0_CFG(fsqrt, use_fpu >=3D 2, true, gen_fsqrt) =20 -/* Does not use ENV_WRAPPER3, because arguments are swapped as well. */ -static void gen_idiv(TCGv_i32 out, TCGv_i32 ina, TCGv_i32 inb) -{ - gen_helper_divs(out, tcg_env, inb, ina); -} - -static void gen_idivu(TCGv_i32 out, TCGv_i32 ina, TCGv_i32 inb) -{ - gen_helper_divu(out, tcg_env, inb, ina); -} +ENV_WRAPPER3(gen_idiv, gen_helper_divs) +ENV_WRAPPER3(gen_idivu, gen_helper_divu) =20 DO_TYPEA_CFG(idiv, use_div, true, gen_idiv) DO_TYPEA_CFG(idivu, use_div, true, gen_idivu)
-- 2.47.3
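Review bot: In the target/microblaze/op_helper.c hunk, the new comment on raise_divzero() ("Raises ESR_EC_DIVZERO if exceptions are enabled") does not match the function: it stores whatever esr value the caller passes, and it sets MSR_DZ unconditionally before the MSR_EE test. The comment should describe both, and say that unwind_pc is only used on the exception path.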
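Review bot: The target/microblaze/translate.c hunk deletes the only comment that recorded the operand swap ("arguments are swapped as well"), and it is correct only together with the op_helper.c change where helper_divs() and helper_divu() now test ra for zero and compute rb / ra. A one-line comment in each helper stating that rA is the divisor would keep that knowledge in the tree now that ENV_WRAPPER3 passes the operands straight through.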
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, "Edgar E. Iglesias", Richard Henderson, Michael Tokarev
Subject: [Stable-10.0.7 33/81] target/microblaze: Handle signed division overflows
Date: Fri, 21 Nov 2025 21:43:32 +0300
Message-ID: <20251121184424.1137669-33-mjt@tls.msk.ru>

From: "Edgar E. Iglesias"

Handle signed division overflows as specified in UG984:
https://docs.amd.com/r/en-US/ug984-vivado-microblaze-ref/idiv

Signed-off-by: Edgar E. Iglesias
Reviewed-by: Richard Henderson
(cherry picked from commit cfc1d54251d3b4c4cf21c4fa278c8aea2fe25a99)
Signed-off-by: Michael Tokarev
diff --git a/target/microblaze/cpu.h b/target/microblaze/cpu.h index e44ddd5307..8d92389c48 100644 --- a/target/microblaze/cpu.h +++ b/target/microblaze/cpu.h @@ -85,6 +85,7 @@ typedef struct CPUArchState CPUMBState; #define ESR_ESS_FSL_OFFSET 5 =20 #define ESR_ESS_MASK (0x7f << 5) +#define ESR_ESS_DEC_OF (1 << 11) /* DEC: 0=3DDBZ, 1=3DOF */ =20 #define ESR_EC_FSL 0 #define ESR_EC_UNALIGNED_DATA 1 diff --git a/target/microblaze/op_helper.c b/target/microblaze/op_helper.c index 0e9b725c1b..bdaf0ca2f8 100644 --- a/target/microblaze/op_helper.c
+++ b/target/microblaze/op_helper.c 
@@ -90,6 +90,21 @@ uint32_t helper_divs(CPUMBState *env, uint32_t ra, uint3= 2_t rb) raise_divzero(env, ESR_EC_DIVZERO, GETPC()); return 0; } + + /* + * Check for division overflows. + * + * Spec: https://docs.amd.com/r/en-US/ug984-vivado-microblaze-ref/idiv + * UG984, Chapter 5 MicroBlaze Instruction Set Architecture, idiv. + * + * If the U bit is clear, the value of rA is -1, and the value of rB is + * -2147483648 (divide overflow), the DZO bit in MSR will be set and + * the value in rD will be -2147483648, unless an exception is generat= ed. + */ + if ((int32_t)ra =3D=3D -1 && (int32_t)rb =3D=3D INT32_MIN) { + raise_divzero(env, ESR_EC_DIVZERO | ESR_ESS_DEC_OF, GETPC()); + return INT32_MIN; + } return (int32_t)rb / (int32_t)ra; } =20
-- 2.47.3
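Review bot: No test accompanies the new overflow branch in helper_divs(); a small guest test that executes idiv with rA = -1 and rB = -2147483648 and checks rD and the MSR bit, with exceptions both enabled and disabled, would pin down the behaviour quoted from UG984. The comment also calls the MSR bit DZO while the branch goes through raise_divzero(); a word on that naming, or renaming the helper now that it covers overflow as well as divide-by-zero, would avoid confusion.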
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Ilya Leoshkevich, Thomas Huth, Michael Tokarev
Subject: [Stable-10.0.7 34/81] target/s390x: Fix missing interrupts for small CKC values
Date: Fri, 21 Nov 2025 21:43:33 +0300
Message-ID: <20251121184424.1137669-34-mjt@tls.msk.ru>

From: Ilya Leoshkevich

Suppose TOD clock value is 0x1111111111111111 and clock-comparator value is 0, in which case clock-comparator interruption should occur immediately.

With the current code, tod2time(env->ckc - td->base.low) ends up being a very large number, so this interruption never happens.

Fix by firing the timer immediately if env->ckc < td->base.low.

Cc: qemu-stable@nongnu.org
Reviewed-by: Thomas Huth
Signed-off-by: Ilya Leoshkevich
Message-ID: <20251016175954.41153-2-iii@linux.ibm.com>
Signed-off-by: Thomas Huth
(cherry picked from commit df7e9243d540ee130f044f975af8de33c45f5299)
Signed-off-by: Michael Tokarev
diff --git a/target/s390x/tcg/misc_helper.c b/target/s390x/tcg/misc_helper.c index 31266aeda4..06b75aa453 100644 --- a/target/s390x/tcg/misc_helper.c
+++ b/target/s390x/tcg/misc_helper.c @@ -199,11 +199,15 @@ static void update_ckc_timer(CPUS390XState *env) return; } =20 - /* difference between origins */ - time =3D env->ckc - td->base.low; + if (env->ckc < td->base.low) { + time =3D 0; + } else { + /* difference between origins */ + time =3D env->ckc - td->base.low; =20 - /* nanoseconds */ - time =3D tod2time(time); + /* nanoseconds */ + time =3D tod2time(time); + } =20 timer_mod(env->tod_timer, time); } --=20 2.47.3
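Review bot: the new `time = 0` branch in update_ckc_timer() carries no comment, while the else branch keeps one per step. Say there that `env->ckc < td->base.low` means the comparator already lies in the past, that the subtraction would otherwise wrap to the "very large number" the commit message describes, and that 0 is handed to `timer_mod()` so the timer fires at once. A note that the comparison guards an unsigned subtraction would also stop a later type change from quietly bringing the wrap back.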
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Ilya Leoshkevich, Thomas Huth, Michael Tokarev
Subject: [Stable-10.0.7 35/81] target/s390x: Fix missing clock-comparator interrupts after reset
Date: Fri, 21 Nov 2025 21:43:34 +0300
Message-ID: <20251121184424.1137669-35-mjt@tls.msk.ru>

From: Ilya Leoshkevich

After reset, CKC value is set to 0, so if clock-comparator interrupts are enabled, one should occur very shortly thereafter.

Currently the code that loads the respective control register does not set tod_timer, so this does not happen.

Fix by adding a tcg_s390_tod_updated() call to LCTL and LCTLG.

Cc: qemu-stable@nongnu.org
Suggested-by: Thomas Huth
Reviewed-by: Thomas Huth
Signed-off-by: Ilya Leoshkevich
Message-ID: <20251016175954.41153-3-iii@linux.ibm.com>
Signed-off-by: Thomas Huth
(cherry picked from commit dacfec5157fb9e2249cf393a143bd545e80a6e31)
Signed-off-by: Michael Tokarev

diff --git a/target/s390x/tcg/mem_helper.c b/target/s390x/tcg/mem_helper.c index 8187b917ba..116349b17c 100644 --- a/target/s390x/tcg/mem_helper.c +++ b/target/s390x/tcg/mem_helper.c
@@ -1956,6 +1956,10 @@ void HELPER(lctlg)(CPUS390XState *env, uint32_t r1, = uint64_t a2, uint32_t r3) if (env->cregs[i] !=3D val && i >=3D 9 && i <=3D 11) { PERchanged =3D true; } + if (i =3D=3D 0 && !(env->cregs[i] & CR0_CKC_SC) && (val & CR0_CKC_= SC)) { + BQL_LOCK_GUARD(); + tcg_s390_tod_updated(env_cpu(env), RUN_ON_CPU_NULL); + } env->cregs[i] =3D val; HELPER_LOG("load ctl %d from 0x%" PRIx64 " =3D=3D 0x%" PRIx64 "\n", i, src, val); 
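Review bot: in HELPER(lctlg) the `tcg_s390_tod_updated()` call runs before `env->cregs[i] = val;`, so anything it reads from control register 0 still sees the old value with CR0_CKC_SC clear. If the callee never looks at CR0 that is harmless, but the ordering deserves a comment, or the call can move after the store with the old value saved in a local first.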
@@ -1986,10 +1990,15 @@ void HELPER(lctl)(CPUS390XState *env, uint32_t r1, = uint64_t a2, uint32_t r3) =20 for (i =3D r1;; i =3D (i + 1) % 16) { uint32_t val =3D cpu_ldl_data_ra(env, src, ra); + uint64_t val64 =3D deposit64(env->cregs[i], 0, 32, val); if ((uint32_t)env->cregs[i] !=3D val && i >=3D 9 && i <=3D 11) { PERchanged =3D true; } - env->cregs[i] =3D deposit64(env->cregs[i], 0, 32, val); + if (i =3D=3D 0 && !(env->cregs[i] & CR0_CKC_SC) && (val64 & CR0_CK= C_SC)) { + BQL_LOCK_GUARD(); + tcg_s390_tod_updated(env_cpu(env), RUN_ON_CPU_NULL); + } + env->cregs[i] =3D val64; HELPER_LOG("load ctl %d from 0x%" PRIx64 " =3D=3D 0x%x\n", i, src,= val); src +=3D sizeof(uint32_t); =20 --=20 2.47.3
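Review bot: the CR0_CKC_SC block in HELPER(lctl) is a copy of the one added to HELPER(lctlg), differing only in `val64` versus `val`; a small static helper taking the old and new CR0 values would keep the two paths from drifting apart. As in lctlg, the timer update is issued before `env->cregs[i] = val64;` is stored. Only the transition from clear to set of the subclass mask is handled, which matches the commit message, and a comment saying so would spare the reader from wondering about the opposite transition.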
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Ilya Leoshkevich, Thomas Weißschuh, Heiko Carstens, Thomas Huth, Michael Tokarev
Subject: [Stable-10.0.7 36/81] target/s390x: Use address generation for register branch targets
Date: Fri, 21 Nov 2025 21:43:35 +0300
Message-ID: <20251121184424.1137669-36-mjt@tls.msk.ru>
From: Ilya Leoshkevich

Indirect branches to addresses taken from registers go through address generation, e.g., for BRANCH ON CONDITION Principles of Operation says:

    In the RR format, the contents of general register R2 are used to generate the branch address

QEMU uses r2_nz handler for the respective register operands. Currently it does not zero out extra bits in 24- and 31-bit addressing modes as required by address generation. The very frequently used s390x_tr_init_disas_context() function has a workaround for this, but the code for saving an old PSW during an interrupt does not.

Add the missing masking to r2_nz. Enforce PSW validity by replacing the workaround with an assertion.

Reported-by: Thomas Weißschuh
Reported-by: Heiko Carstens
Link: https://lore.kernel.org/lkml/ab3131a2-c42a-47ff-bf03-e9f68ac053c0@t-8ch.de/
Cc: qemu-stable@nongnu.org
Signed-off-by: Ilya Leoshkevich
Tested-by: Thomas Weißschuh
Message-ID: <20251016175954.41153-4-iii@linux.ibm.com>
Signed-off-by: Thomas Huth
(cherry picked from commit fc976a67ded4232cf0b9ae3c11fe051da01e4456)
Signed-off-by: Michael Tokarev

diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c index 00073c5560..6aa1f30d58 100644 --- a/target/s390x/tcg/translate.c +++ b/target/s390x/tcg/translate.c @@ -5618,6 +5618,7 @@ static void in2_r2_nz(DisasContext *s, DisasOps *o) int r2 =3D get_field(s, r2); if (r2 !=3D 0) { o->in2 =3D load_reg(r2); + gen_addi_and_wrap_i64(s, o->in2, o->in2, 0); } } #define SPEC_in2_r2_nz 0
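Review bot: `gen_addi_and_wrap_i64(s, o->in2, o->in2, 0);` in in2_r2_nz() adds zero purely to get the wrap to the current addressing mode, which is not obvious from the call; add a comment that this performs address generation for a register branch target. The masking now applies to every instruction that uses the r2_nz operand loader, so please confirm that all of its users treat R2 as an address, and that the value returned by `load_reg(r2)` is a temporary that is safe to modify in place rather than the guest register itself.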
@@ -6384,10 +6385,12 @@ static void s390x_tr_init_disas_context(DisasContex= tBase *dcbase, CPUState *cs) { DisasContext *dc =3D container_of(dcbase, DisasContext, base); =20 - /* 31-bit mode */ - if (!(dc->base.tb->flags & FLAG_MASK_64)) { - dc->base.pc_first &=3D 0x7fffffff; - dc->base.pc_next =3D dc->base.pc_first; + if (dc->base.tb->flags & FLAG_MASK_32) { + if (!(dc->base.tb->flags & FLAG_MASK_64)) { + assert(!(dc->base.pc_first & ~((1ULL << 31) - 1))); + } + } else { + assert(!(dc->base.pc_first & ~((1ULL << 24) - 1))); } =20 dc->cc_op =3D CC_OP_DYNAMIC; --=20 2.47.3
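Review bot: replacing the `pc_first &= 0x7fffffff` masking in s390x_tr_init_disas_context() with `assert()` turns any remaining path that leaves extra address bits set into an abort of the whole QEMU process instead of a silently masked PC. The commit message attributes the stray bits to register branch operands, so before this lands on a stable branch it is worth confirming that no other guest-controlled way of setting the PSW address can reach translation unmasked, since that would be a guest-triggerable crash. The `else` arm also applies the 24-bit assertion whenever FLAG_MASK_32 is clear, including when FLAG_MASK_64 is set; a comment that this combination cannot occur, or an explicit check, would make the intent clear.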
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Ilya Leoshkevich, Thomas Huth, Michael Tokarev
Subject: [Stable-10.0.7 37/81] tests/tcg/s390x: Test SET CLOCK COMPARATOR
Date: Fri, 21 Nov 2025 21:43:36 +0300
Message-ID: <20251121184424.1137669-37-mjt@tls.msk.ru>

From: Ilya Leoshkevich

Add a small test to prevent regressions.

Cc: qemu-stable@nongnu.org
Reviewed-by: Thomas Huth
Signed-off-by: Ilya Leoshkevich
Message-ID: <20251016175954.41153-5-iii@linux.ibm.com>
Signed-off-by: Thomas Huth
(cherry picked from commit 0408c61e27aca56c2d40aeb6ca0e5c5f8b8c3845)
Signed-off-by: Michael Tokarev

diff --git a/tests/tcg/s390x/Makefile.softmmu-target b/tests/tcg/s390x/Make= file.softmmu-target index 8cd4667c63..a4425d3184 100644 --- a/tests/tcg/s390x/Makefile.softmmu-target +++ b/tests/tcg/s390x/Makefile.softmmu-target @@ -28,6 +28,7 @@ ASM_TESTS =3D = \ mc = \ per = \ precise-smc-softmmu = \ + sckc = \ ssm-early = \ stosm-early = \ stpq = \ diff --git a/tests/tcg/s390x/sckc.S b/tests/tcg/s390x/sckc.S new file mode 100644 index 0000000000..ecd64a3059 --- /dev/null +++ b/tests/tcg/s390x/sckc.S
@@ -0,0 +1,63 @@ +/* + * Test clock comparator. + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + .org 0x130 +ext_old_psw: + .org 0x1b0 +ext_new_psw: + .quad 0x180000000, _ext /* 64-bit mode */ + .org 0x1d0 +pgm_new_psw: + .quad 0x2000000000000,0 /* disabled wait */ + .org 0x200 /* lowcore padding */ + + .globl _start +_start: + lpswe start31_psw +_start31: + stctg %c0,%c0,c0 + oi c0+6,8 /* set clock-comparator subclass ma= sk */ + lctlg %c0,%c0,c0 + +0: + brasl %r14,_f /* %r14's most significant bit is 1= */ + jg 0b +_f: + br %r14 /* it must not end up in ext_old_ps= w */ + +_ext: + stg %r0,ext_saved_r0 + + lg %r0,ext_counter + aghi %r0,1 + stg %r0,ext_counter + + cgfi %r0,0x1000 + jnz 0f + lpswe success_psw +0: + + stck clock + lg %r0,clock + agfi %r0,0x40000 /* 64us * 0x1000 =3D~ 0.25s */ + stg %r0,clock + sckc clock + + lg %r0,ext_saved_r0 + lpswe ext_old_psw + + .align 8 +start31_psw: + .quad 0x100000080000000,_start31 /* EX, 31-bit mode */ +success_psw: + .quad 0x2000000000000,0xfff /* see is_special_wait_psw() */ +c0: + .skip 8 +clock: + .quad 0 +ext_counter: + .quad 0 +ext_saved_r0: + .skip 8 --=20 2.47.3
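Review bot: the main loop in sckc.S (`brasl %r14,_f` followed by `jg 0b`) only ends once `_ext` has counted 0x1000 interrupts, so if clock-comparator interrupts stop being delivered, which is the regression this test exists to catch, the test spins until the harness timeout instead of failing. Either document that reliance on the timeout in the header comment, or bound the loop and load a failure PSW when the bound is hit. The header comment could also say that the first interrupt depends on the comparator being 0 after reset, since nothing before the loop issues `sckc`.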
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Xiaoyao Li, Stefano Garzarella, David Hildenbrand, Peter Xu, Michael Tokarev
Subject: [Stable-10.0.7 38/81] hostmem/shm: Allow shm memory backend serve as shared memory for coco-VMs
Date: Fri, 21 Nov 2025 21:43:37 +0300
Message-ID: <20251121184424.1137669-38-mjt@tls.msk.ru>
From: Xiaoyao Li

shm can surely serve as the shared memory for coco-VMs. But currently it doesn't check the backend->guest_memfd to pass down the RAM_GUEST_MEMFD flag. It leads to failure when creating coco-VMs (e.g., TDX guest) which require private memory.

Set and pass down RAM_GUEST_MEMFD when backend->guest_memfd is true, to allow shm memory backend serve as shared memory for coco-VMs.

Cc: Stefano Garzarella
Cc: qemu-stable
Signed-off-by: Xiaoyao Li
Acked-by: David Hildenbrand
Acked-by: Stefano Garzarella
Link: https://lore.kernel.org/r/20250721065220.895606-1-xiaoyao.li@intel.com
Signed-off-by: Peter Xu
(cherry picked from commit 75e2cb144191ecdbba87cfea3608cdc0664c8142)
Signed-off-by: Michael Tokarev

diff --git a/backends/hostmem-shm.c b/backends/hostmem-shm.c index f67ad2740b..befa0020b7 100644 --- a/backends/hostmem-shm.c +++ b/backends/hostmem-shm.c
@@ -54,6 +54,7 @@ have_fd: /* Let's do the same as memory-backend-ram,share=3Don would do. */ ram_flags =3D RAM_SHARED; ram_flags |=3D backend->reserve ? 0 : RAM_NORESERVE; + ram_flags |=3D backend->guest_memfd ? RAM_GUEST_MEMFD : 0; =20 return memory_region_init_ram_from_fd(&backend->mr, OBJECT(backend), backend_name, backend->size, --=20 2.47.3
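Review bot: the comment above the flag setup still says only "Let's do the same as memory-backend-ram,share=on would do", while the added line makes this backend combine RAM_SHARED with RAM_GUEST_MEMFD; extend the comment to say why a shared fd-backed region also requests guest_memfd for confidential guests. Since the result of `memory_region_init_ram_from_fd()` is returned directly, please also confirm that the fd obtained before the `have_fd:` label is released when region setup fails with the new flag set.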
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Richard Henderson, Michael Tokarev
Subject: [Stable-10.0.7 39/81] target/x86: Correctly handle invalid 0x0f 0xc7 0xxx insns
Date: Fri, 21 Nov 2025 21:43:38 +0300
Message-ID: <20251121184424.1137669-39-mjt@tls.msk.ru>
From: Peter Maydell

In the decode_group9() function, if we don't recognise the insn as one that we should handle, we leave the 'entry' pointer unaltered. Because the X86OpEntry struct has a union for the gen and decode pointers, this means that the top level code will call decode.e.gen() which tries to use the decode function pointer (still set to decode_group9) as a gen function pointer.

This is undefined behaviour, but seems to be mostly harmless in practice (we call decode_group9() again with bogus arguments and it does nothing). If you have CFI enabled then it will trip the CFI check:

../target/i386/tcg/decode-new.c.inc:2862:9: runtime error: control flow integrity check for type 'void (struct DisasContext *, struct X86DecodedInsn *)' failed during indirect function call

Set *entry to UNKNOWN_OPCODE to provoke the #UD exception, as we do in decode_group1A() and decode_group11() for similar situations.

Thanks to the bug reporter for the clear description and analysis of the bug and the simple reproducer.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3172
Fixes: fcd16539ebfe2 ("target/i386: convert CMPXCHG8B/CMPXCHG16B to new decoder")
Signed-off-by: Peter Maydell
Reviewed-by: Richard Henderson
Signed-off-by: Richard Henderson
Message-ID: <20251021173152.1695997-1-peter.maydell@linaro.org>
(cherry picked from commit 4f503afc7eb503997fedad84f24e2cdf696a7a0e)
Signed-off-by: Michael Tokarev

diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.= c.inc index 1a3ee3b1f6..223f39ae0c 100644 --- a/target/i386/tcg/decode-new.c.inc +++ b/target/i386/tcg/decode-new.c.inc
@@ -335,6 +335,8 @@ static void decode_group9(DisasContext *s, CPUX86State = *env, X86OpEntry *entry, *entry =3D group9_reg; } else if (op =3D=3D 1) { *entry =3D REX_W(s) ? cmpxchg16b : cmpxchg8b; + } else { + *entry =3D UNKNOWN_OPCODE; } } =20 --=20 2.47.3
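Review bot: the new `else { *entry = UNKNOWN_OPCODE; }` closes the gap in decode_group9(), but the hazard described in the commit message is structural: any group decoder that returns without rewriting `*entry` leaves the union holding a decode pointer that the caller then invokes as a gen function. Consider a check in the top-level caller that the entry is no longer a group entry once the decode callback has run, so that a future decoder with the same omission ends in #UD or an assertion rather than an indirect call through a mistyped pointer. A test built from the reproducer in the linked issue would keep this encoding covered.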
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Albert Esteve, Stefano Garzarella, "Michael S. Tsirkin", Michael Tokarev
Subject: [Stable-10.0.7 40/81] vhost-user: fix shared object lookup handler logic
Date: Fri, 21 Nov 2025 21:43:39 +0300
Message-ID: <20251121184424.1137669-40-mjt@tls.msk.ru>

From: Albert Esteve

Refactor backend_read() function and add a reply_ack variable to have the option for handlers to force tweak whether they should send a reply or not without depending on VHOST_USER_NEED_REPLY_MASK flag.

This fixes an issue with vhost_user_backend_handle_shared_object_lookup() logic, as the error path was not closing the backend channel correctly. So, we can remove the reply call from within the handler, make sure it returns early on errors as other handlers do and set the reply_ack variable on backend_read() to true to ensure that it will send a response, thus keeping the original intent.

Fixes: 1609476662 ("vhost-user: add shared_object msg")
Cc: qemu-stable@nongnu.org
Signed-off-by: Albert Esteve
Reviewed-by: Stefano Garzarella
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin Message-Id: <20251017072011.1874874-2-aesteve@redhat.com> (cherry picked from commit fde5930cc37175cfcd0f03a089e26f4458a52311) (Mjt: context fix) Signed-off-by: Michael Tokarev diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c index 267b612587..7961e3c9e8 100644 --- a/hw/virtio/vhost-user.c +++ b/hw/virtio/vhost-user.c @@ -1670,14 +1670,6 @@ static bool vhost_user_send_resp(QIOChannel *ioc, Vh= ostUserHeader *hdr, return !qio_channel_writev_all(ioc, iov, ARRAY_SIZE(iov), errp); } =20 -static bool -vhost_user_backend_send_dmabuf_fd(QIOChannel *ioc, VhostUserHeader *hdr, - VhostUserPayload *payload, Error **errp) -{ - hdr->size =3D sizeof(payload->u64); - return vhost_user_send_resp(ioc, hdr, payload, errp); -} - int vhost_user_get_shared_object(struct vhost_dev *dev, unsigned char *uui= d, int *dmabuf_fd) { @@ -1718,19 +1710,15 @@ int vhost_user_get_shared_object(struct vhost_dev *= dev, unsigned char *uuid, =20 static int vhost_user_backend_handle_shared_object_lookup(struct vhost_user *u, - QIOChannel *ioc, - VhostUserHeader *hdr, - VhostUserPayload *payload) + VhostUserShared *object) { QemuUUID uuid; CharBackend *chr =3D u->user->chr; - Error *local_err =3D NULL; int dmabuf_fd =3D -1; int fd_num =3D 0; =20 - memcpy(uuid.data, payload->object.uuid, sizeof(payload->object.uuid)); + memcpy(uuid.data, object->uuid, sizeof(object->uuid)); =20 - payload->u64 =3D 0; switch (virtio_object_type(&uuid)) { case TYPE_DMABUF: dmabuf_fd =3D virtio_lookup_dmabuf(&uuid); 
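Review bot: in the reworked vhost_user_backend_handle_shared_object_lookup(), `memcpy(uuid.data, object->uuid, sizeof(object->uuid));` sizes the copy by the source field of a message that arrives from the backend process. A build-time assertion that `sizeof(object->uuid)` equals `sizeof(uuid.data)`, or sizing the copy by the destination, would make the bound explicit. With `local_err` and the in-handler reply removed, a comment on the function should also say that the caller is now responsible for sending the reply.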
@@ -1739,18 +1727,16 @@ vhost_user_backend_handle_shared_object_lookup(stru= ct vhost_user *u, { struct vhost_dev *dev =3D virtio_lookup_vhost_device(&uuid); if (dev =3D=3D NULL) { - payload->u64 =3D -EINVAL; - break; + return -EINVAL; } int ret =3D vhost_user_get_shared_object(dev, uuid.data, &dmabuf_f= d); if (ret < 0) { - payload->u64 =3D ret; + return ret; } break; } case TYPE_INVALID: - payload->u64 =3D -EINVAL; - break; + return -EINVAL; } =20 if (dmabuf_fd !=3D -1) { @@ -1759,11 +1745,6 @@ vhost_user_backend_handle_shared_object_lookup(struc= t vhost_user *u, =20 if (qemu_chr_fe_set_msgfds(chr, &dmabuf_fd, fd_num) < 0) { error_report("Failed to set msg fds."); - payload->u64 =3D -EINVAL; - } - - if (!vhost_user_backend_send_dmabuf_fd(ioc, hdr, payload, &local_err))= { - error_report_err(local_err); return -EINVAL; } =20 @@ -1792,6 +1773,7 @@ static gboolean backend_read(QIOChannel *ioc, GIOCond= ition condition, struct iovec iov; g_autofree int *fd =3D NULL; size_t fdsize =3D 0; + bool reply_ack; int i; =20 /* Read header */ @@ -1810,6 +1792,8 @@ static gboolean backend_read(QIOChannel *ioc, GIOCond= ition condition, goto err; } =20 + reply_ack =3D hdr.flags & VHOST_USER_NEED_REPLY_MASK; + /* Read payload */ if (qio_channel_read_all(ioc, (char *) &payload, hdr.size, &local_err)= ) { error_report_err(local_err); @@ -1835,8 +1819,10 @@ static gboolean backend_read(QIOChannel *ioc, GIOCon= dition condition, &payload.obje= ct); break; case VHOST_USER_BACKEND_SHARED_OBJECT_LOOKUP: - ret =3D vhost_user_backend_handle_shared_object_lookup(dev->opaque= , ioc, - &hdr, &payloa= d); + /* The backend always expects a response */ + reply_ack =3D true; + ret =3D vhost_user_backend_handle_shared_object_lookup(dev->opaque, + &payload.obje= ct); break; default: error_report("Received unexpected msg type: %d.", hdr.request); 
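Review bot: at the VHOST_USER_BACKEND_SHARED_OBJECT_LOOKUP case `reply_ack = true;` forces a reply, yet as far as these hunks show the handler can still return 0 without attaching a descriptor: `fd_num` is only incremented under `if (dmabuf_fd != -1)`, and no error is returned when the lookup leaves `dmabuf_fd` at -1. The backend then receives a success reply with no fd. If that is intended, say so next to the comment "The backend always expects a response"; if not, return an error when no descriptor was found.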
@@ -1847,7 +1833,7 @@ static gboolean backend_read(QIOChannel *ioc, GIOCond= ition condition, * REPLY_ACK feature handling. Other reply types has to be managed * directly in their request handlers. */ - if (hdr.flags & VHOST_USER_NEED_REPLY_MASK) { + if (reply_ack) { payload.u64 =3D !!ret; hdr.size =3D sizeof(payload.u64); =20 --=20 2.47.3
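Review bot: with the lookup reply now produced by this generic path, `payload.u64 = !!ret;` reports every failure as 1, where the removed handler code put `-EINVAL` or the negative return of vhost_user_get_shared_object() into `payload->u64`. A backend that only tests for non-zero is unaffected, but one that inspects the value sees a different number after this change, so the commit message should state the new reply value, along with any protocol documentation that describes this reply.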
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Shameer Kolothum, Eric Auger, "Michael S. Tsirkin", Michael Tokarev
Subject: [Stable-10.0.7 41/81] tests/qtest/bios-tables-test: Prepare for _DSM change in the DSDT table
Date: Fri, 21 Nov 2025 21:43:40 +0300
Message-ID: <20251121184424.1137669-41-mjt@tls.msk.ru>

From: Shameer Kolothum

Subsequent patch will fix the GPEX _DSM method. Add the affected DSDT blobs to allowed-diff list for bios-table tests.

Signed-off-by: Shameer Kolothum
Reviewed-by: Eric Auger
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
Message-Id: <20251022080639.243965-2-skolothumtho@nvidia.com>
(cherry picked from commit 3e6ad83f209ea8cf497e5d160e44c1bc5e518f1a)
Signed-off-by: Michael Tokarev

diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios= -tables-test-allowed-diff.h index dfb8523c8b..e2fce2e972 100644 --- a/tests/qtest/bios-tables-test-allowed-diff.h +++ b/tests/qtest/bios-tables-test-allowed-diff.h
@@ -1 +1,17 @@ /* List of comma-separated changed AML files to ignore */ +"tests/data/acpi/aarch64/virt/DSDT", +"tests/data/acpi/aarch64/virt/DSDT.acpihmatvirt", +"tests/data/acpi/aarch64/virt/DSDT.memhp", +"tests/data/acpi/aarch64/virt/DSDT.pxb", +"tests/data/acpi/aarch64/virt/DSDT.topology", +"tests/data/acpi/aarch64/virt/DSDT.acpipcihp", +"tests/data/acpi/aarch64/virt/DSDT.hpoffacpiindex", +"tests/data/acpi/aarch64/virt/DSDT.viot", +"tests/data/acpi/aarch64/virt/DSDT.smmuv3-legacy", +"tests/data/acpi/aarch64/virt/DSDT.smmuv3-dev", +"tests/data/acpi/riscv64/virt/DSDT", +"tests/data/acpi/loongarch64/virt/DSDT", +"tests/data/acpi/loongarch64/virt/DSDT.topology", +"tests/data/acpi/loongarch64/virt/DSDT.numamem", +"tests/data/acpi/loongarch64/virt/DSDT.memhp", +"tests/data/acpi/x86/microvm/DSDT.pcie", --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763786774522257.79234458786334; Fri, 21 Nov 2025 20:46:14 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMcq2-0005Fj-P6; Fri, 21 Nov 2025 20:54:59 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMblB-0000Qr-28; Fri, 21 Nov 2025 19:45:53 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMbl0-0007oZ-L6; Fri, 21 Nov 2025 19:45:49 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 4B26916CA65; Fri, 21 Nov 2025 21:44:25 +0300 (MSK) 
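Review bot: the allow-list added to `bios-tables-test-allowed-diff.h` names sixteen DSDT blobs, but the blob update later in this series (43/81) shows binary changes for only seven of them: the aarch64 `DSDT`, `DSDT.acpihmatvirt`, `DSDT.memhp`, `DSDT.pxb` and `DSDT.topology`, the riscv64 `DSDT`, and the x86 microvm `DSDT.pcie`. For the stable branch, trim the list to those seven so the test does not ignore differences in the other nine between this commit and 43/81.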
Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 05618321CA1; Fri, 21 Nov 2025 21:44:34 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Eric Auger , Shameer Kolothum , Zhangfei Gao , "Michael S. Tsirkin" , Michael Tokarev Subject: [Stable-10.0.7 42/81] hw/pci-host/gpex-acpi: Fix _DSM function 0 support return value Date: Fri, 21 Nov 2025 21:43:41 +0300 Message-ID: <20251121184424.1137669-42-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763786776952018900 From: Eric Auger Currently, only function 0 is supported. According to the ACPI Specification, Revision 6.6, Section 9.1.1 “_DSM (Device Specific Method)”, bit 0 should be 0 to indicate that no other functions are supported beyond function 0. The resulting AML change looks like this: Method (_DSM, 4, NotSerialized) // _DSM: Device-Specific Method { If ((Arg0 =3D=3D ToUUID ("e5c937d0-3553-4d7a-9117-ea4d19c3434d") { If ((Arg2 =3D=3D Zero)) { Return (Buffer (One) { - 0x01 // . + 0x00 // . }) } } } Fixes: 5b85eabe68f9 ("acpi: add acpi_dsdt_add_gpex") Signed-off-by: Eric Auger Signed-off-by: Shameer Kolothum Tested-by: Zhangfei Gao Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin Message-Id: <20251022080639.243965-3-skolothumtho@nvidia.com> (cherry picked from commit 325aa2d86a20786c308b0874d15a60d1b924bd0e) Signed-off-by: Michael Tokarev diff --git a/hw/pci-host/gpex-acpi.c b/hw/pci-host/gpex-acpi.c index e8b4c64c5f..2381ca89a2 100644 --- a/hw/pci-host/gpex-acpi.c +++ b/hw/pci-host/gpex-acpi.c 
@@ -114,7 +114,7 @@ static void acpi_dsdt_add_pci_osc(Aml *dev) UUID =3D aml_touuid("E5C937D0-3553-4D7A-9117-EA4D19C3434D"); ifctx =3D aml_if(aml_equal(aml_arg(0), UUID)); ifctx1 =3D aml_if(aml_equal(aml_arg(2), aml_int(0))); - uint8_t byte_list[1] =3D {1}; + uint8_t byte_list[1] =3D {0}; buf =3D aml_buffer(1, byte_list); aml_append(ifctx1, aml_return(buf)); aml_append(ifctx, ifctx1); --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763784039331596.2216696801305; Fri, 21 Nov 2025 20:00:39 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMd3B-0001r2-7C; Fri, 21 Nov 2025 21:08:34 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMchT-0007VT-A0; Fri, 21 Nov 2025 20:46:07 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcfQ-000434-Pj; Fri, 21 Nov 2025 20:46:03 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 9193A16CA66; Fri, 21 Nov 2025 21:44:25 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 4F007321CA2; Fri, 21 Nov 2025 21:44:34 +0300 (MSK) 
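Review bot: the new `uint8_t byte_list[1] = {0};` in `acpi_dsdt_add_pci_osc()` carries no comment explaining the value, and a bare 0 here reads like a placeholder. A short comment citing the rule from the commit message (bit 0 of the function 0 result is clear because no function beyond function 0 is supported) would help. It is also worth stating in the commit message that the function 0 branch now returns the same one-byte zero buffer as the method's fall-through return, which is visible in the DSDT disassembly quoted in 43/81.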
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Shameer Kolothum , Eric Auger , "Michael S. Tsirkin" , Michael Tokarev Subject: [Stable-10.0.7 43/81] tests/qtest/bios-tables-test: Update DSDT blobs after GPEX _DSM change Date: Fri, 21 Nov 2025 21:43:42 +0300 Message-ID: <20251121184424.1137669-43-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763784041813018900 
From: Shameer Kolothum Update the reference DSDT blobs after GPEX _DSM change. This affects the aarch64 'virt', riscv64 "virt", loongarch64 "virt" and the x86 'microvm' machines. DSDT diff is the same for all the machines/tests: =C2=A0/* =C2=A0 * Intel ACPI Component Architecture =C2=A0 * AML/ASL+ Disassembler version 20230628 (64-bit version) =C2=A0 * Copyright (c) 2000 - 2023 Intel Corporation =C2=A0 * =C2=A0 * Disassembling to symbolic ASL+ operators =C2=A0 * - * Disassembly of tests/data/acpi/aarch64/virt/DSDT, Fri Oct 10 11:18:21 2= 025 + * Disassembly of /tmp/aml-E6V9D3, Fri Oct 10 11:18:21 2025 =C2=A0 * =C2=A0 * Original Table Header: =C2=A0 * =C2=A0 =C2=A0 Signature =C2=A0 =C2=A0 =C2=A0 =C2=A0"DSDT" =C2=A0 * =C2=A0 =C2=A0 Length =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 0x000014D9= (5337) =C2=A0 * =C2=A0 =C2=A0 Revision =C2=A0 =C2=A0 =C2=A0 =C2=A0 0x02 - * =C2=A0 =C2=A0 Checksum =C2=A0 =C2=A0 =C2=A0 =C2=A0 0xA4 + * =C2=A0 =C2=A0 Checksum =C2=A0 =C2=A0 =C2=A0 =C2=A0 0xA5 =C2=A0 * =C2=A0 =C2=A0 OEM ID =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 "BOCHS " =C2=A0 * =C2=A0 =C2=A0 OEM Table ID =C2=A0 =C2=A0 "BXPC =C2=A0 =C2=A0" =C2=A0 * =C2=A0 =C2=A0 OEM Revision =C2=A0 =C2=A0 0x00000001 (1) =C2=A0 * =C2=A0 =C2=A0 Compiler ID =C2=A0 =C2=A0 =C2=A0"BXPC" =C2=A0 * =C2=A0 =C2=A0 Compiler Version 0x00000001 (1) =C2=A0 */ =C2=A0DefinitionBlock ("", "DSDT", 2, "BOCHS ", "BXPC =C2=A0 =C2=A0", 0x000= 00001) =C2=A0{ =C2=A0 =C2=A0 =C2=A0Scope (\_SB) =C2=A0 =C2=A0 =C2=A0{ =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0Device (C000) =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0{ =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0Name (_HID, "ACPI0007" /* P= rocessor Device */) =C2=A0// _HID: Hardware ID =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0Name (_UID, Zero) =C2=A0// = _UID: Unique ID =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0} 
@@ -1822,33 +1822,33 @@ =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0Else =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0{ =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0CDW1 |=3D 0x04 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0} =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0Return (Arg3) =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0} =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0Method (_DSM, 4, NotSeriali= zed) =C2=A0// _DSM: Device-Specific Method =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0{ =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0If ((Arg0 =3D= =3D ToUUID ("e5c937d0-3553-4d7a-9117-ea4d19c3434d") /* Device Labeling Inte= rface */)) =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0{ =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0If ((Arg2 =3D=3D Zero)) =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0{ =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0Return (Buffer (One) =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0{ - =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 0x01 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 // . + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 0x00 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 // . 
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0}) =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0} =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0} =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0Return (Buffe= r (One) =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0{ =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 0x00 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 // . =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0}) =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0} =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0Device (RES0) =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0{ =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0Name (_HID, "= PNP0C02" /* PNP Motherboard Resources */) =C2=A0// _HID: Hardware ID =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0Name (_CRS, R= esourceTemplate () =C2=A0// _CRS: Current Resource Settings =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0{ =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0QWordMemory (ResourceProducer, PosDecode, MinFixed, MaxFixed, NonCacheab= le, ReadWrite, Signed-off-by: Shameer Kolothum Reviewed-by: Eric Auger Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin Message-Id: <20251022080639.243965-4-skolothumtho@nvidia.com> (cherry picked from commit ccf166d89dcf57c9d333f05173851f90e416097a) (Mjt: regenerate all actual tables for 10.0.x) Signed-off-by: Michael Tokarev diff --git a/tests/data/acpi/aarch64/virt/DSDT b/tests/data/acpi/aarch64/vi= rt/DSDT index 36d3e5d5a5..a6f5b3d832 100644 Binary files a/tests/data/acpi/aarch64/virt/DSDT and b/tests/data/acpi/aarc= h64/virt/DSDT differ 
diff --git a/tests/data/acpi/aarch64/virt/DSDT.acpihmatvirt b/tests/data/ac= pi/aarch64/virt/DSDT.acpihmatvirt index e6154d0355..5bde2feada 100644 Binary files a/tests/data/acpi/aarch64/virt/DSDT.acpihmatvirt and b/tests/d= ata/acpi/aarch64/virt/DSDT.acpihmatvirt differ diff --git a/tests/data/acpi/aarch64/virt/DSDT.memhp b/tests/data/acpi/aarc= h64/virt/DSDT.memhp index 33f011d6b6..055b65c41b 100644 Binary files a/tests/data/acpi/aarch64/virt/DSDT.memhp and b/tests/data/acp= i/aarch64/virt/DSDT.memhp differ diff --git a/tests/data/acpi/aarch64/virt/DSDT.pxb b/tests/data/acpi/aarch6= 4/virt/DSDT.pxb index c0fdc6e9c1..01f2f77d4f 100644 Binary files a/tests/data/acpi/aarch64/virt/DSDT.pxb and b/tests/data/acpi/= aarch64/virt/DSDT.pxb differ diff --git a/tests/data/acpi/aarch64/virt/DSDT.topology b/tests/data/acpi/a= arch64/virt/DSDT.topology index 029d03eecc..a04bd67633 100644 Binary files a/tests/data/acpi/aarch64/virt/DSDT.topology and b/tests/data/= acpi/aarch64/virt/DSDT.topology differ diff --git a/tests/data/acpi/riscv64/virt/DSDT b/tests/data/acpi/riscv64/vi= rt/DSDT index 6a33f5647d..dec0291978 100644 Binary files a/tests/data/acpi/riscv64/virt/DSDT and b/tests/data/acpi/risc= v64/virt/DSDT differ diff --git a/tests/data/acpi/x86/microvm/DSDT.pcie b/tests/data/acpi/x86/mi= crovm/DSDT.pcie index 8eacd21d6e..45128c92cf 100644 Binary files a/tests/data/acpi/x86/microvm/DSDT.pcie and b/tests/data/acpi/= x86/microvm/DSDT.pcie differ diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios= -tables-test-allowed-diff.h index e2fce2e972..dfb8523c8b 100644 --- a/tests/qtest/bios-tables-test-allowed-diff.h +++ b/tests/qtest/bios-tables-test-allowed-diff.h 
@@ -1,17 +1 @@ /* List of comma-separated changed AML files to ignore */ -"tests/data/acpi/aarch64/virt/DSDT", -"tests/data/acpi/aarch64/virt/DSDT.acpihmatvirt", -"tests/data/acpi/aarch64/virt/DSDT.memhp", -"tests/data/acpi/aarch64/virt/DSDT.pxb", -"tests/data/acpi/aarch64/virt/DSDT.topology", -"tests/data/acpi/aarch64/virt/DSDT.acpipcihp", -"tests/data/acpi/aarch64/virt/DSDT.hpoffacpiindex", -"tests/data/acpi/aarch64/virt/DSDT.viot", -"tests/data/acpi/aarch64/virt/DSDT.smmuv3-legacy", -"tests/data/acpi/aarch64/virt/DSDT.smmuv3-dev", -"tests/data/acpi/riscv64/virt/DSDT", -"tests/data/acpi/loongarch64/virt/DSDT", -"tests/data/acpi/loongarch64/virt/DSDT.topology", -"tests/data/acpi/loongarch64/virt/DSDT.numamem", -"tests/data/acpi/loongarch64/virt/DSDT.memhp", -"tests/data/acpi/x86/microvm/DSDT.pcie", --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763787276404617.2560720501398; Fri, 21 Nov 2025 20:54:36 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMcxP-0002ZM-ML; Fri, 21 Nov 2025 21:02:36 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcAp-00072p-1k; Fri, 21 Nov 2025 20:12:23 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcAe-0004sN-7E; Fri, 21 Nov 2025 20:12:19 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id A29A516CA67; Fri, 21 Nov 2025 21:44:25 +0300 (MSK) 
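Review bot: the commit message says the change affects the loongarch64 "virt" machine, but no loongarch64 blob appears among the binary files changed here, and the aarch64 `DSDT.acpipcihp`, `DSDT.hpoffacpiindex`, `DSDT.viot`, `DSDT.smmuv3-legacy` and `DSDT.smmuv3-dev` entries that the last hunk removes from the allow-list have no matching blob update either. The "(Mjt: regenerate all actual tables for 10.0.x)" note should list which tables were regenerated on this branch, so a reader can tell whether the others are absent from 10.0.x or were left stale.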
Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 6204D321CA3; Fri, 21 Nov 2025 21:44:34 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Akihiko Odaki , Kevin Wolf , Michael Tokarev Subject: [Stable-10.0.7 44/81] qemu-img: Fix amend option parse error handling Date: Fri, 21 Nov 2025 21:43:43 +0300 Message-ID: <20251121184424.1137669-44-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763787277739018900 Content-Type: text/plain; charset="utf-8" From: Akihiko Odaki qemu_opts_del(opts) dereferences opts->list, which is the old amend_opts pointer that can be dangling after executing qemu_opts_append(amend_opts, bs->drv->create_opts) and cause use-after-free. Fix the potential use-after-free by moving the qemu_opts_del() call before the qemu_opts_append() call. Signed-off-by: Akihiko Odaki Message-ID: <20251023-iotests-v1-1-fab143ca4c2f@rsg.ci.i.u-tokyo.ac.jp> Reviewed-by: Kevin Wolf Signed-off-by: Kevin Wolf (cherry picked from commit f00bcc833790c72c08bc5eed97845fdaa7542507) Signed-off-by: Michael Tokarev diff --git a/qemu-img.c b/qemu-img.c index 2044c22a4c..d1d8242b02 100644 --- a/qemu-img.c +++ b/qemu-img.c 
@@ -4369,9 +4369,9 @@ static int img_amend(int argc, char **argv) amend_opts =3D qemu_opts_append(amend_opts, bs->drv->amend_opts); opts =3D qemu_opts_create(amend_opts, NULL, 0, &error_abort); if (!qemu_opts_do_parse(opts, options, NULL, &err)) { + qemu_opts_del(opts); /* Try to parse options using the create options */ amend_opts =3D qemu_opts_append(amend_opts, bs->drv->create_opts); - qemu_opts_del(opts); opts =3D qemu_opts_create(amend_opts, NULL, 0, &error_abort); if (qemu_opts_do_parse(opts, options, NULL, NULL)) { error_append_hint(&err, --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763783493274822.501587307245; Fri, 21 Nov 2025 19:51:33 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMcuG-0008Rc-NF; Fri, 21 Nov 2025 20:59:21 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMc1x-0001vB-5k; Fri, 21 Nov 2025 20:03:13 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMc1m-0002hi-OR; Fri, 21 Nov 2025 20:03:09 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id E7C5316CA68; Fri, 21 Nov 2025 21:44:25 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 72242321CA4; Fri, 21 Nov 2025 21:44:34 +0300 (MSK) 
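Review bot: in `img_amend()`, the fix depends on `qemu_opts_del(opts)` running before `qemu_opts_append(amend_opts, bs->drv->create_opts)`, but the hunk leaves no comment recording that ordering, and the existing "Try to parse options using the create options" comment now sits between the two calls. Add a line above the `qemu_opts_del(opts)` call saying that `opts` must be freed while the list it points to is still valid, because the append can leave the old `amend_opts` pointer dangling; otherwise a later tidy-up could move the call back.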
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Alberto Garcia , Kevin Wolf , Michael Tokarev Subject: [Stable-10.0.7 45/81] qemu-img rebase: don't exceed IO_BUF_SIZE in one operation Date: Fri, 21 Nov 2025 21:43:44 +0300 Message-ID: <20251121184424.1137669-45-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763783495293018900 Content-Type: text/plain; charset="utf-8" 
From: Alberto Garcia During a rebase operation data is copied from the backing chain into the target image using a loop, and each iteration looks for a contiguous region of allocated data of at most IO_BUF_SIZE (2 MB). Once that region is found, and in order to avoid partial writes, its boundaries are extended so they are aligned to the (sub)clusters of the target image (see commit 12df580b). This operation can however result in a region that exceeds the maximum allowed IO_BUF_SIZE, crashing qemu-img. This can be easily reproduced when the source image has a smaller cluster size than the target image: base <- int <- active $ qemu-img create -f qcow2 base.qcow2 4M $ qemu-img create -f qcow2 -F qcow2 -b base.qcow2 -o cluster_size=1M int.qcow2 $ qemu-img create -f qcow2 -F qcow2 -b int.qcow2 -o cluster_size=2M active.qcow2 $ qemu-io -c "write -P 0xff 1M 2M" int.qcow2 $ qemu-img rebase -F qcow2 -b base.qcow2 active.qcow2 qemu-img: qemu-img.c:4102: img_rebase: Assertion `written + pnum <= IO_BUF_SIZE' failed. Aborted Cc: qemu-stable Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3174 Fixes: 12df580b3b7f ("qemu-img: rebase: avoid unnecessary COW operations") Signed-off-by: Alberto Garcia Message-ID: <20251107091834.383781-1-berto@igalia.com> Reviewed-by: Kevin Wolf Signed-off-by: Kevin Wolf (cherry picked from commit 909852ba6b4a22fd2b6f9d8b88adb5fc47dfa781) Signed-off-by: Michael Tokarev diff --git a/qemu-img.c b/qemu-img.c index d1d8242b02..a7ae3bd121 100644 --- a/qemu-img.c +++ b/qemu-img.c @@ -3910,7 +3910,7 @@ static int img_rebase(int argc, char **argv) n +=3D offset - QEMU_ALIGN_DOWN(offset, write_align); offset =3D QEMU_ALIGN_DOWN(offset, write_align); n +=3D QEMU_ALIGN_UP(offset + n, write_align) - (offset + n); - n =3D MIN(n, size - offset); + n =3D MIN(n, MIN(size - offset, IO_BUF_SIZE)); assert(!bdrv_is_allocated(unfiltered_bs, offset, n, &n_alloc) = && n_alloc =3D=3D n); =20 
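Review bot: in `img_rebase()`, the new clamp `MIN(size - offset, IO_BUF_SIZE)` is applied after the `QEMU_ALIGN_UP` on the line above, so the end of the region stays on a `write_align` boundary only while `write_align` divides `IO_BUF_SIZE`. That holds for the 1M and 2M cluster sizes used in the new test, but nothing in the hunk says it is relied on. Since the aligning exists to avoid partial writes, a comment next to the clamp stating the assumption would make a future change to either value easier to review.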
diff --git a/tests/qemu-iotests/024 b/tests/qemu-iotests/024 index b29c76e161..021169b4a1 100755 --- a/tests/qemu-iotests/024 +++ b/tests/qemu-iotests/024 @@ -315,6 +315,52 @@ echo =20 $QEMU_IMG map "$OVERLAY" | _filter_qemu_img_map =20 +# Check that the region to copy to the overlay during a rebase +# operation does not exceed the I/O buffer size. +# +# backing_new <-- backing_old <-- overlay +# +# Backing (new): -- -- -- -- <-- Empty image, size 4MB +# Backing (old):|--|ff|ff|--| <-- 4 clusters, 1MB each +# Overlay: |-- --|-- --| <-- 2 clusters, 2MB each +# +# The data at [1MB, 3MB) must be copied from the old backing image to +# the overlay. However the rebase code will extend that region to the +# overlay's (sub)cluster boundaries to avoid CoW (see commit 12df580b). +# This test checks that IO_BUF_SIZE (2 MB) is taken into account. + +echo +echo "=3D=3D=3D Test that the region to copy does not exceed 2MB (IO_BUF_S= IZE) =3D=3D=3D" +echo + +echo "Creating backing chain" +echo + +TEST_IMG=3D$BASE_NEW _make_test_img 4M +TEST_IMG=3D$BASE_OLD CLUSTER_SIZE=3D1M _make_test_img -b "$BASE_NEW" -F $I= MGFMT +TEST_IMG=3D$OVERLAY CLUSTER_SIZE=3D2M _make_test_img -b "$BASE_OLD" -F $I= MGFMT + +echo +echo "Writing data to region [1MB, 3MB)" +echo + +$QEMU_IO "$BASE_OLD" -c "write -P 0xff 1M 2M" | _filter_qemu_io + +echo +echo "Rebasing" +echo + +$QEMU_IMG rebase -b "$BASE_NEW" -F $IMGFMT "$OVERLAY" + +echo "Verifying the data" +echo + +$QEMU_IO "$OVERLAY" -c "read -P 0x00 0 1M" | _filter_qemu_io +$QEMU_IO "$OVERLAY" -c "read -P 0xff 1M 2M" | _filter_qemu_io +$QEMU_IO "$OVERLAY" -c "read -P 0x00 3M 1M" | _filter_qemu_io + +$QEMU_IMG map "$OVERLAY" | _filter_qemu_img_map + echo =20 # success, all done diff --git a/tests/qemu-iotests/024.out b/tests/qemu-iotests/024.out index 3d1e31927a..1b7522ba71 100644 --- a/tests/qemu-iotests/024.out +++ b/tests/qemu-iotests/024.out 
@@ -243,4 +243,30 @@ Offset Length File 0 0x20000 TEST_DIR/subdir/t.IMGFMT 0x40000 0x20000 TEST_DIR/subdir/t.IMGFMT =20 +=3D=3D=3D Test that the region to copy does not exceed 2MB (IO_BUF_SIZE) = =3D=3D=3D + +Creating backing chain + +Formatting 'TEST_DIR/subdir/t.IMGFMT.base_new', fmt=3DIMGFMT size=3D4194304 +Formatting 'TEST_DIR/subdir/t.IMGFMT.base_old', fmt=3DIMGFMT size=3D419430= 4 backing_file=3DTEST_DIR/subdir/t.IMGFMT.base_new backing_fmt=3DIMGFMT +Formatting 'TEST_DIR/subdir/t.IMGFMT', fmt=3DIMGFMT size=3D4194304 backing= _file=3DTEST_DIR/subdir/t.IMGFMT.base_old backing_fmt=3DIMGFMT + +Writing data to region [1MB, 3MB) + +wrote 2097152/2097152 bytes at offset 1048576 +2 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +Rebasing + +Verifying the data + +read 1048576/1048576 bytes at offset 0 +1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) +read 2097152/2097152 bytes at offset 1048576 +2 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) +read 1048576/1048576 bytes at offset 3145728 +1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) +Offset Length File +0 0x400000 TEST_DIR/subdir/t.IMGFMT + *** done --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763783404429948.8996453858095; Fri, 21 Nov 2025 19:50:04 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMd8M-000612-J3; Fri, 21 Nov 2025 21:13:55 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcuq-0000NK-Em; Fri, 21 Nov 2025 20:59:56 -0500 Received: from 
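Review bot: the final check of the new test case in `tests/qemu-iotests/024`, `$QEMU_IMG map "$OVERLAY" | _filter_qemu_img_map`, produces output that is not the same for every image format the test runs with, as 46/81 in this series shows by replacing it for qed images. Since both commits land together on the stable branch, folding the `qemu-io -c map` form and its `024.out` line into this patch would avoid an intermediate commit where the expected `Offset Length File` table does not match.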
isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMctJ-00080x-A6; Fri, 21 Nov 2025 20:59:53 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 0845416CA69; Fri, 21 Nov 2025 21:44:26 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id B8988321CA5; Fri, 21 Nov 2025 21:44:34 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Alberto Garcia , Eric Blake , Thomas Huth , Michael Tokarev Subject: [Stable-10.0.7 46/81] tests/qemu-iotest: fix iotest 024 with qed images Date: Fri, 21 Nov 2025 21:43:45 +0300 Message-ID: <20251121184424.1137669-46-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, T_SPF_HELO_TEMPERROR=0.01, T_SPF_TEMPERROR=0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763783404826018900 Content-Type: text/plain; charset="utf-8" 
From: Alberto Garcia Use 'qemu-io -c map' instead of 'qemu-img map' to get an output that works with both image types. Cc: qemu-stable Fixes: 909852ba6b4a ("qemu-img rebase: don't exceed IO_BUF_SIZE in one operation") Fixes: 585d5c1db8bd ("qemu-img rebase: don't exceed IO_BUF_SIZE in one operation") in 10.0.x Signed-off-by: Alberto Garcia Message-ID: <20251112170959.700840-1-berto@igalia.com> Reviewed-by: Eric Blake Tested-by: Thomas Huth Signed-off-by: Eric Blake (cherry picked from commit 4c91719a6a78a1c24d8bb854f7594e767962d0d9) Signed-off-by: Michael Tokarev diff --git a/tests/qemu-iotests/024 b/tests/qemu-iotests/024 index 021169b4a1..10be2bd845 100755 --- a/tests/qemu-iotests/024 +++ b/tests/qemu-iotests/024 @@ -359,7 +359,7 @@ $QEMU_IO "$OVERLAY" -c "read -P 0x00 0 1M" | _filter_q= emu_io $QEMU_IO "$OVERLAY" -c "read -P 0xff 1M 2M" | _filter_qemu_io $QEMU_IO "$OVERLAY" -c "read -P 0x00 3M 1M" | _filter_qemu_io =20 -$QEMU_IMG map "$OVERLAY" | _filter_qemu_img_map +$QEMU_IO -c map "$OVERLAY" | _filter_qemu_io =20 echo =20 diff --git a/tests/qemu-iotests/024.out b/tests/qemu-iotests/024.out index 1b7522ba71..da8fedc08b 100644 --- a/tests/qemu-iotests/024.out +++ b/tests/qemu-iotests/024.out 
@@ -266,7 +266,6 @@ read 2097152/2097152 bytes at offset 1048576 2 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) read 1048576/1048576 bytes at offset 3145728 1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) -Offset Length File -0 0x400000 TEST_DIR/subdir/t.IMGFMT +4 MiB (0x400000) bytes allocated at offset 0 bytes (0x0) =20 *** done --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763777389644585.3684180380131; Fri, 21 Nov 2025 18:09:49 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMd1D-0000pk-Mk; Fri, 21 Nov 2025 21:06:32 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcVQ-0000yS-Kb; Fri, 21 Nov 2025 20:33:40 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcTM-0001Nn-94; Fri, 21 Nov 2025 20:33:35 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 199EA16CA6A; Fri, 21 Nov 2025 21:44:26 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id CC95A321CA6; Fri, 21 Nov 2025 21:44:34 +0300 (MSK) 
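Review bot: the replacement line `$QEMU_IO -c map "$OVERLAY" | _filter_qemu_io` in `tests/qemu-iotests/024` puts the `-c` command before the image name, while the three `read -P` checks directly above it use `$QEMU_IO "$OVERLAY" -c "..."`. Using the same argument order as the neighbouring lines would keep the block consistent and make the four checks easier to scan together.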
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Eric Blake , Daniel P. Berrangé , Michael Tokarev Subject: [Stable-10.0.7 47/81] qio: Add trace points to net_listener Date: Fri, 21 Nov 2025 21:43:46 +0300 Message-ID: <20251121184424.1137669-47-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763777399462018902 From: Eric Blake Upcoming patches will adjust how net_listener watches for new client connections; adding trace points now makes it easier to debug that the changes work as intended. For example, adding --trace='qio_net_listener*' to the qemu-storage-daemon command line before --nbd-server will track when the server first starts listening for clients. Signed-off-by: Eric Blake Reviewed-by: Daniel P. Berrangé Message-ID: <20251113011625.878876-17-eblake@redhat.com> (cherry picked from commit 59506e59e0f0a773e892104b945d0f15623381a7) Signed-off-by: Michael Tokarev diff --git a/io/net-listener.c b/io/net-listener.c index 47405965a6..007acbd5b1 100644 --- a/io/net-listener.c +++ b/io/net-listener.c @@ -23,6 +23,7 @@ #include "io/dns-resolver.h" #include "qapi/error.h" #include "qemu/module.h" +#include "trace.h" =20 QIONetListener *qio_net_listener_new(void) { 
@@ -50,6 +51,7 @@ static gboolean qio_net_listener_channel_func(QIOChannel = *ioc, return TRUE; } =20 + trace_qio_net_listener_callback(listener, listener->io_func); if (listener->io_func) { listener->io_func(listener, sioc, listener->io_data); } @@ -123,6 +125,7 @@ void qio_net_listener_add(QIONetListener *listener, object_ref(OBJECT(sioc)); listener->connected =3D true; =20 + trace_qio_net_listener_watch(listener, listener->io_func, "add"); if (listener->io_func !=3D NULL) { object_ref(OBJECT(listener)); listener->io_source[listener->nsioc] =3D qio_channel_add_watch_sou= rce( @@ -143,6 +146,8 @@ void qio_net_listener_set_client_func_full(QIONetListen= er *listener, { size_t i; =20 + trace_qio_net_listener_unwatch(listener, listener->io_func, + "set_client_func"); if (listener->io_notify) { listener->io_notify(listener->io_data); } @@ -158,6 +163,8 @@ void qio_net_listener_set_client_func_full(QIONetListen= er *listener, } } =20 + trace_qio_net_listener_watch(listener, listener->io_func, + "set_client_func"); if (listener->io_func !=3D NULL) { for (i =3D 0; i < listener->nsioc; i++) { object_ref(OBJECT(listener)); @@ -218,6 +225,7 @@ QIOChannelSocket *qio_net_listener_wait_client(QIONetLi= stener *listener) }; size_t i; =20 + trace_qio_net_listener_unwatch(listener, listener->io_func, "wait_clie= nt"); for (i =3D 0; i < listener->nsioc; i++) { if (listener->io_source[i]) { g_source_destroy(listener->io_source[i]); @@ -247,6 +255,7 @@ QIOChannelSocket *qio_net_listener_wait_client(QIONetLi= stener *listener) g_main_loop_unref(loop); g_main_context_unref(ctxt); =20 + trace_qio_net_listener_watch(listener, listener->io_func, "wait_client= "); if (listener->io_func !=3D NULL) { for (i =3D 0; i < listener->nsioc; i++) { object_ref(OBJECT(listener)); 
@@ -268,6 +277,7 @@ void qio_net_listener_disconnect(QIONetListener *listen= er) return; } =20 + trace_qio_net_listener_unwatch(listener, listener->io_func, "disconnec= t"); for (i =3D 0; i < listener->nsioc; i++) { if (listener->io_source[i]) { g_source_destroy(listener->io_source[i]); diff --git a/io/trace-events b/io/trace-events index dc3a63ba1f..10976eca5f 100644 --- a/io/trace-events +++ b/io/trace-events 
@@ -72,3 +72,8 @@ qio_channel_command_new_pid(void *ioc, int writefd, int r= eadfd, int pid) "Comman qio_channel_command_new_spawn(void *ioc, const char *binary, int flags) "C= ommand new spawn ioc=3D%p binary=3D%s flags=3D%d" qio_channel_command_abort(void *ioc, int pid) "Command abort ioc=3D%p pid= =3D%d" qio_channel_command_wait(void *ioc, int pid, int ret, int status) "Command= abort ioc=3D%p pid=3D%d ret=3D%d status=3D%d" + +# net-listener.c +qio_net_listener_watch(void *listener, void *func, const char *extra) "Net= listener=3D%p watch enabled func=3D%p by %s" +qio_net_listener_unwatch(void *listener, void *func, const char *extra) "N= et listener=3D%p watch disabled func=3D%p by %s" +qio_net_listener_callback(void *listener, void *func) "Net listener=3D%p c= allback forwarding to func=3D%p" --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763787282517102.77567129592228; Fri, 21 Nov 2025 20:54:42 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMcyy-00040X-7Y; Fri, 21 Nov 2025 21:04:13 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMc90-00063R-Es; Fri, 21 Nov 2025 20:10:30 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMc6x-0003ud-WA; Fri, 21 Nov 2025 20:10:26 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 2B07416CA6B; Fri, 21 Nov 2025 21:44:26 +0300 (MSK) 
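Review bot: in 47/81, every trace_qio_net_listener_watch() call (in qio_net_listener_add(), qio_net_listener_set_client_func_full() and qio_net_listener_wait_client()) sits above the `if (listener->io_func != NULL)` test, so the "watch enabled" message is also emitted with a NULL func when no watch source is created. Either move the trace inside the branch or reword the format string in io/trace-events (for example "watch requested") so that someone reading the log does not take a func=NULL line for an active watch. The unwatch points have the mirror-image issue: they fire before the loop that checks `if (listener->io_source[i])`, so "watch disabled" is logged even when there was nothing to destroy.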
Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id DD8BF321CA7; Fri, 21 Nov 2025 21:44:34 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Eric Blake , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.7 48/81] qio: Unwatch before notify in QIONetListener Date: Fri, 21 Nov 2025 21:43:47 +0300 Message-ID: <20251121184424.1137669-48-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763787283378018901 
From: Eric Blake When changing the callback registered with QIONetListener, the code was calling notify on the old opaque data prior to actually removing the old GSource objects still pointing to that data. Similarly, during finalize, it called notify before tearing down the various GSource objects tied to the data. In practice, a grep of the QEMU code base found that every existing client of QIONetListener passes in a NULL notifier (the opaque data, if non-NULL, outlives the NetListener and so does not need cleanup when the NetListener is torn down), so this patch has no impact. And even if a caller had passed in a reference-counted object with a notifier of object_unref but kept its own reference on the data, then the early notify would merely reduce a refcount from (say) 2 to 1, but not free the object. However, it is a latent bug waiting to bite any future caller that passes in data where the notifier actually frees the object, because the GSource could then trigger a use-after-free if it loses the race on a last-minute client connection resulting in the data being passed to one final use of the async callback. Better is to delay the notify call until after all GSource that have been given a copy of the opaque data are torn down. CC: qemu-stable@nongnu.org Fixes: 530473924d "io: introduce a network socket listener API", v2.12.0 Signed-off-by: Eric Blake Reviewed-by: Daniel P. Berrang=C3=A9 Message-ID: <20251113011625.878876-18-eblake@redhat.com> (cherry picked from commit 6e03d5cdc991f5db86969fc6aeaca96234426263) Signed-off-by: Michael Tokarev diff --git a/io/net-listener.c b/io/net-listener.c index 007acbd5b1..d71b65270e 100644 --- a/io/net-listener.c +++ b/io/net-listener.c 
@@ -148,13 +148,6 @@ void qio_net_listener_set_client_func_full(QIONetListe= ner *listener, =20 trace_qio_net_listener_unwatch(listener, listener->io_func, "set_client_func"); - if (listener->io_notify) { - listener->io_notify(listener->io_data); - } - listener->io_func =3D func; - listener->io_data =3D data; - listener->io_notify =3D notify; - for (i =3D 0; i < listener->nsioc; i++) { if (listener->io_source[i]) { g_source_destroy(listener->io_source[i]); @@ -163,6 +156,13 @@ void qio_net_listener_set_client_func_full(QIONetListe= ner *listener, } } =20 + if (listener->io_notify) { + listener->io_notify(listener->io_data); + } + listener->io_func =3D func; + listener->io_data =3D data; + listener->io_notify =3D notify; + trace_qio_net_listener_watch(listener, listener->io_func, "set_client_func"); if (listener->io_func !=3D NULL) { 
@@ -300,10 +300,10 @@ static void qio_net_listener_finalize(Object *obj) QIONetListener *listener =3D QIO_NET_LISTENER(obj); size_t i; =20 + qio_net_listener_disconnect(listener); if (listener->io_notify) { listener->io_notify(listener->io_data); } - qio_net_listener_disconnect(listener); =20 for (i =3D 0; i < listener->nsioc; i++) { object_unref(OBJECT(listener->sioc[i])); --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763782774040342.7394281168763; Fri, 21 Nov 2025 19:39:34 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMcvf-0001KC-72; Fri, 21 Nov 2025 21:00:48 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMbwM-0007M3-JZ; Fri, 21 Nov 2025 19:57:27 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMbwA-0001ay-1y; Fri, 21 Nov 2025 19:57:22 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 7282B16CA6C; Fri, 21 Nov 2025 21:44:26 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 2F998321CA8; Fri, 21 Nov 2025 21:44:35 +0300 (MSK) 
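Review bot: in 48/81, the new position of the io_notify call in qio_net_listener_set_client_func_full() and in qio_net_listener_finalize() encodes an ordering rule (tear down every io_source[i] first, only then notify) that nothing in the code states. A short comment above `if (listener->io_notify) {` in both places would keep a later refactor from moving the call back. That comment is also the place to say whether g_source_destroy() alone is expected to be sufficient when the source's context is being iterated by another thread, since the commit message itself describes losing a race against a last-minute client connection.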
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Eric Blake , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.7 49/81] qio: Remember context of qio_net_listener_set_client_func_full Date: Fri, 21 Nov 2025 21:43:48 +0300 Message-ID: <20251121184424.1137669-49-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763782775766018900 
From: Eric Blake io/net-listener.c has two modes of use: asynchronous (the user calls qio_net_listener_set_client_func to wake up the callback via the global GMainContext, or qio_net_listener_set_client_func_full to wake up the callback via the caller's own alternative GMainContext), and synchronous (the user calls qio_net_listener_wait_client which creates its own GMainContext and waits for the first client connection before returning, with no need for a user's callback). But commit 938c8b79 has a latent logic flaw: when qio_net_listener_wait_client finishes on its temporary context, it reverts all of the siocs back to the global GMainContext rather than the potentially non-NULL context they might have been originally registered with. Similarly, if the user creates a net-listener, adds initial addresses, registers an async callback with a non-default context (which ties to all siocs for the initial addresses), then adds more addresses with qio_net_listener_add, the siocs for later addresses are blindly placed in the global context, rather than sharing the context of the earlier ones. In practice, I don't think this has caused issues. As pointed out by the original commit, all async callers prior to that commit were already okay with the NULL default context; and the typical usage pattern is to first add ALL the addresses the listener will pay attention to before ever setting the async callback. Likewise, if a file uses only qio_net_listener_set_client_func instead of qio_net_listener_set_client_func_full, then it is never using a custom context, so later assignments of async callbacks will still be to the same global context as earlier ones. Meanwhile, any callers that want to do the sync operation to grab the first client are unlikely to register an async callback; altogether bypassing the question of whether later assignments of a GSource are being tied to a different context over time. 
I do note that chardev/char-socket.c is the only file that calls both qio_net_listener_wait_client (sync for a single client in tcp_chr_accept_server_sync), and qio_net_listener_set_client_func_full (several places, all with chr->gcontext, but sometimes with a NULL callback function during teardown). But as far as I can tell, the two uses are mutually exclusive, based on the is_waitconnect parameter to qmp_chardev_open_socket_server. That said, it is more robust to remember when an async callback function is tied to a non-default context, and have both the sync wait and any late address additions honor that same context. That way, the code will be robust even if a later user performs a sync wait for a specific client in the middle of servicing a longer-lived QIONetListener that has an async callback for all other clients. CC: qemu-stable@nongnu.org Fixes: 938c8b79 ("qio: store gsources for net listeners", v2.12.0) Signed-off-by: Eric Blake Reviewed-by: Daniel P. Berrang=C3=A9 Message-ID: <20251113011625.878876-19-eblake@redhat.com> (cherry picked from commit b5676493a08b4ff80680aae7a1b1bfef8797c6e7) Signed-off-by: Michael Tokarev diff --git a/include/io/net-listener.h b/include/io/net-listener.h index ab9f291ed6..42fbfab546 100644 --- a/include/io/net-listener.h +++ b/include/io/net-listener.h @@ -50,6 +50,7 @@ struct QIONetListener { QIOChannelSocket **sioc; GSource **io_source; size_t nsioc; + GMainContext *context; =20 bool connected; =20 diff --git a/io/net-listener.c b/io/net-listener.c index d71b65270e..0f16b78fbb 100644 --- a/io/net-listener.c +++ b/io/net-listener.c @@ -51,7 +51,8 @@ static gboolean qio_net_listener_channel_func(QIOChannel = *ioc, return TRUE; } =20 - trace_qio_net_listener_callback(listener, listener->io_func); + trace_qio_net_listener_callback(listener, listener->io_func, + listener->context); if (listener->io_func) { listener->io_func(listener, sioc, listener->io_data); } 
@@ -125,13 +126,14 @@ void qio_net_listener_add(QIONetListener *listener, object_ref(OBJECT(sioc)); listener->connected =3D true; =20 - trace_qio_net_listener_watch(listener, listener->io_func, "add"); + trace_qio_net_listener_watch(listener, listener->io_func, + listener->context, "add"); if (listener->io_func !=3D NULL) { object_ref(OBJECT(listener)); listener->io_source[listener->nsioc] =3D qio_channel_add_watch_sou= rce( QIO_CHANNEL(listener->sioc[listener->nsioc]), G_IO_IN, qio_net_listener_channel_func, - listener, (GDestroyNotify)object_unref, NULL); + listener, (GDestroyNotify)object_unref, listener->context); } =20 listener->nsioc++; @@ -147,7 +149,8 @@ void qio_net_listener_set_client_func_full(QIONetListen= er *listener, size_t i; =20 trace_qio_net_listener_unwatch(listener, listener->io_func, - "set_client_func"); + listener->context, "set_client_func"); + for (i =3D 0; i < listener->nsioc; i++) { if (listener->io_source[i]) { g_source_destroy(listener->io_source[i]); @@ -162,9 +165,10 @@ void qio_net_listener_set_client_func_full(QIONetListe= ner *listener, listener->io_func =3D func; listener->io_data =3D data; listener->io_notify =3D notify; + listener->context =3D context; =20 trace_qio_net_listener_watch(listener, listener->io_func, - "set_client_func"); + listener->context, "set_client_func"); if (listener->io_func !=3D NULL) { for (i =3D 0; i < listener->nsioc; i++) { object_ref(OBJECT(listener)); @@ -225,7 +229,8 @@ QIOChannelSocket *qio_net_listener_wait_client(QIONetLi= stener *listener) }; size_t i; =20 - trace_qio_net_listener_unwatch(listener, listener->io_func, "wait_clie= nt"); + trace_qio_net_listener_unwatch(listener, listener->io_func, + listener->context, "wait_client"); for (i =3D 0; i < listener->nsioc; i++) { if (listener->io_source[i]) { g_source_destroy(listener->io_source[i]); 
@@ -255,14 +260,15 @@ QIOChannelSocket *qio_net_listener_wait_client(QIONet= Listener *listener) g_main_loop_unref(loop); g_main_context_unref(ctxt); =20 - trace_qio_net_listener_watch(listener, listener->io_func, "wait_client= "); + trace_qio_net_listener_watch(listener, listener->io_func, + listener->context, "wait_client"); if (listener->io_func !=3D NULL) { for (i =3D 0; i < listener->nsioc; i++) { object_ref(OBJECT(listener)); listener->io_source[i] =3D qio_channel_add_watch_source( QIO_CHANNEL(listener->sioc[i]), G_IO_IN, qio_net_listener_channel_func, - listener, (GDestroyNotify)object_unref, NULL); + listener, (GDestroyNotify)object_unref, listener->context); } } =20 @@ -277,7 +283,8 @@ void qio_net_listener_disconnect(QIONetListener *listen= er) return; } =20 - trace_qio_net_listener_unwatch(listener, listener->io_func, "disconnec= t"); + trace_qio_net_listener_unwatch(listener, listener->io_func, + listener->context, "disconnect"); for (i =3D 0; i < listener->nsioc; i++) { if (listener->io_source[i]) { g_source_destroy(listener->io_source[i]); diff --git a/io/trace-events b/io/trace-events index 10976eca5f..0cb77d579b 100644 --- a/io/trace-events +++ b/io/trace-events 
@@ -74,6 +74,6 @@ qio_channel_command_abort(void *ioc, int pid) "Command ab= ort ioc=3D%p pid=3D%d" qio_channel_command_wait(void *ioc, int pid, int ret, int status) "Command= abort ioc=3D%p pid=3D%d ret=3D%d status=3D%d" =20 # net-listener.c -qio_net_listener_watch(void *listener, void *func, const char *extra) "Net= listener=3D%p watch enabled func=3D%p by %s" -qio_net_listener_unwatch(void *listener, void *func, const char *extra) "N= et listener=3D%p watch disabled func=3D%p by %s" -qio_net_listener_callback(void *listener, void *func) "Net listener=3D%p c= allback forwarding to func=3D%p" +qio_net_listener_watch(void *listener, void *func, void *ctx, const char *= extra) "Net listener=3D%p watch enabled func=3D%p ctx=3D%p by %s" +qio_net_listener_unwatch(void *listener, void *func, void *ctx, const char= *extra) "Net listener=3D%p watch disabled func=3D%p ctx=3D%p by %s" +qio_net_listener_callback(void *listener, void *func, void *ctx) "Net list= ener=3D%p callback forwarding to func=3D%p ctx=3D%p" --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763782418644177.94164394555798; Fri, 21 Nov 2025 19:33:38 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMcuG-0008RT-Ny; Fri, 21 Nov 2025 20:59:21 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMbtN-0005PF-EH; Fri, 21 Nov 2025 19:54:21 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) 
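Review bot: in 49/81, `listener->context = context;` in qio_net_listener_set_client_func_full() stores the caller's GMainContext without taking a reference, yet the pointer is now reused later by qio_net_listener_add() and by the re-watch loop at the end of qio_net_listener_wait_client(). Either take g_main_context_ref() when storing it (dropping the previous value there and in finalize), or document in include/io/net-listener.h that the context must outlive the listener or be replaced through another qio_net_listener_set_client_func_full() call first. The new `GMainContext *context;` member also carries no comment saying that NULL means the default context.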
id 1vMbrL-0000in-Ry; Fri, 21 Nov 2025 19:54:18 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 8570516CA6D; Fri, 21 Nov 2025 21:44:26 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 41EC0321CA9; Fri, 21 Nov 2025 21:44:35 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Eric Blake , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Michael Tokarev Subject: [Stable-10.0.7 50/81] qio: Protect NetListener callback with mutex Date: Fri, 21 Nov 2025 21:43:49 +0300 Message-ID: <20251121184424.1137669-50-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763782420334018900 
From: Eric Blake

Without a mutex, NetListener can run into this data race between a thread changing the async callback function to use when a client connects, and the thread servicing polling of the listening sockets:

  Thread 1:
      qio_net_listener_set_client_func(lstnr, f1, ...);
          => foreach sock: socket
              => object_ref(lstnr)
              => sock_src = qio_channel_socket_add_watch_source(sock, ...., lstnr, object_unref);

  Thread 2:
      poll()
          => event POLLIN on socket
              => ref(GSourceCallback)
              => if (lstnr->io_func) // while lstnr->io_func is f1
                  ...interrupt..

  Thread 1:
      qio_net_listener_set_client_func(lstnr, f2, ...);
          => foreach sock: socket
              => g_source_unref(sock_src)
          => foreach sock: socket
              => object_ref(lstnr)
              => sock_src = qio_channel_socket_add_watch_source(sock, ...., lstnr, object_unref);

  Thread 2:
              => call lstnr->io_func(lstnr->io_data) // now sees f2
              => return dispatch(sock)
              => unref(GSourceCallback)
                  => destroy-notify
                      => object_unref

Found by inspection; I did not spend the time trying to add sleeps or execute under gdb to try and actually trigger the race in practice. This is a SEGFAULT waiting to happen if f2 can become NULL because thread 1 deregisters the user's callback while thread 2 is trying to service the callback. Other messes are also theoretically possible, such as running callback f1 with an opaque pointer that should only be passed to f2 (if the client code were to use more than just a binary choice between a single async function or NULL).

Mitigating factor: if the code that modifies the QIONetListener can only be reached by the same thread that is executing the polling and async callbacks, then we are not in a two-thread race documented above (even though poll can see two clients trying to connect in the same window of time, any changes made to the listener by the first async callback will be completed before the thread moves on to the second client).
However, QEMU is complex enough that this is hard to generically analyze. If QMP commands (like nbd-server-stop) are run in the main loop and the listener uses the main loop, things should be okay. But when a client uses an alternative GMainContext, or if servicing a QMP command hands off to a coroutine to avoid blocking, I am unable to state with certainty whether a given net listener can be modified by a thread different from the polling thread running callbacks.

At any rate, it is worth having the API be robust. To ensure that modifying a NetListener can be safely done from any thread, add a mutex that guarantees atomicity to all members of a listener object related to callbacks. This problem has been present since QIONetListener was introduced.

Note that this does NOT prevent the case of a second round of the user's old async callback being invoked with the old opaque data, even when the user has already tried to change the async callback during the first async callback; it is only about ensuring that there is no sharding (the eventual io_func(io_data) call that does get made will correspond to a particular combination that the user had requested at some point in time, and not be sharded to a combination that never existed in practice). In other words, this patch maintains the status quo that a user's async callback function already needs to be robust to parallel clients landing in the same window of poll servicing, even when only one client is desired, if that particular listener can be amended in a thread other than the one doing the polling.

CC: qemu-stable@nongnu.org
Fixes: 53047392 ("io: introduce a network socket listener API", v2.12.0)
Signed-off-by: Eric Blake
Message-ID: <20251113011625.878876-20-eblake@redhat.com>
Reviewed-by: Daniel P. Berrangé
[eblake: minor commit message wording improvements]
Signed-off-by: Eric Blake
(cherry picked from commit 9d86181874ab7b0e95ae988f6f80715943c618c6)
Signed-off-by: Michael Tokarev
diff --git a/include/io/net-listener.h b/include/io/net-listener.h index 42fbfab546..c2165dc166 100644 --- a/include/io/net-listener.h +++ b/include/io/net-listener.h @@ -54,6 +54,7 @@ struct QIONetListener { =20 bool connected; =20 + QemuMutex lock; /* Protects remaining fields */ QIONetListenerClientFunc io_func; gpointer io_data; GDestroyNotify io_notify; diff --git a/io/net-listener.c b/io/net-listener.c index 0f16b78fbb..f70acdfc5c 100644 --- a/io/net-listener.c +++ b/io/net-listener.c @@ -23,11 +23,16 @@ #include "io/dns-resolver.h" #include "qapi/error.h" #include "qemu/module.h" +#include "qemu/lockable.h" #include "trace.h" =20 QIONetListener *qio_net_listener_new(void) { - return QIO_NET_LISTENER(object_new(TYPE_QIO_NET_LISTENER)); + QIONetListener *listener; + + listener =3D QIO_NET_LISTENER(object_new(TYPE_QIO_NET_LISTENER)); + qemu_mutex_init(&listener->lock); + return listener; } =20 void qio_net_listener_set_name(QIONetListener *listener, @@ -44,6 +49,9 @@ static gboolean qio_net_listener_channel_func(QIOChannel = *ioc, { QIONetListener *listener =3D QIO_NET_LISTENER(opaque); QIOChannelSocket *sioc; + QIONetListenerClientFunc io_func; + gpointer io_data; + GMainContext *context; =20 sioc =3D qio_channel_socket_accept(QIO_CHANNEL_SOCKET(ioc), NULL); @@ -51,10 +59,15 @@ static gboolean qio_net_listener_channel_func(QIOChanne= l *ioc, return TRUE; } =20 - trace_qio_net_listener_callback(listener, listener->io_func, - listener->context); - if (listener->io_func) { - listener->io_func(listener, sioc, listener->io_data); + WITH_QEMU_LOCK_GUARD(&listener->lock) { + io_func =3D listener->io_func; + io_data =3D listener->io_data; + context =3D listener->context; + } + + trace_qio_net_listener_callback(listener, io_func, context); + if (io_func) { + io_func(listener, sioc, io_data); } =20 object_unref(OBJECT(sioc)); 
@@ -111,6 +124,9 @@ int qio_net_listener_open_sync(QIONetListener *listener, void qio_net_listener_add(QIONetListener *listener, QIOChannelSocket *sioc) { + QIONetListenerClientFunc io_func; + GMainContext *context; + if (listener->name) { qio_channel_set_name(QIO_CHANNEL(sioc), listener->name); } @@ -126,14 +142,18 @@ void qio_net_listener_add(QIONetListener *listener, object_ref(OBJECT(sioc)); listener->connected =3D true; =20 - trace_qio_net_listener_watch(listener, listener->io_func, - listener->context, "add"); - if (listener->io_func !=3D NULL) { + WITH_QEMU_LOCK_GUARD(&listener->lock) { + io_func =3D listener->io_func; + context =3D listener->context; + } + + trace_qio_net_listener_watch(listener, io_func, context, "add"); + if (io_func) { object_ref(OBJECT(listener)); listener->io_source[listener->nsioc] =3D qio_channel_add_watch_sou= rce( QIO_CHANNEL(listener->sioc[listener->nsioc]), G_IO_IN, qio_net_listener_channel_func, - listener, (GDestroyNotify)object_unref, listener->context); + listener, (GDestroyNotify)object_unref, context); } =20 listener->nsioc++; @@ -148,6 +168,7 @@ void qio_net_listener_set_client_func_full(QIONetListen= er *listener, { size_t i; =20 + QEMU_LOCK_GUARD(&listener->lock); trace_qio_net_listener_unwatch(listener, listener->io_func, listener->context, "set_client_func"); =20 @@ -228,9 +249,15 @@ QIOChannelSocket *qio_net_listener_wait_client(QIONetL= istener *listener) .loop =3D loop }; size_t i; + QIONetListenerClientFunc io_func; + GMainContext *context; =20 - trace_qio_net_listener_unwatch(listener, listener->io_func, - listener->context, "wait_client"); + WITH_QEMU_LOCK_GUARD(&listener->lock) { + io_func =3D listener->io_func; + context =3D listener->context; + } + + trace_qio_net_listener_unwatch(listener, io_func, context, "wait_clien= t"); for (i =3D 0; i < listener->nsioc; i++) { if (listener->io_source[i]) { g_source_destroy(listener->io_source[i]); 
@@ -260,15 +287,14 @@ QIOChannelSocket *qio_net_listener_wait_client(QIONet= Listener *listener) g_main_loop_unref(loop); g_main_context_unref(ctxt); =20 - trace_qio_net_listener_watch(listener, listener->io_func, - listener->context, "wait_client"); - if (listener->io_func !=3D NULL) { + trace_qio_net_listener_watch(listener, io_func, context, "wait_client"= ); + if (io_func !=3D NULL) { for (i =3D 0; i < listener->nsioc; i++) { object_ref(OBJECT(listener)); listener->io_source[i] =3D qio_channel_add_watch_source( QIO_CHANNEL(listener->sioc[i]), G_IO_IN, qio_net_listener_channel_func, - listener, (GDestroyNotify)object_unref, listener->context); + listener, (GDestroyNotify)object_unref, context); } } =20 @@ -283,6 +309,7 @@ void qio_net_listener_disconnect(QIONetListener *listen= er) return; } =20 + QEMU_LOCK_GUARD(&listener->lock); trace_qio_net_listener_unwatch(listener, listener->io_func, listener->context, "disconnect"); for (i =3D 0; i < listener->nsioc; i++) { 
@@ -318,6 +345,7 @@ static void qio_net_listener_finalize(Object *obj) g_free(listener->io_source); g_free(listener->sioc); g_free(listener->name); + qemu_mutex_destroy(&listener->lock); } =20 static const TypeInfo qio_net_listener_info =3D { --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763782128144651.3683796215608; Fri, 21 Nov 2025 19:28:48 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMd6S-0004KL-Qs; Fri, 21 Nov 2025 21:11:57 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcjt-0000fc-3T; Fri, 21 Nov 2025 20:48:37 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMchq-0004oj-IV; Fri, 21 Nov 2025 20:48:32 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 9971E16CA6E; Fri, 21 Nov 2025 21:44:26 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 54F0E321CAA; Fri, 21 Nov 2025 21:44:35 +0300 (MSK) 
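Review bot: in 50/81, qemu_mutex_init() is placed in qio_net_listener_new() while qemu_mutex_destroy() is placed in qio_net_listener_finalize(), so a listener created with object_new(TYPE_QIO_NET_LISTENER) directly would lock and later destroy a mutex that was never initialized. Moving the init into an instance_init hook of qio_net_listener_info would pair it with the destroy however the object is created.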
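Review bot: in 50/81, the struct comment "Protects remaining fields" does not match what the code locks: `context` and `io_source` are declared above `lock`, yet `context` is read under the guard everywhere, and `io_source[]` is modified under the lock in qio_net_listener_set_client_func_full() and qio_net_listener_disconnect() but outside it in qio_net_listener_add() and qio_net_listener_wait_client(), where the WITH_QEMU_LOCK_GUARD block closes before the g_source_destroy() loop and before qio_channel_add_watch_source(). Please either widen the guarded region in those two functions or list in the comment exactly which members the lock covers. Related, qio_net_listener_wait_client() re-arms the watches after its blocking wait using the io_func/context snapshot taken before the wait, so a qio_net_listener_set_client_func_full() call made in between is silently overridden; re-reading both under the lock after the wait would avoid that.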
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , Akihiko Odaki , Jason Wang , Michael Tokarev Subject: [Stable-10.0.7 51/81] hw/net/e1000e_core: Don't advance desc_offset for NULL buffer RX descriptors Date: Fri, 21 Nov 2025 21:43:50 +0300 Message-ID: <20251121184424.1137669-51-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763782129180018900 Content-Type: text/plain; charset="utf-8" From: Peter Maydell In e1000e_write_packet_to_guest() we don't write data for RX descriptors where the buffer address is NULL (as required by the i82574 datasheet section 7.1.7.2). However, when we do this we still update desc_offset by the amount of data we would have written to the RX descriptor if it had a valid buffer pointer, resulting in our dropping that data entirely. The data sheet is not 100% clear on the subject, but this seems unlikely to be the correct behaviour. Rearrange the null-descriptor logic so that we don't treat these do-nothing descriptors as if we'd really written the data. This both fixes a bug and also is a prerequisite to cleaning up the size calculation logic in the next patch. (Cc to stable largely because it will be needed for the next patch, which fixes a more serious bug.) Cc: qemu-stable@nongnu.org 
Signed-off-by: Peter Maydell Reviewed-by: Akihiko Odaki Signed-off-by: Jason Wang (cherry picked from commit 6da0c9828194eb21e54fe4264cd29a1b85a29f33) Signed-off-by: Michael Tokarev diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c index 06657bb3ac..8e93bd3d81 100644 --- a/hw/net/e1000e_core.c +++ b/hw/net/e1000e_core.c @@ -1481,7 +1481,6 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct= NetRxPkt *pkt, PCIDevice *d =3D core->owner; dma_addr_t base; union e1000_rx_desc_union desc; - size_t desc_size; size_t desc_offset =3D 0; size_t iov_ofs =3D 0; =20 @@ -1500,12 +1499,6 @@ e1000e_write_packet_to_guest(E1000ECore *core, struc= t NetRxPkt *pkt, E1000EBAState bastate =3D { { 0 } }; bool is_last =3D false; =20 - desc_size =3D total_size - desc_offset; - - if (desc_size > core->rx_desc_buf_size) { - desc_size =3D core->rx_desc_buf_size; - } - if (e1000e_ring_empty(core, rxi)) { return; } @@ -1519,6 +1512,12 @@ e1000e_write_packet_to_guest(E1000ECore *core, struc= t NetRxPkt *pkt, e1000e_read_rx_descr(core, &desc, ba); =20 if (ba[0]) { + size_t desc_size =3D total_size - desc_offset; + + if (desc_size > core->rx_desc_buf_size) { + desc_size =3D core->rx_desc_buf_size; + } + if (desc_offset < size) { static const uint32_t fcs_pad; size_t iov_copy; 
@@ -1582,13 +1581,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, stru= ct NetRxPkt *pkt, (const char *) &fcs_pad, e1000x_fcs_len(core->ma= c)); } } + desc_offset +=3D desc_size; + if (desc_offset >=3D total_size) { + is_last =3D true; + } } else { /* as per intel docs; skip descriptors with null buf addr= */ trace_e1000e_rx_null_descriptor(); } - desc_offset +=3D desc_size; - if (desc_offset >=3D total_size) { - is_last =3D true; - } =20 e1000e_write_rx_descr(core, &desc, is_last ? core->rx_pkt : NULL, rss_info, do_ps ? ps_hdr_len : 0, &bastate.writ= ten); --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763815291542378.25470654030346; Sat, 22 Nov 2025 04:41:31 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMcxD-0002Vx-2j; Fri, 21 Nov 2025 21:02:24 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcAH-0006ku-Me; Fri, 21 Nov 2025 20:11:49 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcA6-0004fo-8J; Fri, 21 Nov 2025 20:11:45 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id AC6E216CA6F; Fri, 21 Nov 2025 21:44:26 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 6969E321CAB; Fri, 21 Nov 2025 21:44:35 +0300 (MSK) 
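Review bot: In the last hunk of the e1000e_write_packet_to_guest() change (patch 51/81, hw/net/e1000e_core.c), moving `desc_offset += desc_size` and the `is_last` update inside the `if (ba[0])` branch means a NULL-buffer descriptor no longer makes any progress towards `total_size`, so for a run of such descriptors the loop can now end only through the `if (e1000e_ring_empty(core, rxi)) { return; }` exit near the top. If that exit is taken mid-packet, no descriptor has been written with `is_last` set. A short comment in the `else` branch stating that this is the intended outcome, and that each skipped descriptor is still written back and consumed (which these hunks do not show), would make the termination argument checkable.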
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Akihiko Odaki, Jason Wang, Michael Tokarev
Subject: [Stable-10.0.7 52/81] hw/net/e1000e_core: Correct rx oversize packet checks
Date: Fri, 21 Nov 2025 21:43:51 +0300
Message-ID: <20251121184424.1137669-52-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Peter Maydell

In e1000e_write_packet_to_guest() we attempt to ensure that we don't write more of a packet to a descriptor than will fit in the guest configured receive buffers. However, this code does not allow for the "packet split" feature. When packet splitting is enabled, the first of up to 4 buffers in the descriptor is used for the packet header only, with the payload going into buffers 2, 3 and 4. Our length check only checks against the total sizes of all 4 buffers, which meant that if an incoming packet was large enough to fit in (1 + 2 + 3 + 4) but not into (2 + 3 + 4) and packet splitting was enabled, we would run into the assertion in e1000e_write_hdr_frag_to_rx_buffers() that we had enough buffers for the data:

qemu-system-i386: ../../hw/net/e1000e_core.c:1418: void e1000e_write_payload_frag_to_rx_buffers(E1000ECore *, hwaddr *, E1000EBAState *, const char *, dma_addr_t): Assertion `bastate->cur_idx < MAX_PS_BUFFERS' failed.

A malicious guest could provoke this assertion by configuring the device into loopback mode, and then sending itself a suitably sized packet into a suitably arranged rx descriptor.

The code also fails to deal with the possibility that the descriptor buffers are sized such that the trailing checksum word does not fit into the last descriptor which has actual data, which might also trigger this assertion.

Rework the length handling to use two variables:
 * desc_size is the total amount of data DMA'd to the guest for the descriptor being processed in this iteration of the loop
 * rx_desc_buf_size is the total amount of space left in it

As we copy data to the guest (packet header, payload, checksum), update these two variables. (Previously we attempted to calculate desc_size once at the top of the loop, but this is too difficult to do correctly.)
Then we can use the variables to ensure that we clamp the amount of copied payload data to the remaining space in the descriptor's buffers, even if we've used one of the buffers up in the packet-split code, and we can tell whether we have enough space for the full checksum word in this descriptor or whether we're going to need to split that to the following descriptor. I have included comments that hopefully help to make the loop logic a little clearer. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/537 Reviewed-by: Akihiko Odaki Signed-off-by: Peter Maydell Signed-off-by: Jason Wang (cherry picked from commit 9d946d56a2ac8a6c2df186e20d24810255c83a3f) Signed-off-by: Michael Tokarev diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c index 8e93bd3d81..58a34125e9 100644 --- a/hw/net/e1000e_core.c +++ b/hw/net/e1000e_core.c @@ -1495,6 +1495,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struc= t NetRxPkt *pkt, rxi =3D rxr->i; =20 do { + /* + * Loop processing descriptors while we have packet data to + * DMA to the guest. desc_offset tracks how much data we have + * sent to the guest in total over all descriptors, and goes + * from 0 up to total_size (the size of everything to send to + * the guest including possible trailing 4 bytes of CRC data). + */ hwaddr ba[MAX_PS_BUFFERS]; E1000EBAState bastate =3D { { 0 } }; bool is_last =3D false; 
@@ -1512,23 +1519,27 @@ e1000e_write_packet_to_guest(E1000ECore *core, stru= ct NetRxPkt *pkt, e1000e_read_rx_descr(core, &desc, ba); =20 if (ba[0]) { - size_t desc_size =3D total_size - desc_offset; - - if (desc_size > core->rx_desc_buf_size) { - desc_size =3D core->rx_desc_buf_size; - } + /* Total amount of data DMA'd to the guest in this iteration */ + size_t desc_size =3D 0; + /* + * Total space available in this descriptor (we will update + * this as we use it up) + */ + size_t rx_desc_buf_size =3D core->rx_desc_buf_size; =20 if (desc_offset < size) { - static const uint32_t fcs_pad; size_t iov_copy; + /* Amount of data to copy from the incoming packet */ size_t copy_size =3D size - desc_offset; - if (copy_size > core->rx_desc_buf_size) { - copy_size =3D core->rx_desc_buf_size; - } =20 /* For PS mode copy the packet header first */ if (do_ps) { if (is_first) { + /* + * e1000e_do_ps() guarantees that buffer 0 has eno= ugh + * space for the header; otherwise we will not spl= it + * the packet (i.e. do_ps is false). + */ size_t ps_hdr_copied =3D 0; do { iov_copy =3D MIN(ps_hdr_len - ps_hdr_copied, @@ -1550,14 +1561,26 @@ e1000e_write_packet_to_guest(E1000ECore *core, stru= ct NetRxPkt *pkt, } while (ps_hdr_copied < ps_hdr_len); =20 is_first =3D false; + desc_size +=3D ps_hdr_len; } else { /* Leave buffer 0 of each descriptor except first = */ /* empty as per spec 7.1.5.1 = */ e1000e_write_hdr_frag_to_rx_buffers(core, ba, &bas= tate, NULL, 0); } + rx_desc_buf_size -=3D core->rxbuf_sizes[0]; } =20 + /* + * Clamp the amount of packet data we copy into what will = fit + * into the remaining buffers in the descriptor. + */ + if (copy_size > rx_desc_buf_size) { + copy_size =3D rx_desc_buf_size; + } + desc_size +=3D copy_size; + rx_desc_buf_size -=3D copy_size; + /* Copy packet payload */ while (copy_size) { iov_copy =3D MIN(copy_size, iov->iov_len - iov_ofs); 
@@ -1574,12 +1597,22 @@ e1000e_write_packet_to_guest(E1000ECore *core, stru= ct NetRxPkt *pkt, iov_ofs =3D 0; } } + } =20 - if (desc_offset + desc_size >=3D total_size) { - /* Simulate FCS checksum presence in the last descript= or */ - e1000e_write_payload_frag_to_rx_buffers(core, ba, &bas= tate, - (const char *) &fcs_pad, e1000x_fcs_len(core->ma= c)); - } + if (rx_desc_buf_size && + desc_offset >=3D size && desc_offset < total_size) { + /* + * We are in the last 4 bytes corresponding to the FCS che= cksum. + * We only ever write zeroes here (unlike the hardware). + */ + static const uint32_t fcs_pad; + /* Amount of space for the trailing checksum */ + size_t fcs_len =3D MIN(rx_desc_buf_size, + total_size - desc_offset); + e1000e_write_payload_frag_to_rx_buffers(core, ba, &bastate, + (const char *)&fcs= _pad, + fcs_len); + desc_size +=3D fcs_len; } desc_offset +=3D desc_size; if (desc_offset >=3D total_size) { --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763785874192572.3872120855748; Fri, 21 Nov 2025 20:31:14 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMd51-0003ES-C9; Fri, 21 Nov 2025 21:10:28 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMccd-0004lU-16; Fri, 21 Nov 2025 20:41:07 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcaZ-00030T-Vg; Fri, 21 Nov 2025 20:41:02 -0500 Received: from tsrv.corpit.ru 
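Review bot: In the packet-split branch of patch 52/81 (e1000e_write_packet_to_guest(), hw/net/e1000e_core.c), `rx_desc_buf_size -= core->rxbuf_sizes[0];` is an unchecked subtraction on a `size_t`, and the clamp `if (copy_size > rx_desc_buf_size)` that follows is only sound if that subtraction cannot wrap. The hunk does not show how `core->rx_desc_buf_size` relates to `rxbuf_sizes[0]`; please state the invariant in the comment above the `rx_desc_buf_size` declaration, or check `rx_desc_buf_size >= core->rxbuf_sizes[0]` before subtracting, since a wrapped value would turn the clamp into a no-op.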
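Review bot: In the final hunk of patch 52/81, the FCS condition `desc_offset >= size && desc_offset < total_size` is evaluated before `desc_offset += desc_size`, so it can only hold in an iteration that starts at or beyond the end of the payload. A descriptor in which the payload finishes with `rx_desc_buf_size` still non-zero therefore never receives the checksum bytes and they go to the following descriptor, whereas the removed code tested `desc_offset + desc_size >= total_size`. If that is intended, the new comment should say so; otherwise the test, and `total_size - desc_offset` in `fcs_len`, need to account for this iteration's `desc_size`.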
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Akihiko Odaki, Jason Wang, Michael Tokarev
Subject: [Stable-10.0.7 53/81] hw/net/e1000e_core: Adjust e1000e_write_payload_frag_to_rx_buffers() assert
Date: Fri, 21 Nov 2025 21:43:52 +0300
Message-ID: <20251121184424.1137669-53-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Peter Maydell An assertion in e1000e_write_payload_frag_to_rx_buffers() attempts to guard against the calling code accidentally trying to write too much data to a single RX descriptor, such that the E1000EBAState::cur_idx indexes off the end of the EB1000BAState::written[] array. Unfortunately it is overzealous: it asserts that cur_idx is in range after it has been incremented. This will fire incorrectly for the case where the guest configures four buffers and exactly enough bytes are written to fill all four of them. The only places where we use cur_idx and index in to the written[] array are the functions e1000e_write_hdr_frag_to_rx_buffers() and e1000e_write_payload_frag_to_rx_buffers(), so we can rewrite this to assert before doing the array dereference, rather than asserting after updating cur_idx. Cc: qemu-stable@nongnu.org Reviewed-by: Akihiko Odaki Signed-off-by: Peter Maydell Signed-off-by: Jason Wang (cherry picked from commit bab496a18358643b686f69e2b97d73fb98d37e79) Signed-off-by: Michael Tokarev diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c index 58a34125e9..a2df627119 100644 --- a/hw/net/e1000e_core.c +++ b/hw/net/e1000e_core.c @@ -1392,10 +1392,13 @@ e1000e_write_payload_frag_to_rx_buffers(E1000ECore = *core, dma_addr_t data_len) { while (data_len > 0) { - uint32_t cur_buf_len =3D core->rxbuf_sizes[bastate->cur_idx]; - uint32_t cur_buf_bytes_left =3D cur_buf_len - - bastate->written[bastate->cur_idx]; - uint32_t bytes_to_write =3D MIN(data_len, cur_buf_bytes_left); + uint32_t cur_buf_len, cur_buf_bytes_left, bytes_to_write; + + assert(bastate->cur_idx < MAX_PS_BUFFERS); + + cur_buf_len =3D core->rxbuf_sizes[bastate->cur_idx]; + cur_buf_bytes_left =3D cur_buf_len - bastate->written[bastate->cur= _idx]; + bytes_to_write =3D MIN(data_len, cur_buf_bytes_left); =20 trace_e1000e_rx_desc_buff_write(bastate->cur_idx, ba[bastate->cur_idx], 
@@ -1414,8 +1417,6 @@ e1000e_write_payload_frag_to_rx_buffers(E1000ECore *c= ore, if (bastate->written[bastate->cur_idx] =3D=3D cur_buf_len) { bastate->cur_idx++; } - - assert(bastate->cur_idx < MAX_PS_BUFFERS); } } =20 --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763780001721203.8070776808371; Fri, 21 Nov 2025 18:53:21 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMd3x-0002NX-6c; Fri, 21 Nov 2025 21:09:22 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcSq-0008AO-T6; Fri, 21 Nov 2025 20:31:01 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcQp-0000pB-E0; Fri, 21 Nov 2025 20:30:57 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 1117716CA71; Fri, 21 Nov 2025 21:44:27 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 8DD82321CAD; Fri, 21 Nov 2025 21:44:35 +0300 (MSK) 
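Review bot: The commit message of patch 53/81 names both e1000e_write_hdr_frag_to_rx_buffers() and e1000e_write_payload_frag_to_rx_buffers() as the places that index `written[]` with `cur_idx`, but the new `assert(bastate->cur_idx < MAX_PS_BUFFERS);` before the dereference is added only in the payload function. With the post-increment assert removed, `cur_idx == MAX_PS_BUFFERS` becomes a legal state on return, so every reader of `written[cur_idx]` needs its own guard: either add the same pre-dereference check to the header function or note in a comment why `cur_idx` cannot be out of range there.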
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Akihiko Odaki, Jason Wang, Michael Tokarev
Subject: [Stable-10.0.7 54/81] net: pad packets to minimum length in qemu_receive_packet()
Date: Fri, 21 Nov 2025 21:43:53 +0300
Message-ID: <20251121184424.1137669-54-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Peter Maydell

In commits like 969e50b61a28 ("net: Pad short frames to minimum size before sending from SLiRP/TAP") we switched away from requiring network devices to handle short frames to instead having the net core code do the padding of short frames out to the ETH_ZLEN minimum size. We then dropped the code for handling short frames from the network devices in a series of commits like 140eae9c8f7 ("hw/net: e1000: Remove the logic of padding short frames in the receive path").

This missed one route where the device's receive code can still see a short frame: if the device is in loopback mode and it transmits a short frame via the qemu_receive_packet() function, this will be fed back into its own receive code without being padded.

Add the padding logic to qemu_receive_packet().

This fixes a buffer overrun which can be triggered in the e1000_receive_iov() logic via the loopback code path.

Other devices that use qemu_receive_packet() to implement loopback are cadence_gem, dp8393x, lan9118, msf2-emac, pcnet, rtl8139 and sungem.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3043
Reviewed-by: Akihiko Odaki
Signed-off-by: Peter Maydell
Signed-off-by: Jason Wang
(cherry picked from commit a01344d9d78089e9e585faaeb19afccff2050abf)
Signed-off-by: Michael Tokarev
diff --git a/net/net.c b/net/net.c index 39d6f28158..c2d0d83bc9 100644 --- a/net/net.c +++ b/net/net.c
@@ -757,10 +757,20 @@ ssize_t qemu_send_packet(NetClientState *nc, const ui= nt8_t *buf, int size) =20 ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int si= ze) { + uint8_t min_pkt[ETH_ZLEN]; + size_t min_pktsz =3D sizeof(min_pkt); + if (!qemu_can_receive_packet(nc)) { return 0; } =20 + if (net_peer_needs_padding(nc)) { + if (eth_pad_short_frame(min_pkt, &min_pktsz, buf, size)) { + buf =3D min_pkt; + size =3D min_pktsz; + } + } + return qemu_net_queue_receive(nc->incoming_queue, buf, size); } =20 --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763784166926215.71708479719405; Fri, 21 Nov 2025 20:02:46 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMcwB-0001jw-1X; Fri, 21 Nov 2025 21:01:20 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMc7J-00053P-K5; Fri, 21 Nov 2025 20:08:45 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMc79-0003xK-5c; Fri, 21 Nov 2025 20:08:42 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 2404716CA72; Fri, 21 Nov 2025 21:44:27 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id D50D1321CAE; Fri, 21 Nov 2025 21:44:35 +0300 (MSK) 
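Review bot: In qemu_receive_packet() (patch 54/81, net/net.c) the padding is gated on `net_peer_needs_padding(nc)`, which describes the peer, while on this loopback path the frame is consumed by `nc`'s own receive code through `nc->incoming_queue`. Since the commit message says the devices no longer handle short frames themselves, please confirm, and document next to the check, that there is no configuration in which this returns false and a frame shorter than ETH_ZLEN still reaches the device; if there is one, the pad should be unconditional on this path.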
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Philippe Mathieu-Daudé, "Edgar E. Iglesias", Michael Tokarev
Subject: [Stable-10.0.7 55/81] hw/display/xlnx_dp.c: Don't abort on AUX FIFO overrun/underrun
Date: Fri, 21 Nov 2025 21:43:54 +0300
Message-ID: <20251121184424.1137669-55-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Peter Maydell

The documentation of the Xilinx DisplayPort subsystem at https://www.xilinx.com/support/documents/ip_documentation/v_dp_txss1/v3_1/pg299-v-dp-txss1.pdf doesn't say what happens if a guest tries to issue an AUX write command with a length greater than the amount of data in the AUX write FIFO, or tries to write more data to the write FIFO than it can hold, or issues multiple commands that put data into the AUX read FIFO without reading it such that it overflows.

Currently QEMU will abort() in these guest-error situations, either in xlnx_dp.c itself or in the fifo8 code. Make these cases all be logged as guest errors instead. We choose to ignore the new data on overflow, and return 0 on underflow. This is in line with how we handled the "read from empty RX FIFO" case in commit a09ef5040477.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1418
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1419
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1424
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Edgar E. Iglesias
Message-id: 20251106145209.1083998-2-peter.maydell@linaro.org
(cherry picked from commit f52db7f34242d3398bab0bacaa3e5dde99be5258)
Signed-off-by: Michael Tokarev
diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c index 1272da0133..1ca7ab860d 100644 --- a/hw/display/xlnx_dp.c +++ b/hw/display/xlnx_dp.c
@@ -435,7 +435,18 @@ static void xlnx_dp_aux_clear_rx_fifo(XlnxDPState *s) =20 static void xlnx_dp_aux_push_rx_fifo(XlnxDPState *s, uint8_t *buf, size_t = len) { + size_t avail =3D fifo8_num_free(&s->rx_fifo); DPRINTF("Push %u data in rx_fifo\n", (unsigned)len); + if (len > avail) { + /* + * Data sheet doesn't specify behaviour here: we choose to ignore + * the excess data. + */ + qemu_log_mask(LOG_GUEST_ERROR, + "%s: ignoring %zu bytes pushed to full RX_FIFO\n", + __func__, len - avail); + len =3D avail; + } fifo8_push_all(&s->rx_fifo, buf, len); } =20 @@ -466,7 +477,18 @@ static void xlnx_dp_aux_clear_tx_fifo(XlnxDPState *s) =20 static void xlnx_dp_aux_push_tx_fifo(XlnxDPState *s, uint8_t *buf, size_t = len) { + size_t avail =3D fifo8_num_free(&s->tx_fifo); DPRINTF("Push %u data in tx_fifo\n", (unsigned)len); + if (len > avail) { + /* + * Data sheet doesn't specify behaviour here: we choose to ignore + * the excess data. + */ + qemu_log_mask(LOG_GUEST_ERROR, + "%s: ignoring %zu bytes pushed to full TX_FIFO\n", + __func__, len - avail); + len =3D avail; + } fifo8_push_all(&s->tx_fifo, buf, len); } =20 
@@ -475,8 +497,10 @@ static uint8_t xlnx_dp_aux_pop_tx_fifo(XlnxDPState *s) uint8_t ret; =20 if (fifo8_is_empty(&s->tx_fifo)) { - error_report("%s: TX_FIFO underflow", __func__); - abort(); + /* Data sheet doesn't specify behaviour here: we choose to return = 0 */ + qemu_log_mask(LOG_GUEST_ERROR, "%s: attempt to read empty TX_FIFO\= n", + __func__); + return 0; } ret =3D fifo8_pop(&s->tx_fifo); DPRINTF("pop 0x%2.2X from tx_fifo.\n", ret); --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763781047672542.86869683432; Fri, 21 Nov 2025 19:10:47 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMcql-0005Tr-Lr; Fri, 21 Nov 2025 20:55:44 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMbmt-0001Ql-Lo; Fri, 21 Nov 2025 19:47:39 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMbmi-0008An-7T; Fri, 21 Nov 2025 19:47:35 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 3949116CA73; Fri, 21 Nov 2025 21:44:27 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id E82DD321CAF; Fri, 21 Nov 2025 21:44:35 +0300 (MSK) 
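Review bot: In xlnx_dp_aux_push_rx_fifo() and xlnx_dp_aux_push_tx_fifo() (patch 55/81, hw/display/xlnx_dp.c) the new clamp block is duplicated verbatim apart from the FIFO name, and in both functions the `DPRINTF("Push %u data in ...")` runs before the clamp, so the debug trace reports the requested length rather than the number of bytes actually pushed. Consider one shared helper that takes the FIFO pointer and its name, and move the DPRINTF after `len = avail;`.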
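Review bot: In xlnx_dp_aux_pop_tx_fifo() (patch 55/81) the underflow path now does `return 0;`, which a caller cannot tell apart from a genuine zero data byte, so a command that asks for more bytes than the TX FIFO holds (the case the commit message describes) would carry on with zeroes standing in for the missing data. The comment records the choice for the read itself; please also say here whether letting the command proceed with that padding is intended, or have the caller stop at the first underflow.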
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, "Edgar E. Iglesias", Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.0.7 56/81] hw/display/xlnx_dp: Don't abort for unsupported graphics formats
Date: Fri, 21 Nov 2025 21:43:55 +0300
Message-ID: <20251121184424.1137669-56-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Peter Maydell

If the guest writes an invalid or unsupported value to the AV_BUF_FORMAT register, currently we abort(). Instead, log this as either a guest error or an unimplemented error and continue.

The existing code treats DP_NL_VID_CB_Y0_CR_Y1 as x8b8g8r8 via a "case 0" that does not use the enum constant name for some reason; we leave that alone beyond adding a comment about the weird code.

Documentation of this register seems to be at: https://docs.amd.com/r/en-US/ug1087-zynq-ultrascale-registers/AV_BUF_FORMAT-DISPLAY_PORT-Register

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1415
Signed-off-by: Peter Maydell Reviewed-by: Edgar E. Iglesias Reviewed-by: Philippe Mathieu-Daud=C3=A9 Message-id: 20251106145209.1083998-3-peter.maydell@linaro.org (cherry picked from commit 032333eba77b83dfbd74071cc2971f0bda9a3d4f) Signed-off-by: Michael Tokarev diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c index 1ca7ab860d..6fd5601635 100644 --- a/hw/display/xlnx_dp.c +++ b/hw/display/xlnx_dp.c @@ -665,14 +665,28 @@ static void xlnx_dp_change_graphic_fmt(XlnxDPState *s) case DP_GRAPHIC_BGR888: s->g_plane.format =3D PIXMAN_b8g8r8; break; + case DP_GRAPHIC_RGBA5551: + case DP_GRAPHIC_RGBA4444: + case DP_GRAPHIC_8BPP: + case DP_GRAPHIC_4BPP: + case DP_GRAPHIC_2BPP: + case DP_GRAPHIC_1BPP: + qemu_log_mask(LOG_UNIMP, "%s: unimplemented graphic format %u", + __func__, + s->avbufm_registers[AV_BUF_FORMAT] & DP_GRAPHIC_MASK= ); + s->g_plane.format =3D PIXMAN_r8g8b8a8; + break; default: - error_report("%s: unsupported graphic format %u", __func__, - s->avbufm_registers[AV_BUF_FORMAT] & DP_GRAPHIC_MASK); - abort(); + qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid graphic format %u", + __func__, + s->avbufm_registers[AV_BUF_FORMAT] & DP_GRAPHIC_MASK= ); + s->g_plane.format =3D PIXMAN_r8g8b8a8; + break; } =20 switch (s->avbufm_registers[AV_BUF_FORMAT] & DP_NL_VID_FMT_MASK) { case 0: + /* This is DP_NL_VID_CB_Y0_CR_Y1 ??? */ s->v_plane.format =3D PIXMAN_x8b8g8r8; break; case DP_NL_VID_Y0_CB_Y1_CR: 
@@ -681,10 +695,39 @@ static void xlnx_dp_change_graphic_fmt(XlnxDPState *s) case DP_NL_VID_RGBA8880: s->v_plane.format =3D PIXMAN_x8b8g8r8; break; + case DP_NL_VID_CR_Y0_CB_Y1: + case DP_NL_VID_Y0_CR_Y1_CB: + case DP_NL_VID_YV16: + case DP_NL_VID_YV24: + case DP_NL_VID_YV16CL: + case DP_NL_VID_MONO: + case DP_NL_VID_YV16CL2: + case DP_NL_VID_YUV444: + case DP_NL_VID_RGB888: + case DP_NL_VID_RGB888_10BPC: + case DP_NL_VID_YUV444_10BPC: + case DP_NL_VID_YV16CL2_10BPC: + case DP_NL_VID_YV16CL_10BPC: + case DP_NL_VID_YV16_10BPC: + case DP_NL_VID_YV24_10BPC: + case DP_NL_VID_Y_ONLY_10BPC: + case DP_NL_VID_YV16_420: + case DP_NL_VID_YV16CL_420: + case DP_NL_VID_YV16CL2_420: + case DP_NL_VID_YV16_420_10BPC: + case DP_NL_VID_YV16CL_420_10BPC: + case DP_NL_VID_YV16CL2_420_10BPC: + qemu_log_mask(LOG_UNIMP, "%s: unimplemented video format %u", + __func__, + s->avbufm_registers[AV_BUF_FORMAT] & DP_NL_VID_FMT_M= ASK); + s->v_plane.format =3D PIXMAN_x8b8g8r8; + break; default: - error_report("%s: unsupported video format %u", __func__, - s->avbufm_registers[AV_BUF_FORMAT] & DP_NL_VID_FMT_MA= SK); - abort(); + qemu_log_mask(LOG_UNIMP, "%s: invalid video format %u", + __func__, + s->avbufm_registers[AV_BUF_FORMAT] & DP_NL_VID_FMT_M= ASK); + s->v_plane.format =3D PIXMAN_x8b8g8r8; + break; } =20 xlnx_dp_recreate_surface(s); --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763785475095516.6271389819378; Fri, 21 Nov 2025 20:24:35 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMd2T-0001SH-R5; Fri, 21 Nov 2025 21:07:50 -0500 Received: from eggs.gnu.org 
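Review bot: In the second `switch` of xlnx_dp_change_graphic_fmt() (patch 56/81, hw/display/xlnx_dp.c) the `default:` case logs "invalid video format" with `LOG_UNIMP`, while the matching `default:` of the graphics switch uses `LOG_GUEST_ERROR` for "invalid graphic format". The listed `DP_NL_VID_*` cases already take the unimplemented formats, so the video default looks like it should be `LOG_GUEST_ERROR` as well.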
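Review bot: None of the four new `qemu_log_mask()` format strings in patch 56/81 ("%s: unimplemented graphic format %u", "%s: invalid graphic format %u" and the two video equivalents) ends in "\n". The two default-case messages replace `error_report()` calls, which add the newline themselves; `qemu_log_mask()` does not, so these messages will run into the next log line. Append "\n" to each string.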
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.0.7 57/81] hw/misc/npcm_clk: Don't divide by zero when calculating frequency
Date: Fri, 21 Nov 2025 21:43:56 +0300
Message-ID: <20251121184424.1137669-57-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Peter Maydell

If the guest misprograms the PLL registers to request a zero divisor, we currently fall over with a division by zero:

    ../../hw/misc/npcm_clk.c:221:14: runtime error: division by zero
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../hw/misc/npcm_clk.c:221:14

    Thread 1 "qemu-system-aar" received signal SIGFPE, Arithmetic exception.
    0x00005555584d8f6d in npcm7xx_clk_update_pll (opaque=0x7fffed159a20) at ../../hw/misc/npcm_clk.c:221
    221 freq /= PLLCON_INDV(con) * PLLCON_OTDV1(con) * PLLCON_OTDV2(con);

Avoid this by treating this invalid setting like a stopped clock (setting freq to 0).

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/549
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Message-id: 20251107150137.1353532-1-peter.maydell@linaro.org
(cherry picked from commit 5fc50b4ec841c8a01e7346c2c804088fc3accb6b)
Signed-off-by: Michael Tokarev
diff --git a/hw/misc/npcm_clk.c b/hw/misc/npcm_clk.c index b6a893ffb2..e6b28c7a57 100644 --- a/hw/misc/npcm_clk.c +++ b/hw/misc/npcm_clk.c 
@@ -212,13 +212,14 @@ static void npcm7xx_clk_update_pll(void *opaque) { NPCM7xxClockPLLState *s =3D opaque; uint32_t con =3D s->clk->regs[s->reg]; - uint64_t freq; + uint64_t freq, freq_div; =20 /* The PLL is grounded if it is not locked yet. */ if (con & PLLCON_LOKI) { freq =3D clock_get_hz(s->clock_in); freq *=3D PLLCON_FBDV(con); - freq /=3D PLLCON_INDV(con) * PLLCON_OTDV1(con) * PLLCON_OTDV2(con); + freq_div =3D PLLCON_INDV(con) * PLLCON_OTDV1(con) * PLLCON_OTDV2(c= on); + freq =3D freq_div ? freq / freq_div : 0; } else { freq =3D 0; } --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763779657192678.2324099958668; Fri, 21 Nov 2025 18:47:37 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMd4U-0002na-93; Fri, 21 Nov 2025 21:09:55 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcmK-0002eR-Jh; Fri, 21 Nov 2025 20:51:08 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMckF-0005Qp-UT; Fri, 21 Nov 2025 20:51:03 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id CE28A16CA75; Fri, 21 Nov 2025 21:44:27 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 8C8BC321CB1; Fri, 21 Nov 2025 21:44:36 +0300 (MSK) 
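Review bot: The zero-divisor case in npcm7xx_clk_update_pll() is now handled silently: "freq = freq_div ? freq / freq_div : 0;" leaves no trace that the PLLCON value was invalid. The commit message describes this as the guest misprogramming the PLL registers, so a qemu_log_mask(LOG_GUEST_ERROR, ...) on the freq_div == 0 path would make the condition visible when debugging a guest. The existing comment "The PLL is grounded if it is not locked yet" should also be extended to say that a zero divisor is treated as a stopped clock.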
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Vincent Vanlaer , Vladimir Sementsov-Ogievskiy , Michael Tokarev Subject: [Stable-10.0.7 58/81] block: get type of block allocation in commit_run Date: Fri, 21 Nov 2025 21:43:57 +0300 Message-ID: <20251121184424.1137669-58-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763779659011018900 Content-Type: text/plain; charset="utf-8" From: Vincent Vanlaer bdrv_co_common_block_status_above not only returns whether the block is allocated, but also if it contains zeroes. Signed-off-by: Vincent Vanlaer Reviewed-by: Vladimir Sementsov-Ogievskiy Message-Id: <20241026163010.2865002-2-libvirt-e6954efa@volkihar.be> Signed-off-by: Vladimir Sementsov-Ogievskiy (cherry picked from commit 71365ee433125026d9744a0a37142c81ff312b53) Signed-off-by: Michael Tokarev diff --git a/block/commit.c b/block/commit.c index 5df3d05346..ba0ba59316 100644 --- a/block/commit.c +++ b/block/commit.c @@ -15,6 +15,8 @@ #include "qemu/osdep.h" #include "qemu/cutils.h" #include "trace.h" +#include "block/block-common.h" +#include "block/coroutines.h" #include "block/block_int.h" #include "block/blockjob_int.h" #include "qapi/error.h" 
@@ -167,9 +169,13 @@ static int coroutine_fn commit_run(Job *job, Error **e= rrp) break; } /* Copy if allocated above the base */ - ret =3D blk_co_is_allocated_above(s->top, s->base_overlay, true, - offset, COMMIT_BUFFER_SIZE, &n); - copy =3D (ret > 0); + WITH_GRAPH_RDLOCK_GUARD() { + ret =3D bdrv_co_common_block_status_above(blk_bs(s->top), + s->base_overlay, true, true, offset, COMMIT_BUFFER_SIZE, + &n, NULL, NULL, NULL); + } + + copy =3D (ret >=3D 0 && ret & BDRV_BLOCK_ALLOCATED); trace_commit_one_iteration(s, offset, n, ret); if (copy) { assert(n < SIZE_MAX); --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 176377999142869.16773333644744; Fri, 21 Nov 2025 18:53:11 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMd3b-0002Bq-GL; Fri, 21 Nov 2025 21:09:00 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcQP-0006qR-Rr; Fri, 21 Nov 2025 20:28:29 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcON-0000BT-AX; Fri, 21 Nov 2025 20:28:25 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id DF3B016CA76; Fri, 21 Nov 2025 21:44:27 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 9E478321CB2; Fri, 21 Nov 2025 21:44:36 +0300 (MSK) 
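Review bot: In commit_run(), "copy = (ret >= 0 && ret & BDRV_BLOCK_ALLOCATED);" relies on "&" binding tighter than "&&"; putting "(ret & BDRV_BLOCK_ALLOCATED)" in its own parentheses makes the intent obvious to a reader. The bare "true, true" and "NULL, NULL, NULL" arguments to bdrv_co_common_block_status_above() are hard to read at the call site, and a one-line comment naming what they select would help. The commit message says the call also reports zeroes, but nothing in this hunk inspects BDRV_BLOCK_ZERO yet, so it is worth saying that a later patch in the series is the consumer.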
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Vincent Vanlaer, Vladimir Sementsov-Ogievskiy, Michael Tokarev
Subject: [Stable-10.0.7 59/81] block: move commit_run loop to separate function
Date: Fri, 21 Nov 2025 21:43:58 +0300
Message-ID: <20251121184424.1137669-59-mjt@tls.msk.ru>

From: Vincent Vanlaer

Signed-off-by: Vincent Vanlaer
Reviewed-by: Vladimir Sementsov-Ogievskiy
Message-Id: <20241026163010.2865002-3-libvirt-e6954efa@volkihar.be>
Signed-off-by: Vladimir Sementsov-Ogievskiy
(cherry picked from commit 23743ab282af4fbb80fdc049bff2c93668c73c83)
Signed-off-by: Michael Tokarev
diff --git a/block/commit.c b/block/commit.c index ba0ba59316..3ee0ade7df 100644 --- a/block/commit.c +++ b/block/commit.c 
@@ -128,6 +128,55 @@ static void commit_clean(Job *job) blk_unref(s->top); } =20 +static int commit_iteration(CommitBlockJob *s, int64_t offset, + int64_t *n, void *buf) +{ + int ret =3D 0; + bool copy; + bool error_in_source =3D true; + + /* Copy if allocated above the base */ + WITH_GRAPH_RDLOCK_GUARD() { + ret =3D bdrv_co_common_block_status_above(blk_bs(s->top), + s->base_overlay, true, true, offset, COMMIT_BUFFER_SIZE, + n, NULL, NULL, NULL); + } + + copy =3D (ret >=3D 0 && ret & BDRV_BLOCK_ALLOCATED); + trace_commit_one_iteration(s, offset, *n, ret); + if (copy) { + assert(*n < SIZE_MAX); + + ret =3D blk_co_pread(s->top, offset, *n, buf, 0); + if (ret >=3D 0) { + ret =3D blk_co_pwrite(s->base, offset, *n, buf, 0); + if (ret < 0) { + error_in_source =3D false; + } + } + } + if (ret < 0) { + BlockErrorAction action =3D block_job_error_action(&s->common, + s->on_error, + error_in_source, + -ret); + if (action =3D=3D BLOCK_ERROR_ACTION_REPORT) { + return ret; + } else { + *n =3D 0; + return 0; + } + } + /* Publish progress */ + job_progress_update(&s->common.job, *n); + + if (copy) { + block_job_ratelimit_processed_bytes(&s->common, *n); + } + + return 0; +} + static int coroutine_fn commit_run(Job *job, Error **errp) { CommitBlockJob *s =3D container_of(job, CommitBlockJob, common.job); @@ -158,9 +207,6 @@ static int coroutine_fn commit_run(Job *job, Error **er= rp) buf =3D blk_blockalign(s->top, COMMIT_BUFFER_SIZE); =20 for (offset =3D 0; offset < len; offset +=3D n) { - bool copy; - bool error_in_source =3D true; - /* Note that even when no rate limit is applied we need to yield * with no pending I/O here so that bdrv_drain_all() returns. */ 
@@ -168,42 +214,11 @@ static int coroutine_fn commit_run(Job *job, Error **= errp) if (job_is_cancelled(&s->common.job)) { break; } - /* Copy if allocated above the base */ - WITH_GRAPH_RDLOCK_GUARD() { - ret =3D bdrv_co_common_block_status_above(blk_bs(s->top), - s->base_overlay, true, true, offset, COMMIT_BUFFER_SIZE, - &n, NULL, NULL, NULL); - } =20 - copy =3D (ret >=3D 0 && ret & BDRV_BLOCK_ALLOCATED); - trace_commit_one_iteration(s, offset, n, ret); - if (copy) { - assert(n < SIZE_MAX); - - ret =3D blk_co_pread(s->top, offset, n, buf, 0); - if (ret >=3D 0) { - ret =3D blk_co_pwrite(s->base, offset, n, buf, 0); - if (ret < 0) { - error_in_source =3D false; - } - } - } - if (ret < 0) { - BlockErrorAction action =3D - block_job_error_action(&s->common, s->on_error, - error_in_source, -ret); - if (action =3D=3D BLOCK_ERROR_ACTION_REPORT) { - return ret; - } else { - n =3D 0; - continue; - } - } - /* Publish progress */ - job_progress_update(&s->common.job, n); + ret =3D commit_iteration(s, offset, &n, buf); =20 - if (copy) { - block_job_ratelimit_processed_bytes(&s->common, n); + if (ret < 0) { + return ret; } } =20 --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763787639160656.108926741645; Fri, 21 Nov 2025 21:00:39 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMcws-0002LK-0B; Fri, 21 Nov 2025 21:02:03 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMc1P-0001eb-6j; Fri, 21 Nov 2025 20:02:39 -0500 Received: from isrv.corpit.ru 
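Review bot: commit_iteration() is declared as plain "static int", but it calls bdrv_co_common_block_status_above(), blk_co_pread() and blk_co_pwrite() and its only caller is "static int coroutine_fn commit_run(...)", so the new function should carry the coroutine_fn marker too. The commit message has no body; one sentence stating that this is a pure code move with no behaviour change (the old "n = 0; continue;" becomes "*n = 0; return 0;") would make the backport easier to audit.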
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Vincent Vanlaer, Vladimir Sementsov-Ogievskiy, Michael Tokarev
Subject: [Stable-10.0.7 60/81] block: refactor error handling of commit_iteration
Date: Fri, 21 Nov 2025 21:43:59 +0300
Message-ID: <20251121184424.1137669-60-mjt@tls.msk.ru>

From: Vincent Vanlaer

Signed-off-by: Vincent Vanlaer
Message-Id: <20241026163010.2865002-4-libvirt-e6954efa@volkihar.be>
[vsementsov]: move action declaration to the top of the function
Signed-off-by: Vladimir Sementsov-Ogievskiy
(cherry picked from commit 0648c76ad198e91515771fbbeaac3a3807669a4a)
Signed-off-by: Michael Tokarev
diff --git a/block/commit.c b/block/commit.c index 3ee0ade7df..5c6596a52e 100644 --- a/block/commit.c +++ b/block/commit.c 
@@ -129,51 +129,60 @@ static void commit_clean(Job *job) } =20 static int commit_iteration(CommitBlockJob *s, int64_t offset, - int64_t *n, void *buf) + int64_t *requested_bytes, void *buf) { + BlockErrorAction action; + int64_t bytes =3D *requested_bytes; int ret =3D 0; - bool copy; bool error_in_source =3D true; =20 /* Copy if allocated above the base */ WITH_GRAPH_RDLOCK_GUARD() { ret =3D bdrv_co_common_block_status_above(blk_bs(s->top), s->base_overlay, true, true, offset, COMMIT_BUFFER_SIZE, - n, NULL, NULL, NULL); + &bytes, NULL, NULL, NULL); } =20 - copy =3D (ret >=3D 0 && ret & BDRV_BLOCK_ALLOCATED); - trace_commit_one_iteration(s, offset, *n, ret); - if (copy) { - assert(*n < SIZE_MAX); + trace_commit_one_iteration(s, offset, bytes, ret); =20 - ret =3D blk_co_pread(s->top, offset, *n, buf, 0); - if (ret >=3D 0) { - ret =3D blk_co_pwrite(s->base, offset, *n, buf, 0); - if (ret < 0) { - error_in_source =3D false; - } - } - } if (ret < 0) { - BlockErrorAction action =3D block_job_error_action(&s->common, - s->on_error, - error_in_source, - -ret); - if (action =3D=3D BLOCK_ERROR_ACTION_REPORT) { - return ret; - } else { - *n =3D 0; - return 0; + goto fail; + } + + if (ret & BDRV_BLOCK_ALLOCATED) { + assert(bytes < SIZE_MAX); + + ret =3D blk_co_pread(s->top, offset, bytes, buf, 0); + if (ret < 0) { + goto fail; } + + ret =3D blk_co_pwrite(s->base, offset, bytes, buf, 0); + if (ret < 0) { + error_in_source =3D false; + goto fail; + } + + block_job_ratelimit_processed_bytes(&s->common, bytes); } + /* Publish progress */ - job_progress_update(&s->common.job, *n); =20 - if (copy) { - block_job_ratelimit_processed_bytes(&s->common, *n); + job_progress_update(&s->common.job, bytes); + + *requested_bytes =3D bytes; + + return 0; + +fail: + action =3D block_job_error_action(&s->common, s->on_error, + error_in_source, -ret); + if (action =3D=3D BLOCK_ERROR_ACTION_REPORT) { + return ret; } =20 + *requested_bytes =3D 0; + return 0; } =20 --=20 2.47.3 From nobody Tue Feb 
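Review bot: In commit_iteration(), "int64_t bytes = *requested_bytes;" reads the caller's value only for it to be overwritten through the "&bytes" out-parameter of bdrv_co_common_block_status_above(), and the length actually requested is COMMIT_BUFFER_SIZE, so the name requested_bytes suggests an input that is never used. Initialising bytes to 0 and naming the parameter for what it returns (the bytes handled in this iteration) would match the behaviour. The rewrite also leaves the "/* Publish progress */" comment separated by a blank line from the job_progress_update() call it describes.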
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Vincent Vanlaer, Vladimir Sementsov-Ogievskiy, Michael Tokarev
Subject: [Stable-10.0.7 61/81] block: allow commit to unmap zero blocks
Date: Fri, 21 Nov 2025 21:44:00 +0300
Message-ID: <20251121184424.1137669-61-mjt@tls.msk.ru>

From: Vincent Vanlaer

Non-active block commits do not discard blocks only containing zeros, causing images to lose sparseness after the commit. This commit fixes that by writing zero blocks using blk_co_pwrite_zeroes rather than writing them out as any other arbitrary data.

Signed-off-by: Vincent Vanlaer
Reviewed-by: Vladimir Sementsov-Ogievskiy
Message-Id: <20241026163010.2865002-5-libvirt-e6954efa@volkihar.be>
Signed-off-by: Vladimir Sementsov-Ogievskiy
(cherry picked from commit 6f3199f99600fe75f32f78574e507f347de80854)
Signed-off-by: Michael Tokarev
diff --git a/block/commit.c b/block/commit.c index 5c6596a52e..7cc8c0f0df 100644 --- a/block/commit.c +++ b/block/commit.c 
@@ -150,19 +150,39 @@ static int commit_iteration(CommitBlockJob *s, int64_= t offset, } =20 if (ret & BDRV_BLOCK_ALLOCATED) { - assert(bytes < SIZE_MAX); + if (ret & BDRV_BLOCK_ZERO) { + /* + * If the top (sub)clusters are smaller than the base + * (sub)clusters, this will not unmap unless the underlying de= vice + * does some tracking of these requests. Ideally, we would find + * the maximal extent of the zero clusters. + */ + ret =3D blk_co_pwrite_zeroes(s->base, offset, bytes, + BDRV_REQ_MAY_UNMAP); + if (ret < 0) { + error_in_source =3D false; + goto fail; + } + } else { + assert(bytes < SIZE_MAX); =20 - ret =3D blk_co_pread(s->top, offset, bytes, buf, 0); - if (ret < 0) { - goto fail; - } + ret =3D blk_co_pread(s->top, offset, bytes, buf, 0); + if (ret < 0) { + goto fail; + } =20 - ret =3D blk_co_pwrite(s->base, offset, bytes, buf, 0); - if (ret < 0) { - error_in_source =3D false; - goto fail; + ret =3D blk_co_pwrite(s->base, offset, bytes, buf, 0); + if (ret < 0) { + error_in_source =3D false; + goto fail; + } } =20 + /* + * Whether zeroes actually end up on disk depends on the details of + * the underlying driver. Therefore, this might rate limit more th= an + * is necessary. 
+ */ block_job_ratelimit_processed_bytes(&s->common, bytes); } =20 --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763782125448982.6692082227095; Fri, 21 Nov 2025 19:28:45 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMcyB-0003S6-GG; Fri, 21 Nov 2025 21:03:24 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMc6a-0004dt-Et; Fri, 21 Nov 2025 20:08:00 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMc4Y-0003Kw-TM; Fri, 21 Nov 2025 20:07:57 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 2009916CA79; Fri, 21 Nov 2025 21:44:28 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id D1E54321CB5; Fri, 21 Nov 2025 21:44:36 +0300 (MSK) 
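Review bot: The new BDRV_BLOCK_ZERO branch in commit_iteration() never touches buf, yet the extent it handles is still bounded by the COMMIT_BUFFER_SIZE passed to the status query, so a long zero run is issued as many small blk_co_pwrite_zeroes() requests. The in-code comment already says "Ideally, we would find the maximal extent of the zero clusters"; marking that as a TODO and noting that the buffer-size cap is the limiting factor would tell the next reader where to start. The rate-limit comment admits the job may be throttled more than necessary for zero writes, which is worth repeating in the commit message since it is a user-visible effect of the change.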
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Vincent Vanlaer, Vladimir Sementsov-Ogievskiy, Michael Tokarev
Subject: [Stable-10.0.7 62/81] block: add test non-active commit with zeroed data
Date: Fri, 21 Nov 2025 21:44:01 +0300
Message-ID: <20251121184424.1137669-62-mjt@tls.msk.ru>

From: Vincent Vanlaer

Signed-off-by: Vincent Vanlaer
Tested-by: Vladimir Sementsov-Ogievskiy
Reviewed-by: Vladimir Sementsov-Ogievskiy
Message-Id: <20241026163010.2865002-6-libvirt-e6954efa@volkihar.be>
Signed-off-by: Vladimir Sementsov-Ogievskiy
(cherry picked from commit 68aba2a9350345d109f8036f9eff68b81b1c2167)
Signed-off-by: Michael Tokarev
diff --git a/tests/qemu-iotests/tests/commit-zero-blocks b/tests/qemu-iotes= ts/tests/commit-zero-blocks new file mode 100755 index 0000000000..de00273e72 --- /dev/null +++ b/tests/qemu-iotests/tests/commit-zero-blocks 
@@ -0,0 +1,96 @@ +#!/usr/bin/env bash +# group: rw quick +# +# Test for commit of discarded blocks +# +# This tests committing a live snapshot where some of the blocks that +# are present in the base image are discarded in the intermediate image. +# This intends to check that these blocks are also discarded in the base +# image after the commit. +# +# Copyright (C) 2024 Vincent Vanlaer. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# creator +owner=3Dlibvirt-e6954efa@volkihar.be + +seq=3D`basename $0` +echo "QA output created by $seq" + +status=3D1 # failure is the default! + +_cleanup() +{ + _cleanup_qemu + _rm_test_img "${TEST_IMG}.base" + _rm_test_img "${TEST_IMG}.mid" + _cleanup_test_img +} +trap "_cleanup; exit \$status" 0 1 2 3 15 + +# get standard environment, filters and checks +cd .. +. ./common.rc +. ./common.filter +. 
./common.qemu + +_supported_fmt qcow2 +_supported_proto file + +size=3D"1M" + +TEST_IMG=3D"$TEST_IMG.base" _make_test_img $size +TEST_IMG=3D"$TEST_IMG.mid" _make_test_img -b "$TEST_IMG.base" -F $IMGFMT $= size +_make_test_img -b "${TEST_IMG}.mid" -F $IMGFMT $size + +$QEMU_IO -c "write -P 0x01 64k 128k" "$TEST_IMG.base" | _filter_qemu_io +$QEMU_IO -c "discard 64k 64k" "$TEST_IMG.mid" | _filter_qemu_io + +echo +echo "=3D=3D=3D Base image info before commit =3D=3D=3D" +TEST_IMG=3D"${TEST_IMG}.base" _img_info | _filter_img_info +$QEMU_IMG map --output=3Djson "$TEST_IMG.base" | _filter_qemu_img_map + +echo +echo "=3D=3D=3D Middle image info before commit =3D=3D=3D" +TEST_IMG=3D"${TEST_IMG}.mid" _img_info | _filter_img_info +$QEMU_IMG map --output=3Djson "$TEST_IMG.mid" | _filter_qemu_img_map + +echo +echo =3D=3D=3D Running QEMU Live Commit Test =3D=3D=3D +echo + +qemu_comm_method=3D"qmp" +_launch_qemu -drive file=3D"${TEST_IMG}",if=3Dvirtio,id=3Dtest +h=3D$QEMU_HANDLE + +_send_qemu_cmd $h "{ 'execute': 'qmp_capabilities' }" "return" + +_send_qemu_cmd $h "{ 'execute': 'block-commit', + 'arguments': { 'device': 'test', + 'top': '"${TEST_IMG}.mid"', + 'base': '"${TEST_IMG}.base"'} }" '"status= ": "null"' + +_cleanup_qemu + +echo +echo "=3D=3D=3D Base image info after commit =3D=3D=3D" +TEST_IMG=3D"${TEST_IMG}.base" _img_info | _filter_img_info +$QEMU_IMG map --output=3Djson "$TEST_IMG.base" | _filter_qemu_img_map + +# success, all done +echo "*** done" +rm -f $seq.full +status=3D0 diff --git a/tests/qemu-iotests/tests/commit-zero-blocks.out b/tests/qemu-i= otests/tests/commit-zero-blocks.out new file mode 100644 index 0000000000..85bdc46aaf --- /dev/null +++ b/tests/qemu-iotests/tests/commit-zero-blocks.out 
@@ -0,0 +1,54 @@ +QA output created by commit-zero-blocks +Formatting 'TEST_DIR/t.IMGFMT.base', fmt=3DIMGFMT size=3D1048576 +Formatting 'TEST_DIR/t.IMGFMT.mid', fmt=3DIMGFMT size=3D1048576 backing_fi= le=3DTEST_DIR/t.IMGFMT.base backing_fmt=3DIMGFMT +Formatting 'TEST_DIR/t.IMGFMT', fmt=3DIMGFMT size=3D1048576 backing_file= =3DTEST_DIR/t.IMGFMT.mid backing_fmt=3DIMGFMT +wrote 131072/131072 bytes at offset 65536 +128 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) +discard 65536/65536 bytes at offset 65536 +64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + +=3D=3D=3D Base image info before commit =3D=3D=3D +image: TEST_DIR/t.IMGFMT.base +file format: IMGFMT +virtual size: 1 MiB (1048576 bytes) +[{ "start": 0, "length": 65536, "depth": 0, "present": false, "zero": true= , "data": false, "compressed": false}, +{ "start": 65536, "length": 131072, "depth": 0, "present": true, "zero": f= alse, "data": true, "compressed": false, "offset": OFFSET}, +{ "start": 196608, "length": 851968, "depth": 0, "present": false, "zero":= true, "data": false, "compressed": false}] + +=3D=3D=3D Middle image info before commit =3D=3D=3D +image: TEST_DIR/t.IMGFMT.mid +file format: IMGFMT +virtual size: 1 MiB (1048576 bytes) +backing file: TEST_DIR/t.IMGFMT.base +backing file format: IMGFMT +[{ "start": 0, "length": 65536, "depth": 1, "present": false, "zero": true= , "data": false, "compressed": false}, +{ "start": 65536, "length": 65536, "depth": 0, "present": true, "zero": tr= ue, "data": false, "compressed": false}, +{ "start": 131072, "length": 65536, "depth": 1, "present": true, "zero": f= alse, "data": true, "compressed": false, "offset": OFFSET}, +{ "start": 196608, "length": 851968, "depth": 1, "present": false, "zero":= true, "data": false, "compressed": false}] + +=3D=3D=3D Running QEMU Live Commit Test =3D=3D=3D + +{ 'execute': 'qmp_capabilities' } +{"return": {}} +{ 'execute': 'block-commit', + 'arguments': { 'device': 'test', + 'top': 'TEST_DIR/t.IMGFMT.mid', + 
'base': 'TEST_DIR/t.IMGFMT.base'} } +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event"= : "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "test"}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event"= : "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "test"}} +{"return": {}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event"= : "JOB_STATUS_CHANGE", "data": {"status": "waiting", "id": "test"}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event"= : "JOB_STATUS_CHANGE", "data": {"status": "pending", "id": "test"}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event"= : "BLOCK_JOB_COMPLETED", "data": {"device": "test", "len": 1048576, "offset= ": 1048576, "speed": 0, "type": "commit"}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event"= : "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "test"}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event"= : "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "test"}} + +=3D=3D=3D Base image info after commit =3D=3D=3D +image: TEST_DIR/t.IMGFMT.base +file format: IMGFMT +virtual size: 1 MiB (1048576 bytes) +[{ "start": 0, "length": 65536, "depth": 0, "present": false, "zero": true= , "data": false, "compressed": false}, +{ "start": 65536, "length": 65536, "depth": 0, "present": true, "zero": tr= ue, "data": false, "compressed": false}, +{ "start": 131072, "length": 65536, "depth": 0, "present": true, "zero": f= alse, "data": true, "compressed": false, "offset": OFFSET}, +{ "start": 196608, "length": 851968, "depth": 0, "present": false, "zero":= true, "data": false, "compressed": false}] +*** done --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) 
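Review bot: The test creates base, mid and top with the same _make_test_img defaults, so the case that the code comment in the previous patch calls out (top (sub)clusters smaller than base (sub)clusters, where the zero write may not unmap) is not exercised; either add a second case with differing cluster sizes or say in the header comment that it is out of scope. In the script, "seq=`basename $0`" and "rm -f $seq.full" leave $0 and $seq unquoted, and $size is unquoted in the _make_test_img calls; quoting them keeps the test robust when paths contain spaces. The commit message has no body, so the header comment in the script is the only description of what the expected output is meant to prove.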
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Alex Bennée, Thomas Huth, Michael Tokarev
Subject: [Stable-10.0.7 63/81] tests: move test_xen assets to share.linaro.org
Date: Fri, 21 Nov 2025 21:44:02 +0300
Message-ID: <20251121184424.1137669-63-mjt@tls.msk.ru>

From: Alex Bennée

Linaro are migrating file-hosting from the old NextCloud instance to another sharing site.

Reviewed-by: Thomas Huth
Cc: qemu-stable@nongnu.org
Message-ID: <20251117115523.3993105-7-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée
(cherry picked from commit 863449cc8ec7ff23d41ac71d462e2349e11b3852)
Signed-off-by: Michael Tokarev
diff --git a/tests/functional/test_aarch64_xen.py b/tests/functional/test_a= arch64_xen.py index 339904221b..d03799cab8 100755 --- a/tests/functional/test_aarch64_xen.py +++ b/tests/functional/test_aarch64_xen.py 
@@ -25,8 +25,7 @@ class BootXen(LinuxKernelTest): XEN_COMMON_COMMAND_LINE =3D 'dom0_mem=3D128M loglvl=3Dall guest_loglvl= =3Dall' =20 ASSET_KERNEL =3D Asset( - ('https://fileserver.linaro.org/s/JSsewXGZ6mqxPr5/' - 'download?path=3D%2F&files=3Dlinux-5.9.9-arm64-ajb'), + 'https://share.linaro.org/downloadFile?id=3DRRahAWwAwYKTZQd', '00366fa51ea957c19462d2e2aefd480bef80ce727120e714ae48e0c88f261edb') =20 def launch_xen(self, xen_path): @@ -54,8 +53,7 @@ def launch_xen(self, xen_path): wait_for_console_pattern(self, console_pattern, "Panic on CPU 0:") =20 ASSET_XEN_4_11 =3D Asset( - ('https://fileserver.linaro.org/s/JSsewXGZ6mqxPr5/download?path=3D= %2F&' - 'files=3Dxen-hypervisor-4.11-arm64_4.11.4%2B37-g3263f257ca-1_arm6= 4.deb'), + 'https://share.linaro.org/downloadFile?id=3DALU4n2NGGYbE4fO', 'b745c2631342f9fcc0147ddc364edb62c20ecfebd430e5a3546e7d7c6891c0bc') =20 def test_arm64_xen_411_and_dom0(self): @@ -65,8 +63,7 @@ def test_arm64_xen_411_and_dom0(self): self.launch_xen(xen_path) =20 ASSET_XEN_4_14 =3D Asset( - ('https://fileserver.linaro.org/s/JSsewXGZ6mqxPr5/download?path=3D= %2F&' - 'files=3Dxen-hypervisor-4.14-arm64_4.14.0%2B80-gd101b417b7-1_arm6= 4.deb'), + 'https://share.linaro.org/downloadFile?id=3Dos4zSXPl7WW4lqX', 'e930a3293248edabd367d5b4b3b6448b9c99c057096ea8b47228a7870661d5cb') =20 def test_arm64_xen_414_and_dom0(self): 
@@ -76,8 +73,7 @@ def test_arm64_xen_414_and_dom0(self): self.launch_xen(xen_path) =20 ASSET_XEN_4_15 =3D Asset( - ('https://fileserver.linaro.org/s/JSsewXGZ6mqxPr5/download?path=3D= %2F&' - 'files=3Dxen-upstream-4.15-unstable.deb'), + 'https://share.linaro.org/downloadFile?id=3DjjjG4uTp2wuO4Ks', '2a9a8af8acf0231844657cc28baab95bd918b0ee2d493ee4ee6f8846e1358bc9') =20 def test_arm64_xen_415_and_dom0(self): --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763800922254605.2997536486632; Sat, 22 Nov 2025 00:42:02 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMd2H-0001MM-RA; Fri, 21 Nov 2025 21:07:38 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcf2-0005vb-Id; Fri, 21 Nov 2025 20:43:36 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMccz-0003ZN-Ga; Fri, 21 Nov 2025 20:43:31 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id B42F916CA7B; Fri, 21 Nov 2025 21:44:28 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 37B85321CB7; Fri, 21 Nov 2025 21:44:37 +0300 (MSK) 
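Review bot: in patch 63/81 (tests/functional/test_aarch64_xen.py) the four replaced Asset URLs (ASSET_KERNEL, ASSET_XEN_4_11, ASSET_XEN_4_14, ASSET_XEN_4_15) drop the file name the old URL carried, for example the files= value naming the xen-hypervisor-4.11-arm64 .deb, so the opaque id= values no longer tell a reader which build is fetched. The SHA-256 pins are unchanged, which is what keeps the download verifiable across the host move. Please add a one-line comment above each Asset naming the original file, so the pinned hash can still be matched to an artifact if a share link is ever rotated.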
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Alex=20Benn=C3=A9e?= , Thomas Huth , Michael Tokarev Subject: [Stable-10.0.7 64/81] tests: move test_virt assets to share.linaro.org Date: Fri, 21 Nov 2025 21:44:03 +0300 Message-ID: <20251121184424.1137669-64-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763800934540018900 From: Alex Benn=C3=A9e Linaro are migrating file-hosting from the old NextCloud instance to another sharing site. While I'm at it drop the old pauth-impdef flag which is no longer needed. Reviewed-by: Thomas Huth Cc: qemu-stable@nongnu.org Message-ID: <20251117115523.3993105-8-alex.bennee@linaro.org> Signed-off-by: Alex Benn=C3=A9e (cherry picked from commit dfaf3695b20d653338c2f34edbbb552f697033c3) Signed-off-by: Michael Tokarev diff --git a/tests/functional/test_aarch64_virt.py b/tests/functional/test_= aarch64_virt.py index 884aad7af6..249f22d978 100755 --- a/tests/functional/test_aarch64_virt.py +++ b/tests/functional/test_aarch64_virt.py 
@@ -64,8 +64,7 @@ def test_alpine_virt_tcg_gic_max(self): =20 =20 ASSET_KERNEL =3D Asset( - ('https://fileserver.linaro.org/s/' - 'z6B2ARM7DQT3HWN/download'), + 'https://share.linaro.org/downloadFile?id=3D3zGlbmXh8pXFewt', '12a54d4805cda6ab647cb7c7bbdb16fafb3df400e0d6f16445c1a0436100ef8d') =20 def common_aarch64_virt(self, machine): 
@@ -83,7 +82,7 @@ def common_aarch64_virt(self, machine): self.vm.set_console() kernel_command_line =3D (self.KERNEL_COMMON_COMMAND_LINE + 'console=3DttyAMA0') - self.vm.add_args('-cpu', 'max,pauth-impdef=3Don', + self.vm.add_args('-cpu', 'max', '-machine', machine, '-accel', 'tcg', '-kernel', kernel_path, --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763785381216772.9117292709911; Fri, 21 Nov 2025 20:23:01 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMd7i-0005Vr-8W; Fri, 21 Nov 2025 21:13:15 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcr9-0005x0-6G; Fri, 21 Nov 2025 20:56:07 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcp7-0006mE-Lj; Fri, 21 Nov 2025 20:56:03 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id C6D8E16CA7C; Fri, 21 Nov 2025 21:44:28 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 84663321CB8; Fri, 21 Nov 2025 21:44:37 +0300 (MSK) 
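Review bot: the last hunk of patch 64/81 (common_aarch64_virt() in tests/functional/test_aarch64_virt.py) changes '-cpu', 'max,pauth-impdef=on' to '-cpu', 'max', which is unrelated to the asset move named in the subject and changes the CPU configuration the test runs with. For a stable backport, please split it into its own commit, or extend the commit message beyond "no longer needed" to say why the flag is redundant on this branch.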
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Alex=20Benn=C3=A9e?= , Thomas Huth , Michael Tokarev Subject: [Stable-10.0.7 65/81] tests: move test_netdev_ethtool to share.linaro.org Date: Fri, 21 Nov 2025 21:44:04 +0300 Message-ID: <20251121184424.1137669-65-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763785381678018900 From: Alex Benn=C3=A9e Linaro are migrating file-hosting from the old NextCloud instance to another sharing site. Reviewed-by: Thomas Huth Cc: qemu-stable@nongnu.org Message-ID: <20251117115523.3993105-9-alex.bennee@linaro.org> Signed-off-by: Alex Benn=C3=A9e (cherry picked from commit 5ff8d1fac98ba35391412883a17feb16a5b464e9) Signed-off-by: Michael Tokarev diff --git a/tests/functional/test_netdev_ethtool.py b/tests/functional/tes= t_netdev_ethtool.py index ee1a397bd2..ac8a92512c 100755 --- a/tests/functional/test_netdev_ethtool.py +++ b/tests/functional/test_netdev_ethtool.py 
@@ -16,16 +16,10 @@ class NetDevEthtool(QemuSystemTest): # Runs in about 17s under KVM, 19s under TCG, 25s under GCOV timeout =3D 45 =20 - # Fetch assets from the netdev-ethtool subdir of my shared test - # images directory on fileserver.linaro.org. - ASSET_BASEURL =3D ('https://fileserver.linaro.org/s/kE4nCFLdQcoBF9t/' - 'download?path=3D%2Fnetdev-ethtool&files=3D') - ASSET_BZIMAGE =3D Asset( - ASSET_BASEURL + "bzImage", - "ed62ee06ea620b1035747f3f66a5e9fc5d3096b29f75562ada888b04cd1c4baf") - ASSET_ROOTFS =3D Asset( - ASSET_BASEURL + "rootfs.squashfs", - "8f0207e3c4d40832ae73c1a927e42ca30ccb1e71f047acb6ddb161ba422934e6") + ASSET_BZIMAGE =3D Asset("https://share.linaro.org/downloadFile?id=3DQD= 37GYYAJhGOgVe", + "ed62ee06ea620b1035747f3f66a5e9fc5d3096b29f75562= ada888b04cd1c4baf") + ASSET_ROOTFS =3D Asset("https://share.linaro.org/downloadFile?id=3DYAq= nr0W8fruDh3f", + "8f0207e3c4d40832ae73c1a927e42ca30ccb1e71f047acb6= ddb161ba422934e6") =20 def common_test_code(self, netdev, extra_args=3DNone): self.set_machine('q35') --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763784931156691.4248589257893; Fri, 21 Nov 2025 20:15:31 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMd4h-0002uX-Hb; Fri, 21 Nov 2025 21:10:08 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcQS-0006s2-Sm; Fri, 21 Nov 2025 20:28:32 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) 
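Review bot: in patch 65/81 (tests/functional/test_netdev_ethtool.py) the new ASSET_BZIMAGE and ASSET_ROOTFS definitions put the URL and the 64-character hash on lines longer than 80 columns, unlike the Asset(...) calls in the other files of this series, which keep the URL and the hash on separate short indented lines. Please wrap them the same way, and keep a short comment recording that these are the netdev-ethtool bzImage and rootfs.squashfs, since the removed ASSET_BASEURL block was the only place that said so.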
(envelope-from ) id 1vMcOQ-0000Cz-Bu; Fri, 21 Nov 2025 20:28:28 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id D8F1E16CA7D; Fri, 21 Nov 2025 21:44:28 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 9667D321CB9; Fri, 21 Nov 2025 21:44:37 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Alex=20Benn=C3=A9e?= , Thomas Huth , Michael Tokarev Subject: [Stable-10.0.7 66/81] tests: move test_kvm_xen to share.linaro.org Date: Fri, 21 Nov 2025 21:44:05 +0300 Message-ID: <20251121184424.1137669-66-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763784932260018900 From: Alex Benn=C3=A9e Linaro are migrating file-hosting from the old NextCloud instance to another sharing site. Reviewed-by: Thomas Huth Cc: qemu-stable@nongnu.org Message-ID: <20251117115523.3993105-10-alex.bennee@linaro.org> Signed-off-by: Alex Benn=C3=A9e (cherry picked from commit 533b5ac2d6a826619cf80b009bf23ae3246d7011) Signed-off-by: Michael Tokarev diff --git a/tests/functional/test_x86_64_kvm_xen.py b/tests/functional/tes= t_x86_64_kvm_xen.py index c6abf6bba3..0f1f5d8f0b 100755 
--- a/tests/functional/test_x86_64_kvm_xen.py +++ b/tests/functional/test_x86_64_kvm_xen.py 
@@ -25,18 +25,11 @@ class KVMXenGuest(QemuSystemTest): kernel_path =3D None kernel_params =3D None =20 - # Fetch assets from the kvm-xen-guest subdir of my shared test - # images directory on fileserver.linaro.org where you can find - # build instructions for how they where assembled. - ASSET_KERNEL =3D Asset( - ('https://fileserver.linaro.org/s/kE4nCFLdQcoBF9t/download?' - 'path=3D%2Fkvm-xen-guest&files=3DbzImage'), - 'ec0ad7bb8c33c5982baee0a75505fe7dbf29d3ff5d44258204d6307c6fe0132a') - - ASSET_ROOTFS =3D Asset( - ('https://fileserver.linaro.org/s/kE4nCFLdQcoBF9t/download?' - 'path=3D%2Fkvm-xen-guest&files=3Drootfs.ext4'), - 'b11045d649006c649c184e93339aaa41a8fe20a1a86620af70323252eb29e40b') + ASSET_KERNEL =3D Asset('https://share.linaro.org/downloadFile?id=3DUG0= V8dzzHrrHb9X', + 'ec0ad7bb8c33c5982baee0a75505fe7dbf29d3ff5d442582= 04d6307c6fe0132a') + + ASSET_ROOTFS =3D Asset('https://share.linaro.org/downloadFile?id=3DVwL= RKDXKFl6oKti', + 'b11045d649006c649c184e93339aaa41a8fe20a1a86620af= 70323252eb29e40b') =20 def common_vm_setup(self): # We also catch lack of KVM_XEN support if we fail to launch --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763780833388141.48551492863828; Fri, 21 Nov 2025 19:07:13 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMcwl-0002Hi-Jf; Fri, 21 Nov 2025 21:01:56 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMc1B-0001X7-6z; Fri, 21 Nov 2025 20:02:30 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by 
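Review bot: in patch 66/81 (tests/functional/test_x86_64_kvm_xen.py) the removed comment was the only pointer to the build instructions for the kvm-xen-guest bzImage and rootfs.ext4. With the share.linaro.org id= URLs, nothing in the file says how these binaries were produced. Please keep a comment stating where the build instructions now live, so the pinned images stay reproducible and auditable.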
eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMbz8-0002CU-96; Fri, 21 Nov 2025 20:02:20 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id EA7A116CA7E; Fri, 21 Nov 2025 21:44:28 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id A8686321CBA; Fri, 21 Nov 2025 21:44:37 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Alex=20Benn=C3=A9e?= , Thomas Huth , Michael Tokarev Subject: [Stable-10.0.7 67/81] tests: move test_virt_gpu to share.linaro.org Date: Fri, 21 Nov 2025 21:44:06 +0300 Message-ID: <20251121184424.1137669-67-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763780834967018900 From: Alex Benn=C3=A9e Linaro are migrating file-hosting from the old NextCloud instance to another sharing site. Cc: qemu-stable@nongnu.org Reviewed-by: Thomas Huth Message-ID: <20251117115523.3993105-12-alex.bennee@linaro.org> Signed-off-by: Alex Benn=C3=A9e (cherry picked from commit 497d3e87ce2d58a4781de03c6f5b0200ef79909f) Signed-off-by: Michael Tokarev 
diff --git a/tests/functional/test_aarch64_virt_gpu.py b/tests/functional/t= est_aarch64_virt_gpu.py index 3844727857..28ae7592fc 100755 --- a/tests/functional/test_aarch64_virt_gpu.py +++ b/tests/functional/test_aarch64_virt_gpu.py 
@@ -23,15 +23,11 @@ class Aarch64VirtGPUMachine(LinuxKernelTest): =20 ASSET_VIRT_GPU_KERNEL =3D Asset( - 'https://fileserver.linaro.org/s/ce5jXBFinPxtEdx/' - 'download?path=3D%2F&files=3D' - 'Image.6.12.16.aarch64', + 'https://share.linaro.org/downloadFile?id=3DlL8wgnMmSXZo7Co', '7888c51c55d37e86bbbdeb5acea9f08c34e6b0f03c1f5b2463285f6a6f6eec8b') =20 ASSET_VIRT_GPU_ROOTFS =3D Asset( - 'https://fileserver.linaro.org/s/ce5jXBFinPxtEdx/' - 'download?path=3D%2F&files=3D' - 'rootfs.aarch64.ext2.zstd', + 'https://share.linaro.org/downloadFile?id=3DqOn1wbfKmS6KVHZ', 'd45118c899420b7e673f1539a37a35480134b3e36e3a59e2cb69b1781cbb14ef') =20 def _launch_virt_gpu(self, gpu_device): --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763780467370960.9622152697928; Fri, 21 Nov 2025 19:01:07 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMd8l-0006LU-0W; Fri, 21 Nov 2025 21:14:20 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcwz-0002RW-EG; Fri, 21 Nov 2025 21:02:09 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcvA-0000D3-K0; Fri, 21 Nov 2025 21:02:06 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 0BCA016CA7F; Fri, 21 Nov 2025 21:44:29 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id BA473321CBB; 
Fri, 21 Nov 2025 21:44:37 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Hanna Czenczek , Junyao Zhao , Kevin Wolf , Michael Tokarev Subject: [Stable-10.0.7 68/81] =?UTF-8?q?rbd:=20Run=20co=20BH=20CB=20in=20?= =?UTF-8?q?the=20coroutine=E2=80=99s=20AioContext?= Date: Fri, 21 Nov 2025 21:44:07 +0300 Message-ID: <20251121184424.1137669-68-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, T_SPF_HELO_TEMPERROR=0.01, T_SPF_TEMPERROR=0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763780467620018900 
From: Hanna Czenczek

qemu_rbd_completion_cb() schedules the request completion code (qemu_rbd_finish_bh()) to run in the BDS’s AioContext, assuming that this is the same thread in which qemu_rbd_start_co() runs.

To explain, this is how both latter functions interact:

In qemu_rbd_start_co():

    while (!task.complete)
        qemu_coroutine_yield();

In qemu_rbd_finish_bh():

    task->complete = true;
    aio_co_wake(task->co); // task->co is qemu_rbd_start_co()

For this interaction to work reliably, both must run in the same thread so that qemu_rbd_finish_bh() can only run once the coroutine yields. Otherwise, finish_bh() may run before start_co() checks task.complete, which will result in the latter seeing .complete as true immediately and skipping the yield altogether, even though finish_bh() still wakes it.

With multiqueue, the BDS’s AioContext is not necessarily the thread start_co() runs in, and so finish_bh() may be scheduled to run in a different thread than start_co(). With the right timing, this will cause the problems described above; waking a non-yielding coroutine is not good, as can be reproduced by putting e.g. a usleep(100000) above the while loop in start_co() (and using multiqueue), giving finish_bh() a much better chance at exiting before start_co() can yield.

So instead of scheduling finish_bh() in the BDS’s AioContext, schedule finish_bh() in task->co’s AioContext.

In addition, we can get rid of task.complete altogether because we will get woken exactly once, when the task is indeed complete, no need to check.

(We could go further and drop the BH, running aio_co_wake() directly in qemu_rbd_completion_cb() because we are allowed to do that even if the coroutine isn’t yet yielding and we’re in a different thread – but the doc comment on qemu_rbd_completion_cb() says to be careful, so I decided not to go so far here.)
Buglink: https://issues.redhat.com/browse/RHEL-67115 Reported-by: Junyao Zhao Cc: qemu-stable@nongnu.org Signed-off-by: Hanna Czenczek Message-ID: <20251110154854.151484-3-hreitz@redhat.com> Reviewed-by: Kevin Wolf Signed-off-by: Kevin Wolf (cherry picked from commit 89d22536d1a1715083ef8118fe7e6e9239f900c1) Signed-off-by: Michael Tokarev diff --git a/block/rbd.c b/block/rbd.c index 446e90d34c..e2a11a6bc1 100644 --- a/block/rbd.c +++ b/block/rbd.c @@ -110,9 +110,7 @@ typedef struct BDRVRBDState { } BDRVRBDState; =20 typedef struct RBDTask { - BlockDriverState *bs; Coroutine *co; - bool complete; int64_t ret; } RBDTask; =20 @@ -1310,7 +1308,6 @@ static int qemu_rbd_resize(BlockDriverState *bs, uint= 64_t size) static void qemu_rbd_finish_bh(void *opaque) { RBDTask *task =3D opaque; - task->complete =3D true; aio_co_wake(task->co); } =20 @@ -1327,7 +1324,7 @@ static void qemu_rbd_completion_cb(rbd_completion_t c= , RBDTask *task) { task->ret =3D rbd_aio_get_return_value(c); rbd_aio_release(c); - aio_bh_schedule_oneshot(bdrv_get_aio_context(task->bs), + aio_bh_schedule_oneshot(qemu_coroutine_get_aio_context(task->co), qemu_rbd_finish_bh, task); } =20 @@ -1339,7 +1336,7 @@ static int coroutine_fn qemu_rbd_start_co(BlockDriver= State *bs, RBDAIOCmd cmd) { BDRVRBDState *s =3D bs->opaque; - RBDTask task =3D { .bs =3D bs, .co =3D qemu_coroutine_self() }; + RBDTask task =3D { .co =3D qemu_coroutine_self() }; rbd_completion_t c; int r; =20 
@@ -1402,9 +1399,8 @@ static int coroutine_fn qemu_rbd_start_co(BlockDriver= State *bs, return r; } =20 - while (!task.complete) { - qemu_coroutine_yield(); - } + /* Expect exactly a single wake from qemu_rbd_finish_bh() */ + qemu_coroutine_yield(); =20 if (task.ret < 0) { error_report("rbd request failed: cmd %d offset %" PRIu64 " bytes = %" --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763796854489259.414461889157; Fri, 21 Nov 2025 23:34:14 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMd1v-0001AO-H5; Fri, 21 Nov 2025 21:07:16 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcaC-0003Sq-FE; Fri, 21 Nov 2025 20:38:36 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcYA-0002SH-UP; Fri, 21 Nov 2025 20:38:33 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 1EA0D16CA80; Fri, 21 Nov 2025 21:44:29 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id D01FD321CBC; Fri, 21 Nov 2025 21:44:37 +0300 (MSK) 
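Review bot: in patch 68/81 (block/rbd.c) the last hunk replaces the while (!task.complete) loop in qemu_rbd_start_co() with one unconditional qemu_coroutine_yield(), which also removes the only guard against an unexpected wake. task is a local of the coroutine (RBDTask task = { .co = qemu_coroutine_self() };) and qemu_rbd_completion_cb() writes task->ret through an RBDTask pointer, so a wake from anywhere other than qemu_rbd_finish_bh() would let the function return while the request is still in flight and leave the callback writing into a dead stack frame. Please extend the new comment, or add one at the RBDTask definition, to say that nothing else may enter this coroutine between submission and the wake from qemu_rbd_finish_bh().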
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Hanna Czenczek , Kevin Wolf , Michael Tokarev Subject: [Stable-10.0.7 69/81] =?UTF-8?q?nfs:=20Run=20co=20BH=20CB=20in=20?= =?UTF-8?q?the=20coroutine=E2=80=99s=20AioContext?= Date: Fri, 21 Nov 2025 21:44:08 +0300 Message-ID: <20251121184424.1137669-69-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763796865072018900

From: Hanna Czenczek

Like in “rbd: Run co BH CB in the coroutine’s AioContext”, drop the completion flag, yield exactly once, and run the BH in the coroutine’s AioContext.

(Can be reproduced with multiqueue by adding a usleep(100000) before the `while (!task.complete)` loops.)

Like in “iscsi: Run co BH CB in the coroutine’s AioContext”, this makes nfs_co_generic_bh_cb() trivial, so we can drop it in favor of just calling aio_co_wake() directly.

Cc: qemu-stable@nongnu.org
Signed-off-by: Hanna Czenczek
Message-ID: <20251110154854.151484-5-hreitz@redhat.com>
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf
(cherry picked from commit deb35c129b859b9bec70fd42f856a0b7c1dc6e61)
Signed-off-by: Michael Tokarev

diff --git a/block/nfs.c b/block/nfs.c index 0a7d38db09..1d3a34a30c 100644 --- a/block/nfs.c 
+++ b/block/nfs.c @@ -69,7 +69,6 @@ typedef struct NFSClient { typedef struct NFSRPC { BlockDriverState *bs; int ret; - int complete; QEMUIOVector *iov; struct stat *st; Coroutine *co; @@ -230,14 +229,6 @@ static void coroutine_fn nfs_co_init_task(BlockDriverS= tate *bs, NFSRPC *task) }; } =20 -static void nfs_co_generic_bh_cb(void *opaque) -{ - NFSRPC *task =3D opaque; - - task->complete =3D 1; - aio_co_wake(task->co); -} - /* Called (via nfs_service) with QemuMutex held. */ static void nfs_co_generic_cb(int ret, struct nfs_context *nfs, void *data, @@ -256,8 +247,16 @@ nfs_co_generic_cb(int ret, struct nfs_context *nfs, vo= id *data, if (task->ret < 0) { error_report("NFS Error: %s", nfs_get_error(nfs)); } - replay_bh_schedule_oneshot_event(task->client->aio_context, - nfs_co_generic_bh_cb, task); + + /* + * Safe to call: nfs_service(), which called us, is only run from the = FD + * handlers, never from the request coroutine. The request coroutine = in + * turn will yield unconditionally. + * No need to release the lock, even if we directly enter the coroutin= e, as + * the lock is never re-taken after yielding. (Note: If we do enter t= he + * coroutine, @task will probably be dangling once aio_co_wake() retur= ns.) + */ + aio_co_wake(task->co); } =20 static int coroutine_fn nfs_co_preadv(BlockDriverState *bs, int64_t offset, @@ -278,9 +277,7 @@ static int coroutine_fn nfs_co_preadv(BlockDriverState = *bs, int64_t offset, =20 nfs_set_events(client); } - while (!task.complete) { - qemu_coroutine_yield(); - } + qemu_coroutine_yield(); =20 if (task.ret < 0) { return task.ret; @@ -328,9 +325,7 @@ static int coroutine_fn nfs_co_pwritev(BlockDriverState= *bs, int64_t offset, =20 nfs_set_events(client); } - while (!task.complete) { - qemu_coroutine_yield(); - } + qemu_coroutine_yield(); =20 if (my_buffer) { g_free(buf); 
@@ -358,9 +353,7 @@ static int coroutine_fn nfs_co_flush(BlockDriverState *= bs) =20 nfs_set_events(client); } - while (!task.complete) { - qemu_coroutine_yield(); - } + qemu_coroutine_yield(); =20 return task.ret; } @@ -723,8 +716,8 @@ nfs_get_allocated_file_size_cb(int ret, struct nfs_cont= ext *nfs, void *data, if (task->ret < 0) { error_report("NFS Error: %s", nfs_get_error(nfs)); } - replay_bh_schedule_oneshot_event(task->client->aio_context, - nfs_co_generic_bh_cb, task); + /* Safe to call, see nfs_co_generic_cb() */ + aio_co_wake(task->co); } =20 static int64_t coroutine_fn nfs_co_get_allocated_file_size(BlockDriverStat= e *bs) 
@@ -748,9 +741,7 @@ static int64_t coroutine_fn nfs_co_get_allocated_file_s= ize(BlockDriverState *bs) =20 nfs_set_events(client); } - while (!task.complete) { - qemu_coroutine_yield(); - } + qemu_coroutine_yield(); =20 return (task.ret < 0 ? task.ret : st.st_blocks * 512); } --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763782294088932.7290593041653; Fri, 21 Nov 2025 19:31:34 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMcrW-00069V-3r; Fri, 21 Nov 2025 20:56:31 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMbpr-0003P8-R0; Fri, 21 Nov 2025 19:50:43 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMbph-0000MF-D1; Fri, 21 Nov 2025 19:50:40 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 3177F16CA81; Fri, 21 Nov 2025 21:44:29 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id E3986321CBD; Fri, 21 Nov 2025 21:44:37 +0300 (MSK) 
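Review bot: in patch 69/81 (block/nfs.c) nfs_co_generic_cb() and nfs_get_allocated_file_size_cb() used to defer the wake through replay_bh_schedule_oneshot_event(), and calling aio_co_wake() directly drops that replay-aware scheduling without the commit message saying whether record/replay behaviour is affected. Please state that in the commit message. The new comment in nfs_co_generic_cb() notes that @task may be dangling once aio_co_wake() returns; it would help to add that the call must therefore stay the last statement in both callbacks, as it is in these hunks.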
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Hanna Czenczek , Kevin Wolf , Michael Tokarev Subject: [Stable-10.0.7 70/81] curl: Fix coroutine waking Date: Fri, 21 Nov 2025 21:44:09 +0300 Message-ID: <20251121184424.1137669-70-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763782295788018900 
From: Hanna Czenczek

If we wake a coroutine from a different context, we must ensure that it will yield exactly once (now or later), awaiting that wake.

curl’s current .ret == -EINPROGRESS loop may lead to the coroutine not yielding if the request finishes before the loop gets run. To fix it, we must drop the loop and yield exactly once, if we need to yield.

Finding out that latter part ("if we need to yield") makes it a bit complicated: Requests may be served from a cache internal to the curl block driver, or fail before being submitted. In these cases, we must not yield. However, if we find a matching but still ongoing request in the cache, we will have to await that, i.e. still yield.

To address this, move the yield inside of the respective functions:
- Inside of curl_find_buf() when awaiting ongoing concurrent requests,
- Inside of curl_setup_preadv() when having created a new request.

Rename curl_setup_preadv() to curl_do_preadv() to reflect this.

(Can be reproduced with multiqueue by adding a usleep(100000) before the `while (acb.ret == -EINPROGRESS)` loop.)

Also, add a comment why aio_co_wake() is safe regardless of whether the coroutine and curl_multi_check_completion() run in the same context.

Cc: qemu-stable@nongnu.org
Signed-off-by: Hanna Czenczek
Message-ID: <20251110154854.151484-6-hreitz@redhat.com>
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf
(cherry picked from commit 53d5c7ffac7bd4e0d12174432ebb2b3e88614b15)
Signed-off-by: Michael Tokarev

diff --git a/block/curl.c b/block/curl.c index cbfb847dc4..96498aac1d 100644 --- a/block/curl.c +++ b/block/curl.c @@ -258,8 +258,8 @@ read_end: } =20 /* Called with s->mutex held. */ -static bool curl_find_buf(BDRVCURLState *s, uint64_t start, uint64_t len, - CURLAIOCB *acb) +static bool coroutine_fn +curl_find_buf(BDRVCURLState *s, uint64_t start, uint64_t len, CURLAIOCB *a= cb) { int i; uint64_t end =3D start + len; 
@@ -307,6 +307,10 @@ static bool curl_find_buf(BDRVCURLState *s, uint64_t s= tart, uint64_t len, for (j=3D0; jacb[j]) { state->acb[j] =3D acb; + /* Await ongoing request */ + qemu_mutex_unlock(&s->mutex); + qemu_coroutine_yield(); + qemu_mutex_lock(&s->mutex); return true; } } @@ -378,6 +382,16 @@ static void curl_multi_check_completion(BDRVCURLState = *s) acb->ret =3D error ? -EIO : 0; state->acb[i] =3D NULL; qemu_mutex_unlock(&s->mutex); + /* + * Current AioContext is the BDS context, which may or may= not + * be the request (coroutine) context. + * - If it is, the coroutine must have yielded or the FD h= andler + * (curl_multi_do()/curl_multi_timeout_do()) could not h= ave + * been called and we would not be here + * - If it is not, it doesn't matter whether it has already + * yielded or not; it will be scheduled once it does yie= ld + * So aio_co_wake() is safe to call. + */ aio_co_wake(acb->co); qemu_mutex_lock(&s->mutex); } @@ -879,7 +893,7 @@ out_noclean: return -EINVAL; } =20 -static void coroutine_fn curl_setup_preadv(BlockDriverState *bs, CURLAIOCB= *acb) +static void coroutine_fn curl_do_preadv(BlockDriverState *bs, CURLAIOCB *a= cb) { CURLState *state; int running; @@ -891,10 +905,13 @@ static void coroutine_fn curl_setup_preadv(BlockDrive= rState *bs, CURLAIOCB *acb) =20 qemu_mutex_lock(&s->mutex); =20 - // In case we have the requested data already (e.g. read-ahead), - // we can just call the callback and be done. + /* + * In case we have the requested data already (e.g. read-ahead), + * we can just call the callback and be done. This may have to + * await an ongoing request, in which case it itself will yield. + */ if (curl_find_buf(s, start, acb->bytes, acb)) { - goto out; + goto dont_yield; } =20 // No cache found, so let's start a new request 
@@ -909,7 +926,7 @@ static void coroutine_fn curl_setup_preadv(BlockDriverS= tate *bs, CURLAIOCB *acb) if (curl_init_state(s, state) < 0) { curl_clean_state(state); acb->ret =3D -EIO; - goto out; + goto dont_yield; } =20 acb->start =3D 0; @@ -924,7 +941,7 @@ static void coroutine_fn curl_setup_preadv(BlockDriverS= tate *bs, CURLAIOCB *acb) if (state->buf_len && state->orig_buf =3D=3D NULL) { curl_clean_state(state); acb->ret =3D -ENOMEM; - goto out; + goto dont_yield; } state->acb[0] =3D acb; =20 @@ -936,13 +953,16 @@ static void coroutine_fn curl_setup_preadv(BlockDrive= rState *bs, CURLAIOCB *acb) acb->ret =3D -EIO; =20 curl_clean_state(state); - goto out; + goto dont_yield; } =20 /* Tell curl it needs to kick things off */ curl_multi_socket_action(s->multi, CURL_SOCKET_TIMEOUT, 0, &running); + qemu_mutex_unlock(&s->mutex); + qemu_coroutine_yield(); + return; =20 -out: +dont_yield: qemu_mutex_unlock(&s->mutex); } =20 
@@ -958,10 +978,7 @@ static int coroutine_fn curl_co_preadv(BlockDriverStat= e *bs, .bytes =3D bytes }; =20 - curl_setup_preadv(bs, &acb); - while (acb.ret =3D=3D -EINPROGRESS) { - qemu_coroutine_yield(); - } + curl_do_preadv(bs, &acb); return acb.ret; } =20 --=20 2.47.3
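Review bot: curl_find_buf() in block/curl.c still carries the comment `/* Called with s->mutex held. */`, but the `@@ -307` hunk now drops s->mutex, yields and retakes it before `return true`. The comment should say that the mutex may be released across the call, since callers can no longer assume that state protected by s->mutex is unchanged when the function returns true.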
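Review bot: In curl_co_preadv(), `return acb.ret;` now trusts that curl_do_preadv() only returns once the request has finished; the removed loop used to enforce that by testing `acb.ret == -EINPROGRESS`. An `assert(acb.ret != -EINPROGRESS);` after the call would turn a missed or premature wake into an immediate failure instead of handing -EINPROGRESS back to the caller while `&acb`, a local of this function, may still be referenced from state->acb[].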
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Hanna Czenczek, Stefan Hajnoczi, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.0.7 71/81] nvme: Kick and check completions in BDS context
Date: Fri, 21 Nov 2025 21:44:10 +0300
Message-ID: <20251121184424.1137669-71-mjt@tls.msk.ru>

From: Hanna Czenczek

nvme_process_completion() must run in the main BDS context, so schedule a BH for requests that aren’t there.

The context in which we kick does not matter, but let’s just keep kick and process_completion together for simplicity’s sake.

(For what it’s worth, a quick fio bandwidth test indicates that on my test hardware, if anything, this may be a bit better than kicking immediately before scheduling a pure nvme_process_completion() BH. But I wouldn’t take more from those results than that it doesn’t really seem to matter either way.)

Cc: qemu-stable@nongnu.org
Signed-off-by: Hanna Czenczek
Message-ID: <20251110154854.151484-8-hreitz@redhat.com>
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf
(cherry picked from commit 7a501bbd51941fb1867d78e6b0d1dc69e396b9e2)
Signed-off-by: Michael Tokarev

diff --git a/block/nvme.c b/block/nvme.c index bbf7c23dcd..3366519e57 100644 --- a/block/nvme.c +++ b/block/nvme.c @@ -480,7 +480,7 @@ static void nvme_trace_command(const NvmeCmd *cmd) } } =20 -static void nvme_deferred_fn(void *opaque) +static void nvme_kick_and_check_completions(void *opaque) { NVMeQueuePair *q =3D opaque; =20 
@@ -489,6 +489,18 @@ static void nvme_deferred_fn(void *opaque) nvme_process_completion(q); } =20 +static void nvme_deferred_fn(void *opaque) +{ + NVMeQueuePair *q =3D opaque; + + if (qemu_get_current_aio_context() =3D=3D q->s->aio_context) { + nvme_kick_and_check_completions(q); + } else { + aio_bh_schedule_oneshot(q->s->aio_context, + nvme_kick_and_check_completions, q); + } +} + static void nvme_submit_command(NVMeQueuePair *q, NVMeRequest *req, NvmeCmd *cmd, BlockCompletionFunc cb, void *opaque) --=20 2.47.3
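Review bot: In the new nvme_deferred_fn() in block/nvme.c, the else branch hands the raw `q` pointer to `aio_bh_schedule_oneshot()`, and nothing in the hunk shows what keeps the NVMeQueuePair alive until the BH runs in q->s->aio_context. Please add a comment stating why `q` cannot be freed in between, and record there that nvme_process_completion() must run in the BDS context, which is currently explained only in the commit message.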
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Hanna Czenczek, Stefan Hajnoczi, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.0.7 72/81] nvme: Fix coroutine waking
Date: Fri, 21 Nov 2025 21:44:11 +0300
Message-ID: <20251121184424.1137669-72-mjt@tls.msk.ru>

From: Hanna Czenczek

nvme wakes the request coroutine via qemu_coroutine_enter() from a BH scheduled in the BDS AioContext. This may not be the same context as the one in which the request originally ran, which would be wrong:
- It could mean we enter the coroutine before it yields,
- We would move the coroutine into a different context.

(Can be reproduced with multiqueue by adding a usleep(100000) before the `while (data.ret == -EINPROGRESS)` loop.)

To fix that, use aio_co_wake() to run the coroutine in its home context. Just like in the preceding iscsi and nfs patches, we can drop the trivial nvme_rw_cb_bh() and use aio_co_wake() directly.

With this, we can remove NVMeCoData.ctx.

Note the check of data->co == NULL to bypass the BH/yield combination in case nvme_rw_cb() is called from nvme_submit_command(): We probably want to keep this fast path for performance reasons, but we have to be quite careful about it:
- We cannot overload .ret for this, but have to use a dedicated .skip_yield field. Otherwise, if nvme_rw_cb() runs in a different thread than the coroutine, it may see .ret set and skip the yield, while nvme_rw_cb() will still schedule a BH for waking. Therefore, the signal to skip the yield can only be set in nvme_rw_cb() if waking too is skipped, which is independent from communicating the return value.
- We can only skip the yield if nvme_rw_cb() actually runs in the request coroutine. Otherwise (specifically if they run in different AioContexts), the order between this function’s execution and the coroutine yielding (or not yielding) is not reliable.
- There is no point to yielding in a loop; there are no spurious wakes, so once we yield, we will only be re-entered once the command is done. Replace `while` by `if`.

Cc: qemu-stable@nongnu.org
Signed-off-by: Hanna Czenczek
Message-ID: <20251110154854.151484-9-hreitz@redhat.com>
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf (cherry picked from commit 0f142cbd919fcb6cea7aa176f7e4939925806dd9) Signed-off-by: Michael Tokarev diff --git a/block/nvme.c b/block/nvme.c index 3366519e57..2e93abdb4b 100644 --- a/block/nvme.c +++ b/block/nvme.c @@ -1171,25 +1171,35 @@ fail: =20 typedef struct { Coroutine *co; + bool skip_yield; int ret; - AioContext *ctx; } NVMeCoData; =20 -static void nvme_rw_cb_bh(void *opaque) -{ - NVMeCoData *data =3D opaque; - qemu_coroutine_enter(data->co); -} - static void nvme_rw_cb(void *opaque, int ret) { NVMeCoData *data =3D opaque; + data->ret =3D ret; - if (!data->co) { - /* The rw coroutine hasn't yielded, don't try to enter. */ - return; + + if (data->co =3D=3D qemu_coroutine_self()) { + /* + * Fast path: We are inside of the request coroutine (through + * nvme_submit_command, nvme_deferred_fn, nvme_process_completion). + * We can set data->skip_yield here to keep the coroutine from + * yielding, and then we don't need to schedule a BH to wake it. + */ + data->skip_yield =3D true; + } else { + /* + * Safe to call: The case where we run in the request coroutine is + * handled above, so we must be independent of it; and without + * skip_yield set, the coroutine will yield. + * No need to release NVMeQueuePair.lock (we are called without it + * held). (Note: If we enter the coroutine here, @data will + * probably be dangling once aio_co_wake() returns.) + */ + aio_co_wake(data->co); } - replay_bh_schedule_oneshot_event(data->ctx, nvme_rw_cb_bh, data); } =20 static coroutine_fn int nvme_co_prw_aligned(BlockDriverState *bs, @@ -1213,7 +1223,7 @@ static coroutine_fn int nvme_co_prw_aligned(BlockDriv= erState *bs, .cdw12 =3D cpu_to_le32(cdw12), }; NVMeCoData data =3D { - .ctx =3D bdrv_get_aio_context(bs), + .co =3D qemu_coroutine_self(), .ret =3D -EINPROGRESS, }; =20 
@@ -1230,9 +1240,7 @@ static coroutine_fn int nvme_co_prw_aligned(BlockDriv= erState *bs, return r; } nvme_submit_command(ioq, req, &cmd, nvme_rw_cb, &data); - - data.co =3D qemu_coroutine_self(); - while (data.ret =3D=3D -EINPROGRESS) { + if (!data.skip_yield) { qemu_coroutine_yield(); } =20 @@ -1328,7 +1336,7 @@ static coroutine_fn int nvme_co_flush(BlockDriverStat= e *bs) .nsid =3D cpu_to_le32(s->nsid), }; NVMeCoData data =3D { - .ctx =3D bdrv_get_aio_context(bs), + .co =3D qemu_coroutine_self(), .ret =3D -EINPROGRESS, }; =20 @@ -1336,9 +1344,7 @@ static coroutine_fn int nvme_co_flush(BlockDriverStat= e *bs) req =3D nvme_get_free_req(ioq); assert(req); nvme_submit_command(ioq, req, &cmd, nvme_rw_cb, &data); - - data.co =3D qemu_coroutine_self(); - if (data.ret =3D=3D -EINPROGRESS) { + if (!data.skip_yield) { qemu_coroutine_yield(); } =20 @@ -1379,7 +1385,7 @@ static coroutine_fn int nvme_co_pwrite_zeroes(BlockDr= iverState *bs, }; =20 NVMeCoData data =3D { - .ctx =3D bdrv_get_aio_context(bs), + .co =3D qemu_coroutine_self(), .ret =3D -EINPROGRESS, }; =20 @@ -1399,9 +1405,7 @@ static coroutine_fn int nvme_co_pwrite_zeroes(BlockDr= iverState *bs, assert(req); =20 nvme_submit_command(ioq, req, &cmd, nvme_rw_cb, &data); - - data.co =3D qemu_coroutine_self(); - while (data.ret =3D=3D -EINPROGRESS) { + if (!data.skip_yield) { qemu_coroutine_yield(); } =20 @@ -1429,7 +1433,7 @@ static int coroutine_fn nvme_co_pdiscard(BlockDriverS= tate *bs, }; =20 NVMeCoData data =3D { - .ctx =3D bdrv_get_aio_context(bs), + .co =3D qemu_coroutine_self(), .ret =3D -EINPROGRESS, }; =20 
@@ -1474,9 +1478,7 @@ static int coroutine_fn nvme_co_pdiscard(BlockDriverS= tate *bs, trace_nvme_dsm(s, offset, bytes); =20 nvme_submit_command(ioq, req, &cmd, nvme_rw_cb, &data); - - data.co =3D qemu_coroutine_self(); - while (data.ret =3D=3D -EINPROGRESS) { + if (!data.skip_yield) { qemu_coroutine_yield(); } =20 --=20 2.47.3
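Review bot: In nvme_rw_cb() in block/nvme.c, `data->ret = ret;` is a plain store that the request coroutine reads after it is woken, possibly on another thread, and the new comment explains why calling aio_co_wake() is safe but not what orders that store before the coroutine's read. Please say so in the comment. It is also worth noting next to `data->skip_yield = true;` that the field relies on the zero-initialisation of the `NVMeCoData data = { ... }` designated initialisers, since none of the call sites sets it explicitly.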
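Review bot: The pair `.co = qemu_coroutine_self()` in the initialiser and `if (!data.skip_yield) { qemu_coroutine_yield(); }` after nvme_submit_command() is now repeated in nvme_co_prw_aligned(), nvme_co_flush(), nvme_co_pwrite_zeroes() and nvme_co_pdiscard(). A small helper that submits and waits would keep the rule in one place, so that a future caller cannot forget to set .co before submission or go back to testing .ret.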
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Hanna Czenczek, Stefan Hajnoczi, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.0.7 73/81] block/io: Take reqs_lock for tracked_requests
Date: Fri, 21 Nov 2025 21:44:12 +0300
Message-ID: <20251121184424.1137669-73-mjt@tls.msk.ru>

From: Hanna Czenczek

bdrv_co_get_self_request() does not take a lock around iterating through bs->tracked_requests. With multiqueue, it may thus iterate over a list that is in the process of being modified, producing an assertion failure:

    ../block/file-posix.c:3702: raw_do_pwrite_zeroes: Assertion `req' failed.

    [0] abort() at /lib64/libc.so.6
    [1] __assert_fail_base.cold() at /lib64/libc.so.6
    [2] raw_do_pwrite_zeroes() at ../block/file-posix.c:3702
    [3] bdrv_co_do_pwrite_zeroes() at ../block/io.c:1910
    [4] bdrv_aligned_pwritev() at ../block/io.c:2109
    [5] bdrv_co_do_zero_pwritev() at ../block/io.c:2192
    [6] bdrv_co_pwritev_part() at ../block/io.c:2292
    [7] bdrv_co_pwritev() at ../block/io.c:2225
    [8] handle_alloc_space() at ../block/qcow2.c:2573
    [9] qcow2_co_pwritev_task() at ../block/qcow2.c:2625

Fix this by taking reqs_lock.

Cc: qemu-stable@nongnu.org
Signed-off-by: Hanna Czenczek
Message-ID: <20251110154854.151484-11-hreitz@redhat.com>
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf
(cherry picked from commit 9b9ee60c07f52009f9bb659f54c42afae95c1d94)
Signed-off-by: Michael Tokarev

diff --git a/block/io.c b/block/io.c index 1ba8d1aeea..29d1e84ea7 100644 --- a/block/io.c +++ b/block/io.c 
@@ -721,11 +721,14 @@ BdrvTrackedRequest *coroutine_fn bdrv_co_get_self_req= uest(BlockDriverState *bs) Coroutine *self =3D qemu_coroutine_self(); IO_CODE(); =20 + qemu_mutex_lock(&bs->reqs_lock); QLIST_FOREACH(req, &bs->tracked_requests, list) { if (req->co =3D=3D self) { + qemu_mutex_unlock(&bs->reqs_lock); return req; } } + qemu_mutex_unlock(&bs->reqs_lock); =20 return NULL; } --=20 2.47.3
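Review bot: bdrv_co_get_self_request() in block/io.c now needs two `qemu_mutex_unlock(&bs->reqs_lock);` calls, one on the early return inside QLIST_FOREACH and one after the loop. `QEMU_LOCK_GUARD(&bs->reqs_lock);` at the top would cover both exits and any return added later. A comment should also note that the returned `req` is used after the lock has been dropped, which relies on the entry belonging to the calling coroutine (`req->co == self`).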
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel P. Berrangé, Thomas Huth, Richard Henderson, Michael Tokarev
Subject: [Stable-10.0.7 74/81] tests/functional: fix formatting of exception args
Date: Fri, 21 Nov 2025 21:44:13 +0300
Message-ID: <20251121184424.1137669-74-mjt@tls.msk.ru>

From: Daniel P. Berrangé

The catch-all exception handler forgot the placeholder for the exception details.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Thomas Huth
Reviewed-by: Richard Henderson
Message-ID: <20250829142616.2633254-3-berrange@redhat.com>
Signed-off-by: Thomas Huth
(cherry picked from commit 124ab930ba38c41a86533dbfabb7a3b3b270ef98)
Signed-off-by: Michael Tokarev

diff --git a/tests/functional/qemu_test/asset.py b/tests/functional/qemu_te= st/asset.py index 704b84d0ea..debed88f5e 100644 --- a/tests/functional/qemu_test/asset.py +++ b/tests/functional/qemu_test/asset.py 
@@ -169,7 +169,7 @@ def fetch(self): continue except Exception as e: tmp_cache_file.unlink() - raise AssetError(self, "Unable to download: " % e) + raise AssetError(self, "Unable to download: %s" % e) =20 if not os.path.exists(tmp_cache_file): raise AssetError(self, "Download retries exceeded", transient= =3DTrue) --=20 2.47.3
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel P. Berrangé, Richard Henderson, Thomas Huth, Michael Tokarev
Subject: [Stable-10.0.7 75/81] tests/functional: handle URLError when fetching assets
Date: Fri, 21 Nov 2025 21:44:14 +0300
Message-ID: <20251121184424.1137669-75-mjt@tls.msk.ru>

From: Daniel P. Berrangé

We treat most HTTP errors as non-fatal when fetching assets, but forgot to handle network level errors. This adds catching of URLError so that we retry on failure, and will ultimately trigger graceful skipping in the pre-cache task.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Richard Henderson
Reviewed-by: Thomas Huth
Message-ID: <20250829142616.2633254-4-berrange@redhat.com>
Signed-off-by: Thomas Huth
(cherry picked from commit 335da23abec85cd2f6d10f1fe36b28a02088e723)
Signed-off-by: Michael Tokarev

diff --git a/tests/functional/qemu_test/asset.py b/tests/functional/qemu_te= st/asset.py index debed88f5e..5aceb8f27a 100644 --- a/tests/functional/qemu_test/asset.py +++ b/tests/functional/qemu_test/asset.py 
@@ -15,7 +15,7 @@ from time import sleep from pathlib import Path from shutil import copyfileobj -from urllib.error import HTTPError +from urllib.error import HTTPError, URLError =20 class AssetError(Exception): def __init__(self, asset, msg, transient=3DFalse): 
@@ -167,6 +167,14 @@ def fetch(self): raise AssetError(self, "Unable to download: " "HTTP error %d" % e.code) continue + except URLError as e: + # This is typically a network/service level error + # eg urlopen error [Errno 110] Connection timed out> + tmp_cache_file.unlink() + self.log.error("Unable to download %s: URL error %s", + self.url, e.reason) + raise AssetError(self, "Unable to download: URL error %s" % + e.reason, transient=3DTrue) except Exception as e: tmp_cache_file.unlink() raise AssetError(self, "Unable to download: %s" % e) --=20 2.47.3
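Review bot: The new `except URLError` branch in fetch() raises AssetError straight away, whereas the HTTPError branch above it ends in `continue`, so a network-level error gets no further attempt inside this loop even though the commit message says the change is there so that we retry on failure. If the retry is meant to come from the caller reacting to `transient=True`, say so in the comment above `tmp_cache_file.unlink()`; otherwise use `continue` here as the HTTP branch does.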
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Yannick Voßen, YannickV, "Edgar E. Iglesias", Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.0.7 76/81] hw/dma/zynq-devcfg: Fix register memory
Date: Fri, 21 Nov 2025 21:44:15 +0300
Message-ID: <20251121184424.1137669-76-mjt@tls.msk.ru>

From: Yannick Voßen

Registers are always 32 bit aligned. R_MAX is not the maximum register address, it is the maximum register number. The memory size can be determined by 4 * R_MAX.

Currently every register with an offset bigger than 0x40 will be ignored, because the memory size is set wrong. This affects the MCTRL register and makes it useless. This commit restores the correct behaviour.

Cc: qemu-stable@nongnu.org
Fixes: 034c2e69023 ("dma: Add Xilinx Zynq devcfg device model")
Signed-off-by: YannickV
Reviewed-by: Edgar E. Iglesias
Reviewed-by: Philippe Mathieu-Daudé
Message-ID: <20251111102836.212535-9-corvin.koehne@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit a344e22917f48d8cd876d72057bcfb938beb0630)
Signed-off-by: Michael Tokarev

diff --git a/hw/dma/xlnx-zynq-devcfg.c b/hw/dma/xlnx-zynq-devcfg.c index 0fd0d23f57..05b8979f4e 100644 --- a/hw/dma/xlnx-zynq-devcfg.c +++ b/hw/dma/xlnx-zynq-devcfg.c @@ -372,7 +372,7 @@ static void xlnx_zynq_devcfg_init(Object *obj) s->regs_info, s->regs, &xlnx_zynq_devcfg_reg_ops, XLNX_ZYNQ_DEVCFG_ERR_DEBUG, - XLNX_ZYNQ_DEVCFG_R_MAX); + XLNX_ZYNQ_DEVCFG_R_MAX * 4); memory_region_add_subregion(&s->iomem, A_CTRL, ®_array->mem); --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 176380347925791.11224023284183; Sat, 22 Nov 2025 01:24:39 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMcrH-00060Q-Lk; Fri, 21 Nov 2025 20:56:16 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMbke-00008L-4Z; Fri, 21 Nov 2025 19:45:21 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMbib-0007Il-CD; Fri, 21 Nov 2025 19:45:15 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 4C89916CA88; Fri, 21 Nov 2025 21:44:30 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id F04B2321CC4; Fri, 21 Nov 2025 21:44:38 +0300 (MSK) 
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Gustavo Romero, Thomas Huth, Michael Tokarev
Subject: [Stable-10.0.7 77/81] hw/southbridge/lasi: Correct LasiState parent
Date: Fri, 21 Nov 2025 21:44:16 +0300
Message-ID: <20251121184424.1137669-77-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

TYPE_LASI_CHIP inherits from TYPE_SYS_BUS_DEVICE, not TYPE_PCI_HOST_BRIDGE, so its parent structure is of SysBusDevice type.

Cc: qemu-stable@nongnu.org
Fixes: 376b851909d ("hppa: Add support for LASI chip with i82596 NIC")
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Gustavo Romero
Reviewed-by: Thomas Huth
Message-Id: <20251117091804.56529-1-philmd@linaro.org>
(cherry picked from commit 9c3b76a0d40671cbdf1f97c662311ec8bb517c76)
(Mjt: context fixup)
Signed-off-by: Michael Tokarev

diff --git a/include/hw/misc/lasi.h b/include/hw/misc/lasi.h index f01c0f680a..4a8e6df3ab 100644 --- a/include/hw/misc/lasi.h +++ b/include/hw/misc/lasi.h
@@ -13,8 +13,8 @@ #define LASI_H =20 #include "exec/address-spaces.h" -#include "hw/pci/pci_host.h" #include "hw/boards.h" +#include "hw/sysbus.h" =20 #define TYPE_LASI_CHIP "lasi-chip" OBJECT_DECLARE_SIMPLE_TYPE(LasiState, LASI_CHIP) @@ -61,7 +61,7 @@ OBJECT_DECLARE_SIMPLE_TYPE(LasiState, LASI_CHIP) #define LASI_IRQ_PS2MOU_HPA 26 =20 struct LasiState { - PCIHostState parent_obj; + SysBusDevice parent_obj; =20 uint32_t irr; uint32_t imr; --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763786530070746.9411262380298; Fri, 21 Nov 2025 20:42:10 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMct2-0007hG-66; Fri, 21 Nov 2025 20:58:05 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMbvn-00073q-H4; Fri, 21 Nov 2025 19:56:51 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMbtl-0001DP-04; Fri, 21 Nov 2025 19:56:47 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 6140616CA89; Fri, 21 Nov 2025 21:44:30 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 1CCB3321CC5; Fri, 21 Nov 2025 21:44:39 +0300 (MSK) 
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.0.7 78/81] target/i386: Mark VPERMILPS as not valid with prefix 0
Date: Fri, 21 Nov 2025 21:44:17 +0300
Message-ID: <20251121184424.1137669-78-mjt@tls.msk.ru>

From: Peter Maydell

There are a small set of binary SSE insns which have no MMX equivalent, which we create the gen functions for with the BINARY_INT_SSE() macro. This forwards to gen_binary_int_sse() with a NULL pointer for 'mmx'.

For almost all of these insns we correctly mark them in the decode table as not permitting a zero prefix byte; however we got this wrong for VPERMILPS, with the result that a bogus instruction would get through the decode checks and end up in gen_binary_int_sse() trying to call a NULL pointer.

Correct the decode table entry for VPERMILPS so that we get the expected #UD exception.

In the x86 SDM, table A-4 "Three-byte Opcode Map: 08H-FFH (First Two Bytes are 0F 38H)" confirms that there is no pfx 0 version of VPERMILPS.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3199
Signed-off-by: Peter Maydell
Link: https://lore.kernel.org/r/20251114175417.2794804-1-peter.maydell@linaro.org
Signed-off-by: Paolo Bonzini
(cherry picked from commit ebd9ea2947d88f237e20333fe547ca8817d0b0ee)
Signed-off-by: Michael Tokarev

diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.= c.inc index 223f39ae0c..66a506c497 100644 --- a/target/i386/tcg/decode-new.c.inc +++ b/target/i386/tcg/decode-new.c.inc
@@ -643,7 +643,7 @@ static const X86OpEntry opcodes_0F38_00toEF[240] =3D { [0x0a] =3D X86_OP_ENTRY3(PSIGND, V,x, H,x, W,x, vex4 cpuid= (SSSE3) mmx avx2_256 p_00_66), [0x0b] =3D X86_OP_ENTRY3(PMULHRSW, V,x, H,x, W,x, vex4 cpuid= (SSSE3) mmx avx2_256 p_00_66), /* Listed incorrectly as type 4 */ - [0x0c] =3D X86_OP_ENTRY3(VPERMILPS, V,x, H,x, W,x, vex6 chk(W= 0) cpuid(AVX) p_00_66), + [0x0c] =3D X86_OP_ENTRY3(VPERMILPS, V,x, H,x, W,x, vex6 chk(W= 0) cpuid(AVX) p_66), [0x0d] =3D X86_OP_ENTRY3(VPERMILPD, V,x, H,x, W,x, vex6 chk(W= 0) cpuid(AVX) p_66), [0x0e] =3D X86_OP_ENTRY3(VTESTPS, None,None, V,x, W,x, vex6 chk(W= 0) cpuid(AVX) p_66), [0x0f] =3D X86_OP_ENTRY3(VTESTPD, None,None, V,x, W,x, vex6 chk(W= 0) cpuid(AVX) p_66), --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763787647874597.552736678089; Fri, 21 Nov 2025 21:00:47 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMcvs-0001To-3f; Fri, 21 Nov 2025 21:01:01 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMbyQ-0008RF-TP; Fri, 21 Nov 2025 19:59:34 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMbyF-00022V-Fs; Fri, 21 Nov 2025 19:59:30 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 7E69116CA8A; Fri, 21 Nov 2025 21:44:30 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by 
tsrv.corpit.ru (Postfix) with ESMTP id 31FA4321CC6; Fri, 21 Nov 2025 21:44:39 +0300 (MSK)

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.0.7 79/81] target/i386/tcg: validate segment registers
Date: Fri, 21 Nov 2025 21:44:18 +0300
Message-ID: <20251121184424.1137669-79-mjt@tls.msk.ru>

From: Paolo Bonzini

Correctly reject invalid segment registers, including CS when used as the destination of a MOV. Ignore the REX prefix as well.

Fixes: 5e9e21bcc4d ("target/i386: move 60-BF opcodes to new decoder", 2024-05-07)
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3195
Signed-off-by: Paolo Bonzini
(cherry picked from commit ebb46ba6a4a20d393a6889c21e8a80dabab4cc8e)
Signed-off-by: Michael Tokarev

diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.= c.inc index 66a506c497..61303232b7 100644 --- a/target/i386/tcg/decode-new.c.inc +++ b/target/i386/tcg/decode-new.c.inc
@@ -2059,7 +2059,12 @@ static bool decode_op(DisasContext *s, CPUX86State *= env, X86DecodedInsn *decode, =20 case X86_TYPE_S: /* reg selects a segment register */ op->unit =3D X86_OP_SEG; - goto get_reg; + op->n =3D (get_modrm(s, env) >> 3) & 7; + /* Values outside [CDEFGS]S, as well as storing to CS, are invalid= . */ + if (op->n >=3D 6 || (op->n =3D=3D R_CS && op =3D=3D &decode->op[0]= )) { + return false; + } + break; =20 case X86_TYPE_P: op->unit =3D X86_OP_MMX; --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763785591234776.9206269887176; Fri, 21 Nov 2025 20:26:31 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMd5y-0003vc-Vy; Fri, 21 Nov 2025 21:11:28 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcst-0007f9-3H; Fri, 21 Nov 2025 20:57:55 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcrW-0007RM-TV; Fri, 21 Nov 2025 20:57:51 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id C56D616CA8B; Fri, 21 Nov 2025 21:44:30 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 847C7321CC7; Fri, 21 Nov 2025 21:44:39 +0300 (MSK) 
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.0.7 80/81] target/i386: svm: fix sign extension of exit code
Date: Fri, 21 Nov 2025 21:44:19 +0300
Message-ID: <20251121184424.1137669-80-mjt@tls.msk.ru>

From: Paolo Bonzini

The exit_code parameter of cpu_vmexit is declared as uint32_t, but exit codes are 64 bits wide according to the AMD SVM specification. And because uint32_t is unsigned, this causes exit codes to be zero-extended, for example writing SVM_EXIT_ERR as 0xffff_ffff instead of the expected 0xffff_ffff_ffff_ffff.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2977
Signed-off-by: Paolo Bonzini
(cherry picked from commit 9c3afb9d9b92d166d227b43d890c6a8ad33a928d)
Signed-off-by: Michael Tokarev

diff --git a/target/i386/tcg/helper-tcg.h b/target/i386/tcg/helper-tcg.h index 54d845379c..906d32970d 100644 --- a/target/i386/tcg/helper-tcg.h
+++ b/target/i386/tcg/helper-tcg.h @@ -100,7 +100,7 @@ void cpu_load_eflags(CPUX86State *env, int eflags, int = update_mask); =20 /* sysemu/svm_helper.c */ #ifndef CONFIG_USER_ONLY -G_NORETURN void cpu_vmexit(CPUX86State *nenv, uint32_t exit_code, +G_NORETURN void cpu_vmexit(CPUX86State *nenv, uint64_t exit_code, uint64_t exit_info_1, uintptr_t retaddr); void do_vmexit(CPUX86State *env); #endif diff --git a/target/i386/tcg/system/svm_helper.c b/target/i386/tcg/system/s= vm_helper.c index fd9fadad00..70bbde305c 100644 --- a/target/i386/tcg/system/svm_helper.c +++ b/target/i386/tcg/system/svm_helper.c @@ -128,7 +128,7 @@ static inline bool virtual_gif_enabled(CPUX86State *env) return false; } =20 -static inline bool virtual_vm_load_save_enabled(CPUX86State *env, uint32_t= exit_code, uintptr_t retaddr) +static inline bool virtual_vm_load_save_enabled(CPUX86State *env, uint64_t= exit_code, uintptr_t retaddr) { uint64_t lbr_ctl; =20 @@ -723,7 +723,7 @@ void helper_svm_check_io(CPUX86State *env, uint32_t por= t, uint32_t param, } } =20 -void cpu_vmexit(CPUX86State *env, uint32_t exit_code, uint64_t exit_info_1, +void cpu_vmexit(CPUX86State *env, uint64_t exit_code, uint64_t exit_info_1, uintptr_t retaddr) { CPUState *cs =3D env_cpu(env); 
@@ -732,7 +732,7 @@ void cpu_vmexit(CPUX86State *env, uint32_t exit_code, u= int64_t exit_info_1, =20 qemu_log_mask(CPU_LOG_TB_IN_ASM, "vmexit(%08x, %016" PRIx64 ", %016" PRIx64 ", " TARGET_FMT_lx ")!\n", - exit_code, exit_info_1, + (uint32_t)exit_code, exit_info_1, x86_ldq_phys(cs, env->vm_vmcb + offsetof(struct vmcb, control.exit_info_2)), env->eip); --=20 2.47.3 From nobody Tue Feb 10 01:32:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763783526465962.563245369564; Fri, 21 Nov 2025 19:52:06 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMd4G-0002WP-3E; Fri, 21 Nov 2025 21:09:41 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcVO-0000xC-FP; Fri, 21 Nov 2025 20:33:38 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMcTL-0001Mr-8y; Fri, 21 Nov 2025 20:33:33 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 16B0C16CA8C; Fri, 21 Nov 2025 21:44:31 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id CB323321CC8; Fri, 21 Nov 2025 21:44:39 +0300 (MSK) 
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.0.7 81/81] target/i386: fix stack size when delivering real mode interrupts
Date: Fri, 21 Nov 2025 21:44:20 +0300
Message-ID: <20251121184424.1137669-81-mjt@tls.msk.ru>

From: Paolo Bonzini

The stack can be 32-bit even in real mode, and in this case the stack pointer must be updated in its entirety rather than just the bottom 16 bits. The same is true of real mode IRET, for which there was even a comment suggesting the right thing to do.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1506
Signed-off-by: Paolo Bonzini
(cherry picked from commit 106d766c9d5b549bc9780d2d2c519aa2bbebc89a)
Signed-off-by: Michael Tokarev

diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c index 71962113fb..603993ea03 100644 --- a/target/i386/tcg/seg_helper.c +++ b/target/i386/tcg/seg_helper.c
@@ -1135,7 +1135,7 @@ static void do_interrupt_real(CPUX86State *env, int i= ntno, int is_int, sa.env =3D env; sa.ra =3D 0; sa.sp =3D env->regs[R_ESP]; - sa.sp_mask =3D 0xffff; + sa.sp_mask =3D get_sp_mask(env->segs[R_SS].flags); sa.ss_base =3D env->segs[R_SS].base; sa.mmu_index =3D x86_mmu_index_pl(env, 0); =20 @@ -1933,7 +1933,7 @@ void helper_iret_real(CPUX86State *env, int shift) sa.env =3D env; sa.ra =3D GETPC(); sa.mmu_index =3D x86_mmu_index_pl(env, 0); - sa.sp_mask =3D 0xffff; /* XXXX: use SS segment size? */ + sa.sp_mask =3D get_sp_mask(env->segs[R_SS].flags); sa.sp =3D env->regs[R_ESP]; sa.ss_base =3D env->segs[R_SS].base; =20 --=20 2.47.3
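Review bot: in the new `except URLError` branch of fetch() (the hunk at @@ -167,6 +167,14), `tmp_cache_file.unlink()` runs before the AssetError is raised, so if the temporary file does not exist when the connection fails, the unlink raises first and the caller never sees the error marked `transient=True`. If `tmp_cache_file` is a pathlib.Path, `tmp_cache_file.unlink(missing_ok=True)` avoids that, and the same applies to the generic `except Exception` branch just below. Keeping this clause after the HTTP error handling is right, since HTTPError is a subclass of URLError.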
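Review bot: in xlnx_zynq_devcfg_init() (hw/dma/xlnx-zynq-devcfg.c, @@ -372,7 +372,7), the size argument `XLNX_ZYNQ_DEVCFG_R_MAX * 4` hard-codes the register width. This value decides which guest MMIO offsets are routed to `s->regs`, so it should be derived from the array it covers, for example `XLNX_ZYNQ_DEVCFG_R_MAX * sizeof(s->regs[0])`, to keep the region and the backing storage from drifting apart. The commit message calls R_MAX the "maximum register number"; a one-line comment saying whether that is a count or the highest index would settle whether the last register is inside the region.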
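Review bot: in struct LasiState (include/hw/misc/lasi.h, @@ -61,7 +61,7), nothing at compile time ties the type of `parent_obj` to the parent named in the type registration, which is how `PCIHostState parent_obj;` went unnoticed on a sysbus device. Since this change alters the instance layout and drops `#include "hw/pci/pci_host.h"`, it is worth confirming that no LASI code still casts the device to a PCI host type or reads PCIHostState fields through it; the removed include only catches uses that reached that header through lasi.h.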
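Review bot: the `[0x0c]` VPERMILPS entry in opcodes_0F38_00toEF (target/i386/tcg/decode-new.c.inc, @@ -643,7 +643,7) is corrected to `p_66`, but the failure mode described in the commit message, gen_binary_int_sse() calling a NULL 'mmx' pointer, stays reachable for any future entry that is mis-marked the same way. Consider a defensive check at that call site so that a table mistake ends in a controlled illegal-opcode path rather than a NULL call in the host process, and a decode test for the 0F 38 0C encoding without the 66 prefix that expects #UD.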
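Review bot: in the X86_TYPE_S case of decode_op() (target/i386/tcg/decode-new.c.inc, @@ -2059,7 +2059,12), the check `op == &decode->op[0]` identifies "storing to CS" by operand position, which silently assumes operand 0 is the written operand for every table entry that uses type S. State that assumption in the comment, and note there that masking with `& 7` is what deliberately ignores REX.R, as the commit message says. The literal `6` in `op->n >= 6` would read better as a named count of segment registers.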
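Review bot: in the qemu_log_mask() call of cpu_vmexit() (target/i386/tcg/system/svm_helper.c, @@ -732,7 +732,7), the added cast `(uint32_t)exit_code` with the unchanged `%08x` format truncates the value this patch just widened, so SVM_EXIT_ERR is still logged as ffffffff and the trace cannot show whether the 64-bit code is correct. Suggest switching that field to `%016" PRIx64 "` and passing `exit_code` uncast, matching how `exit_info_1` is printed on the same line.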
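Review bot: in helper_iret_real() (target/i386/tcg/seg_helper.c, @@ -1933,7 +1933,7), the old `/* XXXX: use SS segment size? */` comment is removed without leaving any explanation of why a real-mode path now consults `env->segs[R_SS].flags`. A short comment at both sites, here and in do_interrupt_real(), saying that the stack can be 32-bit in real mode (as the commit message puts it) would keep someone from "simplifying" the mask back to 0xffff. A regression test that delivers an interrupt and returns with a 32-bit SS in real mode would lock in the behaviour.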