From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Jaehoon Kim, Matthew Rosato, Farhan Ali, Eric Farman, Thomas Huth, Michael Tokarev
Subject: [Stable-10.0.9 01/44] s390x/pci: Fix endianness for zPCI BAR values.
Date: Wed, 11 Mar 2026 18:01:33 +0300
Message-ID: <20260311150221.1084186-1-mjt@tls.msk.ru>

From: Jaehoon Kim

During zPCI scan, BAR configuration data retrieved via CLP Query was misinterpreted due to an endianness mismatch between QEMU and the guest kernel.

The guest kernel's clp_store_query_pci_fn() expects BAR values in little-endian format and converts them with le32_to_cpu(). However, QEMU was incorrectly sending them in big-endian format, not following the architecture specification.

This caused incorrect bit-swapping in the kernel, leading zpci_setup_bus_resources() to perform registration checks against invalid flags, making the process ineffective.

Observation values for zPCI device (NVMe passthrough):

LPAR from real CLP:
[ 0.865595] Resource: PCI Bus 0000:00 -> zdev->bar[0].val: 0x4
[ 0.865597] start: 0x4000000000000000
[ 0.865598] end: 0x4000000000003fff
[ 0.865600] flags: 0x100200

QEMU before fix (wrong):
[ 0.601083] Resource: PCI Bus 0001:00 -> zdev->bar[0].val: 0x4000000
[ 0.601085] start: 0x4003000000000000
[ 0.601086] end: 0x4003000000003fff
[ 0.601087] flags: 0x200

QEMU after fix (correct):
[ 0.601116] Resource: PCI Bus 0001:00 -> zdev->bar[0].val: 0x4
[ 0.601117] start: 0x4003000000000000
[ 0.601118] end: 0x4003000000003fff
[ 0.601119] flags: 0x100200

Signed-off-by: Jaehoon Kim
Reviewed-by: Matthew Rosato
Reviewed-by: Farhan Ali
Reviewed-by: Eric Farman
Message-ID: <20260206164645.1845366-1-jhkim@linux.ibm.com>
Signed-off-by: Thomas Huth
(cherry picked from commit 00ebc44514a67fb75a46d60e4b44614ebf91230f)
Signed-off-by: Michael Tokarev

diff --git a/hw/s390x/s390-pci-inst.c b/hw/s390x/s390-pci-inst.c index 8cdeb6cb7f..6d95b96bef 100644 --- a/hw/s390x/s390-pci-inst.c +++ b/hw/s390x/s390-pci-inst.c 
@@ -305,7 +305,7 @@ int clp_service_call(S390CPU *cpu, uint8_t r2, uintptr_= t ra) uint32_t data =3D pci_get_long(pbdev->pdev->config + PCI_BASE_ADDRESS_0 + (i * 4)); =20 - stl_be_p(&resquery->bar[i], data); + stl_le_p(&resquery->bar[i], data); resquery->bar_size[i] =3D pbdev->pdev->io_regions[i].size ? ctz64(pbdev->pdev->io_regions[i].size)= : 0; trace_s390_pci_bar(i, --=20 2.47.3

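Review bot: the stl_le_p(&resquery->bar[i], data) store in clp_service_call() (hw/s390x/s390-pci-inst.c) has no comment saying why the BAR value is written little-endian, so a later reader may take the _le_ variant for a mistake and change it back. The commit message gives the reason (the guest's clp_store_query_pci_fn() applies le32_to_cpu() to the BAR values); a one-line comment to that effect above the store would keep the reasoning next to the code. A guest-visible check that bar[0].val reads 0x4 and flags reads 0x100200, the values quoted in the commit message, would catch a recurrence.
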
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Mohamed Mediouni, Pierrick Bouvier, Michael Tokarev
Subject: [Stable-10.0.9 02/44] plugins: fix cross-build using LLVM for Windows targets
Date: Wed, 11 Mar 2026 18:01:34 +0300
Message-ID: <20260311150221.1084186-2-mjt@tls.msk.ru>

From: Mohamed Mediouni

llvm-dlltool assumes that it's by default targeting the host architecture it's running on. That assumption doesn't hold true when cross-compiling.

Signed-off-by: Mohamed Mediouni
Reviewed-by: Pierrick Bouvier
Tested-by: Pierrick Bouvier
Link: https://lore.kernel.org/qemu-devel/20260210040722.11375-1-mohamed@unpredictable.fr
Signed-off-by: Pierrick Bouvier
(cherry picked from commit b0353beebb0c4fa4059c88362561a8362ada8b4c)
Signed-off-by: Michael Tokarev

diff --git a/plugins/meson.build b/plugins/meson.build index 3be8245a69..5f655d81f3 100644 --- a/plugins/meson.build +++ b/plugins/meson.build 
@@ -41,9 +41,16 @@ if host_os =3D=3D 'windows' # to find missing symbols in current program. win32_qemu_plugin_api_link_flags =3D ['-Lplugins', '-lqemu_plugin_api'] if meson.get_compiler('c').get_id() =3D=3D 'clang' + if host_machine.cpu() =3D=3D 'x86_64' + dlltool_target =3D 'i386:x86-64' + elif host_machine.cpu() =3D=3D 'aarch64' + dlltool_target =3D 'arm64' + else + error('Unknown machine') + endif # With LLVM/lld, delaylib is specified at link time (-delayload) dlltool =3D find_program('llvm-dlltool', required: true) - dlltool_cmd =3D [dlltool, '-d', '@INPUT@', '-l', '@OUTPUT@', '-D', 'qe= mu.exe'] + dlltool_cmd =3D [dlltool, '-m', dlltool_target,'-d', '@INPUT@', '-l', = '@OUTPUT@', '-D', 'qemu.exe'] win32_qemu_plugin_api_link_flags +=3D ['-Wl,-delayload=3Dqemu.exe'] else # With gcc/ld, delay lib is built with a specific delay parameter. --=20 2.47.3

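Review bot: the new if/elif chain on host_machine.cpu() in plugins/meson.build ends in error('Unknown machine'), so a clang build for Windows on any CPU other than x86_64 or aarch64 now fails at configure time, where the old dlltool_cmd ran llvm-dlltool without -m for every CPU. If such targets are still meant to build, keep the old command without '-m' as the fallback; if they are not, name the CPU in the message, for example error('Unsupported CPU for llvm-dlltool: ' + host_machine.cpu()), so the failure is diagnosable from the log. Style: the new dlltool_cmd line is missing the space after the comma in dlltool_target,'-d'.
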
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, John Snow, Peter Maydell, Thomas Huth, Michael Tokarev
Subject: [Stable-10.0.9 03/44] python: drop uses of pkg_resources
Date: Wed, 11 Mar 2026 18:01:35 +0300
Message-ID: <20260311150221.1084186-3-mjt@tls.msk.ru>

From: John Snow

pkg_resources has been fully dropped from modern pip/setuptools distributions and we should phase out its use.

This patch is enough to, by itself, repair most GitLab CI tests upstream; with the exception of tox tests which are still making use of avocado - which will be dropped in a separate series to restore functionality there.

Signed-off-by: John Snow
Suggested-by: Peter Maydell
Message-ID: <20260211195804.135144-3-jsnow@redhat.com>
Signed-off-by: Thomas Huth (cherry picked from commit e44a26ba940214824b61976324058e73d9f41658) Signed-off-by: Michael Tokarev diff --git a/python/setup.py b/python/setup.py index c5bc45919a..789fa39b0f 100755 --- a/python/setup.py +++ b/python/setup.py @@ -7,7 +7,6 @@ import setuptools from setuptools.command import bdist_egg import sys -import pkg_resources =20 =20 class bdist_egg_guard(bdist_egg.bdist_egg): 
@@ -30,9 +29,6 @@ def main(): QEMU tooling installer """ =20 - # https://medium.com/@daveshawley/safely-using-setup-cfg-for-metadata-= 1babbe54c108 - pkg_resources.require('setuptools>=3D39.2') - setuptools.setup(cmdclass=3D{'bdist_egg': bdist_egg_guard}) =20 =20 --=20 2.47.3

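Review bot: removing pkg_resources.require('setuptools>=39.2') from main() in python/setup.py drops the only minimum-version check on setuptools visible in this file, and nothing replaces it. The deleted comment tied that floor to safe handling of setup.cfg metadata, so an older setuptools would now proceed into setuptools.setup() instead of stopping with a clear error. If the floor still matters, declare it where the build front end enforces it (for example the build-system requires list in pyproject.toml); if it does not, say so in the commit message so the removal is recorded as intentional.
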
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Kohei Tokunaga, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.0.9 04/44] contrib/plugins: Fix type conflict of GLib function pointers
Date: Wed, 11 Mar 2026 18:01:36 +0300
Message-ID: <20260311150221.1084186-4-mjt@tls.msk.ru>

From: Kohei Tokunaga

On Emscripten, function pointer casts can result in runtime failures due to strict function signature checks. This affects the use of g_list_sort and g_slist_sort, which internally perform function pointer casts that are not supported by Emscripten. To avoid these issues, g_list_sort_with_data and g_slist_sort_with_data should be used instead, as they do not rely on function pointer casting.

Signed-off-by: Kohei Tokunaga Reviewed-by: Philippe Mathieu-Daud=C3=A9 Message-ID: <0fcddfca16ca8da2bdaa7b2c114476f5b73d032b.1745295397.git.ktokun= aga.mail@gmail.com> Signed-off-by: Philippe Mathieu-Daud=C3=A9 (cherry picked from commit 01499add2ae6529589002860e1880ff193a6578a) Signed-off-by: Michael Tokarev diff --git a/contrib/plugins/cache.c b/contrib/plugins/cache.c index 7cfd3df249..56508587d3 100644 --- a/contrib/plugins/cache.c +++ b/contrib/plugins/cache.c @@ -576,7 +576,7 @@ static void sum_stats(void) } } =20 -static int dcmp(gconstpointer a, gconstpointer b) +static int dcmp(gconstpointer a, gconstpointer b, gpointer d) { InsnData *insn_a =3D (InsnData *) a; InsnData *insn_b =3D (InsnData *) b; @@ -584,7 +584,7 @@ static int dcmp(gconstpointer a, gconstpointer b) return insn_a->l1_dmisses < insn_b->l1_dmisses ? 1 : -1; } =20 -static int icmp(gconstpointer a, gconstpointer b) +static int icmp(gconstpointer a, gconstpointer b, gpointer d) { InsnData *insn_a =3D (InsnData *) a; InsnData *insn_b =3D (InsnData *) b; @@ -592,7 +592,7 @@ static int icmp(gconstpointer a, gconstpointer b) return insn_a->l1_imisses < insn_b->l1_imisses ? 1 : -1; } =20 -static int l2_cmp(gconstpointer a, gconstpointer b) +static int l2_cmp(gconstpointer a, gconstpointer b, gpointer d) { InsnData *insn_a =3D (InsnData *) a; InsnData *insn_b =3D (InsnData *) b; @@ -645,7 +645,7 @@ static void log_top_insns(void) InsnData *insn; =20 miss_insns =3D g_hash_table_get_values(miss_ht); - miss_insns =3D g_list_sort(miss_insns, dcmp); + miss_insns =3D g_list_sort_with_data(miss_insns, dcmp, NULL); g_autoptr(GString) rep =3D g_string_new(""); g_string_append_printf(rep, "%s", "address, data misses, instruction\n= "); =20 
@@ -659,7 +659,7 @@ static void log_top_insns(void) insn->l1_dmisses, insn->disas_str); } =20 - miss_insns =3D g_list_sort(miss_insns, icmp); + miss_insns =3D g_list_sort_with_data(miss_insns, icmp, NULL); g_string_append_printf(rep, "%s", "\naddress, fetch misses, instructio= n\n"); =20 for (curr =3D miss_insns, i =3D 0; curr && i < limit; i++, curr =3D cu= rr->next) { @@ -676,7 +676,7 @@ static void log_top_insns(void) goto finish; } =20 - miss_insns =3D g_list_sort(miss_insns, l2_cmp); + miss_insns =3D g_list_sort_with_data(miss_insns, l2_cmp, NULL); g_string_append_printf(rep, "%s", "\naddress, L2 misses, instruction\n= "); =20 for (curr =3D miss_insns, i =3D 0; curr && i < limit; i++, curr =3D cu= rr->next) { diff --git a/contrib/plugins/cflow.c b/contrib/plugins/cflow.c index 930ecb46fc..b5e33f25f9 100644 --- a/contrib/plugins/cflow.c +++ b/contrib/plugins/cflow.c @@ -98,7 +98,7 @@ static GHashTable *nodes; struct qemu_plugin_scoreboard *state; =20 /* SORT_HOTTEST */ -static gint hottest(gconstpointer a, gconstpointer b) +static gint hottest(gconstpointer a, gconstpointer b, gpointer d) { NodeData *na =3D (NodeData *) a; NodeData *nb =3D (NodeData *) b; @@ -107,7 +107,7 @@ static gint hottest(gconstpointer a, gconstpointer b) na->dest_count =3D=3D nb->dest_count ? 0 : 1; } =20 -static gint exception(gconstpointer a, gconstpointer b) +static gint exception(gconstpointer a, gconstpointer b, gpointer d) { NodeData *na =3D (NodeData *) a; NodeData *nb =3D (NodeData *) b; @@ -116,7 +116,7 @@ static gint exception(gconstpointer a, gconstpointer b) na->early_exit =3D=3D nb->early_exit ? 0 : 1; } =20 -static gint popular(gconstpointer a, gconstpointer b) +static gint popular(gconstpointer a, gconstpointer b, gpointer d) { NodeData *na =3D (NodeData *) a; NodeData *nb =3D (NodeData *) b; 
@@ -138,7 +138,7 @@ static void plugin_exit(qemu_plugin_id_t id, void *p) { g_autoptr(GString) result =3D g_string_new("collected "); GList *data; - GCompareFunc sort =3D &hottest; + GCompareDataFunc sort =3D &hottest; int i =3D 0; =20 g_mutex_lock(&node_lock); @@ -162,7 +162,7 @@ static void plugin_exit(qemu_plugin_id_t id, void *p) break; } =20 - data =3D g_list_sort(data, sort); + data =3D g_list_sort_with_data(data, sort, NULL); =20 for (GList *l =3D data; l !=3D NULL && i < topn; diff --git a/contrib/plugins/hotblocks.c b/contrib/plugins/hotblocks.c index f12bfb7a26..98404b6885 100644 --- a/contrib/plugins/hotblocks.c +++ b/contrib/plugins/hotblocks.c @@ -39,7 +39,7 @@ typedef struct { unsigned long insns; } ExecCount; =20 -static gint cmp_exec_count(gconstpointer a, gconstpointer b) +static gint cmp_exec_count(gconstpointer a, gconstpointer b, gpointer d) { ExecCount *ea =3D (ExecCount *) a; ExecCount *eb =3D (ExecCount *) b; @@ -79,7 +79,7 @@ static void plugin_exit(qemu_plugin_id_t id, void *p) g_string_append_printf(report, "%d entries in the hash table\n", g_hash_table_size(hotblocks)); counts =3D g_hash_table_get_values(hotblocks); - it =3D g_list_sort(counts, cmp_exec_count); + it =3D g_list_sort_with_data(counts, cmp_exec_count, NULL); =20 if (it) { g_string_append_printf(report, "pc, tcount, icount, ecount\n"); diff --git a/contrib/plugins/hotpages.c b/contrib/plugins/hotpages.c index c6e6493719..9d48ac969e 100644 --- a/contrib/plugins/hotpages.c +++ b/contrib/plugins/hotpages.c @@ -48,7 +48,7 @@ typedef struct { static GMutex lock; static GHashTable *pages; =20 -static gint cmp_access_count(gconstpointer a, gconstpointer b) +static gint cmp_access_count(gconstpointer a, gconstpointer b, gpointer d) { PageCounters *ea =3D (PageCounters *) a; PageCounters *eb =3D (PageCounters *) b; 
@@ -83,7 +83,7 @@ static void plugin_exit(qemu_plugin_id_t id, void *p) if (counts && g_list_next(counts)) { GList *it; =20 - it =3D g_list_sort(counts, cmp_access_count); + it =3D g_list_sort_with_data(counts, cmp_access_count, NULL); =20 for (i =3D 0; i < limit && it->next; i++, it =3D it->next) { PageCounters *rec =3D (PageCounters *) it->data; diff --git a/contrib/plugins/howvec.c b/contrib/plugins/howvec.c index 2aa9029c3f..42bddb6566 100644 --- a/contrib/plugins/howvec.c +++ b/contrib/plugins/howvec.c @@ -155,7 +155,7 @@ static ClassSelector class_tables[] =3D { static InsnClassExecCount *class_table; static int class_table_sz; =20 -static gint cmp_exec_count(gconstpointer a, gconstpointer b) +static gint cmp_exec_count(gconstpointer a, gconstpointer b, gpointer d) { InsnExecCount *ea =3D (InsnExecCount *) a; InsnExecCount *eb =3D (InsnExecCount *) b; @@ -208,7 +208,7 @@ static void plugin_exit(qemu_plugin_id_t id, void *p) counts =3D g_hash_table_get_values(insns); if (counts && g_list_next(counts)) { g_string_append_printf(report, "Individual Instructions:\n"); - counts =3D g_list_sort(counts, cmp_exec_count); + counts =3D g_list_sort_with_data(counts, cmp_exec_count, NULL); =20 for (i =3D 0; i < limit && g_list_next(counts); i++, counts =3D g_list_next(counts)) { diff --git a/contrib/plugins/hwprofile.c b/contrib/plugins/hwprofile.c index 2a4cbc47d4..a9838ccc87 100644 --- a/contrib/plugins/hwprofile.c +++ b/contrib/plugins/hwprofile.c @@ -71,7 +71,7 @@ static void plugin_init(void) devices =3D g_hash_table_new(NULL, NULL); } =20 -static gint sort_cmp(gconstpointer a, gconstpointer b) +static gint sort_cmp(gconstpointer a, gconstpointer b, gpointer d) { DeviceCounts *ea =3D (DeviceCounts *) a; DeviceCounts *eb =3D (DeviceCounts *) b; 
@@ -79,7 +79,7 @@ static gint sort_cmp(gconstpointer a, gconstpointer b) eb->totals.reads + eb->totals.writes ? -1 : 1; } =20 -static gint sort_loc(gconstpointer a, gconstpointer b) +static gint sort_loc(gconstpointer a, gconstpointer b, gpointer d) { IOLocationCounts *ea =3D (IOLocationCounts *) a; IOLocationCounts *eb =3D (IOLocationCounts *) b; @@ -126,13 +126,13 @@ static void plugin_exit(qemu_plugin_id_t id, void *p) if (counts && g_list_next(counts)) { GList *it; =20 - it =3D g_list_sort(counts, sort_cmp); + it =3D g_list_sort_with_data(counts, sort_cmp, NULL); =20 while (it) { DeviceCounts *rec =3D (DeviceCounts *) it->data; if (rec->detail) { GList *accesses =3D g_hash_table_get_values(rec->detail); - GList *io_it =3D g_list_sort(accesses, sort_loc); + GList *io_it =3D g_list_sort_with_data(accesses, sort_loc,= NULL); const char *prefix =3D pattern ? "off" : "pc"; g_string_append_printf(report, "%s @ 0x%"PRIx64"\n", rec->name, rec->base); diff --git a/tests/tcg/plugins/mem.c b/tests/tcg/plugins/mem.c index d87d6628e0..ca4e8883dd 100644 --- a/tests/tcg/plugins/mem.c +++ b/tests/tcg/plugins/mem.c @@ -67,7 +67,7 @@ static enum qemu_plugin_mem_rw rw =3D QEMU_PLUGIN_MEM_RW; static GMutex lock; static GHashTable *regions; =20 -static gint addr_order(gconstpointer a, gconstpointer b) +static gint addr_order(gconstpointer a, gconstpointer b, gpointer d) { RegionInfo *na =3D (RegionInfo *) a; RegionInfo *nb =3D (RegionInfo *) b; @@ -94,7 +94,7 @@ static void plugin_exit(qemu_plugin_id_t id, void *p) if (do_region_summary) { GList *counts =3D g_hash_table_get_values(regions); =20 - counts =3D g_list_sort(counts, addr_order); + counts =3D g_list_sort_with_data(counts, addr_order, NULL); =20 g_string_printf(out, "Region Base, Reads, Writes, Seen all\n"); =20 diff --git a/tests/tcg/plugins/syscall.c b/tests/tcg/plugins/syscall.c index 47aad55fc1..42801f5c86 100644 --- a/tests/tcg/plugins/syscall.c +++ b/tests/tcg/plugins/syscall.c 
@@ -180,7 +180,7 @@ static void print_entry(gpointer val, gpointer user_dat= a) qemu_plugin_outs(out); } =20 -static gint comp_func(gconstpointer ea, gconstpointer eb) +static gint comp_func(gconstpointer ea, gconstpointer eb, gpointer d) { SyscallStats *ent_a =3D (SyscallStats *) ea; SyscallStats *ent_b =3D (SyscallStats *) eb; 
@@ -197,7 +197,7 @@ static void plugin_exit(qemu_plugin_id_t id, void *p) =20 g_mutex_lock(&lock); GList *entries =3D g_hash_table_get_values(statistics); - entries =3D g_list_sort(entries, comp_func); + entries =3D g_list_sort_with_data(entries, comp_func, NULL); qemu_plugin_outs("syscall no. calls errors\n"); =20 g_list_foreach(entries, print_entry, NULL); --=20 2.47.3
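Review bot: the third parameter `d` added to sort_loc, addr_order and comp_func is never used in any of the three bodies; name it `user_data` to match the GCompareDataFunc prototype or mark it G_GNUC_UNUSED so builds with -Wunused-parameter stay quiet. The first call site now passes sort_cmp to g_list_sort_with_data as well, but the only trace of sort_cmp in these lines is the hunk-header context showing the two-argument form; confirm its signature is changed in the same patch, because calling a two-argument comparator through a three-argument function pointer type is undefined behaviour and trips function-pointer type checks such as CFI.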
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Alex Bradbury, Manos Pitsidianakis, Pierrick Bouvier, Michael Tokarev
Subject: [Stable-10.0.9 05/44] contrib/plugins/hotblocks: Correctly free sorted counts list
Date: Wed, 11 Mar 2026 18:01:37 +0300
Message-ID: <20260311150221.1084186-5-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Alex Bradbury

g_list_free should be passed the head of the list.

Signed-off-by: Alex Bradbury
Reviewed-by: Manos Pitsidianakis
Reviewed-by: Pierrick Bouvier
Link: https://lore.kernel.org/qemu-devel/cf5a00136738b981a12270b76572e8d502daf208.1753857212.git.asb@igalia.com
Signed-off-by: Pierrick Bouvier
(cherry picked from commit 90fabd5ddace6ffa5a62a5186201fd071b4e2b74)
Signed-off-by: Michael Tokarev
diff --git a/contrib/plugins/hotblocks.c b/contrib/plugins/hotblocks.c index 98404b6885..d3dd23ed9f 100644 --- a/contrib/plugins/hotblocks.c +++ b/contrib/plugins/hotblocks.c @@ -73,15 +73,16 @@ static void exec_count_free(gpointer key, gpointer valu= e, gpointer user_data) static void plugin_exit(qemu_plugin_id_t id, void *p) { g_autoptr(GString) report =3D g_string_new("collected "); - GList *counts, *it; + GList *counts, *sorted_counts, *it; int i; =20 g_string_append_printf(report, "%d entries in the hash table\n", g_hash_table_size(hotblocks)); counts =3D g_hash_table_get_values(hotblocks); - it =3D g_list_sort_with_data(counts, cmp_exec_count, NULL); + sorted_counts =3D g_list_sort_with_data(counts, cmp_exec_count, NULL); =20 - if (it) { + if (sorted_counts) { + it =3D sorted_counts; g_string_append_printf(report, "pc, tcount, icount, ecount\n"); =20 for (i =3D 0; i < limit && it->next; i++, it =3D it->next) { 
@@ -94,7 +95,7 @@ static void plugin_exit(qemu_plugin_id_t id, void *p) qemu_plugin_scoreboard_u64(rec->exec_count))); } =20 - g_list_free(it); + g_list_free(sorted_counts); } =20 qemu_plugin_outs(report->str); --=20 2.47.3
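Review bot: in plugin_exit, `counts` still holds the pre-sort head after `sorted_counts = g_list_sort_with_data(counts, cmp_exec_count, NULL)`, and that element need not be the head any more; assigning the result back into `counts` instead of adding a second variable would leave exactly one pointer that is valid to free and keeps a later g_list_free(counts) from being added by mistake. The commit message could also say what the old code did: `it` had already been advanced by the loop, so g_list_free(it) released only the nodes from the stop position onward and the nodes before it were leaked.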
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Alex Bradbury, Pierrick Bouvier, Michael Tokarev
Subject: [Stable-10.0.9 06/44] contrib/plugins/hotblocks: Fix off by one error in iteration of sorted blocks
Date: Wed, 11 Mar 2026 18:01:38 +0300
Message-ID: <20260311150221.1084186-6-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Alex Bradbury

The logic to iterate over the hottest blocks will never reach the last
item in the list, as it checks `it->next != NULL` before entering the
loop. It's hard to trigger this off-by-one error with the default
limit=20, but it is a bug and is problematic if that default is changed
to something larger.

Signed-off-by: Alex Bradbury
Reviewed-by: Pierrick Bouvier
Link: https://lore.kernel.org/qemu-devel/f1ba2e57c6126472c0c8310774009f2455efc370.1753857212.git.asb@igalia.com
Signed-off-by: Pierrick Bouvier
(cherry picked from commit 1c1e45fcd66269f8a6dbd97fd7b8267d8f6f58af)
Signed-off-by: Michael Tokarev
diff --git a/contrib/plugins/hotblocks.c b/contrib/plugins/hotblocks.c index d3dd23ed9f..cf4d6b8c36 100644 --- a/contrib/plugins/hotblocks.c +++ b/contrib/plugins/hotblocks.c
@@ -82,10 +82,9 @@ static void plugin_exit(qemu_plugin_id_t id, void *p) sorted_counts =3D g_list_sort_with_data(counts, cmp_exec_count, NULL); =20 if (sorted_counts) { - it =3D sorted_counts; g_string_append_printf(report, "pc, tcount, icount, ecount\n"); =20 - for (i =3D 0; i < limit && it->next; i++, it =3D it->next) { + for (i =3D 0, it =3D sorted_counts; i < limit && it; i++, it =3D i= t->next) { ExecCount *rec =3D (ExecCount *) it->data; g_string_append_printf( report, "0x%016"PRIx64", %d, %ld, %"PRId64"\n", --=20 2.47.3
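Review bot: now that the for loop in plugin_exit stops on `it` being NULL, the enclosing `if (sorted_counts)` no longer protects the iteration and only decides whether the "pc, tcount, icount, ecount" header is printed; a short comment saying so would keep a later cleanup from dropping it or from reintroducing an `it->next` test. Nothing in the patch exercises the case the commit message describes, so a test that runs with fewer blocks than `limit` and checks that the last block is reported would pin the fix.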
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Alex Bradbury, Manos Pitsidianakis, Pierrick Bouvier, Michael Tokarev
Subject: [Stable-10.0.9 07/44] contrib/plugins/hotblocks: Print uint64_t with PRIu64 rather than PRId64
Date: Wed, 11 Mar 2026 18:01:39 +0300
Message-ID: <20260311150221.1084186-7-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Alex Bradbury

qemu_plugin_u64_sum returns a uint64_t, so PRIu64 is the correct format
specifier.

Signed-off-by: Alex Bradbury
Reviewed-by: Manos Pitsidianakis
Reviewed-by: Pierrick Bouvier
Link: https://lore.kernel.org/qemu-devel/5d26c9d99ee87ac4a4034ff64e3d8881253eedf3.1753857212.git.asb@igalia.com
Signed-off-by: Pierrick Bouvier
(cherry picked from commit e777f6ab91406884136b5679a9d64124832668d8)
Signed-off-by: Michael Tokarev
diff --git a/contrib/plugins/hotblocks.c b/contrib/plugins/hotblocks.c index cf4d6b8c36..40d8dae1cd 100644 --- a/contrib/plugins/hotblocks.c +++ b/contrib/plugins/hotblocks.c 
@@ -87,7 +87,7 @@ static void plugin_exit(qemu_plugin_id_t id, void *p) for (i =3D 0, it =3D sorted_counts; i < limit && it; i++, it =3D i= t->next) { ExecCount *rec =3D (ExecCount *) it->data; g_string_append_printf( - report, "0x%016"PRIx64", %d, %ld, %"PRId64"\n", + report, "0x%016"PRIx64", %d, %ld, %"PRIu64"\n", rec->start_addr, rec->trans_count, rec->insns, qemu_plugin_u64_sum( --=20 2.47.3
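Review bot: the same format string in g_string_append_printf still uses `%d` for rec->trans_count and `%ld` for rec->insns, and neither declaration is in the hunk; check both while touching this line, since `%ld` is only correct for a `long`, which is 32 bits wide on LLP64 hosts. If either field is unsigned or a fixed-width type, switch it to the matching `%u`, `%lu` or PRI macro in the same change so the whole call is consistent.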
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Alex Bradbury, Pierrick Bouvier, Michael Tokarev
Subject: [Stable-10.0.9 08/44] docs/about/emulation: Add documentation for hotblocks plugin arguments
Date: Wed, 11 Mar 2026 18:01:40 +0300
Message-ID: <20260311150221.1084186-8-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Alex Bradbury

Currently just 'inline'.

Signed-off-by: Alex Bradbury
Reviewed-by: Pierrick Bouvier
Link: https://lore.kernel.org/qemu-devel/35128cc5a86a0c18418f9d3150fb8771c54ef7d8.1753857212.git.asb@igalia.com
Signed-off-by: Pierrick Bouvier
(cherry picked from commit e4ed74c9aef68cb2e7c10c2b7597fee5491a506a)
Signed-off-by: Michael Tokarev
diff --git a/docs/about/emulation.rst b/docs/about/emulation.rst index a72591ee4d..73b193a727 100644 --- a/docs/about/emulation.rst
+++ b/docs/about/emulation.rst 
@@ -463,6 +463,16 @@ Example:: 0x000000004002b0, 1, 4, 66087 ... =20 +Behaviour can be tweaked with the following arguments: + +.. list-table:: Hot Blocks plugin arguments + :widths: 20 80 + :header-rows: 1 + + * - Option + - Description + * - inline=3Dtrue|false + - Use faster inline addition of a single counter. =20 Hot Pages ......... --=20 2.47.3
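Review bot: the new `inline=true|false` row in the Hot Blocks list-table does not say which value is the default or what is given up on the faster path, so a reader cannot tell whether the option needs to be passed at all; add the default to the Description cell and, if the non-inline mode collects anything extra, say what.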
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Jamin Lin, Cédric Le Goater, Michael Tokarev
Subject: [Stable-10.0.9 09/44] hw/i2c/aspeed_i2c: Fix out-of-bounds read in I2C MMIO handlers
Date: Wed, 11 Mar 2026 18:01:41 +0300
Message-ID: <20260311150221.1084186-9-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Jamin Lin

The ASPEED I2C controller exposes a per-bus MMIO window of 0x80 bytes on
AST2600/AST1030/AST2700, but the backing regs[] array was sized for only
28 dwords (0x70 bytes). This allows guest reads in the range [0x70..0x7f]
to index past the end of regs[].

Fix this by:
- Sizing ASPEED_I2C_NEW_NUM_REG to match the 0x80-byte window
  (0x80 >> 2 = 32 dwords).
- Avoiding an unconditional pre-read from regs[] in the legacy/new read
  handlers. Initialize the return value to -1 and only read regs[] for
  offsets that are explicitly handled/valid, leaving invalid offsets to
  return -1 with a guest error log.

Signed-off-by: Jamin Lin
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3290
Reviewed-by: Cédric Le Goater
Link: https://lore.kernel.org/qemu-devel/20260210024331.3984696-2-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater
(cherry picked from commit c2c5beec42bf9872b37e78b9e259132df7435cb5)
Signed-off-by: Michael Tokarev
diff --git a/hw/i2c/aspeed_i2c.c b/hw/i2c/aspeed_i2c.c index f4f6e8aff9..35026fba00 100644 --- a/hw/i2c/aspeed_i2c.c +++ b/hw/i2c/aspeed_i2c.c @@ -94,7 +94,7 @@ static uint64_t aspeed_i2c_bus_old_read(AspeedI2CBus *bus= , hwaddr offset, unsigned size) { AspeedI2CClass *aic =3D ASPEED_I2C_GET_CLASS(bus->controller); - uint64_t value =3D bus->regs[offset / sizeof(*bus->regs)]; + uint64_t value =3D -1; =20 switch (offset) { case A_I2CD_FUN_CTRL: @@ -105,7 +105,7 @@ static uint64_t aspeed_i2c_bus_old_read(AspeedI2CBus *b= us, hwaddr offset, case A_I2CD_DEV_ADDR: case A_I2CD_POOL_CTRL: case A_I2CD_BYTE_BUF: - /* Value is already set, don't do anything. */ + value =3D bus->regs[offset / sizeof(*bus->regs)]; break; case A_I2CD_CMD: value =3D SHARED_FIELD_DP32(value, BUS_BUSY_STS, i2c_bus_busy(bus-= >bus));
@@ -113,21 +113,20 @@ static uint64_t aspeed_i2c_bus_old_read(AspeedI2CBus = *bus, hwaddr offset, case A_I2CD_DMA_ADDR: if (!aic->has_dma) { qemu_log_mask(LOG_GUEST_ERROR, "%s: No DMA support\n", __func= __); - value =3D -1; break; } + value =3D bus->regs[offset / sizeof(*bus->regs)]; break; case A_I2CD_DMA_LEN: if (!aic->has_dma) { qemu_log_mask(LOG_GUEST_ERROR, "%s: No DMA support\n", __func= __); - value =3D -1; + break; } + value =3D bus->regs[offset / sizeof(*bus->regs)]; break; - default: qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__, off= set); - value =3D -1; break; } =20 @@ -139,7 +138,7 @@ static uint64_t aspeed_i2c_bus_new_read(AspeedI2CBus *b= us, hwaddr offset, unsigned size) { AspeedI2CClass *aic =3D ASPEED_I2C_GET_CLASS(bus->controller); - uint64_t value =3D bus->regs[offset / sizeof(*bus->regs)]; + uint64_t value =3D -1; =20 switch (offset) { case A_I2CC_FUN_CTRL: @@ -159,13 +158,12 @@ static uint64_t aspeed_i2c_bus_new_read(AspeedI2CBus = *bus, hwaddr offset, case A_I2CS_CMD: case A_I2CS_INTR_CTRL: case A_I2CS_DMA_LEN_STS: - /* Value is already set, don't do anything. */ + case A_I2CS_INTR_STS: + value =3D bus->regs[offset / sizeof(*bus->regs)]; break; case A_I2CC_DMA_ADDR: value =3D extract64(bus->dma_dram_offset, 0, 32); break; - case A_I2CS_INTR_STS: - break; case A_I2CM_CMD: value =3D SHARED_FIELD_DP32(value, BUS_BUSY_STS, i2c_bus_busy(bus-= >bus)); break; @@ -176,13 +174,13 @@ static uint64_t aspeed_i2c_bus_new_read(AspeedI2CBus = *bus, hwaddr offset, if (!aic->has_dma64) { qemu_log_mask(LOG_GUEST_ERROR, "%s: No DMA 64 bits support\n", __func__); - value =3D -1; + break; } + value =3D bus->regs[offset / sizeof(*bus->regs)]; break; default: qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__, off= set); - value =3D -1; break; } =20 diff --git a/include/hw/i2c/aspeed_i2c.h b/include/hw/i2c/aspeed_i2c.h index 2c4c81bd20..29b2b5cb80 100644 --- a/include/hw/i2c/aspeed_i2c.h 
+++ b/include/hw/i2c/aspeed_i2c.h 
@@ -37,8 +37,7 @@ OBJECT_DECLARE_TYPE(AspeedI2CState, AspeedI2CClass, ASPEE= D_I2C) #define ASPEED_I2C_NR_BUSSES 16 #define ASPEED_I2C_SHARE_POOL_SIZE 0x800 #define ASPEED_I2C_BUS_POOL_SIZE 0x20 -#define ASPEED_I2C_OLD_NUM_REG 11 -#define ASPEED_I2C_NEW_NUM_REG 28 +#define ASPEED_I2C_NEW_NUM_REG (0x80 >> 2) =20 #define A_I2CD_M_STOP_CMD BIT(5) #define A_I2CD_M_RX_CMD BIT(3) --=20 2.47.3
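
Review bot: ASPEED_I2C_NEW_NUM_REG goes from the literal 28 to (0x80 >> 2), which is 32, and the define carries no comment saying what 0x80 stands for (presumably a byte size converted to 32-bit words by the shift). A one-line comment on the define would make the four extra entries read as intent. The hunk also drops ASPEED_I2C_OLD_NUM_REG, so every former user of that name has to be converted in the same patch, which the lines shown here do not cover.
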
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Richard Henderson, Peter Maydell, Michael Tokarev
Subject: [Stable-10.0.9 10/44] target/arm: Introduce ARMCPU.sme_max_vq
Date: Wed, 11 Mar 2026 18:01:42 +0300
Message-ID: <20260311150221.1084186-10-mjt@tls.msk.ru>

From: Richard Henderson

Reviewed-by: Peter Maydell
Signed-off-by: Richard Henderson
Message-id: 20250704142112.1018902-25-richard.henderson@linaro.org
Signed-off-by: Peter Maydell
(cherry picked from commit c48d0471beb0cb197efda0b2be3fa75b4628a673)
(this change itself is a no-op for 10.0.x but is required for subsequent changes)
Signed-off-by: Michael Tokarev

diff --git a/target/arm/cpu.h b/target/arm/cpu.h index a8177c6c2e..28342d6efc 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h
@@ -1125,6 +1125,7 @@ struct ArchCPU { =20 /* Used to set the maximum vector length the cpu will support. */ uint32_t sve_max_vq; + uint32_t sme_max_vq; =20 #ifdef CONFIG_USER_ONLY /* Used to set the default vector length at process start. */ diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c index 8188ede5cc..4633c86e93 100644 --- a/target/arm/cpu64.c +++ b/target/arm/cpu64.c 
@@ -337,6 +337,7 @@ void arm_cpu_sme_finalize(ARMCPU *cpu, Error **errp) } =20 cpu->sme_vq.map =3D vq_map; + cpu->sme_max_vq =3D 32 - clz32(vq_map); } =20 static bool cpu_arm_get_sme(Object *obj, Error **errp) --=20 2.47.3
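
Review bot: the new sme_max_vq field in struct ArchCPU has no comment of its own; the existing "Used to set the maximum vector length the cpu will support" line sits above sve_max_vq and does not say that the new field is derived in arm_cpu_sme_finalize() instead of being set. There it is computed as 32 - clz32(vq_map), that is, the position of the highest set bit plus one, so a short comment saying so (and that an empty map yields 0, since QEMU's clz32() returns 32 for zero) would help. The assignment sits only at the end of the function as shown, so check that any earlier return leaves the field at a defined value.
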
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Alex Bennée, Philippe Mathieu-Daudé, Richard Henderson, Michael Tokarev
Subject: [Stable-10.0.9 11/44] target/arm: Account for SME in aarch64_sve_narrow_vq() assertion
Date: Wed, 11 Mar 2026 18:01:43 +0300
Message-ID: <20260311150221.1084186-11-mjt@tls.msk.ru>

From: Peter Maydell

In aarch64_sve_narrow_vq() we assert that the new VQ is within
the maximum supported range for the CPU. We forgot to update this
to account for SME, which might have a different maximum.

Update the assert to permit any VQ which is valid for either SVE or SME.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell
Reviewed-by: Alex Bennée
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Richard Henderson
Message-id: 20260202133353.2231685-2-peter.maydell@linaro.org
(cherry picked from commit 42eab40a12f12f044a5ca7b7d889d9a1f0d172ee)
Signed-off-by: Michael Tokarev

diff --git a/target/arm/helper.c b/target/arm/helper.c index 9df41f7248..cd577e794f 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -11590,7 +11590,7 @@ void aarch64_sve_narrow_vq(CPUARMState *env, unsign= ed vq) uint64_t pmask; =20 assert(vq >=3D 1 && vq <=3D ARM_MAX_VQ); - assert(vq <=3D env_archcpu(env)->sve_max_vq); + assert(vq <=3D arm_max_vq(env_archcpu(env))); =20 /* Zap the high bits of the zregs. */ for (i =3D 0; i < 32; i++) { diff --git a/target/arm/internals.h b/target/arm/internals.h index 28585c0755..17221c847d 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h
@@ -1878,6 +1878,15 @@ static inline uint64_t arm_mdcr_el2_eff(CPUARMState = *env) ((1 << (1 - 1)) | (1 << (2 - 1)) | \ (1 << (4 - 1)) | (1 << (8 - 1)) | (1 << (16 - 1))) =20 +/* + * Return the maximum SVE/SME VQ for this CPU. This defines + * the maximum possible size of the Zn vector registers. + */ +static inline int arm_max_vq(ARMCPU *cpu) +{ + return MAX(cpu->sve_max_vq, cpu->sme_max_vq); +} + /* * Return true if it is possible to take a fine-grained-trap to EL2. */ --=20 2.47.3
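
Review bot: arm_max_vq() in internals.h returns int although sve_max_vq and sme_max_vq are both uint32_t, and the caller in aarch64_sve_narrow_vq() compares the result against an unsigned vq, so the new assert mixes signed and unsigned operands. Returning uint32_t (or unsigned) would keep the bound check in one type. The assert is the only guard shown before the loop that zaps the high bits of the zregs, so the comparison is worth keeping unambiguous.
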
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Richard Henderson, Manos Pitsidianakis, Michael Tokarev
Subject: [Stable-10.0.9 12/44] target/arm: Fix feature check in DO_SVE2_RRX, DO_SVE2_RRX_TB
Date: Wed, 11 Mar 2026 18:01:44 +0300
Message-ID: <20260311150221.1084186-12-mjt@tls.msk.ru>

From: Peter Maydell

In the macros DO_SVE2_RRX and DO_SVE2_RRX_TB we use the
feature check aa64_sve, thus exposing this set of instructions
in SVE as well as SVE2. Use aa64_sve2 instead, so they UNDEF
on an SVE1-only CPU as they should.

Strictly, the condition here should be "SVE2 or SME"; but we
will correct that in a following commit with all the other
missing "or SME" checks.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson Reviewed-by: Manos Pitsidianakis Message-id: 20260202133353.2231685-4-peter.maydell@linaro.org (cherry picked from commit ee5bf0962ed6e0eb42d6bc9bfb3687f2408e3580) Signed-off-by: Michael Tokarev diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c index b6fa0b67b1..81616210aa 100644 --- a/target/arm/tcg/translate-sve.c +++ b/target/arm/tcg/translate-sve.c @@ -3427,7 +3427,7 @@ TRANS_FEAT(USDOT_zzxw_s, aa64_sve_i8mm, gen_gvec_ool_= arg_zzxz, gen_helper_gvec_usdot_idx_b, a) =20 #define DO_SVE2_RRX(NAME, FUNC) \ - TRANS_FEAT(NAME, aa64_sve, gen_gvec_ool_zzz, FUNC, \ + TRANS_FEAT(NAME, aa64_sve2, gen_gvec_ool_zzz, FUNC, \ a->rd, a->rn, a->rm, a->index) =20 DO_SVE2_RRX(MUL_zzx_h, gen_helper_gvec_mul_idx_h) 
@@ -3445,7 +3445,7 @@ DO_SVE2_RRX(SQRDMULH_zzx_d, gen_helper_sve2_sqrdmulh_= idx_d) #undef DO_SVE2_RRX =20 #define DO_SVE2_RRX_TB(NAME, FUNC, TOP) \ - TRANS_FEAT(NAME, aa64_sve, gen_gvec_ool_zzz, FUNC, \ + TRANS_FEAT(NAME, aa64_sve2, gen_gvec_ool_zzz, FUNC, \ a->rd, a->rn, a->rm, (a->index << 1) | TOP) =20 DO_SVE2_RRX_TB(SQDMULLB_zzx_s, gen_helper_sve2_sqdmull_idx_s, false) --=20 2.47.3
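
Review bot: the commit message states that the correct condition for DO_SVE2_RRX and DO_SVE2_RRX_TB is "SVE2 or SME" and defers it to a following commit, but neither TRANS_FEAT line carries a comment recording that. For a stable backport, either add a short note at the two macros or confirm that the follow-up "or SME" commit is part of this series, so the aa64_sve2 check is not read as the final condition.
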
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Akihiko Odaki, Dmitry Osipenko, Joelle van Dyne, "Michael S. Tsirkin", Michael Tokarev
Subject: [Stable-10.0.9 13/44] virtio-gpu-virgl: Add virtio-gpu-virgl-hostmem-region type
Date: Wed, 11 Mar 2026 18:01:45 +0300
Message-ID: <20260311150221.1084186-13-mjt@tls.msk.ru>

From: Akihiko Odaki

Commit e27194e087ae ("virtio-gpu-virgl: correct parent for blob memory
region") made the name member of MemoryRegion unset, causing a NULL
pointer dereference[1]:

> Thread 2 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
> (gdb) bt
> #0 0x00007ffff56565e2 in __strcmp_evex () at /lib64/libc.so.6
> #1 0x0000555555841bdb in find_fd (head=0x5555572337d0 ,
> name=0x0, id=0) at ../migration/cpr.c:68
> #2 cpr_delete_fd (name=name@entry=0x0, id=id@entry=0) at
> ../migration/cpr.c:77
> #3 0x000055555582290a in qemu_ram_free (block=0x7ff7e93aa7f0) at
> ../system/physmem.c:2615
> #4 0x000055555581ae02 in memory_region_finalize (obj=)
> at ../system/memory.c:1816
> #5 0x0000555555a70ab9 in object_deinit (obj=,
> type=) at ../qom/object.c:715
> #6 object_finalize (data=0x7ff7e936eff0) at ../qom/object.c:729
> #7 object_unref (objptr=0x7ff7e936eff0) at ../qom/object.c:1232
> #8 0x0000555555814fae in memory_region_unref (mr=) at
> ../system/memory.c:1848
> #9 flatview_destroy (view=0x555559ed6c40) at ../system/memory.c:301
> #10 0x0000555555bfc122 in call_rcu_thread (opaque=) at
> ../util/rcu.c:324
> #11 0x0000555555bf17a7 in qemu_thread_start (args=0x555557b99520) at
> ../util/qemu-thread-posix.c:393
> #12 0x00007ffff556f464 in start_thread () at /lib64/libc.so.6
> #13 0x00007ffff55f25ac in __clone3 () at /lib64/libc.so.6

The intention of the aforementioned commit is to prevent a MemoryRegion
from parenting itself while its references are counted independently of
the device. To achieve the same goal, add a type of QOM objects that
count references and parent MemoryRegions.

[1] https://lore.kernel.org/qemu-devel/4eb93d7a-1fa9-4b3c-8ad7-a2eb64f025a0@collabora.com/

Cc: qemu-stable@nongnu.org
Fixes: e27194e087ae ("virtio-gpu-virgl: correct parent for blob memory region")
Fixes: 8d5a8ebaaff2 ("virtio-gpu-virgl: correct parent for blob memory region") in 10.0.x
Signed-off-by: Akihiko Odaki Tested-by: Dmitry Osipenko Tested-by: Joelle van Dyne Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin Message-Id: <20260214-region-v1-1-229f00ae1f38@rsg.ci.i.u-tokyo.ac.jp> (cherry picked from commit b2a279094c3b86667969cc645f7fb1087e08dd19) Signed-off-by: Michael Tokarev diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c index b25ddc0746..362828f54e 100644 --- a/hw/display/virtio-gpu-virgl.c +++ b/hw/display/virtio-gpu-virgl.c @@ -52,11 +52,17 @@ virgl_get_egl_display(G_GNUC_UNUSED void *cookie) =20 #if VIRGL_VERSION_MAJOR >=3D 1 struct virtio_gpu_virgl_hostmem_region { + Object parent_obj; MemoryRegion mr; struct VirtIOGPU *g; bool finish_unmapping; }; =20 +#define TYPE_VIRTIO_GPU_VIRGL_HOSTMEM_REGION "virtio-gpu-virgl-hostmem-reg= ion" + +OBJECT_DECLARE_SIMPLE_TYPE(virtio_gpu_virgl_hostmem_region, + VIRTIO_GPU_VIRGL_HOSTMEM_REGION) + static struct virtio_gpu_virgl_hostmem_region * to_hostmem_region(MemoryRegion *mr) { @@ -70,14 +76,22 @@ static void virtio_gpu_virgl_resume_cmdq_bh(void *opaqu= e) virtio_gpu_process_cmdq(g); } =20 -static void virtio_gpu_virgl_hostmem_region_free(void *obj) +/* + * MR could outlive the resource if MR's reference is held outside of + * virtio-gpu. In order to prevent unmapping resource while MR is alive, + * and thus, making the data pointer invalid, we will block virtio-gpu + * command processing until MR is fully unreferenced and freed. + */ +static void virtio_gpu_virgl_hostmem_region_finalize(Object *obj) { - MemoryRegion *mr =3D MEMORY_REGION(obj); - struct virtio_gpu_virgl_hostmem_region *vmr; + struct virtio_gpu_virgl_hostmem_region *vmr =3D VIRTIO_GPU_VIRGL_HOSTM= EM_REGION(obj); VirtIOGPUBase *b; VirtIOGPUGL *gl; =20 - vmr =3D to_hostmem_region(mr); + if (!vmr->g) { + return; + } + vmr->finish_unmapping =3D true; =20 b =3D VIRTIO_GPU_BASE(vmr->g); 
@@ -92,11 +106,26 @@ static void virtio_gpu_virgl_hostmem_region_free(void = *obj) qemu_bh_schedule(gl->cmdq_resume_bh); } =20 +static const TypeInfo virtio_gpu_virgl_hostmem_region_info =3D { + .parent =3D TYPE_OBJECT, + .name =3D TYPE_VIRTIO_GPU_VIRGL_HOSTMEM_REGION, + .instance_size =3D sizeof(struct virtio_gpu_virgl_hostmem_region), + .instance_finalize =3D virtio_gpu_virgl_hostmem_region_finalize +}; + +static void virtio_gpu_virgl_types(void) +{ + type_register_static(&virtio_gpu_virgl_hostmem_region_info); +} + +type_init(virtio_gpu_virgl_types) + static int virtio_gpu_virgl_map_resource_blob(VirtIOGPU *g, struct virtio_gpu_virgl_resource *res, uint64_t offset) { + g_autofree char *name =3D NULL; struct virtio_gpu_virgl_hostmem_region *vmr; VirtIOGPUBase *b =3D VIRTIO_GPU_BASE(g); MemoryRegion *mr; @@ -117,21 +146,16 @@ virtio_gpu_virgl_map_resource_blob(VirtIOGPU *g, } =20 vmr =3D g_new0(struct virtio_gpu_virgl_hostmem_region, 1); + name =3D g_strdup_printf("blob[%" PRIu32 "]", res->base.resource_id); + object_initialize_child(OBJECT(g), name, vmr, + TYPE_VIRTIO_GPU_VIRGL_HOSTMEM_REGION); vmr->g =3D g; =20 mr =3D &vmr->mr; - memory_region_init_ram_ptr(mr, OBJECT(mr), NULL, size, data); + memory_region_init_ram_ptr(mr, OBJECT(vmr), "mr", size, data); memory_region_add_subregion(&b->hostmem, offset, mr); memory_region_set_enabled(mr, true); =20 - /* - * MR could outlive the resource if MR's reference is held outside of - * virtio-gpu. In order to prevent unmapping resource while MR is aliv= e, - * and thus, making the data pointer invalid, we will block virtio-gpu - * command processing until MR is fully unreferenced and freed. - */ - OBJECT(mr)->free =3D virtio_gpu_virgl_hostmem_region_free; - res->mr =3D mr; =20 return 0; 
@@ -159,7 +183,7 @@ virtio_gpu_virgl_unmap_resource_blob(VirtIOGPU *g, * 1. Begin async unmapping with memory_region_del_subregion() * and suspend/block cmd processing. * 2. Wait for res->mr to be freed and cmd processing resumed - * asynchronously by virtio_gpu_virgl_hostmem_region_free(). + * asynchronously by virtio_gpu_virgl_hostmem_region_finalize(). * 3. Finish the unmapping with final virgl_renderer_resource_unmap(). */ if (vmr->finish_unmapping) { 
@@ -182,7 +206,7 @@ virtio_gpu_virgl_unmap_resource_blob(VirtIOGPU *g, /* memory region owns self res->mr object and frees it by itself */ memory_region_set_enabled(mr, false); memory_region_del_subregion(&b->hostmem, mr); - object_unref(OBJECT(mr)); + object_unparent(OBJECT(vmr)); } =20 return 0; --=20 2.47.3
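
Review bot: in virtio_gpu_virgl_unmap_resource_blob() the context comment "memory region owns self res->mr object and frees it by itself" is left in place although the line under it now calls object_unparent(OBJECT(vmr)) and the region is owned by the new hostmem-region object; the comment should be updated to match. In virtio_gpu_virgl_hostmem_region_finalize() the early return on !vmr->g is undocumented: vmr->g is assigned only after object_initialize_child(), so a sentence saying which finalize path can see it unset would help. It is also worth stating where the g_new0() allocation is released, since the TypeInfo sets only instance_finalize.
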
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Manos Pitsidianakis, "Michael S. Tsirkin", Michael Tokarev
Subject: [Stable-10.0.9 14/44] virtio-snd: remove TODO comments
Date: Wed, 11 Mar 2026 18:01:46 +0300
Message-ID: <20260311150221.1084186-14-mjt@tls.msk.ru>

From: Manos Pitsidianakis

Replying with a VIRTIO_SND_S_BAD_MSG error does not warrant a device
reset. Instead, a device reset happens when the driver requests it from
the transport.

Signed-off-by: Manos Pitsidianakis
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
Message-Id: <20260220-virtio-snd-series-v1-2-207c4f7200a2@linaro.org>
(cherry picked from commit 34238f078a04f24b91199249b83846ab082b4e05)
(Mjt: pick this one up so the next commit applies cleanly)
Signed-off-by: Michael Tokarev
diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c index 0b47741f01..6266e84fd9 100644 --- a/hw/audio/virtio-snd.c +++ b/hw/audio/virtio-snd.c @@ -168,9 +168,6 @@ static void virtio_snd_handle_pcm_info(VirtIOSound *s, sizeof(virtio_snd_query_info)); =20 if (msg_sz !=3D sizeof(virtio_snd_query_info)) { - /* - * TODO: do we need to set DEVICE_NEEDS_RESET? - */ qemu_log_mask(LOG_GUEST_ERROR, "%s: virtio-snd command size incorrect %zu vs \ %zu\n", __func__, msg_sz, sizeof(virtio_snd_query_info)); @@ -184,9 +181,6 @@ static void virtio_snd_handle_pcm_info(VirtIOSound *s, =20 if (iov_size(cmd->elem->in_sg, cmd->elem->in_num) < sizeof(virtio_snd_hdr) + size * count) { - /* - * TODO: do we need to set DEVICE_NEEDS_RESET? - */ error_report("pcm info: buffer too small, got: %zu, needed: %zu", iov_size(cmd->elem->in_sg, cmd->elem->in_num), sizeof(virtio_snd_pcm_info)); @@ -244,9 +238,6 @@ uint32_t virtio_snd_set_pcm_params(VirtIOSound *s, virtio_snd_pcm_set_params *st_params; =20 if (stream_id >=3D s->snd_conf.streams || s->pcm->pcm_params =3D=3D NU= LL) { - /* - * TODO: do we need to set DEVICE_NEEDS_RESET? - */ virtio_error(VIRTIO_DEVICE(s), "Streams have not been initialized.= \n"); return cpu_to_le32(VIRTIO_SND_S_BAD_MSG); } @@ -297,9 +288,6 @@ static void virtio_snd_handle_pcm_set_params(VirtIOSoun= d *s, sizeof(virtio_snd_pcm_set_params)); =20 if (msg_sz !=3D sizeof(virtio_snd_pcm_set_params)) { - /* - * TODO: do we need to set DEVICE_NEEDS_RESET? - */ qemu_log_mask(LOG_GUEST_ERROR, "%s: virtio-snd command size incorrect %zu vs \ %zu\n", __func__, msg_sz, sizeof(virtio_snd_pcm_set_params= )); @@ -609,9 +597,6 @@ static void virtio_snd_handle_pcm_release(VirtIOSound *= s, sizeof(stream_id)); =20 if (msg_sz !=3D sizeof(stream_id)) { - /* - * TODO: do we need to set DEVICE_NEEDS_RESET? - */ qemu_log_mask(LOG_GUEST_ERROR, "%s: virtio-snd command size incorrect %zu vs \ %zu\n", __func__, msg_sz, sizeof(stream_id)); 
@@ -623,9 +608,6 @@ static void virtio_snd_handle_pcm_release(VirtIOSound *= s, trace_virtio_snd_handle_pcm_release(stream_id); stream =3D virtio_snd_pcm_get_stream(s, stream_id); if (stream =3D=3D NULL) { - /* - * TODO: do we need to set DEVICE_NEEDS_RESET? - */ error_report("already released stream %"PRIu32, stream_id); virtio_error(VIRTIO_DEVICE(s), "already released stream %"PRIu32, 
@@ -668,9 +650,6 @@ process_cmd(VirtIOSound *s, virtio_snd_ctrl_command *cm= d) sizeof(virtio_snd_hdr)); =20 if (msg_sz !=3D sizeof(virtio_snd_hdr)) { - /* - * TODO: do we need to set DEVICE_NEEDS_RESET? - */ qemu_log_mask(LOG_GUEST_ERROR, "%s: virtio-snd command size incorrect %zu vs \ %zu\n", __func__, msg_sz, sizeof(virtio_snd_hdr)); --=20 2.47.3
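Review bot: the hunks at -244 (virtio_snd_set_pcm_params) and -623 (virtio_snd_handle_pcm_release) drop the TODO but keep a virtio_error() call on the same path, and virtio_error() itself marks the device broken and raises DEVICE_NEEDS_RESET once VIRTIO 1 is negotiated. That sits oddly with the stated rationale that a VIRTIO_SND_S_BAD_MSG reply does not warrant a reset. If no reset is intended at those two sites, switch them to qemu_log_mask(LOG_GUEST_ERROR, ...) like the msg_sz checks; otherwise the commit message should say that these two paths still flag the device.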
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Manos Pitsidianakis, 罗铭源, "Michael S. Tsirkin", Michael Tokarev
Subject: [Stable-10.0.9 15/44] virtio-snd: handle 5.14.6.2 for PCM_INFO properly
Date: Wed, 11 Mar 2026 18:01:47 +0300
Message-ID: <20260311150221.1084186-15-mjt@tls.msk.ru>

From: Manos Pitsidianakis

The section 5.14.6.2 of the VIRTIO spec says:

  5.14.6.2 Driver Requirements: Item Information Request

  - The driver MUST NOT set start_id and count such that start_id +
    count is greater than the total number of particular items that is
    indicated in the device configuration space.

  - The driver MUST provide a buffer of sizeof(struct virtio_snd_hdr) +
    count * size bytes for the response.

While we performed some check for the second requirement, it failed to
check for integer overflow.

Add also a check for the first requirement, which should limit exposure
to any overflow, since realistically the number of streams will be low
enough in value such that overflow is improbable.

Cc: qemu-stable@nongnu.org
Reported-by: 罗铭源
Signed-off-by: Manos Pitsidianakis
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
Message-Id: <20260220-virtio-snd-series-v1-3-207c4f7200a2@linaro.org>
(cherry picked from commit 61679d7dcfa2dffc8fb115aa19b09e0e7cf5ea5c)
Signed-off-by: Michael Tokarev

diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c index 6266e84fd9..520fc7240c 100644 --- a/hw/audio/virtio-snd.c +++ b/hw/audio/virtio-snd.c @@ -156,7 +156,7 @@ static virtio_snd_pcm_set_params *virtio_snd_pcm_get_pa= rams(VirtIOSound *s, static void virtio_snd_handle_pcm_info(VirtIOSound *s, virtio_snd_ctrl_command *cmd) { - uint32_t stream_id, start_id, count, size; + uint32_t stream_id, start_id, count, size, tmp; virtio_snd_pcm_info val; virtio_snd_query_info req; VirtIOSoundPCMStream *stream =3D NULL;
@@ -179,11 +179,34 @@ static void virtio_snd_handle_pcm_info(VirtIOSound *s, count =3D le32_to_cpu(req.count); size =3D le32_to_cpu(req.size); =20 - if (iov_size(cmd->elem->in_sg, cmd->elem->in_num) < - sizeof(virtio_snd_hdr) + size * count) { + /* + * 5.14.6.2 Driver Requirements: Item Information Request + * "The driver MUST NOT set start_id and count such that start_id + co= unt + * is greater than the total number of particular items that is indica= ted + * in the device configuration space." + */ + if (start_id > s->snd_conf.streams + || !g_uint_checked_add(&tmp, start_id, count) + || start_id + count > s->snd_conf.streams) { + error_report("pcm info: start_id + count is greater than the total= " + "number of streams, got: start_id =3D %u, count =3D %= u", + start_id, count); + cmd->resp.code =3D cpu_to_le32(VIRTIO_SND_S_BAD_MSG); + return; + } + + /* + * 5.14.6.2 Driver Requirements: Item Information Request + * "The driver MUST provide a buffer of sizeof(struct virtio_snd_hdr) + + * count * size bytes for the response." 
+ */ + if (!g_uint_checked_mul(&tmp, size, count) + || !g_uint_checked_add(&tmp, tmp, sizeof(virtio_snd_hdr)) + || iov_size(cmd->elem->in_sg, cmd->elem->in_num) < + sizeof(virtio_snd_hdr) + size * count) { error_report("pcm info: buffer too small, got: %zu, needed: %zu", iov_size(cmd->elem->in_sg, cmd->elem->in_num), - sizeof(virtio_snd_pcm_info)); + sizeof(virtio_snd_pcm_info) * count); cmd->resp.code =3D cpu_to_le32(VIRTIO_SND_S_BAD_MSG); return; } --=20 2.47.3
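Review bot: in the -179 hunk of virtio_snd_handle_pcm_info() both new conditions compute an overflow-checked value into tmp and then ignore it, re-evaluating start_id + count and sizeof(virtio_snd_hdr) + size * count unchecked in the final clause. Compare against tmp instead (tmp > s->snd_conf.streams, and iov_size(...) < tmp) so the value tested is the one proven not to wrap. The "needed" figure in the error message, sizeof(virtio_snd_pcm_info) * count, is also not the quantity being compared, since it leaves out the header and uses the struct size rather than the guest-supplied size; printing tmp would keep the message honest. Both failures are guest-triggerable, so qemu_log_mask(LOG_GUEST_ERROR, ...) would fit better than error_report() and match the msg_sz check earlier in the function.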
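The two 5.14.6.2 requirements quoted in the commit message above, worked as a stand-alone C check. This is an added example, not code from the QEMU patch: it swaps GLib's g_uint_checked_add/g_uint_checked_mul for the GCC/Clang __builtin_*_overflow intrinsics, and HDR_SIZE, the verdict enum and both function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: stand-in for sizeof(struct virtio_snd_hdr), one le32 field. */
#define HDR_SIZE ((size_t)4)

enum req_verdict {
    REQ_OK,
    REQ_RANGE,     /* start_id + count exceeds the configured item total */
    REQ_OVERFLOW,  /* arithmetic on guest-supplied values wrapped */
    REQ_SHORT_BUF  /* response buffer smaller than hdr + count * size */
};

/*
 * Unchecked form of the buffer test: size * count is evaluated in 32 bits,
 * so a wrapped product makes a tiny buffer look large enough.
 */
static bool naive_buffer_ok(size_t resp_len, uint32_t count, uint32_t size)
{
    return resp_len >= HDR_SIZE + size * count;
}

/*
 * Checked form: every intermediate value derived from the guest request is
 * computed with overflow detection, and the comparisons use those results.
 */
static enum req_verdict check_item_request(uint32_t total, uint32_t start_id,
                                           uint32_t count, uint32_t size,
                                           size_t resp_len)
{
    uint32_t end, payload, need;

    /* Requirement 1: start_id + count must not exceed the item total. */
    if (__builtin_add_overflow(start_id, count, &end)) {
        return REQ_OVERFLOW;
    }
    if (end > total) {
        return REQ_RANGE;
    }

    /* Requirement 2: buffer holds sizeof(hdr) + count * size bytes. */
    if (__builtin_mul_overflow(size, count, &payload) ||
        __builtin_add_overflow(payload, HDR_SIZE, &need)) {
        return REQ_OVERFLOW;
    }
    if (resp_len < need) {
        return REQ_SHORT_BUF;
    }
    return REQ_OK;
}

int main(void)
{
    /* Constructed requests against a device that advertises 4 streams. */
    static const struct {
        uint32_t start_id, count, size;
        size_t resp_len;
    } reqs[] = {
        { 0, 4, 32, 132 },               /* well-formed */
        { 3, 2, 32, 1024 },              /* runs past the last stream */
        { 0xFFFFFFFFu, 2, 32, 1024 },    /* start_id + count wraps to 1 */
        { 0, 2, 0x80000000u, 64 },       /* size * count wraps to 0 */
    };

    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        printf("request %zu: naive=%d checked=%d\n", i,
               naive_buffer_ok(reqs[i].resp_len, reqs[i].count, reqs[i].size),
               (int)check_item_request(4, reqs[i].start_id, reqs[i].count,
                                       reqs[i].size, reqs[i].resp_len));
    }
    return 0;
}
```

The last constructed request is the interesting one: it passes the range check, so only the checked multiplication stops it.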
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Manos Pitsidianakis, DARKNAVY, "Michael S. Tsirkin", Michael Tokarev
Subject: [Stable-10.0.9 16/44] virtio-snd: fix max_size bounds check in input cb
Date: Wed, 11 Mar 2026 18:01:48 +0300
Message-ID: <20260311150221.1084186-16-mjt@tls.msk.ru>

From: Manos Pitsidianakis

In 98e77e3d we calculated the max size and checked that each buffer is
smaller than it.

We neglected to subtract the size of the virtio_snd_pcm_status header
from the max size, and max_size was thus larger than the correct value,
leading to potential OOB writes.

If the buffer cannot fit the header or can fit only the header, return
the buffer immediately.

Cc: qemu-stable@nongnu.org
Fixes: 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3 ("virtio-snd: add max size bounds check in input cb")
Reported-by: DARKNAVY
Signed-off-by: Manos Pitsidianakis
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
Message-Id: <20260220-virtio-snd-series-v1-4-207c4f7200a2@linaro.org>
(cherry picked from commit bcb53328aa70023f1405fade4e253e7f77567261)
Signed-off-by: Michael Tokarev

diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c index 520fc7240c..4ea2d4db95 100644 --- a/hw/audio/virtio-snd.c +++ b/hw/audio/virtio-snd.c
@@ -1255,6 +1255,12 @@ static void virtio_snd_pcm_in_cb(void *data, int ava= ilable) } =20 max_size =3D iov_size(buffer->elem->in_sg, buffer->elem->in_nu= m); + if (max_size <=3D sizeof(virtio_snd_pcm_status)) { + return_rx_buffer(stream, buffer); + continue; + } + max_size -=3D sizeof(virtio_snd_pcm_status); + for (;;) { if (buffer->size >=3D max_size) { return_rx_buffer(stream, buffer); --=20 2.47.3
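Review bot: the early return added before the for (;;) loop in virtio_snd_pcm_in_cb() uses continue, which is only safe if return_rx_buffer() also unlinks the buffer from stream->queue; if it does not, the enclosing while (!QSIMPLEQ_EMPTY(&stream->queue)) loop spins with queue_mutex held. Please confirm that and state it in a short comment above the branch, together with why max_size is reduced (it becomes the payload capacity once virtio_snd_pcm_status is reserved). A qemu_log_mask(LOG_GUEST_ERROR, ...) in the branch would also make a driver that posts header-sized buffers visible.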
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Manos Pitsidianakis, DARKNAVY, "Michael S. Tsirkin", Michael Tokarev
Subject: [Stable-10.0.9 17/44] virtio-snd: tighten read amount in in_cb
Date: Wed, 11 Mar 2026 18:01:49 +0300
Message-ID: <20260311150221.1084186-17-mjt@tls.msk.ru>

From: Manos Pitsidianakis

The amount of bytes to read passed to AUD_read() should never surpass
the maximum available buffer length. Tighten the current amount by
MIN(, max_size - ).

Cc: qemu-stable@nongnu.org
Fixes: 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3 ("virtio-snd: add max size bounds check in input cb")
Reported-by: DARKNAVY
Signed-off-by: Manos Pitsidianakis
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
Message-Id: <20260220-virtio-snd-series-v1-5-207c4f7200a2@linaro.org>
(cherry picked from commit 7994203bb1b83a6604f3ab00fe9598909bb66164)
Signed-off-by: Michael Tokarev

diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c index 4ea2d4db95..3653b52d7e 100644 --- a/hw/audio/virtio-snd.c +++ b/hw/audio/virtio-snd.c @@ -1240,7 +1240,7 @@ static void virtio_snd_pcm_in_cb(void *data, int avai= lable) { VirtIOSoundPCMStream *stream =3D data; VirtIOSoundPCMBuffer *buffer; - size_t size, max_size; + size_t size, max_size, to_read; =20 WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) { while (!QSIMPLEQ_EMPTY(&stream->queue)) {
@@ -1266,10 +1266,12 @@ static void virtio_snd_pcm_in_cb(void *data, int av= ailable) return_rx_buffer(stream, buffer); break; } + to_read =3D stream->params.period_bytes - buffer->size; + to_read =3D MIN(to_read, available); + to_read =3D MIN(to_read, max_size - buffer->size); size =3D AUD_read(stream->voice.in, - buffer->data + buffer->size, - MIN(available, (stream->params.period_bytes - - buffer->size))); + buffer->data + buffer->size, + to_read); if (!size) { available =3D 0; break; --=20 2.47.3
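Review bot: in the -1266 hunk, to_read = MIN(to_read, available) compares a size_t with the int parameter available, so a negative available is converted to a very large unsigned value and stops limiting the read; the clamp to max_size - buffer->size still bounds it, but an explicit guard or cast would make the intent clear. Likewise stream->params.period_bytes - buffer->size wraps if buffer->size ever exceeds period_bytes, so a comment is worth adding that the third MIN() is the one enforcing the buffer bound, and that max_size - buffer->size cannot wrap because of the buffer->size >= max_size check just above it.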
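The arithmetic that patches 16/44 and 17/44 change, modelled outside QEMU as an added example (not the project's code): it contrasts the pre-fix limits with the fixed ones and checks that payload plus status header still fits the guest descriptor. STATUS_SIZE, fill_rx_buffer(), fits_descriptor() and the callback sizes are assumptions constructed for the illustration, and the audio backend is assumed to deliver every byte requested.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: stand-in for sizeof(virtio_snd_pcm_status), two le32 fields. */
#define STATUS_SIZE ((size_t)8)
#define MIN_SZ(a, b) ((a) < (b) ? (a) : (b))

/* Constructed callback sequences: bytes the backend offers per callback. */
static const size_t ONE_BIG_CB[] = { 4096 };
static const size_t THREE_CBS[] = { 300, 300, 600 };

/*
 * Model of filling one guest RX buffer of desc_len bytes. With hardened set,
 * the header is reserved up front and each read is clamped to the remaining
 * payload capacity; without it, the limits are the pre-fix ones (whole
 * descriptor as capacity, read bounded only by period and availability).
 * Returns the number of payload bytes accepted into the buffer.
 */
static size_t fill_rx_buffer(size_t desc_len, size_t period_bytes,
                             const size_t *avail, size_t n_cb, bool hardened)
{
    size_t max_size = desc_len;  /* what iov_size() reports for the buffer */
    size_t filled = 0;           /* plays the role of buffer->size */

    if (hardened) {
        if (max_size <= STATUS_SIZE) {
            return 0;            /* header only, or less: hand back at once */
        }
        max_size -= STATUS_SIZE; /* capacity left for PCM payload */
    }

    for (size_t i = 0; i < n_cb; i++) {
        size_t available = avail[i];

        while (available > 0) {
            size_t to_read;

            if (filled >= max_size) {
                return filled;   /* buffer full: return it to the guest */
            }
            to_read = period_bytes - filled;
            to_read = MIN_SZ(to_read, available);
            if (hardened) {
                to_read = MIN_SZ(to_read, max_size - filled);
            }
            if (to_read == 0) {
                return filled;   /* nothing to read: stop, as on !size */
            }
            filled += to_read;
            available -= to_read;
            if (filled >= period_bytes) {
                return filled;   /* one full period captured */
            }
        }
    }
    return filled;
}

/* Invariant the fixes restore: payload and header both fit the descriptor. */
static bool fits_descriptor(size_t desc_len, size_t payload)
{
    return payload <= desc_len && desc_len - payload >= STATUS_SIZE;
}

int main(void)
{
    size_t before = fill_rx_buffer(1024, 4096, ONE_BIG_CB, 1, false);
    size_t after = fill_rx_buffer(1024, 4096, ONE_BIG_CB, 1, true);

    printf("pre-fix payload %zu fits=%d\n", before,
           fits_descriptor(1024, before));
    printf("fixed payload   %zu fits=%d\n", after,
           fits_descriptor(1024, after));
    return 0;
}
```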
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Kuan-Wei Chiu, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.0.9 18/44] hw/misc/virt_ctrl: Fix incorrect trace event in read operation
Date: Wed, 11 Mar 2026 18:01:50 +0300
Message-ID: <20260311150221.1084186-18-mjt@tls.msk.ru>

From: Kuan-Wei Chiu

The virt_ctrl_read() function currently invokes trace_virt_ctrl_write()
instead of trace_virt_ctrl_read(). This results in read operations
appearing as write operations in the trace output, which is misleading
during debugging and analysis.

Replace the incorrect trace call with the proper read-specific trace
event to accurately reflect the hardware behavior.

Fixes: 0791bc02b8fb ("m68k: add a system controller")
Signed-off-by: Kuan-Wei Chiu
Reviewed-by: Philippe Mathieu-Daudé
Message-ID: <20260111184915.1363318-1-visitorckw@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit 8608ed356ef90815cc5bcf04fcdbde987fd24bca)
Signed-off-by: Michael Tokarev

diff --git a/hw/misc/virt_ctrl.c b/hw/misc/virt_ctrl.c index a210a5924c..ee31b10210 100644 --- a/hw/misc/virt_ctrl.c +++ b/hw/misc/virt_ctrl.c
@@ -43,7 +43,7 @@ static uint64_t virt_ctrl_read(void *opaque, hwaddr addr,= unsigned size) break; } =20 - trace_virt_ctrl_write(s, addr, size, value); + trace_virt_ctrl_read(s, addr, size, value); =20 return value; } --=20 2.47.3
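Review bot: the replacement call in virt_ctrl_read() depends on a virt_ctrl_read trace event that this diff does not add, since only hw/misc/virt_ctrl.c is touched. For the stable backport, confirm that the 10.0 branch already declares that event with the same (s, addr, size, value) arguments in its trace-events file, otherwise the cherry-pick will not build.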
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Weixie Cui, Thomas Huth, Alistair Francis, Richard Henderson, Peter Maydell, Michael Tokarev
Subject: [Stable-10.0.9 19/44] hw/ssi/xilinx_spips: Reset TX FIFO in reset
Date: Wed, 11 Mar 2026 18:01:51 +0300
Message-ID: <20260311150221.1084186-19-mjt@tls.msk.ru>

From: Weixie Cui

In xilinx_spips_reset() and xlnx_zynqmp_qspips_reset() a cut and paste
error meant we reset the RX FIFO twice and the TX FIFO not at all.
Correct this to reset both FIFOs.

Cc: qemu-stable@nongnu.org
Signed-off-by: Weixie Cui
Reviewed-by: Thomas Huth
Reviewed-by: Alistair Francis
Reviewed-by: Richard Henderson
Message-id: 20260223095905.67709-1-cuiweixie@gmail.com
[Rewrote commit message]
Signed-off-by: Peter Maydell
(cherry picked from commit 669683cf1414ce442d2faea160dbc69747aef007)
Signed-off-by: Michael Tokarev

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index 60d092039f..1a51aeed91 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -369,7 +369,7 @@ static void xilinx_spips_reset(DeviceState *d) memset(s->regs, 0, sizeof(s->regs)); =20 fifo8_reset(&s->rx_fifo); - fifo8_reset(&s->rx_fifo); + fifo8_reset(&s->tx_fifo); /* non zero resets */ s->regs[R_CONFIG] |=3D MODEFAIL_GEN_EN; s->regs[R_SLAVE_IDLE_COUNT] =3D 0xFF;
@@ -397,7 +397,7 @@ static void xlnx_zynqmp_qspips_reset(DeviceState *d) memset(s->regs, 0, sizeof(s->regs)); =20 fifo8_reset(&s->rx_fifo_g); - fifo8_reset(&s->rx_fifo_g); + fifo8_reset(&s->tx_fifo_g); fifo32_reset(&s->fifo_g); s->regs[R_INTR_STATUS] =3D R_INTR_STATUS_RESET; s->regs[R_GPIO] =3D 1; --=20 2.47.3 From nobody Tue Apr 7 20:12:06 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773241476; cv=none; d=zohomail.com; s=zohoarc; b=WeqYTThS98YVMh05sZfekWG0EIy5aexceDOw7xaS2fKymyoaAuwTl6XdOTpj67l5ON5ce2+tY5J1ud/vovRWaZslPV8XmfGtler5Du+o787YeKbVXb/9lm48b8f0I2uJXLyXVfW3Jvg3ecFQU7SXMP/ISbcMx/2bIlYjk+v18AI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773241476; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=/r4aAOGephG2JhxOGXFc74Ur5FqRLjnxq5WwJRXe0UE=; b=fvAGYh8Jkfw0xC4TswqLRxGoCRP0NAxkRAYuDiceF87WHMgVFiX3E6SEzPpaffG+RCmTwVjmXyr2bruHu1SIlEyKgWgRDUVD/pbyExmSujHCS4l8KaksbOTGHMqaULxJSMQSvOscuvQej0u2B4XhqWMnQmyDxDvc7/jkQqjmI7w= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1773241476713245.34288023232455; Wed, 11 Mar 2026 08:04:36 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1w0L6b-0006Xc-H8; Wed, 11 Mar 2026 11:04:13 -0400 Received: from eggs.gnu.org 
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Alex=20Benn=C3=A9e?= , Gustavo Romero , Peter Maydell , Michael Tokarev Subject: [Stable-10.0.9 20/44] target/arm: set the correct TI bits for WFIT traps Date: Wed, 11 Mar 2026 18:01:52 +0300 Message-ID: <20260311150221.1084186-20-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -2 X-Spam_score: -0.3 X-Spam_bar: / X-Spam_report: (-0.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.819, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.903, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1773241477492158500 From: Alex Benn=C3=A9e The WFIT trap should be reported as 0b10. Cc: qemu-stable@nongnu.org Signed-off-by: Alex Benn=C3=A9e Reviewed-by: Gustavo Romero Message-id: 20260220171945.1065102-1-alex.bennee@linaro.org Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell (cherry picked from commit 662fd548a027c9362df71ebfc0c9cdd7b1f349fb) Signed-off-by: Michael Tokarev diff --git a/target/arm/tcg/op_helper.c b/target/arm/tcg/op_helper.c index 30786fd1ff..4e87b37a64 100644 
--- a/target/arm/tcg/op_helper.c +++ b/target/arm/tcg/op_helper.c 
@@ -447,7 +447,7 @@ void HELPER(wfit)(CPUARMState *env, uint64_t timeout) =20 if (target_el) { env->pc -=3D 4; - raise_exception(env, excp, syn_wfx(1, 0xe, 0, false), target_el); + raise_exception(env, excp, syn_wfx(1, 0xe, 2, false), target_el); } =20 if (uadd64_overflow(timeout, offset, &nexttick)) { --=20 2.47.3 From nobody Tue Apr 7 20:12:06 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773241544; cv=none; d=zohomail.com; s=zohoarc; b=aFzwTDq3yke5C7DcrBQILBTHW6Cg6AARvve8dCLlhY84dPUhcA1MHnviuQdoUx3DA0OGU/7pvn5mXE1VX5vlvmlNUHGtRIAtyIPy4v8JkuPcgnzgeP7wepudu5HM7nl3wktNTsIBRvcdvlL2Hqb0f76LBTufTjD5ut0fs7aHYGY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773241544; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=AQs7/4punjlP9TA6Q2iVY1apioyB9jmj7ZofebP76/A=; b=ceePsmwqkGX4wTAMUSJ+mKdNkLzW7+5f6K8iWROlNXdU78MRDD/VuzvVKnqCJp/QBh9y1AcBdpw2F8QsKyYBU/xx1nLLcsXrm/bZA5/9xTVHWD6W93FQrdSBlqzfAWb93a0wWrt/x1U4Reu3ELCqxVwMjfnVCawhzQgKUi6pCUs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1773241544332766.5824468865691; Wed, 11 Mar 2026 08:05:44 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1w0L7l-00004t-SN; Wed, 11 Mar 2026 11:05:26 -0400 Received: from eggs.gnu.org 
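Review bot: the third argument of syn_wfx() in HELPER(wfit) is now a bare 2, and only the commit message says it is the TI encoding 0b10 for WFIT. A short comment at the raise_exception() call, or named constants for the TI values, would make a wrong value such as the previous 0 easier to catch in review. A test that traps WFIT to target_el and checks the reported syndrome would cover it.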
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Richie Buturla , Christian Schoenebeck , Michael Tokarev Subject: [Stable-10.0.9 21/44] hw/9pfs: fix data race in v9fs_mark_fids_unreclaim() Date: Wed, 11 Mar 2026 18:01:53 +0300 Message-ID: <20260311150221.1084186-21-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -2 X-Spam_score: -0.3 X-Spam_bar: / X-Spam_report: (-0.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.819, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.903, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1773241546361154100 Content-Type: text/plain; charset="utf-8" 
From: Richie Buturla A data race between v9fs_mark_fids_unreclaim() and v9fs_path_copy() causes an inconsistent read of fidp->path. In v9fs_path_copy(), the path size is set before the data pointer is allocated, creating a window where size is non-zero but data is NULL. v9fs_co_open2() holds a write lock during path modifications, but v9fs_mark_fids_unreclaim() was not acquiring a read lock, allowing it to race. Fix by holding the path read lock during FID table iteration. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3300 Signed-off-by: Richie Buturla Link: https://lore.kernel.org/qemu-devel/20260211154450.254338-1-richie@lin= ux.ibm.com/ Fixes: 7a46274529 ("hw/9pfs: Add file descriptor reclaim support") Signed-off-by: Christian Schoenebeck (cherry picked from commit c96f6d2398a9dc068fa82088ea43020a52e2b26d) Signed-off-by: Michael Tokarev diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index 80b190ff5b..b1fcda574d 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -551,6 +551,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPD= U *pdu, V9fsPath *path) sizeof(V9fsFidState *), 1); gint i; =20 + v9fs_path_read_lock(s); g_hash_table_iter_init(&iter, s->fids); =20 /* 
@@ -571,6 +572,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPD= U *pdu, V9fsPath *path) g_array_append_val(to_reopen, fidp); } } + v9fs_path_unlock(s); =20 for (i =3D 0; i < to_reopen->len; i++) { fidp =3D g_array_index(to_reopen, V9fsFidState*, i); --=20 2.47.3 From nobody Tue Apr 7 20:12:06 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773241789; cv=none; d=zohomail.com; s=zohoarc; b=igY3dq8C0lzKoCkIvMGe/Gp7pG+Ijr5wIgVEpDk8PDkGhTgU9W3vRVRm1tvuWTYI1sQ/DpHZuPQWaD649tP3xwgDkG8hR8kyDREfRIcz5dgGuOWG5L63wFoB1knCF7HY/nXchETmIO99icO8JgRj7FtROr0+TuXeiXcO5wEAquc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773241789; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=CqF7xb8suB4C/na72qf41J+Kvoae38SUU2ZVh21FrVs=; b=FWtYPZ3oCeQtabAdBkjPTGeY6nWYKxaQ5qdWH9JCCgK0ApnvtG3FRj+5KZKIPse2OcAqcAM3GQwbpsyXXxgB+0ob6x0CyA6Has6I5IxRYGOy2xHE0+xB0pslhK3oUXEpB54qs+8Xrx9riA8fH9jR2PorjREyCJQMSJ0/YjTtEPc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1773241789086228.04033703429582; Wed, 11 Mar 2026 08:09:49 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1w0L7p-0000fn-1Z; Wed, 11 Mar 2026 11:05:29 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps 
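Review bot: in v9fs_mark_fids_unreclaim() the read lock is dropped right after the hash-table walk and before the "for (i = 0; i < to_reopen->len; i++)" loop, so the fidp entries collected in to_reopen are used there without the path lock. If only the walk needs protecting, say so in a comment next to v9fs_path_unlock(s). Since this is a coroutine_fn and the lines between the two hunks are not shown, please also confirm that nothing between v9fs_path_read_lock(s) and v9fs_path_unlock(s) can return early or yield with the lock held.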
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Christian Schoenebeck , Oliver Chang , Greg Kurz , Michael Tokarev Subject: [Stable-10.0.9 22/44] hw/9pfs: fix missing EOPNOTSUPP on Twstat and Trenameat for fs synth driver Date: Wed, 11 Mar 2026 18:01:54 +0300 Message-ID: <20260311150221.1084186-22-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -2 X-Spam_score: -0.3 X-Spam_bar: / X-Spam_report: (-0.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.819, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.903, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1773241790500154100 Content-Type: text/plain; charset="utf-8" 
From: Christian Schoenebeck Renaming files/dirs is only supported by path-based fs drivers. EOPNOTSUPP should be returned on any renaming attempt for not path-based fs drivers. This was already the case for 9p "Trename" request type. However for 9p request types "Trenameat" and "Twstat" this was yet missing. So fix this by checking in Twstat and Trenameat request handlers whether the fs driver in use is really path based, if not return EOPNOTSUPP and abort further handling of the request. This fixes a crash with the 9p "synth" fs driver which is not path-based. The crash happened because the synth driver stores and expects a raw V9fsSynthNode pointer instead of a C-string on V9fsPath.data. So the C-string delivered by 9p server to synth fs driver was incorrectly casted to a V9fsSynthNode pointer, eventually causing a segfault. Reported-by: Oliver Chang Fixes: https://issues.oss-fuzz.com/issues/477990727 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3298 Signed-off-by: Christian Schoenebeck Reviewed-by: Greg Kurz Link: https://lore.kernel.org/qemu-devel/E1vrbaP-000Gqb-B3@kylie.crudebyte.= com/ (cherry picked from commit b72d15f47cbd2fc93580f33fa86a7e23595a68dd) Signed-off-by: Michael Tokarev diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index b1fcda574d..74dbf95a63 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -3496,6 +3496,12 @@ static void coroutine_fn v9fs_renameat(void *opaque) goto out_err; } =20 + /* if fs driver is not path based, return EOPNOTSUPP */ + if (!(s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) { + err =3D -EOPNOTSUPP; + goto out_err; + } + v9fs_path_write_lock(s); err =3D v9fs_complete_renameat(pdu, olddirfid, &old_name, newdirfid, &new_name); 
@@ -3586,6 +3592,11 @@ static void coroutine_fn v9fs_wstat(void *opaque) } } if (v9stat.name.size !=3D 0) { + /* if fs driver is not path based, return EOPNOTSUPP */ + if (!(s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) { + err =3D -EOPNOTSUPP; + goto out; + } v9fs_path_write_lock(s); err =3D v9fs_complete_rename(pdu, fidp, -1, &v9stat.name); v9fs_path_unlock(s); --=20 2.47.3 From nobody Tue Apr 7 20:12:06 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773241597; cv=none; d=zohomail.com; s=zohoarc; b=WzuJFEryLPERpRNanqOpt6GIm6xmoc+265hvC/ROVU8D8vpazTS0FeIcLOhL0pSmA2r7W6uxoG6tLG4VRr/vda7d2jMRIpYRG/qN9JfHU9t6ugTvj1JYFUBHAAiuq6CkN5xDszEsqlKjSvEyR47VNNMH7jCfUBJMq12lZfM2CUE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773241597; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=iwEzFNKma+GOXMLyfZR575VxQYXNhtvsxOoSYp+PGKE=; b=LVbpHJYFm1Z8i5ofFVmzbY1/IAarlOcsuYGFg0mVNUYacsimRwF5+D/4ZnjRtay8Qwy/Vfqsn7QnUpOXaSsM+ThyveG/3znMcFDE8JdKoFfXTci8N7wOwzJjG0BwzWhIsBTOfhTetDKQKiQ5APgSH+NMWsPnI3CoSADk69A8gpw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1773241597545517.4338688960735; Wed, 11 Mar 2026 08:06:37 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1w0L8K-0002Nq-2c; 
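Review bot: the check on s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT is now open-coded in both v9fs_renameat() and v9fs_wstat(), and the commit message says Trename already has it as well. A small helper shared by all three rename paths would keep a future rename-style handler from missing it, which is how the synth driver came to treat a C string in V9fsPath.data as a V9fsSynthNode pointer. The two hunks also leave through different labels ("goto out_err" in v9fs_renameat, "goto out" in v9fs_wstat); please confirm each matches the cleanup its handler expects at that point.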
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, John Snow , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Alex=20Benn=C3=A9e?= , Michael Tokarev Subject: [Stable-10.0.9 23/44] tests/docker: upgrade most non-lcitool debian tests to debian 13 Date: Wed, 11 Mar 2026 18:01:55 +0300 Message-ID: <20260311150221.1084186-23-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -2 X-Spam_score: -0.3 X-Spam_bar: / X-Spam_report: (-0.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.819, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.903, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1773241599204154100 From: John Snow Debian 11 was EOL in 2024, and Debian 12 will be EOL this June. This patch moves all but one of our tests, debian-legacy-test-cross, onto Debian 13. This patch does the bare minimum to upgrade these tests and doesn't make any attempt at optimization or cleanup that may or may not be possible with this upgrade. 
Signed-off-by: John Snow Reviewed-by: Daniel P. Berrang=C3=A9 [AJB: tweak summary line] Message-ID: <20260226185303.1920021-2-alex.bennee@linaro.org> Signed-off-by: Alex Benn=C3=A9e (cherry picked from commit e2d4646a02689c8428f267e66ab422f04aa717ba) Signed-off-by: Michael Tokarev diff --git a/tests/docker/dockerfiles/debian-hexagon-cross.docker b/tests/d= ocker/dockerfiles/debian-hexagon-cross.docker index 23152b4918..91d4b71ac9 100644 --- a/tests/docker/dockerfiles/debian-hexagon-cross.docker +++ b/tests/docker/dockerfiles/debian-hexagon-cross.docker @@ -5,10 +5,12 @@ # needs to be able to build QEMU itself in CI we include its # build-deps. # -FROM docker.io/library/debian:11-slim +FROM docker.io/library/debian:13-slim + +# Add deb-src repository sources +RUN sed -i "s/^Types: deb$/Types: deb deb-src/" \ + /etc/apt/sources.list.d/debian.sources =20 -# Duplicate deb line as deb-src -RUN cat /etc/apt/sources.list | sed "s/^deb\ /deb-src /" >> /etc/apt/sourc= es.list RUN apt-get update && \ DEBIAN_FRONTEND=3Dnoninteractive apt install -yy eatmydata && \ DEBIAN_FRONTEND=3Dnoninteractive eatmydata \ @@ -24,6 +26,7 @@ RUN apt-get update && \ ninja-build \ python3-pip \ python3-setuptools \ + python3-tomli \ python3-venv \ python3-wheel && \ # Install QEMU build deps for use in CI @@ -36,8 +39,6 @@ RUN apt-get update && \ ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc && \ dpkg-query --showformat '${Package}_${Version}_${Architecture}\n' --sh= ow > /packages.txt =20 -RUN /usr/bin/pip3 install tomli - ENV TOOLCHAIN_INSTALL /opt ENV TOOLCHAIN_RELEASE 12.Dec.2023 ENV TOOLCHAIN_BASENAME "clang+llvm-${TOOLCHAIN_RELEASE}-cross-hexagon-unkn= own-linux-musl" diff --git a/tests/docker/dockerfiles/debian-loongarch-cross.docker b/tests= /docker/dockerfiles/debian-loongarch-cross.docker index 538ab53490..55b3dbe451 100644 --- a/tests/docker/dockerfiles/debian-loongarch-cross.docker +++ b/tests/docker/dockerfiles/debian-loongarch-cross.docker 
@@ -4,10 +4,11 @@ # This docker target uses prebuilt toolchains for LoongArch64 from: # https://github.com/loongson/build-tools/releases # -FROM docker.io/library/debian:11-slim +FROM docker.io/library/debian:13-slim =20 -# Duplicate deb line as deb-src -RUN cat /etc/apt/sources.list | sed "s/^deb\ /deb-src /" >> /etc/apt/sourc= es.list +# Add deb-src repository sources +RUN sed -i "s/^Types: deb$/Types: deb deb-src/" \ + /etc/apt/sources.list.d/debian.sources =20 RUN export DEBIAN_FRONTEND=3Dnoninteractive && \ apt-get update && \ @@ -31,12 +32,11 @@ RUN apt-get update && \ ninja-build \ python3-pip \ python3-setuptools \ + python3-tomli \ python3-venv \ python3-wheel && \ dpkg-query --showformat '${Package}_${Version}_${Architecture}\n' = --show > /packages.txt =20 -RUN /usr/bin/pip3 install tomli - RUN curl -#SL https://github.com/loongson/build-tools/releases/download/20= 23.08.08/CLFS-loongarch64-8.1-x86_64-cross-tools-gcc-glibc.tar.xz \ | tar -xJC /opt =20 diff --git a/tests/docker/dockerfiles/debian-toolchain.docker b/tests/docke= r/dockerfiles/debian-toolchain.docker index ab4ce29533..9a256209a7 100644 --- a/tests/docker/dockerfiles/debian-toolchain.docker +++ b/tests/docker/dockerfiles/debian-toolchain.docker @@ -4,13 +4,15 @@ # This dockerfile is used for building a cross-compiler toolchain. # The script for building the toolchain is supplied via extra-files. # -FROM docker.io/library/debian:11-slim +FROM docker.io/library/debian:13-slim =20 # Install build utilities for building gcc and glibc. # ??? The build-dep isn't working, missing a number of # minimal build dependiencies, e.g. libmpc. =20 -RUN sed 's/^deb /deb-src /' /etc/apt/sources.list.= d/deb-src.list +# Add deb-src repository sources +RUN sed -i "s/^Types: deb$/Types: deb deb-src/" \ + /etc/apt/sources.list.d/debian.sources =20 RUN apt update && \ DEBIAN_FRONTEND=3Dnoninteractive apt install -yy eatmydata && \ 
@@ -34,7 +36,7 @@ RUN cd /root && ./build-toolchain.sh # Throw away the extra toolchain build deps, the downloaded source, # and the build trees by restoring the original image, # then copying the built toolchain from stage 0. -FROM docker.io/library/debian:11-slim +FROM docker.io/library/debian:13-slim RUN apt update && \ DEBIAN_FRONTEND=3Dnoninteractive apt install -yy eatmydata && \ DEBIAN_FRONTEND=3Dnoninteractive eatmydata \ diff --git a/tests/docker/dockerfiles/debian-tricore-cross.docker b/tests/d= ocker/dockerfiles/debian-tricore-cross.docker index 7e00e870ce..fd797dc7ee 100644 --- a/tests/docker/dockerfiles/debian-tricore-cross.docker +++ b/tests/docker/dockerfiles/debian-tricore-cross.docker @@ -9,7 +9,7 @@ # # SPDX-License-Identifier: GPL-2.0-or-later # -FROM docker.io/library/debian:11-slim +FROM docker.io/library/debian:13-slim =20 RUN apt update && \ DEBIAN_FRONTEND=3Dnoninteractive apt install -yy eatmydata && \ @@ -31,12 +31,11 @@ RUN apt update && \ pkgconf \ python3-pip \ python3-setuptools \ + python3-tomli \ python3-wheel \ python3-venv && \ dpkg-query --showformat '${Package}_${Version}_${Architecture}\n' -= -show > /packages.txt =20 -RUN /usr/bin/pip3 install tomli - RUN curl -#SL https://github.com/bkoppelmann/package_940/releases/download= /tricore-toolchain-9.40/tricore-toolchain-9.4.0.tar.gz \ | tar -xzC /usr/local/ =20 diff --git a/tests/docker/dockerfiles/debian-xtensa-cross.docker b/tests/do= cker/dockerfiles/debian-xtensa-cross.docker index d011eee2ad..ef63e44e2e 100644 --- a/tests/docker/dockerfiles/debian-xtensa-cross.docker +++ b/tests/docker/dockerfiles/debian-xtensa-cross.docker 
@@ -5,7 +5,7 @@ # using a prebuilt toolchains for Xtensa cores from: # https://github.com/foss-xtensa/toolchain/releases # -FROM docker.io/library/debian:11-slim +FROM docker.io/library/debian:13-slim =20 RUN apt-get update && \ DEBIAN_FRONTEND=3Dnoninteractive apt install -yy eatmydata && \ --=20 2.47.3 From nobody Tue Apr 7 20:12:06 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773241664; cv=none; d=zohomail.com; s=zohoarc; b=ZSSfDZ0dgGy0CIYz27pIqXQOiJVsT1tEoPnWSe3E36FYbzoC5XtX2kncIoZKqzvg9M9Rngo+yfc0dJjgdSIPS7QB4DiELOwE1DFeTHcNr0nuOoVfzPGDNGItuzm6rMGzpmnANSkLPyfDfV5zhyoX3ng1MwyyVGdAmLAHDbhpaSQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773241664; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=14isuQQmLo8BsaEONaM0npHhTo5SRytuu0uFfCjdvDc=; b=XUKgEmm+o7oXFNeDirD2UOYmYjyzbnQFo8A4aU00hFZceb5tYpHIG/znFrqejDNt5W32X6AqpU1E7q04IsB7IGexYN70YRFlMhy1jDh+3tOtAD+eul+1C7U6wbJWEv3XAcSmgKRxUiRo8QlHaVjcAdIyyLXQd3/JciliCbrRnWU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1773241664318664.6085458925609; Wed, 11 Mar 2026 08:07:44 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1w0L8Y-00035Z-Gi; Wed, 11 Mar 2026 11:06:18 -0400 Received: from eggs.gnu.org 
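Review bot: the new sed -i step on /etc/apt/sources.list.d/debian.sources in the hexagon, loongarch and toolchain Dockerfiles exits successfully even when the "^Types: deb$" pattern matches nothing, so a base image whose debian.sources is laid out differently would build silently without deb-src. Follow the sed with a grep -q for "deb-src" on the same file in the same RUN so the image build fails at that step. Also note that python3-tomli replaces "pip3 install tomli" in the hexagon, loongarch and tricore files, while the visible xtensa hunk changes only the FROM line; worth confirming xtensa needs nothing more.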
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Josh Poimboeuf , Justin Forbes , Alexey Makhalov , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Paolo Bonzini , Michael Tokarev Subject: [Stable-10.0.9 24/44] hw/i386/vmmouse: Fix hypercall clobbers Date: Wed, 11 Mar 2026 18:01:56 +0300 Message-ID: <20260311150221.1084186-24-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -2 X-Spam_score: -0.3 X-Spam_bar: / X-Spam_report: (-0.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.819, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.903, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1773241665333158500 
From: Josh Poimboeuf Fedora QA reported the following kernel panic: BUG: unable to handle page fault for address: 0000000040003e54 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 1082ec067 P4D 0 Oops: Oops: 0002 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.19.0-0.rc4.260108gf0b9= d8eb98df.34.fc43.x86_64 #1 PREEMPT(lazy) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20251119-3.= fc43 11/19/2025 RIP: 0010:vmware_hypercall4.constprop.0+0x52/0x90 Code: 48 83 c4 20 5b e9 69 f0 fc fe 8b 05 a0 c1 b2 01 85 c0 74 23 b8 68 5= 8 4d 56 b9 27 00 00 00 31 d2 bb 04 00 00 00 66 ba 58 56 ed <89> 1f 89 0e 41= 89 10 5b e9 3c f0 fc fe 6a 00 49 89 f9 45 31 c0 31 RSP: 0018:ff5eeb3240003e40 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 000000000000ffca RCX: 000000000000ffac RDX: 0000000000000000 RSI: 0000000040003e58 RDI: 0000000040003e54 RBP: ff1e05f3c1204800 R08: ff5eeb3240003e5c R09: 000000009d899c41 R10: 000000000000003d R11: ff5eeb3240003ff8 R12: 0000000000000000 R13: 00000000000000ff R14: ff1e05f3c02f9e00 R15: 000000000000000c FS: 0000000000000000(0000) GS:ff1e05f489e40000(0000) knlGS:0000000000000= 000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000040003e54 CR3: 000000010841d002 CR4: 0000000000771ef0 PKRU: 55555554 Call Trace: vmmouse_report_events+0x13e/0x1b0 psmouse_handle_byte+0x15/0x60 ps2_interrupt+0x8a/0xd0 ... It was triggered by dereferencing a bad pointer (RDI) immediately after a VMware hypercall for VMWARE_CMD_ABSPOINTER_DATA in the vmmouse driver: ffffffff82135070 : ... 
  ffffffff821350ac: b8 68 58 4d 56    mov $0x564d5868,%eax
  ffffffff821350b1: b9 27 00 00 00    mov $0x27,%ecx
  ffffffff821350b6: 31 d2             xor %edx,%edx
  ffffffff821350b8: bb 04 00 00 00    mov $0x4,%ebx
  ffffffff821350bd: 66 ba 58 56       mov $0x5658,%dx
  ffffffff821350c1: ed                in (%dx),%eax     <-- hypercall
  ffffffff821350c2: 89 1f             mov %ebx,(%rdi)   <-- crash

Reading the kernel disassembly shows that RDI should contain the value
of a valid kernel stack address here (0xff5eeb3240003e54). Instead it
contains 0x40003e54, suggesting the hypervisor cleared the upper 32
bits.

And indeed, Alexey discovered that QEMU's vmmouse_get_data() and
vmmouse_set_data() are only saving/restoring the lower 32 bits, while
clearing the upper 32. Fix that by changing the type of the saved data
array from uint32_t to uint64_t.

Fixes: 548df2acc6fc ("VMMouse Emulation, by Anthony Liguori.")
Reported-by: Justin Forbes
Debugged-by: Alexey Makhalov
Signed-off-by: Josh Poimboeuf
Link: https://lore.kernel.org/r/c508fc1d4a4ccd8c9fb1e51b71df089e31115a53.1770309998.git.jpoimboe@kernel.org
Reviewed-by: Philippe Mathieu-Daudé
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3293
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini
(cherry picked from commit 48c8916aec4319efc60324d9d971831a8a1d6350)
Signed-off-by: Michael Tokarev

diff --git a/hw/i386/vmmouse.c b/hw/i386/vmmouse.c index 3e07d12512..388d493fe9 100644 --- a/hw/i386/vmmouse.c +++ b/hw/i386/vmmouse.c @@ -72,7 +72,7 @@ struct VMMouseState { ISAKBDState *i8042; }; =20 -static void vmmouse_get_data(uint32_t *data) +static void vmmouse_get_data(uint64_t *data) { X86CPU *cpu =3D X86_CPU(current_cpu); CPUX86State *env =3D &cpu->env; @@ -82,7 +82,7 @@ static void vmmouse_get_data(uint32_t *data) data[4] =3D env->regs[R_ESI]; data[5] =3D env->regs[R_EDI]; } =20 -static void vmmouse_set_data(const uint32_t *data) +static void vmmouse_set_data(const uint64_t *data) { X86CPU *cpu =3D X86_CPU(current_cpu); CPUX86State *env =3D &cpu->env; 
@@ -197,7 +197,7 @@ static void vmmouse_disable(VMMouseState *s) vmmouse_remove_handler(s); } =20 -static void vmmouse_data(VMMouseState *s, uint32_t *data, uint32_t size) +static void vmmouse_data(VMMouseState *s, uint64_t *data, uint32_t size) { int i; =20 @@ -221,7 +221,7 @@ static void vmmouse_data(VMMouseState *s, uint32_t *dat= a, uint32_t size) static uint32_t vmmouse_ioport_read(void *opaque, uint32_t addr) { VMMouseState *s =3D opaque; - uint32_t data[6]; + uint64_t data[6]; uint16_t command; =20 vmmouse_get_data(data); 
@@ -247,7 +247,7 @@ static uint32_t vmmouse_ioport_read(void *opaque, uint3= 2_t addr) vmmouse_request_absolute(s); break; default: - printf("vmmouse: unknown command %x\n", data[1]); + printf("vmmouse: unknown command %" PRIx64 "\n", data[1]); break; } break; --=20 2.47.3
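Review bot: in the last hunk of hw/i386/vmmouse.c (the default: case in vmmouse_ioport_read), data[1] is now the full 64-bit register, so if the enclosing switch dispatches on data[1], as the "unknown command" message suggests, a guest that leaves stale upper bits in RBX would no longer match any case and would end up here, where the truncated value used to match. Consider decoding the command from the low 32 bits, for example (uint32_t)data[1], and keeping the 64-bit array purely for the save and restore in vmmouse_get_data() and vmmouse_set_data(). Since this message is guest-triggerable, it would also be better routed through qemu_log_mask(LOG_GUEST_ERROR, ...) than a bare printf.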
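The clobber described in the commit message of patch 24/44, reduced to a stand-alone model (an added example, not QEMU code): guest registers are saved to a scratch array and written back around a backdoor call, once through uint32_t and once through uint64_t, and a checker reports registers that changed although the command never wrote them. GuestCpu, backdoor_u32(), backdoor_u64(), clobbered(), the RESULT values and the starting RSI value are assumptions made for the illustration; the RDI value and the EAX/EBX/ECX/DX inputs are the ones quoted in the message.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the six registers the backdoor handler touches. */
enum { R_EAX, R_EBX, R_ECX, R_EDX, R_ESI, R_EDI, NREGS };

typedef struct {
    uint64_t regs[NREGS];   /* hypothetical stand-in for the guest CPU state */
} GuestCpu;

/* The modelled command returns its result in EAX..EDX only (constructed). */
#define WRITTEN_MASK 0x0fu
static const uint32_t RESULT[4] = { 0x0u, 0x1234u, 0x5678u, 0x0u };

/* Pre-fix shape: the scratch array is 32 bits wide. */
static void backdoor_u32(GuestCpu *cpu)
{
    uint32_t data[NREGS];
    int i;

    for (i = 0; i < NREGS; i++) {
        data[i] = (uint32_t)cpu->regs[i];   /* save drops bits 63..32 */
    }
    for (i = 0; i < 4; i++) {
        data[i] = RESULT[i];                /* command result */
    }
    for (i = 0; i < NREGS; i++) {
        cpu->regs[i] = data[i];             /* restore zero-extends */
    }
}

/* Post-fix shape: the scratch array is as wide as the registers. */
static void backdoor_u64(GuestCpu *cpu)
{
    uint64_t data[NREGS];
    int i;

    for (i = 0; i < NREGS; i++) {
        data[i] = cpu->regs[i];
    }
    for (i = 0; i < 4; i++) {
        data[i] = RESULT[i];
    }
    for (i = 0; i < NREGS; i++) {
        cpu->regs[i] = data[i];
    }
}

/* Bitmask of registers the command did not write but that changed anyway. */
static unsigned clobbered(const GuestCpu *before, const GuestCpu *after)
{
    unsigned mask = 0;
    int i;

    for (i = 0; i < NREGS; i++) {
        if (!(WRITTEN_MASK & (1u << i)) && before->regs[i] != after->regs[i]) {
            mask |= 1u << i;
        }
    }
    return mask;
}

static GuestCpu sample_guest(void)
{
    GuestCpu cpu = { { 0x564d5868u, 0x4u, 0x27u, 0x5658u,
                       0xff5eeb3240003e58ULL,       /* RSI: constructed */
                       0xff5eeb3240003e54ULL } };   /* RDI: from the message */
    return cpu;
}

static unsigned clobber_mask(void (*backdoor)(GuestCpu *))
{
    GuestCpu before = sample_guest(), after = before;

    backdoor(&after);
    return clobbered(&before, &after);
}

static uint64_t rdi_after(void (*backdoor)(GuestCpu *))
{
    GuestCpu cpu = sample_guest();

    backdoor(&cpu);
    return cpu.regs[R_EDI];
}

int main(void)
{
    printf("u32 scratch: clobber mask 0x%x, RDI 0x%llx\n",
           clobber_mask(backdoor_u32),
           (unsigned long long)rdi_after(backdoor_u32));
    printf("u64 scratch: clobber mask 0x%x, RDI 0x%llx\n",
           clobber_mask(backdoor_u64),
           (unsigned long long)rdi_after(backdoor_u64));
    return 0;
}
```

The same before/after comparison works as a regression check for any emulated hypercall path: list the registers the command is documented to return and flag every other register that differs.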
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Bernhard Beschow, Mohamed Mediouni, Philippe Mathieu-Daudé, "Wei Liu (Microsoft)", Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.0.9 25/44] target/i386/hvf/x86_mmu: Fix compiler warning
Date: Wed, 11 Mar 2026 18:01:57 +0300
Message-ID: <20260311150221.1084186-25-mjt@tls.msk.ru>
From: Bernhard Beschow

When reusing the code in WHPX, GCC emits the following warning when
compiling for i386-softmmu under MSYS2:

  In file included from ../src/target/i386/emulate/x86_mmu.c:20:
  ../src/target/i386/emulate/x86_mmu.c: In function 'vmx_write_mem':
  ../src/target/i386/emulate/x86_mmu.c:251:25: error: format '%llx' expects argument of type 'long long unsigned int', but argument 3 has type 'target_ulong' {aka 'unsigned int'} [-Werror=format=]
    251 |             VM_PANIC_EX("%s: mmu_gva_to_gpa %llx failed\n", __func__, gva);
        |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~            ~~~
        |                                                                       |
        |                                                                       target_ulong {aka unsigned int}
  ../src/target/i386/emulate/panic.h:34:12: note: in definition of macro 'VM_PANIC_EX'
     34 |     printf(__VA_ARGS__); \
        |            ^~~~~~~~~~~
  ../src/target/i386/emulate/x86_mmu.c:251:48: note: format string is defined here
    251 |             VM_PANIC_EX("%s: mmu_gva_to_gpa %llx failed\n", __func__, gva);
        |                                                 ~~~^
        |                                                    |
        |                                                    long long unsigned int
        |                                                 %x

Fix the warning by reusing the target-specific macro TARGET_FMT_lx
which exists for this exact purpose.

Fixes: c97d6d2cdf97 ("i386: hvf: add code base from Google's QEMU repository")
cc: qemu-stable
Signed-off-by: Bernhard Beschow
Reviewed-by: Mohamed Mediouni
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Wei Liu (Microsoft)
Link: https://lore.kernel.org/r/20260223233950.96076-3-mohamed@unpredictable.fr
Signed-off-by: Paolo Bonzini
(cherry picked from commit 529e5e7643078e19d65e694f51cad64be49090ab)
Signed-off-by: Michael Tokarev

diff --git a/target/i386/hvf/x86_mmu.c b/target/i386/hvf/x86_mmu.c index 579d0c3a4c..e0d39737ea 100644 --- a/target/i386/hvf/x86_mmu.c +++ b/target/i386/hvf/x86_mmu.c 
@@ -244,7 +244,8 @@ void vmx_write_mem(CPUState *cpu, target_ulong gva, voi= d *data, int bytes) int copy =3D MIN(bytes, 0x1000 - (gva & 0xfff)); =20 if (!mmu_gva_to_gpa(cpu, gva, &gpa)) { - VM_PANIC_EX("%s: mmu_gva_to_gpa %llx failed\n", __func__, gva); + VM_PANIC_EX("%s: mmu_gva_to_gpa " TARGET_FMT_lx " failed\n", + __func__, gva); } else { address_space_write(&address_space_memory, gpa, MEMTXATTRS_UNSPECIFIED, data, copy); 
@@ -265,7 +266,8 @@ void vmx_read_mem(CPUState *cpu, void *data, target_ulo= ng gva, int bytes) int copy =3D MIN(bytes, 0x1000 - (gva & 0xfff)); =20 if (!mmu_gva_to_gpa(cpu, gva, &gpa)) { - VM_PANIC_EX("%s: mmu_gva_to_gpa %llx failed\n", __func__, gva); + VM_PANIC_EX("%s: mmu_gva_to_gpa " TARGET_FMT_lx " failed\n", + __func__, gva); } address_space_read(&address_space_memory, gpa, MEMTXATTRS_UNSPECIF= IED, data, copy); --=20 2.47.3
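Review bot: in the vmx_read_mem hunk of target/i386/hvf/x86_mmu.c the failed-translation branch has no else, so address_space_read() is still reached with gpa after mmu_gva_to_gpa() returned false, whereas the vmx_write_mem hunk keeps address_space_write() in the else branch. Unless VM_PANIC_EX is guaranteed not to return, gpa can be used unset on this path; while touching these lines, either mirror the else from vmx_write_mem or add a comment stating that VM_PANIC_EX aborts.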
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel P. Berrangé, Marc-André Lureau, Michael Tokarev
Subject: [Stable-10.0.9 26/44] io: separate freeing of tasks from marking them as complete
Date: Wed, 11 Mar 2026 18:01:58 +0300
Message-ID: <20260311150221.1084186-26-mjt@tls.msk.ru>
From: Daniel P. Berrangé

The original design of QIOTask was intended to simplify lifecycle
management by automatically freeing it when the task was marked as
complete. This overlooked the fact that when a QIOTask is used in
combination with a GSource, there may be times when the source
callback is never invoked. This is typically when a GSource is
released before any I/O event arrives. In such cases it is not
desirable to mark a QIOTask as complete, but it still needs to be
freed. To satisfy this, the task must be released manually.

Reviewed-by: Marc-André Lureau
Signed-off-by: Daniel P. Berrangé
(cherry picked from commit 403d3a5f4a2d86bfe1f1f33aa337f2eb3a71182b)
Signed-off-by: Michael Tokarev

diff --git a/include/io/task.h b/include/io/task.h index 0b5342ee84..98847f5994 100644 --- a/include/io/task.h +++ b/include/io/task.h @@ -96,7 +96,7 @@ typedef void (*QIOTaskWorker)(QIOTask *task, * 1000, * myobject_operation_timer, * task, - * NULL); + * qio_task_free); * } * * @@ -138,9 +138,8 @@ typedef void (*QIOTaskWorker)(QIOTask *task, * the callback func 'myobject_operation_notify' shown * earlier to deal with the results. * - * Once this function returns false, object_unref will be called - * automatically on the task causing it to be released and the - * ref on QMyObject dropped too. + * Once this function returns FALSE, the task will be freed, + * causing it release the ref on QMyObject too. * * The QIOTask module can also be used to perform operations * in a background thread context, while still reporting the @@ -208,8 +207,8 @@ typedef void (*QIOTaskWorker)(QIOTask *task, * 'err' attribute in the task object to determine if * the operation was successful or not. * - * The returned task will be released when qio_task_complete() - * is invoked. + * The returned task must be released by calling + * qio_task_free() when no longer required. * * Returns: the task struct */ 
@@ -218,6 +217,19 @@ QIOTask *qio_task_new(Object *source, gpointer opaque, GDestroyNotify destroy); =20 +/** + * qio_task_free: + * task: the task object to free + * + * Free the resources associated with the task. Typically + * the qio_task_complete() method will be called immediately + * before this to trigger the task callback, however, it is + * permissible to free the task in the case of cancellation. + * The destroy callback will be used to release the opaque + * data provided to qio_task_new(). + */ +void qio_task_free(QIOTask *task); + /** * qio_task_run_in_thread: * @task: the task struct @@ -268,8 +280,9 @@ void qio_task_wait_thread(QIOTask *task); * qio_task_complete: * @task: the task struct * - * Invoke the completion callback for @task and - * then free its memory. + * Invoke the completion callback for @task. This should typically + * only be invoked once on a task, and then qio_task_free() used + * to free it. */ void qio_task_complete(QIOTask *task); =20 diff --git a/io/channel-tls.c b/io/channel-tls.c index f8b03aa63c..919bbf10dd 100644 --- a/io/channel-tls.c +++ b/io/channel-tls.c @@ -170,6 +170,7 @@ static void qio_channel_tls_handshake_task(QIOChannelTL= S *ioc, trace_qio_channel_tls_handshake_fail(ioc); qio_task_set_error(task, err); qio_task_complete(task); + qio_task_free(task); return; } =20 @@ -183,6 +184,7 @@ static void qio_channel_tls_handshake_task(QIOChannelTL= S *ioc, trace_qio_channel_tls_credentials_allow(ioc); } qio_task_complete(task); + qio_task_free(task); } else { GIOCondition condition; QIOChannelTLSData *data =3D g_new0(typeof(*data), 1); @@ -265,11 +267,13 @@ static void qio_channel_tls_bye_task(QIOChannelTLS *i= oc, QIOTask *task, trace_qio_channel_tls_bye_fail(ioc); qio_task_set_error(task, err); qio_task_complete(task); + qio_task_free(task); return; } =20 if (status =3D=3D QCRYPTO_TLS_BYE_COMPLETE) { qio_task_complete(task); + qio_task_free(task); return; } =20 
diff --git a/io/channel-websock.c b/io/channel-websock.c index 7f8eded4ff..1cd3a1e45d 100644 --- a/io/channel-websock.c +++ b/io/channel-websock.c @@ -545,6 +545,7 @@ static gboolean qio_channel_websock_handshake_send(QIOC= hannel *ioc, trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err= )); qio_task_set_error(task, err); qio_task_complete(task); + qio_task_free(task); wioc->hs_io_tag =3D 0; return FALSE; } @@ -561,6 +562,7 @@ static gboolean qio_channel_websock_handshake_send(QIOC= hannel *ioc, trace_qio_channel_websock_handshake_complete(ioc); qio_task_complete(task); } + qio_task_free(task); wioc->hs_io_tag =3D 0; return FALSE; } @@ -588,6 +590,7 @@ static gboolean qio_channel_websock_handshake_io(QIOCha= nnel *ioc, trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err= )); qio_task_set_error(task, err); qio_task_complete(task); + qio_task_free(task); wioc->hs_io_tag =3D 0; return FALSE; } diff --git a/io/task.c b/io/task.c index 451f26f8b4..331febd4e1 100644 --- a/io/task.c +++ b/io/task.c @@ -70,8 +70,12 @@ QIOTask *qio_task_new(Object *source, return task; } =20 -static void qio_task_free(QIOTask *task) +void qio_task_free(QIOTask *task) { + if (!task) { + return; + } + qemu_mutex_lock(&task->thread_lock); if (task->thread) { if (task->thread->destroy) { @@ -110,6 +114,7 @@ static gboolean qio_task_thread_result(gpointer opaque) =20 trace_qio_task_thread_result(task); qio_task_complete(task); + qio_task_free(task); =20 return FALSE; } @@ -196,7 +201,6 @@ void qio_task_complete(QIOTask *task) { task->func(task, task->opaque); trace_qio_task_complete(task); - qio_task_free(task); } =20 =20 diff --git a/tests/unit/test-io-task.c b/tests/unit/test-io-task.c index 115dba8970..b1c8ecb7ab 100644 --- a/tests/unit/test-io-task.c +++ b/tests/unit/test-io-task.c @@ -73,6 +73,7 @@ static void test_task_complete(void) src =3D qio_task_get_source(task); =20 qio_task_complete(task); + qio_task_free(task); =20 g_assert(obj =3D=3D src); =20 
@@ -84,6 +85,28 @@ static void test_task_complete(void) } =20 =20 +static void test_task_cancel(void) +{ + QIOTask *task; + Object *obj =3D object_new(TYPE_DUMMY); + Object *src; + struct TestTaskData data =3D { NULL, NULL, false }; + + task =3D qio_task_new(obj, task_callback, &data, NULL); + src =3D qio_task_get_source(task); + + qio_task_free(task); + + g_assert(obj =3D=3D src); + + object_unref(obj); + + g_assert(data.source =3D=3D NULL); + g_assert(data.err =3D=3D NULL); + g_assert(data.freed =3D=3D false); +} + + static void task_data_free(gpointer opaque) { struct TestTaskData *data =3D opaque; @@ -101,6 +124,7 @@ static void test_task_data_free(void) task =3D qio_task_new(obj, task_callback, &data, task_data_free); =20 qio_task_complete(task); + qio_task_free(task); =20 object_unref(obj); =20 @@ -123,6 +147,7 @@ static void test_task_failure(void) =20 qio_task_set_error(task, err); qio_task_complete(task); + qio_task_free(task); =20 object_unref(obj); =20 
@@ -260,6 +285,7 @@ int main(int argc, char **argv) module_call_init(MODULE_INIT_QOM); type_register_static(&dummy_info); g_test_add_func("/crypto/task/complete", test_task_complete); + g_test_add_func("/crypto/task/cancel", test_task_cancel); g_test_add_func("/crypto/task/datafree", test_task_data_free); g_test_add_func("/crypto/task/failure", test_task_failure); g_test_add_func("/crypto/task/thread_complete", test_task_thread_compl= ete); --=20 2.47.3
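Review bot: two documentation slips in the include/io/task.h hunks of patch 26/44: the new qio_task_free() comment writes "task: the task object to free" without the "@" used by the neighbouring "@task:" entries, and the rewritten timer text reads "causing it release the ref on QMyObject too", which is missing "to". Because qio_task_complete() no longer frees, the qio_task_complete() comment could also state outright that a completed task which is never passed to qio_task_free() is leaked, rather than only that free "should typically" follow.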
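Review bot: test_task_cancel in tests/unit/test-io-task.c passes NULL as the destroy callback to qio_task_new(), so g_assert(data.freed == false) cannot fail and the cancellation path of the destroy notifier, which the new qio_task_free() comment says will release the opaque data, is never exercised. A second cancel case that passes task_data_free, as test_task_data_free does, and asserts that data.freed is set while data.source stays NULL would cover the behaviour this patch is introducing.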
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel P. Berrangé, Marc-André Lureau, Michael Tokarev
Subject: [Stable-10.0.9 27/44] io: fix cleanup for TLS I/O source data on cancellation
Date: Wed, 11 Mar 2026 18:01:59 +0300
Message-ID: <20260311150221.1084186-27-mjt@tls.msk.ru>
From: Daniel P. Berrangé

The TLS code will create a GSource for tracking completion of the
handshake process, passing a QIOChannelTLSData struct that contains
various data items. The data struct is freed by the callback when it
completes, which means when a source is cancelled, nothing is free'ing
the data struct or its contents.

Switch to provide a data free callback to the GSource, which ensures
the QIOChannelTLSData struct is always freed even when the main event
callback never fires.

Fixes: https://gitlab.com/qemu-project/qemu/-/issues/3114
Reviewed-by: Marc-André Lureau
Signed-off-by: Daniel P. Berrangé
(cherry picked from commit d39d0f3acdd7c1bb275db7e97b511f98254ecd9f)
Signed-off-by: Michael Tokarev

diff --git a/io/channel-tls.c b/io/channel-tls.c index 919bbf10dd..329ef6759f 100644 --- a/io/channel-tls.c +++ b/io/channel-tls.c @@ -153,13 +153,32 @@ struct QIOChannelTLSData { }; typedef struct QIOChannelTLSData QIOChannelTLSData; =20 +static void qio_channel_tls_io_data_free(gpointer user_data) +{ + QIOChannelTLSData *data =3D user_data; + /* + * Usually 'task' will be NULL since the GSource + * callback will either complete the task or pass + * it on to a new GSource. We'll see a non-NULL + * task here only if the GSource was released before + * its callback triggers + */ + if (data->task) { + qio_task_free(data->task); + } + if (data->context) { + g_main_context_unref(data->context); + } + g_free(data); +} + static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc, GIOCondition condition, gpointer user_data); =20 -static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc, - QIOTask *task, - GMainContext *context) +static gboolean qio_channel_tls_handshake_task(QIOChannelTLS *ioc, + QIOTask *task, + GMainContext *context) { Error *err =3D NULL; int status; 
@@ -170,8 +189,7 @@ static void qio_channel_tls_handshake_task(QIOChannelTL= S *ioc, trace_qio_channel_tls_handshake_fail(ioc); qio_task_set_error(task, err); qio_task_complete(task); - qio_task_free(task); - return; + return TRUE; } =20 if (status =3D=3D QCRYPTO_TLS_HANDSHAKE_COMPLETE) { @@ -184,7 +202,7 @@ static void qio_channel_tls_handshake_task(QIOChannelTL= S *ioc, trace_qio_channel_tls_credentials_allow(ioc); } qio_task_complete(task); - qio_task_free(task); + return TRUE; } else { GIOCondition condition; QIOChannelTLSData *data =3D g_new0(typeof(*data), 1); @@ -208,8 +226,9 @@ static void qio_channel_tls_handshake_task(QIOChannelTL= S *ioc, condition, qio_channel_tls_handshake_io, data, - NULL, + qio_channel_tls_io_data_free, context); + return FALSE; } } =20 @@ -225,11 +244,9 @@ static gboolean qio_channel_tls_handshake_io(QIOChanne= l *ioc, qio_task_get_source(task)); =20 tioc->hs_ioc_tag =3D 0; - g_free(data); - qio_channel_tls_handshake_task(tioc, task, context); - - if (context) { - g_main_context_unref(context); + if (!qio_channel_tls_handshake_task(tioc, task, context)) { + /* task is kept by new GSource so must not be released yet */ + data->task =3D NULL; } =20 return FALSE; @@ -247,14 +264,16 @@ void qio_channel_tls_handshake(QIOChannelTLS *ioc, func, opaque, destroy); =20 trace_qio_channel_tls_handshake_start(ioc); - qio_channel_tls_handshake_task(ioc, task, context); + if (qio_channel_tls_handshake_task(ioc, task, context)) { + qio_task_free(task); + } } =20 static gboolean qio_channel_tls_bye_io(QIOChannel *ioc, GIOCondition condi= tion, gpointer user_data); =20 -static void qio_channel_tls_bye_task(QIOChannelTLS *ioc, QIOTask *task, - GMainContext *context) +static gboolean qio_channel_tls_bye_task(QIOChannelTLS *ioc, QIOTask *task, + GMainContext *context) { GIOCondition condition; QIOChannelTLSData *data; 
@@ -267,14 +286,12 @@ static void qio_channel_tls_bye_task(QIOChannelTLS *i= oc, QIOTask *task, trace_qio_channel_tls_bye_fail(ioc); qio_task_set_error(task, err); qio_task_complete(task); - qio_task_free(task); - return; + return TRUE; } =20 if (status =3D=3D QCRYPTO_TLS_BYE_COMPLETE) { qio_task_complete(task); - qio_task_free(task); - return; + return TRUE; } =20 data =3D g_new0(typeof(*data), 1); @@ -294,7 +311,10 @@ static void qio_channel_tls_bye_task(QIOChannelTLS *io= c, QIOTask *task, trace_qio_channel_tls_bye_pending(ioc, status); ioc->bye_ioc_tag =3D qio_channel_add_watch_full(ioc->master, condition, qio_channel_tls_bye_io, - data, NULL, context); + data, + qio_channel_tls_io_data_= free, + context); + return FALSE; } =20 =20 
@@ -307,11 +327,9 @@ static gboolean qio_channel_tls_bye_io(QIOChannel *ioc= , GIOCondition condition, QIOChannelTLS *tioc =3D QIO_CHANNEL_TLS(qio_task_get_source(task)); =20 tioc->bye_ioc_tag =3D 0; - g_free(data); - qio_channel_tls_bye_task(tioc, task, context); - - if (context) { - g_main_context_unref(context); + if (!qio_channel_tls_bye_task(tioc, task, context)) { + /* task is kept by new GSource so must not be released yet */ + data->task =3D NULL; } =20 return FALSE; --=20 2.47.3
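Review bot: qio_channel_tls_handshake_task() and qio_channel_tls_bye_task() in io/channel-tls.c now return gboolean, with TRUE meaning the task completed and the caller releases it and FALSE meaning the task was handed to a new GSource, but nothing at either definition states this, and the sense is the reverse of the GSource callbacks next to them, where FALSE means the source is finished. A short comment on both helpers spelling out the ownership contract would keep a later caller from freeing a task that a pending source still holds, or from leaking a completed one.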
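Review bot: in the new qio_channel_tls_io_data_free() the "if (data->task)" guard repeats the NULL check that qio_task_free() gained in patch 26/44 of this series ("if (!task) { return; }"), so the call can be made unconditionally. If the guard is kept for readability, the comment above it already explains when the task is non-NULL, so nothing else needs to change.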
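The ownership rule that patches 26/44 and 27/44 introduce, as a stand-alone model (an added example, not QEMU or GLib code): a one-shot event source carries user data plus an optional destroy notifier, and the run counts what is left allocated when the source is cancelled before its callback fires. Source, Task, IoData, handshake_step(), leaked_after() and the two-event handshake are assumptions made for the illustration; only the pattern (callback clears data->task when a new source takes the task over, the notifier frees whatever is still set) follows the patch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: a one-shot event source that carries user data
 * and an optional destroy notifier. */
typedef bool (*SourceFunc)(void *user_data);
typedef void (*DestroyNotify)(void *user_data);
typedef struct { SourceFunc func; void *data; DestroyNotify notify; } Source;
typedef struct { int steps_left; } Task;    /* stand-in for QIOTask */
typedef struct { Task *task; } IoData;      /* stand-in for QIOChannelTLSData */

static int live_allocs;     /* outstanding allocations, i.e. the leak counter */
static bool fixed;          /* false: callback frees; true: notifier frees */
static Source *pending;     /* the registered source, like hs_ioc_tag */

static void *xalloc(size_t n) { live_allocs++; return calloc(1, n); }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

static bool handshake_io(void *user_data);

/* Runs whenever the source is released, whether or not it ever fired. */
static void io_data_free(void *user_data)
{
    IoData *d = user_data;

    xfree(d->task);         /* still set only if nobody took the task over */
    xfree(d);
}

/* true: task finished, caller frees it. false: a new source now holds it. */
static bool handshake_step(Task *task)
{
    if (--task->steps_left == 0) {
        return true;
    }
    IoData *d = xalloc(sizeof(*d));
    d->task = task;
    pending = xalloc(sizeof(*pending));
    pending->func = handshake_io;
    pending->data = d;
    pending->notify = fixed ? io_data_free : NULL;
    return false;
}

static bool handshake_io(void *user_data)
{
    IoData *d = user_data;
    Task *task = d->task;

    pending = NULL;
    if (!fixed) {           /* pre-fix: only the callback ever frees */
        xfree(d);
        if (handshake_step(task)) {
            xfree(task);
        }
    } else if (!handshake_step(task)) {
        d->task = NULL;     /* kept by the new source, must not be freed yet */
    }
    return false;
}

/* Release a source; fire=false models cancellation before any event. */
static void source_release(Source *s, bool fire)
{
    if (fire) {
        s->func(s->data);
    }
    if (s->notify) {
        s->notify(s->data);
    }
    xfree(s);
}

/* Deliver `events` I/O events, then cancel whatever is still registered.
 * Returns the number of allocations left behind. */
static int leaked_after(bool use_fix, int events)
{
    live_allocs = 0;
    fixed = use_fix;
    pending = NULL;

    Task *task = xalloc(sizeof(*task));
    task->steps_left = 3;   /* constructed: two I/O events are needed */
    if (handshake_step(task)) {
        xfree(task);
    }
    while (events-- > 0 && pending) {
        source_release(pending, true);
    }
    if (pending) {          /* cancellation: the callback never runs */
        Source *s = pending;
        pending = NULL;
        source_release(s, false);
    }
    return live_allocs;
}

int main(void)
{
    for (int ev = 0; ev <= 2; ev++) {
        printf("events=%d  callback-frees: %d leaked  notifier-frees: %d leaked\n",
               ev, leaked_after(false, ev), leaked_after(true, ev));
    }
    return 0;
}
```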
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel P. Berrangé, Michael Tokarev
Subject: [Stable-10.0.9 28/44] io: fix cleanup for websock I/O source data on cancellation
Date: Wed, 11 Mar 2026 18:02:00 +0300
Message-ID: <20260311150221.1084186-28-mjt@tls.msk.ru>

From: Daniel P. Berrangé

The websock code will create a GSource for tracking completion of the handshake process, passing a QIOTask which is freed by the callback when it completes, which means when a source is cancelled, nothing is free'ing the task.

Switch to provide a data free callback to the GSource, which ensures the QIOTask is always freed even when the main event callback never fires.

Fixes: https://gitlab.com/qemu-project/qemu/-/issues/3114
Signed-off-by: Daniel P. Berrangé
(cherry picked from commit 9545c059f77e3f814fcbaba83203572ea655c50e)
Signed-off-by: Michael Tokarev
diff --git a/io/channel-websock.c b/io/channel-websock.c index 1cd3a1e45d..c8c8340cbd 100644 --- a/io/channel-websock.c +++ b/io/channel-websock.c @@ -526,11 +526,32 @@ static int qio_channel_websock_handshake_read(QIOChan= nelWebsock *ioc, return 1; } =20 +typedef struct QIOChannelWebsockData { + QIOTask *task; +} QIOChannelWebsockData; + +static void qio_channel_websock_data_free(gpointer user_data) +{ + QIOChannelWebsockData *data =3D user_data; + /* + * Usually 'task' will be NULL since the GSource + * callback will either complete the task or pass + * it on to a new GSource. We'll see a non-NULL + * task here only if the GSource was released before + * its callback triggers + */ + if (data->task) { + qio_task_free(data->task); + } + g_free(data); +} + static gboolean qio_channel_websock_handshake_send(QIOChannel *ioc, GIOCondition condition, gpointer user_data) { - QIOTask *task =3D user_data; + QIOChannelWebsockData *data =3D user_data; + QIOTask *task =3D data->task; QIOChannelWebsock *wioc =3D QIO_CHANNEL_WEBSOCK( qio_task_get_source(task)); Error *err =3D NULL; @@ -545,7 +566,6 @@ static gboolean qio_channel_websock_handshake_send(QIOC= hannel *ioc, trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err= )); qio_task_set_error(task, err); qio_task_complete(task); - qio_task_free(task); wioc->hs_io_tag =3D 0; return FALSE; } @@ -562,7 +582,6 @@ static gboolean qio_channel_websock_handshake_send(QIOC= hannel *ioc, trace_qio_channel_websock_handshake_complete(ioc); qio_task_complete(task); } - qio_task_free(task); wioc->hs_io_tag =3D 0; return FALSE; }
@@ -574,7 +593,8 @@ static gboolean qio_channel_websock_handshake_io(QIOCha= nnel *ioc, GIOCondition condition, gpointer user_data) { - QIOTask *task =3D user_data; + QIOChannelWebsockData *data =3D user_data, *newdata =3D NULL; + QIOTask *task =3D data->task; QIOChannelWebsock *wioc =3D QIO_CHANNEL_WEBSOCK( qio_task_get_source(task)); Error *err =3D NULL; @@ -590,7 +610,6 @@ static gboolean qio_channel_websock_handshake_io(QIOCha= nnel *ioc, trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err= )); qio_task_set_error(task, err); qio_task_complete(task); - qio_task_free(task); wioc->hs_io_tag =3D 0; return FALSE; } @@ -603,12 +622,14 @@ static gboolean qio_channel_websock_handshake_io(QIOC= hannel *ioc, error_propagate(&wioc->io_err, err); =20 trace_qio_channel_websock_handshake_reply(ioc); + newdata =3D g_new0(QIOChannelWebsockData, 1); + newdata->task =3D g_steal_pointer(&data->task); wioc->hs_io_tag =3D qio_channel_add_watch( wioc->master, G_IO_OUT, qio_channel_websock_handshake_send, - task, - NULL); + newdata, + qio_channel_websock_data_free); return FALSE; } =20 @@ -904,12 +925,12 @@ void qio_channel_websock_handshake(QIOChannelWebsock = *ioc, gpointer opaque, GDestroyNotify destroy) { - QIOTask *task; + QIOChannelWebsockData *data =3D g_new0(QIOChannelWebsockData, 1); =20 - task =3D qio_task_new(OBJECT(ioc), - func, - opaque, - destroy); + data->task =3D qio_task_new(OBJECT(ioc), + func, + opaque, + destroy); =20 trace_qio_channel_websock_handshake_start(ioc); trace_qio_channel_websock_handshake_pending(ioc, G_IO_IN); 
@@ -917,8 +938,8 @@ void qio_channel_websock_handshake(QIOChannelWebsock *i= oc, ioc->master, G_IO_IN, qio_channel_websock_handshake_io, - task, - NULL); + data, + qio_channel_websock_data_free); } =20 =20 --=20 2.47.3
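Review bot: The comment in qio_channel_websock_data_free() does not match what the rest of the patch does. It says 'task' will usually be NULL because the callback either completes the task or passes it on, but the completion and failure paths in qio_channel_websock_handshake_send() and qio_channel_websock_handshake_io() only drop their qio_task_free(task) call and never clear data->task, so after a normal completion the task is still non-NULL here and this function is what frees it. Only the hand-off in qio_channel_websock_handshake_io(), via g_steal_pointer(&data->task), leaves it NULL. The behaviour looks right; please reword the comment to say the task is NULL only after it was passed to a new GSource, so that nobody later re-adds a free on the completion paths and creates a double free.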
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.0.9 29/44] hw/net/smc91c111: Don't allow negative-length packets
Date: Wed, 11 Mar 2026 18:02:01 +0300
Message-ID: <20260311150221.1084186-29-mjt@tls.msk.ru>
From: Peter Maydell

The smc91c111 data frame format in memory (figure 8-1 in the datasheet) includes a "byte count" field which is intended to be the total size of the data frame, including not just the packet data but also the leading and trailing information like the status word and the byte count field itself.

It is therefore possible for the guest to set this to a value so small that the leading and trailing fields won't fit and the packet has effectively a negative area.

We weren't checking for this, with the result that when we subtract 6 from the length to get the length of the packet proper we end up with a negative length, which is then inconsistently handled in the qemu_send_packet() code such that we can try to transmit a very large amount of data and read off the end of the device's data array.

Treat excessively small length values the same way we do excessively large values. As with the oversized case, the datasheet does not describe what happens for this software error case, and there is no relevant tx error condition for this, so we just log and drop the packet.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3304
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Message-id: 20260226175549.1319476-1-peter.maydell@linaro.org
(cherry picked from commit d8e19f8042dcaff8e077292209c8196acb150bdd)
Signed-off-by: Michael Tokarev
diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c index 9ce42b5615..751e9e6f97 100644 --- a/hw/net/smc91c111.c +++ b/hw/net/smc91c111.c @@ -30,6 +30,12 @@ * LAN91C111 datasheet). */ #define MAX_PACKET_SIZE 2048 +/* + * Size of the non-data fields in a data frame: status word, + * byte count, control byte, and last data byte; this defines + * the smallest value the byte count in the frame can validly be. + */ +#define MIN_PACKET_SIZE 6 =20 #define TYPE_SMC91C111 "smc91c111" OBJECT_DECLARE_SIMPLE_TYPE(smc91c111_state, SMC91C111)
@@ -289,7 +295,7 @@ static void smc91c111_do_tx(smc91c111_state *s) *(p++) =3D 0x40; len =3D *(p++); len |=3D ((int)*(p++)) << 8; - if (len > MAX_PACKET_SIZE) { + if (len < MIN_PACKET_SIZE || len > MAX_PACKET_SIZE) { /* * Datasheet doesn't say what to do here, and there is no * relevant tx error condition listed. Log, and drop the packe= t. 
@@ -300,7 +306,13 @@ static void smc91c111_do_tx(smc91c111_state *s) smc91c111_complete_tx_packet(s, packetnum); continue; } - len -=3D 6; + /* + * Convert from size of the data frame to number of bytes of + * actual packet data. Whether the "last data byte" field is + * included in the packet depends on the ODD bit in the control + * byte at the end of the frame. + */ + len -=3D MIN_PACKET_SIZE; control =3D p[len + 1]; if (control & 0x20) len++; --=20 2.47.3
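Review bot: In smc91c111_do_tx() a byte count of exactly MIN_PACKET_SIZE passes the new check, so after len -= MIN_PACKET_SIZE the packet length is 0, or 1 when the ODD bit (control & 0x20) is set. Is handing a zero-length packet to the transmit path intended? If not, the zero case should be dropped alongside the undersized one; if it is, a line in the new comment saying that an empty payload is valid would help. The constant also does double duty as a minimum and as the frame overhead that gets subtracted, which the comment on the #define explains, though a name that says "overhead" would read better at the subtraction.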
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, "Halil Oktay (oblivionsage)", Kevin Wolf, Michael Tokarev
Subject: [Stable-10.0.9 30/44] block/vmdk: fix OOB read in vmdk_read_extent()
Date: Wed, 11 Mar 2026 18:02:02 +0300
Message-ID: <20260311150221.1084186-30-mjt@tls.msk.ru>

From: "Halil Oktay (oblivionsage)"

Bounds check for marker.size doesn't account for the 12-byte marker header, allowing zlib to read past the allocated buffer.

Move the check inside the has_marker block and subtract the marker size.

Fixes: CVE-2026-2243
Reported-by: Halil Oktay (oblivionsage)
Signed-off-by: Halil Oktay (oblivionsage)
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf
(cherry picked from commit cfda94eddb6c9c49b66461c950b22845a46a75c9)
Signed-off-by: Michael Tokarev
diff --git a/block/vmdk.c b/block/vmdk.c index 5a53c4624a..ffdaf3c901 100644 --- a/block/vmdk.c +++ b/block/vmdk.c 
@@ -1949,10 +1949,10 @@ vmdk_read_extent(VmdkExtent *extent, int64_t cluste= r_offset, marker =3D (VmdkGrainMarker *)cluster_buf; compressed_data =3D marker->data; data_len =3D le32_to_cpu(marker->size); - } - if (!data_len || data_len > buf_bytes) { - ret =3D -EINVAL; - goto out; + if (!data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker)) { + ret =3D -EINVAL; + goto out; + } } ret =3D uncompress(uncomp_buf, &buf_len, compressed_data, data_len); if (ret !=3D Z_OK) { --=20 2.47.3
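Review bot: The new bound, data_len > buf_bytes - sizeof(VmdkGrainMarker), subtracts an unsigned sizeof from buf_bytes, so if buf_bytes can ever be smaller than the marker header the subtraction wraps and the check passes for any data_len; marker->size is also read before anything establishes that the buffer holds a full header. buf_bytes is not declared in this hunk, so either reject buf_bytes < sizeof(VmdkGrainMarker) explicitly before the read or point to where that minimum is guaranteed. Separately, moving the test inside the marker branch means the non-marker path now reaches uncompress() with data_len unchecked; that is fine only if data_len is set from the buffer size there, which is worth a one-line comment.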
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Antoine Damhet, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.0.9 31/44] block/curl: fix concurrent completion handling
Date: Wed, 11 Mar 2026 18:02:03 +0300
Message-ID: <20260311150221.1084186-31-mjt@tls.msk.ru>
From: Antoine Damhet

curl_multi_check_completion would bail upon the first completed transfer even if more completion messages were available thus leaving some in flight IOs stuck.

Rework a bit the loop to make the iterations clearer and drop the breaks.

The original hang can be somewhat reproduced with the following command:

$ qemu-img convert -p -m 16 -O qcow2 -c --image-opts \
    'file.driver=https,file.url=https://scaleway.testdebit.info/10G.iso,file.readahead=1M' \
    /tmp/test.qcow2

Fixes: 1f2cead32443 ("curl: Ensure all informationals are checked for completion")
Cc: qemu-stable@nongnu.org
Signed-off-by: Antoine Damhet
Message-ID: <20260212162730.440855-2-adamhet@scaleway.com>
Signed-off-by: Kevin Wolf
(cherry picked from commit 6f7b0a23a6ea0cc72ad222ab37936248d99d4256)
Signed-off-by: Michael Tokarev
diff --git a/block/curl.c b/block/curl.c index 96498aac1d..dabd2a905e 100644 --- a/block/curl.c +++ b/block/curl.c @@ -324,17 +324,11 @@ curl_find_buf(BDRVCURLState *s, uint64_t start, uint6= 4_t len, CURLAIOCB *acb) static void curl_multi_check_completion(BDRVCURLState *s) { int msgs_in_queue; + CURLMsg *msg; =20 /* Try to find done transfers, so we can free the easy * handle again. */ - for (;;) { - CURLMsg *msg; - msg =3D curl_multi_info_read(s->multi, &msgs_in_queue); - - /* Quit when there are no more completions */ - if (!msg) - break; - + while ((msg =3D curl_multi_info_read(s->multi, &msgs_in_queue))) { if (msg->msg =3D=3D CURLMSG_DONE) { int i; CURLState *state =3D NULL;
@@ -397,7 +391,6 @@ static void curl_multi_check_completion(BDRVCURLState *= s) } =20 curl_clean_state(state); - break; } } } --=20 2.47.3
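Review bot: With the for (;;) loop and the break after curl_clean_state(state) gone, nothing in curl_multi_check_completion() says any more that the loop is meant to drain every queued message, which is the whole point of the fix. The remaining comment ("Try to find done transfers, so we can free the easy handle again") reads as if one transfer is handled per call. Please extend it to state that all pending CURLMsg entries are processed in one call and that stopping after the first CURLMSG_DONE leaves in-flight requests stuck, so that the break is not reintroduced later.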
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Kevin Wolf, Fiona Ebner, Jean-Louis Dupond, Michael Tokarev
Subject: [Stable-10.0.9 32/44] mirror: Fix missed dirty bitmap writes during startup
Date: Wed, 11 Mar 2026 18:02:04 +0300
Message-ID: <20260311150221.1084186-32-mjt@tls.msk.ru>
From: Kevin Wolf

Currently, mirror disables the block layer's dirty bitmap before its own replacement is working. This means that during startup, there is a window in which the allocation status of blocks in the source has already been checked, but new writes coming in aren't tracked yet, resulting in a corrupted copy:

1. Dirty bitmap is disabled in mirror_start_job()
2. Some request are started in mirror_top_bs while s->job == NULL
3. mirror_dirty_init() -> bdrv_co_is_allocated_above() runs and because the request hasn't completed yet, the block isn't allocated
4. The request completes, still sees s->job == NULL and skips the bitmap, and nothing else will mark it dirty either

One ingredient is that mirror_top_opaque->job is only set after the job is fully initialized. For the rationale, see commit 32125b1460 ("mirror: Fix access of uninitialised fields during start").

Fix this by giving mirror_top_bs access to dirty_bitmap and enabling it to track writes from the beginning. Disabling the block layer's tracking and enabling the mirror_top_bs one happens in a drained section, so there is no danger of races with in-flight requests any more. All of this happens well before the block allocation status is checked, so we can be sure that no writes will be missed.

Cc: qemu-stable@nongnu.org
Closes: https://gitlab.com/qemu-project/qemu/-/issues/3273
Fixes: 32125b14606a ('mirror: Fix access of uninitialised fields during start')
Signed-off-by: Kevin Wolf
Message-ID: <20260219202446.312493-1-kwolf@redhat.com>
Reviewed-by: Fiona Ebner
Tested-by: Jean-Louis Dupond
Signed-off-by: Kevin Wolf
(cherry picked from commit 0f51f9c3420b31bb383e456dd7bf24d3056eeb73)
(Mjt: context fix in block/mirror.c:mirror_start_job() - bdrv_graph_wrlock_drained() is not in 10.0)
Signed-off-by: Michael Tokarev
diff --git a/block/mirror.c b/block/mirror.c index a53582f17b..db2af08050 100644 --- a/block/mirror.c +++ b/block/mirror.c
@@ -98,6 +98,7 @@ typedef struct MirrorBlockJob { =20 typedef struct MirrorBDSOpaque { MirrorBlockJob *job; + BdrvDirtyBitmap *dirty_bitmap; bool stop; bool is_commit; } MirrorBDSOpaque; @@ -1557,9 +1558,11 @@ bdrv_mirror_top_do_write(BlockDriverState *bs, Mirro= rMethod method, abort(); } =20 - if (!copy_to_target && s->job && s->job->dirty_bitmap) { - qatomic_set(&s->job->actively_synced, false); - bdrv_set_dirty_bitmap(s->job->dirty_bitmap, offset, bytes); + if (!copy_to_target) { + if (s->job) { + qatomic_set(&s->job->actively_synced, false); + } + bdrv_set_dirty_bitmap(s->dirty_bitmap, offset, bytes); } =20 if (ret < 0) { @@ -1785,13 +1788,35 @@ static BlockJob *mirror_start_job( =20 bdrv_drained_begin(bs); ret =3D bdrv_append(mirror_top_bs, bs, errp); - bdrv_drained_end(bs); - if (ret < 0) { + bdrv_drained_end(bs); + bdrv_unref(mirror_top_bs); + return NULL; + } + + bs_opaque->dirty_bitmap =3D bdrv_create_dirty_bitmap(mirror_top_bs, + granularity, + NULL, errp); + if (!bs_opaque->dirty_bitmap) { + bdrv_drained_end(bs); bdrv_unref(mirror_top_bs); return NULL; } =20 + /* + * The mirror job doesn't use the block layer's dirty tracking because= it + * needs to be able to switch seemlessly between background copy mode = (which + * does need dirty tracking) and write blocking mode (which doesn't) a= nd + * doing that would require draining the node. Instead, mirror_top_bs = takes + * care of updating the dirty bitmap as appropriate. + * + * Note that write blocking mode only becomes effective after mirror_r= un() + * sets mirror_top_opaque->job (see should_copy_to_target()). Until th= en, + * we're still in background copy mode irrespective of @copy_mode. + */ + bdrv_disable_dirty_bitmap(bs_opaque->dirty_bitmap); + bdrv_drained_end(bs); + /* Make sure that the source is not resized while the job is running */ s =3D block_job_create(job_id, driver, NULL, mirror_top_bs, BLK_PERM_CONSISTENT_READ, 
@@ -1886,24 +1911,13 @@ static BlockJob *mirror_start_job( s->base_overlay =3D bdrv_find_overlay(bs, base); s->granularity =3D granularity; s->buf_size =3D ROUND_UP(buf_size, granularity); + s->dirty_bitmap =3D bs_opaque->dirty_bitmap; s->unmap =3D unmap; if (auto_complete) { s->should_complete =3D true; } bdrv_graph_rdunlock_main_loop(); =20 - s->dirty_bitmap =3D bdrv_create_dirty_bitmap(s->mirror_top_bs, granula= rity, - NULL, errp); - if (!s->dirty_bitmap) { - goto fail; - } - - /* - * The dirty bitmap is set by bdrv_mirror_top_do_write() when not in a= ctive - * mode. - */ - bdrv_disable_dirty_bitmap(s->dirty_bitmap); - bdrv_graph_wrlock(); ret =3D block_job_add_bdrv(&s->common, "source", bs, 0, BLK_PERM_WRITE_UNCHANGED | BLK_PERM_WRITE | @@ -1983,9 +1997,6 @@ fail: g_free(s->replaces); blk_unref(s->target); bs_opaque->job =3D NULL; - if (s->dirty_bitmap) { - bdrv_release_dirty_bitmap(s->dirty_bitmap); - } job_early_fail(&s->common.job); } =20 
@@ -1999,6 +2010,7 @@ fail: bdrv_graph_wrunlock(); bdrv_drained_end(bs); =20 + bdrv_release_dirty_bitmap(bs_opaque->dirty_bitmap); bdrv_unref(mirror_top_bs); =20 return NULL; --=20 2.47.3
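
Review bot: In the mirror_start_job() hunk (@@ -1785), the new "if (!bs_opaque->dirty_bitmap)" branch runs after bdrv_append() has already succeeded, yet its cleanup is the same drained_end/unref/return sequence as the bdrv_append() failure branch directly above it. If a node that was appended has to be taken out of the graph again, this branch needs to do that too (or jump to shared cleanup); if bdrv_unref(mirror_top_bs) alone is enough here, a short comment saying why would help. The comment added in the same hunk also has a typo, "seemlessly" for "seamlessly".

Review bot: In bdrv_mirror_top_do_write() (@@ -1557), bdrv_set_dirty_bitmap(s->dirty_bitmap, offset, bytes) now runs whenever !copy_to_target, without the NULL check that the old "s->job->dirty_bitmap" condition provided. Because the @@ -1886 hunk makes the job's s->dirty_bitmap an alias of bs_opaque->dirty_bitmap, please state which of the two owns the bitmap and confirm that wherever the job releases it the pointer in MirrorBDSOpaque is cleared or the node can no longer see writes, so a late write through mirror_top_bs cannot reach a released bitmap.
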
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Dmitry Guryanov, Hanna Czenczek, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.0.9 33/44] block/throttle-groups: fix deadlock with iolimits and muliple iothreads
Date: Wed, 11 Mar 2026 18:02:05 +0300
Message-ID: <20260311150221.1084186-33-mjt@tls.msk.ru>
From: Dmitry Guryanov

Details: https://gitlab.com/qemu-project/qemu/-/issues/3144

The function schedule_next_request is called with tg->lock held and it may call throttle_group_co_restart_queue, which takes tgm->throttled_reqs_lock, qemu_co_mutex_lock may leave current coroutine if other iothread has taken the lock. If the next coroutine will call throttle_group_co_io_limits_intercept - it will try to take the mutex tg->lock which will never be released.

Here is the backtrace of the iothread:

Thread 30 (Thread 0x7f8aad1fd6c0 (LWP 24240) "IO iothread2"):
#0 futex_wait (futex_word=0x5611adb7d828, expected=2, private=0) at ../sysdeps/nptl/futex-internal.h:146
#1 __GI___lll_lock_wait (futex=futex@entry=0x5611adb7d828, private=0) at lowlevellock.c:49
#2 0x00007f8ab5a97501 in lll_mutex_lock_optimized (mutex=0x5611adb7d828) at pthread_mutex_lock.c:48
#3 ___pthread_mutex_lock (mutex=0x5611adb7d828) at pthread_mutex_lock.c:93
#4 0x00005611823f5482 in qemu_mutex_lock_impl (mutex=0x5611adb7d828, file=0x56118289daca "../block/throttle-groups.c", line=372) at ../util/qemu-thread-posix.c:94
#5 0x00005611822b0b39 in throttle_group_co_io_limits_intercept (tgm=0x5611af1bb4d8, bytes=4096, direction=THROTTLE_READ) at ../block/throttle-groups.c:372
#6 0x00005611822473b1 in blk_co_do_preadv_part (blk=0x5611af1bb490, offset=15972311040, bytes=4096, qiov=0x7f8aa4000f98, qiov_offset=0, flags=BDRV_REQ_REGISTERED_BUF) at ../block/block-backend.c:1354
#7 0x0000561182247fa0 in blk_aio_read_entry (opaque=0x7f8aa4005910) at ../block/block-backend.c:1619
#8 0x000056118241952e in coroutine_trampoline (i0=-1543497424, i1=32650) at ../util/coroutine-ucontext.c:175
#9 0x00007f8ab5a56f70 in ?? () at ../sysdeps/unix/sysv/linux/x86_64/__start_context.S:66 from target:/lib64/libc.so.6
#10 0x00007f8aad1ef190 in ?? ()
#11 0x0000000000000000 in ?? ()

The lock is taken in line 386:

(gdb) p tg.lock
$1 = {lock = {__data = {__lock = 2, __count = 0, __owner = 24240, __nusers = 1, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = "\002\000\000\000\000\000\000\000\260^\000\000\001", '\000' , __align = 2}, file = 0x56118289daca "../block/throttle-groups.c", line = 386, initialized = true}

The solution is to use tg->lock to protect both ThreadGroup fields and ThrottleGroupMember.throttled_reqs. It doesn't seem to be possible to use separate locks because we need to first manipulate ThrottleGroup fields, then schedule next coroutine using throttled_reqs and after that update token field from ThrottleGroup depending on the throttled_reqs state.

Signed-off-by: Dmitry Guryanov
Message-ID: <20251208085528.890098-1-dmitry.guryanov@gmail.com>
Reviewed-by: Hanna Czenczek
Signed-off-by: Kevin Wolf
(cherry picked from commit d4816177654d59e26ce212c436513f01842eb410)
Signed-off-by: Michael Tokarev

diff --git a/block/throttle-groups.c b/block/throttle-groups.c index 32553b39e3..4385748bbf 100644 --- a/block/throttle-groups.c +++ b/block/throttle-groups.c @@ -295,19 +295,15 @@ static bool throttle_group_schedule_timer(ThrottleGro= upMember *tgm, /* Start the next pending I/O request for a ThrottleGroupMember. Return wh= ether * any request was actually pending. * + * This assumes that tg->lock is held. + * * @tgm: the current ThrottleGroupMember * @direction: the ThrottleDirection */ static bool coroutine_fn throttle_group_co_restart_queue(ThrottleGroupMemb= er *tgm, ThrottleDirection= direction) { - bool ret; - - qemu_co_mutex_lock(&tgm->throttled_reqs_lock); - ret =3D qemu_co_queue_next(&tgm->throttled_reqs[direction]); - qemu_co_mutex_unlock(&tgm->throttled_reqs_lock); - - return ret; + return qemu_co_queue_next(&tgm->throttled_reqs[direction]); } =20 /* Look for the next pending I/O request and schedule it.
@@ -378,12 +374,8 @@ void coroutine_fn throttle_group_co_io_limits_intercep= t(ThrottleGroupMember *tgm /* Wait if there's a timer set or queued requests of this type */ if (must_wait || tgm->pending_reqs[direction]) { tgm->pending_reqs[direction]++; - qemu_mutex_unlock(&tg->lock); - qemu_co_mutex_lock(&tgm->throttled_reqs_lock); qemu_co_queue_wait(&tgm->throttled_reqs[direction], - &tgm->throttled_reqs_lock); - qemu_co_mutex_unlock(&tgm->throttled_reqs_lock); - qemu_mutex_lock(&tg->lock); + &tg->lock); tgm->pending_reqs[direction]--; } =20 @@ -410,15 +402,15 @@ static void coroutine_fn throttle_group_restart_queue= _entry(void *opaque) ThrottleDirection direction =3D data->direction; bool empty_queue; =20 + qemu_mutex_lock(&tg->lock); empty_queue =3D !throttle_group_co_restart_queue(tgm, direction); =20 /* If the request queue was empty then we have to take care of * scheduling the next one */ if (empty_queue) { - qemu_mutex_lock(&tg->lock); schedule_next_request(tgm, direction); - qemu_mutex_unlock(&tg->lock); } + qemu_mutex_unlock(&tg->lock); =20 g_free(data); =20 @@ -569,7 +561,6 @@ void throttle_group_register_tgm(ThrottleGroupMember *t= gm, read_timer_cb, write_timer_cb, tgm); - qemu_co_mutex_init(&tgm->throttled_reqs_lock); } =20 /* Unregister a ThrottleGroupMember from its group, removing it from the l= ist, diff --git a/include/block/throttle-groups.h b/include/block/throttle-group= s.h index 2355e8d9de..7dfc81f7b5 100644 --- a/include/block/throttle-groups.h +++ b/include/block/throttle-groups.h 
@@ -35,8 +35,7 @@ =20 typedef struct ThrottleGroupMember { AioContext *aio_context; - /* throttled_reqs_lock protects the CoQueues for throttled requests. = */ - CoMutex throttled_reqs_lock; + /* Protected by ThrottleGroup.lock */ CoQueue throttled_reqs[THROTTLE_MAX]; =20 /* Nonzero if the I/O limits are currently being ignored; generally --=20 2.47.3
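
Review bot: The locking contract added to throttle_group_co_restart_queue() (@@ -295), "This assumes that tg->lock is held", exists only as a comment, and the @@ -378 hunk replaces the explicit qemu_mutex_unlock()/qemu_mutex_lock() pair with qemu_co_queue_wait(&tgm->throttled_reqs[direction], &tg->lock), so the place where tg->lock is dropped is no longer visible in throttle_group_co_io_limits_intercept(). A one-line comment at that wait, saying that tg->lock is released while the coroutine sleeps and held again when it returns, would keep the next reader from assuming the lock is held continuously across the wait.
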
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.0.9 34/44] block: Never drop BLOCK_IO_ERROR with action=stop for rate limiting
Date: Wed, 11 Mar 2026 18:02:06 +0300
Message-ID: <20260311150221.1084186-34-mjt@tls.msk.ru>
From: Kevin Wolf

Commit 2155d2dd introduced rate limiting for BLOCK_IO_ERROR to emit an event only once a second. This makes sense for cases in which the guest keeps running and can submit more requests that would possibly also fail because there is a problem with the backend.

However, if the error policy is configured so that the VM is stopped on errors, this is both unnecessary because stopping the VM means that the guest can't issue more requests and in fact harmful because stopping the VM is an important state change that management tools need to keep track of even if it happens more than once in a given second. If an event is dropped, the management tool would see a VM randomly going to paused state without an associated error, so it has a hard time deciding how to handle the situation.

This patch disables rate limiting for action=stop by not relying on the event type alone any more in monitor_qapi_event_queue_no_reenter(), but checking action for BLOCK_IO_ERROR, too. If the error is reported to the guest or ignored, the rate limiting stays in place.

Fixes: 2155d2dd7f73 ('block-backend: per-device throttling of BLOCK_IO_ERROR reports')
Signed-off-by: Kevin Wolf
Message-ID: <20260304122800.51923-1-kwolf@redhat.com>
Signed-off-by: Kevin Wolf
(cherry picked from commit 544ddbb6373d61292a0e2dc269809cd6bd5edec6)
Signed-off-by: Michael Tokarev

diff --git a/monitor/monitor.c b/monitor/monitor.c index c5a5d30877..ae7cf64de0 100644 --- a/monitor/monitor.c +++ b/monitor/monitor.c
@@ -363,14 +363,33 @@ monitor_qapi_event_queue_no_reenter(QAPIEvent event, = QDict *qdict) { MonitorQAPIEventConf *evconf; MonitorQAPIEventState *evstate; + bool throttled; =20 assert(event < QAPI_EVENT__MAX); evconf =3D &monitor_qapi_event_conf[event]; trace_monitor_protocol_event_queue(event, qdict, evconf->rate); + throttled =3D evconf->rate; + + /* + * Rate limit BLOCK_IO_ERROR only for action !=3D "stop". + * + * If the VM is stopped after an I/O error, this is important informat= ion + * for the management tool to keep track of the state of QEMU and we c= an't + * merge any events. At the same time, stopping the VM means that the = guest + * can't send additional requests and the number of events is already + * limited, so we can do without rate limiting. + */ + if (event =3D=3D QAPI_EVENT_BLOCK_IO_ERROR) { + QDict *data =3D qobject_to(QDict, qdict_get(qdict, "data")); + const char *action =3D qdict_get_str(data, "action"); + if (!strcmp(action, "stop")) { + throttled =3D false; + } + } =20 QEMU_LOCK_GUARD(&monitor_lock); =20 - if (!evconf->rate) { + if (!throttled) { /* Unthrottled event */ monitor_qapi_event_emit(event, qdict); } else { diff --git a/qapi/block-core.json b/qapi/block-core.json index 807efd27fd..65031a86b5 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json 
@@ -5660,7 +5660,7 @@ # .. note:: If action is "stop", a STOP event will eventually follow # the BLOCK_IO_ERROR event. # -# .. note:: This event is rate-limited. +# .. note:: This event is rate-limited, except if action is "stop". # # Since: 0.13 # --=20 2.47.3
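
Review bot: In monitor_qapi_event_queue_no_reenter() (@@ -363), data is taken from qobject_to(QDict, qdict_get(qdict, "data")) and passed straight to qdict_get_str(data, "action"), with no check that the "data" member is present or that "action" is a string. That holds as long as every BLOCK_IO_ERROR event reaching this function was built by the generated QAPI code, so an assert(data) or a sentence in the new comment naming that invariant would make the dependency explicit instead of leaving it to a NULL dereference to report a violation.
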
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Hanna Czenczek, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.0.9 35/44] block/nfs: Do not enter coroutine from CB
Date: Wed, 11 Mar 2026 18:02:07 +0300
Message-ID: <20260311150221.1084186-35-mjt@tls.msk.ru>
From: Hanna Czenczek

The reasoning I gave for why it would be safe to call aio_co_wake() despite holding the mutex was wrong: It is true that the current request will not re-acquire the mutex, but a subsequent request in the same coroutine can. Because the mutex is a non-coroutine mutex, this will result in a deadlock.

Therefore, we must either not enter the coroutine here (only scheduling it), or release the mutex around aio_co_wake(). I opt for the former, as it is the behavior prior to the offending commit, and so seems safe to do.

Fixes: deb35c129b859b9bec70fd42f856a0b7c1dc6e61
Fixes: aa2ec06680b1924980a177e98502494293e4e9d9 in 10.0.7
("nfs: Run co BH CB in the coroutine’s AioContext")
Buglink: https://gitlab.com/qemu-project/qemu/-/issues/2622#note_2965097035
Cc: qemu-stable@nongnu.org
Signed-off-by: Hanna Czenczek
Message-ID: <20260102153246.154207-1-hreitz@redhat.com>
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf
(cherry picked from commit 1d6610099bd7fc159626a38e60a3c84343ff67f7)
Signed-off-by: Michael Tokarev

diff --git a/block/nfs.c b/block/nfs.c index 1d3a34a30c..b78f4f86e8 100644 --- a/block/nfs.c +++ b/block/nfs.c
@@ -249,14 +249,15 @@ nfs_co_generic_cb(int ret, struct nfs_context *nfs, v= oid *data, } =20 /* - * Safe to call: nfs_service(), which called us, is only run from the = FD - * handlers, never from the request coroutine. The request coroutine = in - * turn will yield unconditionally. - * No need to release the lock, even if we directly enter the coroutin= e, as - * the lock is never re-taken after yielding. (Note: If we do enter t= he - * coroutine, @task will probably be dangling once aio_co_wake() retur= ns.) + * Using aio_co_wake() here could re-enter the coroutine directly, whi= le we + * still hold the mutex. The current request will not attempt to re-t= ake + * the mutex, so that is fine; but if the same coroutine then goes on = to + * submit another request, that new request will try to re-take the mu= tex, + * resulting in a deadlock. + * To prevent that, only schedule the coroutine so it will be entered = later, + * with the mutex released. */ - aio_co_wake(task->co); + aio_co_schedule(qemu_coroutine_get_aio_context(task->co), task->co); } =20 static int coroutine_fn nfs_co_preadv(BlockDriverState *bs, int64_t offset, 
@@ -716,8 +717,8 @@ nfs_get_allocated_file_size_cb(int ret, struct nfs_cont= ext *nfs, void *data, if (task->ret < 0) { error_report("NFS Error: %s", nfs_get_error(nfs)); } - /* Safe to call, see nfs_co_generic_cb() */ - aio_co_wake(task->co); + /* Must not use aio_co_wake(), see nfs_co_generic_cb() */ + aio_co_schedule(qemu_coroutine_get_aio_context(task->co), task->co); } =20 static int64_t coroutine_fn nfs_co_get_allocated_file_size(BlockDriverStat= e *bs) --=20 2.47.3
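
Review bot: The call aio_co_schedule(qemu_coroutine_get_aio_context(task->co), task->co) now appears verbatim in both nfs_co_generic_cb() (@@ -249) and nfs_get_allocated_file_size_cb() (@@ -716), with the full rationale only in the first and a cross-reference in the second. A small static helper that carries the comment would keep the rule "do not enter the coroutine while the mutex is held" in one place, so a callback added later cannot reintroduce aio_co_wake() by copying an older pattern.
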
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Dmitry Osipenko, Alex Bennée, Michael Tokarev
Subject: [Stable-10.0.9 36/44] virtio-gpu: Ensure BHs are invoked only from main-loop thread
Date: Wed, 11 Mar 2026 18:02:08 +0300
Message-ID: <20260311150221.1084186-36-mjt@tls.msk.ru>
From: Dmitry Osipenko

QEMU's display GL core is tied to main-loop thread and virtio-gpu interacts with display while processing GPU commands. Virtio-gpu BHs work in generic AIO context that can be invoked on vCPU thread, while GL and UI toolkits are bound to the main-loop thread.

Make virtio-gpu BHs use iohandler AIO context that is handled in a main-loop thread only.

0 SDL_GL_MakeCurrent() (libSDL3)
1 SDL_GL_MakeCurrent_REAL() (libSDL2)
2 sdl2_gl_make_context_current() (ui/sdl2-gl.c:201)
3 make_current() (virglrenderer.c:639)
4 vrend_finish_context_switch() (vrend_renderer.c:11630)
5 vrend_hw_switch_context() (vrend_renderer.c:11613)
6 vrend_renderer_force_ctx_0() (vrend_renderer.c:12986)
7 virgl_renderer_force_ctx_0() (virglrenderer.c:460)
8 virtio_gpu_virgl_process_cmd() (virtio-gpu-virgl.c:1013)
9 virtio_gpu_process_cmdq() (virtio-gpu.c:1050)
10 virtio_gpu_gl_handle_ctrl() (virtio-gpu-gl.c:86)
11 aio_bh_poll() (util/async.c)
12 aio_poll() (util/aio-posix.c)
13 blk_pwrite() (block/block-gen.c:1985)
14 pflash_update() (pflash_cfi01.c:396)
15 pflash_write() (pflash_cfi01.c:541)
16 memory_region_dispatch_write() (system/memory.c:1554)
17 flatview_write() (system/physmem.c:3333)
18 address_space_write() (system/physmem.c:3453)
19 kvm_cpu_exec() (accel/kvm/kall-all.c:3248)
20 kvm_vcpu_thread_fn() (accel/kvm/kaccel-ops.c:53)

Cc: qemu-stable@nongnu.org
Signed-off-by: Dmitry Osipenko
Message-ID: <20260303151422.977399-8-dmitry.osipenko@collabora.com>
Message-ID: <20260304165043.1437519-10-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée
(cherry picked from commit 235f9b36383e4cc7a790bca51eddbe38edd5438c)
Signed-off-by: Michael Tokarev

diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c index 362828f54e..a65fca9c62 100644 --- a/hw/display/virtio-gpu-virgl.c +++ b/hw/display/virtio-gpu-virgl.c
@@ -1199,9 +1199,9 @@ int virtio_gpu_virgl_init(VirtIOGPU *g) } =20 #if VIRGL_VERSION_MAJOR >=3D 1 - gl->cmdq_resume_bh =3D aio_bh_new(qemu_get_aio_context(), - virtio_gpu_virgl_resume_cmdq_bh, - g); + gl->cmdq_resume_bh =3D virtio_bh_io_new_guarded(DEVICE(g), + virtio_gpu_virgl_resume_= cmdq_bh, + g); #endif =20 return 0; diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c index 11a7a85750..7ab5221fbc 100644 --- a/hw/display/virtio-gpu.c +++ b/hw/display/virtio-gpu.c @@ -1514,9 +1514,9 @@ void virtio_gpu_device_realize(DeviceState *qdev, Err= or **errp) =20 g->ctrl_vq =3D virtio_get_queue(vdev, 0); g->cursor_vq =3D virtio_get_queue(vdev, 1); - g->ctrl_bh =3D virtio_bh_new_guarded(qdev, virtio_gpu_ctrl_bh, g); - g->cursor_bh =3D virtio_bh_new_guarded(qdev, virtio_gpu_cursor_bh, g); - g->reset_bh =3D qemu_bh_new(virtio_gpu_reset_bh, g); + g->ctrl_bh =3D virtio_bh_io_new_guarded(qdev, virtio_gpu_ctrl_bh, g); + g->cursor_bh =3D virtio_bh_io_new_guarded(qdev, virtio_gpu_cursor_bh, = g); + g->reset_bh =3D virtio_bh_io_new_guarded(qdev, virtio_gpu_reset_bh, g); qemu_cond_init(&g->reset_cond); QTAILQ_INIT(&g->reslist); QTAILQ_INIT(&g->cmdq); diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index b756f49867..34ef7b86d9 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -4403,3 +4403,13 @@ QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, return qemu_bh_new_full(cb, opaque, name, &transport->mem_reentrancy_guard); } + +QEMUBH *virtio_bh_io_new_guarded_full(DeviceState *dev, + QEMUBHFunc *cb, void *opaque, + const char *name) +{ + DeviceState *transport =3D qdev_get_parent_bus(dev)->parent; + + return aio_bh_new_full(iohandler_get_aio_context(), cb, opaque, name, + &transport->mem_reentrancy_guard); +} diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h index 14c2afed33..d6c9fdf0e0 100644 --- a/include/hw/virtio/virtio.h +++ b/include/hw/virtio/virtio.h 
@@ -543,4 +543,14 @@ QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, #define virtio_bh_new_guarded(dev, cb, opaque) \ virtio_bh_new_guarded_full((dev), (cb), (opaque), (stringify(cb))) =20 +/* + * The "_io" variant runs BH only on a main-loop thread, while generic BH + * may run on a vCPU thread. + */ +QEMUBH *virtio_bh_io_new_guarded_full(DeviceState *dev, + QEMUBHFunc *cb, void *opaque, + const char *name); +#define virtio_bh_io_new_guarded(dev, cb, opaque) \ + virtio_bh_io_new_guarded_full((dev), (cb), (opaque), (stringify(cb))) + #endif --=20 2.47.3 From nobody Tue Apr 7 20:12:06 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773241941; cv=none; d=zohomail.com; s=zohoarc; b=KZQlZzORicJMDfcPSLAzHSvhmoF/tf5JdneSclSJxezUvJkbPWTJlId7CDvDe/EGplMj4Y7MBd16dqgKPBKpQh8HDWvDvAl9ELJDiinC7n7LaftkzPsgoLj3EK2yQYXHYnfiK34pqrv6r8QVxPts8AK1dZai/7oBsjaDjQxvAOw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773241941; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=nct+7OfPcXN2BM4KhCn2qnjuPJ6uO+rZJGN104Djg5I=; b=YhhjKQBglO/amvKZn5cldpEL0Wpvh2WsUhr+XkgEOVbbbgoEUpQCaYfwWf5NadnwlIph17x8nh1mdC+aPVyME3WtsT9o+XFKtAs9CxzKJyt9RPcTlgSE0OJ7zlsIjFkjJmTvP9dJ4QcR9ltwV1htsR3fn5IISoOiyP5f1ZRAao0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 
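Review bot: in virtio_gpu_device_realize() reset_bh was created with qemu_bh_new() and in virtio_gpu_virgl_init() cmdq_resume_bh was created with aio_bh_new(), neither of which took a reentrancy guard; switching both to virtio_bh_io_new_guarded() moves them to the iohandler context and also attaches the transport's mem_reentrancy_guard. The commit message only covers the context change. Please state in the message that guarding these two BHs is intended, or add an unguarded iohandler-context constructor for them so the backport changes nothing but the thread they run on.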
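Review bot: virtio_bh_io_new_guarded_full() in hw/virtio/virtio.c repeats the transport lookup that virtio_bh_new_guarded_full() already needs for its &transport->mem_reentrancy_guard argument, so the two constructors now differ only in the AioContext they pass. Consider one static helper that takes the context, with the two public functions as thin wrappers around it. The new header comment in virtio.h could also name iohandler_get_aio_context(), so a reader can tell which context the "_io" variant means without opening virtio.c.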
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Alistair Francis, "Edgar E. Iglesias", Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.0.9 37/44] hw/net/xilinx_ethlite: Check for oversized TX packets
Date: Wed, 11 Mar 2026 18:02:09 +0300
Message-ID: <20260311150221.1084186-37-mjt@tls.msk.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Peter Maydell

The xilinx_ethlite network device wasn't checking that the TX packet size set by the guest was within the size of its dual port RAM, with the effect that the guest could get it to read off the end of the RAM block. Check the length.

There is no provision in this very simple device for reporting errors, so as with various RX errors we just report via tracepoint.

This lack of length check has been present since the device was first introduced, though the code implementing the tx path has changed somewhat since then.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3317
Fixes: b43848a1005ce ("xilinx: Add ethlite emulation")
Signed-off-by: Peter Maydell
Reviewed-by: Alistair Francis
Reviewed-by: Edgar E. Iglesias
Message-ID: <20260303172718.437015-1-peter.maydell@linaro.org>
[PMD: renamed size -> tx_size to avoid shadow=compatible-local error]
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit 6595a8d5d17ea1716ddafb34455ec2b29381e232)
Signed-off-by: Michael Tokarev

diff --git a/hw/net/trace-events b/hw/net/trace-events index 72b69c4a8b..698290fe79 100644 --- a/hw/net/trace-events +++ b/hw/net/trace-events @@ -517,3 +517,4 @@ xen_netdev_rx(int dev, int idx, int status, int flags) = "vif%u idx %d status %d f # xilinx_ethlite.c ethlite_pkt_lost(uint32_t rx_ctrl) "rx_ctrl:0x%" PRIx32 ethlite_pkt_size_too_big(uint64_t size) "size:0x%" PRIx64 +ethlite_pkt_tx_size_too_big(uint64_t size) "size:0x%" PRIx64 diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c index 15d9b95aa8..b5a18f6ef7 100644 --- a/hw/net/xilinx_ethlite.c +++ b/hw/net/xilinx_ethlite.c 
@@ -162,9 +162,15 @@ static void port_tx_write(void *opaque, hwaddr addr, u= int64_t value, break; case TX_CTRL: if ((value & (CTRL_P | CTRL_S)) =3D=3D CTRL_S) { - qemu_send_packet(qemu_get_queue(s->nic), - txbuf_ptr(s, port_index), - s->port[port_index].reg.tx_len); + uint32_t tx_size =3D s->port[port_index].reg.tx_len; + + if (tx_size >=3D BUFSZ_MAX) { + trace_ethlite_pkt_tx_size_too_big(tx_size); + } else { + qemu_send_packet(qemu_get_queue(s->nic), + txbuf_ptr(s, port_index), + tx_size); + } if (s->port[port_index].reg.tx_ctrl & CTRL_I) { eth_pulse_irq(s); } --=20 2.47.3 From nobody Tue Apr 7 20:12:06 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773241752; cv=none; d=zohomail.com; s=zohoarc; b=djGbyY4D6knkIvoaUZ2zdE+z2tX9xfSjKucK3x0BvPnHre1ixEjRayJw6RBp5ZMqXMzgGA9hFkz1+7HbmRjBbc5rtV23vbwmMVw2H6jIGQJXb/oEphAXpXHFTDRxicHLEsnEnqERE3E8sSLjnDaa67oF36C3WmyxT8PPb7Qmirk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773241752; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=gvyWswSZmW7j48eWKLvU1hlxQDqyYdX36xUhw6Bs5zs=; b=PEnupD5teBD7MsSqILJMYPMJFhrnybfTSOIV+AoT6Xpx9HwWHwkpfNZXghMGrvmAN5zG9I2I95/eTt+hF5+fydwK4qjBF3kMFsiRiQNqGpLLOpZBgl91Ss0veT43gD+O9aMYB2aXLpkFf9AUIJ2XDGvc4K4Qv6UxZRCC7fJug7U= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 
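Review bot: in the TX_CTRL case of port_tx_write(), the oversized branch only emits trace_ethlite_pkt_tx_size_too_big() and then falls through to the tx_ctrl & CTRL_I check, so the guest still receives the TX interrupt for a frame that was never sent. That matches the commit message (the device has no way to report errors), but a one-line comment on the if (tx_size >= BUFSZ_MAX) branch saying the drop is deliberately completed like a normal send would keep a later reader from treating it as an oversight. The comment should also say why the bound is >= and not >, because whether a length of exactly BUFSZ_MAX fits in the buffer returned by txbuf_ptr() depends on definitions outside this hunk.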
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Bingwu Zhang, Helge Deller, Michael Tokarev
Subject: [Stable-10.0.9 38/44] linux-user: Deal with mmap where start > reserved_va
Date: Wed, 11 Mar 2026 18:02:10 +0300
Message-ID: <20260311150221.1084186-38-mjt@tls.msk.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Bingwu Zhang

Fixes: 4c13048e02d9 ("linux-user: Use page_find_range_empty for mmap_find_vma_reserved")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3310
Signed-off-by: Bingwu Zhang
Reviewed-by: Helge Deller
Signed-off-by: Helge Deller
(cherry picked from commit f2813e13fe910e01127271a87177a477b9438bc6)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/mmap.c b/linux-user/mmap.c index 568538d833..5622a01123 100644 --- a/linux-user/mmap.c +++ b/linux-user/mmap.c 
@@ -417,12 +417,15 @@ abi_ulong mmap_next_start; static abi_ulong mmap_find_vma_reserved(abi_ulong start, abi_ulong size, abi_ulong align) { - target_ulong ret; + target_ulong ret =3D -1; =20 - ret =3D page_find_range_empty(start, reserved_va, size, align); + if (start <=3D reserved_va) { + ret =3D page_find_range_empty(start, reserved_va, size, align); + } if (ret =3D=3D -1 && start > mmap_min_addr) { /* Restart at the beginning of the address space. */ - ret =3D page_find_range_empty(mmap_min_addr, start - 1, size, alig= n); + ret =3D page_find_range_empty(mmap_min_addr, MIN(start - 1, reserv= ed_va), + size, align); } =20 return ret; --=20 2.47.3 From nobody Tue Apr 7 20:12:06 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773241957; cv=none; d=zohomail.com; s=zohoarc; b=PFR2DhPrQ74Kp2EVuPmuhbTPcPBy2GkpHv16ZEt4ZiN6+LoDmZLZb8wliYUGjvRWjoKcoTOwwESHcFbbu0dhhiUPra2Mo6jwcKulySZxnur3SN7PUiahfv7woxyBsq+MoJ+6YIQlPcn86qLuszktqtQ8VMKD/UJocHSAtVF2WVc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773241957; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=9YgBpCIkbqjD/Xzt6dhn/nMvXGPb6Htdj2WuzqR05NI=; b=QiJ1O9mYVzlxxZ6Q93jUK85r2LOX6UKshEWjlLXSkCc0x7q+AxUpLNdZGB5SOJVNDydeQD6aXXblkvZP4C4rtaPrgqhR9ZhjM8oWxl4Qt5WxI34exJ2z+Sq7VOA/BS/48Nar2OznlNkIiEuIv9n4Xabeu4eGAfxIe6LHpIdY7CY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org 
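Review bot: the new if (start <= reserved_va) guard in mmap_find_vma_reserved() has no comment, and the commit message carries only Fixes/Resolves trailers, so nothing on record explains what went wrong when page_find_range_empty() was called with start above reserved_va. Add a short comment above the guard, or a sentence in the message, describing the failing case. Separately, ret stays target_ulong while the function returns abi_ulong and the sentinel is written as a bare -1; declaring ret as abi_ulong and comparing against (abi_ulong)-1 would keep the sentinel and the return type the same width.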
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Bingwu Zhang, Helge Deller, Warner Losh, Michael Tokarev
Subject: [Stable-10.0.9 39/44] bsd-user: Deal with mmap where start > reserved_va
Date: Wed, 11 Mar 2026 18:02:11 +0300
Message-ID: <20260311150221.1084186-39-mjt@tls.msk.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Bingwu Zhang

Fixes: f12294b5bd21 ("bsd-user: Use page_find_range_empty for mmap_find_vma_reserved")
Signed-off-by: Bingwu Zhang
Reviewed-by: Helge Deller
Reviewed-by: Warner Losh
Signed-off-by: Helge Deller
(cherry picked from commit e8e7d1f97785be2fd81fc520e0c7b9d228c10a56)
Signed-off-by: Michael Tokarev

diff --git a/bsd-user/mmap.c b/bsd-user/mmap.c index 3f0df79c37..00305463e6 100644 --- a/bsd-user/mmap.c +++ b/bsd-user/mmap.c 
@@ -257,12 +257,14 @@ abi_ulong mmap_next_start =3D TASK_UNMAPPED_BASE; static abi_ulong mmap_find_vma_reserved(abi_ulong start, abi_ulong size, abi_ulong alignment) { - abi_ulong ret; + abi_ulong ret =3D -1; =20 - ret =3D page_find_range_empty(start, reserved_va, size, alignment); + if (start <=3D reserved_va) { + ret =3D page_find_range_empty(start, reserved_va, size, alignment); + } if (ret =3D=3D -1 && start > TARGET_PAGE_SIZE) { /* Restart at the beginning of the address space. */ - ret =3D page_find_range_empty(TARGET_PAGE_SIZE, start - 1, + ret =3D page_find_range_empty(TARGET_PAGE_SIZE, MIN(start - 1, res= erved_va), size, alignment); } =20 --=20 2.47.3 From nobody Tue Apr 7 20:12:06 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773242942; cv=none; d=zohomail.com; s=zohoarc; b=MRMsQ4JanCRVxiLDHw8FNL6pBbEnKU11Yz70L9cth4glAtctPx4emXZis6VTgZeubpaXhxreENAPtUQfU1vCOT8I3ernKtWQovDhAY/Fy6vOZ47sTvYATzVP4jhhBKYG9WzUtENnV6wMdqgBh2ziVoVyZ/cgM6joO4aqfrq5GD0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773242942; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=DMAAGrsm3kVk7l/bXuA2rKxaEQt3VPXYmmmROQgvT5o=; b=Vxb9X/Cy8EAQuoU5JWfZPIAhPu9ZjAsOfyf1Yl4Y1+saSLV5lVRE+GZMWwnLXyVRuBAnm/v6sMn3U0OYxU2UkXgcGuVUAzsN8BT5EHyGouTlU85YFles+IdTUMNhHDa/adOg0VxDatfSqTfO8vmjTuBJL3rcwFkF3/32Yq1J48s= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from 
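Review bot: in the restart branch, the replacement call keeps MIN(start - 1, reserved_va), on the same line as page_find_range_empty(TARGET_PAGE_SIZE, which makes the line long enough that the mail encoding soft-wrapped it inside reserved_va; at the function's indentation it looks to exceed 80 columns. Break after TARGET_PAGE_SIZE, so the MIN() expression sits with size, alignment on the continuation line. The commit message also has no body, so a short comment above if (start <= reserved_va) describing the failing case would help.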
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Bingwu Zhang, Helge Deller, Michael Tokarev
Subject: [Stable-10.0.9 40/44] tests/tcg/multiarch/test-mmap: Check mmaps beyond reserved_va
Date: Wed, 11 Mar 2026 18:02:12 +0300
Message-ID: <20260311150221.1084186-40-mjt@tls.msk.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Bingwu Zhang

Unfixed mmap calls where start > reserved_va or the max guest addr should have a valid result.

Signed-off-by: Bingwu Zhang
Signed-off-by: Helge Deller
(cherry picked from commit c865b6bce5d0c882b86fb7c3512174cdaf235017)
Signed-off-by: Michael Tokarev

diff --git a/tests/tcg/multiarch/test-mmap.c b/tests/tcg/multiarch/test-mma= p.c index e297f4b1e9..fd9055a90e 100644 --- a/tests/tcg/multiarch/test-mmap.c +++ b/tests/tcg/multiarch/test-mmap.c 
@@ -491,6 +491,20 @@ void check_shrink_mmaps(void) munmap(c, 2 * pagesize); } =20 +void check_mmaps_beyond_addr_space(void) +{ + unsigned char *addr; + addr =3D mmap((void *)(-(unsigned long)pagesize * 10), pagesize * 2, + PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + fprintf(stdout, "%s addr=3D%p errno=3D%d", __func__, (void *)addr, err= no); + fail_unless(addr !=3D MAP_FAILED); + + memcpy(dummybuf, addr, 2 * pagesize); + munmap(addr, 2 * pagesize); + + fprintf(stdout, " passed\n"); +} + int main(int argc, char **argv) { char tempname[] =3D "/tmp/.cmmapXXXXXX"; 
@@ -534,6 +548,7 @@ int main(int argc, char **argv) check_file_unfixed_eof_mmaps(); check_invalid_mmaps(); check_shrink_mmaps(); + check_mmaps_beyond_addr_space(); =20 /* Fails at the moment. */ /* check_aligned_anonymous_fixed_mmaps_collide_with_host(); */ --=20 2.47.3 From nobody Tue Apr 7 20:12:06 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773241916; cv=none; d=zohomail.com; s=zohoarc; b=hR/VEsvt3dTQ5mrRT5NcWl7sPGJ37l75fTCTcDYumWce7jxXuSQQE0CkzeImOc3a5YFCNq+vE7I9VehKdp8lYFop0aji8glFpyJ0lZzTKi3IbexUXlEVJNEYMgPMoPi5PWO+8d0mXSAVrYKgey3Z9EM423PZH5miED8XtYT9k0c= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773241916; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=W2gJBJ5llIUJniSrgFXix60thjr9rJ5NBerrfSJZcEs=; b=jfzu8rWLAmK6FY3zPxlhwppHewIw9cu/xP8EK/nDOCARlCLnvXk3TF56pmG3f1X06SclZ9r41kYvRJKxNb47qkC6aEKNVHkBDJET3TGGbFsiVqlbpwqWyIjn/f80agzTixRECJYQqH6Ngp803PvQieTrRevhLYqAD0t7hBfVb+g= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1773241916446307.23175539995907; Wed, 11 Mar 2026 08:11:56 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1w0LBi-0000ul-BC; Wed, 11 Mar 2026 11:09:30 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps 
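Review bot: check_mmaps_beyond_addr_space() prints errno in the fprintf that precedes fail_unless(addr != MAP_FAILED), and does so whether or not mmap() failed, so on success the log shows a stale value left by an earlier call. Set errno to 0 before the mmap() call, or print it only on the failure path. The munmap() return value is also unchecked; wrapping it in fail_unless() would make the cleanup part of the test.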
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Andreas Schwab, Helge Deller, Michael Tokarev
Subject: [Stable-10.0.9 41/44] linux-user: fix TIOCGSID ioctl
Date: Wed, 11 Mar 2026 18:02:13 +0300
Message-ID: <20260311150221.1084186-41-mjt@tls.msk.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Andreas Schwab

TIOCGSID is IOC_R, not IOC_W.

Signed-off-by: Andreas Schwab
Reviewed-by: Helge Deller
Signed-off-by: Helge Deller
(cherry picked from commit 6a1221614fd9344a22cafea78e48d6ded95f317d)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h index 6ecfe6306e..5b7d00e92f 100644 --- a/linux-user/ioctls.h +++ b/linux-user/ioctls.h 
@@ -26,7 +26,7 @@ IOCTL(TIOCSCTTY, 0, TYPE_INT) IOCTL(TIOCGPGRP, IOC_R, MK_PTR(TYPE_INT)) IOCTL(TIOCSPGRP, IOC_W, MK_PTR(TYPE_INT)) - IOCTL(TIOCGSID, IOC_W, MK_PTR(TYPE_INT)) + IOCTL(TIOCGSID, IOC_R, MK_PTR(TYPE_INT)) IOCTL(TIOCOUTQ, IOC_R, MK_PTR(TYPE_INT)) IOCTL(TIOCSTI, IOC_W, MK_PTR(TYPE_INT)) IOCTL(TIOCMGET, IOC_R, MK_PTR(TYPE_INT)) --=20 2.47.3 From nobody Tue Apr 7 20:12:06 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773242808; cv=none; d=zohomail.com; s=zohoarc; b=hiDg9d9JhfRSFI86HSHMBNbiCoUK4ktd0GTYLk/jK4L/eFB7pfUDNSSetV7xTlssjkSCAAVlu2bHhcwIS7NmiPSQCqewJUe3JZeWWsLO+l6jUXL6GfASlmSFZLr6BgTlyGEcSEL6Uudzvf9Lo+dw3isGsbg2Mhf09LY6/AFmqck= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773242808; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=6vG3DgEsxDHX77uW9FaHcSgKUyQy9RLQPb60xwVuIxo=; b=GCK87GYeUmdIJYVy7DSShSUqdYi0oUEtg4vN5s4ug7GDhNyrwIE9hApDGmn3HDdErFzeN1orcDgl4tTto0yj/OPE5hry128aHOHb8LBHEfzvBpwxTiXSr+0z6JCkVIpfXJIoVqcNqnY0WND2tQyBhuu1ffOcW/SQSde4xuPHQ68= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1773242808900281.148288945673; Wed, 11 Mar 2026 08:26:48 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1w0LBL-0007xS-Nm; Wed, 11 Mar 2026 11:09:08 
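Review bot: nothing in this patch would catch the direction flag on the TIOCGSID line regressing, and the one-line message does not say what a guest saw with IOC_W. The neighbouring entries in the hunk show the table mixes IOC_R getters such as TIOCGPGRP and IOC_W setters such as TIOCSPGRP by hand, so the same slip is easy to repeat. A sentence on the guest-visible symptom in the commit message, and a small tests/tcg case that compares ioctl(fd, TIOCGSID, &sid) on the controlling terminal with getsid(0), would cover both.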
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.0.9 42/44] hw/net/npcm_gmac: Catch accesses off the end of the register array
Date: Wed, 11 Mar 2026 18:02:14 +0300
Message-ID: <20260311150221.1084186-42-mjt@tls.msk.ru>

From: Peter Maydell

In the npcm_gmac device, we create the iomem MemoryRegion with a size of 8KB, but NPCM_GMAC_NR_REGS is only 0x1060 / 4. This means there's a range of offsets that the guest can access that don't have gmac->regs[] entries. We weren't catching this, so the guest could get us to index off the end of the regs array. Catch and log these invalid accesses.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3316
Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daud=C3=A9 Message-ID: <20260306154016.2194091-1-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daud=C3=A9 (cherry picked from commit 550391c7134d295d73b2b0e7a1111a922b78c13c) Signed-off-by: Michael Tokarev diff --git a/hw/net/npcm_gmac.c b/hw/net/npcm_gmac.c index d4dba630ac..e9dd5e68ae 100644 --- a/hw/net/npcm_gmac.c +++ b/hw/net/npcm_gmac.c @@ -703,6 +703,13 @@ static uint64_t npcm_gmac_read(void *opaque, hwaddr of= fset, unsigned size) NPCMGMACState *gmac =3D opaque; uint32_t v =3D 0; =20 + if (offset >=3D NPCM_GMAC_REG_SIZE) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid register offset: 0x%04" HWADDR_PRIx"\n", + DEVICE(gmac)->canonical_path, offset); + return v; + } + switch (offset) { /* Write only registers */ case A_NPCM_DMA_XMT_POLL_DEMAND: @@ -727,6 +734,13 @@ static void npcm_gmac_write(void *opaque, hwaddr offse= t, =20 trace_npcm_gmac_reg_write(DEVICE(gmac)->canonical_path, offset, v); =20 + if (offset >=3D NPCM_GMAC_REG_SIZE) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid register offset: 0x%04" HWADDR_PRIx"\n", + DEVICE(gmac)->canonical_path, offset); + return; + } + switch (offset) { /* Read only registers */ case A_NPCM_GMAC_VERSION: diff --git a/include/hw/net/npcm_gmac.h b/include/hw/net/npcm_gmac.h index 6340ffe92c..0c21b25a82 100644 --- a/include/hw/net/npcm_gmac.h +++ b/include/hw/net/npcm_gmac.h 
@@ -24,7 +24,8 @@ #include "hw/sysbus.h" #include "net/net.h" =20 -#define NPCM_GMAC_NR_REGS (0x1060 / sizeof(uint32_t)) +#define NPCM_GMAC_REG_SIZE 0x1060 +#define NPCM_GMAC_NR_REGS (NPCM_GMAC_REG_SIZE / sizeof(uint32_t)) =20 #define NPCM_GMAC_MAX_PHYS 32 #define NPCM_GMAC_MAX_PHY_REGS 32 --=20 2.47.3
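Review bot: the new guard in npcm_gmac_read() and npcm_gmac_write() tests only the start of the access, offset >= NPCM_GMAC_REG_SIZE, and never looks at the access width (the size argument of the read handler). That is sufficient only if every access is 4-byte aligned and at most 4 bytes wide; if the region's access constraints do not guarantee that, compare offset + size against NPCM_GMAC_REG_SIZE, or add a comment naming the constraint that makes the start-only check safe. The identical qemu_log_mask() block in both handlers could also move into one small helper.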
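Review bot: in include/hw/net/npcm_gmac.h the new NPCM_GMAC_REG_SIZE is a bare 0x1060 with no comment, while the commit message says the iomem MemoryRegion is created with a size of 8KB. The mismatch that caused the bug is therefore still in place and only guarded at run time; please add a comment next to the define explaining that the region is deliberately larger than the register file, or say in the commit message why shrinking the region to NPCM_GMAC_REG_SIZE was not chosen.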
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, rail5, Bibo Mao, Song Gao, Michael Tokarev
Subject: [Stable-10.0.9 43/44] target/loongarch: Preserve PTE permission bits in LDPTE
Date: Wed, 11 Mar 2026 18:02:15 +0300
Message-ID: <20260311150221.1084186-43-mjt@tls.msk.ru>
From: rail5 The LDPTE helper loads a page table entry (or huge page entry) from guest memory and currently applies the PALEN mask to the whole 64-bit value. That mask is intended to constrain the physical address bits, but masking the full entry also clears upper permission bits in the PTE, including NX (bit 62). As a result, LoongArch TCG can incorrectly allow instruction fetches from NX mappings when translation is driven through software page-walk. Fix this by masking only the PPN/address field with PALEN while preserving permission bits, and by clearing any non-architectural (software) bits using a hardware PTE mask. LDDIR is unchanged since it returns the base address of the next page table level. Reported at: https://gitlab.com/qemu-project/qemu/-/issues/3319 Fixes: 56599a705f2 ("target/loongarch: Introduce loongarch_palen_mask()") Cc: qemu-stable@nongnu.org Signed-off-by: rail5 (Andrew S. Rightenburg) Reviewed-by: Bibo Mao Reviewed-by: Song Gao Signed-off-by: Song Gao (cherry picked from commit 2d877bc02a3b94998cbdd784d194c173d308a98a) (Mjt: backport to 10.0.x which lacks v10.2.0-1568-g56599a705f "target/loongarch: Introduce loongarch_palen_mask()") Signed-off-by: Michael Tokarev diff --git a/target/loongarch/cpu.c b/target/loongarch/cpu.c index 364db7fab8..84b86da308 100644 --- a/target/loongarch/cpu.c +++ b/target/loongarch/cpu.c @@ -554,6 +554,17 @@ static void loongarch_cpu_reset_hold(Object *obj, Rese= tType type) =20 #ifdef CONFIG_TCG env->fcsr0_mask =3D FCSR0_M1 | FCSR0_M2 | FCSR0_M3; + + if (is_la64(env)) { + env->hw_pte_mask =3D MAKE_64BIT_MASK(0, 9) | + R_TLBENTRY_64_PPN_MASK | + R_TLBENTRY_64_NR_MASK | + R_TLBENTRY_64_NX_MASK | + R_TLBENTRY_64_RPLV_MASK; + } else { + env->hw_pte_mask =3D MAKE_64BIT_MASK(0, 9) | + R_TLBENTRY_32_PPN_MASK; + } #endif env->fcsr0 =3D 0x0; =20 diff --git a/target/loongarch/cpu.h b/target/loongarch/cpu.h index ab76a0b451..a9bd969b85 100644 --- a/target/loongarch/cpu.h +++ b/target/loongarch/cpu.h 
@@ -378,6 +378,7 @@ typedef struct CPUArchState { uint32_t fcsr0_mask; uint64_t lladdr; /* LL virtual address compared against SC */ uint64_t llval; + uint64_t hw_pte_mask; /* Mask of architecturally-defined (hardware) PT= E bits. */ #endif #ifndef CONFIG_USER_ONLY #ifdef CONFIG_TCG diff --git a/target/loongarch/tcg/tlb_helper.c b/target/loongarch/tcg/tlb_h= elper.c index 70d1b5cf99..e71faa6ce8 100644 --- a/target/loongarch/tcg/tlb_helper.c +++ b/target/loongarch/tcg/tlb_helper.c @@ -539,6 +539,20 @@ bool loongarch_cpu_tlb_fill(CPUState *cs, vaddr addres= s, int size, cpu_loop_exit_restore(cs, retaddr); } =20 +static inline uint64_t loongarch_sanitize_hw_pte(CPULoongArchState *env, + uint64_t pte) +{ + uint64_t ppn_mask =3D is_la64(env) ? R_TLBENTRY_64_PPN_MASK : R_TLBENT= RY_32_PPN_MASK; + + /* + * Keep only architecturally-defined PTE bits. Guests may use some + * otherwise-unused bits for software purposes. + */ + pte &=3D env->hw_pte_mask; + + return (pte & ~ppn_mask) | ((pte & ppn_mask) & TARGET_PHYS_MASK); +} + target_ulong helper_lddir(CPULoongArchState *env, target_ulong base, target_ulong level, uint32_t mem_idx) { @@ -579,6 +593,7 @@ void helper_ldpte(CPULoongArchState *env, target_ulong = base, target_ulong odd, { CPUState *cs =3D env_cpu(env); target_ulong phys, tmp0, ptindex, ptoffset0, ptoffset1, ps, badv; + uint64_t pte_raw; uint64_t ptbase =3D FIELD_EX64(env->CSR_PWCL, CSR_PWCL, PTBASE); uint64_t ptwidth =3D FIELD_EX64(env->CSR_PWCL, CSR_PWCL, PTWIDTH); uint64_t dir_base, dir_width; @@ -590,7 +605,6 @@ void helper_ldpte(CPULoongArchState *env, target_ulong = base, target_ulong odd, * and the other is the huge page entry, * whose bit 6 should be 1. */ - base =3D base & TARGET_PHYS_MASK; if (FIELD_EX64(base, TLBENTRY, HUGE)) { /* * Gets the huge page level and Gets huge page size. 
@@ -614,19 +628,22 @@ void helper_ldpte(CPULoongArchState *env, target_ulon= g base, target_ulong odd, * when loaded into the tlb, * so the tlb page size needs to be divided by 2. */ - tmp0 =3D base; + tmp0 =3D loongarch_sanitize_hw_pte(env, base); if (odd) { tmp0 +=3D MAKE_64BIT_MASK(ps, 1); } } else { badv =3D env->CSR_TLBRBADV; =20 + base =3D base & TARGET_PHYS_MASK; + ptindex =3D (badv >> ptbase) & ((1 << ptwidth) - 1); ptindex =3D ptindex & ~0x1; /* clear bit 0 */ ptoffset0 =3D ptindex << 3; ptoffset1 =3D (ptindex + 1) << 3; phys =3D base | (odd ? ptoffset1 : ptoffset0); - tmp0 =3D ldq_phys(cs->as, phys) & TARGET_PHYS_MASK; + pte_raw =3D ldq_le_phys(cs->as, phys); + tmp0 =3D loongarch_sanitize_hw_pte(env, pte_raw); ps =3D ptbase; } =20 --=20 2.47.3
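Review bot: in the last helper_ldpte() hunk the PTE load changes from ldq_phys() to ldq_le_phys(), and the commit message does not mention it. The message describes only the masking change, so a reader cannot tell whether the switch to an explicit little-endian load comes from the upstream commit or was introduced by the 10.0.x backport; please say which in the "(Mjt: backport ...)" note, or split it into its own patch.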
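Review bot: in loongarch_cpu_reset_hold() both branches build hw_pte_mask from an unnamed MAKE_64BIT_MASK(0, 9), so the reader has to know which nine low PTE bits are architectural. Please give that a named constant or a comment listing the bits it covers, since this mask now decides which guest-written bits reach the TLB. Separately, the ppn_mask initialiser in loongarch_sanitize_hw_pte() and the hw_pte_mask comment in cpu.h look longer than 80 columns and should be wrapped.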
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Hanna Czenczek, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.0.9 44/44] fuse: Copy write buffer content before polling
Date: Wed, 11 Mar 2026 18:02:16 +0300
Message-ID: <20260311150221.1084186-44-mjt@tls.msk.ru>
From: Hanna Czenczek

aio_poll() in I/O functions can lead to nested read_from_fuse_export() calls, overwriting the request buffer's content. The only function affected by this is fuse_write(), which therefore must use a bounce buffer or corruption may occur.

Note that in addition we do not know whether libfuse-internal structures can cope with this nesting, and even if we did, we probably cannot rely on it in the future. This is the main reason why we want to remove libfuse from the I/O path.

I do not have a good reproducer for this other than:

    $ dd if=/dev/urandom of=image bs=1M count=4096
    $ dd if=/dev/zero of=copy bs=1M count=4096
    $ touch fuse-export
    $ qemu-storage-daemon \
        --blockdev file,node-name=file,filename=copy \
        --export \
        fuse,id=exp,node-name=file,mountpoint=fuse-export,writable=true \
        &

Other shell:

    $ qemu-img convert -p -n -f raw -O raw -t none image fuse-export
    $ killall -SIGINT qemu-storage-daemon
    $ qemu-img compare image copy
    Content mismatch at offset 0!

(The -t none in qemu-img convert is important.)

I tried reproducing this with throttle and small aio_write requests from another qemu-io instance, but for some reason all requests are perfectly serialized then.

I think in theory we should get parallel writes only if we set fi->parallel_direct_writes in fuse_open(). In fact, I can confirm that if we do that, that throttle-based reproducer works (i.e. does get parallel (nested) write requests). I have no idea why we still get parallel requests with qemu-img convert anyway.

Also, a later patch in this series will set fi->parallel_direct_writes and note that it makes basically no difference when running fio on the current libfuse-based version of our code. It does make a difference without libfuse. So something quite fishy is going on.

I will try to investigate further what the root cause is, but I think for now let's assume that calling blk_pwrite() can invalidate the buffer contents through nested polling.
Cc: qemu-stable@nongnu.org Reviewed-by: Kevin Wolf Signed-off-by: Hanna Czenczek Message-ID: <20260309150856.26800-2-hreitz@redhat.com> Reviewed-by: Kevin Wolf Signed-off-by: Kevin Wolf (cherry picked from commit a3fcbca0ef643a8aecf354bdeb08b1d81e5b33e7) Signed-off-by: Michael Tokarev diff --git a/block/export/fuse.c b/block/export/fuse.c index 465cc9891d..aec4d8736d 100644 --- a/block/export/fuse.c +++ b/block/export/fuse.c @@ -301,6 +301,12 @@ static void read_from_fuse_export(void *opaque) goto out; } =20 + /* + * Note that aio_poll() in any request-processing function can lead to= a + * nested read_from_fuse_export() call, which will overwrite the conte= nts of + * exp->fuse_buf. Anything that takes a buffer needs to take care tha= t the + * content is copied before potentially polling via aio_poll(). + */ fuse_session_process_buf(exp->fuse_session, &exp->fuse_buf); =20 out: @@ -624,6 +630,7 @@ static void fuse_write(fuse_req_t req, fuse_ino_t inode= , const char *buf, size_t size, off_t offset, struct fuse_file_info *f= i) { FuseExport *exp =3D fuse_req_userdata(req); + QEMU_AUTO_VFREE void *copied =3D NULL; int64_t length; int ret; =20 @@ -638,6 +645,14 @@ static void fuse_write(fuse_req_t req, fuse_ino_t inod= e, const char *buf, return; } =20 + /* + * Heed the note on read_from_fuse_export(): If we call aio_poll() (wh= ich + * any blk_*() I/O function may do), read_from_fuse_export() may be ne= sted, + * overwriting the request buffer content. Therefore, we must copy it= here. + */ + copied =3D blk_blockalign(exp->common.blk, size); + memcpy(copied, buf, size); + /** * Clients will expect short writes at EOF, so we have to limit * offset+size to the image length. @@ -660,7 +675,7 @@ static void fuse_write(fuse_req_t req, fuse_ino_t inode= , const char *buf, } } =20 - ret =3D blk_pwrite(exp->common.blk, offset, size, buf, 0); + ret =3D blk_pwrite(exp->common.blk, offset, size, copied, 0); if (ret >=3D 0) { fuse_reply_write(req, size); } else { --=20 2.47.3
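Review bot: in fuse_write() the bounce buffer is allocated and filled with the whole request, blk_blockalign(exp->common.blk, size) followed by memcpy(copied, buf, size), before the existing "limit offset+size to the image length" block, so bytes that are clamped away at EOF are still copied. If something between this point and blk_pwrite() can poll, the new comment should say that this is why the copy has to come first; if nothing can, moving the copy below the clamp keeps it to the bytes actually written. The commit message should also note that every write now pays an extra allocation and copy of the full request size.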