From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Jaehoon Kim, Matthew Rosato, Farhan Ali, Eric Farman, Thomas Huth, Michael Tokarev
Subject: [Stable-10.2.2 01/53] s390x/pci: Fix endianness for zPCI BAR values.
Date: Wed, 11 Mar 2026 22:33:54 +0300
Message-ID: <20260311193449.1096110-1-mjt@tls.msk.ru>
From: Jaehoon Kim

During zPCI scan, BAR configuration data retrieved via CLP Query was misinterpreted due to an endianness mismatch between QEMU and the guest kernel.

The guest kernel's clp_store_query_pci_fn() expects BAR values in little-endian format and converts them with le32_to_cpu(). However, QEMU was incorrectly sending them in big-endian format, not following the architecture specification.

This caused incorrect bit-swapping in the kernel, leading zpci_setup_bus_resources() to perform registration checks against invalid flags, making the process ineffective.

Observation values for zPCI device (NVMe passthrough):

LPAR from real CLP:
[ 0.865595] Resource: PCI Bus 0000:00 -> zdev->bar[0].val: 0x4
[ 0.865597] start: 0x4000000000000000
[ 0.865598] end: 0x4000000000003fff
[ 0.865600] flags: 0x100200

QEMU before fix (wrong):
[ 0.601083] Resource: PCI Bus 0001:00 -> zdev->bar[0].val: 0x4000000
[ 0.601085] start: 0x4003000000000000
[ 0.601086] end: 0x4003000000003fff
[ 0.601087] flags: 0x200

QEMU after fix (correct):
[ 0.601116] Resource: PCI Bus 0001:00 -> zdev->bar[0].val: 0x4
[ 0.601117] start: 0x4003000000000000
[ 0.601118] end: 0x4003000000003fff
[ 0.601119] flags: 0x100200

Signed-off-by: Jaehoon Kim
Reviewed-by: Matthew Rosato
Reviewed-by: Farhan Ali
Reviewed-by: Eric Farman
Message-ID: <20260206164645.1845366-1-jhkim@linux.ibm.com>
Signed-off-by: Thomas Huth
(cherry picked from commit 00ebc44514a67fb75a46d60e4b44614ebf91230f)
Signed-off-by: Michael Tokarev

diff --git a/hw/s390x/s390-pci-inst.c b/hw/s390x/s390-pci-inst.c index 5841dfc4fe..a8f08272fe 100644 --- a/hw/s390x/s390-pci-inst.c +++ b/hw/s390x/s390-pci-inst.c 
@@ -307,7 +307,7 @@ int clp_service_call(S390CPU *cpu, uint8_t r2, uintptr_= t ra) uint32_t data =3D pci_get_long(pbdev->pdev->config + PCI_BASE_ADDRESS_0 + (i * 4)); =20 - stl_be_p(&resquery->bar[i], data); + stl_le_p(&resquery->bar[i], data); resquery->bar_size[i] =3D pbdev->pdev->io_regions[i].size ? ctz64(pbdev->pdev->io_regions[i].size)= : 0; trace_s390_pci_bar(i, --=20 2.47.3
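Review bot: the new stl_le_p(&resquery->bar[i], data) store carries no comment saying why this field is written little-endian, so a later cleanup could switch it back to stl_be_p() without noticing the guest contract. A one-line comment above the store, pointing at the guest's le32_to_cpu() conversion in clp_store_query_pci_fn() that the commit message cites, would document it. The adjacent resquery->bar_size[i] assignment stays a plain store; it is worth confirming in the commit message that this field has no byte order to get wrong.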
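The byte-order mismatch described in the commit message above, as an added C example that is not part of the patch, QEMU or the Linux kernel. Helper names are hypothetical, the BAR value 0x4 is taken from the log in the commit message, and the flag derivation (bit 2 selects 64-bit, bit 3 prefetchable, MMIO only) is an assumption modelled on the guest's BAR handling.

```c
/* Added illustration; not QEMU or Linux source. Helper names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

/* Resource flag values as defined in Linux include/linux/ioport.h. */
#define IORESOURCE_MEM      0x00000200u
#define IORESOURCE_PREFETCH 0x00002000u
#define IORESOURCE_MEM_64   0x00100000u

/* Host side before the fix: most significant byte first, like stl_be_p(). */
static void store_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

/* Host side after the fix: least significant byte first, like stl_le_p(). */
static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Guest side: le32_to_cpu() semantics, independent of the CPU running this. */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assumption: flags derived from the low BAR bits, MMIO only. */
static uint32_t bar_flags(uint32_t bar_val)
{
    uint32_t flags = IORESOURCE_MEM;

    if (bar_val & 8) {
        flags |= IORESOURCE_PREFETCH;
    }
    if (bar_val & 4) {
        flags |= IORESOURCE_MEM_64;
    }
    return flags;
}

/* Value the guest ends up with for one config-space BAR dword. */
static uint32_t guest_bar_val(uint32_t config_bar, int fixed)
{
    uint8_t wire[4];

    if (fixed) {
        store_le32(wire, config_bar);
    } else {
        store_be32(wire, config_bar);
    }
    return load_le32(wire);
}

int main(void)
{
    const uint32_t config_bar = 0x4; /* 64-bit memory BAR, value from the log */
    int fixed;

    for (fixed = 0; fixed <= 1; fixed++) {
        uint32_t val = guest_bar_val(config_bar, fixed);

        printf("%s: bar val 0x%x flags 0x%x\n",
               fixed ? "after fix " : "before fix",
               (unsigned)val, (unsigned)bar_flags(val));
    }
    return 0;
}
```

With the big-endian store the 64-bit indicator bit lands in the top byte, so the guest sees a plain 32-bit memory BAR, which is the 0x200 versus 0x100200 difference in the log.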
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Mohamed Mediouni, Pierrick Bouvier, Michael Tokarev
Subject: [Stable-10.2.2 02/53] plugins: fix cross-build using LLVM for Windows targets
Date: Wed, 11 Mar 2026 22:33:55 +0300
Message-ID: <20260311193449.1096110-2-mjt@tls.msk.ru>

From: Mohamed Mediouni

llvm-dlltool assumes that it's by default targeting the host architecture it's running on. That assumption doesn't hold true when cross-compiling.

Signed-off-by: Mohamed Mediouni
Reviewed-by: Pierrick Bouvier
Tested-by: Pierrick Bouvier
Link: https://lore.kernel.org/qemu-devel/20260210040722.11375-1-mohamed@unpredictable.fr
Signed-off-by: Pierrick Bouvier
(cherry picked from commit b0353beebb0c4fa4059c88362561a8362ada8b4c)
Signed-off-by: Michael Tokarev
diff --git a/plugins/meson.build b/plugins/meson.build index 62c991d87f..222aed8c2e 100644 --- a/plugins/meson.build +++ b/plugins/meson.build 
@@ -41,9 +41,16 @@ if host_os =3D=3D 'windows' # to find missing symbols in current program. win32_qemu_plugin_api_link_flags =3D ['-Lplugins', '-lqemu_plugin_api'] if meson.get_compiler('c').get_id() =3D=3D 'clang' + if host_machine.cpu() =3D=3D 'x86_64' + dlltool_target =3D 'i386:x86-64' + elif host_machine.cpu() =3D=3D 'aarch64' + dlltool_target =3D 'arm64' + else + error('Unknown machine') + endif # With LLVM/lld, delaylib is specified at link time (-delayload) dlltool =3D find_program('llvm-dlltool', required: true) - dlltool_cmd =3D [dlltool, '-d', '@INPUT@', '-l', '@OUTPUT@', '-D', 'qe= mu.exe'] + dlltool_cmd =3D [dlltool, '-m', dlltool_target,'-d', '@INPUT@', '-l', = '@OUTPUT@', '-D', 'qemu.exe'] win32_qemu_plugin_api_link_flags +=3D ['-Wl,-delayload=3Dqemu.exe'] else # With gcc/ld, delay lib is built with a specific delay parameter. --=20 2.47.3
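Review bot: the else branch's error('Unknown machine') does not say which CPU was rejected or that the limit comes from llvm-dlltool, so a failed cross-build gives little to go on; include host_machine.cpu() in the message, for example error('llvm-dlltool: unsupported CPU ' + host_machine.cpu()). With this chain, any clang Windows build whose host_machine.cpu() is neither x86_64 nor aarch64 now stops at configure time, which deserves a sentence in the commit message. In the new dlltool_cmd line, dlltool_target,'-d' is missing the space after the comma that the rest of the list uses.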
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Fiona Ebner, Vladimir Sementsov-Ogievskiy, Michael Tokarev
Subject: [Stable-10.2.2 03/53] block/mirror: check range when setting zero bitmap for sync write
Date: Wed, 11 Mar 2026 22:33:56 +0300
Message-ID: <20260311193449.1096110-3-mjt@tls.msk.ru>
From: Fiona Ebner

Some Proxmox users reported an occasional assertion failure [0][1] in busy VMs when using drive mirror with active mode. In particular, the failure may occur for zero writes shorter than the job granularity:

> #0 0x00007b421154b507 in abort ()
> #1 0x00007b421154b420 in ?? ()
> #2 0x0000641c582e061f in bitmap_set (map=0x7b4204014e00, start=14, nr=-1)
> #3 0x0000641c58062824 in do_sync_target_write (job=0x641c7e73d1e0,
> method=MIRROR_METHOD_ZERO, offset=852480, bytes=4096, qiov=0x0, flags=0)
> #4 0x0000641c58062250 in bdrv_mirror_top_do_write (bs=0x641c7e62e1f0, method=MIRROR_METHOD_ZERO, copy_to_target=true, offset=852480, bytes=4096, qiov=0x0, flags=0)
> #5 0x0000641c58061f31 in bdrv_mirror_top_pwrite_zeroes (bs=0x641c7e62e1f0, offset=852480, bytes=4096, flags=0)

The range for the dirty bitmap described by dirty_bitmap_offset and dirty_bitmap_end is narrower than the original range and in fact, dirty_bitmap_end might be smaller than dirty_bitmap_offset.

There already is a check for 'dirty_bitmap_offset < dirty_bitmap_end' before resetting the dirty bitmap. Add such a check for setting the zero bitmap too, which uses the same narrower range.

[0]: https://forum.proxmox.com/threads/177981/
[1]: https://bugzilla.proxmox.com/show_bug.cgi?id=7222

Cc: qemu-stable@nongnu.org
Fixes: 7e277545b9 ("mirror: Skip writing zeroes when target is already zero")
Signed-off-by: Fiona Ebner
Message-ID: <20260112152544.261923-1-f.ebner@proxmox.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy
Signed-off-by: Vladimir Sementsov-Ogievskiy
(cherry picked from commit 4a7b1bd18d2e1a6b3796e177ae5df9b198264a0b)
Signed-off-by: Michael Tokarev

diff --git a/block/mirror.c b/block/mirror.c index b344182c74..bc982cb99a 100644 --- a/block/mirror.c +++ b/block/mirror.c 
@@ -1514,9 +1514,12 @@ do_sync_target_write(MirrorBlockJob *job, MirrorMeth= od method, assert(!qiov); ret =3D blk_co_pwrite_zeroes(job->target, offset, bytes, flags); if (job->zero_bitmap && ret >=3D 0) { - bitmap_set(job->zero_bitmap, dirty_bitmap_offset / job->granul= arity, - (dirty_bitmap_end - dirty_bitmap_offset) / - job->granularity); + if (dirty_bitmap_offset < dirty_bitmap_end) { + bitmap_set(job->zero_bitmap, + dirty_bitmap_offset / job->granularity, + (dirty_bitmap_end - dirty_bitmap_offset) / + job->granularity); + } } break; =20 --=20 2.47.3
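Review bot: the new dirty_bitmap_offset < dirty_bitmap_end guard has no comment explaining that the range can be empty or inverted for a write shorter than the job granularity, which is the case the backtrace in the commit message shows as nr=-1. A short comment above the if would record that, and the test could be folded into the enclosing condition (job->zero_bitmap && ret >= 0 && dirty_bitmap_offset < dirty_bitmap_end) to avoid the extra nesting level. Since the commit message says the same comparison already guards the dirty-bitmap reset, evaluating it once into a local and using it in both places would keep the two checks from drifting apart.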
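The inverted range from the backtrace above, worked through as an added C example that is not part of the patch or of QEMU. It assumes the narrower range is obtained by rounding the start up and the end down to the granularity, and a 64 KiB granularity, which together reproduce the start=14, nr=-1 arguments in frame #2; function names are hypothetical.

```c
/* Added illustration; not QEMU source. Names and the 64 KiB granularity are assumptions. */
#include <stdint.h>
#include <stdio.h>

#define ALIGN_DOWN(n, m) ((n) / (m) * (m))
#define ALIGN_UP(n, m)   ALIGN_DOWN((n) + (m) - 1, (m))

struct chunk_range {
    int64_t start; /* first chunk index handed to the bitmap call */
    int64_t nr;    /* chunk count handed to the bitmap call */
};

/* Pre-fix behaviour: compute the arguments without checking the range. */
static struct chunk_range unchecked_range(int64_t offset, int64_t bytes,
                                          int64_t granularity)
{
    /* Only chunks fully covered by the write may be marked, so the range
     * is rounded inward: start up, end down. */
    int64_t lo = ALIGN_UP(offset, granularity);
    int64_t hi = ALIGN_DOWN(offset + bytes, granularity);
    struct chunk_range r = { lo / granularity, (hi - lo) / granularity };

    return r;
}

/* Post-fix behaviour: number of chunks marked, 0 when the guard rejects. */
static int64_t zero_chunks_to_set(int64_t offset, int64_t bytes,
                                  int64_t granularity)
{
    int64_t lo = ALIGN_UP(offset, granularity);
    int64_t hi = ALIGN_DOWN(offset + bytes, granularity);

    return lo < hi ? (hi - lo) / granularity : 0;
}

int main(void)
{
    const int64_t gran = 65536; /* assumption */
    /* Constructed inputs: the backtrace write, an unaligned 512-byte
     * write like the iotest issues, and a fully aligned write. */
    const int64_t cases[][2] = {
        { 852480, 4096 },
        { 1048576 + 512, 512 },
        { 2 * 65536, 3 * 65536 },
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        struct chunk_range r = unchecked_range(cases[i][0], cases[i][1], gran);

        printf("offset=%lld bytes=%lld -> start=%lld nr=%lld, guarded=%lld\n",
               (long long)cases[i][0], (long long)cases[i][1],
               (long long)r.start, (long long)r.nr,
               (long long)zero_chunks_to_set(cases[i][0], cases[i][1], gran));
    }
    return 0;
}
```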
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Fiona Ebner, Vladimir Sementsov-Ogievskiy, Michael Tokarev
Subject: [Stable-10.2.2 04/53] iotests: test active mirror with unaligned, small write zeroes op
Date: Wed, 11 Mar 2026 22:33:57 +0300
Message-ID: <20260311193449.1096110-4-mjt@tls.msk.ru>

From: Fiona Ebner

This tests the scenario fixed by "block/mirror: check range when setting zero bitmap for sync write" [0].

[0] https://lore.kernel.org/qemu-devel/20260112152544.261923-1-f.ebner@proxmox.com/

Signed-off-by: Fiona Ebner
Message-ID: <20260120113859.251743-1-f.ebner@proxmox.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy
Tested-by: Vladimir Sementsov-Ogievskiy
Signed-off-by: Vladimir Sementsov-Ogievskiy
(cherry picked from commit 267d7ae99a1d3b5be9d3421db3bdf651cc18c7ab)
Signed-off-by: Michael Tokarev diff --git a/tests/qemu-iotests/151 b/tests/qemu-iotests/151 index 06ee3585db..9b9c815db5 100755 --- a/tests/qemu-iotests/151 +++ b/tests/qemu-iotests/151 @@ -191,6 +191,26 @@ class TestActiveMirror(iotests.QMPTestCase): =20 self.potential_writes_in_flight =3D False =20 + def testUnalignedSmallerThanGranularityWriteZeroes(self): + # Fill the source image + self.vm.hmp_qemu_io('source', 'write -P 1 0 %i' % self.image_len); + + # Start the block job + self.vm.cmd('blockdev-mirror', + job_id=3D'mirror', + filter_node_name=3D'mirror-node', + device=3D'source-node', + target=3D'target-node', + sync=3D'full', + copy_mode=3D'write-blocking') + + # Wait for the READY event + self.wait_ready(drive=3D'mirror') + + for offset in range(6 * self.image_len // 8, 7 * self.image_len //= 8, 1024 * 1024): + self.vm.hmp_qemu_io('source', 'aio_write -z %i 512' % (offset = + 512)) + + self.complete_and_wait(drive=3D'mirror', wait_ready=3DFalse) =20 class TestThrottledWithNbdExportBase(iotests.QMPTestCase): image_len =3D 128 * 1024 * 1024 # MB diff --git a/tests/qemu-iotests/151.out b/tests/qemu-iotests/151.out index 3f8a935a08..2f7d3902f2 100644 --- a/tests/qemu-iotests/151.out +++ b/tests/qemu-iotests/151.out 
@@ -1,5 +1,5 @@ -...... +....... ---------------------------------------------------------------------- -Ran 6 tests +Ran 7 tests =20 OK --=20 2.47.3
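Review bot: testUnalignedSmallerThanGranularityWriteZeroes in the tests/qemu-iotests/151 hunk makes no assertion of its own, so it only fails if QEMU aborts during the aio_write -z loop; a comment saying that the absence of a crash is the check, or a comparison of source and target after complete_and_wait(), would make the intent explicit. The first call, self.vm.hmp_qemu_io('source', 'write -P 1 0 %i' % self.image_len);, ends with a stray semicolon. The range() bounds and the 512-byte offset and length are bare numbers; a comment tying them to the mirror granularity would show why each write is both unaligned and shorter than one chunk.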
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, John Snow, Peter Maydell, Thomas Huth, Michael Tokarev
Subject: [Stable-10.2.2 05/53] python: drop uses of pkg_resources
Date: Wed, 11 Mar 2026 22:33:58 +0300
Message-ID: <20260311193449.1096110-5-mjt@tls.msk.ru>

From: John Snow

pkg_resources has been fully dropped from modern pip/setuptools distributions and we should phase out its use.

This patch is enough to, by itself, repair most GitLab CI tests upstream; with the exception of tox tests which are still making use of avocado - which will be dropped in a separate series to restore functionality there.

Signed-off-by: John Snow
Suggested-by: Peter Maydell
Message-ID: <20260211195804.135144-3-jsnow@redhat.com>
Signed-off-by: Thomas Huth (cherry picked from commit e44a26ba940214824b61976324058e73d9f41658) Signed-off-by: Michael Tokarev diff --git a/python/setup.py b/python/setup.py index c5bc45919a..789fa39b0f 100755 --- a/python/setup.py +++ b/python/setup.py @@ -7,7 +7,6 @@ import setuptools from setuptools.command import bdist_egg import sys -import pkg_resources =20 =20 class bdist_egg_guard(bdist_egg.bdist_egg): 
@@ -30,9 +29,6 @@ def main(): QEMU tooling installer """ =20 - # https://medium.com/@daveshawley/safely-using-setup-cfg-for-metadata-= 1babbe54c108 - pkg_resources.require('setuptools>=3D39.2') - setuptools.setup(cmdclass=3D{'bdist_egg': bdist_egg_guard}) =20 =20 --=20 2.47.3
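Review bot: in main(), removing pkg_resources.require('setuptools>=39.2') takes away the only visible enforcement of the minimum setuptools version, and the deleted comment tied that minimum to reading metadata from setup.cfg. If an older setuptools can still reach this script, the floor should be declared in the packaging metadata instead, and the commit message should say where it now lives.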
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Alex Bradbury, Manos Pitsidianakis, Pierrick Bouvier, Michael Tokarev
Subject: [Stable-10.2.2 06/53] contrib/plugins/hotblocks: Correctly free sorted counts list
Date: Wed, 11 Mar 2026 22:33:59 +0300
Message-ID: <20260311193449.1096110-6-mjt@tls.msk.ru>

From: Alex Bradbury

g_list_free should be passed the head of the list.

Signed-off-by: Alex Bradbury
Reviewed-by: Manos Pitsidianakis
Reviewed-by: Pierrick Bouvier
Link: https://lore.kernel.org/qemu-devel/cf5a00136738b981a12270b76572e8d502daf208.1753857212.git.asb@igalia.com
Signed-off-by: Pierrick Bouvier
(cherry picked from commit 90fabd5ddace6ffa5a62a5186201fd071b4e2b74)
Signed-off-by: Michael Tokarev
diff --git a/contrib/plugins/hotblocks.c b/contrib/plugins/hotblocks.c index 98404b6885..d3dd23ed9f 100644 --- a/contrib/plugins/hotblocks.c +++ b/contrib/plugins/hotblocks.c @@ -73,15 +73,16 @@ static void exec_count_free(gpointer key, gpointer valu= e, gpointer user_data) static void plugin_exit(qemu_plugin_id_t id, void *p) { g_autoptr(GString) report =3D g_string_new("collected "); - GList *counts, *it; + GList *counts, *sorted_counts, *it; int i; =20 g_string_append_printf(report, "%d entries in the hash table\n", g_hash_table_size(hotblocks)); counts =3D g_hash_table_get_values(hotblocks); - it =3D g_list_sort_with_data(counts, cmp_exec_count, NULL); + sorted_counts =3D g_list_sort_with_data(counts, cmp_exec_count, NULL); =20 - if (it) { + if (sorted_counts) { + it =3D sorted_counts; g_string_append_printf(report, "pc, tcount, icount, ecount\n"); =20 for (i =3D 0; i < limit && it->next; i++, it =3D it->next) { 
@@ -94,7 +95,7 @@ static void plugin_exit(qemu_plugin_id_t id, void *p) qemu_plugin_scoreboard_u64(rec->exec_count))); } =20 - g_list_free(it); + g_list_free(sorted_counts); } =20 qemu_plugin_outs(report->str); --=20 2.47.3
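Review bot: in plugin_exit(), counts is left holding the pre-sort head after g_list_sort_with_data(), which may no longer be the first node, so any later use or free of counts would repeat the bug this patch fixes. Assigning the sort result back (counts = g_list_sort_with_data(counts, cmp_exec_count, NULL)) and iterating with it alone would leave a single owner pointer; failing that, a short comment that sorted_counts shares its nodes with counts and is the only pointer to free would help.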
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Alex Bradbury, Pierrick Bouvier, Michael Tokarev
Subject: [Stable-10.2.2 07/53] contrib/plugins/hotblocks: Fix off by one error in iteration of sorted blocks
Date: Wed, 11 Mar 2026 22:34:00 +0300
Message-ID: <20260311193449.1096110-7-mjt@tls.msk.ru>

From: Alex Bradbury

The logic to iterate over the hottest blocks will never reach the last item in the list, as it checks `it->next != NULL` before entering the loop. It's hard to trigger this off-by-one error with the default limit=20, but it is a bug and is problematic if that default is changed to something larger.

Signed-off-by: Alex Bradbury
Reviewed-by: Pierrick Bouvier
Link: https://lore.kernel.org/qemu-devel/f1ba2e57c6126472c0c8310774009f2455efc370.1753857212.git.asb@igalia.com
Signed-off-by: Pierrick Bouvier
(cherry picked from commit 1c1e45fcd66269f8a6dbd97fd7b8267d8f6f58af)
Signed-off-by: Michael Tokarev
diff --git a/contrib/plugins/hotblocks.c b/contrib/plugins/hotblocks.c index d3dd23ed9f..cf4d6b8c36 100644 --- a/contrib/plugins/hotblocks.c +++ b/contrib/plugins/hotblocks.c
@@ -82,10 +82,9 @@ static void plugin_exit(qemu_plugin_id_t id, void *p) sorted_counts =3D g_list_sort_with_data(counts, cmp_exec_count, NULL); =20 if (sorted_counts) { - it =3D sorted_counts; g_string_append_printf(report, "pc, tcount, icount, ecount\n"); =20 - for (i =3D 0; i < limit && it->next; i++, it =3D it->next) { + for (i =3D 0, it =3D sorted_counts; i < limit && it; i++, it =3D i= t->next) { ExecCount *rec =3D (ExecCount *) it->data; g_string_append_printf( report, "0x%016"PRIx64", %d, %ld, %"PRId64"\n", --=20 2.47.3
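Review bot: in the for header, it is now initialised and NULL-checked by the loop itself, so the enclosing if (sorted_counts) only gates the "pc, tcount, icount, ecount" header line and the list free. Either say in a comment that suppressing the header for an empty table is intended, or drop the guard. Since the commit message calls this hard to hit with the default limit, a test run with fewer blocks than limit would pin the corrected behaviour.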
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Alex Bradbury, Manos Pitsidianakis, Pierrick Bouvier, Michael Tokarev
Subject: [Stable-10.2.2 08/53] contrib/plugins/hotblocks: Print uint64_t with PRIu64 rather than PRId64
Date: Wed, 11 Mar 2026 22:34:01 +0300
Message-ID: <20260311193449.1096110-8-mjt@tls.msk.ru>

From: Alex Bradbury

qemu_plugin_u64_sum returns a uint64_t, so PRIu64 is the correct format specifier.

Signed-off-by: Alex Bradbury
Reviewed-by: Manos Pitsidianakis
Reviewed-by: Pierrick Bouvier
Link: https://lore.kernel.org/qemu-devel/5d26c9d99ee87ac4a4034ff64e3d8881253eedf3.1753857212.git.asb@igalia.com
Signed-off-by: Pierrick Bouvier
(cherry picked from commit e777f6ab91406884136b5679a9d64124832668d8)
Signed-off-by: Michael Tokarev
diff --git a/contrib/plugins/hotblocks.c b/contrib/plugins/hotblocks.c index cf4d6b8c36..40d8dae1cd 100644 --- a/contrib/plugins/hotblocks.c +++ b/contrib/plugins/hotblocks.c 
@@ -87,7 +87,7 @@ static void plugin_exit(qemu_plugin_id_t id, void *p) for (i =3D 0, it =3D sorted_counts; i < limit && it; i++, it =3D i= t->next) { ExecCount *rec =3D (ExecCount *) it->data; g_string_append_printf( - report, "0x%016"PRIx64", %d, %ld, %"PRId64"\n", + report, "0x%016"PRIx64", %d, %ld, %"PRIu64"\n", rec->start_addr, rec->trans_count, rec->insns, qemu_plugin_u64_sum( --=20 2.47.3
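Review bot: the same format string still prints rec->insns with %ld and rec->trans_count with %d, and neither field's type is visible in this hunk. If insns is an unsigned or fixed-width type, it has the same signedness or width mismatch that this patch fixes for the qemu_plugin_u64_sum() result, and it should be switched to the matching specifier in the same change.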
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Alex Bradbury, Pierrick Bouvier, Michael Tokarev
Subject: [Stable-10.2.2 09/53] docs/about/emulation: Add documentation for hotblocks plugin arguments
Date: Wed, 11 Mar 2026 22:34:02 +0300
Message-ID: <20260311193449.1096110-9-mjt@tls.msk.ru>

From: Alex Bradbury

Currently just 'inline'.

Signed-off-by: Alex Bradbury
Reviewed-by: Pierrick Bouvier
Link: https://lore.kernel.org/qemu-devel/35128cc5a86a0c18418f9d3150fb8771c54ef7d8.1753857212.git.asb@igalia.com
Signed-off-by: Pierrick Bouvier
(cherry picked from commit e4ed74c9aef68cb2e7c10c2b7597fee5491a506a)
Signed-off-by: Michael Tokarev
diff --git a/docs/about/emulation.rst b/docs/about/emulation.rst index 4a7d1f4178..543efc4d7d 100644 --- a/docs/about/emulation.rst
+++ b/docs/about/emulation.rst 
@@ -463,6 +463,16 @@ Example:: 0x000000004002b0, 1, 4, 66087 ... =20 +Behaviour can be tweaked with the following arguments: + +.. list-table:: Hot Blocks plugin arguments + :widths: 20 80 + :header-rows: 1 + + * - Option + - Description + * - inline=3Dtrue|false + - Use faster inline addition of a single counter. =20 Hot Pages ......... --=20 2.47.3
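Review bot: the new table row for inline=true|false gives neither the default value nor what the plugin does when inline is off, so a reader cannot tell whether the option needs to be set. Suggest extending the description with the default and a clause on the non-inline behaviour that "faster" is being compared against.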
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Jamin Lin, Cédric Le Goater, Michael Tokarev
Subject: [Stable-10.2.2 10/53] hw/i2c/aspeed_i2c: Fix out-of-bounds read in I2C MMIO handlers
Date: Wed, 11 Mar 2026 22:34:03 +0300
Message-ID: <20260311193449.1096110-10-mjt@tls.msk.ru>

From: Jamin Lin

The ASPEED I2C controller exposes a per-bus MMIO window of 0x80 bytes on AST2600/AST1030/AST2700, but the backing regs[] array was sized for only 28 dwords (0x70 bytes). This allows guest reads in the range [0x70..0x7f] to index past the end of regs[].

Fix this by:
- Sizing ASPEED_I2C_NEW_NUM_REG to match the 0x80-byte window (0x80 >> 2 = 32 dwords).
- Avoiding an unconditional pre-read from regs[] in the legacy/new read handlers. Initialize the return value to -1 and only read regs[] for offsets that are explicitly handled/valid, leaving invalid offsets to return -1 with a guest error log.

Signed-off-by: Jamin Lin
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3290
Reviewed-by: Cédric Le Goater
Link: https://lore.kernel.org/qemu-devel/20260210024331.3984696-2-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater
(cherry picked from commit c2c5beec42bf9872b37e78b9e259132df7435cb5)
Signed-off-by: Michael Tokarev
diff --git a/hw/i2c/aspeed_i2c.c b/hw/i2c/aspeed_i2c.c index c48fa2050b..c455c3eb7c 100644 --- a/hw/i2c/aspeed_i2c.c +++ b/hw/i2c/aspeed_i2c.c @@ -94,7 +94,7 @@ static uint64_t aspeed_i2c_bus_old_read(AspeedI2CBus *bus= , hwaddr offset, unsigned size) { AspeedI2CClass *aic =3D ASPEED_I2C_GET_CLASS(bus->controller); - uint64_t value =3D bus->regs[offset / sizeof(*bus->regs)]; + uint64_t value =3D -1; =20 switch (offset) { case A_I2CD_FUN_CTRL: @@ -105,7 +105,7 @@ static uint64_t aspeed_i2c_bus_old_read(AspeedI2CBus *b= us, hwaddr offset, case A_I2CD_DEV_ADDR: case A_I2CD_POOL_CTRL: case A_I2CD_BYTE_BUF: - /* Value is already set, don't do anything. */ + value =3D bus->regs[offset / sizeof(*bus->regs)]; break; case A_I2CD_CMD: value =3D SHARED_FIELD_DP32(value, BUS_BUSY_STS, i2c_bus_busy(bus-= >bus)); 
@@ -113,21 +113,20 @@ static uint64_t aspeed_i2c_bus_old_read(AspeedI2CBus = *bus, hwaddr offset, case A_I2CD_DMA_ADDR: if (!aic->has_dma) { qemu_log_mask(LOG_GUEST_ERROR, "%s: No DMA support\n", __func= __); - value =3D -1; break; } + value =3D bus->regs[offset / sizeof(*bus->regs)]; break; case A_I2CD_DMA_LEN: if (!aic->has_dma) { qemu_log_mask(LOG_GUEST_ERROR, "%s: No DMA support\n", __func= __); - value =3D -1; + break; } + value =3D bus->regs[offset / sizeof(*bus->regs)]; break; - default: qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__, off= set); - value =3D -1; break; } =20 @@ -139,7 +138,7 @@ static uint64_t aspeed_i2c_bus_new_read(AspeedI2CBus *b= us, hwaddr offset, unsigned size) { AspeedI2CClass *aic =3D ASPEED_I2C_GET_CLASS(bus->controller); - uint64_t value =3D bus->regs[offset / sizeof(*bus->regs)]; + uint64_t value =3D -1; =20 switch (offset) { case A_I2CC_FUN_CTRL: @@ -159,13 +158,12 @@ static uint64_t aspeed_i2c_bus_new_read(AspeedI2CBus = *bus, hwaddr offset, case A_I2CS_CMD: case A_I2CS_INTR_CTRL: case A_I2CS_DMA_LEN_STS: - /* Value is already set, don't do anything. */ + case A_I2CS_INTR_STS: + value =3D bus->regs[offset / sizeof(*bus->regs)]; break; case A_I2CC_DMA_ADDR: value =3D extract64(bus->dma_dram_offset, 0, 32); break; - case A_I2CS_INTR_STS: - break; case A_I2CM_CMD: value =3D SHARED_FIELD_DP32(value, BUS_BUSY_STS, i2c_bus_busy(bus-= >bus)); break; @@ -176,13 +174,13 @@ static uint64_t aspeed_i2c_bus_new_read(AspeedI2CBus = *bus, hwaddr offset, if (!aic->has_dma64) { qemu_log_mask(LOG_GUEST_ERROR, "%s: No DMA 64 bits support\n", __func__); - value =3D -1; + break; } + value =3D bus->regs[offset / sizeof(*bus->regs)]; break; default: qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset 0x%" HWADDR_PRIx "\n", __func__, off= set); - value =3D -1; break; } =20 diff --git a/include/hw/i2c/aspeed_i2c.h b/include/hw/i2c/aspeed_i2c.h index 2daacc10ce..efe8b1a0c5 100644 --- a/include/hw/i2c/aspeed_i2c.h 
+++ b/include/hw/i2c/aspeed_i2c.h 
@@ -36,8 +36,7 @@ OBJECT_DECLARE_TYPE(AspeedI2CState, AspeedI2CClass, ASPEE= D_I2C) #define ASPEED_I2C_NR_BUSSES 16 #define ASPEED_I2C_SHARE_POOL_SIZE 0x800 #define ASPEED_I2C_BUS_POOL_SIZE 0x20 -#define ASPEED_I2C_OLD_NUM_REG 11 -#define ASPEED_I2C_NEW_NUM_REG 28 +#define ASPEED_I2C_NEW_NUM_REG (0x80 >> 2) =20 #define A_I2CD_M_STOP_CMD BIT(5) #define A_I2CD_M_RX_CMD BIT(3) --=20 2.47.3
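Review bot: in aspeed_i2c_bus_old_read() and aspeed_i2c_bus_new_read(), the A_I2CD_CMD and A_I2CM_CMD cases shown as context still call SHARED_FIELD_DP32(value, BUS_BUSY_STS, ...) with no regs[] load in front of them, so with value now starting at -1 the busy bit is deposited into all-ones rather than into the stored command register. These two cases look like they need value = bus->regs[offset / sizeof(*bus->regs)] before the deposit, as the other valid cases received.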
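Review bot: in aspeed_i2c.h, ASPEED_I2C_NEW_NUM_REG (0x80 >> 2) repeats the per-bus window size as a bare literal, so regs[] and the MMIO region can drift apart again, which is how the [0x70..0x7f] read described in the commit message arose. Suggest one named constant for the 0x80-byte window used for both, plus a build-time assertion that the array covers the window. The visible hunks only change the two read handlers, so the commit message should also say whether the write handlers were checked for the same indexing.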
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Alex Bennée, Philippe Mathieu-Daudé, Richard Henderson, Michael Tokarev
Subject: [Stable-10.2.2 11/53] target/arm: Account for SME in aarch64_sve_narrow_vq() assertion
Date: Wed, 11 Mar 2026 22:34:04 +0300
Message-ID: <20260311193449.1096110-11-mjt@tls.msk.ru>

From: Peter Maydell

In aarch64_sve_narrow_vq() we assert that the new VQ is within the maximum supported range for the CPU. We forgot to update this to account for SME, which might have a different maximum. Update the assert to permit any VQ which is valid for either SVE or SME.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell Reviewed-by: Alex Benn=C3=A9e Reviewed-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Richard Henderson Message-id: 20260202133353.2231685-2-peter.maydell@linaro.org (cherry picked from commit 42eab40a12f12f044a5ca7b7d889d9a1f0d172ee) Signed-off-by: Michael Tokarev diff --git a/target/arm/helper.c b/target/arm/helper.c index 633d314edf..5d31c551e1 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -10058,7 +10058,7 @@ void aarch64_sve_narrow_vq(CPUARMState *env, unsign= ed vq) uint64_t pmask; =20 assert(vq >=3D 1 && vq <=3D ARM_MAX_VQ); - assert(vq <=3D env_archcpu(env)->sve_max_vq); + assert(vq <=3D arm_max_vq(env_archcpu(env))); =20 /* Zap the high bits of the zregs. */ for (i =3D 0; i < 32; i++) { diff --git a/target/arm/internals.h b/target/arm/internals.h index 75677945af..d5f6d6546f 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h 
@@ -1807,6 +1807,15 @@ static inline uint64_t arm_mdcr_el2_eff(CPUARMState = *env) ((1 << (1 - 1)) | (1 << (2 - 1)) | \ (1 << (4 - 1)) | (1 << (8 - 1)) | (1 << (16 - 1))) =20 +/* + * Return the maximum SVE/SME VQ for this CPU. This defines + * the maximum possible size of the Zn vector registers. + */ +static inline int arm_max_vq(ARMCPU *cpu) +{ + return MAX(cpu->sve_max_vq, cpu->sme_max_vq); +} + /* * Return true if it is possible to take a fine-grained-trap to EL2. */ --=20 2.47.3
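Review bot: arm_max_vq() in the internals.h hunk returns `int`, while its only visible caller compares the result with `unsigned vq` in `assert(vq <= arm_max_vq(env_archcpu(env)))`, so the new assertion is a mixed signed/unsigned comparison. Returning an unsigned type that matches the sve_max_vq and sme_max_vq fields would avoid that, and the parameter could be `const ARMCPU *` since the helper only reads. In the helper.c hunk, the relaxed assertion now accepts a VQ above sve_max_vq whenever sme_max_vq is larger, whichever mode the caller is narrowing for; the preceding `vq <= ARM_MAX_VQ` assertion still bounds the register zapping that follows, and a one-line comment saying that the second check is deliberately "valid for either SVE or SME" would record the intent stated in the commit message.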
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Richard Henderson, Manos Pitsidianakis, Michael Tokarev
Subject: [Stable-10.2.2 12/53] target/arm: Fix feature check in DO_SVE2_RRX, DO_SVE2_RRX_TB
Date: Wed, 11 Mar 2026 22:34:05 +0300
Message-ID: <20260311193449.1096110-12-mjt@tls.msk.ru>

From: Peter Maydell

In the macros DO_SVE2_RRX and DO_SVE2_RRX_TB we use the feature check aa64_sve, thus exposing this set of instructions in SVE as well as SVE2. Use aa64_sve2 instead, so they UNDEF on an SVE1-only CPU as they should.

Strictly, the condition here should be "SVE2 or SME"; but we will correct that in a following commit with all the other missing "or SME" checks.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson Reviewed-by: Manos Pitsidianakis Message-id: 20260202133353.2231685-4-peter.maydell@linaro.org (cherry picked from commit ee5bf0962ed6e0eb42d6bc9bfb3687f2408e3580) Signed-off-by: Michael Tokarev diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c index 07b827fa8e..d69a2f5d75 100644 --- a/target/arm/tcg/translate-sve.c +++ b/target/arm/tcg/translate-sve.c @@ -3769,7 +3769,7 @@ TRANS_FEAT(UDOT_zzxw_2s, aa64_sme2_or_sve2p1, gen_gve= c_ool_arg_zzxz, gen_helper_gvec_udot_idx_2h, a) =20 #define DO_SVE2_RRX(NAME, FUNC) \ - TRANS_FEAT(NAME, aa64_sve, gen_gvec_ool_zzz, FUNC, \ + TRANS_FEAT(NAME, aa64_sve2, gen_gvec_ool_zzz, FUNC, \ a->rd, a->rn, a->rm, a->index) =20 DO_SVE2_RRX(MUL_zzx_h, gen_helper_gvec_mul_idx_h) 
@@ -3787,7 +3787,7 @@ DO_SVE2_RRX(SQRDMULH_zzx_d, gen_helper_sve2_sqrdmulh_= idx_d) #undef DO_SVE2_RRX =20 #define DO_SVE2_RRX_TB(NAME, FUNC, TOP) \ - TRANS_FEAT(NAME, aa64_sve, gen_gvec_ool_zzz, FUNC, \ + TRANS_FEAT(NAME, aa64_sve2, gen_gvec_ool_zzz, FUNC, \ a->rd, a->rn, a->rm, (a->index << 1) | TOP) =20 DO_SVE2_RRX_TB(SQDMULLB_zzx_s, gen_helper_sve2_sqdmull_idx_s, false) --=20 2.47.3
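Review bot: Both macro definitions, DO_SVE2_RRX and DO_SVE2_RRX_TB, now gate on aa64_sve2, yet the commit message says the strictly correct condition is "SVE2 or SME" and defers it to a following commit, so nothing in the code marks this as an interim check. For a stable backport a brief comment above each `TRANS_FEAT(NAME, aa64_sve2, ...)` line noting the pending "or SME" relaxation, or a pointer in the commit message to the follow-up patch in this series, would keep the intermediate state from being read as the intended final condition.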
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Richard Henderson, Michael Tokarev
Subject: [Stable-10.2.2 13/53] target/arm/tcg: Allow SVE RAX1 in SME2p1 streaming mode
Date: Wed, 11 Mar 2026 22:34:06 +0300
Message-ID: <20260311193449.1096110-13-mjt@tls.msk.ru>

From: Peter Maydell

The SVE RAX1 instruction is permitted in SME streaming mode starting from SME2p1. We forgot to allow this relaxation when we implemented SME2p1.

Cc: qemu-stable@nongnu.org
Fixes: 7b1613a1020d2 ("target/arm: Enable FEAT_SME2p1 on -cpu max")
Signed-off-by: Peter Maydell
Reviewed-by: Richard Henderson
Message-id: 20260202133353.2231685-5-peter.maydell@linaro.org
(cherry picked from commit 433097a2242120918090201129e5fbb8e16b3e34)
Signed-off-by: Michael Tokarev
diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c index d69a2f5d75..76e4a6c52c 100644 --- a/target/arm/tcg/translate-sve.c +++ b/target/arm/tcg/translate-sve.c 
@@ -7803,8 +7803,17 @@ TRANS_FEAT_NONSTREAMING(SM4E, aa64_sve2_sm4, gen_gve= c_ool_arg_zzz, TRANS_FEAT_NONSTREAMING(SM4EKEY, aa64_sve2_sm4, gen_gvec_ool_arg_zzz, gen_helper_crypto_sm4ekey, a, 0) =20 -TRANS_FEAT_NONSTREAMING(RAX1, aa64_sve2_sha3, gen_gvec_fn_arg_zzz, - gen_gvec_rax1, a) +static bool trans_RAX1(DisasContext *s, arg_RAX1 *a) +{ + if (!dc_isar_feature(aa64_sve2_sha3, s)) { + return false; + } + if (!dc_isar_feature(aa64_sme2p1, s)) { + /* SME2p1 adds this as valid in streaming SVE mode */ + s->is_nonstreaming =3D true; + } + return gen_gvec_fn_arg_zzz(s, gen_gvec_rax1, a); +} =20 TRANS_FEAT(FCVTNT_sh, aa64_sve2, gen_gvec_fpst_arg_zpz, gen_helper_sve2_fcvtnt_sh, a, 0, FPST_A64) --=20 2.47.3
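Review bot: In trans_RAX1(), the comment `/* SME2p1 adds this as valid in streaming SVE mode */` sits inside the `if (!dc_isar_feature(aa64_sme2p1, s))` branch, which is the path taken when SME2p1 is absent, so it reads as describing the opposite case from the statement it annotates. Moving the comment above the `if`, or rewording it to say that without SME2p1 the instruction remains non-streaming, would make the reason for `s->is_nonstreaming = true` unambiguous to the next person who touches the streaming-mode checks.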
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Richard Henderson, Manos Pitsidianakis, Michael Tokarev
Subject: [Stable-10.2.2 14/53] target/arm: Don't let 'sme=on' downgrade SME
Date: Wed, 11 Mar 2026 22:34:07 +0300
Message-ID: <20260311193449.1096110-14-mjt@tls.msk.ru>

From: Peter Maydell

In our handling of the boolean 'sme' CPU property, we write this 0/1 value directly to ID_AA64PFR1_EL1.SME. This worked when the only valid values in that field were 0 (for no SME) and 1 (for SME1). However, with the addition of SME2 the SME field can now also read 2.

This means that "-cpu max,sme=on" will result in an inconsistent set of ID registers, where ID_AA64PFR1_EL1.SME claims SME1 but ID_AA64SMFR0_EL1.SMEver claims SME2p1. This isn't a valid thing to report, and confuses Linux into reporting SME2 to userspace but not actually enabling userspace access for it.

Fix this bug by having arm_cpu_sme_finalize() fix up the ID_AA64PFR1_EL1.SME field to match ID_AA64SMFR0.SMEver. This means the "sme" property's semantics are "off" for "no SME" and "on" for "enable at whatever the default SME version this CPU provides is".

Update the documentation to clarify what 'sve=on' and 'sme=on' do. (We don't have the equivalent bug for 'sve=on' because ID_AA64PFR0_EL1.SVE only has 0 and 1 as valid values, but the semantics of the property are the same.)

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell
Reviewed-by: Richard Henderson
Reviewed-by: Manos Pitsidianakis
Message-id: 20260202133353.2231685-6-peter.maydell@linaro.org
(cherry picked from commit aeb3c147fc4a1eb9a73f9f10923fc06def088aeb)
Signed-off-by: Michael Tokarev
diff --git a/docs/system/arm/cpu-features.rst b/docs/system/arm/cpu-feature= s.rst index 37d5dfd15b..024119449c 100644 --- a/docs/system/arm/cpu-features.rst +++ b/docs/system/arm/cpu-features.rst
@@ -318,6 +318,11 @@ SVE CPU Property Parsing Semantics provided an error will be generated. To avoid this error, one must enable at least one vector length prior to enabling SVE. =20 + 10) Enabling SVE (with ``sve=3Don`` or by default) enables all the SVE + sub-features that the CPU supports (for example, it may also + enable SVE2). There are not generally any lower-level controls + for disabling specific SVE sub-features. + SVE CPU Property Examples ------------------------- =20 @@ -430,6 +435,11 @@ and all vector lengths must be powers of 2. The maxim= um vector length supported by qemu is 2048 bits. Otherwise, there are no additional constraints on the set of vector lengths supported by SME. =20 +As with SVE, ``sme=3Don`` enables all the SME sub-features the CPU +supports (for example, it may also enable SME2), and there are +no lower-level controls for fine-grained disabling of specific +SME sub-features. + SME User-mode Default Vector Length Property -------------------------------------------- =20 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c index ae84d8e420..2082672dea 100644 --- a/target/arm/cpu64.c +++ b/target/arm/cpu64.c @@ -363,6 +363,16 @@ void arm_cpu_sme_finalize(ARMCPU *cpu, Error **errp) =20 cpu->sme_vq.map =3D vq_map; cpu->sme_max_vq =3D 32 - clz32(vq_map); + + /* + * The "sme" property setter writes a bool value into ID_AA64PFR1_EL1.= SME + * (and at this point we know it's not 0). Correct that value to report + * the same SME version as ID_AA64SMFR0_EL1.SMEver. + */ + if (FIELD_EX64_IDREG(&cpu->isar, ID_AA64SMFR0, SMEVER) !=3D 0) { + /* SME2 or better */ + FIELD_DP64_IDREG(&cpu->isar, ID_AA64PFR1, SME, 2); + } } =20 static bool cpu_arm_get_sme(Object *obj, Error **errp) 
@@ -375,6 +385,11 @@ static void cpu_arm_set_sme(Object *obj, bool value, E= rror **errp) { ARMCPU *cpu =3D ARM_CPU(obj); =20 + /* + * For now, write 0 for "off" and 1 for "on" into the PFR1 field. + * We will correct this value to report the right SME + * level (SME vs SME2) in arm_cpu_sme_finalize() later. + */ FIELD_DP64_IDREG(&cpu->isar, ID_AA64PFR1, SME, value); } =20 --=20 2.47.3
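Review bot: In the arm_cpu_sme_finalize() hunk, `FIELD_DP64_IDREG(&cpu->isar, ID_AA64PFR1, SME, 2)` hard-codes 2 for every nonzero SMEver, so the fix-up silently assumes that 2 is the highest ID_AA64PFR1_EL1.SME value any CPU model will report; if a model ever starts with a larger value, `sme=on` would downgrade it again, which is the bug this patch sets out to remove. Saving the model's original field value before the setter overwrites it, or at least stating the assumption in the comment next to "SME2 or better", would make that limit explicit. The comment's "at this point we know it's not 0" also depends on an earlier return that is outside the hunk, and an assertion on the field value at this point would document that dependency in code.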
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Helge Deller, Anton Johansson, Michael Tokarev
Subject: [Stable-10.2.2 15/53] hw/hppa: Add BMC on 64-bit machines only
Date: Wed, 11 Mar 2026 22:34:08 +0300
Message-ID: <20260311193449.1096110-15-mjt@tls.msk.ru>

From: Helge Deller

Prevent adding the BMC with its serial ports on 32-bit machines, even if they have a PCI bus like the B160L. This fixes boot problems with HP-UX on B160L.

Signed-off-by: Helge Deller
Fixes: 557bc5260cfd ("hw/hppa: PCI devices depend on availability of PCI bus")
Cc: qemu-stable@nongnu.org
Reviewed-by: Anton Johansson
(cherry picked from commit 16786eb7bf8644398707e64fff12e4c9564ec131)
Signed-off-by: Michael Tokarev
diff --git a/hw/hppa/machine.c b/hw/hppa/machine.c index 8c66eed5a2..1a0b8c7648 100644
--- a/hw/hppa/machine.c +++ b/hw/hppa/machine.c 
@@ -376,7 +376,9 @@ static void machine_HP_common_init_tail(MachineState *m= achine, PCIBus *pci_bus, =20 if (pci_bus) { pci_init_nic_devices(pci_bus, mc->default_nic); + } =20 + if (pci_bus && hppa_is_pa20(&cpu[0]->env)) { /* BMC board: HP Diva GSP PCI card */ dev =3D qdev_new("diva-gsp"); if (dev && !object_property_get_bool(OBJECT(dev), "disable", NULL)= ) { --=20 2.47.3
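Review bot: The new condition `if (pci_bus && hppa_is_pa20(&cpu[0]->env))` gives no reason in the code for tying the Diva GSP BMC to PA2.0 CPUs; the explanation (32-bit machines with a PCI bus such as the B160L, and HP-UX failing to boot there) exists only in the commit message. Extending the existing `/* BMC board: HP Diva GSP PCI card */` comment to say that the card is added on 64-bit machines only, and why, would keep the check from looking arbitrary to someone later adding another PCI-capable 32-bit machine.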
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Akihiko Odaki , Dmitry Osipenko , Joelle van Dyne , "Michael S. Tsirkin" , Michael Tokarev Subject: [Stable-10.2.2 16/53] virtio-gpu-virgl: Add virtio-gpu-virgl-hostmem-region type Date: Wed, 11 Mar 2026 22:34:09 +0300 Message-ID: <20260311193449.1096110-16-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -2 X-Spam_score: -0.3 X-Spam_bar: / X-Spam_report: (-0.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.819, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.903, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1773257925409158500 Content-Type: text/plain; charset="utf-8" 

From: Akihiko Odaki

Commit e27194e087ae ("virtio-gpu-virgl: correct parent for blob memory
region") made the name member of MemoryRegion unset, causing a NULL
pointer dereference[1]:

> Thread 2 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
> (gdb) bt
> #0 0x00007ffff56565e2 in __strcmp_evex () at /lib64/libc.so.6
> #1 0x0000555555841bdb in find_fd (head=0x5555572337d0 ,
> name=0x0, id=0) at ../migration/cpr.c:68
> #2 cpr_delete_fd (name=name@entry=0x0, id=id@entry=0) at
> ../migration/cpr.c:77
> #3 0x000055555582290a in qemu_ram_free (block=0x7ff7e93aa7f0) at
> ../system/physmem.c:2615
> #4 0x000055555581ae02 in memory_region_finalize (obj=)
> at ../system/memory.c:1816
> #5 0x0000555555a70ab9 in object_deinit (obj=,
> type=) at ../qom/object.c:715
> #6 object_finalize (data=0x7ff7e936eff0) at ../qom/object.c:729
> #7 object_unref (objptr=0x7ff7e936eff0) at ../qom/object.c:1232
> #8 0x0000555555814fae in memory_region_unref (mr=) at
> ../system/memory.c:1848
> #9 flatview_destroy (view=0x555559ed6c40) at ../system/memory.c:301
> #10 0x0000555555bfc122 in call_rcu_thread (opaque=) at
> ../util/rcu.c:324
> #11 0x0000555555bf17a7 in qemu_thread_start (args=0x555557b99520) at
> ../util/qemu-thread-posix.c:393
> #12 0x00007ffff556f464 in start_thread () at /lib64/libc.so.6
> #13 0x00007ffff55f25ac in __clone3 () at /lib64/libc.so.6

The intention of the aforementioned commit is to prevent a MemoryRegion
from parenting itself while its reference is counted independently of
the device. To achieve the same goal, add a type of QOM objects that
count references and parent MemoryRegions.

[1] https://lore.kernel.org/qemu-devel/4eb93d7a-1fa9-4b3c-8ad7-a2eb64f025a0@collabora.com/

Cc: qemu-stable@nongnu.org
Fixes: e27194e087ae ("virtio-gpu-virgl: correct parent for blob memory region")
Fixes: be88ad424c0b ("virtio-gpu-virgl: correct parent for blob memory region") for 10.2.x
Signed-off-by: Akihiko Odaki Tested-by: Dmitry Osipenko Tested-by: Joelle van Dyne Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin Message-Id: <20260214-region-v1-1-229f00ae1f38@rsg.ci.i.u-tokyo.ac.jp> (cherry picked from commit b2a279094c3b86667969cc645f7fb1087e08dd19) Signed-off-by: Michael Tokarev diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c index 741728cabb..4e515c4ef6 100644 --- a/hw/display/virtio-gpu-virgl.c +++ b/hw/display/virtio-gpu-virgl.c @@ -52,11 +52,17 @@ virgl_get_egl_display(G_GNUC_UNUSED void *cookie) =20 #if VIRGL_VERSION_MAJOR >=3D 1 struct virtio_gpu_virgl_hostmem_region { + Object parent_obj; MemoryRegion mr; struct VirtIOGPU *g; bool finish_unmapping; }; =20 +#define TYPE_VIRTIO_GPU_VIRGL_HOSTMEM_REGION "virtio-gpu-virgl-hostmem-reg= ion" + +OBJECT_DECLARE_SIMPLE_TYPE(virtio_gpu_virgl_hostmem_region, + VIRTIO_GPU_VIRGL_HOSTMEM_REGION) + static struct virtio_gpu_virgl_hostmem_region * to_hostmem_region(MemoryRegion *mr) { @@ -70,14 +76,22 @@ static void virtio_gpu_virgl_resume_cmdq_bh(void *opaqu= e) virtio_gpu_process_cmdq(g); } =20 -static void virtio_gpu_virgl_hostmem_region_free(void *obj) +/* + * MR could outlive the resource if MR's reference is held outside of + * virtio-gpu. In order to prevent unmapping resource while MR is alive, + * and thus, making the data pointer invalid, we will block virtio-gpu + * command processing until MR is fully unreferenced and freed. + */ +static void virtio_gpu_virgl_hostmem_region_finalize(Object *obj) { - MemoryRegion *mr =3D MEMORY_REGION(obj); - struct virtio_gpu_virgl_hostmem_region *vmr; + struct virtio_gpu_virgl_hostmem_region *vmr =3D VIRTIO_GPU_VIRGL_HOSTM= EM_REGION(obj); VirtIOGPUBase *b; VirtIOGPUGL *gl; =20 - vmr =3D to_hostmem_region(mr); + if (!vmr->g) { + return; + } + vmr->finish_unmapping =3D true; =20 b =3D VIRTIO_GPU_BASE(vmr->g); 
@@ -92,11 +106,26 @@ static void virtio_gpu_virgl_hostmem_region_free(void = *obj) qemu_bh_schedule(gl->cmdq_resume_bh); } =20 +static const TypeInfo virtio_gpu_virgl_hostmem_region_info =3D { + .parent =3D TYPE_OBJECT, + .name =3D TYPE_VIRTIO_GPU_VIRGL_HOSTMEM_REGION, + .instance_size =3D sizeof(struct virtio_gpu_virgl_hostmem_region), + .instance_finalize =3D virtio_gpu_virgl_hostmem_region_finalize +}; + +static void virtio_gpu_virgl_types(void) +{ + type_register_static(&virtio_gpu_virgl_hostmem_region_info); +} + +type_init(virtio_gpu_virgl_types) + static int virtio_gpu_virgl_map_resource_blob(VirtIOGPU *g, struct virtio_gpu_virgl_resource *res, uint64_t offset) { + g_autofree char *name =3D NULL; struct virtio_gpu_virgl_hostmem_region *vmr; VirtIOGPUBase *b =3D VIRTIO_GPU_BASE(g); MemoryRegion *mr; @@ -117,21 +146,16 @@ virtio_gpu_virgl_map_resource_blob(VirtIOGPU *g, } =20 vmr =3D g_new0(struct virtio_gpu_virgl_hostmem_region, 1); + name =3D g_strdup_printf("blob[%" PRIu32 "]", res->base.resource_id); + object_initialize_child(OBJECT(g), name, vmr, + TYPE_VIRTIO_GPU_VIRGL_HOSTMEM_REGION); vmr->g =3D g; =20 mr =3D &vmr->mr; - memory_region_init_ram_ptr(mr, OBJECT(mr), NULL, size, data); + memory_region_init_ram_ptr(mr, OBJECT(vmr), "mr", size, data); memory_region_add_subregion(&b->hostmem, offset, mr); memory_region_set_enabled(mr, true); =20 - /* - * MR could outlive the resource if MR's reference is held outside of - * virtio-gpu. In order to prevent unmapping resource while MR is aliv= e, - * and thus, making the data pointer invalid, we will block virtio-gpu - * command processing until MR is fully unreferenced and freed. - */ - OBJECT(mr)->free =3D virtio_gpu_virgl_hostmem_region_free; - res->mr =3D mr; =20 trace_virtio_gpu_cmd_res_map_blob(res->base.resource_id, vmr, mr); 
@@ -163,7 +187,7 @@ virtio_gpu_virgl_unmap_resource_blob(VirtIOGPU *g, * 1. Begin async unmapping with memory_region_del_subregion() * and suspend/block cmd processing. * 2. Wait for res->mr to be freed and cmd processing resumed - * asynchronously by virtio_gpu_virgl_hostmem_region_free(). + * asynchronously by virtio_gpu_virgl_hostmem_region_finalize(). * 3. Finish the unmapping with final virgl_renderer_resource_unmap(). */ if (vmr->finish_unmapping) { 
@@ -186,7 +210,7 @@ virtio_gpu_virgl_unmap_resource_blob(VirtIOGPU *g, /* memory region owns self res->mr object and frees it by itself */ memory_region_set_enabled(mr, false); memory_region_del_subregion(&b->hostmem, mr); - object_unref(OBJECT(mr)); + object_unparent(OBJECT(vmr)); } =20 return 0; --=20 2.47.3
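
Review bot: In virtio_gpu_virgl_hostmem_region_finalize() the new `if (!vmr->g) { return; }` guard has no comment saying when g can still be unset at finalize time. In virtio_gpu_virgl_map_resource_blob() vmr->g is assigned only after object_initialize_child(), so the guard presumably covers an object finalized before that assignment; a one-line comment stating that, and that skipping the cmdq resume is safe in that case, would make the early return reviewable.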
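
Review bot: In the last hunk (virtio_gpu_virgl_unmap_resource_blob), the unchanged context comment `/* memory region owns self res->mr object and frees it by itself */` no longer matches the code. After this change the MemoryRegion is parented by the hostmem-region object and the call is object_unparent(OBJECT(vmr)), so the comment should say that the region object is unparented here and finalized once the last reference to its MemoryRegion is dropped.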

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Manos Pitsidianakis, "Michael S. Tsirkin", Michael Tokarev
Subject: [Stable-10.2.2 17/53] virtio-snd: remove TODO comments
Date: Wed, 11 Mar 2026 22:34:10 +0300
Message-ID: <20260311193449.1096110-17-mjt@tls.msk.ru>

From: Manos Pitsidianakis

Replying with a VIRTIO_SND_S_BAD_MSG error does not warrant a device
reset. Instead, a device reset happens when the driver requests it from
the transport.

Signed-off-by: Manos Pitsidianakis
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
Message-Id: <20260220-virtio-snd-series-v1-2-207c4f7200a2@linaro.org>
(cherry picked from commit 34238f078a04f24b91199249b83846ab082b4e05)
(Mjt: pick this one up so the next commit applies cleanly)
Signed-off-by: Michael Tokarev
diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c index 9101560f38..fd03efc120 100644 --- a/hw/audio/virtio-snd.c +++ b/hw/audio/virtio-snd.c @@ -168,9 +168,6 @@ static void virtio_snd_handle_pcm_info(VirtIOSound *s, sizeof(virtio_snd_query_info)); =20 if (msg_sz !=3D sizeof(virtio_snd_query_info)) { - /* - * TODO: do we need to set DEVICE_NEEDS_RESET? - */ qemu_log_mask(LOG_GUEST_ERROR, "%s: virtio-snd command size incorrect %zu vs \ %zu\n", __func__, msg_sz, sizeof(virtio_snd_query_info)); @@ -184,9 +181,6 @@ static void virtio_snd_handle_pcm_info(VirtIOSound *s, =20 if (iov_size(cmd->elem->in_sg, cmd->elem->in_num) < sizeof(virtio_snd_hdr) + size * count) { - /* - * TODO: do we need to set DEVICE_NEEDS_RESET? - */ error_report("pcm info: buffer too small, got: %zu, needed: %zu", iov_size(cmd->elem->in_sg, cmd->elem->in_num), sizeof(virtio_snd_pcm_info)); @@ -244,9 +238,6 @@ uint32_t virtio_snd_set_pcm_params(VirtIOSound *s, virtio_snd_pcm_set_params *st_params; =20 if (stream_id >=3D s->snd_conf.streams || s->pcm->pcm_params =3D=3D NU= LL) { - /* - * TODO: do we need to set DEVICE_NEEDS_RESET? - */ virtio_error(VIRTIO_DEVICE(s), "Streams have not been initialized.= \n"); return cpu_to_le32(VIRTIO_SND_S_BAD_MSG); } @@ -297,9 +288,6 @@ static void virtio_snd_handle_pcm_set_params(VirtIOSoun= d *s, sizeof(virtio_snd_pcm_set_params)); =20 if (msg_sz !=3D sizeof(virtio_snd_pcm_set_params)) { - /* - * TODO: do we need to set DEVICE_NEEDS_RESET? - */ qemu_log_mask(LOG_GUEST_ERROR, "%s: virtio-snd command size incorrect %zu vs \ %zu\n", __func__, msg_sz, sizeof(virtio_snd_pcm_set_params= )); @@ -609,9 +597,6 @@ static void virtio_snd_handle_pcm_release(VirtIOSound *= s, sizeof(stream_id)); =20 if (msg_sz !=3D sizeof(stream_id)) { - /* - * TODO: do we need to set DEVICE_NEEDS_RESET? - */ qemu_log_mask(LOG_GUEST_ERROR, "%s: virtio-snd command size incorrect %zu vs \ %zu\n", __func__, msg_sz, sizeof(stream_id)); 
@@ -623,9 +608,6 @@ static void virtio_snd_handle_pcm_release(VirtIOSound *= s, trace_virtio_snd_handle_pcm_release(stream_id); stream =3D virtio_snd_pcm_get_stream(s, stream_id); if (stream =3D=3D NULL) { - /* - * TODO: do we need to set DEVICE_NEEDS_RESET? - */ error_report("already released stream %"PRIu32, stream_id); virtio_error(VIRTIO_DEVICE(s), "already released stream %"PRIu32, 
@@ -668,9 +650,6 @@ process_cmd(VirtIOSound *s, virtio_snd_ctrl_command *cm= d) sizeof(virtio_snd_hdr)); =20 if (msg_sz !=3D sizeof(virtio_snd_hdr)) { - /* - * TODO: do we need to set DEVICE_NEEDS_RESET? - */ qemu_log_mask(LOG_GUEST_ERROR, "%s: virtio-snd command size incorrect %zu vs \ %zu\n", __func__, msg_sz, sizeof(virtio_snd_hdr)); --=20 2.47.3
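
Review bot: The virtio_snd_set_pcm_params() and virtio_snd_handle_pcm_release() hunks drop the TODO but keep the virtio_error(VIRTIO_DEVICE(s), ...) calls in their context lines ("Streams have not been initialized." and "already released stream"), and virtio_error() marks the device broken and, for VIRTIO 1.0 devices, sets DEVICE_NEEDS_RESET. That is at odds with the commit message's statement that a VIRTIO_SND_S_BAD_MSG reply does not warrant a reset. Either switch those two paths to qemu_log_mask(LOG_GUEST_ERROR, ...) like the size-mismatch paths, or state in the commit message why they keep virtio_error().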

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Manos Pitsidianakis, 罗铭源, "Michael S. Tsirkin", Michael Tokarev
Subject: [Stable-10.2.2 18/53] virtio-snd: handle 5.14.6.2 for PCM_INFO properly
Date: Wed, 11 Mar 2026 22:34:11 +0300
Message-ID: <20260311193449.1096110-18-mjt@tls.msk.ru>

From: Manos Pitsidianakis

The section 5.14.6.2 of the VIRTIO spec says:

5.14.6.2 Driver Requirements: Item Information Request

- The driver MUST NOT set start_id and count such that start_id + count
  is greater than the total number of particular items that is indicated
  in the device configuration space.
- The driver MUST provide a buffer of sizeof(struct virtio_snd_hdr) +
  count * size bytes for the response.

While we performed some check for the second requirement, it failed to
check for integer overflow.

Add also a check for the first requirement, which should limit exposure
to any overflow, since realistically the number of streams will be low
enough in value such that overflow is improbable.

Cc: qemu-stable@nongnu.org
Reported-by: 罗铭源
Signed-off-by: Manos Pitsidianakis
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
Message-Id: <20260220-virtio-snd-series-v1-3-207c4f7200a2@linaro.org>
(cherry picked from commit 61679d7dcfa2dffc8fb115aa19b09e0e7cf5ea5c)
Signed-off-by: Michael Tokarev
diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c index fd03efc120..e9c24d6795 100644 --- a/hw/audio/virtio-snd.c +++ b/hw/audio/virtio-snd.c @@ -156,7 +156,7 @@ static virtio_snd_pcm_set_params *virtio_snd_pcm_get_pa= rams(VirtIOSound *s, static void virtio_snd_handle_pcm_info(VirtIOSound *s, virtio_snd_ctrl_command *cmd) { - uint32_t stream_id, start_id, count, size; + uint32_t stream_id, start_id, count, size, tmp; virtio_snd_pcm_info val; virtio_snd_query_info req; VirtIOSoundPCMStream *stream =3D NULL; 
@@ -179,11 +179,34 @@ static void virtio_snd_handle_pcm_info(VirtIOSound *s, count =3D le32_to_cpu(req.count); size =3D le32_to_cpu(req.size); =20 - if (iov_size(cmd->elem->in_sg, cmd->elem->in_num) < - sizeof(virtio_snd_hdr) + size * count) { + /* + * 5.14.6.2 Driver Requirements: Item Information Request + * "The driver MUST NOT set start_id and count such that start_id + co= unt + * is greater than the total number of particular items that is indica= ted + * in the device configuration space." + */ + if (start_id > s->snd_conf.streams + || !g_uint_checked_add(&tmp, start_id, count) + || start_id + count > s->snd_conf.streams) { + error_report("pcm info: start_id + count is greater than the total= " + "number of streams, got: start_id =3D %u, count =3D %= u", + start_id, count); + cmd->resp.code =3D cpu_to_le32(VIRTIO_SND_S_BAD_MSG); + return; + } + + /* + * 5.14.6.2 Driver Requirements: Item Information Request + * "The driver MUST provide a buffer of sizeof(struct virtio_snd_hdr) + + * count * size bytes for the response." 
+ */ + if (!g_uint_checked_mul(&tmp, size, count) + || !g_uint_checked_add(&tmp, tmp, sizeof(virtio_snd_hdr)) + || iov_size(cmd->elem->in_sg, cmd->elem->in_num) < + sizeof(virtio_snd_hdr) + size * count) { error_report("pcm info: buffer too small, got: %zu, needed: %zu", iov_size(cmd->elem->in_sg, cmd->elem->in_num), - sizeof(virtio_snd_pcm_info)); + sizeof(virtio_snd_pcm_info) * count); cmd->resp.code =3D cpu_to_le32(VIRTIO_SND_S_BAD_MSG); return; } --=20 2.47.3
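
Review bot: In the second new check of virtio_snd_handle_pcm_info(), the overflow-checked value in tmp is discarded: the comparison recomputes `sizeof(virtio_snd_hdr) + size * count`, and the error message reports `sizeof(virtio_snd_pcm_info) * count` as the needed size, a third quantity that leaves out the header and ignores the guest-supplied size. Compare iov_size() against tmp and print tmp, and, if the response is written in units of virtio_snd_pcm_info, reject size != sizeof(virtio_snd_pcm_info) so the checked length and the written length cannot differ. The first check has the same pattern: it recomputes start_id + count after g_uint_checked_add() has already stored the sum in tmp.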

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Manos Pitsidianakis, DARKNAVY, "Michael S. Tsirkin", Michael Tokarev
Subject: [Stable-10.2.2 19/53] virtio-snd: fix max_size bounds check in input cb
Date: Wed, 11 Mar 2026 22:34:12 +0300
Message-ID: <20260311193449.1096110-19-mjt@tls.msk.ru>

From: Manos Pitsidianakis

In 98e77e3d we calculated the max size and checked that each buffer is
smaller than it.

We neglected to subtract the size of the virtio_snd_pcm_status header
from the max size, and max_size was thus larger than the correct value,
leading to potential OOB writes.

If the buffer cannot fit the header or can fit only the header, return
the buffer immediately.

Cc: qemu-stable@nongnu.org
Fixes: 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3 ("virtio-snd: add max size bounds check in input cb")
Reported-by: DARKNAVY
Signed-off-by: Manos Pitsidianakis
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
Message-Id: <20260220-virtio-snd-series-v1-4-207c4f7200a2@linaro.org>
(cherry picked from commit bcb53328aa70023f1405fade4e253e7f77567261)
Signed-off-by: Michael Tokarev
diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c index e9c24d6795..3437211f79 100644 --- a/hw/audio/virtio-snd.c +++ b/hw/audio/virtio-snd.c 
@@ -1255,6 +1255,12 @@ static void virtio_snd_pcm_in_cb(void *data, int ava= ilable) } =20 max_size =3D iov_size(buffer->elem->in_sg, buffer->elem->in_nu= m); + if (max_size <=3D sizeof(virtio_snd_pcm_status)) { + return_rx_buffer(stream, buffer); + continue; + } + max_size -=3D sizeof(virtio_snd_pcm_status); + for (;;) { if (buffer->size >=3D max_size) { return_rx_buffer(stream, buffer); --=20 2.47.3
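
Review bot: The new early-return block in virtio_snd_pcm_in_cb() ends in `continue`, which re-evaluates the enclosing `while (!QSIMPLEQ_EMPTY(&stream->queue))` loop (visible in the next patch's context), so it terminates only if return_rx_buffer() takes the buffer off stream->queue; since the loop runs under queue_mutex, a short comment stating that dependency would help. The path is also silent: a buffer no larger than virtio_snd_pcm_status is handed back with no diagnostic, whereas the control handlers in this file use qemu_log_mask(LOG_GUEST_ERROR, ...) for malformed guest input.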

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Manos Pitsidianakis, DARKNAVY, "Michael S. Tsirkin", Michael Tokarev
Subject: [Stable-10.2.2 20/53] virtio-snd: tighten read amount in in_cb
Date: Wed, 11 Mar 2026 22:34:13 +0300
Message-ID: <20260311193449.1096110-20-mjt@tls.msk.ru>

From: Manos Pitsidianakis

The amount of bytes to read passed to AUD_read() should never surpass
the maximum available buffer length. Tighten the current amount by
MIN(, max_size - ).

Cc: qemu-stable@nongnu.org
Fixes: 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3 ("virtio-snd: add max size bounds check in input cb")
Reported-by: DARKNAVY
Signed-off-by: Manos Pitsidianakis
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
Message-Id: <20260220-virtio-snd-series-v1-5-207c4f7200a2@linaro.org>
(cherry picked from commit 7994203bb1b83a6604f3ab00fe9598909bb66164)
Signed-off-by: Michael Tokarev
diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c index 3437211f79..fc0781ae9a 100644 --- a/hw/audio/virtio-snd.c +++ b/hw/audio/virtio-snd.c @@ -1240,7 +1240,7 @@ static void virtio_snd_pcm_in_cb(void *data, int avai= lable) { VirtIOSoundPCMStream *stream =3D data; VirtIOSoundPCMBuffer *buffer; - size_t size, max_size; + size_t size, max_size, to_read; =20 WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) { while (!QSIMPLEQ_EMPTY(&stream->queue)) { 
@@ -1266,10 +1266,12 @@ static void virtio_snd_pcm_in_cb(void *data, int av= ailable) return_rx_buffer(stream, buffer); break; } + to_read =3D stream->params.period_bytes - buffer->size; + to_read =3D MIN(to_read, available); + to_read =3D MIN(to_read, max_size - buffer->size); size =3D AUD_read(stream->voice.in, - buffer->data + buffer->size, - MIN(available, (stream->params.period_bytes - - buffer->size))); + buffer->data + buffer->size, + to_read); if (!size) { available =3D 0; break; --=20 2.47.3

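Review bot: In the second hunk, `stream->params.period_bytes - buffer->size` and `max_size - buffer->size` are both `size_t` subtractions, so if `buffer->size` ever exceeds either bound the term wraps to a huge value and that MIN() stops clamping anything. The hunk depends on a check outside the visible context to rule this out; an assert, or a short comment stating that `buffer->size` is below both `max_size` and `period_bytes` at this point, would make the invariant explicit next to the arithmetic that needs it. `available` is an `int` compared against a `size_t` in `MIN(to_read, available)`, so a negative value would convert to a large unsigned one; worth confirming the callback is never entered with one.
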
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Kuan-Wei Chiu, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.2 21/53] hw/misc/virt_ctrl: Fix incorrect trace event in read operation
Date: Wed, 11 Mar 2026 22:34:14 +0300
Message-ID: <20260311193449.1096110-21-mjt@tls.msk.ru>

From: Kuan-Wei Chiu

The virt_ctrl_read() function currently invokes trace_virt_ctrl_write() instead of trace_virt_ctrl_read(). This results in read operations appearing as write operations in the trace output, which is misleading during debugging and analysis.

Replace the incorrect trace call with the proper read-specific trace event to accurately reflect the hardware behavior.

Fixes: 0791bc02b8fb ("m68k: add a system controller")
Signed-off-by: Kuan-Wei Chiu
Reviewed-by: Philippe Mathieu-Daudé
Message-ID: <20260111184915.1363318-1-visitorckw@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit 8608ed356ef90815cc5bcf04fcdbde987fd24bca)
Signed-off-by: Michael Tokarev
diff --git a/hw/misc/virt_ctrl.c b/hw/misc/virt_ctrl.c index 9f16093ca2..7dc2fe4f94 100644 --- a/hw/misc/virt_ctrl.c +++ b/hw/misc/virt_ctrl.c 
@@ -43,7 +43,7 @@ static uint64_t virt_ctrl_read(void *opaque, hwaddr addr,= unsigned size) break; } =20 - trace_virt_ctrl_write(s, addr, size, value); + trace_virt_ctrl_read(s, addr, size, value); =20 return value; } --=20 2.47.3

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Weixie Cui, Thomas Huth, Alistair Francis, Richard Henderson, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.2 22/53] hw/ssi/xilinx_spips: Reset TX FIFO in reset
Date: Wed, 11 Mar 2026 22:34:15 +0300
Message-ID: <20260311193449.1096110-22-mjt@tls.msk.ru>

From: Weixie Cui

In xilinx_spips_reset() and xlnx_zynqmp_qspips_reset() a cut and paste error meant we reset the RX FIFO twice and the TX FIFO not at all. Correct this to reset both FIFOs.

Cc: qemu-stable@nongnu.org
Signed-off-by: Weixie Cui
Reviewed-by: Thomas Huth
Reviewed-by: Alistair Francis
Reviewed-by: Richard Henderson
Message-id: 20260223095905.67709-1-cuiweixie@gmail.com
[Rewrote commit message]
Signed-off-by: Peter Maydell
(cherry picked from commit 669683cf1414ce442d2faea160dbc69747aef007)
Signed-off-by: Michael Tokarev
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index a79f3b8e49..9c5b58a9ec 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -369,7 +369,7 @@ static void xilinx_spips_reset(DeviceState *d) memset(s->regs, 0, sizeof(s->regs)); =20 fifo8_reset(&s->rx_fifo); - fifo8_reset(&s->rx_fifo); + fifo8_reset(&s->tx_fifo); /* non zero resets */ s->regs[R_CONFIG] |=3D MODEFAIL_GEN_EN; s->regs[R_SLAVE_IDLE_COUNT] =3D 0xFF; 
@@ -397,7 +397,7 @@ static void xlnx_zynqmp_qspips_reset(DeviceState *d) memset(s->regs, 0, sizeof(s->regs)); =20 fifo8_reset(&s->rx_fifo_g); - fifo8_reset(&s->rx_fifo_g); + fifo8_reset(&s->tx_fifo_g); fifo32_reset(&s->fifo_g); s->regs[R_INTR_STATUS] =3D R_INTR_STATUS_RESET; s->regs[R_GPIO] =3D 1; --=20 2.47.3

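Review bot: In the xlnx_zynqmp_qspips_reset() hunk, as in the matching one for xilinx_spips_reset(), the duplicated `fifo8_reset(&s->rx_fifo_g);` compiled and ran without complaint, and nothing in this patch would catch the same slip if it came back. A qtest that queues bytes in the TX FIFO, resets the device and checks that the FIFO is empty would cover both reset functions. It would also pin down the property that matters here: bytes queued before a reset must not survive into the state the guest sees after it.
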
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Alex Bennée, Gustavo Romero, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.2 23/53] target/arm: set the correct TI bits for WFIT traps
Date: Wed, 11 Mar 2026 22:34:16 +0300
Message-ID: <20260311193449.1096110-23-mjt@tls.msk.ru>

From: Alex Bennée

The WFIT trap should be reported as 0b10.

Cc: qemu-stable@nongnu.org
Signed-off-by: Alex Bennée
Reviewed-by: Gustavo Romero
Message-id: 20260220171945.1065102-1-alex.bennee@linaro.org
Reviewed-by: Peter Maydell
Signed-off-by: Peter Maydell
(cherry picked from commit 662fd548a027c9362df71ebfc0c9cdd7b1f349fb)
Signed-off-by: Michael Tokarev
diff --git a/target/arm/tcg/op_helper.c b/target/arm/tcg/op_helper.c index 4fbd219555..9c0651f000 100644 
--- a/target/arm/tcg/op_helper.c +++ b/target/arm/tcg/op_helper.c 
@@ -448,7 +448,7 @@ void HELPER(wfit)(CPUARMState *env, uint64_t timeout) =20 if (target_el) { env->pc -=3D 4; - raise_exception(env, excp, syn_wfx(1, 0xe, 0, false), target_el); + raise_exception(env, excp, syn_wfx(1, 0xe, 2, false), target_el); } =20 if (uadd64_overflow(timeout, offset, &nexttick)) { --=20 2.47.3

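Review bot: The changed `syn_wfx(1, 0xe, 2, false)` call passes the TI field as a bare literal, and the only record that 2 means WFIT is the commit message ("should be reported as 0b10"). A named constant for the TI encodings, or at least a one-line comment at this call site, would let a reader check the syndrome value against the architecture without digging through the history.
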
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Richie Buturla, Christian Schoenebeck, Michael Tokarev
Subject: [Stable-10.2.2 24/53] hw/9pfs: fix data race in v9fs_mark_fids_unreclaim()
Date: Wed, 11 Mar 2026 22:34:17 +0300
Message-ID: <20260311193449.1096110-24-mjt@tls.msk.ru>

From: Richie Buturla

A data race between v9fs_mark_fids_unreclaim() and v9fs_path_copy() causes an inconsistent read of fidp->path. In v9fs_path_copy(), the path size is set before the data pointer is allocated, creating a window where size is non-zero but data is NULL.

v9fs_co_open2() holds a write lock during path modifications, but v9fs_mark_fids_unreclaim() was not acquiring a read lock, allowing it to race.

Fix by holding the path read lock during FID table iteration.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3300
Signed-off-by: Richie Buturla
Link: https://lore.kernel.org/qemu-devel/20260211154450.254338-1-richie@linux.ibm.com/
Fixes: 7a46274529 ("hw/9pfs: Add file descriptor reclaim support")
Signed-off-by: Christian Schoenebeck
(cherry picked from commit c96f6d2398a9dc068fa82088ea43020a52e2b26d)
Signed-off-by: Michael Tokarev
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index bc4a016ee3..127e02a077 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -560,6 +560,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPD= U *pdu, V9fsPath *path) sizeof(V9fsFidState *), 1); gint i; =20 + v9fs_path_read_lock(s); g_hash_table_iter_init(&iter, s->fids); =20 /* 
@@ -580,6 +581,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPD= U *pdu, V9fsPath *path) g_array_append_val(to_reopen, fidp); } } + v9fs_path_unlock(s); =20 for (i =3D 0; i < to_reopen->len; i++) { fidp =3D g_array_index(to_reopen, V9fsFidState*, i); --=20 2.47.3

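Review bot: `v9fs_path_read_lock(s)` is taken in the first hunk and released by `v9fs_path_unlock(s)` in the second, roughly twenty lines apart, with the iteration body between them outside the visible context. Any early return or goto in that span, now or added later, would leave the read lock held, so it is worth checking the loop body for exit paths and saying in a comment at the lock site that the section must fall through to the unlock. The reopen loop that follows the unlock works on the fidp entries collected under the lock; if anything in it reads fidp->path, the same race the commit message describes would still apply there.
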
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Christian Schoenebeck, Oliver Chang, Greg Kurz, Michael Tokarev
Subject: [Stable-10.2.2 25/53] hw/9pfs: fix missing EOPNOTSUPP on Twstat and Trenameat for fs synth driver
Date: Wed, 11 Mar 2026 22:34:18 +0300
Message-ID: <20260311193449.1096110-25-mjt@tls.msk.ru>

From: Christian Schoenebeck

Renaming files/dirs is only supported by path-based fs drivers. EOPNOTSUPP should be returned on any renaming attempt for not path-based fs drivers. This was already the case for 9p "Trename" request type. However for 9p request types "Trenameat" and "Twstat" this was yet missing.

So fix this by checking in Twstat and Trenameat request handlers whether the fs driver in use is really path based, if not return EOPNOTSUPP and abort further handling of the request.

This fixes a crash with the 9p "synth" fs driver which is not path-based. The crash happened because the synth driver stores and expects a raw V9fsSynthNode pointer instead of a C-string on V9fsPath.data. So the C-string delivered by 9p server to synth fs driver was incorrectly casted to a V9fsSynthNode pointer, eventually causing a segfault.

Reported-by: Oliver Chang
Fixes: https://issues.oss-fuzz.com/issues/477990727
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3298
Signed-off-by: Christian Schoenebeck
Reviewed-by: Greg Kurz
Link: https://lore.kernel.org/qemu-devel/E1vrbaP-000Gqb-B3@kylie.crudebyte.com/
(cherry picked from commit b72d15f47cbd2fc93580f33fa86a7e23595a68dd)
Signed-off-by: Michael Tokarev
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c index 127e02a077..9062a064fb 100644 --- a/hw/9pfs/9p.c +++ b/hw/9pfs/9p.c @@ -3516,6 +3516,12 @@ static void coroutine_fn v9fs_renameat(void *opaque) goto out_err; } =20 + /* if fs driver is not path based, return EOPNOTSUPP */ + if (!(s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) { + err =3D -EOPNOTSUPP; + goto out_err; + } + v9fs_path_write_lock(s); err =3D v9fs_complete_renameat(pdu, olddirfid, &old_name, newdirfid, &new_name); 
@@ -3606,6 +3612,11 @@ static void coroutine_fn v9fs_wstat(void *opaque) } } if (v9stat.name.size !=3D 0) { + /* if fs driver is not path based, return EOPNOTSUPP */ + if (!(s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)) { + err =3D -EOPNOTSUPP; + goto out; + } v9fs_path_write_lock(s); err =3D v9fs_complete_rename(pdu, fidp, -1, &v9stat.name); v9fs_path_unlock(s); --=20 2.47.3

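Review bot: The same `!(s->ctx.export_flags & V9FS_PATHNAME_FSCONTEXT)` test and comment are pasted into both v9fs_renameat() and v9fs_wstat(), and the commit message says the Trename handler already carries its own copy. Folding the test into one small helper shared by the three handlers would make it harder for the next rename-style request to miss the guard, which is exactly the omission that let a C-string reach the synth driver as a V9fsSynthNode pointer. The two hunks also bail out through different labels (`goto out_err` in v9fs_renameat(), `goto out` in v9fs_wstat()); each should be checked against the cleanup its function needs at that point, since the surrounding labels are outside the visible context.
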
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Josh Poimboeuf , Justin Forbes , Alexey Makhalov , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Paolo Bonzini , Michael Tokarev Subject: [Stable-10.2.2 26/53] hw/i386/vmmouse: Fix hypercall clobbers Date: Wed, 11 Mar 2026 22:34:19 +0300 Message-ID: <20260311193449.1096110-26-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -2 X-Spam_score: -0.3 X-Spam_bar: / X-Spam_report: (-0.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.819, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.903, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1773257993679154100 
From: Josh Poimboeuf

Fedora QA reported the following kernel panic:

  BUG: unable to handle page fault for address: 0000000040003e54
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  PGD 1082ec067 P4D 0
  Oops: Oops: 0002 [#1] SMP NOPTI
  CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.19.0-0.rc4.260108gf0b9d8eb98df.34.fc43.x86_64 #1 PREEMPT(lazy)
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20251119-3.fc43 11/19/2025
  RIP: 0010:vmware_hypercall4.constprop.0+0x52/0x90
  Code: 48 83 c4 20 5b e9 69 f0 fc fe 8b 05 a0 c1 b2 01 85 c0 74 23 b8 68 58 4d 56 b9 27 00 00 00 31 d2 bb 04 00 00 00 66 ba 58 56 ed <89> 1f 89 0e 41 89 10 5b e9 3c f0 fc fe 6a 00 49 89 f9 45 31 c0 31
  RSP: 0018:ff5eeb3240003e40 EFLAGS: 00010046
  RAX: 0000000000000000 RBX: 000000000000ffca RCX: 000000000000ffac
  RDX: 0000000000000000 RSI: 0000000040003e58 RDI: 0000000040003e54
  RBP: ff1e05f3c1204800 R08: ff5eeb3240003e5c R09: 000000009d899c41
  R10: 000000000000003d R11: ff5eeb3240003ff8 R12: 0000000000000000
  R13: 00000000000000ff R14: ff1e05f3c02f9e00 R15: 000000000000000c
  FS: 0000000000000000(0000) GS:ff1e05f489e40000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000040003e54 CR3: 000000010841d002 CR4: 0000000000771ef0
  PKRU: 55555554
  Call Trace:
   vmmouse_report_events+0x13e/0x1b0
   psmouse_handle_byte+0x15/0x60
   ps2_interrupt+0x8a/0xd0
   ...

It was triggered by dereferencing a bad pointer (RDI) immediately after
a VMware hypercall for VMWARE_CMD_ABSPOINTER_DATA in the vmmouse driver:

  ffffffff82135070 : ...
  ffffffff821350ac: b8 68 58 4d 56    mov $0x564d5868,%eax
  ffffffff821350b1: b9 27 00 00 00    mov $0x27,%ecx
  ffffffff821350b6: 31 d2             xor %edx,%edx
  ffffffff821350b8: bb 04 00 00 00    mov $0x4,%ebx
  ffffffff821350bd: 66 ba 58 56       mov $0x5658,%dx
  ffffffff821350c1: ed                in (%dx),%eax      <-- hypercall
  ffffffff821350c2: 89 1f             mov %ebx,(%rdi)    <-- crash

Reading the kernel disassembly shows that RDI should contain the value
of a valid kernel stack address here (0xff5eeb3240003e54). Instead it
contains 0x40003e54, suggesting the hypervisor cleared the upper 32
bits.

And indeed, Alexey discovered that QEMU's vmmouse_get_data() and
vmmouse_set_data() are only saving/restoring the lower 32 bits, while
clearing the upper 32. Fix that by changing the type of the saved data
array from uint32_t to uint64_t.

Fixes: 548df2acc6fc ("VMMouse Emulation, by Anthony Liguori.")
Reported-by: Justin Forbes
Debugged-by: Alexey Makhalov
Signed-off-by: Josh Poimboeuf
Link: https://lore.kernel.org/r/c508fc1d4a4ccd8c9fb1e51b71df089e31115a53.1770309998.git.jpoimboe@kernel.org
Reviewed-by: Philippe Mathieu-Daudé
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3293
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini
(cherry picked from commit 48c8916aec4319efc60324d9d971831a8a1d6350)
Signed-off-by: Michael Tokarev

diff --git a/hw/i386/vmmouse.c b/hw/i386/vmmouse.c index 3896159b05..07184a8d56 100644 --- a/hw/i386/vmmouse.c +++ b/hw/i386/vmmouse.c @@ -72,7 +72,7 @@ struct VMMouseState { ISAKBDState *i8042; }; =20 -static void vmmouse_get_data(uint32_t *data) +static void vmmouse_get_data(uint64_t *data) { X86CPU *cpu =3D X86_CPU(current_cpu); CPUX86State *env =3D &cpu->env; @@ -82,7 +82,7 @@ static void vmmouse_get_data(uint32_t *data) data[4] =3D env->regs[R_ESI]; data[5] =3D env->regs[R_EDI]; } =20 -static void vmmouse_set_data(const uint32_t *data) +static void vmmouse_set_data(const uint64_t *data) { X86CPU *cpu =3D X86_CPU(current_cpu); CPUX86State *env =3D &cpu->env; 
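Review bot: Nothing in vmmouse_get_data() or vmmouse_set_data() records why the scratch array has to be as wide as the guest registers, so a later cleanup could narrow it again. A short comment above the two helpers saying that every slot is written back to env->regs[] and must carry the full register value would protect the fix. Both helpers also still take a bare pointer while indexing up to data[5]; declaring the parameter with its length, or passing a small struct, would tie the signatures to the six-element buffer in vmmouse_ioport_read().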
@@ -197,7 +197,7 @@ static void vmmouse_disable(VMMouseState *s) vmmouse_remove_handler(s); } =20 -static void vmmouse_data(VMMouseState *s, uint32_t *data, uint32_t size) +static void vmmouse_data(VMMouseState *s, uint64_t *data, uint32_t size) { int i; =20 @@ -221,7 +221,7 @@ static void vmmouse_data(VMMouseState *s, uint32_t *dat= a, uint32_t size) static uint32_t vmmouse_ioport_read(void *opaque, uint32_t addr) { VMMouseState *s =3D opaque; - uint32_t data[6]; + uint64_t data[6]; uint16_t command; =20 vmmouse_get_data(data); 
@@ -247,7 +247,7 @@ static uint32_t vmmouse_ioport_read(void *opaque, uint3= 2_t addr) vmmouse_request_absolute(s); break; default: - printf("vmmouse: unknown command %x\n", data[1]); + printf("vmmouse: unknown command %" PRIx64 "\n", data[1]); break; } break; --=20 2.47.3
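The register round trip that the commit message above describes, as an added example that is not part of the patch or of QEMU: a device model snapshots six guest registers into a scratch array on a port read, stores a result, and writes all six back. struct guest_cpu, the REG_* indices and the helper names are hypothetical; the register values are taken from the oops and disassembly in the message, except the pre-call RSI, which is constructed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical slot order; the helpers in the patch index data[0..5]. */
enum { REG_AX, REG_BX, REG_CX, REG_DX, REG_SI, REG_DI, REG_COUNT };

/* Minimal stand-in for 64-bit guest CPU state (not QEMU's CPUX86State). */
struct guest_cpu {
    uint64_t regs[REG_COUNT];
};

/* Narrow snapshot: each register is cut to 32 bits when it is saved. */
static void snapshot32(const struct guest_cpu *cpu, uint32_t *data)
{
    for (int i = 0; i < REG_COUNT; i++) {
        data[i] = (uint32_t)cpu->regs[i];
    }
}

/* Narrow restore: the 32-bit value is zero-extended into the register. */
static void restore32(struct guest_cpu *cpu, const uint32_t *data)
{
    for (int i = 0; i < REG_COUNT; i++) {
        cpu->regs[i] = data[i];
    }
}

/* Wide snapshot and restore: the full register value survives. */
static void snapshot64(const struct guest_cpu *cpu, uint64_t *data)
{
    for (int i = 0; i < REG_COUNT; i++) {
        data[i] = cpu->regs[i];
    }
}

static void restore64(struct guest_cpu *cpu, const uint64_t *data)
{
    for (int i = 0; i < REG_COUNT; i++) {
        cpu->regs[i] = data[i];
    }
}

/* One port read handled with the 32-bit scratch array. Returns guest RDI. */
uint64_t port_read_narrow(struct guest_cpu *cpu)
{
    uint32_t data[REG_COUNT];

    snapshot32(cpu, data);
    data[REG_AX] = 0;          /* constructed command result */
    restore32(cpu, data);      /* writes back all six slots, not only AX */
    return cpu->regs[REG_DI];
}

/* The same port read with the 64-bit scratch array. Returns guest RDI. */
uint64_t port_read_wide(struct guest_cpu *cpu)
{
    uint64_t data[REG_COUNT];

    snapshot64(cpu, data);
    data[REG_AX] = 0;          /* constructed command result */
    restore64(cpu, data);
    return cpu->regs[REG_DI];
}

/* Guest state just before the 'in' instruction; RSI is a constructed value. */
struct guest_cpu sample_cpu(void)
{
    struct guest_cpu cpu = { .regs = {
        [REG_AX] = 0x564d5868, [REG_BX] = 0x4,
        [REG_CX] = 0x27,       [REG_DX] = 0x5658,
        [REG_SI] = 0xff5eeb3240003e58ULL,
        [REG_DI] = 0xff5eeb3240003e54ULL,
    } };
    return cpu;
}

int main(void)
{
    struct guest_cpu a = sample_cpu();
    struct guest_cpu b = sample_cpu();

    printf("narrow: RDI = 0x%016" PRIx64 "\n", port_read_narrow(&a));
    printf("wide:   RDI = 0x%016" PRIx64 "\n", port_read_wide(&b));
    return 0;
}
```

The guest never asked for RSI or RDI to change; the narrow variant rewrites them anyway because the restore loop covers every slot.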
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Bernhard Beschow, Mohamed Mediouni, "Wei Liu (Microsoft)", Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.2.2 27/53] target/i386/emulate/x86_decode: Fix compiler warning
Date: Wed, 11 Mar 2026 22:34:20 +0300
Message-ID: <20260311193449.1096110-27-mjt@tls.msk.ru>
From: Bernhard Beschow

When compiling for i386-softmmu under MSYS2, GCC emits the following warning:

  In function 'get_reg_val',
      inlined from 'calc_modrm_operand64' at ../src/target/i386/emulate/x86_decode.c:1796:15:
  ../src/target/i386/emulate/x86_decode.c:1703:5: error: 'memcpy' forming offset [4, 7] is out of the bounds [0, 4] of object 'val' with type 'target_ulong' {aka 'unsigned int'} [-Werror=array-bounds=]
   1703 |     memcpy(&val,
        |     ^~~~~~~~~~~~
   1704 |            get_reg_ref(env, reg, rex_present, is_extended, size),
        |            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   1705 |            size);
        |            ~~~~~
  ../src/target/i386/emulate/x86_decode.c: In function 'calc_modrm_operand64':
  ../src/target/i386/emulate/x86_decode.c:1702:18: note: 'val' declared here
   1702 |     target_ulong val = 0;
        |                  ^~~

In the calc_modrm_operand64() case the compiler sees size == 8 to be
mem-copied to a target_ulong variable which is only 4 bytes wide in case
of i386-softmmu. Note that when size != 1, get_reg_ref() always returns
a pointer to an 8 byte register, regardless of the target_ulong size.
Fix the compiler warning by always providing 8 bytes of storage by means
of uint64_t.

Fixes: 77a2dba45cc9 ("target/i386/emulate: stop overloading decode->op[N].ptr")
cc: qemu-stable
Signed-off-by: Bernhard Beschow
Reviewed-by: Mohamed Mediouni
Reviewed-by: Wei Liu (Microsoft)
Link: https://lore.kernel.org/r/20260223233950.96076-2-mohamed@unpredictable.fr
Signed-off-by: Paolo Bonzini
(cherry picked from commit c86bca1671e9e4161e2a93d73514384de510bbf3)
Signed-off-by: Michael Tokarev

diff --git a/target/i386/emulate/x86_decode.c b/target/i386/emulate/x86_dec= ode.c index d037ed1142..6ad03b71b0 100644 --- a/target/i386/emulate/x86_decode.c +++ b/target/i386/emulate/x86_decode.c 
@@ -1699,7 +1699,7 @@ void *get_reg_ref(CPUX86State *env, int reg, int rex_= present, target_ulong get_reg_val(CPUX86State *env, int reg, int rex_present, int is_extended, int size) { - target_ulong val =3D 0; + uint64_t val =3D 0; memcpy(&val, get_reg_ref(env, reg, rex_present, is_extended, size), size); --=20 2.47.3
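Review bot: In get_reg_val() the local is now uint64_t but the function still returns target_ulong, so on i386-softmmu the upper four bytes copied for size == 8 are dropped on return without any marker in the code. If callers such as calc_modrm_operand64() need the full value, the return type should widen as well; if the truncation is intended, an explicit cast with a comment would say so. The memcpy() length is also still the caller's size with nothing bounding it, so an assert(size <= sizeof(val)) ahead of the copy would make the invariant explicit.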
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Bernhard Beschow, Mohamed Mediouni, Philippe Mathieu-Daudé, "Wei Liu (Microsoft)", Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.2.2 28/53] target/i386/hvf/x86_mmu: Fix compiler warning
Date: Wed, 11 Mar 2026 22:34:21 +0300
Message-ID: <20260311193449.1096110-28-mjt@tls.msk.ru>
From: Bernhard Beschow

When reusing the code in WHPX, GCC emits the following warning when
compiling for i386-softmmu under MSYS2:

  In file included from ../src/target/i386/emulate/x86_mmu.c:20:
  ../src/target/i386/emulate/x86_mmu.c: In function 'vmx_write_mem':
  ../src/target/i386/emulate/x86_mmu.c:251:25: error: format '%llx' expects argument of type 'long long unsigned int', but argument 3 has type 'target_ulong' {aka 'unsigned int'} [-Werror=format=]
    251 |             VM_PANIC_EX("%s: mmu_gva_to_gpa %llx failed\n", __func__, gva);
        |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~            ~~~
        |                                                                       |
        |                                                                       target_ulong {aka unsigned int}
  ../src/target/i386/emulate/panic.h:34:12: note: in definition of macro 'VM_PANIC_EX'
     34 |     printf(__VA_ARGS__); \
        |            ^~~~~~~~~~~
  ../src/target/i386/emulate/x86_mmu.c:251:48: note: format string is defined here
    251 |             VM_PANIC_EX("%s: mmu_gva_to_gpa %llx failed\n", __func__, gva);
        |                                             ~~~^
        |                                                |
        |                                                long long unsigned int
        |                                                %x

Fix the warning by reusing the target-specific macro TARGET_FMT_lx which
exists for this exact purpose.

Fixes: c97d6d2cdf97 ("i386: hvf: add code base from Google's QEMU repository")
cc: qemu-stable
Signed-off-by: Bernhard Beschow
Reviewed-by: Mohamed Mediouni
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Wei Liu (Microsoft)
Link: https://lore.kernel.org/r/20260223233950.96076-3-mohamed@unpredictable.fr
Signed-off-by: Paolo Bonzini
(cherry picked from commit 529e5e7643078e19d65e694f51cad64be49090ab)
Signed-off-by: Michael Tokarev

diff --git a/target/i386/hvf/x86_mmu.c b/target/i386/hvf/x86_mmu.c index afc5c17d5d..fe44d2edf4 100644 --- a/target/i386/hvf/x86_mmu.c +++ b/target/i386/hvf/x86_mmu.c 
@@ -244,7 +244,8 @@ void vmx_write_mem(CPUState *cpu, target_ulong gva, voi= d *data, int bytes) int copy =3D MIN(bytes, 0x1000 - (gva & 0xfff)); =20 if (!mmu_gva_to_gpa(cpu, gva, &gpa)) { - VM_PANIC_EX("%s: mmu_gva_to_gpa %llx failed\n", __func__, gva); + VM_PANIC_EX("%s: mmu_gva_to_gpa " TARGET_FMT_lx " failed\n", + __func__, gva); } else { address_space_write(&address_space_memory, gpa, MEMTXATTRS_UNSPECIFIED, data, copy); 
@@ -265,7 +266,8 @@ void vmx_read_mem(CPUState *cpu, void *data, target_ulo= ng gva, int bytes) int copy =3D MIN(bytes, 0x1000 - (gva & 0xfff)); =20 if (!mmu_gva_to_gpa(cpu, gva, &gpa)) { - VM_PANIC_EX("%s: mmu_gva_to_gpa %llx failed\n", __func__, gva); + VM_PANIC_EX("%s: mmu_gva_to_gpa " TARGET_FMT_lx " failed\n", + __func__, gva); } address_space_read(&address_space_memory, gpa, MEMTXATTRS_UNSPECIF= IED, data, copy); --=20 2.47.3
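Review bot: In the vmx_read_mem() hunk the failure branch closes with a bare brace and falls through to address_space_read() with gpa, while the vmx_write_mem() hunk above it guards address_space_write() with an else. Unless VM_PANIC_EX() never returns, the read path goes on to use a gpa that mmu_gva_to_gpa() did not fill in. Mirroring the else here would make both helpers fail the same way, and since the line is being touched anyway this is a cheap place to do it.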
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Bernhard Beschow, Mohamed Mediouni, "Wei Liu (Microsoft)", Magnus Kulke, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.2.2 29/53] target/i386/emulate/x86_decode: Actually use stream in decode_instruction_stream()
Date: Wed, 11 Mar 2026 22:34:22 +0300
Message-ID: <20260311193449.1096110-29-mjt@tls.msk.ru>
From: Bernhard Beschow

Compared to decode_instruction(), decode_instruction_stream() has an
additional stream parameter which avoids some guest memory accesses
during instruction decoding. Both functions defer the actual work to
decode_opcode() which would set the stream pointer to zero such that
decode_instruction_stream() essentially behaved like
decode_instruction(). Given that all callers of
decode_instruction_stream() properly zero-initialize the decode
parameter, the memset() call can be moved into decode_instruction()
which is the only other user of decode_opcode(). This preserves the
non-zero stream pointer which avoids extra guest memory accesses.

Fixes: 1e25327b244a ("target/i386/emulate: Allow instruction decoding from stream")
cc: qemu-stable
Signed-off-by: Bernhard Beschow
Reviewed-by: Mohamed Mediouni
Reviewed-by: Wei Liu (Microsoft)
Tested-by: Magnus Kulke
Link: https://lore.kernel.org/r/20260223233950.96076-4-mohamed@unpredictable.fr
Signed-off-by: Paolo Bonzini
(cherry picked from commit 1b93832f55927b1b76a6587ca75a5a35676188de)
Signed-off-by: Michael Tokarev

diff --git a/target/i386/emulate/x86_decode.c b/target/i386/emulate/x86_dec= ode.c index 6ad03b71b0..7bbcd2a9a2 100644 --- a/target/i386/emulate/x86_decode.c +++ b/target/i386/emulate/x86_decode.c @@ -2088,8 +2088,6 @@ static void decode_opcodes(CPUX86State *env, struct x= 86_decode *decode) =20 static uint32_t decode_opcode(CPUX86State *env, struct x86_decode *decode) { - memset(decode, 0, sizeof(*decode)); - decode_prefix(env, decode); set_addressing_size(env, decode); set_operand_size(env, decode); 
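Review bot: With the memset() gone from decode_opcode(), every field of *decode that the decode helpers do not set now keeps whatever the caller left in it, and nothing at this site states or checks that precondition. The commit message relies on all decode_instruction_stream() callers zero-initializing the struct; a comment on decode_opcode() saying so would help, or decode_instruction_stream() could clear the struct itself before it stores the stream pointer, so that a caller reusing a decode buffer cannot carry stale operand state into the next instruction.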
@@ -2101,6 +2099,8 @@ static uint32_t decode_opcode(CPUX86State *env, struc= t x86_decode *decode) =20 uint32_t decode_instruction(CPUX86State *env, struct x86_decode *decode) { + memset(decode, 0, sizeof(*decode)); + return decode_opcode(env, decode); } =20 --=20 2.47.3
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Glenn Miles, Philippe Mathieu-Daudé, Harsh Prateek Bora, Michael Tokarev
Subject: [Stable-10.2.2 30/53] target/ppc/translate: Fix TCG debug assert translating CLRBWIBC
Date: Wed, 11 Mar 2026 22:34:23 +0300
Message-ID: <20260311193449.1096110-30-mjt@tls.msk.ru>
From: Peter Maydell

The test case in the ppe42 functional test triggers a TCG debug
assertion, which causes the test to fail in an --enable-debug build or
when the sanitizers are enabled:

  #6  0x00007ffff4a3b517 in __assert_fail (assertion=0x5555562e7589 "!temp_readonly(ots)", file=0x5555562e5b23 "../../tcg/tcg.c", line=4928, function=0x5555562e8900 <__PRETTY_FUNCTION__.23> "tcg_reg_alloc_mov") at ./assert/assert.c:105
  #7  0x0000555555cc2189 in tcg_reg_alloc_mov (s=0x7fff60000b70, op=0x7fff600126f8) at ../../tcg/tcg.c:4928
  #8  0x0000555555cc74e0 in tcg_gen_code (s=0x7fff60000b70, tb=0x7fffa802f540, pc_start=4294446080) at ../../tcg/tcg.c:6667
  #9  0x0000555555d02abe in setjmp_gen_code (env=0x555556cbe610, tb=0x7fffa802f540, pc=4294446080, host_pc=0x7fffeea00c00, max_insns=0x7fffee9f9d74, ti=0x7fffee9f9d90) at ../../accel/tcg/translate-all.c:257
  #10 0x0000555555d02d75 in tb_gen_code (cpu=0x555556cba590, s=...) at ../../accel/tcg/translate-all.c:325
  #11 0x0000555555cf5922 in cpu_exec_loop (cpu=0x555556cba590, sc=0x7fffee9f9ee0) at ../../accel/tcg/cpu-exec.c:970
  #12 0x0000555555cf5aae in cpu_exec_setjmp (cpu=0x555556cba590, sc=0x7fffee9f9ee0) at ../../accel/tcg/cpu-exec.c:1016
  #13 0x0000555555cf5b4b in cpu_exec (cpu=0x555556cba590) at ../../accel/tcg/cpu-exec.c:1042
  #14 0x0000555555d1e7ab in tcg_cpu_exec (cpu=0x555556cba590) at ../../accel/tcg/tcg-accel-ops.c:82
  #15 0x0000555555d1ff97 in rr_cpu_thread_fn (arg=0x555556cba590) at ../../accel/tcg/tcg-accel-ops-rr.c:285
  #16 0x00005555561586c9 in qemu_thread_start (args=0x555556ee3c90) at ../../util/qemu-thread-posix.c:393
  #17 0x00007ffff4a9caa4 in start_thread (arg=) at ./nptl/pthread_create.c:447
  #18 0x00007ffff4b29c6c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

This can be reproduced "by hand":

  ./build/clang/qemu-system-ppc -display none -vga none \
    -machine ppe42_machine -serial stdio \
    -device loader,file=$HOME/.cache/qemu/download/03c1ac0fb7f6c025102a02776a93b35101dae7c14b75e4eab36a337e39042ea8 \
    -device loader,addr=0xfff80040,cpu-num=0

(assuming you have the image file from the functional test in your
local cache).

This happens for this input:

  IN:
  0xfff80c00: 07436004 .byte 0x07, 0x43, 0x60, 0x04

which generates (among other things):

  not_i32 $0x80000,$0x80000

which the TCG optimization pass turns into:

  mov_i32 $0x80000,$0xfff7ffff dead: 1 pref=0xffff

and where we then assert because we tried to write to a constant.

This happens for the CLRBWIBC instruction which ends up in
do_mask_branch() with rb_is_gpr false and invert true. In this case we
will generate code that sets mask to a tcg_constant_tl() but then uses
it as the LHS in tcg_gen_not_tl().

Fix the assertion by doing the invert in the translate time C code for
the "mask is constant" case.

Cc: qemu-stable@nongnu.org
Fixes: f7ec91c23906 ("target/ppc: Add IBM PPE42 special instructions")
Signed-off-by: Peter Maydell
Reviewed-by: Glenn Miles
Reviewed-by: Philippe Mathieu-Daudé
Link: https://lore.kernel.org/qemu-devel/20260212150753.1749448-1-peter.maydell@linaro.org
Signed-off-by: Harsh Prateek Bora
(cherry picked from commit 78c6b6010ce7cfa54874dda514e694640b76f1e4)
Signed-off-by: Michael Tokarev

diff --git a/target/ppc/translate/ppe-impl.c.inc b/target/ppc/translate/ppe= -impl.c.inc index 0a0590344e..1c27facb89 100644 --- a/target/ppc/translate/ppe-impl.c.inc +++ b/target/ppc/translate/ppe-impl.c.inc 
@@ -424,11 +424,15 @@ static bool do_mask_branch(DisasContext *ctx, arg_FCB= * a, bool invert, shift =3D tcg_temp_new(); tcg_gen_andi_tl(shift, cpu_gpr[a->rb], 0x1f); tcg_gen_shr_tl(mask, tcg_constant_tl(0x80000000), shift); + if (invert) { + tcg_gen_not_tl(mask, mask); + } } else { - mask =3D tcg_constant_tl(PPC_BIT32(a->rb)); - } - if (invert) { - tcg_gen_not_tl(mask, mask); + target_ulong mask_const =3D PPC_BIT32(a->rb); + if (invert) { + mask_const =3D ~mask_const; + } + mask =3D tcg_constant_tl(mask_const); } =20 /* apply mask to ra */ --=20 2.47.3
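
Review bot: the new else branch of do_mask_branch() (hunk @@ -424,11 +424,15) inverts at translate time with "mask_const = ~mask_const;" but has no comment saying why, so a later cleanup could hoist the "if (invert)" back out of both branches and bring back the "!temp_readonly(ots)" assertion described in the commit message. A short comment in that branch, stating that a value from tcg_constant_tl() is read-only and must not be the destination of tcg_gen_not_tl(), would keep the constraint next to the code that depends on it.
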
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel P. Berrangé, Marc-André Lureau, Michael Tokarev
Subject: [Stable-10.2.2 31/53] io: separate freeing of tasks from marking them as complete
Date: Wed, 11 Mar 2026 22:34:24 +0300
Message-ID: <20260311193449.1096110-31-mjt@tls.msk.ru>

From: Daniel P. Berrangé

The original design of QIOTask was intended to simplify lifecycle management by automatically freeing it when the task was marked as complete. This overlooked the fact that when a QIOTask is used in combination with a GSource, there may be times when the source callback is never invoked. This is typically when a GSource is released before any I/O event arrives. In such cases it is not desirable to mark a QIOTask as complete, but it still needs to be freed. To satisfy this, the task must be released manually.

Reviewed-by: Marc-André Lureau
Signed-off-by: Daniel P. Berrangé
(cherry picked from commit 163cd0ae1182e67509b271f244a73dfd938337b9)
Signed-off-by: Michael Tokarev

diff --git a/include/io/task.h b/include/io/task.h index 0b5342ee84..98847f5994 100644 --- a/include/io/task.h +++ b/include/io/task.h @@ -96,7 +96,7 @@ typedef void (*QIOTaskWorker)(QIOTask *task, * 1000, * myobject_operation_timer, * task, - * NULL); + * qio_task_free); * } * * @@ -138,9 +138,8 @@ typedef void (*QIOTaskWorker)(QIOTask *task, * the callback func 'myobject_operation_notify' shown * earlier to deal with the results. * - * Once this function returns false, object_unref will be called - * automatically on the task causing it to be released and the - * ref on QMyObject dropped too. + * Once this function returns FALSE, the task will be freed, + * causing it release the ref on QMyObject too. * * The QIOTask module can also be used to perform operations * in a background thread context, while still reporting the @@ -208,8 +207,8 @@ typedef void (*QIOTaskWorker)(QIOTask *task, * 'err' attribute in the task object to determine if * the operation was successful or not. * - * The returned task will be released when qio_task_complete() - * is invoked. + * The returned task must be released by calling + * qio_task_free() when no longer required. * * Returns: the task struct */
@@ -218,6 +217,19 @@ QIOTask *qio_task_new(Object *source, gpointer opaque, GDestroyNotify destroy); =20 +/** + * qio_task_free: + * task: the task object to free + * + * Free the resources associated with the task. Typically + * the qio_task_complete() method will be called immediately + * before this to trigger the task callback, however, it is + * permissible to free the task in the case of cancellation. + * The destroy callback will be used to release the opaque + * data provided to qio_task_new(). + */ +void qio_task_free(QIOTask *task); + /** * qio_task_run_in_thread: * @task: the task struct @@ -268,8 +280,9 @@ void qio_task_wait_thread(QIOTask *task); * qio_task_complete: * @task: the task struct * - * Invoke the completion callback for @task and - * then free its memory. + * Invoke the completion callback for @task. This should typically + * only be invoked once on a task, and then qio_task_free() used + * to free it. */ void qio_task_complete(QIOTask *task); =20 diff --git a/io/channel-tls.c b/io/channel-tls.c index b0cec27cb9..07274c12df 100644 --- a/io/channel-tls.c +++ b/io/channel-tls.c @@ -170,6 +170,7 @@ static void qio_channel_tls_handshake_task(QIOChannelTL= S *ioc, trace_qio_channel_tls_handshake_fail(ioc); qio_task_set_error(task, err); qio_task_complete(task); + qio_task_free(task); return; } =20 @@ -183,6 +184,7 @@ static void qio_channel_tls_handshake_task(QIOChannelTL= S *ioc, trace_qio_channel_tls_credentials_allow(ioc); } qio_task_complete(task); + qio_task_free(task); } else { GIOCondition condition; QIOChannelTLSData *data =3D g_new0(typeof(*data), 1); @@ -270,11 +272,13 @@ static void qio_channel_tls_bye_task(QIOChannelTLS *i= oc, QIOTask *task, trace_qio_channel_tls_bye_fail(ioc); qio_task_set_error(task, err); qio_task_complete(task); + qio_task_free(task); return; } =20 if (status =3D=3D QCRYPTO_TLS_BYE_COMPLETE) { qio_task_complete(task); + qio_task_free(task); return; } =20 
diff --git a/io/channel-websock.c b/io/channel-websock.c index cb4dafdebb..b4f96a0af4 100644 --- a/io/channel-websock.c +++ b/io/channel-websock.c @@ -545,6 +545,7 @@ static gboolean qio_channel_websock_handshake_send(QIOC= hannel *ioc, trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err= )); qio_task_set_error(task, err); qio_task_complete(task); + qio_task_free(task); wioc->hs_io_tag =3D 0; return FALSE; } @@ -561,6 +562,7 @@ static gboolean qio_channel_websock_handshake_send(QIOC= hannel *ioc, trace_qio_channel_websock_handshake_complete(ioc); qio_task_complete(task); } + qio_task_free(task); wioc->hs_io_tag =3D 0; return FALSE; } @@ -588,6 +590,7 @@ static gboolean qio_channel_websock_handshake_io(QIOCha= nnel *ioc, trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err= )); qio_task_set_error(task, err); qio_task_complete(task); + qio_task_free(task); wioc->hs_io_tag =3D 0; return FALSE; } diff --git a/io/task.c b/io/task.c index 451f26f8b4..331febd4e1 100644 --- a/io/task.c +++ b/io/task.c @@ -70,8 +70,12 @@ QIOTask *qio_task_new(Object *source, return task; } =20 -static void qio_task_free(QIOTask *task) +void qio_task_free(QIOTask *task) { + if (!task) { + return; + } + qemu_mutex_lock(&task->thread_lock); if (task->thread) { if (task->thread->destroy) { @@ -110,6 +114,7 @@ static gboolean qio_task_thread_result(gpointer opaque) =20 trace_qio_task_thread_result(task); qio_task_complete(task); + qio_task_free(task); =20 return FALSE; } @@ -196,7 +201,6 @@ void qio_task_complete(QIOTask *task) { task->func(task, task->opaque); trace_qio_task_complete(task); - qio_task_free(task); } =20 =20 diff --git a/tests/unit/test-io-task.c b/tests/unit/test-io-task.c index 115dba8970..b1c8ecb7ab 100644 --- a/tests/unit/test-io-task.c +++ b/tests/unit/test-io-task.c @@ -73,6 +73,7 @@ static void test_task_complete(void) src =3D qio_task_get_source(task); =20 qio_task_complete(task); + qio_task_free(task); =20 g_assert(obj =3D=3D src); =20 
@@ -84,6 +85,28 @@ static void test_task_complete(void) } =20 =20 +static void test_task_cancel(void) +{ + QIOTask *task; + Object *obj =3D object_new(TYPE_DUMMY); + Object *src; + struct TestTaskData data =3D { NULL, NULL, false }; + + task =3D qio_task_new(obj, task_callback, &data, NULL); + src =3D qio_task_get_source(task); + + qio_task_free(task); + + g_assert(obj =3D=3D src); + + object_unref(obj); + + g_assert(data.source =3D=3D NULL); + g_assert(data.err =3D=3D NULL); + g_assert(data.freed =3D=3D false); +} + + static void task_data_free(gpointer opaque) { struct TestTaskData *data =3D opaque; @@ -101,6 +124,7 @@ static void test_task_data_free(void) task =3D qio_task_new(obj, task_callback, &data, task_data_free); =20 qio_task_complete(task); + qio_task_free(task); =20 object_unref(obj); =20 @@ -123,6 +147,7 @@ static void test_task_failure(void) =20 qio_task_set_error(task, err); qio_task_complete(task); + qio_task_free(task); =20 object_unref(obj); =20 
@@ -260,6 +285,7 @@ int main(int argc, char **argv) module_call_init(MODULE_INIT_QOM); type_register_static(&dummy_info); g_test_add_func("/crypto/task/complete", test_task_complete); + g_test_add_func("/crypto/task/cancel", test_task_cancel); g_test_add_func("/crypto/task/datafree", test_task_data_free); g_test_add_func("/crypto/task/failure", test_task_failure); g_test_add_func("/crypto/task/thread_complete", test_task_thread_compl= ete); --=20 2.47.3
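
Review bot: in include/io/task.h the new documentation block for qio_task_free() (hunk @@ -218,6 +217,19) writes its parameter as "task: the task object to free", without the "@" used by the neighbouring blocks ("@task: the task struct"); it should read "@task:" to match. In the same header, the reworded sentence in hunk @@ -138,9 +138,8 is missing a word: "causing it release the ref on QMyObject too" should be "causing it to release the ref on QMyObject too".
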
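
Review bot: the io/task.c hunk @@ -196,7 +201,6 drops "qio_task_free(task);" from qio_task_complete(), which changes the contract for every existing caller at once: a call site that is not updated now leaks the task, and with it the reference on the source object, and nothing at compile time flags it. The hunks in this patch pair complete with free in io/channel-tls.c, io/channel-websock.c, qio_task_thread_result() and tests/unit/test-io-task.c. The commit message should state that all callers of qio_task_complete() in the tree were audited, or name the ones that are converted elsewhere in the series.
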
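
Review bot: test_task_cancel() in tests/unit/test-io-task.c (hunk @@ -84,6 +85,28) passes NULL as the destroy argument of qio_task_new(), so nothing in the test can set data.freed and the final "g_assert(data.freed == false);" does not exercise what the new qio_task_free() documentation promises, namely that the destroy callback releases the opaque data on cancellation. Passing task_data_free, as test_task_data_free() does, and asserting that data.freed is true while data.source and data.err stay NULL would cover the cancel path that this series is about.
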
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel P. Berrangé, Marc-André Lureau, Michael Tokarev
Subject: [Stable-10.2.2 32/53] io: fix cleanup for TLS I/O source data on cancellation
Date: Wed, 11 Mar 2026 22:34:25 +0300
Message-ID: <20260311193449.1096110-32-mjt@tls.msk.ru>

From: Daniel P. Berrangé

The TLS code will create a GSource for tracking completion of the handshake process, passing a QIOChannelTLSData struct that contains various data items. The data struct is freed by the callback when it completes, which means when a source is cancelled, nothing is free'ing the data struct or its contents.

Switch to provide a data free callback to the GSource, which ensures the QIOChannelTLSData struct is always freed even when the main event callback never fires.

Fixes: https://gitlab.com/qemu-project/qemu/-/issues/3114
Reviewed-by: Marc-André Lureau
Signed-off-by: Daniel P. Berrangé
(cherry picked from commit d39d0f3acdd7c1bb275db7e97b511f98254ecd9f)
Signed-off-by: Michael Tokarev

diff --git a/io/channel-tls.c b/io/channel-tls.c index 07274c12df..940fc3c6d1 100644 --- a/io/channel-tls.c +++ b/io/channel-tls.c @@ -153,13 +153,32 @@ struct QIOChannelTLSData { }; typedef struct QIOChannelTLSData QIOChannelTLSData; =20 +static void qio_channel_tls_io_data_free(gpointer user_data) +{ + QIOChannelTLSData *data =3D user_data; + /* + * Usually 'task' will be NULL since the GSource + * callback will either complete the task or pass + * it on to a new GSource. We'll see a non-NULL + * task here only if the GSource was released before + * its callback triggers + */ + if (data->task) { + qio_task_free(data->task); + } + if (data->context) { + g_main_context_unref(data->context); + } + g_free(data); +} + static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc, GIOCondition condition, gpointer user_data); =20 -static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc, - QIOTask *task, - GMainContext *context) +static gboolean qio_channel_tls_handshake_task(QIOChannelTLS *ioc, + QIOTask *task, + GMainContext *context) { Error *err =3D NULL; int status;
@@ -170,8 +189,7 @@ static void qio_channel_tls_handshake_task(QIOChannelTL= S *ioc, trace_qio_channel_tls_handshake_fail(ioc); qio_task_set_error(task, err); qio_task_complete(task); - qio_task_free(task); - return; + return TRUE; } =20 if (status =3D=3D QCRYPTO_TLS_HANDSHAKE_COMPLETE) { @@ -184,7 +202,7 @@ static void qio_channel_tls_handshake_task(QIOChannelTL= S *ioc, trace_qio_channel_tls_credentials_allow(ioc); } qio_task_complete(task); - qio_task_free(task); + return TRUE; } else { GIOCondition condition; QIOChannelTLSData *data =3D g_new0(typeof(*data), 1); @@ -208,8 +226,9 @@ static void qio_channel_tls_handshake_task(QIOChannelTL= S *ioc, condition, qio_channel_tls_handshake_io, data, - NULL, + qio_channel_tls_io_data_free, context); + return FALSE; } } =20 @@ -225,11 +244,9 @@ static gboolean qio_channel_tls_handshake_io(QIOChanne= l *ioc, qio_task_get_source(task)); =20 tioc->hs_ioc_tag =3D 0; - g_free(data); - qio_channel_tls_handshake_task(tioc, task, context); - - if (context) { - g_main_context_unref(context); + if (!qio_channel_tls_handshake_task(tioc, task, context)) { + /* task is kept by new GSource so must not be released yet */ + data->task =3D NULL; } =20 return FALSE; @@ -252,14 +269,16 @@ void qio_channel_tls_handshake(QIOChannelTLS *ioc, func, opaque, destroy); =20 trace_qio_channel_tls_handshake_start(ioc); - qio_channel_tls_handshake_task(ioc, task, context); + if (qio_channel_tls_handshake_task(ioc, task, context)) { + qio_task_free(task); + } } =20 static gboolean qio_channel_tls_bye_io(QIOChannel *ioc, GIOCondition condi= tion, gpointer user_data); =20 -static void qio_channel_tls_bye_task(QIOChannelTLS *ioc, QIOTask *task, - GMainContext *context) +static gboolean qio_channel_tls_bye_task(QIOChannelTLS *ioc, QIOTask *task, + GMainContext *context) { GIOCondition condition; QIOChannelTLSData *data; 
@@ -272,14 +291,12 @@ static void qio_channel_tls_bye_task(QIOChannelTLS *i= oc, QIOTask *task, trace_qio_channel_tls_bye_fail(ioc); qio_task_set_error(task, err); qio_task_complete(task); - qio_task_free(task); - return; + return TRUE; } =20 if (status =3D=3D QCRYPTO_TLS_BYE_COMPLETE) { qio_task_complete(task); - qio_task_free(task); - return; + return TRUE; } =20 data =3D g_new0(typeof(*data), 1); @@ -299,7 +316,10 @@ static void qio_channel_tls_bye_task(QIOChannelTLS *io= c, QIOTask *task, trace_qio_channel_tls_bye_pending(ioc, status); ioc->bye_ioc_tag =3D qio_channel_add_watch_full(ioc->master, condition, qio_channel_tls_bye_io, - data, NULL, context); + data, + qio_channel_tls_io_data_= free, + context); + return FALSE; } =20 =20 
@@ -312,11 +332,9 @@ static gboolean qio_channel_tls_bye_io(QIOChannel *ioc= , GIOCondition condition, QIOChannelTLS *tioc =3D QIO_CHANNEL_TLS(qio_task_get_source(task)); =20 tioc->bye_ioc_tag =3D 0; - g_free(data); - qio_channel_tls_bye_task(tioc, task, context); - - if (context) { - g_main_context_unref(context); + if (!qio_channel_tls_bye_task(tioc, task, context)) { + /* task is kept by new GSource so must not be released yet */ + data->task =3D NULL; } =20 return FALSE; --=20 2.47.3
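
Review bot: qio_channel_tls_handshake_task() and qio_channel_tls_bye_task() change from void to gboolean, and the return value now carries task ownership (TRUE after qio_task_complete(), FALSE after the task is handed to a new watch), yet neither function gets a comment saying so. The callers rely on it in opposite senses: qio_channel_tls_handshake() calls qio_task_free() on TRUE, while qio_channel_tls_handshake_io() and qio_channel_tls_bye_io() clear data->task on FALSE. Please document the contract above both helpers, because reading the sense the wrong way round at a future call site gives either a double free or a leak.
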
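
Review bot: the comment in qio_channel_tls_io_data_free() (hunk @@ -153,13 +153,32) says a non-NULL task is seen "only if the GSource was released before its callback triggers", which does not match the callbacks changed in this same patch. qio_channel_tls_handshake_io() and qio_channel_tls_bye_io() set data->task to NULL only when the helper returns FALSE; after a completed or failed handshake or bye, data->task is still set and this function is what frees it. The comment should say that the task is freed here unless it was passed on to a new GSource.
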
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel P. Berrangé, Michael Tokarev
Subject: [Stable-10.2.2 33/53] io: fix cleanup for websock I/O source data on cancellation
Date: Wed, 11 Mar 2026 22:34:26 +0300
Message-ID: <20260311193449.1096110-33-mjt@tls.msk.ru>

From: Daniel P. Berrangé

The websock code will create a GSource for tracking completion of the handshake process, passing a QIOTask which is freed by the callback when it completes, which means when a source is cancelled, nothing is free'ing the task.

Switch to provide a data free callback to the GSource, which ensures the QIOTask is always freed even when the main event callback never fires.

Fixes: https://gitlab.com/qemu-project/qemu/-/issues/3114
Signed-off-by: Daniel P. Berrangé
(cherry picked from commit 9545c059f77e3f814fcbaba83203572ea655c50e)
Signed-off-by: Michael Tokarev

diff --git a/io/channel-websock.c b/io/channel-websock.c index b4f96a0af4..bb10bc4f7f 100644 --- a/io/channel-websock.c +++ b/io/channel-websock.c @@ -526,11 +526,32 @@ static int qio_channel_websock_handshake_read(QIOChan= nelWebsock *ioc, return 1; } =20 +typedef struct QIOChannelWebsockData { + QIOTask *task; +} QIOChannelWebsockData; + +static void qio_channel_websock_data_free(gpointer user_data) +{ + QIOChannelWebsockData *data =3D user_data; + /* + * Usually 'task' will be NULL since the GSource + * callback will either complete the task or pass + * it on to a new GSource. We'll see a non-NULL + * task here only if the GSource was released before + * its callback triggers + */ + if (data->task) { + qio_task_free(data->task); + } + g_free(data); +} + static gboolean qio_channel_websock_handshake_send(QIOChannel *ioc, GIOCondition condition, gpointer user_data) { - QIOTask *task =3D user_data; + QIOChannelWebsockData *data =3D user_data; + QIOTask *task =3D data->task; QIOChannelWebsock *wioc =3D QIO_CHANNEL_WEBSOCK( qio_task_get_source(task)); Error *err =3D NULL; @@ -545,7 +566,6 @@ static gboolean qio_channel_websock_handshake_send(QIOC= hannel *ioc, trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err= )); qio_task_set_error(task, err); qio_task_complete(task); - qio_task_free(task); wioc->hs_io_tag =3D 0; return FALSE; } @@ -562,7 +582,6 @@ static gboolean qio_channel_websock_handshake_send(QIOC= hannel *ioc, trace_qio_channel_websock_handshake_complete(ioc); qio_task_complete(task); } - qio_task_free(task); wioc->hs_io_tag =3D 0; return FALSE; }
@@ -574,7 +593,8 @@ static gboolean qio_channel_websock_handshake_io(QIOCha= nnel *ioc, GIOCondition condition, gpointer user_data) { - QIOTask *task =3D user_data; + QIOChannelWebsockData *data =3D user_data, *newdata =3D NULL; + QIOTask *task =3D data->task; QIOChannelWebsock *wioc =3D QIO_CHANNEL_WEBSOCK( qio_task_get_source(task)); Error *err =3D NULL; @@ -590,7 +610,6 @@ static gboolean qio_channel_websock_handshake_io(QIOCha= nnel *ioc, trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err= )); qio_task_set_error(task, err); qio_task_complete(task); - qio_task_free(task); wioc->hs_io_tag =3D 0; return FALSE; } @@ -603,12 +622,14 @@ static gboolean qio_channel_websock_handshake_io(QIOC= hannel *ioc, error_propagate(&wioc->io_err, err); =20 trace_qio_channel_websock_handshake_reply(ioc); + newdata =3D g_new0(QIOChannelWebsockData, 1); + newdata->task =3D g_steal_pointer(&data->task); wioc->hs_io_tag =3D qio_channel_add_watch( wioc->master, G_IO_OUT, qio_channel_websock_handshake_send, - task, - NULL); + newdata, + qio_channel_websock_data_free); return FALSE; } =20 @@ -904,12 +925,12 @@ void qio_channel_websock_handshake(QIOChannelWebsock = *ioc, gpointer opaque, GDestroyNotify destroy) { - QIOTask *task; + QIOChannelWebsockData *data =3D g_new0(QIOChannelWebsockData, 1); =20 - task =3D qio_task_new(OBJECT(ioc), - func, - opaque, - destroy); + data->task =3D qio_task_new(OBJECT(ioc), + func, + opaque, + destroy); =20 trace_qio_channel_websock_handshake_start(ioc); trace_qio_channel_websock_handshake_pending(ioc, G_IO_IN); 
@@ -917,8 +938,8 @@ void qio_channel_websock_handshake(QIOChannelWebsock *i= oc, ioc->master, G_IO_IN, qio_channel_websock_handshake_io, - task, - NULL); + data, + qio_channel_websock_data_free); } =20 =20 --=20 2.47.3
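
Review bot: the ownership handoff in qio_channel_websock_handshake_io() is not auditable from the call sites alone: it depends on qio_channel_websock_data_free tolerating a NULL data->task after g_steal_pointer(&data->task), and on that destroy notifier being the only place the task is freed now that qio_task_free(task) is gone from the failure path. A short comment at the steal and at the error return saying who frees the task would make double-free and leak review much easier. newdata is also declared at function scope with a NULL initialiser but is only used in the reply branch; declaring it there would be tighter.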

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.2 34/53] hw/net/smc91c111: Don't allow negative-length packets
Date: Wed, 11 Mar 2026 22:34:27 +0300
Message-ID: <20260311193449.1096110-34-mjt@tls.msk.ru>

From: Peter Maydell

The smc91c111 data frame format in memory (figure 8-1 in the datasheet) includes a "byte count" field which is intended to be the total size of the data frame, including not just the packet data but also the leading and trailing information like the status word and the byte count field itself. It is therefore possible for the guest to set this to a value so small that the leading and trailing fields won't fit and the packet has effectively a negative area.

We weren't checking for this, with the result that when we subtract 6 from the length to get the length of the packet proper we end up with a negative length, which is then inconsistently handled in the qemu_send_packet() code such that we can try to transmit a very large amount of data and read off the end of the device's data array.

Treat excessively small length values the same way we do excessively large values. As with the oversized case, the datasheet does not describe what happens for this software error case, and there is no relevant tx error condition for this, so we just log and drop the packet.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3304
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Message-id: 20260226175549.1319476-1-peter.maydell@linaro.org
(cherry picked from commit d8e19f8042dcaff8e077292209c8196acb150bdd)
Signed-off-by: Michael Tokarev

diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c index 5cd78e334b..f2c2e22dd0 100644 --- a/hw/net/smc91c111.c +++ b/hw/net/smc91c111.c @@ -30,6 +30,12 @@ * LAN91C111 datasheet). */ #define MAX_PACKET_SIZE 2048 +/* + * Size of the non-data fields in a data frame: status word, + * byte count, control byte, and last data byte; this defines + * the smallest value the byte count in the frame can validly be. + */ +#define MIN_PACKET_SIZE 6 =20 #define TYPE_SMC91C111 "smc91c111" OBJECT_DECLARE_SIMPLE_TYPE(smc91c111_state, SMC91C111)
@@ -289,7 +295,7 @@ static void smc91c111_do_tx(smc91c111_state *s) *(p++) =3D 0x40; len =3D *(p++); len |=3D ((int)*(p++)) << 8; - if (len > MAX_PACKET_SIZE) { + if (len < MIN_PACKET_SIZE || len > MAX_PACKET_SIZE) { /* * Datasheet doesn't say what to do here, and there is no * relevant tx error condition listed. Log, and drop the packe= t. 
@@ -300,7 +306,13 @@ static void smc91c111_do_tx(smc91c111_state *s) smc91c111_complete_tx_packet(s, packetnum); continue; } - len -=3D 6; + /* + * Convert from size of the data frame to number of bytes of + * actual packet data. Whether the "last data byte" field is + * included in the packet depends on the ODD bit in the control + * byte at the end of the frame. + */ + len -=3D MIN_PACKET_SIZE; control =3D p[len + 1]; if (control & 0x20) len++; --=20 2.47.3
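
Review bot: the log call for the dropped-packet branch in smc91c111_do_tx() falls between the two hunks and is not shown, so it should be checked that its message still makes sense for the new `len < MIN_PACKET_SIZE` case and does not describe the byte count only as too large. The boundary itself looks right: a byte count of exactly MIN_PACKET_SIZE gives a data length of 0, `control = p[len + 1]` then reads within the frame's own trailing fields, and the ODD bit can raise the length to 1. A regression test that submits byte counts 0 through 5 and exactly 6 would pin that behaviour down for a guest-controlled field.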

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, "Halil Oktay (oblivionsage)", Kevin Wolf, Michael Tokarev
Subject: [Stable-10.2.2 35/53] block/vmdk: fix OOB read in vmdk_read_extent()
Date: Wed, 11 Mar 2026 22:34:28 +0300
Message-ID: <20260311193449.1096110-35-mjt@tls.msk.ru>

From: "Halil Oktay (oblivionsage)"

Bounds check for marker.size doesn't account for the 12-byte marker header, allowing zlib to read past the allocated buffer. Move the check inside the has_marker block and subtract the marker size.

Fixes: CVE-2026-2243
Reported-by: Halil Oktay (oblivionsage)
Signed-off-by: Halil Oktay (oblivionsage)
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf
(cherry picked from commit cfda94eddb6c9c49b66461c950b22845a46a75c9)
Signed-off-by: Michael Tokarev

diff --git a/block/vmdk.c b/block/vmdk.c index 89e89cd10e..cd8b4ec7c8 100644 --- a/block/vmdk.c +++ b/block/vmdk.c 
@@ -1951,10 +1951,10 @@ vmdk_read_extent(VmdkExtent *extent, int64_t cluste= r_offset, marker =3D (VmdkGrainMarker *)cluster_buf; compressed_data =3D marker->data; data_len =3D le32_to_cpu(marker->size); - } - if (!data_len || data_len > buf_bytes) { - ret =3D -EINVAL; - goto out; + if (!data_len || data_len > buf_bytes - sizeof(VmdkGrainMarker)) { + ret =3D -EINVAL; + goto out; + } } ret =3D uncompress(uncomp_buf, &buf_len, compressed_data, data_len); if (ret !=3D Z_OK) { --=20 2.47.3
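
Review bot: `buf_bytes - sizeof(VmdkGrainMarker)` in vmdk_read_extent() is a safe bound only if buf_bytes can never be smaller than the marker header, because sizeof yields an unsigned value and the subtraction may wrap to a huge limit; that invariant is not visible in this hunk, so state it in a comment or test `buf_bytes < sizeof(VmdkGrainMarker)` first. Since the payload pointer is `marker->data`, using offsetof(VmdkGrainMarker, data) would tie the bound to the field actually read and to the 12 bytes the commit message names, independent of struct padding. With the check moved inside the marker branch, the non-marker path now reaches uncompress() with whatever data_len was set earlier, which is outside the visible context and worth confirming.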

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Antoine Damhet, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.2.2 36/53] block/curl: fix concurrent completion handling
Date: Wed, 11 Mar 2026 22:34:29 +0300
Message-ID: <20260311193449.1096110-36-mjt@tls.msk.ru>

From: Antoine Damhet

curl_multi_check_completion would bail upon the first completed transfer even if more completion messages were available thus leaving some in flight IOs stuck.

Rework a bit the loop to make the iterations clearer and drop the breaks.

The original hang can be somewhat reproduced with the following command:

$ qemu-img convert -p -m 16 -O qcow2 -c --image-opts \
    'file.driver=https,file.url=https://scaleway.testdebit.info/10G.iso,file.readahead=1M' \
    /tmp/test.qcow2

Fixes: 1f2cead32443 ("curl: Ensure all informationals are checked for completion")
Cc: qemu-stable@nongnu.org
Signed-off-by: Antoine Damhet
Message-ID: <20260212162730.440855-2-adamhet@scaleway.com>
Signed-off-by: Kevin Wolf
(cherry picked from commit 6f7b0a23a6ea0cc72ad222ab37936248d99d4256)
Signed-off-by: Michael Tokarev

diff --git a/block/curl.c b/block/curl.c index 4e77c93b46..6dccf00256 100644 --- a/block/curl.c +++ b/block/curl.c @@ -324,17 +324,11 @@ curl_find_buf(BDRVCURLState *s, uint64_t start, uint6= 4_t len, CURLAIOCB *acb) static void curl_multi_check_completion(BDRVCURLState *s) { int msgs_in_queue; + CURLMsg *msg; =20 /* Try to find done transfers, so we can free the easy * handle again. */ - for (;;) { - CURLMsg *msg; - msg =3D curl_multi_info_read(s->multi, &msgs_in_queue); - - /* Quit when there are no more completions */ - if (!msg) - break; - + while ((msg =3D curl_multi_info_read(s->multi, &msgs_in_queue))) { if (msg->msg =3D=3D CURLMSG_DONE) { int i; CURLState *state =3D NULL;
@@ -397,7 +391,6 @@ static void curl_multi_check_completion(BDRVCURLState *= s) } =20 curl_clean_state(state); - break; } } } --=20 2.47.3
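
Review bot: nothing in the loop body of curl_multi_check_completion() may touch `msg` after curl_clean_state(state) now that the loop continues instead of breaking, because libcurl documents that a CURLMsg does not survive curl_multi_remove_handle() or curl_easy_cleanup() on its handle. The visible tail of the body ends with curl_clean_state(state), so this holds today if that call is what releases the handle; a one-line comment there would keep a later edit from introducing a use-after-free. With `msg` hoisted to function scope, `msgs_in_queue` is now only an ignored out-parameter and could be named accordingly.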

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Kevin Wolf, Fiona Ebner, Jean-Louis Dupond, Michael Tokarev
Subject: [Stable-10.2.2 37/53] mirror: Fix missed dirty bitmap writes during startup
Date: Wed, 11 Mar 2026 22:34:30 +0300
Message-ID: <20260311193449.1096110-37-mjt@tls.msk.ru>

From: Kevin Wolf

Currently, mirror disables the block layer's dirty bitmap before its own replacement is working. This means that during startup, there is a window in which the allocation status of blocks in the source has already been checked, but new writes coming in aren't tracked yet, resulting in a corrupted copy:

1. Dirty bitmap is disabled in mirror_start_job()
2. Some requests are started in mirror_top_bs while s->job == NULL
3. mirror_dirty_init() -> bdrv_co_is_allocated_above() runs and because the request hasn't completed yet, the block isn't allocated
4. The request completes, still sees s->job == NULL and skips the bitmap, and nothing else will mark it dirty either

One ingredient is that mirror_top_opaque->job is only set after the job is fully initialized. For the rationale, see commit 32125b1460 ("mirror: Fix access of uninitialised fields during start").

Fix this by giving mirror_top_bs access to dirty_bitmap and enabling it to track writes from the beginning. Disabling the block layer's tracking and enabling the mirror_top_bs one happens in a drained section, so there is no danger of races with in-flight requests any more. All of this happens well before the block allocation status is checked, so we can be sure that no writes will be missed.

Cc: qemu-stable@nongnu.org
Closes: https://gitlab.com/qemu-project/qemu/-/issues/3273
Fixes: 32125b14606a ('mirror: Fix access of uninitialised fields during start')
Signed-off-by: Kevin Wolf
Message-ID: <20260219202446.312493-1-kwolf@redhat.com>
Reviewed-by: Fiona Ebner
Tested-by: Jean-Louis Dupond
Signed-off-by: Kevin Wolf
(cherry picked from commit 0f51f9c3420b31bb383e456dd7bf24d3056eeb73)
Signed-off-by: Michael Tokarev

diff --git a/block/mirror.c b/block/mirror.c index bc982cb99a..fa1d975eb9 100644 --- a/block/mirror.c +++ b/block/mirror.c
@@ -99,6 +99,7 @@ typedef struct MirrorBlockJob { =20 typedef struct MirrorBDSOpaque { MirrorBlockJob *job; + BdrvDirtyBitmap *dirty_bitmap; bool stop; bool is_commit; } MirrorBDSOpaque; @@ -1675,9 +1676,11 @@ bdrv_mirror_top_do_write(BlockDriverState *bs, Mirro= rMethod method, abort(); } =20 - if (!copy_to_target && s->job && s->job->dirty_bitmap) { - qatomic_set(&s->job->actively_synced, false); - bdrv_set_dirty_bitmap(s->job->dirty_bitmap, offset, bytes); + if (!copy_to_target) { + if (s->job) { + qatomic_set(&s->job->actively_synced, false); + } + bdrv_set_dirty_bitmap(s->dirty_bitmap, offset, bytes); } =20 if (ret < 0) { @@ -1904,13 +1907,35 @@ static BlockJob *mirror_start_job( =20 bdrv_drained_begin(bs); ret =3D bdrv_append(mirror_top_bs, bs, errp); - bdrv_drained_end(bs); - if (ret < 0) { + bdrv_drained_end(bs); + bdrv_unref(mirror_top_bs); + return NULL; + } + + bs_opaque->dirty_bitmap =3D bdrv_create_dirty_bitmap(mirror_top_bs, + granularity, + NULL, errp); + if (!bs_opaque->dirty_bitmap) { + bdrv_drained_end(bs); bdrv_unref(mirror_top_bs); return NULL; } =20 + /* + * The mirror job doesn't use the block layer's dirty tracking because= it + * needs to be able to switch seemlessly between background copy mode = (which + * does need dirty tracking) and write blocking mode (which doesn't) a= nd + * doing that would require draining the node. Instead, mirror_top_bs = takes + * care of updating the dirty bitmap as appropriate. + * + * Note that write blocking mode only becomes effective after mirror_r= un() + * sets mirror_top_opaque->job (see should_copy_to_target()). Until th= en, + * we're still in background copy mode irrespective of @copy_mode. + */ + bdrv_disable_dirty_bitmap(bs_opaque->dirty_bitmap); + bdrv_drained_end(bs); + /* Make sure that the source is not resized while the job is running */ s =3D block_job_create(job_id, driver, NULL, mirror_top_bs, BLK_PERM_CONSISTENT_READ, 
@@ -2005,24 +2030,13 @@ static BlockJob *mirror_start_job( s->base_overlay =3D bdrv_find_overlay(bs, base); s->granularity =3D granularity; s->buf_size =3D ROUND_UP(buf_size, granularity); + s->dirty_bitmap =3D bs_opaque->dirty_bitmap; s->unmap =3D unmap; if (auto_complete) { s->should_complete =3D true; } bdrv_graph_rdunlock_main_loop(); =20 - s->dirty_bitmap =3D bdrv_create_dirty_bitmap(s->mirror_top_bs, granula= rity, - NULL, errp); - if (!s->dirty_bitmap) { - goto fail; - } - - /* - * The dirty bitmap is set by bdrv_mirror_top_do_write() when not in a= ctive - * mode. - */ - bdrv_disable_dirty_bitmap(s->dirty_bitmap); - bdrv_graph_wrlock_drained(); ret =3D block_job_add_bdrv(&s->common, "source", bs, 0, BLK_PERM_WRITE_UNCHANGED | BLK_PERM_WRITE | @@ -2102,9 +2116,6 @@ fail: g_free(s->replaces); blk_unref(s->target); bs_opaque->job =3D NULL; - if (s->dirty_bitmap) { - bdrv_release_dirty_bitmap(s->dirty_bitmap); - } job_early_fail(&s->common.job); } =20 
@@ -2118,6 +2129,7 @@ fail: bdrv_graph_wrunlock(); bdrv_drained_end(bs); =20 + bdrv_release_dirty_bitmap(bs_opaque->dirty_bitmap); bdrv_unref(mirror_top_bs); =20 return NULL; --=20 2.47.3
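
Review bot: the new `!bs_opaque->dirty_bitmap` failure path in mirror_start_job() returns after only bdrv_drained_end(bs) and bdrv_unref(mirror_top_bs), although bdrv_append() has already succeeded at that point; the removed code sent bitmap-creation failure through `goto fail`, so please confirm this early return cannot leave mirror_top_bs in the graph above bs, or route it through the same teardown. bdrv_mirror_top_do_write() now calls bdrv_set_dirty_bitmap(s->dirty_bitmap, ...) with no NULL check, which relies on the bitmap being created inside the same drained section as the append; a short comment at that call would record the invariant. The added block comment also spells "seamlessly" as "seemlessly".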

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Dmitry Guryanov, Hanna Czenczek, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.2.2 38/53] block/throttle-groups: fix deadlock with iolimits and muliple iothreads
Date: Wed, 11 Mar 2026 22:34:31 +0300
Message-ID: <20260311193449.1096110-38-mjt@tls.msk.ru>

From: Dmitry Guryanov

Details: https://gitlab.com/qemu-project/qemu/-/issues/3144

The function schedule_next_request is called with tg->lock held and it may call throttle_group_co_restart_queue, which takes tgm->throttled_reqs_lock, qemu_co_mutex_lock may leave current coroutine if other iothread has taken the lock. If the next coroutine will call throttle_group_co_io_limits_intercept - it will try to take the mutex tg->lock which will never be released.

Here is the backtrace of the iothread:

Thread 30 (Thread 0x7f8aad1fd6c0 (LWP 24240) "IO iothread2"):
#0  futex_wait (futex_word=0x5611adb7d828, expected=2, private=0) at ../sysdeps/nptl/futex-internal.h:146
#1  __GI___lll_lock_wait (futex=futex@entry=0x5611adb7d828, private=0) at lowlevellock.c:49
#2  0x00007f8ab5a97501 in lll_mutex_lock_optimized (mutex=0x5611adb7d828) at pthread_mutex_lock.c:48
#3  ___pthread_mutex_lock (mutex=0x5611adb7d828) at pthread_mutex_lock.c:93
#4  0x00005611823f5482 in qemu_mutex_lock_impl (mutex=0x5611adb7d828, file=0x56118289daca "../block/throttle-groups.c", line=372) at ../util/qemu-thread-posix.c:94
#5  0x00005611822b0b39 in throttle_group_co_io_limits_intercept (tgm=0x5611af1bb4d8, bytes=4096, direction=THROTTLE_READ) at ../block/throttle-groups.c:372
#6  0x00005611822473b1 in blk_co_do_preadv_part (blk=0x5611af1bb490, offset=15972311040, bytes=4096, qiov=0x7f8aa4000f98, qiov_offset=0, flags=BDRV_REQ_REGISTERED_BUF) at ../block/block-backend.c:1354
#7  0x0000561182247fa0 in blk_aio_read_entry (opaque=0x7f8aa4005910) at ../block/block-backend.c:1619
#8  0x000056118241952e in coroutine_trampoline (i0=-1543497424, i1=32650) at ../util/coroutine-ucontext.c:175
#9  0x00007f8ab5a56f70 in ?? () at ../sysdeps/unix/sysv/linux/x86_64/__start_context.S:66 from target:/lib64/libc.so.6
#10 0x00007f8aad1ef190 in ?? ()
#11 0x0000000000000000 in ?? ()

The lock is taken in line 386:

(gdb) p tg.lock
$1 = {lock = {__data = {__lock = 2, __count = 0, __owner = 24240, __nusers = 1, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = "\002\000\000\000\000\000\000\000\260^\000\000\001", '\000' , __align = 2}, file = 0x56118289daca "../block/throttle-groups.c", line = 386, initialized = true}

The solution is to use tg->lock to protect both ThreadGroup fields and ThrottleGroupMember.throttled_reqs. It doesn't seem to be possible to use separate locks because we need to first manipulate ThrottleGroup fields, then schedule next coroutine using throttled_reqs and after that update token field from ThrottleGroup depending on the throttled_reqs state.

Signed-off-by: Dmitry Guryanov
Message-ID: <20251208085528.890098-1-dmitry.guryanov@gmail.com>
Reviewed-by: Hanna Czenczek
Signed-off-by: Kevin Wolf
(cherry picked from commit d4816177654d59e26ce212c436513f01842eb410)
Signed-off-by: Michael Tokarev

diff --git a/block/throttle-groups.c b/block/throttle-groups.c index 66fdce9a90..5329ff1fdb 100644 --- a/block/throttle-groups.c +++ b/block/throttle-groups.c @@ -295,19 +295,15 @@ static bool throttle_group_schedule_timer(ThrottleGro= upMember *tgm, /* Start the next pending I/O request for a ThrottleGroupMember. Return wh= ether * any request was actually pending. * + * This assumes that tg->lock is held. + * * @tgm: the current ThrottleGroupMember * @direction: the ThrottleDirection */ static bool coroutine_fn throttle_group_co_restart_queue(ThrottleGroupMemb= er *tgm, ThrottleDirection= direction) { - bool ret; - - qemu_co_mutex_lock(&tgm->throttled_reqs_lock); - ret =3D qemu_co_queue_next(&tgm->throttled_reqs[direction]); - qemu_co_mutex_unlock(&tgm->throttled_reqs_lock); - - return ret; + return qemu_co_queue_next(&tgm->throttled_reqs[direction]); } =20 /* Look for the next pending I/O request and schedule it.
@@ -378,12 +374,8 @@ void coroutine_fn throttle_group_co_io_limits_intercep= t(ThrottleGroupMember *tgm /* Wait if there's a timer set or queued requests of this type */ if (must_wait || tgm->pending_reqs[direction]) { tgm->pending_reqs[direction]++; - qemu_mutex_unlock(&tg->lock); - qemu_co_mutex_lock(&tgm->throttled_reqs_lock); qemu_co_queue_wait(&tgm->throttled_reqs[direction], - &tgm->throttled_reqs_lock); - qemu_co_mutex_unlock(&tgm->throttled_reqs_lock); - qemu_mutex_lock(&tg->lock); + &tg->lock); tgm->pending_reqs[direction]--; } =20 @@ -410,15 +402,15 @@ static void coroutine_fn throttle_group_restart_queue= _entry(void *opaque) ThrottleDirection direction =3D data->direction; bool empty_queue; =20 + qemu_mutex_lock(&tg->lock); empty_queue =3D !throttle_group_co_restart_queue(tgm, direction); =20 /* If the request queue was empty then we have to take care of * scheduling the next one */ if (empty_queue) { - qemu_mutex_lock(&tg->lock); schedule_next_request(tgm, direction); - qemu_mutex_unlock(&tg->lock); } + qemu_mutex_unlock(&tg->lock); =20 g_free(data); =20 @@ -569,7 +561,6 @@ void throttle_group_register_tgm(ThrottleGroupMember *t= gm, read_timer_cb, write_timer_cb, tgm); - qemu_co_mutex_init(&tgm->throttled_reqs_lock); } =20 /* Unregister a ThrottleGroupMember from its group, removing it from the l= ist, diff --git a/include/block/throttle-groups.h b/include/block/throttle-group= s.h index 2355e8d9de..7dfc81f7b5 100644 --- a/include/block/throttle-groups.h +++ b/include/block/throttle-groups.h 
@@ -35,8 +35,7 @@ =20 typedef struct ThrottleGroupMember { AioContext *aio_context; - /* throttled_reqs_lock protects the CoQueues for throttled requests. = */ - CoMutex throttled_reqs_lock; + /* Protected by ThrottleGroup.lock */ CoQueue throttled_reqs[THROTTLE_MAX]; =20 /* Nonzero if the I/O limits are currently being ignored; generally --=20 2.47.3
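
Review bot: In the @@ -378,12 +374,8 @@ hunk of throttle_group_co_io_limits_intercept(), tg->lock is still dropped while the coroutine sits in the queue, but that is now implicit in qemu_co_queue_wait(&tgm->throttled_reqs[direction], &tg->lock) instead of being spelled out by the removed qemu_mutex_unlock()/qemu_mutex_lock() pair. A one-line comment above the wait, saying that the lock is released for the duration of the wait and re-taken before tgm->pending_reqs[direction]--, would keep a later reader from assuming that the ThrottleGroup state behind must_wait is still current after wake-up.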
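
Review bot: In the @@ -410,15 +402,15 @@ hunk, throttle_group_restart_queue_entry() now holds tg->lock across both throttle_group_co_restart_queue() and the conditional schedule_next_request(), using a manual qemu_mutex_lock()/qemu_mutex_unlock() pair wrapped around the if block. A scoped guard such as WITH_QEMU_LOCK_GUARD(&tg->lock) { ... } would tie the unlock to the block, so that a later early return cannot leave tg->lock held, which is the state the backtrace in the commit message shows.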

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.2.2 39/53] block: Never drop BLOCK_IO_ERROR with action=stop for rate limiting
Date: Wed, 11 Mar 2026 22:34:32 +0300
Message-ID: <20260311193449.1096110-39-mjt@tls.msk.ru>

From: Kevin Wolf

Commit 2155d2dd introduced rate limiting for BLOCK_IO_ERROR to emit an
event only once a second. This makes sense for cases in which the guest
keeps running and can submit more requests that would possibly also fail
because there is a problem with the backend.

However, if the error policy is configured so that the VM is stopped on
errors, this is both unnecessary because stopping the VM means that the
guest can't issue more requests and in fact harmful because stopping the
VM is an important state change that management tools need to keep track
of even if it happens more than once in a given second. If an event is
dropped, the management tool would see a VM randomly going to paused
state without an associated error, so it has a hard time deciding how to
handle the situation.

This patch disables rate limiting for action=stop by not relying on the
event type alone any more in monitor_qapi_event_queue_no_reenter(), but
checking action for BLOCK_IO_ERROR, too. If the error is reported to the
guest or ignored, the rate limiting stays in place.

Fixes: 2155d2dd7f73 ('block-backend: per-device throttling of BLOCK_IO_ERROR reports')
Signed-off-by: Kevin Wolf
Message-ID: <20260304122800.51923-1-kwolf@redhat.com>
Signed-off-by: Kevin Wolf
(cherry picked from commit 544ddbb6373d61292a0e2dc269809cd6bd5edec6)
Signed-off-by: Michael Tokarev

diff --git a/monitor/monitor.c b/monitor/monitor.c index c5a5d30877..ae7cf64de0 100644 --- a/monitor/monitor.c +++ b/monitor/monitor.c 
@@ -363,14 +363,33 @@ monitor_qapi_event_queue_no_reenter(QAPIEvent event, = QDict *qdict) { MonitorQAPIEventConf *evconf; MonitorQAPIEventState *evstate; + bool throttled; =20 assert(event < QAPI_EVENT__MAX); evconf =3D &monitor_qapi_event_conf[event]; trace_monitor_protocol_event_queue(event, qdict, evconf->rate); + throttled =3D evconf->rate; + + /* + * Rate limit BLOCK_IO_ERROR only for action !=3D "stop". + * + * If the VM is stopped after an I/O error, this is important informat= ion + * for the management tool to keep track of the state of QEMU and we c= an't + * merge any events. At the same time, stopping the VM means that the = guest + * can't send additional requests and the number of events is already + * limited, so we can do without rate limiting. + */ + if (event =3D=3D QAPI_EVENT_BLOCK_IO_ERROR) { + QDict *data =3D qobject_to(QDict, qdict_get(qdict, "data")); + const char *action =3D qdict_get_str(data, "action"); + if (!strcmp(action, "stop")) { + throttled =3D false; + } + } =20 QEMU_LOCK_GUARD(&monitor_lock); =20 - if (!evconf->rate) { + if (!throttled) { /* Unthrottled event */ monitor_qapi_event_emit(event, qdict); } else { diff --git a/qapi/block-core.json b/qapi/block-core.json index b82af74256..4118d884f4 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json 
@@ -5789,7 +5789,7 @@ # .. note:: If action is "stop", a `STOP` event will eventually follow # the `BLOCK_IO_ERROR` event. # -# .. note:: This event is rate-limited. +# .. note:: This event is rate-limited, except if action is "stop". # # Since: 0.13 # --=20 2.47.3
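
Review bot: In monitor_qapi_event_queue_no_reenter(), the new BLOCK_IO_ERROR branch uses the event payload without checking it: data from qobject_to(QDict, qdict_get(qdict, "data")) is passed straight to qdict_get_str(data, "action"), and the result goes straight into strcmp(). An event built without a "data" dict or without an "action" member would fault here instead of falling back to the rate-limited path. If the QAPI schema guarantees both members, an assert(data) and a short comment saying so would document that dependency; otherwise use a lookup that tolerates a missing key and leave throttled unchanged in that case.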

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Hanna Czenczek, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.2.2 40/53] block/nfs: Do not enter coroutine from CB
Date: Wed, 11 Mar 2026 22:34:33 +0300
Message-ID: <20260311193449.1096110-40-mjt@tls.msk.ru>

From: Hanna Czenczek

The reasoning I gave for why it would be safe to call aio_co_wake()
despite holding the mutex was wrong: It is true that the current request
will not re-acquire the mutex, but a subsequent request in the same
coroutine can. Because the mutex is a non-coroutine mutex, this will
result in a deadlock.

Therefore, we must either not enter the coroutine here (only scheduling
it), or release the mutex around aio_co_wake(). I opt for the former,
as it is the behavior prior to the offending commit, and so seems safe
to do.

Fixes: deb35c129b859b9bec70fd42f856a0b7c1dc6e61 ("nfs: Run co BH CB in the coroutine’s AioContext")
Buglink: https://gitlab.com/qemu-project/qemu/-/issues/2622#note_2965097035
Cc: qemu-stable@nongnu.org
Signed-off-by: Hanna Czenczek
Message-ID: <20260102153246.154207-1-hreitz@redhat.com>
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf
(cherry picked from commit 1d6610099bd7fc159626a38e60a3c84343ff67f7)
Signed-off-by: Michael Tokarev

diff --git a/block/nfs.c b/block/nfs.c index 1d3a34a30c..b78f4f86e8 100644 --- a/block/nfs.c +++ b/block/nfs.c 
@@ -249,14 +249,15 @@ nfs_co_generic_cb(int ret, struct nfs_context *nfs, v= oid *data, } =20 /* - * Safe to call: nfs_service(), which called us, is only run from the = FD - * handlers, never from the request coroutine. The request coroutine = in - * turn will yield unconditionally. - * No need to release the lock, even if we directly enter the coroutin= e, as - * the lock is never re-taken after yielding. (Note: If we do enter t= he - * coroutine, @task will probably be dangling once aio_co_wake() retur= ns.) + * Using aio_co_wake() here could re-enter the coroutine directly, whi= le we + * still hold the mutex. The current request will not attempt to re-t= ake + * the mutex, so that is fine; but if the same coroutine then goes on = to + * submit another request, that new request will try to re-take the mu= tex, + * resulting in a deadlock. + * To prevent that, only schedule the coroutine so it will be entered = later, + * with the mutex released. */ - aio_co_wake(task->co); + aio_co_schedule(qemu_coroutine_get_aio_context(task->co), task->co); } =20 static int coroutine_fn nfs_co_preadv(BlockDriverState *bs, int64_t offset, 
@@ -716,8 +717,8 @@ nfs_get_allocated_file_size_cb(int ret, struct nfs_cont= ext *nfs, void *data, if (task->ret < 0) { error_report("NFS Error: %s", nfs_get_error(nfs)); } - /* Safe to call, see nfs_co_generic_cb() */ - aio_co_wake(task->co); + /* Must not use aio_co_wake(), see nfs_co_generic_cb() */ + aio_co_schedule(qemu_coroutine_get_aio_context(task->co), task->co); } =20 static int64_t coroutine_fn nfs_co_get_allocated_file_size(BlockDriverStat= e *bs) --=20 2.47.3
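
Review bot: The call aio_co_schedule(qemu_coroutine_get_aio_context(task->co), task->co) is now duplicated in nfs_co_generic_cb() and nfs_get_allocated_file_size_cb(), and the second site only points back at the first comment. A small static helper that carries the deadlock explanation once would make it harder for a future callback to reintroduce aio_co_wake(). The removed comment also warned that @task will probably be dangling once aio_co_wake() returns; the new comment should say whether @task may still be accessed after aio_co_schedule() returns.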

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Jens Axboe, Kevin Wolf, Stefan Hajnoczi, Michael Tokarev
Subject: [Stable-10.2.2 41/53] aio-posix: notify main loop when SQEs are queued
Date: Wed, 11 Mar 2026 22:34:34 +0300
Message-ID: <20260311193449.1096110-41-mjt@tls.msk.ru>

From: Jens Axboe

When a vCPU thread handles MMIO (holding BQL), aio_co_enter() runs the
block I/O coroutine inline on the vCPU thread because
qemu_get_current_aio_context() returns the main AioContext when BQL is
held. The coroutine calls luring_co_submit() which queues an SQE via
fdmon_io_uring_add_sqe(), but the actual io_uring_submit() only happens
in gsource_prepare() on the main loop thread.

Since the coroutine ran inline (not via aio_co_schedule()), no BH is
scheduled and aio_notify() is never called. The main loop remains asleep
in ppoll() with up to a 499ms timeout, leaving the SQE unsubmitted until
the next timer fires.

Fix this by calling aio_notify() after queuing the SQE. This wakes the
main loop via the eventfd so it can run gsource_prepare() and submit the
pending SQE promptly.

This is a generic fix that benefits all devices using aio=io_uring.
Without it, AHCI/SATA devices see MUCH worse I/O latency since they use
MMIO (not ioeventfd like virtio) and have no other mechanism to wake the
main loop after queuing block I/O.

This is usually a bit hard to detect, as it also relies on the ppoll
loop not waking up for other activity, and micro benchmarks tend not to
see it because they don't have any real processing time. With a
synthetic test case that has a few usleep() to simulate processing of
read data, it's very noticeable. The below example reads 128MB with
O_DIRECT in 128KB chunks in batches of 16, and has a 1ms delay before
each batch submit, and a 1ms delay after processing each completion.
Running it on /dev/sda yields:

time sudo ./iotest /dev/sda

________________________________________________________
Executed in   25.76 secs      fish           external
   usr time    6.19 millis  783.00 micros    5.41 millis
   sys time   12.43 millis  642.00 micros   11.79 millis

while on a virtio-blk or NVMe device we get:

time sudo ./iotest /dev/vdb

________________________________________________________
Executed in    1.25 secs      fish           external
   usr time    1.40 millis    0.30 millis    1.10 millis
   sys time   17.61 millis    1.43 millis   16.18 millis

time sudo ./iotest /dev/nvme0n1

________________________________________________________
Executed in    1.26 secs      fish           external
   usr time    6.11 millis    0.52 millis    5.59 millis
   sys time   13.94 millis    1.50 millis   12.43 millis

where the latter are consistent. If we run the same test but keep the
socket for the ssh connection active by having activity there, then
the sda test looks as follows:

time sudo ./iotest /dev/sda

________________________________________________________
Executed in    1.23 secs      fish           external
   usr time    2.70 millis   39.00 micros    2.66 millis
   sys time    4.97 millis  977.00 micros    3.99 millis

as now the ppoll loop is woken all the time anyway.

After this fix, on an idle system:

time sudo ./iotest /dev/sda

________________________________________________________
Executed in    1.30 secs      fish           external
   usr time    2.14 millis    0.14 millis    2.00 millis
   sys time   16.93 millis    1.16 millis   15.76 millis

Signed-off-by: Jens Axboe
Message-Id: <07d701b9-3039-4f9b-99a2-abeae51146a5@kernel.dk>
Reviewed-by: Kevin Wolf
[Generalize the comment since this applies to all vCPU thread activity,
not just coroutines, as suggested by Kevin Wolf. --Stefan]
Signed-off-by: Stefan Hajnoczi
(cherry picked from commit 2ae361ef1d7d526b07ff88d854552e2d009bfb1b)
Signed-off-by: Michael Tokarev

diff --git a/util/aio-posix.c b/util/aio-posix.c index e24b955fd9..488d964611 100644 --- a/util/aio-posix.c +++ b/util/aio-posix.c 
@@ -23,6 +23,7 @@ #include "qemu/rcu_queue.h" #include "qemu/sockets.h" #include "qemu/cutils.h" +#include "system/iothread.h" #include "trace.h" #include "aio-posix.h" =20 
@@ -813,5 +814,13 @@ void aio_add_sqe(void (*prep_sqe)(struct io_uring_sqe = *sqe, void *opaque), { AioContext *ctx =3D qemu_get_current_aio_context(); ctx->fdmon_ops->add_sqe(ctx, prep_sqe, opaque, cqe_handler); + + /* + * Wake the main loop if it is sleeping in ppoll(). When a vCPU thread + * queues SQEs, the actual io_uring_submit() only happens in + * gsource_prepare() in the main loop thread. Without this notify, the + * main loop thread's ppoll() can sleep up to 499ms before submitting. + */ + aio_notify(ctx); } #endif /* CONFIG_LINUX_IO_URING */ --=20 2.47.3
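
Review bot: The @@ -23,6 +23,7 @@ hunk adds #include "system/iothread.h", but the only code this patch adds is a comment and aio_notify(ctx) in aio_add_sqe(), and qemu_get_current_aio_context() was already called there before the change. If nothing else in the file needs the header, drop the include; if something does, the commit message should say what.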
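
Review bot: In aio_add_sqe(), aio_notify(ctx) is issued for every queued SQE, while the new comment only motivates it for the case where a vCPU thread queues SQEs. When the caller already runs in the thread that owns ctx, the wake-up should not be needed to get the SQE submitted. Either state in the comment that the unconditional notify is intentional and why its cost is acceptable, or restrict it to callers outside the owning thread.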

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Jens Axboe, Stefan Hajnoczi, Michael Tokarev
Subject: [Stable-10.2.2 42/53] fdmon-io_uring: check CQ ring directly in gsource_check
Date: Wed, 11 Mar 2026 22:34:35 +0300
Message-ID: <20260311193449.1096110-42-mjt@tls.msk.ru>

From: Jens Axboe

gsource_check() only looks at the ppoll revents for the io_uring fd,
but CQEs can be posted during gsource_prepare()'s io_uring_submit()
call via kernel task_work processing on syscall exit. These completions
are already sitting in the CQ ring but the ring fd may not be signaled
yet, causing gsource_check() to return false.

Add a fallback io_uring_cq_ready() check so completions that arrive
during submission are dispatched immediately rather than waiting for
the next ppoll() cycle.

Signed-off-by: Jens Axboe
Message-ID: <20260213143225.161043-3-axboe@kernel.dk>
Signed-off-by: Stefan Hajnoczi
(cherry picked from commit 961fcc0f22768e7c3432fc645b93dc7cd4932fae)
Signed-off-by: Michael Tokarev

diff --git a/util/fdmon-io_uring.c b/util/fdmon-io_uring.c index d0b56127c6..b81e412402 100644 --- a/util/fdmon-io_uring.c +++ b/util/fdmon-io_uring.c 
@@ -344,7 +344,19 @@ static void fdmon_io_uring_gsource_prepare(AioContext = *ctx) static bool fdmon_io_uring_gsource_check(AioContext *ctx) { gpointer tag =3D ctx->io_uring_fd_tag; - return g_source_query_unix_fd(&ctx->source, tag) & G_IO_IN; + + /* Check ppoll revents (normal path) */ + if (g_source_query_unix_fd(&ctx->source, tag) & G_IO_IN) { + return true; + } + + /* + * Also check for CQEs that may have been posted during prepare's + * io_uring_submit() via task_work on syscall exit. Without this, + * the main loop can miss completions and sleep in ppoll() until the + * next timer fires. + */ + return io_uring_cq_ready(&ctx->fdmon_io_uring); } =20 /* Dispatch CQE handlers that are ready */ --=20 2.47.3 From nobody Tue Apr 7 19:51:13 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773258236; cv=none; d=zohomail.com; s=zohoarc; b=kwRrUiQvBl/CoaPPvZbHgEiwDiJc38RrL0a3JikyQxOjqt3f/B0tJgcA504MIX1da0aUDizbjKCoMCo7nyCJEMr0sYHAQS3m6Lz7Jx79DKHi+5mtEre1jyxEiXgzaN3MWy3v7bcE8TM2qZhc0PcqkbhmUp5QYcYg+h6sXtXhdCg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773258236; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=8K1v8trSwp1dH04QNMo4EQM8aWDeFKEKJsj5LA+IMDg=; b=eXIW5eIPlzIBBL+nc49jap/zK7mTQRTPZby7b0vZz/2T3/dGESmFt4IQOoXrilNiPpZQSL0vq/exuyBh8kERHI4duWi36aNlpSZJe55oieyzP73xUIZ07MeWa1rBbanfhRAw22ZuKv+j5jWAQzvHNIgutVcadwFPUPay9+A6JZY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) 
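Review bot: the new final return in fdmon_io_uring_gsource_check() relies on implicit conversion of io_uring_cq_ready()'s unsigned count to bool. Writing it as `return io_uring_cq_ready(&ctx->fdmon_io_uring) > 0;` would make explicit that any pending CQE counts as ready. The added comment could also say that dispatch may now run with G_IO_IN unset, so the CQE dispatch path must not assume the ring fd was signaled.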
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Dmitry Osipenko, Alex Bennée, Michael Tokarev
Subject: [Stable-10.2.2 43/53] virtio-gpu: Ensure BHs are invoked only from main-loop thread
Date: Wed, 11 Mar 2026 22:34:36 +0300
Message-ID: <20260311193449.1096110-43-mjt@tls.msk.ru>

From: Dmitry Osipenko

QEMU's display GL core is tied to main-loop thread and virtio-gpu interacts with display while processing GPU commands. Virtio-gpu BHs work in generic AIO context that can be invoked on vCPU thread, while GL and UI toolkits are bound to the main-loop thread. Make virtio-gpu BHs use iohandler AIO context that is handled in a main-loop thread only.

 0  SDL_GL_MakeCurrent() (libSDL3)
 1  SDL_GL_MakeCurrent_REAL() (libSDL2)
 2  sdl2_gl_make_context_current() (ui/sdl2-gl.c:201)
 3  make_current() (virglrenderer.c:639)
 4  vrend_finish_context_switch() (vrend_renderer.c:11630)
 5  vrend_hw_switch_context() (vrend_renderer.c:11613)
 6  vrend_renderer_force_ctx_0() (vrend_renderer.c:12986)
 7  virgl_renderer_force_ctx_0() (virglrenderer.c:460)
 8  virtio_gpu_virgl_process_cmd() (virtio-gpu-virgl.c:1013)
 9  virtio_gpu_process_cmdq() (virtio-gpu.c:1050)
 10 virtio_gpu_gl_handle_ctrl() (virtio-gpu-gl.c:86)
 11 aio_bh_poll() (util/async.c)
 12 aio_poll() (util/aio-posix.c)
 13 blk_pwrite() (block/block-gen.c:1985)
 14 pflash_update() (pflash_cfi01.c:396)
 15 pflash_write() (pflash_cfi01.c:541)
 16 memory_region_dispatch_write() (system/memory.c:1554)
 17 flatview_write() (system/physmem.c:3333)
 18 address_space_write() (system/physmem.c:3453)
 19 kvm_cpu_exec() (accel/kvm/kall-all.c:3248)
 20 kvm_vcpu_thread_fn() (accel/kvm/kaccel-ops.c:53)

Cc: qemu-stable@nongnu.org
Signed-off-by: Dmitry Osipenko
Message-ID: <20260303151422.977399-8-dmitry.osipenko@collabora.com>
Message-ID: <20260304165043.1437519-10-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée
(cherry picked from commit 235f9b36383e4cc7a790bca51eddbe38edd5438c)
Signed-off-by: Michael Tokarev
diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c index 4e515c4ef6..1129301d91 100644 --- a/hw/display/virtio-gpu-virgl.c +++ b/hw/display/virtio-gpu-virgl.c 
@@ -1203,9 +1203,9 @@ int virtio_gpu_virgl_init(VirtIOGPU *g) } =20 #if VIRGL_VERSION_MAJOR >=3D 1 - gl->cmdq_resume_bh =3D aio_bh_new(qemu_get_aio_context(), - virtio_gpu_virgl_resume_cmdq_bh, - g); + gl->cmdq_resume_bh =3D virtio_bh_io_new_guarded(DEVICE(g), + virtio_gpu_virgl_resume_= cmdq_bh, + g); #endif =20 return 0; diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c index 43e88a4daf..ad1ebc0fcd 100644 --- a/hw/display/virtio-gpu.c +++ b/hw/display/virtio-gpu.c @@ -1526,9 +1526,9 @@ void virtio_gpu_device_realize(DeviceState *qdev, Err= or **errp) =20 g->ctrl_vq =3D virtio_get_queue(vdev, 0); g->cursor_vq =3D virtio_get_queue(vdev, 1); - g->ctrl_bh =3D virtio_bh_new_guarded(qdev, virtio_gpu_ctrl_bh, g); - g->cursor_bh =3D virtio_bh_new_guarded(qdev, virtio_gpu_cursor_bh, g); - g->reset_bh =3D qemu_bh_new(virtio_gpu_reset_bh, g); + g->ctrl_bh =3D virtio_bh_io_new_guarded(qdev, virtio_gpu_ctrl_bh, g); + g->cursor_bh =3D virtio_bh_io_new_guarded(qdev, virtio_gpu_cursor_bh, = g); + g->reset_bh =3D virtio_bh_io_new_guarded(qdev, virtio_gpu_reset_bh, g); qemu_cond_init(&g->reset_cond); QTAILQ_INIT(&g->reslist); QTAILQ_INIT(&g->cmdq); diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 257cda506a..683026adc4 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -4475,3 +4475,13 @@ QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, return qemu_bh_new_full(cb, opaque, name, &transport->mem_reentrancy_guard); } + +QEMUBH *virtio_bh_io_new_guarded_full(DeviceState *dev, + QEMUBHFunc *cb, void *opaque, + const char *name) +{ + DeviceState *transport =3D qdev_get_parent_bus(dev)->parent; + + return aio_bh_new_full(iohandler_get_aio_context(), cb, opaque, name, + &transport->mem_reentrancy_guard); +} diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h index d97529c3f1..d5bd921581 100644 --- a/include/hw/virtio/virtio.h +++ b/include/hw/virtio/virtio.h 
@@ -547,4 +547,14 @@ QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, #define virtio_bh_new_guarded(dev, cb, opaque) \ virtio_bh_new_guarded_full((dev), (cb), (opaque), (stringify(cb))) =20 +/* + * The "_io" variant runs BH only on a main-loop thread, while generic BH + * may run on a vCPU thread. + */ +QEMUBH *virtio_bh_io_new_guarded_full(DeviceState *dev, + QEMUBHFunc *cb, void *opaque, + const char *name); +#define virtio_bh_io_new_guarded(dev, cb, opaque) \ + virtio_bh_io_new_guarded_full((dev), (cb), (opaque), (stringify(cb))) + #endif --=20 2.47.3 From nobody Tue Apr 7 19:51:13 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773257940; cv=none; d=zohomail.com; s=zohoarc; b=ji2R0c//7vRZSuYl8M6Fs8s7mHUcyVPNrv2qC6Y1q8HFkkYldM1jvnsjUYoCsu/oBBwgtkYrRXcJeR4LFCwA9mMiUo1CHG20qR396R725ZJBGKX8Ub+3/UE96q0nIvJcj6baRuiUyVJ9GO2Jsws9q/1nE9Qk9ScfUFN4EJnosEg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773257940; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=784p8Gh6cMhyXfqclR4YGQTlqlF1I4L+UWj90B/PoWo=; b=Dvt4Q3KWGiDwjpPF1NBT+4ziLIjnb61BMbXKrsjLUyWCoyY+1L+DYL2V0hJHWD1xL4SKMaOKVsjj5Y9kWufWhg6R8q4GsbPA1jIaKFtM4FX1hqZEZjhqcOi+uN1zHh4fHB0EnegwILiwoKmSHP+OlizsYCMKsoGS0ODK8J/pSy0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 
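Review bot: in virtio_gpu_device_realize(), reset_bh moves from qemu_bh_new() to virtio_bh_io_new_guarded(), and in virtio_gpu_virgl_init() cmdq_resume_bh moves from aio_bh_new() to the same helper, so both BHs gain the transport's mem_reentrancy_guard in addition to changing AIO context. The commit message only describes the context change; please say whether the added guard is intended for these two BHs.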
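Review bot: the comment added above virtio_bh_io_new_guarded_full() in virtio.h says where the BH runs but not when a device should choose the "_io" variant over virtio_bh_new_guarded(). A sentence tying it to callbacks that touch main-loop-only state (the GL/UI case from the commit message) and naming iohandler_get_aio_context() as the context used would keep later callers from picking the wrong helper.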
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Alistair Francis, "Edgar E. Iglesias", Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.2 44/53] hw/net/xilinx_ethlite: Check for oversized TX packets
Date: Wed, 11 Mar 2026 22:34:37 +0300
Message-ID: <20260311193449.1096110-44-mjt@tls.msk.ru>

From: Peter Maydell

The xilinx_ethlite network device wasn't checking that the TX packet size set by the guest was within the size of its dual port RAM, with the effect that the guest could get it to read off the end of the RAM block.

Check the length. There is no provision in this very simple device for reporting errors, so as with various RX errors we just report via tracepoint.

This lack of length check has been present since the device was first introduced, though the code implementing the tx path has changed somewhat since then.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3317
Fixes: b43848a1005ce ("xilinx: Add ethlite emulation")
Signed-off-by: Peter Maydell
Reviewed-by: Alistair Francis
Reviewed-by: Edgar E. Iglesias
Message-ID: <20260303172718.437015-1-peter.maydell@linaro.org>
[PMD: renamed size -> tx_size to avoid shadow=compatible-local error]
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit 6595a8d5d17ea1716ddafb34455ec2b29381e232)
Signed-off-by: Michael Tokarev
diff --git a/hw/net/trace-events b/hw/net/trace-events index 23efa91d05..001a20b0e2 100644 --- a/hw/net/trace-events +++ b/hw/net/trace-events @@ -527,3 +527,4 @@ xen_netdev_rx(int dev, int idx, int status, int flags) = "vif%u idx %d status %d f # xilinx_ethlite.c ethlite_pkt_lost(uint32_t rx_ctrl) "rx_ctrl:0x%" PRIx32 ethlite_pkt_size_too_big(uint64_t size) "size:0x%" PRIx64 +ethlite_pkt_tx_size_too_big(uint64_t size) "size:0x%" PRIx64 diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c index 42b19d07c7..665def8a34 100644 --- a/hw/net/xilinx_ethlite.c +++ b/hw/net/xilinx_ethlite.c 
@@ -162,9 +162,15 @@ static void port_tx_write(void *opaque, hwaddr addr, u= int64_t value, break; case TX_CTRL: if ((value & (CTRL_P | CTRL_S)) =3D=3D CTRL_S) { - qemu_send_packet(qemu_get_queue(s->nic), - txbuf_ptr(s, port_index), - s->port[port_index].reg.tx_len); + uint32_t tx_size =3D s->port[port_index].reg.tx_len; + + if (tx_size >=3D BUFSZ_MAX) { + trace_ethlite_pkt_tx_size_too_big(tx_size); + } else { + qemu_send_packet(qemu_get_queue(s->nic), + txbuf_ptr(s, port_index), + tx_size); + } if (s->port[port_index].reg.tx_ctrl & CTRL_I) { eth_pulse_irq(s); } --=20 2.47.3 From nobody Tue Apr 7 19:51:13 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773258235; cv=none; d=zohomail.com; s=zohoarc; b=blogWHSnRcrvPa0mQXLWe4nXgOWUks+q0jv0Q9d+d6veIglikcA80OTE9AsOj/GT3Nb6nfy5LFc2CDsHrj5T9xhEH+apFur53aX3Uu/iHOhLVXBcEwwLP10O4UznUnMwqO9b9p5ApqsudzW0MMrIeRCfdFX4YdAL60uQ/kmsLqc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773258235; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=HvsGeHejDKU1xHqR90dgIAEGfqSgxsjnLoL3SdzjfDI=; b=CYrTmpMSszVoHZ/NIabQN396STUvGRj7aNTHXGr6uHU+KdIEubCV0TyASqy0TqV1vRuMk8uQGSzt6iitAuskRABh4qMwLSOZyx+N3TB0KhCpdC8kPXG1Cf2lgGGjfUmU/FMt5PPlTBTWwnvKYaqBjtZvaGKCY26iijmUule4CwM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 
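Review bot: the new check in the TX_CTRL case rejects tx_size >= BUFSZ_MAX, so a length of exactly BUFSZ_MAX is dropped as well; a short comment saying why the bound is inclusive would help, since the definition of BUFSZ_MAX and the offset txbuf_ptr() starts from are not visible in this hunk. The unchanged CTRL_I branch below still calls eth_pulse_irq() for a dropped packet, which is worth stating in a comment given that the tracepoint is the only error report.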
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Bingwu Zhang, Helge Deller, Michael Tokarev
Subject: [Stable-10.2.2 45/53] linux-user: Deal with mmap where start > reserved_va
Date: Wed, 11 Mar 2026 22:34:38 +0300
Message-ID: <20260311193449.1096110-45-mjt@tls.msk.ru>

From: Bingwu Zhang

Fixes: 4c13048e02d9 ("linux-user: Use page_find_range_empty for mmap_find_vma_reserved")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3310
Signed-off-by: Bingwu Zhang
Reviewed-by: Helge Deller
Signed-off-by: Helge Deller
(cherry picked from commit f2813e13fe910e01127271a87177a477b9438bc6)
Signed-off-by: Michael Tokarev
diff --git a/linux-user/mmap.c b/linux-user/mmap.c index 4bcfaf7894..281082c2d0 100644 --- a/linux-user/mmap.c +++ b/linux-user/mmap.c 
@@ -423,12 +423,15 @@ abi_ulong mmap_next_start; static abi_ulong mmap_find_vma_reserved(abi_ulong start, abi_ulong size, abi_ulong align) { - target_ulong ret; + target_ulong ret =3D -1; =20 - ret =3D page_find_range_empty(start, reserved_va, size, align); + if (start <=3D reserved_va) { + ret =3D page_find_range_empty(start, reserved_va, size, align); + } if (ret =3D=3D -1 && start > mmap_min_addr) { /* Restart at the beginning of the address space. */ - ret =3D page_find_range_empty(mmap_min_addr, start - 1, size, alig= n); + ret =3D page_find_range_empty(mmap_min_addr, MIN(start - 1, reserv= ed_va), + size, align); } =20 return ret; --=20 2.47.3 From nobody Tue Apr 7 19:51:13 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773258100; cv=none; d=zohomail.com; s=zohoarc; b=JY/lPeXGCMaZANW0U5/yTKxQppb21JZLn5jN92fx/HFEI4bA3dPgUL1JhTogw74ygDmh87xHOtE07YHHq5vREtlzPwYX2G5zkiGBW6VONfvYkrGn36h6sec4UxEH/4XcX05HKCH/vkjTW00/WxkUS7lFcerElpwb1ZSNHCWYw7s= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773258100; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=RgIUWDUHSYIu5/jF+H29gwP1b987TGp1idwlb7gnRRE=; b=Mcm4rMHbeRCe/Q+Z4ac5NJiDLFIEi0PJtp68jeGVW3abHomFQVHztf0odVCMNp7JtyCW5ueamJwey7VzIIIHRk/6YZI/2Hphpg4rrVnB9RlKzyuD1D0lWlNYSRB0F3PtBzOIJSELOkMVS3DmRT74hEbpgPlW/pWOucYZ5PjA+W0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org 
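Review bot: in mmap_find_vma_reserved(), ret stays declared as target_ulong although the function returns abi_ulong and the bsd-user counterpart of this change uses abi_ulong; since the declaration line is being modified anyway, switching it to abi_ulong would keep the -1 sentinel comparison and the return value in one type. The commit message also has no body, so a sentence describing the failure when start > reserved_va would help stable maintainers judge the backport.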
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Bingwu Zhang, Helge Deller, Warner Losh, Michael Tokarev
Subject: [Stable-10.2.2 46/53] bsd-user: Deal with mmap where start > reserved_va
Date: Wed, 11 Mar 2026 22:34:39 +0300
Message-ID: <20260311193449.1096110-46-mjt@tls.msk.ru>

From: Bingwu Zhang

Fixes: f12294b5bd21 ("bsd-user: Use page_find_range_empty for mmap_find_vma_reserved")
Signed-off-by: Bingwu Zhang
Reviewed-by: Helge Deller
Reviewed-by: Warner Losh
Signed-off-by: Helge Deller
(cherry picked from commit e8e7d1f97785be2fd81fc520e0c7b9d228c10a56)
Signed-off-by: Michael Tokarev
diff --git a/bsd-user/mmap.c b/bsd-user/mmap.c index 24ba1728eb..fe77eceb48 100644 --- a/bsd-user/mmap.c +++ b/bsd-user/mmap.c 
@@ -258,12 +258,14 @@ abi_ulong mmap_next_start =3D TASK_UNMAPPED_BASE; static abi_ulong mmap_find_vma_reserved(abi_ulong start, abi_ulong size, abi_ulong alignment) { - abi_ulong ret; + abi_ulong ret =3D -1; =20 - ret =3D page_find_range_empty(start, reserved_va, size, alignment); + if (start <=3D reserved_va) { + ret =3D page_find_range_empty(start, reserved_va, size, alignment); + } if (ret =3D=3D -1 && start > TARGET_PAGE_SIZE) { /* Restart at the beginning of the address space. */ - ret =3D page_find_range_empty(TARGET_PAGE_SIZE, start - 1, + ret =3D page_find_range_empty(TARGET_PAGE_SIZE, MIN(start - 1, res= erved_va), size, alignment); } =20 --=20 2.47.3 From nobody Tue Apr 7 19:51:13 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1773258086; cv=none; d=zohomail.com; s=zohoarc; b=hxtKi5mjO80G7LQHkUO2SJWFu7nvY4wYgZVZG5Y2C9DhWOGwYTxE79av+aYNmrNu1jnSrZIlAxSnmQdhZ3OtS2gJeP90cnMTvZiwdW9dnRIlBTIanDoEReuTlqj59Qg0Rsll6r2Zrtgcs0qznKZUPm65i2FiqPSPxFJwZaqPbww= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773258086; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=DMAAGrsm3kVk7l/bXuA2rKxaEQt3VPXYmmmROQgvT5o=; b=SHobSMqfcE280I6ZXKbpyLco/aqZXf46hrFXLaUr1avX60bTIsOehuc80TsJ0w49ZlHB5rI+2bqkdoPSQK5UaHz62H6bCenPFEJedpUFTqFfYKikKAq5jD4he1jLloe+BW746OX2bTTPcYPn8AaMxFxs8gKgbx0a6omsUIG3VIA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from 
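Review bot: the existing comment "Restart at the beginning of the address space" in mmap_find_vma_reserved() now also covers the case where the first search was skipped because start > reserved_va, and the upper bound of the second search becomes reserved_va rather than start - 1. Please update the comment to mention both cases. The rewritten page_find_range_empty() call line with MIN(start - 1, reserved_va) also looks longer than 80 columns and could be wrapped after the first argument.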
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Bingwu Zhang, Helge Deller, Michael Tokarev
Subject: [Stable-10.2.2 47/53] tests/tcg/multiarch/test-mmap: Check mmaps beyond reserved_va
Date: Wed, 11 Mar 2026 22:34:40 +0300
Message-ID: <20260311193449.1096110-47-mjt@tls.msk.ru>

From: Bingwu Zhang

Unfixed mmap calls where start > reserved_va or the max guest addr should have a valid result.

Signed-off-by: Bingwu Zhang
Signed-off-by: Helge Deller
(cherry picked from commit c865b6bce5d0c882b86fb7c3512174cdaf235017)
Signed-off-by: Michael Tokarev
diff --git a/tests/tcg/multiarch/test-mmap.c b/tests/tcg/multiarch/test-mma= p.c index e297f4b1e9..fd9055a90e 100644 --- a/tests/tcg/multiarch/test-mmap.c +++ b/tests/tcg/multiarch/test-mmap.c 
@@ -491,6 +491,20 @@ void check_shrink_mmaps(void) munmap(c, 2 * pagesize); } =20 +void check_mmaps_beyond_addr_space(void) +{ + unsigned char *addr; + addr =3D mmap((void *)(-(unsigned long)pagesize * 10), pagesize * 2, + PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + fprintf(stdout, "%s addr=3D%p errno=3D%d", __func__, (void *)addr, err= no); + fail_unless(addr !=3D MAP_FAILED); + + memcpy(dummybuf, addr, 2 * pagesize); + munmap(addr, 2 * pagesize); + + fprintf(stdout, " passed\n"); +} + int main(int argc, char **argv) { char tempname[] =3D "/tmp/.cmmapXXXXXX"; 
@@ -534,6 +548,7 @@ int main(int argc, char **argv) check_file_unfixed_eof_mmaps(); check_invalid_mmaps(); check_shrink_mmaps(); + check_mmaps_beyond_addr_space(); =20 /* Fails at the moment. */ /* check_aligned_anonymous_fixed_mmaps_collide_with_host(); */ --=20 2.47.3
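Review bot: in check_mmaps_beyond_addr_space() the fprintf prints errno unconditionally, before fail_unless() and even when mmap() succeeded, so a passing run logs whatever stale errno an earlier check left behind. Clear errno before the mmap() call or print it only on the MAP_FAILED path. The memcpy() into dummybuf also assumes that buffer holds at least 2 * pagesize bytes, which is worth a short comment, and the munmap() return value goes unchecked.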
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Andreas Schwab, Helge Deller, Michael Tokarev
Subject: [Stable-10.2.2 48/53] linux-user: fix TIOCGSID ioctl
Date: Wed, 11 Mar 2026 22:34:41 +0300
Message-ID: <20260311193449.1096110-48-mjt@tls.msk.ru>

From: Andreas Schwab

TIOCGSID is IOC_R, not IOC_W.

Signed-off-by: Andreas Schwab
Reviewed-by: Helge Deller
Signed-off-by: Helge Deller
(cherry picked from commit 6a1221614fd9344a22cafea78e48d6ded95f317d)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h index 6ecfe6306e..5b7d00e92f 100644 --- a/linux-user/ioctls.h +++ b/linux-user/ioctls.h
@@ -26,7 +26,7 @@ IOCTL(TIOCSCTTY, 0, TYPE_INT) IOCTL(TIOCGPGRP, IOC_R, MK_PTR(TYPE_INT)) IOCTL(TIOCSPGRP, IOC_W, MK_PTR(TYPE_INT)) - IOCTL(TIOCGSID, IOC_W, MK_PTR(TYPE_INT)) + IOCTL(TIOCGSID, IOC_R, MK_PTR(TYPE_INT)) IOCTL(TIOCOUTQ, IOC_R, MK_PTR(TYPE_INT)) IOCTL(TIOCSTI, IOC_W, MK_PTR(TYPE_INT)) IOCTL(TIOCMGET, IOC_R, MK_PTR(TYPE_INT)) --=20 2.47.3
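Review bot: the changed IOCTL(TIOCGSID, ...) entry now carries the same IOC_R direction as the TIOCGPGRP getter two lines above it, but nothing in the patch exercises it, so the direction flag could regress unnoticed. A small linux-user test that issues TIOCGSID on a terminal and checks the returned session ID would cover it, and the commit message could state what the guest observed with the wrong flag.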
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.2 49/53] hw/net/npcm_gmac: Catch accesses off the end of the register array
Date: Wed, 11 Mar 2026 22:34:42 +0300
Message-ID: <20260311193449.1096110-49-mjt@tls.msk.ru>

From: Peter Maydell

In the npcm_gmac device, we create the iomem MemoryRegion with a size of 8KB, but NPCM_GMAC_NR_REGS is only 0x1060 / 4. This means there's a range of offsets that the guest can access that don't have gmac->regs[] entries. We weren't catching this, so the guest could get us to index off the end of the regs array.

Catch and log these invalid accesses.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3316
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Message-ID: <20260306154016.2194091-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit 550391c7134d295d73b2b0e7a1111a922b78c13c)
Signed-off-by: Michael Tokarev

diff --git a/hw/net/npcm_gmac.c b/hw/net/npcm_gmac.c index 5e32cd3edf..176cd604d8 100644 --- a/hw/net/npcm_gmac.c +++ b/hw/net/npcm_gmac.c @@ -700,6 +700,13 @@ static uint64_t npcm_gmac_read(void *opaque, hwaddr of= fset, unsigned size) NPCMGMACState *gmac =3D opaque; uint32_t v =3D 0; =20 + if (offset >=3D NPCM_GMAC_REG_SIZE) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid register offset: 0x%04" HWADDR_PRIx"\n", + DEVICE(gmac)->canonical_path, offset); + return v; + } + switch (offset) { /* Write only registers */ case A_NPCM_DMA_XMT_POLL_DEMAND: @@ -724,6 +731,13 @@ static void npcm_gmac_write(void *opaque, hwaddr offse= t, =20 trace_npcm_gmac_reg_write(DEVICE(gmac)->canonical_path, offset, v); =20 + if (offset >=3D NPCM_GMAC_REG_SIZE) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid register offset: 0x%04" HWADDR_PRIx"\n", + DEVICE(gmac)->canonical_path, offset); + return; + } + switch (offset) { /* Read only registers */ case A_NPCM_GMAC_VERSION: diff --git a/include/hw/net/npcm_gmac.h b/include/hw/net/npcm_gmac.h index 6340ffe92c..0c21b25a82 100644 --- a/include/hw/net/npcm_gmac.h +++ b/include/hw/net/npcm_gmac.h
@@ -24,7 +24,8 @@ #include "hw/sysbus.h" #include "net/net.h" =20 -#define NPCM_GMAC_NR_REGS (0x1060 / sizeof(uint32_t)) +#define NPCM_GMAC_REG_SIZE 0x1060 +#define NPCM_GMAC_NR_REGS (NPCM_GMAC_REG_SIZE / sizeof(uint32_t)) =20 #define NPCM_GMAC_MAX_PHYS 32 #define NPCM_GMAC_MAX_PHY_REGS 32 --=20 2.47.3
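Review bot: the two new qemu_log_mask() calls in npcm_gmac_read() and npcm_gmac_write() emit the identical message, prefixed with the device path rather than the function, so a log line does not say whether the out-of-range access was a read or a write; add the direction (or __func__) to the format string. In the read path, return 0 would be clearer than return v, which relies on the initialiser several lines up. NPCM_GMAC_REG_SIZE in the header would benefit from a comment noting that the MemoryRegion is larger than the register array, since that mismatch is the reason for the check.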
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.2 50/53] hw: Make qdev_get_printable_name() consistently return freeable string
Date: Wed, 11 Mar 2026 22:34:43 +0300
Message-ID: <20260311193449.1096110-50-mjt@tls.msk.ru>

From: Peter Maydell

The current implementation of qdev_get_printable_name() sometimes returns a string that must not be freed (vdev->id or the fixed fallback string "" and sometimes returns a string that must be freed (the return value of qdev_get_dev_path()). This forces callers to leak the string in the "must be freed" case.

Make the function consistent that it always returns a string that the caller must free, and make the three callsites free it.

This fixes leaks like this that show up when running "make check" with the address sanitizer enabled:

Direct leak of 13 byte(s) in 1 object(s) allocated from:
    #0 0x5561de21f293 in malloc (/home/pm215/qemu/build/san/qemu-system-i386+0x1a2d293) (BuildId: 6d6fad7130fd5c8dbbc03401df554f68b8034936)
    #1 0x767ad7a82ac9 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62ac9) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
    #2 0x5561deaf34f2 in pcibus_get_dev_path /home/pm215/qemu/build/san/../../hw/pci/pci.c:2792:12
    #3 0x5561df9d8830 in qdev_get_printable_name /home/pm215/qemu/build/san/../../hw/core/qdev.c:431:24
    #4 0x5561deebdca2 in virtio_init_region_cache /home/pm215/qemu/build/san/../../hw/virtio/virtio.c:298:17
    #5 0x5561df05f842 in memory_region_write_accessor /home/pm215/qemu/build/san/../../system/memory.c:491:5
    #6 0x5561df05ed1b in access_with_adjusted_size /home/pm215/qemu/build/san/../../system/memory.c:567:18
    #7 0x5561df05e3fa in memory_region_dispatch_write /home/pm215/qemu/build/san/../../system/memory.c
    #8 0x5561df0aa805 in address_space_stm_internal /home/pm215/qemu/build/san/../../system/memory_ldst.c.inc:85:13
    #9 0x5561df0bcad3 in qtest_process_command /home/pm215/qemu/build/san/../../system/qtest.c:480:13

Cc: qemu-stable@nongnu.org
Fixes: e209d4d7a31b9 ("virtio: improve virtqueue mapping error messages")
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Message-ID: <20260307155046.3940197-3-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit 1e3e1d51e20e8b38efa089bf54b5ee2cbbcca221)
Signed-off-by: Michael Tokarev

diff --git a/hw/core/qdev.c b/hw/core/qdev.c index fab42a7270..ce0ee9fcef 100644 --- a/hw/core/qdev.c +++ b/hw/core/qdev.c @@ -420,7 +420,7 @@ const char *qdev_get_printable_name(DeviceState *vdev) * names. */ if (vdev->id) { - return vdev->id; + return g_strdup(vdev->id); } /* * Fall back to the canonical QOM device path (eg. ID for PCI @@ -437,7 +437,7 @@ const char *qdev_get_printable_name(DeviceState *vdev) * Final fallback: if all else fails, return a placeholder string. * This ensures the error message always contains a valid string. */ - return ""; + return g_strdup(""); } =20 void qdev_add_unplug_blocker(DeviceState *dev, Error *reason) diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 683026adc4..deb7c6695e 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -258,10 +258,12 @@ void virtio_init_region_cache(VirtIODevice *vdev, int= n) len =3D address_space_cache_init(&new->desc, vdev->dma_as, addr, size, packed); if (len < size) { + g_autofree const char *devname =3D qdev_get_printable_name(DEVICE(= vdev)); + virtio_error(vdev, "Failed to map descriptor ring for device %s: " "invalid guest physical address or corrupted queue setup", - qdev_get_printable_name(DEVICE(vdev))); + devname); goto err_desc; } =20 @@ -269,10 +271,12 @@ void virtio_init_region_cache(VirtIODevice *vdev, int= n) len =3D address_space_cache_init(&new->used, vdev->dma_as, vq->vring.used, size, true); if (len < size) { + g_autofree const char *devname =3D qdev_get_printable_name(DEVICE(= vdev)); + virtio_error(vdev, "Failed to map used ring for device %s: " "possible guest misconfiguration or insufficient memory", - qdev_get_printable_name(DEVICE(vdev))); + devname); goto err_used; } =20
@@ -280,10 +284,12 @@ void virtio_init_region_cache(VirtIODevice *vdev, int= n) len =3D address_space_cache_init(&new->avail, vdev->dma_as, vq->vring.avail, size, false); if (len < size) { + g_autofree const char *devname =3D qdev_get_printable_name(DEVICE(= vdev)); + virtio_error(vdev, "Failed to map avalaible ring for device %s: " "possible queue misconfiguration or overlapping memory reg= ion", - qdev_get_printable_name(DEVICE(vdev))); + devname); goto err_avail; } =20 diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h index 2caa0cbd26..774329bba9 100644 --- a/include/hw/qdev-core.h +++ b/include/hw/qdev-core.h 
@@ -1065,6 +1065,22 @@ bool qdev_set_parent_bus(DeviceState *dev, BusState = *bus, Error **errp); extern bool qdev_hot_removed; =20 char *qdev_get_dev_path(DeviceState *dev); + +/** + * qdev_get_printable_name: Return human readable name for device + * @dev: Device to get name of + * + * Returns: A newly allocated string containing some human + * readable name for the device, suitable for printing in + * user-facing error messages. The function will never return NULL, + * so the name can be used without further checking or fallbacks. + * + * If the device has an explicitly set ID (e.g. by the user on the + * command line via "-device thisdev,id=3Dmyid") this is preferred. + * Otherwise we try the canonical QOM device path (which will be + * the PCI ID for PCI devices, for example). If all else fails + * we will return the placeholder ". + */ const char *qdev_get_printable_name(DeviceState *dev); =20 void qbus_set_hotplug_handler(BusState *bus, Object *handler); --=20 2.47.3
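Review bot: the prototype in include/hw/qdev-core.h still returns const char * although the new doc comment says the string is newly allocated, which is why every caller in virtio_init_region_cache() needs g_autofree const char *devname; returning char *, like qdev_get_dev_path() declared just above, would make the ownership visible in the type. The doc comment should also say outright that the caller frees the result with g_free(). Separately, the context line in the third virtio.c hunk still spells the message "avalaible ring".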
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, rail5, Bibo Mao, Song Gao, Michael Tokarev
Subject: [Stable-10.2.2 51/53] target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch
Date: Wed, 11 Mar 2026 22:34:44 +0300
Message-ID: <20260311193449.1096110-51-mjt@tls.msk.ru>

From: rail5

loongarch_cpu_do_interrupt() updates CSR_BADI by fetching the faulting instruction with cpu_ldl_code_mmu(). For a PNX exception (instruction fetch prohibited by NX), fetching the instruction at env->pc will fault with PNX again. This can lead to an infinite exception loop.

Treat PNX like other instruction-fetch exceptions (PIF/ADEF) and do not update CSR_BADI for it.

Fixes: 410dfbf620a ("target/loongarch: Move TCG specified functions to tcg_cpu.c")
Cc: qemu-stable@nongnu.org
Signed-off-by: rail5 (Andrew S. Rightenburg)
Reviewed-by: Bibo Mao
Reviewed-by: Song Gao
Signed-off-by: Song Gao
(cherry picked from commit db2325f79481fab87211e5a287580d753f582cb8)
Signed-off-by: Michael Tokarev

diff --git a/target/loongarch/tcg/tcg_cpu.c b/target/loongarch/tcg/tcg_cpu.c index 8615e03d14..e777139712 100644 --- a/target/loongarch/tcg/tcg_cpu.c +++ b/target/loongarch/tcg/tcg_cpu.c @@ -109,6 +109,7 @@ static void loongarch_cpu_do_interrupt(CPUState *cs) } QEMU_FALLTHROUGH; case EXCCODE_PIF: + case EXCCODE_PNX: case EXCCODE_ADEF: cause =3D cs->exception_index; update_badinstr =3D 0;
@@ -129,7 +130,6 @@ static void loongarch_cpu_do_interrupt(CPUState *cs) case EXCCODE_PIS: case EXCCODE_PME: case EXCCODE_PNR: - case EXCCODE_PNX: case EXCCODE_PPI: cause =3D cs->exception_index; break; --=20 2.47.3
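Review bot: the added case EXCCODE_PNX label between EXCCODE_PIF and EXCCODE_ADEF has no comment saying why it belongs in the update_badinstr = 0 group, so a later tidy-up could move it back next to EXCCODE_PNR and reintroduce the loop. A one-line comment on that group (fetching the instruction at env->pc would fault again) and a TCG test that jumps into an NX page would guard it.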
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, rail5, Bibo Mao, Song Gao, Michael Tokarev
Subject: [Stable-10.2.2 52/53] target/loongarch: Preserve PTE permission bits in LDPTE
Date: Wed, 11 Mar 2026 22:34:45 +0300
Message-ID: <20260311193449.1096110-52-mjt@tls.msk.ru>

From: rail5

The LDPTE helper loads a page table entry (or huge page entry) from
guest memory and currently applies the PALEN mask to the whole 64-bit
value.

That mask is intended to constrain the physical address bits, but
masking the full entry also clears upper permission bits in the PTE,
including NX (bit 62). As a result, LoongArch TCG can incorrectly allow
instruction fetches from NX mappings when translation is driven through
software page-walk.

Fix this by masking only the PPN/address field with PALEN while
preserving permission bits, and by clearing any non-architectural
(software) bits using a hardware PTE mask.

LDDIR is unchanged since it returns the base address of the next page
table level.

Reported at: https://gitlab.com/qemu-project/qemu/-/issues/3319
Fixes: 56599a705f2 ("target/loongarch: Introduce loongarch_palen_mask()")
Cc: qemu-stable@nongnu.org
Signed-off-by: rail5 (Andrew S. Rightenburg)
Reviewed-by: Bibo Mao
Reviewed-by: Song Gao
Signed-off-by: Song Gao
(cherry picked from commit 2d877bc02a3b94998cbdd784d194c173d308a98a)
(Mjt: backport to 10.2.x which lacks v10.2.0-1568-g56599a705f
 "target/loongarch: Introduce loongarch_palen_mask()")
Signed-off-by: Michael Tokarev

diff --git a/target/loongarch/cpu.c b/target/loongarch/cpu.c index d74c3c3766..e9b07382a5 100644 --- a/target/loongarch/cpu.c +++ b/target/loongarch/cpu.c @@ -430,6 +430,17 @@ static void loongarch_cpu_reset_hold(Object *obj, Rese= tType type) =20 #ifdef CONFIG_TCG env->fcsr0_mask =3D FCSR0_M1 | FCSR0_M2 | FCSR0_M3; + + if (is_la64(env)) { + env->hw_pte_mask =3D MAKE_64BIT_MASK(0, 9) | + R_TLBENTRY_64_PPN_MASK | + R_TLBENTRY_64_NR_MASK | + R_TLBENTRY_64_NX_MASK | + R_TLBENTRY_64_RPLV_MASK; + } else { + env->hw_pte_mask =3D MAKE_64BIT_MASK(0, 9) | + R_TLBENTRY_32_PPN_MASK; + } #endif env->fcsr0 =3D 0x0; =20 diff --git a/target/loongarch/cpu.h b/target/loongarch/cpu.h index 1a14469b3b..6fa2045fea 100644 --- a/target/loongarch/cpu.h +++ b/target/loongarch/cpu.h 
@@ -373,6 +373,7 @@ typedef struct CPUArchState { uint32_t fcsr0_mask; uint64_t lladdr; /* LL virtual address compared against SC */ uint64_t llval; + uint64_t hw_pte_mask; /* Mask of architecturally-defined (hardware) PT= E bits. */ #endif #ifndef CONFIG_USER_ONLY #ifdef CONFIG_TCG diff --git a/target/loongarch/tcg/tlb_helper.c b/target/loongarch/tcg/tlb_h= elper.c index 01e0a27f0b..02b6a35f87 100644 --- a/target/loongarch/tcg/tlb_helper.c +++ b/target/loongarch/tcg/tlb_helper.c @@ -686,6 +686,20 @@ bool loongarch_cpu_tlb_fill(CPUState *cs, vaddr addres= s, int size, cpu_loop_exit_restore(cs, retaddr); } =20 +static inline uint64_t loongarch_sanitize_hw_pte(CPULoongArchState *env, + uint64_t pte) +{ + uint64_t ppn_mask =3D is_la64(env) ? R_TLBENTRY_64_PPN_MASK : R_TLBENT= RY_32_PPN_MASK; + + /* + * Keep only architecturally-defined PTE bits. Guests may use some + * otherwise-unused bits for software purposes. + */ + pte &=3D env->hw_pte_mask; + + return (pte & ~ppn_mask) | ((pte & ppn_mask) & TARGET_PHYS_MASK); +} + target_ulong helper_lddir(CPULoongArchState *env, target_ulong base, uint32_t level, uint32_t mem_idx) { @@ -726,6 +740,7 @@ void helper_ldpte(CPULoongArchState *env, target_ulong = base, target_ulong odd, { CPUState *cs =3D env_cpu(env); target_ulong phys, tmp0, ptindex, ptoffset0, ptoffset1, badv; + uint64_t pte_raw; uint64_t ptbase =3D FIELD_EX64(env->CSR_PWCL, CSR_PWCL, PTBASE); uint64_t ptwidth =3D FIELD_EX64(env->CSR_PWCL, CSR_PWCL, PTWIDTH); uint64_t dir_base, dir_width; @@ -738,7 +753,6 @@ void helper_ldpte(CPULoongArchState *env, target_ulong = base, target_ulong odd, * and the other is the huge page entry, * whose bit 6 should be 1. */ - base =3D base & TARGET_PHYS_MASK; if (FIELD_EX64(base, TLBENTRY, HUGE)) { /* * Gets the huge page level and Gets huge page size. 
@@ -762,7 +776,7 @@ void helper_ldpte(CPULoongArchState *env, target_ulong = base, target_ulong odd, * when loaded into the tlb, * so the tlb page size needs to be divided by 2. */ - tmp0 =3D base; + tmp0 =3D loongarch_sanitize_hw_pte(env, base); if (odd) { tmp0 +=3D MAKE_64BIT_MASK(ps, 1); } 
@@ -774,12 +788,15 @@ void helper_ldpte(CPULoongArchState *env, target_ulon= g base, target_ulong odd, } else { badv =3D env->CSR_TLBRBADV; =20 + base =3D base & TARGET_PHYS_MASK; + ptindex =3D (badv >> ptbase) & ((1 << ptwidth) - 1); ptindex =3D ptindex & ~0x1; /* clear bit 0 */ ptoffset0 =3D ptindex << 3; ptoffset1 =3D (ptindex + 1) << 3; phys =3D base | (odd ? ptoffset1 : ptoffset0); - tmp0 =3D ldq_phys(cs->as, phys) & TARGET_PHYS_MASK; + pte_raw =3D ldq_le_phys(cs->as, phys); + tmp0 =3D loongarch_sanitize_hw_pte(env, pte_raw); ps =3D ptbase; } =20 --=20 2.47.3
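
Review bot: In the target/loongarch/cpu.c hunk, MAKE_64BIT_MASK(0, 9) appears in both the LA64 and LA32 branches with no name or comment saying which low PTE flag bits it is meant to keep. Since hw_pte_mask now decides which bits survive loongarch_sanitize_hw_pte(), a named constant or a one-line comment listing the covered bits would let a reader audit the mask; any architectural bit missing from it is silently cleared from every PTE that LDPTE loads.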
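
Review bot: In loongarch_sanitize_hw_pte() the comment documents only the hw_pte_mask step, while the return expression is the part that stops NX from being lost: it applies TARGET_PHYS_MASK to the bits under ppn_mask and passes every other bit through. Please add a sentence saying so, and note that TARGET_PHYS_MASK stands in for the PALEN mask here because 10.2.x lacks loongarch_palen_mask(). The ppn_mask initializer line also runs past 80 columns and should be wrapped.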
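
Review bot: The last helper_ldpte() hunk replaces ldq_phys() with ldq_le_phys(), which the commit message does not mention. That deserves a line in the description or the backport note, together with a check that the other page-table loads in tlb_helper.c on this branch use the same accessor so the walk reads entries consistently. pte_raw is used only in this else branch and could be declared there rather than at function scope.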

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Hanna Czenczek, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.2.2 53/53] fuse: Copy write buffer content before polling
Date: Wed, 11 Mar 2026 22:34:46 +0300
Message-ID: <20260311193449.1096110-53-mjt@tls.msk.ru>

From: Hanna Czenczek

aio_poll() in I/O functions can lead to nested read_from_fuse_export()
calls, overwriting the request buffer's content. The only function
affected by this is fuse_write(), which therefore must use a bounce
buffer or corruption may occur.

Note that in addition we do not know whether libfuse-internal structures
can cope with this nesting, and even if we did, we probably cannot rely
on it in the future. This is the main reason why we want to remove
libfuse from the I/O path.

I do not have a good reproducer for this other than:

$ dd if=/dev/urandom of=image bs=1M count=4096
$ dd if=/dev/zero of=copy bs=1M count=4096
$ touch fuse-export
$ qemu-storage-daemon \
    --blockdev file,node-name=file,filename=copy \
    --export \
    fuse,id=exp,node-name=file,mountpoint=fuse-export,writable=true \
    &

Other shell:
$ qemu-img convert -p -n -f raw -O raw -t none image fuse-export
$ killall -SIGINT qemu-storage-daemon
$ qemu-img compare image copy
Content mismatch at offset 0!

(The -t none in qemu-img convert is important.)

I tried reproducing this with throttle and small aio_write requests from
another qemu-io instance, but for some reason all requests are perfectly
serialized then.

I think in theory we should get parallel writes only if we set
fi->parallel_direct_writes in fuse_open(). In fact, I can confirm that
if we do that, that throttle-based reproducer works (i.e. does get
parallel (nested) write requests). I have no idea why we still get
parallel requests with qemu-img convert anyway.

Also, a later patch in this series will set fi->parallel_direct_writes
and note that it makes basically no difference when running fio on the
current libfuse-based version of our code. It does make a difference
without libfuse. So something quite fishy is going on.

I will try to investigate further what the root cause is, but I think
for now let's assume that calling blk_pwrite() can invalidate the buffer
contents through nested polling.

Cc: qemu-stable@nongnu.org
Reviewed-by: Kevin Wolf
Signed-off-by: Hanna Czenczek
Message-ID: <20260309150856.26800-2-hreitz@redhat.com>
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf
(cherry picked from commit a3fcbca0ef643a8aecf354bdeb08b1d81e5b33e7)
Signed-off-by: Michael Tokarev

diff --git a/block/export/fuse.c b/block/export/fuse.c index 465cc9891d..aec4d8736d 100644 --- a/block/export/fuse.c +++ b/block/export/fuse.c @@ -301,6 +301,12 @@ static void read_from_fuse_export(void *opaque) goto out; } =20 + /* + * Note that aio_poll() in any request-processing function can lead to= a + * nested read_from_fuse_export() call, which will overwrite the conte= nts of + * exp->fuse_buf. Anything that takes a buffer needs to take care tha= t the + * content is copied before potentially polling via aio_poll(). + */ fuse_session_process_buf(exp->fuse_session, &exp->fuse_buf); =20 out: @@ -624,6 +630,7 @@ static void fuse_write(fuse_req_t req, fuse_ino_t inode= , const char *buf, size_t size, off_t offset, struct fuse_file_info *f= i) { FuseExport *exp =3D fuse_req_userdata(req); + QEMU_AUTO_VFREE void *copied =3D NULL; int64_t length; int ret; =20 @@ -638,6 +645,14 @@ static void fuse_write(fuse_req_t req, fuse_ino_t inod= e, const char *buf, return; } =20 + /* + * Heed the note on read_from_fuse_export(): If we call aio_poll() (wh= ich + * any blk_*() I/O function may do), read_from_fuse_export() may be ne= sted, + * overwriting the request buffer content. Therefore, we must copy it= here. + */ + copied =3D blk_blockalign(exp->common.blk, size); + memcpy(copied, buf, size); + /** * Clients will expect short writes at EOF, so we have to limit * offset+size to the image length. @@ -660,7 +675,7 @@ static void fuse_write(fuse_req_t req, fuse_ino_t inode= , const char *buf, } } =20 - ret =3D blk_pwrite(exp->common.blk, offset, size, buf, 0); + ret =3D blk_pwrite(exp->common.blk, offset, size, copied, 0); if (ret >=3D 0) { fuse_reply_write(req, size); } else { --=20 2.47.3
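
Review bot: The comment added above fuse_session_process_buf() in read_from_fuse_export() says anything that takes a buffer must copy it, but does not say which request handlers receive a pointer into exp->fuse_buf. The commit message identifies fuse_write() as the only one affected; naming it in the comment would give whoever adds the next handler something concrete to compare against.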
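
Review bot: In the fuse_write() hunk at -638 the bounce copy is made with the full request size, before the code below limits offset+size to the image length, so a write reaching past EOF copies more bytes than blk_pwrite() will use. That ordering is needed if the length handling between the copy and blk_pwrite() calls any blk_*() function, since those may poll, but the comment should say so explicitly so the copy is not later moved below the clamp as an optimization.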