From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Daniel P. Berrangé, Alex Bennée, Yodel Eldar, Thomas Huth, Michael Tokarev
Subject: [Stable-10.2.3 001/117] hw/net/rtl8319: Work around GCC sanitizer / -Wstringop-overflow bug
Date: Tue, 12 May 2026 23:53:03 +0300
Message-ID: <20260512205503.361097-1-mjt@tls.msk.ru>

From: Peter Maydell

If you compile QEMU with GCC with -fsanitize=address and
-Wstringop-overflow, this causes GCC to produce a false-positive
warning which it does not produce when the sanitizer is not enabled
(and which makes compilation fail if you're using -Werror, as we do
by default for builds from git):

../../hw/net/rtl8139.c: In function ‘rtl8139_io_writeb’:
../../hw/net/rtl8139.c:2264:17: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=]
 2264 | memcpy(data_to_checksum, saved_ip_header + 12, 8);
      | ^
In file included from ../../hw/net/rtl8139.c:62:
/home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into destination object ‘ip_ver_len’ of size 1
   50 | uint8_t ip_ver_len; /* version and header length */
      |         ^~~~~~~~~~
../../hw/net/rtl8139.c:2192:21: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=]
 2192 | memcpy(data_to_checksum, saved_ip_header + 12, 8);
      | ^
/home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into destination object ‘ip_ver_len’ of size 1
   50 | uint8_t ip_ver_len; /* version and header length */
      |         ^~~~~~~~~~
../../hw/net/rtl8139.c:2192:21: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=]
 2192 | memcpy(data_to_checksum, saved_ip_header + 12, 8);
      | ^
/home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into destination object ‘ip_ver_len’ of size 1
   50 | uint8_t ip_ver_len; /* version and header length */
      |         ^~~~~~~~~~
In file included from /home/pm215/qemu/include/system/memory.h:21,
                 from /home/pm215/qemu/include/hw/pci/pci.h:4,
                 from /home/pm215/qemu/include/hw/pci/pci_device.h:4,
                 from ../../hw/net/rtl8139.c:54:
In function ‘stl_he_p’,
    inlined from ‘stl_be_p’ at /home/pm215/qemu/include/qemu/bswap.h:371:5,
    inlined from ‘rtl8139_cplus_transmit_one’ at ../../hw/net/rtl8139.c:2244:21,
    inlined from ‘rtl8139_cplus_transmit’ at ../../hw/net/rtl8139.c:2345:28,
    inlined from ‘rtl8139_io_writeb’ at ../../hw/net/rtl8139.c:2728:17:
/home/pm215/qemu/include/qemu/bswap.h:284:5: error: writing 4 bytes into a region of size 0 [-Werror=stringop-overflow=]
  284 | __builtin_memcpy(ptr, &v, sizeof(v));
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/pm215/qemu/include/net/eth.h: In function ‘rtl8139_io_writeb’:
/home/pm215/qemu/include/net/eth.h:50:14: note: at offset [24, 64] into destination object ‘ip_ver_len’ of size 1
   50 | uint8_t ip_ver_len; /* version and header length */
      |         ^~~~~~~~~~

This has been triaged as a bug in GCC:
 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114494
 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99673
(the sanitizer pass rewrites the IR in a way that conflicts with
its use by the warning pass that runs afterwards).

Since this is the only place in our code where we hit this, work
around it by disabling the -Wstringop-overflow in the part of
the function that hits it. We do this only when using the
address sanitizer on GCC, so that we still get the benefit of the
warning in most compilation scenarios.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3006
Suggested-by: Daniel P. Berrangé
Signed-off-by: Peter Maydell
Tested-by: Alex Bennée
Tested-by: Yodel Eldar
Reviewed-by: Alex Bennée
Reviewed-by: Thomas Huth
Message-id: 20260305140512.1330691-1-peter.maydell@linaro.org
(cherry picked from commit b83a42dc779a36b454ce6eeade4584018491faf4)
Signed-off-by: Michael Tokarev

diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c index 324fb932aa..eb0bc782bf 100644 --- a/hw/net/rtl8139.c +++ b/hw/net/rtl8139.c
@@ -2132,6 +2132,26 @@ static int rtl8139_cplus_transmit_one(RTL8139State *= s) hlen, ip->ip_sum); } =20 + /* + * The code in this function triggers a GCC bug where an + * interaction between -fsanitize=3Daddress and -Wstringop-ove= rflow + * results in a false-positive stringop-overflow warning that = is + * only emitted when the address sanitizer is enabled: + * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D114494 + * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D99673 + * GCC incorrectly thinks that the eth_payload_data buffer has + * the type and size of the first field in 'struct ip_header',= i.e. + * one byte, and then complains about all other attempts to ac= cess + * data in the buffer. + * + * Work around this by disabling the warning when building with + * GCC and the address sanitizer is enabled. + */ +#pragma GCC diagnostic push +#if !defined(__clang__) && defined(QEMU_SANITIZE_ADDRESS) +#pragma GCC diagnostic ignored "-Wstringop-overflow" +#endif + if ((txdw0 & CP_TX_LGSEN) && ip_protocol =3D=3D IP_PROTO_TCP) { /* Large enough for the TCP header? */ 
@@ -2315,6 +2335,9 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) /* restore IP header */ memcpy(eth_payload_data, saved_ip_header, hlen); } + +#pragma GCC diagnostic pop + } =20 skip_offload: --=20 2.47.3
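
Review bot: the suppression in hw/net/rtl8139.c runs from the "#pragma GCC diagnostic ignored" placed ahead of the CP_TX_LGSEN test to the "#pragma GCC diagnostic pop" after "restore IP header", so in GCC address-sanitizer builds every copy in that offload block loses -Wstringop-overflow, not only the memcpy and stl_be_p sites quoted in the commit message. The added comment should say that the non-sanitizer builds are what still provide this warning for the block, and should tie removal of the pragmas to GCC bugs 114494 and 99673 being fixed, so the workaround does not outlive the compiler bug.
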
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Razvan Ghiorghe, Helge Deller, Michael Tokarev
Subject: [Stable-10.2.3 002/117] linux-user: Fix zero_bss for RX PT_LOAD segments
Date: Tue, 12 May 2026 23:53:04 +0300
Message-ID: <20260512205503.361097-2-mjt@tls.msk.ru>

From: Razvan Ghiorghe

zero_bss() incorrectly assumed that any PT_LOAD containing .bss must be
writable, rejecting valid ELF binaries where .bss overlaps the tail of
an RX file-backed page.

Instead of failing, temporarily enable write access on the overlapping
page to zero the fractional bss range, then restore the original page
permissions once initialization is complete.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3179
Signed-off-by: Razvan Ghiorghe
Reviewed-by: Helge Deller
Signed-off-by: Helge Deller
(cherry picked from commit 2ff529c6f64b706213339d4bbce76c7788243ddb)
Signed-off-by: Michael Tokarev diff --git a/linux-user/elfload.c b/linux-user/elfload.c index 35471c0c9a..59b543f740 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -449,12 +449,6 @@ static bool zero_bss(abi_ulong start_bss, abi_ulong en= d_bss, { abi_ulong align_bss; =20 - /* We only expect writable bss; the code segment shouldn't need this. = */ - if (!(prot & PROT_WRITE)) { - error_setg(errp, "PT_LOAD with non-writable bss"); - return false; - } - align_bss =3D TARGET_PAGE_ALIGN(start_bss); end_bss =3D TARGET_PAGE_ALIGN(end_bss); =20 
@@ -472,20 +466,35 @@ static bool zero_bss(abi_ulong start_bss, abi_ulong e= nd_bss, */ align_bss -=3D TARGET_PAGE_SIZE; } else { + abi_ulong start_page_aligned =3D start_bss & TARGET_PAGE_MASK; /* - * The start of the bss shares a page with something. - * The only thing that we expect is the data section, - * which would already be marked writable. - * Overlapping the RX code segment seems malformed. + * The logical OR between flags and PAGE_WRITE works because + * in include/exec/page-protection.h they are defined as PROT_* + * values, matching mprotect(). + * Temporarily enable write access to zero the fractional bss. + * target_mprotect() handles TB invalidation if needed. */ if (!(flags & PAGE_WRITE)) { - error_setg(errp, "PT_LOAD with bss overlapping " - "non-writable page"); - return false; + if (target_mprotect(start_page_aligned, + TARGET_PAGE_SIZE, + prot | PAGE_WRITE) =3D=3D -1) { + error_setg_errno(errp, errno, + "Error enabling write access for bss"); + return false; + } } =20 - /* The page is already mapped and writable. */ + /* The page is already mapped and now guaranteed writable. 
*/ memset(g2h_untagged(start_bss), 0, align_bss - start_bss); + + if (!(flags & PAGE_WRITE)) { + if (target_mprotect(start_page_aligned, + TARGET_PAGE_SIZE, prot) =3D=3D -1) { + error_setg_errno(errp, errno, + "Error restoring bss first permissions= "); + return false; + } + } } } =20 --=20 2.47.3
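
Review bot: in the second zero_bss() hunk the decision to enable write access is made on flags ("!(flags & PAGE_WRITE)"), but both target_mprotect() calls build the protection from prot, and the restore passes plain prot. If the permissions already on the shared page differ from the segment's prot, the page does not come back with what it had before, which is what the commit message promises; restore from the value that was tested, or state in the comment why flags and prot agree at this point. The new comment also speaks of "the logical OR between flags and PAGE_WRITE" while the code ORs prot, so one of the two needs correcting. Minor: "Error restoring bss first permissions" would read better as "Error restoring permissions of first bss page".
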
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Razvan Ghiorghe, Helge Deller, Michael Tokarev
Subject: [Stable-10.2.3 003/117] linux-user: fix mremap with old_size=0 for shared mappings
Date: Tue, 12 May 2026 23:53:05 +0300
Message-ID: <20260512205503.361097-3-mjt@tls.msk.ru>

From: Razvan Ghiorghe

When old_size is zero and old_address refers to a shareable mapping,
mremap() should create a new mapping of the same pages according to the
mremap(2) man page. The MREMAP_MAYMOVE flag must be specified in this case.
Previously, QEMU's target_mremap() rejected this valid case with EFAULT
during the initial validation, before checking for the special
old_size == 0 behaviour.

This patch adds proper handling for old_size == 0:
- Validates that MREMAP_MAYMOVE flag is set (required by man spec)
- Passes the call through to the host mremap()
- Creates a new mapping without invalidating the original, with both
  being valid and sharing the same physical memory frames.
- Ensures the new mapping address falls within the valid guest address
  region before returning it to the guest.

Tested with the reproducer from the issue on qemu-riscv64, qemu-hppa, and
qemu-aarch64.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3105
Signed-off-by: Razvan Ghiorghe
Tested-by: Helge Deller
Reviewed-by: Helge Deller
Signed-off-by: Helge Deller
(cherry picked from commit 5e5b278d2b1b81fc2b5ca09dba4848f81cd3a718)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/mmap.c b/linux-user/mmap.c index 281082c2d0..502f582f97 100644 --- a/linux-user/mmap.c +++ b/linux-user/mmap.c
@@ -1120,6 +1120,58 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong= old_size, errno =3D EINVAL; return -1; } + + if (!old_size) { + if (!(flags & MREMAP_MAYMOVE)) { + errno =3D EINVAL; + return -1; + } + mmap_lock(); + if (flags & MREMAP_FIXED) { + host_addr =3D mremap(g2h_untagged(old_addr), old_size, new_siz= e, + flags, g2h_untagged(new_addr)); + } else { + /* + * We ensure that the new mapping stands in the + * region of guest mappable addresses. + */ + abi_ulong mmap_start; + + mmap_start =3D mmap_find_vma(0, new_size, TARGET_PAGE_SIZE); + + if (mmap_start =3D=3D -1) { + errno =3D ENOMEM; + mmap_unlock(); + return -1; + } + + host_addr =3D mremap(g2h_untagged(old_addr), old_size, new_siz= e, + flags | MREMAP_FIXED, g2h_untagged(mmap_start= )); + + new_addr =3D mmap_start; + } + + if (host_addr =3D=3D MAP_FAILED) { + mmap_unlock(); + return -1; + } + + if (flags & MREMAP_FIXED) { + new_addr =3D h2g(host_addr); + } + + prot =3D page_get_flags(old_addr); + /* + * For old_size zero, there is nothing to clear at old_addr. + * Only set the flags for the new mapping. They both are valid. 
+ */ + page_set_flags(new_addr, new_addr + new_size - 1, + prot | PAGE_VALID, PAGE_VALID); + shm_region_rm_complete(new_addr, new_addr + new_size - 1); + mmap_unlock(); + return new_addr; + } + if (!guest_range_valid_untagged(old_addr, old_size)) { errno =3D EFAULT; return -1; --=20 2.47.3
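
Review bot: the new old_size == 0 branch in target_mremap() returns before the guest_range_valid_untagged(old_addr, old_size) test that follows it, and nothing inside the branch validates the guest-supplied addresses. With MREMAP_FIXED, new_addr and new_size go straight to the host mremap() through g2h_untagged(new_addr); only the non-FIXED path constrains the destination, via mmap_find_vma(), so the commit message's "falls within the valid guest address region" holds for that path alone. Add a guest_range_valid_untagged(new_addr, new_size) check for the FIXED case and a validity check on old_addr before g2h_untagged(old_addr) is handed to the host. Minor: in the FIXED path "new_addr = h2g(host_addr)" only recomputes the value that was passed in.
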
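
The old_size == 0 semantics that the commit message of patch 003 describes can be checked with a small probe that runs natively or under a linux-user binary. This is an added example, not the reproducer from the issue and not QEMU code; the struct and function names are this example's own, and it assumes a Linux system with anonymous MAP_SHARED memory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of one duplication attempt (names are this example's own). */
struct alias_result {
    int distinct_addrs;   /* the new mapping got its own address */
    int old_still_mapped; /* the original range is still a valid mapping */
    int aliased;          /* writes through either view show up in the other */
};

/*
 * Create a MAP_SHARED anonymous region, then call
 * mremap(old, 0, len, MREMAP_MAYMOVE). Per mremap(2) this adds a second
 * mapping of the same pages and leaves the first one in place.
 * Returns 0 on success, -1 with errno set if mmap() or mremap() failed.
 */
static int probe_shared_alias(size_t len, struct alias_result *out)
{
    unsigned char *old_map, *new_map;
    int saved;

    old_map = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (old_map == MAP_FAILED) {
        return -1;
    }
    memset(old_map, 0xAA, len);

    new_map = mremap(old_map, 0, len, MREMAP_MAYMOVE);
    if (new_map == MAP_FAILED) {
        saved = errno;
        munmap(old_map, len);
        errno = saved;
        return -1;
    }

    out->distinct_addrs = (new_map != old_map);
    /* msync() fails with ENOMEM on an unmapped range, so it reports whether
     * the original survived without risking a SIGSEGV on a stale pointer. */
    out->old_still_mapped = (msync(old_map, len, MS_ASYNC) == 0);

    out->aliased = 0;
    if (out->old_still_mapped) {
        new_map[0] = 0x55;        /* write through the new view */
        old_map[len - 1] = 0x33;  /* write through the old view */
        out->aliased = (old_map[0] == 0x55 && new_map[len - 1] == 0x33);
    }

    if (out->distinct_addrs) {
        munmap(new_map, len);
    }
    if (out->old_still_mapped) {
        munmap(old_map, len);
    }
    return 0;
}

/*
 * Call mremap(p, 0, len, remap_flags) on a fresh anonymous mapping created
 * with map_type (MAP_SHARED or MAP_PRIVATE).
 * Returns 0 if the call succeeded, the errno value if it was rejected,
 * or -1 if the initial mmap() failed.
 */
static int probe_zero_size_errno(size_t len, int map_type, int remap_flags)
{
    void *p, *q;
    int err = 0;

    p = mmap(NULL, len, PROT_READ | PROT_WRITE, map_type | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        return -1;
    }
    q = mremap(p, 0, len, remap_flags);
    if (q == MAP_FAILED) {
        err = errno;
    } else if (q != p) {
        munmap(q, len);
    }
    munmap(p, len);
    return err;
}

int main(void)
{
    struct alias_result r = {0, 0, 0};
    size_t len = (size_t)sysconf(_SC_PAGESIZE) * 2;

    if (probe_shared_alias(len, &r) != 0) {
        printf("shared, MAYMOVE: failed: %s\n", strerror(errno));
        return 1;
    }
    printf("shared, MAYMOVE: distinct=%d old_still_mapped=%d aliased=%d\n",
           r.distinct_addrs, r.old_still_mapped, r.aliased);
    /* Both of these must be rejected; the errno is whatever the kernel
     * (or the emulator standing in for it) reports. */
    printf("shared, no MAYMOVE: errno=%d\n",
           probe_zero_size_errno(len, MAP_SHARED, 0));
    printf("private, MAYMOVE: errno=%d\n",
           probe_zero_size_errno(len, MAP_PRIVATE, MREMAP_MAYMOVE));
    return 0;
}
```

Built for a guest architecture and run under the matching linux-user binary, the first line should report the same three fields as a native run, and the two rejected cases should still fail.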
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Jim MacArthur, Michael Tokarev
Subject: [Stable-10.2.3 004/117] hw/dma/pl080: Handle bogus swidth and dwidth in transfers
Date: Tue, 12 May 2026 23:53:06 +0300
Message-ID: <20260512205503.361097-4-mjt@tls.msk.ru>

From: Peter Maydell

The PL080 TRM states that the DWidth and SWidth fields of the channel
control registers can only validly specify widths up to 32 bits
(i.e. values from 0 to 2) and all other values are reserved.
Currently we don't check this, so if the guest specifies an invalid
value we will transfer more data into our local 'buff[]' array than it
can hold.

Check the widths; since the TRM doesn't clearly specify any behaviour
for what to do on invalid values, we choose to log them and then
ignore the channel for transfers.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3203
Reviewed-by: Jim MacArthur
Signed-off-by: Peter Maydell
Message-id: 20260306152140.2191653-1-peter.maydell@linaro.org
(cherry picked from commit 37c9f6fce5c59db216e7f7ad961395b6e702bda9)
Signed-off-by: Michael Tokarev

diff --git a/hw/dma/pl080.c b/hw/dma/pl080.c index 277d934322..27b819187d 100644 --- a/hw/dma/pl080.c +++ b/hw/dma/pl080.c
@@ -164,6 +164,21 @@ again: destination widths are different. */ swidth =3D 1 << ((ch->ctrl >> 18) & 7); dwidth =3D 1 << ((ch->ctrl >> 21) & 7); + + /* Only widths of 1, 2 or 4 are valid */ + if (swidth > 4) { + qemu_log_mask(LOG_GUEST_ERROR, + "pl080: channel %d: invalid SWidth %d\n", + c, extract32(ch->ctrl, 18, 3)); + continue; + } + if (dwidth > 4) { + qemu_log_mask(LOG_GUEST_ERROR, + "pl080: channel %d: invalid DWidth %d\n", + c, extract32(ch->ctrl, 21, 3)); + continue; + } + for (n =3D 0; n < dwidth; n+=3D swidth) { address_space_read(&s->downstream_as, ch->src, MEMTXATTRS_UNSPECIFIED, buff + n, swidt= h); --=20 2.47.3
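
Review bot: the width checks in hw/dma/pl080.c test the decoded swidth and dwidth, but the log arguments re-extract the raw field with extract32(), whose unsigned result is printed with %d, while the decode two lines above still uses open-coded shifts and masks. Extracting each field once with extract32(ch->ctrl, 18, 3) and extract32(ch->ctrl, 21, 3) and using that value for both the decode and the message keeps the two from drifting, and %u matches the type. Also, "continue" leaves the channel state untouched, so a guest that programs a reserved width gets the LOG_GUEST_ERROR line each time the loop reaches this channel; a one-line comment saying that this is the intended "ignore the channel" behaviour from the commit message would help the next reader.
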
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Tao Ding, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 005/117] hw/dma/pl080: Update interrupts after pl080_run()
Date: Tue, 12 May 2026 23:53:07 +0300
Message-ID: <20260512205503.361097-5-mjt@tls.msk.ru>
From: Tao Ding

In the codepath in pl080_write() where we run the DMA engine after a change in the channel configuration register, we were missing a pl080_update() call, which meant that we weren't raising any interrupts generated by that DMA transfer.

A repro case for this is to program the PL080 and then check the interrupt status by looking at the PL190 status register, since the PL080 interrupt output is connected to input 17 of the PL190. We look at the register value via the QEMU monitor:

Reproducer
./qemu-system-arm -M versatilepb -m 128M -nographic -S \
    -device loader,addr=0x00000000,data=0x11223344,data-len=4 \
    -device loader,addr=0x00001000,data=0x00000000,data-len=4 \
    -device loader,addr=0x10130030,data=0x00000001,data-len=4 \
    -device loader,addr=0x10130100,data=0x00000000,data-len=4 \
    -device loader,addr=0x10130104,data=0x00001000,data-len=4 \
    -device loader,addr=0x10130108,data=0x00000000,data-len=4 \
    -device loader,addr=0x1013010C,data=0x9e4bf001,data-len=4 \
    -device loader,addr=0x10130110,data=0x0000c001,data-len=4

Qemu monitor
(qemu) xp /1wx 0x10140008
10140008: 0x00000000

The correct result after this fix:
(qemu) xp /1wx 0x10140008
10140008: 0x00020000

Cc: qemu-stable@nongnu.org
Signed-off-by: Tao Ding
Message-id: 7584486ba62bc6d767c0d132dc843067f8c5efff.1773301927.git.dingtao0430@163.com
Reviewed-by: Peter Maydell
[PMM: Adjusted commit message]
Signed-off-by: Peter Maydell
(cherry picked from commit b6e61d1cc3bfc9091ab83e25d9781a67ef9c86c1)
Signed-off-by: Michael Tokarev
diff --git a/hw/dma/pl080.c b/hw/dma/pl080.c index 27b819187d..3af50425ef 100644 --- a/hw/dma/pl080.c +++ b/hw/dma/pl080.c
@@ -227,6 +227,7 @@ again: if (--s->running) s->running =3D 1; } + pl080_update(s); } =20 static uint64_t pl080_read(void *opaque, hwaddr offset, --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620352; cv=none; d=zohomail.com; s=zohoarc; b=fefnLGHE5H7jaF1kzrIjMT7tsxXoV0y/esb7nMONvlmZkm3/4Y8MdflCov80weOPNngpIxf5uEU883/G7ah6UoelNFxlpKcFvQysipLrFxWkZFQoLPbjVjHbcEfD1q814bz0cPCM1xj5gDYeA2Vv5mLdPPRS0F6LIbuLsSjT4AM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620352; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=lcbKZUHJqm2DhzLhX3Fe3bp6Njm20J8Q4OOYHNps4lI=; b=ZzFPTYL7GSIjSndRSCYjbm+GzESFDmIEHxiF9Fk7f9iIP2vZIhn7tXavHppc7GBIVRQR+FYA9AtCpllM64SctZH4yEDjlvimckLxBuNC0R3hh4FRXV20PNR/HQu3ZcNstdksHSXNE3XonD1ccq0gcjHEWXr12qZlxprJl1SXJYI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620352710101.59347220205075; Tue, 12 May 2026 14:12:32 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuJD-00070z-Kr; Tue, 12 May 2026 17:06:34 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuJ9-0006l4-BU; Tue, 12 May 2026 
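Review bot: pl080_update(s) is placed at the very end of pl080_run(), while the commit message describes the missing call as being in the pl080_write() path. That makes every caller of pl080_run() update the interrupt lines, which looks intended but deserves a sentence in the message. Because the call sits after the channel loop, any early `return` earlier in pl080_run() would skip it, so it is worth confirming there is none or moving the call to the callers. The reproducer from the commit message would also make a good qtest, so the PL190 status value 0x00020000 stays covered.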
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Tao Ding, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 006/117] hw/dma/pl080: Ignore bottom 2 bits of LLI register
Date: Tue, 12 May 2026 23:53:08 +0300
Message-ID: <20260512205503.361097-6-mjt@tls.msk.ru>
From: Tao Ding

The PL080 channel LLI (linked list item) register has bits [31:2] of the address of the next LLI in bits [31:2], with bit [1] reserved and bit [0] the AHB master select. We were incorrectly using the whole register value as the address, which meant that if the guest programmed something into the AHB master select bit we would use an incorrect address, and read incorrect data from memory.

The following reproducer creates a setup which has bit 0 set in an LLI value:

Configuration
../configure --target-list=arm-softmmu --enable-debug

Reproducer
./qemu-system-arm -M versatilepb -m 128M -nographic -S \
    -device loader,addr=0x00002000,data=0x00000004,data-len=4 \
    -device loader,addr=0x00002004,data=0x00001004,data-len=4 \
    -device loader,addr=0x00002008,data=0x00000000,data-len=4 \
    -device loader,addr=0x0000200c,data=0x9e4bf001,data-len=4 \
    -device loader,addr=0x00000000,data=0x44332211,data-len=4 \
    -device loader,addr=0x00000004,data=0x88776655,data-len=4 \
    -device loader,addr=0x00001000,data=0x00000000,data-len=4 \
    -device loader,addr=0x00001004,data=0x00000000,data-len=4 \
    -device loader,addr=0x10130030,data=0x00000001,data-len=4 \
    -device loader,addr=0x10130100,data=0x00000000,data-len=4 \
    -device loader,addr=0x10130104,data=0x00001000,data-len=4 \
    -device loader,addr=0x10130108,data=0x00002001,data-len=4 \
    -device loader,addr=0x1013010C,data=0x1e4bf001,data-len=4 \
    -device loader,addr=0x10130110,data=0x0000c001,data-len=4

The correct result with this bug fix:
(qemu) xp /1wx 0x00001000
00001000: 0x44332211
(qemu) xp /1wx 0x00001004
00001004: 0x88776655

Cc: qemu-stable@nongnu.org
Signed-off-by: Tao Ding
[PMM: Adjusted commit message]
Reviewed-by: Peter Maydell
Message-id: cb35c1b622674da7a2b70691402132f691933f2c.1773301927.git.dingtao0430@163.com
Signed-off-by: Peter Maydell
(cherry picked from commit f9b16f791502d912cf07ec040a1a2efb1009f713)
Signed-off-by: Michael Tokarev diff --git a/hw/dma/pl080.c b/hw/dma/pl080.c index 3af50425ef..18f5de3e04 100644 --- a/hw/dma/pl080.c +++ b/hw/dma/pl080.c @@ -102,6 +102,7 @@ static void pl080_run(PL080State *s) int size; uint8_t buff[4]; uint32_t req; + uint32_t next_lli; =20 s->tc_mask =3D 0; for (c =3D 0; c < s->nchannels; c++) { 
@@ -198,21 +199,22 @@ again: ch->ctrl =3D (ch->ctrl & 0xfffff000) | size; if (size =3D=3D 0) { /* Transfer complete. */ - if (ch->lli) { + next_lli =3D (ch->lli & ~3); + if (next_lli) { ch->src =3D address_space_ldl_le(&s->downstream_as, - ch->lli, + next_lli, MEMTXATTRS_UNSPECIFIED, NULL); ch->dest =3D address_space_ldl_le(&s->downstream_as, - ch->lli + 4, + next_lli + 4, MEMTXATTRS_UNSPECIFIED, NULL); ch->ctrl =3D address_space_ldl_le(&s->downstream_as, - ch->lli + 12, + next_lli + 12, MEMTXATTRS_UNSPECIFIED, NULL); ch->lli =3D address_space_ldl_le(&s->downstream_as, - ch->lli + 8, + next_lli + 8, MEMTXATTRS_UNSPECIFIED, NULL); } else { --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620207; cv=none; d=zohomail.com; s=zohoarc; b=mqgiEOmLG5TKS2GfMS0bmxP/w8srUsMS0CDFhZekRK4St0WHJCcMdV+jvGnd7Ox0LlJcJDwJ3RirBrmBixVYHozG8FXutNkD7FGkTuW5aQ8I+pwqnXhuAZF41j27/NyGd65+QrIk8u6OhMpElDnR3/aCW9J/MxV1SrfIAgxlDT4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620207; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=L+JkWEyneqWQLOZ4GUaD8IlsNnAejbG4WlLXWbpAaXk=; b=DQIi62RhJjhd0k89B/mTzkNe3ztNTWJX+xFJTa06EanV0lpJl5u8/lJMDZrqMUYlHYCAlvFrUCb/gyvfp71RkPP3ii0zlMRFXt1oawcRwe80qvQlp5b9erbra2NAM/gzaimtwo0+s2TLRncSq+Vp9r6Ktm6a6TrpO7yaN5qAOz8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org 
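Review bot: In the second hunk all four address_space_ldl_le() loads from next_lli still pass NULL for the result pointer, so a failed read of the descriptor silently puts whatever the call returns into ch->src, ch->dest, ch->ctrl and ch->lli. Passing a MemTxResult and stopping the channel on error would be the safer behaviour for a guest-controlled address. The mask `~3` would read better as a named constant documenting that bit [1] is reserved and bit [0] is the AHB master select, and next_lli is only used inside the `size == 0` block, so it can be declared there instead of at the top of pl080_run().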
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Sergei Heifetz, Vladimir Sementsov-Ogievskiy, Zhao Liu, Michael Tokarev
Subject: [Stable-10.2.3 007/117] target/i386: fix NULL pointer dereference in legacy-cache=off handling
Date: Tue, 12 May 2026 23:53:09 +0300
Message-ID: <20260512205503.361097-7-mjt@tls.msk.ru>

From: Sergei Heifetz

The check that xcc->model is not NULL occurs after it is dereferenced inside x86_cpu_get_versioned_cache_info(), so something like `-cpu host,legacy-cache=off` leads to a segfault rather than an error.

This patch fixes that.

Fixes: cca0a000d06f897411a8a ("target/i386: allow versioned CPUs to specify new cache_info")
Signed-off-by: Sergei Heifetz
Reviewed-by: Vladimir Sementsov-Ogievskiy
Reviewed-by: Zhao Liu
Reviewed-by: Michael Tokarev
[Mjt: simplify the following condition too]
Signed-off-by: Michael Tokarev (cherry picked from commit 2741d2cc39033929485b50792a85b5c794b1c903) Signed-off-by: Michael Tokarev diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 78308a82a0..fca6238f55 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c 
@@ -9481,10 +9481,11 @@ static void x86_cpu_realizefn(DeviceState *dev, Err= or **errp) =20 /* Cache information initialization */ if (!cpu->legacy_cache) { - const CPUCaches *cache_info =3D - x86_cpu_get_versioned_cache_info(cpu, xcc->model); + const CPUCaches *cache_info =3D xcc->model + ? x86_cpu_get_versioned_cache_info(cpu, xcc->model) + : NULL; =20 - if (!xcc->model || !cache_info) { + if (!cache_info) { g_autofree char *name =3D x86_cpu_class_get_model_name(xcc); error_setg(errp, "CPU model '%s' doesn't support legacy-cache=3Doff"= , name); --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778622282; cv=none; d=zohomail.com; s=zohoarc; b=lrAOQccraQBis69u+GJwLvcPEFyY6zhh8KRmuQbCOLi9YY+w2I09RNJLwujCuVUy58Bsh+KqzdqDjlz5DrLuuJN6lI++Q7DgK8uJI2UOu1ssp6WQ4vK5I4o0ZaRrpJEV+Hf7FFBlh04azHPnuuV51+wdjT8WUUVZIM0u3CJmDhk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778622282; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=9XXcj1/5xwOS0FWeW5XkRSAV4wWEBeQfv2q9BBRr3FM=; b=ST9+Qaap8HmVWixEvlQ6CLhE+EQG0iCaDkB6+YaPlhuboSd3uxtkyYCX4+7NKI3vQA5htzy37wjI2f2kbwgke6qT16FIjNzYKDeaMDK4DyWMfTH/aKC2V29iz72erTN5PNGAFG7oE4Puu6sxaCwPdScyyiUeOl86+j5GnaAPn+o= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 
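Review bot: With the NULL check folded into the ternary, the error branch is now actually reached with xcc->model == NULL (the `-cpu host,legacy-cache=off` case from the commit message), so x86_cpu_class_get_model_name(xcc) must not dereference xcc->model itself; please confirm that before relying on this path. The single message "doesn't support legacy-cache=off" covers both a class without a model and a model without versioned cache info, which is fine for users, but a short comment on the ternary saying when xcc->model is NULL would help the next reader.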
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Pierrick Bouvier, Michael Tokarev
Subject: [Stable-10.2.3 008/117] contrib/plugins/uftrace.c: fix depth for exit events
Date: Tue, 12 May 2026 23:53:10 +0300
Message-ID: <20260512205503.361097-8-mjt@tls.msk.ru>

From: Pierrick Bouvier

Uftrace plugin was recording wrong depth for exit events, resulting in incoherent traces, especially for partial ones.

Thanks to Honggyu Kim, one of the original authors of uftrace, who spotted the issue.
https://github.com/namhyung/uftrace/pull/2031#issuecomment-4051762627

Reviewed-by: Pierrick Bouvier
Link: https://lore.kernel.org/qemu-devel/20260313063441.2048882-1-pierrick.bouvier@linaro.org
Signed-off-by: Pierrick Bouvier
(cherry picked from commit 48221e371686f7704f150aafe46b76bb9306c7b6)
Signed-off-by: Michael Tokarev
diff --git a/contrib/plugins/uftrace.c b/contrib/plugins/uftrace.c index b7d6124d2f..88e34e2d6d 100644 --- a/contrib/plugins/uftrace.c +++ b/contrib/plugins/uftrace.c 
@@ -705,7 +705,8 @@ static void track_callstack(unsigned int cpu_index, voi= d *udata) if (fp =3D=3D caller.frame_pointer) { /* return */ CallstackEntry e =3D callstack_pop(cs); - trace_exit_function(t, timestamp, e.pc, callstack_depth(cs)); + /* uftrace convention is to use same depth as entry */ + trace_exit_function(t, timestamp, e.pc, callstack_depth(cs) + 1); return; } =20 --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620172; cv=none; d=zohomail.com; s=zohoarc; b=ml59K0yGDyWJGyDbmGTxMHg0cyq6H8iZxAm9ruwk0R85wPEqh5V7JGCU4EI6IzoN1W9eWwWqZ7EkCcvF/6iZ56tbdwBard7mdU/V0zkiyI2VEo5YP3BNbNDPAFOLYwM7/64fibsoYoj6cJuK4MU6Jjj460zCAJro+WVcK1R7n8M= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620172; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=H13ugwg6VXDT62zwUJeX+kwvKBqLb+xo1XT0ARh/TFM=; b=CYIdcUX6Rm1DSgOf7iyvPI81EZ0p/b8FVGbw6dWfdp+NXnhrdQFx+uMBjiCufGmlpSvHAfQxYRfQshjA8HOJ0m0bcWoO5v8iUmwu9PT00oEt8XcRZtdoP0IvorFKKaqe0QIPtAzkyPVCy+kYYeUrKd98QhqxFpMjA6puzL3F2lc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620172687697.8497409921082; Tue, 12 May 2026 14:09:32 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 
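Review bot: `callstack_depth(cs) + 1` is evaluated after callstack_pop(cs), so the + 1 only works as a reconstruction of the depth that existed before the pop. Reading the depth into a local before calling callstack_pop() and passing that to trace_exit_function() would state the intent directly and would not depend on the pop removing exactly one entry. The comment could then say that the exit event uses the same depth as the matching entry event.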
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Alberto Garcia, Hanna Czenczek, Michael Tokarev
Subject: [Stable-10.2.3 009/117] throttle-group: Fix race condition in throttle_group_restart_queue()
Date: Tue, 12 May 2026 23:53:11 +0300
Message-ID: <20260512205503.361097-9-mjt@tls.msk.ru>
From: Alberto Garcia

When a timer is fired a pending I/O request is restarted and tg->any_timer_armed is reset so other requests can be scheduled.

However we're resetting any_timer_armed first in timer_cb() before the request is actually restarted, and there's a window between both moments in which another thread can arm the same timer, hitting an assertion in throttle_group_restart_queue().

This can be solved by deferring the reset of tg->any_timer_armed to the moment when the queue is actually restarted, which is protected by tg->lock, preventing other threads from arming the timer before that.

In addition to that, throttle_group_restart_tgm() is also updated to hold tg->lock while the timer is being inspected. Here we consider three different scenarios:

- If the tgm has a timer set, fire it immediately
- If another tgm has a timer set, restart the queue anyway
- If there is no timer set in this group then simulate a timer that fires immediately, by setting tg->any_timer_armed in order to prevent other threads from arming a timer in the meantime.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3194
Signed-off-by: Alberto Garcia
Message-Id: <825598ef34ad384d936da19d634eda75598508f7.1773316842.git.berto@igalia.com>
Signed-off-by: Hanna Czenczek
(cherry picked from commit 9c8430f5d65144b85ad76433369288182a1c7baa)
Signed-off-by: Michael Tokarev
diff --git a/block/throttle-groups.c b/block/throttle-groups.c index 5329ff1fdb..4b1b1944c2 100644 --- a/block/throttle-groups.c +++ b/block/throttle-groups.c @@ -391,6 +391,7 @@ void coroutine_fn throttle_group_co_io_limits_intercept= (ThrottleGroupMember *tgm typedef struct { ThrottleGroupMember *tgm; ThrottleDirection direction; + bool reset_timer_armed; } RestartData; =20 static void coroutine_fn throttle_group_restart_queue_entry(void *opaque) 
@@ -403,6 +404,9 @@ static void coroutine_fn throttle_group_restart_queue_e= ntry(void *opaque) bool empty_queue; =20 qemu_mutex_lock(&tg->lock); + if (data->reset_timer_armed) { + tg->any_timer_armed[direction] =3D false; + } empty_queue =3D !throttle_group_co_restart_queue(tgm, direction); =20 /* If the request queue was empty then we have to take care of @@ -419,18 +423,23 @@ static void coroutine_fn throttle_group_restart_queue= _entry(void *opaque) } =20 static void throttle_group_restart_queue(ThrottleGroupMember *tgm, - ThrottleDirection direction) + ThrottleDirection direction, + bool reset_timer_armed) { Coroutine *co; RestartData *rd =3D g_new0(RestartData, 1); =20 rd->tgm =3D tgm; rd->direction =3D direction; + rd->reset_timer_armed =3D reset_timer_armed; =20 - /* This function is called when a timer is fired or when - * throttle_group_restart_tgm() is called. Either way, there can + /* If reset_timer_armed is set then this means that this function + * was called when a timer was fired (either from timer_cb() or + * from throttle_group_restart_tgm()). In this case there can * be no timer pending on this tgm at this point */ - assert(!timer_pending(tgm->throttle_timers.timers[direction])); + if (reset_timer_armed) { + assert(!timer_pending(tgm->throttle_timers.timers[direction])); + } =20 qatomic_inc(&tgm->restart_pending); =20 
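Review bot: In the throttle_group_restart_queue() hunk the new bool argument leaves call sites such as `throttle_group_restart_queue(tgm, direction, true)` hard to read, and the rewritten comment says the flag means a timer was fired, although throttle_group_restart_tgm() also sets it for a simulated timer. Stating the contract in the comment would help: when reset_timer_armed is true the caller guarantees that tg->any_timer_armed[direction] is set and that no timer is pending on this tgm, and throttle_group_restart_queue_entry() clears the flag under tg->lock. If that invariant holds, the entry function could assert tg->any_timer_armed[direction] just before clearing it, next to the existing timer_pending() assert.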
@@ -444,15 +453,50 @@ void throttle_group_restart_tgm(ThrottleGroupMember *= tgm) =20 if (tgm->throttle_state) { for (dir =3D THROTTLE_READ; dir < THROTTLE_MAX; dir++) { - QEMUTimer *t =3D tgm->throttle_timers.timers[dir]; + QEMUTimer *t; + ThrottleState *ts =3D tgm->throttle_state; + ThrottleGroup *tg =3D container_of(ts, ThrottleGroup, ts); + bool reset_timer_armed; + + /* + * This function restarts the tgm's queue immediately. + * This is used for example for callers to drain all requests. + * There are three different scenarios depending on whether + * a timer is armed for this tg and which tgm owns the timer. + */ + + qemu_mutex_lock(&tg->lock); + + t =3D tgm->throttle_timers.timers[dir]; if (timer_pending(t)) { - /* If there's a pending timer on this tgm, fire it now */ + /* + * Case 1: this tgm has a pending timer. + * We can fire the timer immediately. + */ timer_del(t); - timer_cb(tgm, dir); + reset_timer_armed =3D true; + } else if (tg->any_timer_armed[dir]) { + /* + * Case 2: another tgm has a pending timer. + * In this case we can still restart the queue but we + * have to leave any_timer_armed untouched so the + * other tgm's timer is not disrupted. + */ + reset_timer_armed =3D false; } else { - /* Else run the next request from the queue manually */ - throttle_group_restart_queue(tgm, dir); + /* + * Case 3: there is no timer set for this group. + * Here we can simulate a timer that fires immediately, + * so the queue is restarted but no other thread + * can arm a timer in the meantime. + */ + tg->any_timer_armed[dir] =3D true; + reset_timer_armed =3D true; } + + qemu_mutex_unlock(&tg->lock); + + throttle_group_restart_queue(tgm, dir, reset_timer_armed); } } } 
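Review bot: tg->lock is released before throttle_group_restart_queue() is called, so cases 1 and 3 rely on tg->any_timer_armed[dir] staying true across that gap to keep other threads from arming a timer. That dependency should be spelled out in the comment, together with the fact that the flag is only cleared later in throttle_group_restart_queue_entry(). In case 3 the flag is set with no real timer behind it, so if the restart coroutine did not run the group would stay marked as armed; a note on why that cannot happen would help. `ts` and `tg` do not depend on dir and can be computed once before the for loop.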
@@ -499,16 +543,13 @@ void throttle_group_get_config(ThrottleGroupMember *t= gm, ThrottleConfig *cfg) */ static void timer_cb(ThrottleGroupMember *tgm, ThrottleDirection direction) { - ThrottleState *ts =3D tgm->throttle_state; - ThrottleGroup *tg =3D container_of(ts, ThrottleGroup, ts); - - /* The timer has just been fired, so we can update the flag */ - qemu_mutex_lock(&tg->lock); - tg->any_timer_armed[direction] =3D false; - qemu_mutex_unlock(&tg->lock); - - /* Run the request that was waiting for this timer */ - throttle_group_restart_queue(tgm, direction); + /* + * Run the request that was waiting for this timer. + * tg->any_timer_armed needs to be cleared, but we'll do it later + * when the queue is restarted in order to prevent another thread + * from arming the timer before that. + */ + throttle_group_restart_queue(tgm, direction, true); } =20 static void read_timer_cb(void *opaque) --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620308; cv=none; d=zohomail.com; s=zohoarc; b=S9qqRmflPcXzw04OsiNOSDqblwVX6x/mBYflct4UQyPzDdArHkqBGAQDVMUg4avh4o2w+WLsc++/Sd5/YAK5+yFgU17BCO1ZJcOY+0D+P234208Vs+fEwBXeg7GoXDyHKGL1g/FwO100ltWlsVYHKCQGSxXanhrIW36D2L/ixWs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620308; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=mdos8G2zwLYFwofROVlJMOaRB3pmlwyrT0JVHUO8Exs=; b=bNCiVDFMzzEdm/p+W0BrJxtszTFED4qoXgBC25hb/K99ADLsFvrv/3dUWADXXkgSXqNWLOVsjf/Zn3OIqFGnO7fv1anU9VVKvJh3jdhuPwr5y0FNgZBEEpqIEvqBVEHKRpJg9dAmxDD5iAjWwfn0/RHFuGwlZ1625jiBgBPtUiU= 

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Fiona Ebner, Hanna Czenczek, Michael Tokarev
Subject: [Stable-10.2.3 010/117] block/mirror: fix assertion failure upon duplicate complete for job using 'replaces'
Date: Tue, 12 May 2026 23:53:12 +0300
Message-ID: <20260512205503.361097-10-mjt@tls.msk.ru>

From: Fiona Ebner

If s->replace_blocker was already set by an earlier invocation of
mirror_complete(), then there will be an assertion failure when
error_setg() is called for it a second time. The bdrv_op_block_all()
and bdrv_ref() operations should only be done a single time too.

Signed-off-by: Fiona Ebner
Message-Id: <20260311145717.668492-2-f.ebner@proxmox.com>
Reviewed-by: Hanna Czenczek
Signed-off-by: Hanna Czenczek
(cherry picked from commit 9ac85f4cc7995217db8f736733b990d6addcb036)
Signed-off-by: Michael Tokarev

diff --git a/block/mirror.c b/block/mirror.c index fa1d975eb9..2fcded9e93 100644 --- a/block/mirror.c +++ b/block/mirror.c 
@@ -1276,23 +1276,25 @@ static void mirror_complete(Job *job, Error **errp) return; } =20 - /* block all operations on to_replace bs */ - if (s->replaces) { - s->to_replace =3D bdrv_find_node(s->replaces); - if (!s->to_replace) { - error_setg(errp, "Node name '%s' not found", s->replaces); - return; + if (!s->should_complete) { + /* block all operations on to_replace bs */ + if (s->replaces) { + s->to_replace =3D bdrv_find_node(s->replaces); + if (!s->to_replace) { + error_setg(errp, "Node name '%s' not found", s->replaces); + return; + } + + /* TODO Translate this into child freeze system. */ + error_setg(&s->replace_blocker, + "block device is in use by block-job-complete"); + bdrv_op_block_all(s->to_replace, s->replace_blocker); + bdrv_ref(s->to_replace); } =20 - /* TODO Translate this into child freeze system. */ - error_setg(&s->replace_blocker, - "block device is in use by block-job-complete"); - bdrv_op_block_all(s->to_replace, s->replace_blocker); - bdrv_ref(s->to_replace); + s->should_complete =3D true; } =20 - s->should_complete =3D true; - /* If the job is paused, it will be re-entered when it is resumed */ WITH_JOB_LOCK_GUARD() { if (!job->paused) { --=20 2.47.3
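
Review bot: the new `if (!s->should_complete)` guard in mirror_complete() uses should_complete as a stand-in for "replace_blocker is already set", and nothing in the code says so. A short comment above the guard, stating that a repeated completion request must skip the error_setg() / bdrv_op_block_all() / bdrv_ref() sequence, would explain why the assignment of should_complete moved inside the block. The early return on "Node name '%s' not found" leaves should_complete false, so a later call repeats the lookup; that looks intended, but it is worth saying in the same comment.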

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Shivang Upadhyay, Aditya Gupta, Harsh Prateek Bora, Peter Maydell, BALATON Zoltan, Michael Tokarev
Subject: [Stable-10.2.3 011/117] ppc/pnv: fix dumpdtb option
Date: Tue, 12 May 2026 23:53:13 +0300
Message-ID: <20260512205503.361097-11-mjt@tls.msk.ru>

From: Shivang Upadhyay

The '-machine dumpdtb' command line option stopped working on
PowerPC/pnv systems after recent design change [1].

Fixing this by generating fdt blob in `pnv_init`.

[1] https://lore.kernel.org/qemu-devel/20250206151214.2947842-1-peter.maydell@linaro.org/

Cc: Aditya Gupta
Cc: Harsh Prateek Bora
Cc: Peter Maydell
Cc: BALATON Zoltan
Cc: qemu-stable@nongnu.org
Fixes: 8fd2518ef2f8d34 ("hw: Centralize handling of -machine dumpdtb option")
Signed-off-by: Shivang Upadhyay
Reviewed-by: Peter Maydell
Reviewed-by: Aditya Gupta
Link: https://lore.kernel.org/qemu-devel/20260311143549.118720-1-shivangu@linux.ibm.com
Signed-off-by: Harsh Prateek Bora
(cherry picked from commit a16d4c2f162a86db1f84ef0836d42eabaf57fe69)
Signed-off-by: Michael Tokarev

diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c index 895132da91..e8a12d87c4 100644 --- a/hw/ppc/pnv.c +++ b/hw/ppc/pnv.c @@ -772,26 +772,8 @@ static void pnv_reset(MachineState *machine, ResetType= type) } } =20 - if (machine->fdt) { - fdt =3D machine->fdt; - } else { - fdt =3D pnv_dt_create(machine); - /* Pack resulting tree */ - _FDT((fdt_pack(fdt))); - } - + fdt =3D machine->fdt; cpu_physical_memory_write(PNV_FDT_ADDR, fdt, fdt_totalsize(fdt)); - - /* Update machine->fdt with latest fdt */ - if (machine->fdt !=3D fdt) { - /* - * Set machine->fdt for 'dumpdtb' QMP/HMP command. Free - * the existing machine->fdt to avoid leaking it during - * a reset. - */ - g_free(machine->fdt); - machine->fdt =3D fdt; - } } =20 static ISABus *pnv_chip_power8_isa_create(PnvChip *chip, Error **errp)
@@ -1260,6 +1242,11 @@ static void pnv_init(MachineState *machine) if (pmc->i2c_init) { pmc->i2c_init(pnv); } + + if (!machine->fdt) { + machine->fdt =3D pnv_dt_create(machine); + _FDT((fdt_pack(machine->fdt))); + } } =20 /* --=20 2.47.3
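
Review bot: pnv_reset() now does `fdt = machine->fdt;` and hands the pointer straight to fdt_totalsize() with no fallback, so it silently depends on pnv_init() having populated machine->fdt. An assertion on machine->fdt before the cpu_physical_memory_write() call would make that dependency explicit instead of failing inside fdt_totalsize() if the ordering ever changes.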
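
Review bot: tree creation at the end of pnv_init() happens earlier than the reset-time creation it replaces, so anything that only settles after pnv_init() returns is missing from machine->fdt. If that is intended, a comment above `if (!machine->fdt)` should say which inputs pnv_dt_create() relies on being final at this point; otherwise the tree should be built at a later point in machine start-up.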

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Shivang Upadhyay, Aditya Gupta, Harsh Prateek Bora, BALATON Zoltan, Nathan Chancellor, Peter Maydell, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.3 012/117] ppc/pnv: generate dtb after machine initialization is complete
Date: Tue, 12 May 2026 23:53:14 +0300
Message-ID: <20260512205503.361097-12-mjt@tls.msk.ru>

From: Shivang Upadhyay

Currently, the machine dtb is generated in pnv_init(), before all devices
are fully initialized. This can result in an incomplete dtb for the
system, as seen in bug [1].

Fix this by deferring dtb generation until machine initialization is complete,
using the machine_init_done_notifier hook.

[1] https://lore.kernel.org/all/20260323231612.GA2637687@ax162/

Cc: Aditya Gupta
Cc: Harsh Prateek Bora
Cc: BALATON Zoltan
Cc: qemu-stable@nongnu.org
Reported-by: Nathan Chancellor
Suggested-by: Peter Maydell
Fixes: a16d4c2f162a86d ("ppc/pnv: fix dumpdtb option")
Fixes: 43ed0362d0b2c4c ("ppc/pnv: fix dumpdtb option") in 10.2.x series
Signed-off-by: Shivang Upadhyay
Tested-by: Nathan Chancellor
Reviewed-by: Aditya Gupta
Reviewed-by: Peter Maydell
Message-ID: <20260327124136.983955-1-shivangu@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit ba48bff09fa1fea8030eb26f2bc0add8c3549bb7)
Signed-off-by: Michael Tokarev

diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c index e8a12d87c4..090716b1ff 100644 --- a/hw/ppc/pnv.c +++ b/hw/ppc/pnv.c @@ -747,31 +747,10 @@ static void pnv_powerdown_notify(Notifier *n, void *o= paque) =20 static void pnv_reset(MachineState *machine, ResetType type) { - PnvMachineState *pnv =3D PNV_MACHINE(machine); - IPMIBmc *bmc; void *fdt; =20 qemu_devices_reset(type); =20 - /* - * The machine should provide by default an internal BMC simulator. - * If not, try to use the BMC device that was provided on the command - * line. - */ - bmc =3D pnv_bmc_find(&error_fatal); - if (!pnv->bmc) { - if (!bmc) { - if (!qtest_enabled()) { - warn_report("machine has no BMC device. Use '-device " - "ipmi-bmc-sim,id=3Dbmc0 -device isa-ipmi-bt,bm= c=3Dbmc0,irq=3D10' " - "to define one"); - } - } else { - pnv_bmc_set_pnor(bmc, pnv->pnor); - pnv->bmc =3D bmc; - } - } - fdt =3D machine->fdt; cpu_physical_memory_write(PNV_FDT_ADDR, fdt, fdt_totalsize(fdt)); }
@@ -983,6 +962,37 @@ static uint64_t pnv_chip_get_ram_size(PnvMachineState = *pnv, int chip_id) return chip_id =3D=3D 0 ? 1 * GiB : QEMU_ALIGN_DOWN(ram_per_chip, 1 * = MiB); } =20 +static void pnv_machine_init_done(Notifier *notifier, void *data) +{ + PnvMachineState *pnv =3D container_of(notifier, PnvMachineState, machi= ne_init_done); + MachineState *machine =3D MACHINE(pnv); + IPMIBmc *bmc; + + /* + * The machine should provide by default an internal BMC simulator. + * If not, try to use the BMC device that was provided on the command + * line. + */ + bmc =3D pnv_bmc_find(&error_fatal); + if (!pnv->bmc) { + if (!bmc) { + if (!qtest_enabled()) { + warn_report("machine has no BMC device. Use '-device " + "ipmi-bmc-sim,id=3Dbmc0 -device isa-ipmi-bt,bm= c=3Dbmc0,irq=3D10' " + "to define one"); + } + } else { + pnv_bmc_set_pnor(bmc, pnv->pnor); + pnv->bmc =3D bmc; + } + } + + if (!machine->fdt) { + machine->fdt =3D pnv_dt_create(machine); + _FDT((fdt_pack(machine->fdt))); + } +} + static void pnv_init(MachineState *machine) { const char *bios_name =3D machine->firmware ?: FW_FILE_NAME; @@ -1243,10 +1253,8 @@ static void pnv_init(MachineState *machine) pmc->i2c_init(pnv); } =20 - if (!machine->fdt) { - machine->fdt =3D pnv_dt_create(machine); - _FDT((fdt_pack(machine->fdt))); - } + pnv->machine_init_done.notify =3D pnv_machine_init_done; + qemu_add_machine_init_done_notifier(&pnv->machine_init_done); } =20 /* diff --git a/include/hw/ppc/pnv.h b/include/hw/ppc/pnv.h index cbdddfc73c..574861ce03 100644 --- a/include/hw/ppc/pnv.h +++ b/include/hw/ppc/pnv.h 
@@ -111,6 +111,8 @@ struct PnvMachineState { =20 bool big_core; bool lpar_per_core; + + Notifier machine_init_done; }; =20 PnvChip *pnv_get_chip(PnvMachineState *pnv, uint32_t chip_id); --=20 2.47.3
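
Review bot: in pnv_machine_init_done(), the declaration `PnvMachineState *pnv = container_of(notifier, PnvMachineState, machine_init_done);` runs past 80 columns and should be wrapped. The comment carried over from pnv_reset() also needs an update: the pnv_bmc_find() / pnv_bmc_set_pnor() block now runs once at init-done instead of on every reset, and pnv_dt_create() is called after it, so the ordering of the two inside the notifier is significant and should be stated there.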

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Fabiano Rosas, Daniel P. Berrangé, Michael Tokarev
Subject: [Stable-10.2.3 013/117] io: Fix TLS bye task leak
Date: Tue, 12 May 2026 23:53:15 +0300
Message-ID: <20260512205503.361097-13-mjt@tls.msk.ru>

From: Fabiano Rosas

Recent fixes to TLS tasks memory handling have left the TLS bye task
uncovered. Fix by freeing the task in the same way the handshake task
is freed.

Direct leak of 704 byte(s) in 4 object(s) allocated from:
    #1 0x7f5909b1d6a0 in g_malloc0 ../glib/gmem.c:163
    #2 0x557650496d61 in qio_task_new ../io/task.c:58:12
    #3 0x557650475d7f in qio_channel_tls_bye ../io/channel-tls.c:352:12
    #4 0x55764f7a1bb4 in migration_tls_channel_end ../migration/tls.c:159:5
    #5 0x55764f709750 in migration_ioc_shutdown_gracefully ../migration/multifd.c:462:9
    #6 0x55764f6fcf53 in multifd_send_terminate_threads ../migration/multifd.c:493:13
    #7 0x55764f6fcafb in multifd_send_shutdown ../migration/multifd.c:580:5
    #8 0x55764f6e1b14 in migration_cleanup ../migration/migration.c:1323:9
    #9 0x55764f6f5bac in migration_cleanup_bh ../migration/migration.c:1350:5

Fixes: d39d0f3acd ("io: fix cleanup for TLS I/O source data on cancellation")
Fixes: f8943633a9 ("io: fix cleanup for TLS I/O source data on cancellation") in 10.2.x series
Reviewed-by: Daniel P. Berrangé
Acked-by: Daniel P. Berrangé
Link: https://lore.kernel.org/qemu-devel/20260311213418.16951-3-farosas@suse.de
Signed-off-by: Fabiano Rosas
(cherry picked from commit c20f143cc9fb9b1c79627d9f2ecb8daf771bdb4a)
Signed-off-by: Michael Tokarev

diff --git a/io/channel-tls.c b/io/channel-tls.c index 940fc3c6d1..31ec4d236d 100644 --- a/io/channel-tls.c +++ b/io/channel-tls.c
@@ -352,7 +352,9 @@ void qio_channel_tls_bye(QIOChannelTLS *ioc, Error **er= rp) task =3D qio_task_new(OBJECT(ioc), propagate_error, errp, NULL); =20 trace_qio_channel_tls_bye_start(ioc); - qio_channel_tls_bye_task(ioc, task, NULL); + if (qio_channel_tls_bye_task(ioc, task, NULL)) { + qio_task_free(task); + } } =20 static void qio_channel_tls_init(Object *obj G_GNUC_UNUSED) --=20 2.47.3
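
Review bot: the new `if (qio_channel_tls_bye_task(ioc, task, NULL))` in qio_channel_tls_bye() gives no hint of what a true return means, so the ownership rule for `task` is invisible at the call site. A one-line comment saying in which case the caller still owns the task and must call qio_task_free(), and in which case it has been handed off, would keep this from regressing; since the commit message says the handshake task is freed the same way, the two call sites could carry the same wording.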

From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Fiona Ebner, Fabiano Rosas, Marc-André Lureau, Michael Tokarev
Subject: [Stable-10.2.3 014/117] ui/vdagent: add migration blocker when machine version < 10.1
Date: Tue, 12 May 2026 23:53:16 +0300
Message-ID: <20260512205503.361097-14-mjt@tls.msk.ru>

From: Fiona Ebner

In QEMU 10.1, commit 5d56bff11e ("ui/vdagent: add migration support")
added migration support for the vdagent chardev and commit 42000e0013
("ui/vdagent: remove migration blocker") removed the migration
blocker. No compat for older machine versions was added, so migration
with pre-10.1 machine version, from a 10.1 binary to a pre-10.1 binary
will result in a failure when loading the VM state in the target
instance:

> Unknown savevm section or instance 'vdagent' 0. Make sure that your
> current VM setup matches your saved VM setup, including any
> hotplugged devices

Add a compat flag to block migration when the machine version is less
than 10.1 to avoid this.

Cc: qemu-stable@nongnu.org
Fixes: 42000e0013 ("ui/vdagent: remove migration blocker")
Signed-off-by: Fiona Ebner
Reviewed-by: Fabiano Rosas
Reviewed-by: Marc-André Lureau
Message-Id: <20260310142552.240877-1-f.ebner@proxmox.com>
(cherry picked from commit 6f23dde620efa2de1cf3c56dfb474a20d9ce876d)
(Mjt: backport to 10.2.x: qdev-properties.h path and vdagent_chr_open return)
Signed-off-by: Michael Tokarev

diff --git a/hw/core/machine.c b/hw/core/machine.c index 27372bb01e..53c41b1ebe 100644 --- a/hw/core/machine.c +++ b/hw/core/machine.c @@ -52,6 +52,7 @@ GlobalProperty hw_compat_10_0[] =3D { { "vfio-pci", "x-migration-load-config-after-iter", "off" }, { "ramfb", "use-legacy-x86-rom", "true"}, { "vfio-pci-nohotplug", "use-legacy-x86-rom", "true" }, + { "chardev-qemu-vdagent", "x-migration-blocked", "true" }, }; const size_t hw_compat_10_0_len =3D G_N_ELEMENTS(hw_compat_10_0); =20 diff --git a/ui/vdagent.c b/ui/vdagent.c index 660686c9c0..1ca90c70df 100644 --- a/ui/vdagent.c +++ b/ui/vdagent.c @@ -6,6 +6,8 @@ #include "qemu/option.h" #include "qemu/units.h" #include "hw/qdev-core.h" +#include "hw/qdev-properties.h" +#include "migration/blocker.h" #include "ui/clipboard.h" #include "ui/console.h" #include "ui/input.h"
@@ -32,6 +34,10 @@ struct VDAgentChardev { Chardev parent; =20 + /* needed for machine versions < 10.1 when migration was not supported= */ + Error *migration_blocker; + bool migration_blocked; + /* config */ bool mouse; bool clipboard; @@ -677,6 +683,12 @@ static void vdagent_chr_open(Chardev *chr, return; #endif =20 + if (vd->migration_blocked) { + if (migrate_add_blocker(&vd->migration_blocker, errp) !=3D 0) { + return; + } + } + vd->mouse =3D VDAGENT_MOUSE_DEFAULT; if (cfg->has_mouse) { vd->mouse =3D cfg->mouse; @@ -920,6 +932,19 @@ static void vdagent_chr_parse(QemuOpts *opts, ChardevB= ackend *backend, =20 /* ------------------------------------------------------------------ */ =20 +static bool get_migration_blocked(Object *o, Error **errp) +{ + VDAgentChardev *vd =3D QEMU_VDAGENT_CHARDEV(o); + return vd->migration_blocked; +} + +static void set_migration_blocked(Object *o, bool migration_blocked, + Error **errp) +{ + VDAgentChardev *vd =3D QEMU_VDAGENT_CHARDEV(o); + vd->migration_blocked =3D migration_blocked; +} + static void vdagent_chr_class_init(ObjectClass *oc, const void *data) { ChardevClass *cc =3D CHARDEV_CLASS(oc); @@ -929,6 +954,10 @@ static void vdagent_chr_class_init(ObjectClass *oc, co= nst void *data) cc->chr_write =3D vdagent_chr_write; cc->chr_set_fe_open =3D vdagent_chr_set_fe_open; cc->chr_accept_input =3D vdagent_chr_accept_input; + + object_class_property_add_bool(oc, "x-migration-blocked", + get_migration_blocked, + set_migration_blocked); } =20 static int post_load(void *opaque, int version_id) 
@@ -1083,10 +1112,26 @@ static void vdagent_chr_init(Object *obj) vmstate_register_any(NULL, &vmstate_vdagent, vd); } =20 +static void vdagent_post_init(Object *obj) +{ + VDAgentChardev *vd =3D QEMU_VDAGENT_CHARDEV(obj); + + object_apply_compat_props(obj); + + if (vd->migration_blocked) { + error_setg(&vd->migration_blocker, + "The vdagent chardev doesn't support migration with mac= hine" + " version less than 10.1"); + } +} + static void vdagent_chr_fini(Object *obj) { VDAgentChardev *vd =3D QEMU_VDAGENT_CHARDEV(obj); =20 + if (vd->migration_blocked) { + migrate_del_blocker(&vd->migration_blocker); + } vdagent_disconnect(vd); if (vd->mouse_hs) { qemu_input_handler_unregister(vd->mouse_hs); 
@@ -1099,6 +1144,7 @@ static const TypeInfo vdagent_chr_type_info =3D { .parent =3D TYPE_CHARDEV, .instance_size =3D sizeof(VDAgentChardev), .instance_init =3D vdagent_chr_init, + .instance_post_init =3D vdagent_post_init, .instance_finalize =3D vdagent_chr_fini, .class_init =3D vdagent_chr_class_init, }; --=20 2.47.3
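Review bot: In vdagent_post_init() (the @@ -1083 hunk of ui/vdagent.c) the blocker Error is created only if migration_blocked is already true when post-init runs, but set_migration_blocked() from the @@ -920 hunk lets the flag change at any later point. If the property is switched on after post-init, vdagent_chr_open() reaches migrate_add_blocker(&vd->migration_blocker, errp) with migration_blocker still NULL. Consider creating the Error in vdagent_chr_open() right before registering it, or rejecting writes to x-migration-blocked once the object has been initialised, so the flag and the Error cannot get out of step.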
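Review bot: The x-migration-blocked property registered in vdagent_chr_class_init() (the @@ -929 hunk) has no description, and nothing in the code says that it exists only for the hw_compat_10_0 entry. An object_class_property_set_description() call stating that it is an internal compat knob for machine versions below 10.1 would keep it from being read as a supported user option.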
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Marc-André Lureau, Zero Day Initiative, Akihiko Odaki, Michael Tokarev
Subject: [Stable-10.2.3 015/117] virtio-gpu: fix overflow check when allocating 2d image
Date: Tue, 12 May 2026 23:53:17 +0300
Message-ID: <20260512205503.361097-15-mjt@tls.msk.ru>

From: Marc-André Lureau

The calc_image_hostmem() comment says pixman_image_create_bits() checks for overflow. However, this relied on the facts that "bits" was NULL and it performed it when it was introduced. Since commit 9462ff4695aa, the "bits" argument can be provided and the check is no longer applied.

Promotes the computation to uint64_t and adds an explicit overflow check to avoid potential later OOB read/write on the image data.

Fixes: CVE-2026-3886
Fixes: ZDI-CAN-27578
Fixes: 9462ff4695aa ("virtio-gpu/win32: allocate shareable 2d resources/images")
Reported-by: Zero Day Initiative
Signed-off-by: Marc-André Lureau
Reviewed-by: Akihiko Odaki
Message-Id: <20260311-cve-v1-1-f72b4c7c1ab2@redhat.com>
(cherry picked from commit c035d5eadf400670593a76778f98f052d7482968)
Signed-off-by: Michael Tokarev

diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c index ad1ebc0fcd..5df30de69a 100644 --- a/hw/display/virtio-gpu.c +++ b/hw/display/virtio-gpu.c @@ -227,16 +227,20 @@ void virtio_gpu_get_edid(VirtIOGPU *g, virtio_gpu_ctrl_response(g, cmd, &edid.hdr, sizeof(edid)); } =20 -static uint32_t calc_image_hostmem(pixman_format_code_t pformat, - uint32_t width, uint32_t height) +static bool calc_image_hostmem(pixman_format_code_t pformat, + uint32_t width, uint32_t height, + uint32_t *hostmem) { - /* Copied from pixman/pixman-bits-image.c, skip integer overflow check. - * pixman_image_create_bits will fail in case it overflow. - */ + uint64_t bpp =3D PIXMAN_FORMAT_BPP(pformat); + uint64_t stride =3D (((uint64_t)width * bpp + 0x1f) >> 5) * sizeof(uin= t32_t); + uint64_t size =3D (uint64_t)height * stride; =20 - int bpp =3D PIXMAN_FORMAT_BPP(pformat); - int stride =3D ((width * bpp + 0x1f) >> 5) * sizeof(uint32_t); - return height * stride; + if (size > UINT32_MAX) { + return false; + } + + *hostmem =3D size; + return true; } =20 static void virtio_gpu_resource_create_2d(VirtIOGPU *g, 
@@ -246,6 +250,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g, pixman_format_code_t pformat; struct virtio_gpu_simple_resource *res; struct virtio_gpu_resource_create_2d c2d; + uint32_t hostmem; =20 VIRTIO_GPU_FILL_CMD(c2d); virtio_gpu_bswap_32(&c2d, sizeof(c2d)); @@ -284,7 +289,12 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g, return; } =20 - res->hostmem =3D calc_image_hostmem(pformat, c2d.width, c2d.height); + if (!calc_image_hostmem(pformat, c2d.width, c2d.height, &hostmem)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: image dimensions overflow\n", + __func__); + goto end; + } + res->hostmem =3D hostmem; if (res->hostmem + g->hostmem < g->conf_max_hostmem) { if (!qemu_pixman_image_new_shareable( &res->image, @@ -1292,7 +1302,7 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque,= size_t size, VirtIOGPU *g =3D opaque; Error *err =3D NULL; struct virtio_gpu_simple_resource *res; - uint32_t resource_id, pformat; + uint32_t resource_id, pformat, hostmem; int i, ret; =20 g->hostmem =3D 0; 
@@ -1318,7 +1328,11 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque= , size_t size, return -EINVAL; } =20 - res->hostmem =3D calc_image_hostmem(pformat, res->width, res->heig= ht); + if (!calc_image_hostmem(pformat, res->width, res->height, &hostmem= )) { + g_free(res); + return -EINVAL; + } + res->hostmem =3D hostmem; if (!qemu_pixman_image_new_shareable(&res->image, &res->share_handle, "virtio-gpu res", --=20 2.47.3
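Review bot: In calc_image_hostmem() (the @@ -227 hunk) the product (uint64_t)height * stride can itself exceed 64 bits, so the size > UINT32_MAX test is not a complete overflow check. With width and height both uint32_t, stride can already be above 32 bits (roughly width * bpp / 8), and multiplying it by a height close to UINT32_MAX wraps modulo 2^64 before the comparison, so a wrapped value may land back under UINT32_MAX. Unless the callers bound width and height beforehand, which these hunks do not show, reject stride > UINT32_MAX first, or test height > UINT32_MAX / stride with a guard for stride == 0, before multiplying.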
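Review bot: On the new failure path in virtio_gpu_resource_create_2d() (the @@ -284 hunk) the code only logs and jumps to end, and the end label is outside the visible context, so the patch does not show that res is freed and cmd->error is set for the guest. Please confirm that, and consider adding c2d.width, c2d.height and c2d.format to the LOG_GUEST_ERROR message, since "image dimensions overflow" alone does not say which request triggered it.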
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Max Chou, Alistair Francis, Michael Tokarev
Subject: [Stable-10.2.3 016/117] target/riscv: rvv: Fix missing flags merge in probe_pages for cross-page accesses
Date: Tue, 12 May 2026 23:53:18 +0300
Message-ID: <20260512205503.361097-16-mjt@tls.msk.ru>

From: Max Chou

When probe_pages probes a memory region that spans two pages, it calls probe_access_flags twice - once for each page. However, the flags from the second page probe were overwriting the flags from the first page instead of being merged together.

Signed-off-by: Max Chou
Reviewed-by: Alistair Francis
Message-ID: <20260318013805.1920377-2-max.chou@sifive.com>
Signed-off-by: Alistair Francis
(cherry picked from commit 556817773849f7ed6709672759e406217261db97)
Signed-off-by: Michael Tokarev

diff --git a/target/riscv/vector_helper.c b/target/riscv/vector_helper.c index 2de3358ee8..2d0e4e4d33 100644 --- a/target/riscv/vector_helper.c +++ b/target/riscv/vector_helper.c @@ -151,9 +151,9 @@ static void probe_pages(CPURISCVState *env, target_ulon= g addr, target_ulong len, addr +=3D curlen; curlen =3D len - curlen; if (flags !=3D NULL) { - *flags =3D probe_access_flags(env, adjust_addr(env, addr), cur= len, - access_type, mmu_index, nonfault, - host, ra); + *flags |=3D probe_access_flags(env, adjust_addr(env, addr), cu= rlen, + access_type, mmu_index, nonfault, + host, ra); } else { probe_access(env, adjust_addr(env, addr), curlen, access_type, mmu_index, ra); 
@@ -161,7 +161,6 @@ static void probe_pages(CPURISCVState *env, target_ulon= g addr, target_ulong len, } } =20 - static inline void vext_set_elem_mask(void *v0, int index, uint8_t value) { --=20 2.47.3
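Review bot: The switch to *flags |= in the second probe_access_flags() call (the @@ -151 hunk) fixes the flags, but the same call still passes host, so after a cross-page probe *host describes the second page only. If callers of probe_pages() use host together with the merged flags to pick a direct-access fast path, that deserves a comment here, or host should be left at the first page's value when the range is split.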
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Max Chou, Alistair Francis, Michael Tokarev
Subject: [Stable-10.2.3 017/117] target/riscv: rvv: Fix page probe issues in vext_ldff
Date: Tue, 12 May 2026 23:53:19 +0300
Message-ID: <20260512205503.361097-17-mjt@tls.msk.ru>

From: Max Chou

Commit 17288e38bebf ("optimize the memory probing for vector fault-only-first loads") introduced an optimization that moved from per-element probing to a fast-path broad probe. Unfortunately it introduced the following bugs in cross-page handling:

- Wrong condition for second page probing: checked "env->vl > elems" instead of "env->vl > elems + env->vstart", failing to account for the vstart offset.

- Incorrect second page address calculation: used "addr + (elems << log2_esz)" instead of "addr + page_split". For segment loads (nf > 1), this would probe the wrong address, not at the page boundary.

- Wrong second page probe size: used "elems * msize" (the first page size) instead of calculating the remaining size as "(env->vl - env->vstart) * msize - page_split". This would probe too little memory and could miss faults.

This commit fixes these bugs by leveraging the probe_pages helper which automatically handles cross-page memory accesses correctly.

Fixes: 17288e38bebf ("optimize the memory probing for vector fault-only-first loads.")
Signed-off-by: Max Chou
Acked-by: Alistair Francis
Message-ID: <20260318013805.1920377-3-max.chou@sifive.com>
Signed-off-by: Alistair Francis
(cherry picked from commit 0e8ad6a8460fe070ecdde4625e4ed6d791550e3d)
Signed-off-by: Michael Tokarev

diff --git a/target/riscv/vector_helper.c b/target/riscv/vector_helper.c index 2d0e4e4d33..6c0de3f82d 100644 --- a/target/riscv/vector_helper.c +++ b/target/riscv/vector_helper.c @@ -658,9 +658,9 @@ vext_ldff(void *vd, void *v0, target_ulong base, CPURIS= CVState *env, uint32_t esz =3D 1 << log2_esz; uint32_t msize =3D nf * esz; uint32_t vma =3D vext_vma(desc); - target_ulong addr, addr_probe, addr_i, offset, remain, page_split, ele= ms; + target_ulong addr, addr_i, offset, remain, page_split, elems; int mmu_index =3D riscv_env_mmu_index(env, false); - int flags, probe_flags; + int flags; void *host; =20 VSTART_CHECK_EARLY_EXIT(env, env->vl); 
@@ -674,16 +674,8 @@ vext_ldff(void *vd, void *v0, target_ulong base, CPURI= SCVState *env, } =20 /* Check page permission/pmp/watchpoint/etc. */ - probe_pages(env, addr, elems * msize, ra, MMU_DATA_LOAD, mmu_index, &h= ost, - &flags, true); - - /* If we are crossing a page check also the second page. */ - if (env->vl > elems) { - addr_probe =3D addr + (elems << log2_esz); - probe_pages(env, addr_probe, elems * msize, ra, MMU_DATA_LOAD, - mmu_index, &host, &probe_flags, true); - flags |=3D probe_flags; - } + probe_pages(env, addr, (env->vl - env->vstart) * msize, ra, MMU_DATA_L= OAD, + mmu_index, &host, &flags, true); =20 if (flags & ~TLB_WATCHPOINT) { /* probe every access */ --=20 2.47.3
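Review bot: The single probe_pages() call with len = (env->vl - env->vstart) * msize in the @@ -674 hunk depends on two things outside this hunk. First, it needs the flags merge from the previous patch in this series (*flags |= in probe_pages), otherwise the first page's flags are lost again, so the two commits must be backported together and in this order. Second, probe_pages() as described in that patch probes at most two pages, so the new length must never span more than one page boundary; a short comment or an assertion stating that bound would make the assumption checkable.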
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Paolo Bonzini, Daniel P. Berrangé, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 018/117] rust: suggest passing --locked to "cargo install"
Date: Tue, 12 May 2026 23:53:20 +0300
Message-ID: <20260512205503.361097-18-mjt@tls.msk.ru>

From: Paolo Bonzini

Without the option, cargo will try using the latest version of the dependencies of bindgen-cli. While it will obviously respect the constraints in Cargo.toml, old versions of Cargo do not have version-constrained resolution and will choke on dependencies that need Rust 2024.

Cc: Daniel P. Berrangé
Cc: Peter Maydell
Signed-off-by: Paolo Bonzini
(cherry picked from commit 6257754bb9b00b52018951096a9fba28b98a5b0d)
Signed-off-by: Michael Tokarev

diff --git a/docs/about/build-platforms.rst b/docs/about/build-platforms.rst index e95784cdb5..242f1d8820 100644 --- a/docs/about/build-platforms.rst +++ b/docs/about/build-platforms.rst @@ -114,7 +114,7 @@ Rust build dependencies bindgen tool, which is too big to package and distribute. The minimum supported version of bindgen is 0.60.x. For distributions that do not include bindgen or have an older version, it is recommended to install - a newer version using ``cargo install bindgen-cli``. + a newer version using ``cargo install --locked bindgen-cli``. =20 QEMU requires Rust 1.83.0. This is available on all supported platforms except for the ``mips64el`` architecture on Debian bookworm. For all ot= her diff --git a/meson.build b/meson.build index d9293294d8..5c8fa456e9 100644 --- a/meson.build +++ b/meson.build @@ -110,7 +110,7 @@ if have_rust bindgen =3D find_program('bindgen', required: get_option('rust')) if not bindgen.found() or bindgen.version().version_compare('<0.60.0') if get_option('rust').enabled() - error('bindgen version ' + bindgen.version() + ' is unsupported. You= can install a new version with "cargo install bindgen-cli"') + error('bindgen version ' + bindgen.version() + ' is unsupported. You= can install a new version with "cargo install --locked bindgen-cli"') else if bindgen.found() warning('bindgen version ' + bindgen.version() + ' is unsupported,= disabling Rust compilation.') diff --git a/tests/docker/dockerfiles/fedora-rust-nightly.docker b/tests/do= cker/dockerfiles/fedora-rust-nightly.docker index 8e3b3a9fd9..8fe727b619 100644 --- a/tests/docker/dockerfiles/fedora-rust-nightly.docker +++ b/tests/docker/dockerfiles/fedora-rust-nightly.docker 
@@ -179,7 +179,7 @@ RUN set -eux && \ test "$RUSTDOC" =3D "$(/usr/local/cargo/bin/rustup +nightly which rustdo= c)" && \ test "$RUSTC" =3D "$(/usr/local/cargo/bin/rustup +nightly which rustc)" ENV PATH=3D$CARGO_HOME/bin:$PATH -RUN /usr/local/cargo/bin/rustup run nightly cargo install bindgen-cli +RUN /usr/local/cargo/bin/rustup run nightly cargo install --locked bindgen= -cli RUN $CARGO --list # As a final step configure the user (if env is defined) ARG USER diff --git a/tests/docker/dockerfiles/ubuntu2204.docker b/tests/docker/dock= erfiles/ubuntu2204.docker index 23b33d6ad4..44e763f571 100644 --- a/tests/docker/dockerfiles/ubuntu2204.docker +++ b/tests/docker/dockerfiles/ubuntu2204.docker @@ -162,7 +162,7 @@ ENV CARGO_HOME=3D/usr/local/cargo ENV PATH=3D$CARGO_HOME/bin:$PATH RUN DEBIAN_FRONTEND=3Dnoninteractive eatmydata \ apt install -y --no-install-recommends cargo -RUN cargo install bindgen-cli +RUN cargo install --locked bindgen-cli # As a final step configure the user (if env is defined) ARG USER ARG UID diff --git a/tests/lcitool/refresh b/tests/lcitool/refresh index 9df607a55f..8d64708ea1 100755 --- a/tests/lcitool/refresh +++ b/tests/lcitool/refresh @@ -147,7 +147,7 @@ fedora_rustup_nightly_extras =3D [ ' test "$RUSTDOC" =3D "$(/usr/local/cargo/bin/rustup +nightly which r= ustdoc)" && \\\n', ' test "$RUSTC" =3D "$(/usr/local/cargo/bin/rustup +nightly which rus= tc)"\n', 'ENV PATH=3D$CARGO_HOME/bin:$PATH\n', - 'RUN /usr/local/cargo/bin/rustup run nightly cargo install bindgen-cli= \n', + 'RUN /usr/local/cargo/bin/rustup run nightly cargo install --locked bi= ndgen-cli\n', 'RUN $CARGO --list\n', ] =20 
@@ -158,7 +158,7 @@ ubuntu2204_rust_extras =3D [ 'ENV PATH=3D$CARGO_HOME/bin:$PATH\n', "RUN DEBIAN_FRONTEND=3Dnoninteractive eatmydata \\\n", " apt install -y --no-install-recommends cargo\n", - 'RUN cargo install bindgen-cli\n', + 'RUN cargo install --locked bindgen-cli\n', ] =20 debian_all_test_cross_compilers =3D [ --=20 2.47.3
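Review bot: Adding --locked fixes the dependency resolution, but in the two Dockerfile hunks and the matching tests/lcitool/refresh entries the bindgen-cli version itself is still unpinned, so container builds keep picking up whatever release is newest at build time. For reproducible CI images, consider also passing --version with a known-good bindgen-cli release in the RUN cargo install lines; the docs and meson.build hint can stay as they are.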
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Jenny Guanni Qu, Peter Maydell, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.3 019/117] hw/usb/hcd-ohci: check for MPS=0 to avoid infinite loop
Date: Tue, 12 May 2026 23:53:21 +0300
Message-ID: <20260512205503.361097-19-mjt@tls.msk.ru>

From: Jenny Guanni Qu

When a guest sets MaxPacketSize to 0 in an OHCI Endpoint Descriptor, ohci_service_td() transfers 0 bytes per iteration. The Transfer Descriptor never completes because CBP never advances toward BE, causing ohci_service_ed_list() to loop indefinitely and hang QEMU.

Add a check for MPS==0 after extracting the field from ED flags. If MPS is zero, call ohci_die() to reset the controller and return an error, preventing the infinite loop.

Fixes: CVE-2026-3890
Reported-by: Jenny Guanni Qu
Signed-off-by: Jenny Guanni Qu
Reviewed-by: Peter Maydell
Message-ID: <20260321000444.909451-1-qguanni@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit 129922c2bc398b656a9180150e667f98fdf0d402)
Signed-off-by: Michael Tokarev

diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c index 72a9f9f474..15406c51f6 100644 --- a/hw/usb/hcd-ohci.c +++ b/hw/usb/hcd-ohci.c
@@ -956,6 +956,17 @@ static int ohci_service_td(OHCIState *ohci, struct ohc= i_ed *ed) if (len && dir !=3D OHCI_TD_DIR_IN) { /* The endpoint may not allow us to transfer it all now */ pktlen =3D (ed->flags & OHCI_ED_MPS_MASK) >> OHCI_ED_MPS_SHIFT; + /* + * The OHCI spec does not say what to do if the guest hands us + * an endpoint descriptor which specifies a MaximumPacketSize + * of zero, which would mean we can never actually make forward + * progress transferring data to it. We choose to treat it as + * an error. + */ + if (pktlen =3D=3D 0) { + ohci_die(ohci); + return 1; + } if (pktlen > len) { pktlen =3D len; } --=20 2.47.3
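Review bot: the `pktlen == 0` check sits inside `if (len && dir != OHCI_TD_DIR_IN)`, so it only runs for non-IN transfers with a non-zero length. The commit message describes the stall in general terms (CBP never advancing toward BE); please confirm that an IN endpoint with MPS=0 cannot reach the same no-progress state, or move the check to a place that covers every direction. If ohci_die() does not already report the cause, a guest-error log naming the zero MaximumPacketSize just before it would make the controller reset diagnosable from the QEMU log.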
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Davidlohr Bueso, Jonathan Cameron, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.3 020/117] hw/cxl: Respect Media Operation max ops discovery semantics
Date: Tue, 12 May 2026 23:53:22 +0300
Message-ID: <20260512205503.361097-20-mjt@tls.msk.ru>

From: Davidlohr Bueso

The Discovery rejects requests where start_index + num_ops exceeds the total number of supported operations. Per CXL 4.0 Table 8-332, num_ops is the "Maximum number of Media Operation to return" - a maximum, not an exact count. The device should return up to that many entries, not reject the request.

Cap num_ops to the available entries from start_index instead of erroring the command.

Fixes: 77a8e9fe0ecb ("hw/cxl/cxl-mailbox-utils: Add support for Media operations discovery commands cxl r3.2 (8.2.10.9.5.3)")
Reviewed-by: Jonathan Cameron
Signed-off-by: Davidlohr Bueso
Message-ID: <20260319184256.3762391-2-dave@stgolabs.net>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit bc72b2996c0b3f46d422c612b5093500c468fd6c)
Signed-off-by: Michael Tokarev

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 9b99d44a80..02c198c5e3 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c @@ -1995,6 +1995,7 @@ static CXLRetCode media_operations_discovery(uint8_t = *payload_in, } QEMU_PACKED *media_op_in_disc_pl =3D (void *)payload_in; struct media_op_discovery_out_pl *media_out_pl =3D (struct media_op_discovery_out_pl *)payload_out; + int total =3D ARRAY_SIZE(media_op_matrix); int num_ops, start_index, i; int count =3D 0; =20
@@ -2011,24 +2012,20 @@ static CXLRetCode media_operations_discovery(uint8_= t *payload_in, * sub class command. */ if (media_op_in_disc_pl->dpa_range_count || - start_index + num_ops > ARRAY_SIZE(media_op_matrix)) { + start_index >=3D total) { return CXL_MBOX_INVALID_INPUT; } =20 media_out_pl->dpa_range_granularity =3D CXL_CACHE_LINE_SIZE; - media_out_pl->total_supported_operations =3D - ARRAY_SIZE(media_op_matrix); - if (num_ops > 0) { - for (i =3D start_index; i < start_index + num_ops; i++) { - media_out_pl->entry[count].media_op_class =3D - media_op_matrix[i].media_op_class; - media_out_pl->entry[count].media_op_subclass =3D - media_op_matrix[i].media_op_subclass; - count++; - if (count =3D=3D num_ops) { - break; - } - } + media_out_pl->total_supported_operations =3D total; + + num_ops =3D MIN(num_ops, total - start_index); + for (i =3D 0; i < num_ops; i++) { + media_out_pl->entry[count].media_op_class =3D + media_op_matrix[start_index + i].media_op_class; + media_out_pl->entry[count].media_op_subclass =3D + media_op_matrix[start_index + i].media_op_subclass; + count++; } =20 media_out_pl->num_of_supported_operations =3D count; --=20 2.47.3
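Review bot: the new `start_index >= total` test also rejects a request with start_index equal to total and num_ops of 0, which the old `start_index + num_ops > ARRAY_SIZE(media_op_matrix)` test accepted; please say in the commit message whether that change is intended. With total now a signed int, the bounds check and the `MIN(num_ops, total - start_index)` clamp only hold if start_index can never be negative. Its assignment is outside the hunk, so unsigned types or a short comment here would make that assumption explicit.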
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Davidlohr Bueso, Jonathan Cameron, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.3 021/117] hw/cxl: Exclude Discovery from Media Operation Discovery output
Date: Tue, 12 May 2026 23:53:23 +0300
Message-ID: <20260512205503.361097-21-mjt@tls.msk.ru>

From: Davidlohr Bueso

Per CXL 4.0 Table 8-331, the Discovery operation "returns a list of all Media Operations that the device supports, with the exception of the Discovery operation (Class=0, Subclass=0)."

Filter out Discovery entries when building the output list and adjust total_supported_operations accordingly.

Fixes: 77a8e9fe0ecb ("hw/cxl/cxl-mailbox-utils: Add support for Media operations discovery commands cxl r3.2 (8.2.10.9.5.3)")
Reviewed-by: Jonathan Cameron
Signed-off-by: Davidlohr Bueso
Message-ID: <20260319184256.3762391-3-dave@stgolabs.net>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit 20beec283b958e43cbe375ecbfb719e7af55e307)
Signed-off-by: Michael Tokarev

diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 02c198c5e3..2e4d697ccf 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c @@ -1995,7 +1995,7 @@ static CXLRetCode media_operations_discovery(uint8_t = *payload_in, } QEMU_PACKED *media_op_in_disc_pl =3D (void *)payload_in; struct media_op_discovery_out_pl *media_out_pl =3D (struct media_op_discovery_out_pl *)payload_out; - int total =3D ARRAY_SIZE(media_op_matrix); + int total =3D ARRAY_SIZE(media_op_matrix) - 1; /* exclude Discovery */ int num_ops, start_index, i; int count =3D 0; =20
@@ -2021,10 +2021,12 @@ static CXLRetCode media_operations_discovery(uint8_= t *payload_in, =20 num_ops =3D MIN(num_ops, total - start_index); for (i =3D 0; i < num_ops; i++) { + int idx =3D start_index + i + 1; /* skip Discovery (first entry) */ + media_out_pl->entry[count].media_op_class =3D - media_op_matrix[start_index + i].media_op_class; + media_op_matrix[idx].media_op_class; media_out_pl->entry[count].media_op_subclass =3D - media_op_matrix[start_index + i].media_op_subclass; + media_op_matrix[idx].media_op_subclass; count++; } =20 --=20 2.47.3
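Review bot: `total = ARRAY_SIZE(media_op_matrix) - 1` and `idx = start_index + i + 1` skip Discovery by position, relying on it being exactly the first entry of media_op_matrix, while the commit message talks about filtering out Discovery entries. The table definition is outside both hunks, so nothing visible here enforces that ordering. Add a comment or build-time assertion at the table, or filter on class 0 / subclass 0 inside the loop, so that a reordered or extended table cannot silently drop a real operation or report Discovery again.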
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Cédric Le Goater, Jamin Lin, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.3 022/117] hw/net/ftgmac100: Improve DMA error handling
Date: Tue, 12 May 2026 23:53:24 +0300
Message-ID: <20260512205503.361097-22-mjt@tls.msk.ru>

From: Cédric Le Goater

Currently, DMA memory operation errors in the ftgmac100 model are not all tested and this can lead to a guest-triggerable denial of service as described in https://gitlab.com/qemu-project/qemu/-/work_items/3335.

To fix this, check the return value of ftgmac100_write_bd() in the TX path and exit the TX loop on error to prevent further processing. In the event of a DMA error, also set FTGMAC100_INT_AHB_ERR interrupt flag as appropriate.

The FTGMAC100_INT_AHB_ERR interrupt status bit only applies to the AST2400 SoC; on newer Aspeed SoCs, it is a reserved bit. Nevertheless, since it is supported by the Linux driver and it should be safe to use in the QEMU implementation across all SoCs.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3335
Signed-off-by: Cédric Le Goater
Reviewed-by: Jamin Lin
Reviewed-by: Philippe Mathieu-Daudé
Message-ID: <20260322215732.387383-3-clg@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit fa4a759fc1e19b2185becfadb00c6d8e57462849)
Signed-off-by: Michael Tokarev

diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c index c41ce889cf..8d57adb03f 100644 --- a/hw/net/ftgmac100.c +++ b/hw/net/ftgmac100.c @@ -624,7 +624,10 @@ static void ftgmac100_do_tx(FTGMAC100State *s, uint64_= t tx_ring, bd.des0 &=3D ~FTGMAC100_TXDES0_TXDMA_OWN; =20 /* Write back the modified descriptor. */ - ftgmac100_write_bd(&bd, addr); + if (ftgmac100_write_bd(&bd, addr)) { + s->isr |=3D FTGMAC100_INT_AHB_ERR; + break; + } /* Advance to the next descriptor. */ if (bd.des0 & s->txdes0_edotr) { addr =3D tx_ring;
@@ -1134,7 +1137,10 @@ static ssize_t ftgmac100_receive(NetClientState *nc,= const uint8_t *buf, bd.des0 |=3D flags | FTGMAC100_RXDES0_LRS; s->isr |=3D FTGMAC100_INT_RPKT_BUF; } - ftgmac100_write_bd(&bd, addr); + if (ftgmac100_write_bd(&bd, addr)) { + s->isr |=3D FTGMAC100_INT_AHB_ERR; + break; + } if (bd.des0 & s->rxdes0_edorr) { addr =3D s->rx_ring; } else { --=20 2.47.3
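Review bot: in the ftgmac100_do_tx() hunk, the new error branch sets FTGMAC100_INT_AHB_ERR with no code comment, although the commit message explains that the bit is only defined on the AST2400 and is reserved on newer Aspeed SoCs. Put that one-line rationale next to `s->isr |= FTGMAC100_INT_AHB_ERR;` so it survives outside the commit log. Please also confirm that the code after the loop still updates the interrupt line on this `break` path, which the hunk does not show.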
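Review bot: the commit message describes only the TX path, but the ftgmac100_receive() hunk makes the same change on the RX path; mention that in the message. What the function returns after the new `break` lies outside the hunk, so check that a failed descriptor write-back is not reported to the net layer as a successfully received packet.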
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Cédric Le Goater, Jamin Lin, Michael Tokarev
Subject: [Stable-10.2.3 023/117] hw/ssi/aspeed_smc: Convert mem ops to read/write_with_attrs for error handling
Date: Tue, 12 May 2026 23:53:25 +0300
Message-ID: <20260512205503.361097-23-mjt@tls.msk.ru>

From: Cédric Le Goater

Error conditions (invalid flash mode, unwritable flash) now return MEMTX_ERROR instead of silently succeeding or returning undefined values. This allows the memory subsystem to properly propagate transaction errors to the guest, improving QEMU reliability.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3335
Reviewed-by: Jamin Lin
Link: https://lore.kernel.org/qemu-devel/20260323125545.577653-2-clg@redhat.com
Signed-off-by: Cédric Le Goater
(cherry picked from commit 80c5be945877ea3f258679c6042df8f0efd77202)
Signed-off-by: Michael Tokarev

diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c index e33496f502..4153aed3f2 100644 --- a/hw/ssi/aspeed_smc.c +++ b/hw/ssi/aspeed_smc.c @@ -493,17 +493,18 @@ static void aspeed_smc_flash_setup(AspeedSMCFlash *fl= , uint32_t addr) } } =20 -static uint64_t aspeed_smc_flash_read(void *opaque, hwaddr addr, unsigned = size) +static MemTxResult aspeed_smc_flash_read(void *opaque, hwaddr addr, + uint64_t *data, unsigned size, MemTxAttrs= attrs) { AspeedSMCFlash *fl =3D opaque; AspeedSMCState *s =3D fl->controller; - uint64_t ret =3D 0; int i; =20 + *data =3D 0; switch (aspeed_smc_flash_mode(fl)) { case CTRL_USERMODE: for (i =3D 0; i < size; i++) { - ret |=3D (uint64_t) ssi_transfer(s->spi, 0x0) << (8 * i); + *data |=3D (uint64_t) ssi_transfer(s->spi, 0x0) << (8 * i); } break; case CTRL_READMODE: @@ -512,18 +513,19 @@ static uint64_t aspeed_smc_flash_read(void *opaque, h= waddr addr, unsigned size) aspeed_smc_flash_setup(fl, addr); =20 for (i =3D 0; i < size; i++) { - ret |=3D (uint64_t) ssi_transfer(s->spi, 0x0) << (8 * i); + *data |=3D (uint64_t) ssi_transfer(s->spi, 0x0) << (8 * i); } =20 aspeed_smc_flash_unselect(fl); break; default: aspeed_smc_error("invalid flash mode %d", aspeed_smc_flash_mode(fl= )); + return MEMTX_ERROR; } =20 - trace_aspeed_smc_flash_read(fl->cs, addr, size, ret, + trace_aspeed_smc_flash_read(fl->cs, addr, size, *data, aspeed_smc_flash_mode(fl)); - return ret; + return MEMTX_OK; } =20 /* @@ -624,8 +626,8 @@ static bool aspeed_smc_do_snoop(AspeedSMCFlash *fl, ui= nt64_t data, return false; } =20 -static void aspeed_smc_flash_write(void *opaque, hwaddr addr, uint64_t dat= a, - unsigned size) +static MemTxResult aspeed_smc_flash_write(void *opaque, hwaddr addr, + uint64_t data, unsigned size, MemTxAttr= s attrs) { AspeedSMCFlash *fl =3D opaque; AspeedSMCState *s =3D fl->controller;
@@ -636,7 +638,7 @@ static void aspeed_smc_flash_write(void *opaque, hwaddr= addr, uint64_t data, =20 if (!aspeed_smc_is_writable(fl)) { aspeed_smc_error("flash is not writable at 0x%" HWADDR_PRIx, addr); - return; + return MEMTX_ERROR; } =20 switch (aspeed_smc_flash_mode(fl)) { @@ -661,12 +663,15 @@ static void aspeed_smc_flash_write(void *opaque, hwad= dr addr, uint64_t data, break; default: aspeed_smc_error("invalid flash mode %d", aspeed_smc_flash_mode(fl= )); + return MEMTX_ERROR; } + + return MEMTX_OK; } =20 static const MemoryRegionOps aspeed_smc_flash_ops =3D { - .read =3D aspeed_smc_flash_read, - .write =3D aspeed_smc_flash_write, + .read_with_attrs =3D aspeed_smc_flash_read, + .write_with_attrs =3D aspeed_smc_flash_write, .endianness =3D DEVICE_LITTLE_ENDIAN, .valid =3D { .min_access_size =3D 1, @@ -754,7 +759,8 @@ static void aspeed_smc_reset(DeviceState *d) s->snoop_dummies =3D 0; } =20 -static uint64_t aspeed_smc_read(void *opaque, hwaddr addr, unsigned int si= ze) +static MemTxResult aspeed_smc_read(void *opaque, hwaddr addr, uint64_t *da= ta, + unsigned int size, MemTxAttrs attrs) { AspeedSMCState *s =3D ASPEED_SMC(opaque); AspeedSMCClass *asc =3D ASPEED_SMC_GET_CLASS(opaque); @@ -782,12 +788,13 @@ static uint64_t aspeed_smc_read(void *opaque, hwaddr = addr, unsigned int size) =20 trace_aspeed_smc_read(addr << 2, size, s->regs[addr]); =20 - return s->regs[addr]; + *data =3D s->regs[addr]; } else { qemu_log_mask(LOG_UNIMP, "%s: not implemented: 0x%" HWADDR_PRIx "\= n", __func__, addr); - return -1; + *data =3D -1; } + return MEMTX_OK; } =20 static uint8_t aspeed_smc_hclk_divisor(uint8_t hclk_mask) 
@@ -1108,8 +1115,8 @@ static void aspeed_2600_smc_dma_ctrl(AspeedSMCState *= s, uint32_t dma_ctrl) s->regs[R_DMA_CTRL] &=3D ~(DMA_CTRL_REQUEST | DMA_CTRL_GRANT); } =20 -static void aspeed_smc_write(void *opaque, hwaddr addr, uint64_t data, - unsigned int size) +static MemTxResult aspeed_smc_write(void *opaque, hwaddr addr, uint64_t da= ta, + unsigned int size, MemTxAttrs attrs) { AspeedSMCState *s =3D ASPEED_SMC(opaque); AspeedSMCClass *asc =3D ASPEED_SMC_GET_CLASS(s); @@ -1159,13 +1166,13 @@ static void aspeed_smc_write(void *opaque, hwaddr a= ddr, uint64_t data, } else { qemu_log_mask(LOG_UNIMP, "%s: not implemented: 0x%" HWADDR_PRIx "\= n", __func__, addr); - return; } + return MEMTX_OK; } =20 static const MemoryRegionOps aspeed_smc_ops =3D { - .read =3D aspeed_smc_read, - .write =3D aspeed_smc_write, + .read_with_attrs =3D aspeed_smc_read, + .write_with_attrs =3D aspeed_smc_write, .endianness =3D DEVICE_LITTLE_ENDIAN, }; =20 
@@ -2007,8 +2014,8 @@ static const uint32_t aspeed_2700_fmc_resets[ASPEED_S= MC_R_MAX] =3D { }; =20 static const MemoryRegionOps aspeed_2700_smc_flash_ops =3D { - .read =3D aspeed_smc_flash_read, - .write =3D aspeed_smc_flash_write, + .read_with_attrs =3D aspeed_smc_flash_read, + .write_with_attrs =3D aspeed_smc_flash_write, .endianness =3D DEVICE_LITTLE_ENDIAN, .valid =3D { .min_access_size =3D 1, --=20 2.47.3
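Review bot: in the aspeed_smc_read() and aspeed_smc_write() hunks every path returns MEMTX_OK, including the LOG_UNIMP branches (the read still hands back `*data = -1`), so converting aspeed_smc_ops to read_with_attrs/write_with_attrs adds no error reporting for the register window. Either state in the commit message that the register ops are converted only for consistency with the flash ops, or return MEMTX_ERROR for unimplemented registers if that is the intent. The commit message lists only the flash error conditions, which matches the aspeed_smc_flash_read() and aspeed_smc_flash_write() hunks.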
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Jose Martins, Peter Maydell, Gustavo Romero, Michael Tokarev
Subject: [Stable-10.2.3 024/117] target/arm: fix s2prot not set for two-stage PMSA translations
Date: Tue, 12 May 2026 23:53:26 +0300
Message-ID: <20260512205503.361097-24-mjt@tls.msk.ru>

From: Jose Martins

Commit a811c5dafb7 ("target/arm: Implement get_S2prot_indirect")
changed get_phys_addr_twostage() to combine stage 1 and stage 2
permissions using the new s2prot field:

    result->f.prot = s1_prot & result->s2prot;

The LPAE stage 2 path sets result->s2prot explicitly, but the PMSA
stage 2 path (get_phys_addr_pmsav8) only sets result->f.prot, leaving
s2prot at zero. This causes the combined permission to be zero,
resulting in addr_read being set to -1 in the TLB entry and triggering
an assertion in atomic_mmu_lookup() when the guest executes an atomic
instruction on a two-stage PMSA platform (e.g. Cortex-R52 with EL2).

Set s2prot from f.prot after the PMSA stage 2 lookup, consistent with
what the LPAE path does.

Cc: qemu-stable@nongnu.org
Fixes: a811c5dafb7 ("target/arm: Implement get_S2prot_indirect")
Signed-off-by: Jose Martins
[PMM: refer to the right commit in the commit message]
Reviewed-by: Peter Maydell
Message-id: 20260321231916.2852653-1-josemartins90@gmail.com
Reviewed-by: Gustavo Romero
Signed-off-by: Peter Maydell
(cherry picked from commit 32ebd6c09c18f860671030060cfedabd94c846fb)
Signed-off-by: Michael Tokarev

diff --git a/target/arm/ptw.c b/target/arm/ptw.c index 2e6b149b2d..b2ae00b89e 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c
@@ -3210,6 +3210,13 @@ static bool get_phys_addr_pmsav8(CPUARMState *env, =20 ret =3D pmsav8_mpu_lookup(env, address, access_type, ptw->in_prot_chec= k, mmu_idx, secure, result, fi, NULL); + /* + * For two-stage PMSA translations, s2prot holds the stage 2 + * permissions to be combined with stage 1 in get_phys_addr_twostage(). + */ + if (regime_is_stage2(mmu_idx)) { + result->s2prot =3D result->f.prot; + } if (sattrs.subpage) { result->f.lg_page_size =3D 0; } --=20 2.47.3
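Review bot: the new assignment of result->s2prot in get_phys_addr_pmsav8() runs right after pmsav8_mpu_lookup() returns and before ret is examined on any visible line, so it also executes when the lookup reports a fault. If result is not meant to be consumed in that case, say so in the new comment or move the assignment under a check of ret, so the reader does not have to work out whether a faulting stage 2 lookup can leak its f.prot into the combined permissions. Since the commit message describes a concrete failure (an assertion in atomic_mmu_lookup() on a two-stage PMSA platform), a regression test that executes an atomic instruction in that configuration would keep the PMSA and LPAE paths from drifting apart again.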
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Richard Henderson, Michael Tokarev
Subject: [Stable-10.2.3 025/117] linux-user/i386/signal.c: Correct definition of target_fpstate_32
Date: Tue, 12 May 2026 23:53:27 +0300
Message-ID: <20260512205503.361097-25-mjt@tls.msk.ru>

From: Peter Maydell

Our definition of the target_fpstate_32 struct doesn't match the
kernel's version.

We only use this struct definition in the definition of
'struct sigframe', where it is used in a field that is present only for
legacy reasons to retain the offset of the following 'extramask' field.
So really all that matters is its length, and we do get that right; but
our previous definition using X86LegacySaveArea implicitly added an
extra alignment constraint (because X86LegacySaveArea is tagged as
16-aligned) which the real target_fpstate_32 does not have.

Because we allocate and use a 'struct sigframe' on the guest's stack
with the guest's alignment requirements, this resulted in the
undefined-behaviour sanitizer complaining during 'make check-tcg' for
i386-linux-user:

../../linux-user/i386/signal.c:471:35: runtime error: member access within misaligned address 0x1000c07f75ec for type 'struct sigframe', which requires 16 byte alignment
0x1000c07f75ec: note: pointer points here
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ^
../../linux-user/i386/signal.c:808:5: runtime error: member access within misaligned address 0x1000c07f75f4 for type 'struct target_sigcontext_32', which requires 8 byte alignment
0x1000c07f75f4: note: pointer points here
  0a 00 00 00 33 00 00 00 00 00 00 00 2b 00 00 00 2b 00 00 00 40 05 80 40 f4 7f 10 08 58 05 80 40
  ^

and various similar errors.

Replace the use of X86LegacyXSaveArea with a set of fields that match
the kernel _fpstate_32 struct, and assert that the length is correct.
We could equally have used

    uint8_t legacy_area[512];

but following the kernel is probably less confusing overall.

Since in target/i386/cpu.h we assert that X86LegacySaveArea is 512
bytes, and in linux-user/i386/signal.c we assert that
target_fregs_state is (32 + 80) bytes, the new assertion confirms that
we didn't change the size of target_fpstate_32 here, only its alignment
requirements.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell
Reviewed-by: Richard Henderson
Message-id: 20260305161739.1775232-1-peter.maydell@linaro.org
(cherry picked from commit 0376e9c2dd1f46dd779ebc85f40f7a8cfa46ed6f)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/i386/signal.c b/linux-user/i386/signal.c index 0f11dba831..b646fde431 100644 --- a/linux-user/i386/signal.c +++ b/linux-user/i386/signal.c
@@ -60,10 +60,33 @@ struct target_fpx_sw_bytes { }; QEMU_BUILD_BUG_ON(sizeof(struct target_fpx_sw_bytes) !=3D 12*4); =20 +struct fpxreg { + uint16_t significand[4]; + uint16_t exponent; + uint16_t padding[3]; +}; + +struct xmmreg { + uint32_t element[4]; +}; + +/* + * This corresponds to the kernel's _fpstate_32. Since we + * only use it for the fpstate_unused padding section in + * the target sigcontext, it doesn't actually matter what fields + * we define here as long as we get the size right. + */ struct target_fpstate_32 { struct target_fregs_state fpstate; - X86LegacyXSaveArea fxstate; + uint32_t fxsr_env[6]; + uint32_t mxcsr; + uint32_t reserved; + struct fpxreg fxsr_st[8]; + struct xmmreg xmm[8]; + uint32_t padding1[44]; + uint32_t padding2[12]; /* aka sw_reserved */ }; +QEMU_BUILD_BUG_ON(sizeof(struct target_fpstate_32) !=3D 32 + 80 + 512); =20 struct target_sigcontext_32 { uint16_t gs, __gsh; --=20 2.47.3
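Review bot: the QEMU_BUILD_BUG_ON added after struct target_fpstate_32 checks only sizeof, but the defect described in the commit message was an alignment requirement rather than a size error, so a later change that reintroduces a 16-aligned member would still pass this assertion. Consider a second build-time check on __alignof__(struct target_fpstate_32) next to it; the expected value depends on struct target_fregs_state, whose definition is not in this hunk. The new comment above the struct also says that only the size matters, which is exactly the assumption that led to the bug, so it should mention that the struct must not raise the alignment of struct sigframe.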
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Tao Ding, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 026/117] hw/dma/pl080: Fix transfer logic in PL080
Date: Tue, 12 May 2026 23:53:28 +0300
Message-ID: <20260512205503.361097-26-mjt@tls.msk.ru>

From: Tao Ding

The logic in the PL080 for transferring data has multiple bugs:

 * The TransferSize field in the channel control register counts
   in units of the source width; because our loop may do multiple
   source loads if the destination width is greater than the
   source width, we need to decrement it by (xsize / swidth),
   not by 1, each loop
 * It is documented in the TRM that it is a software error to program
   the source and destination width such that SWidth < DWidth and
   TransferSize * SWidth is not a multiple of DWidth. (This would
   mean that there isn't enough data to do a full final destination
   write.) We weren't doing anything sensible with this case.
   The TRM doesn't document what the hardware actually does (though
   it drops some hints that suggest that it probably over-reads
   from the source).
 * In the loop to write to the destination, each loop adds swidth
   to ch->dest for each loop and also uses (ch->dest + n) as the
   destination address. This moves the destination address on
   further than we should each time round the loop, and also
   is incrementing ch->dest by swidth when it should be dwidth.

This patch fixes these problems:
 * decrement TransferSize by the correct amount
 * log and ignore the transfer size mismatch case
 * correct the loop logic for the destination writes

A repro case which exercises some of this is as follows. It
configures swidth to 1 byte, dwidth to 4 bytes, and transfer size 4,
for a transfer from 0x00000000 to 0x000010000. Examining the
destination memory in the QEMU monitor should show that the source
data 0x44332211 has all been copied, but before this fix it is not:

./qemu-system-arm -M versatilepb -m 128M -nographic -S \
  -device loader,addr=0x00000000,data=0x44332211,data-len=4 \
  -device loader,addr=0x00001000,data=0x00000000,data-len=4 \
  -device loader,addr=0x10130030,data=0x00000001,data-len=4 \
  -device loader,addr=0x10130100,data=0x00000000,data-len=4 \
  -device loader,addr=0x10130104,data=0x00001000,data-len=4 \
  -device loader,addr=0x10130108,data=0x00000000,data-len=4 \
  -device loader,addr=0x1013010C,data=0x9e47f004,data-len=4 \
  -device loader,addr=0x10130110,data=0x0000c001,data-len=4

Without this patch the QEMU monitor shows:
(qemu) xp /1wx 0x00001000
00001000: 0x00002211

Correct result:
(qemu) xp /1wx 0x00001000
00001000: 0x44332211

Cc: qemu-stable@nongnu.org
Suggested-by: Peter Maydell
Signed-off-by: Tao Ding
[PMM: Wrote up what we are fixing in the commit message]
Reviewed-by: Peter Maydell
Signed-off-by: Peter Maydell
(cherry picked from commit 5a2fa06b0957adad46ba1abe923bca04aad9a4d2)
Signed-off-by: Michael Tokarev

diff --git a/hw/dma/pl080.c b/hw/dma/pl080.c index 18f5de3e04..c198e3582b 100644 --- a/hw/dma/pl080.c +++ b/hw/dma/pl080.c
@@ -179,23 +179,28 @@ again: c, extract32(ch->ctrl, 21, 3)); continue; } - - for (n =3D 0; n < dwidth; n+=3D swidth) { + if ((size * swidth) % dwidth) { + qemu_log_mask(LOG_GUEST_ERROR, + "pl080: channel %d: transfer size mismatch: size=3D%d = swidth=3D%d dwidth=3D%d\n", + c, size, swidth, dwidth); + continue; + } + xsize =3D MAX(swidth, dwidth); + for (n =3D 0; n < xsize; n +=3D swidth) { address_space_read(&s->downstream_as, ch->src, MEMTXATTRS_UNSPECIFIED, buff + n, swidt= h); if (ch->ctrl & PL080_CCTRL_SI) ch->src +=3D swidth; } - xsize =3D (dwidth < swidth) ? swidth : dwidth; /* ??? This may pad the value incorrectly for dwidth < 32. */ for (n =3D 0; n < xsize; n +=3D dwidth) { - address_space_write(&s->downstream_as, ch->dest + n, + address_space_write(&s->downstream_as, ch->dest, MEMTXATTRS_UNSPECIFIED, buff + n, dwid= th); if (ch->ctrl & PL080_CCTRL_DI) - ch->dest +=3D swidth; + ch->dest +=3D dwidth; } =20 - size--; + size -=3D xsize / swidth; ch->ctrl =3D (ch->ctrl & 0xfffff000) | size; if (size =3D=3D 0) { /* Transfer complete. 
*/ --=20 2.47.3
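Review bot: the new (size * swidth) % dwidth check in the pl080.c hunk has no comment tying it to the TRM rule the commit message cites, and on the lines shown it only logs and does continue, leaving the channel's control word as the guest programmed it. A short comment stating that the transfer is deliberately skipped, because SWidth < DWidth with a TransferSize that does not fill a whole number of destination writes is a documented software error, would save the next reader a trip to the TRM and make it clear that the subtraction of xsize / swidth from size relies on this check. The retained comment "??? This may pad the value incorrectly for dwidth < 32." now sits directly above the rewritten write loop; please confirm it still describes a real limitation or drop it.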
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Hanna Czenczek, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.2.3 027/117] linux-aio: Put all parameters into qemu_laiocb
Date: Tue, 12 May 2026 23:53:29 +0300
Message-ID: <20260512205503.361097-27-mjt@tls.msk.ru>

From: Hanna Czenczek

Put all request parameters into the qemu_laiocb struct, which will allow
re-submitting the tail of short reads/writes.

Reviewed-by: Kevin Wolf
Signed-off-by: Hanna Czenczek
Message-ID: <20260324084338.37453-2-hreitz@redhat.com>
Signed-off-by: Kevin Wolf
(cherry picked from commit cc03b62df47a09c507e199cc043f57bdc941cc67)
Signed-off-by: Michael Tokarev

diff --git a/block/linux-aio.c b/block/linux-aio.c index c200e7ad20..c2c5e11946 100644 --- a/block/linux-aio.c +++ b/block/linux-aio.c
@@ -41,9 +41,15 @@ struct qemu_laiocb { LinuxAioState *ctx; struct iocb iocb; ssize_t ret; + off_t offset; size_t nbytes; QEMUIOVector *qiov; - bool is_read; + + int fd; + int type; + BdrvRequestFlags flags; + + uint64_t dev_max_batch; QSIMPLEQ_ENTRY(qemu_laiocb) next; }; =20 @@ -87,7 +93,7 @@ static void qemu_laio_process_completion(struct qemu_laio= cb *laiocb) ret =3D 0; } else if (ret >=3D 0) { /* Short reads mean EOF, pad with zeros. */ - if (laiocb->is_read) { + if (laiocb->type =3D=3D QEMU_AIO_READ) { qemu_iovec_memset(laiocb->qiov, ret, 0, laiocb->qiov->size - ret); } else { @@ -367,23 +373,23 @@ static void laio_deferred_fn(void *opaque) } } =20 -static int laio_do_submit(int fd, struct qemu_laiocb *laiocb, off_t offset, - int type, BdrvRequestFlags flags, - uint64_t dev_max_batch) +static int laio_do_submit(struct qemu_laiocb *laiocb) { LinuxAioState *s =3D laiocb->ctx; struct iocb *iocbs =3D &laiocb->iocb; QEMUIOVector *qiov =3D laiocb->qiov; + int fd =3D laiocb->fd; + off_t offset =3D laiocb->offset; =20 - switch (type) { + switch (laiocb->type) { case QEMU_AIO_WRITE: #ifdef HAVE_IO_PREP_PWRITEV2 { - int laio_flags =3D (flags & BDRV_REQ_FUA) ? RWF_DSYNC : 0; + int laio_flags =3D (laiocb->flags & BDRV_REQ_FUA) ? RWF_DSYNC : 0; io_prep_pwritev2(iocbs, fd, qiov->iov, qiov->niov, offset, laio_fl= ags); } #else - assert(flags =3D=3D 0); + assert(laiocb->flags =3D=3D 0); io_prep_pwritev(iocbs, fd, qiov->iov, qiov->niov, offset); #endif break; @@ -399,7 +405,7 @@ static int laio_do_submit(int fd, struct qemu_laiocb *l= aiocb, off_t offset, /* Currently Linux kernel does not support other operations */ default: fprintf(stderr, "%s: invalid AIO request type 0x%x.\n", - __func__, type); + __func__, laiocb->type); return -EIO; } io_set_eventfd(&laiocb->iocb, event_notifier_get_fd(&s->e)); 
@@ -407,7 +413,7 @@ static int laio_do_submit(int fd, struct qemu_laiocb *l= aiocb, off_t offset, QSIMPLEQ_INSERT_TAIL(&s->io_q.pending, laiocb, next); s->io_q.in_queue++; if (!s->io_q.blocked) { - if (s->io_q.in_queue >=3D laio_max_batch(s, dev_max_batch)) { + if (s->io_q.in_queue >=3D laio_max_batch(s, laiocb->dev_max_batch)= ) { ioq_submit(s); } else { defer_call(laio_deferred_fn, s); 
@@ -425,14 +431,18 @@ int coroutine_fn laio_co_submit(int fd, uint64_t offs= et, QEMUIOVector *qiov, AioContext *ctx =3D qemu_get_current_aio_context(); struct qemu_laiocb laiocb =3D { .co =3D qemu_coroutine_self(), + .offset =3D offset, .nbytes =3D qiov ? qiov->size : 0, .ctx =3D aio_get_linux_aio(ctx), .ret =3D -EINPROGRESS, - .is_read =3D (type =3D=3D QEMU_AIO_READ), .qiov =3D qiov, + .fd =3D fd, + .type =3D type, + .flags =3D flags, + .dev_max_batch =3D dev_max_batch, }; =20 - ret =3D laio_do_submit(fd, &laiocb, offset, type, flags, dev_max_batch= ); + ret =3D laio_do_submit(&laiocb); if (ret < 0) { return ret; } --=20 2.47.3
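Review bot: the fields added to struct qemu_laiocb (offset, fd, type, flags, dev_max_batch) carry no comments, and the commit message says they exist so that the tail of a short read or write can be resubmitted. Please document in the struct which fields stay fixed for the life of the request and which ones a resubmission is expected to update, since laio_do_submit() now reads everything from the struct and a stale offset or nbytes would silently target the wrong range. A smaller point in laio_co_submit(): the initializer stores the uint64_t offset parameter into the off_t field, so the conversion that used to happen at the laio_do_submit() call is now baked into the stored request and deserves a brief note or an explicit check.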
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Hanna Czenczek, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.2.3 028/117] linux-aio: Resubmit tails of short reads/writes
Date: Tue, 12 May 2026 23:53:30 +0300
Message-ID: <20260512205503.361097-28-mjt@tls.msk.ru>

From: Hanna Czenczek

Short reads/writes can happen. One way to reproduce them is via our
FUSE export, with the following diff applied (%s/escaped // to apply --
if you put plain diffs in commit messages, git-am will apply them, and I
would rather avoid breaking FUSE accidentally via this patch):

escaped diff --git a/block/export/fuse.c b/block/export/fuse.c escaped index a2a478d293..67dc50a412 100644 escaped --- a/block/export/fuse.c escaped +++ b/block/export/fuse.c
@@ -828,7 +828,7 @@ static ssize_t coroutine_fn GRAPH_RDLOCK fuse_co_init(FuseExport *exp, struct fuse_init_out *out, const struct fuse_init_in_compat *in) { - const uint32_t supported_flags =3D FUSE_ASYNC_READ | FUSE_ASYNC_DIO; + const uint32_t supported_flags =3D FUSE_ASYNC_READ; if (in->major !=3D 7) { error_report("FUSE major version mismatch: We have 7, but kernel h= as %" @@ -1060,6 +1060,8 @@ fuse_co_read(FuseExport *exp, void **bufptr, uint64_t= offset, uint32_t size) void *buf; int ret; + size =3D MIN(size, 4096); + /* Limited by max_read, should not happen */ if (size > FUSE_MAX_READ_BYTES) { return -EINVAL; 
@@ -1110,6 +1112,8 @@ fuse_co_write(FuseExport *exp, struct fuse_write_out = *out, int64_t blk_len; int ret; + size =3D MIN(size, 4096); + QEMU_BUILD_BUG_ON(FUSE_MAX_WRITE_BYTES > BDRV_REQUEST_MAX_BYTES); /* Limited by max_write, should not happen */ if (size > FUSE_MAX_WRITE_BYTES) { Then: $ ./qemu-img create -f raw test.raw 8k Formatting 'test.raw', fmt=3Draw size=3D8192 $ ./qemu-io -f raw -c 'write -P 42 0 8k' test.raw wrote 8192/8192 bytes at offset 0 8 KiB, 1 ops; 00.00 sec (64.804 MiB/sec and 8294.9003 ops/sec) $ hexdump -C test.raw 00000000 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a |**************= **| * 00002000 With aio=3Dthreads, short I/O works: $ storage-daemon/qemu-storage-daemon \ --blockdev file,node-name=3Dtest,filename=3Dtest.raw \ --export fuse,id=3Dexp,node-name=3Dtest,mountpoint=3Dtest.raw,writable= =3Dtrue Other shell: $ ./qemu-io --image-opts -c 'read -P 42 0 8k' \ driver=3Dfile,filename=3Dtest.raw,cache.direct=3Don,aio=3Dthreads read 8192/8192 bytes at offset 0 8 KiB, 1 ops; 00.00 sec (36.563 MiB/sec and 4680.0923 ops/sec) $ ./qemu-io --image-opts -c 'write -P 23 0 8k' \ driver=3Dfile,filename=3Dtest.raw,cache.direct=3Don,aio=3Dthreads wrote 8192/8192 bytes at offset 0 8 KiB, 1 ops; 00.00 sec (35.995 MiB/sec and 4607.2970 ops/sec) $ hexdump -C test.raw 00000000 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 |..............= ..| * 00002000 But with aio=3Dnative, it does not: $ ./qemu-io --image-opts -c 'read -P 23 0 8k' \ driver=3Dfile,filename=3Dtest.raw,cache.direct=3Don,aio=3Dnative Pattern verification failed at offset 0, 8192 bytes read 8192/8192 bytes at offset 0 8 KiB, 1 ops; 00.00 sec (86.155 MiB/sec and 11027.7900 ops/sec) $ ./qemu-io --image-opts -c 'write -P 42 0 8k' \ driver=3Dfile,filename=3Dtest.raw,cache.direct=3Don,aio=3Dnative write failed: No space left on device $ hexdump -C test.raw 00000000 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a |**************= **| * 00001000 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 17 
|..............= ..| * 00002000 This patch fixes that. Reviewed-by: Kevin Wolf Signed-off-by: Hanna Czenczek Message-ID: <20260324084338.37453-3-hreitz@redhat.com> Signed-off-by: Kevin Wolf (cherry picked from commit 7eca3d4883be8d328377001a9ea7ae9882b00f3c) Signed-off-by: Michael Tokarev diff --git a/block/linux-aio.c b/block/linux-aio.c index c2c5e11946..84397de54c 100644 --- a/block/linux-aio.c +++ b/block/linux-aio.c @@ -45,6 +45,10 @@ struct qemu_laiocb { size_t nbytes; QEMUIOVector *qiov; =20 + /* For handling short reads/writes */ + size_t total_done; + QEMUIOVector resubmit_qiov; + int fd; int type; BdrvRequestFlags flags; 
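Review bot: The two fields added to struct qemu_laiocb are read as state before anything in this patch writes them: laio_resubmit_short_io() treats resubmit_qiov.iov == NULL as "not yet initialised", and laio_do_submit() adds total_done to the offset on the very first submission. No hunk here initialises either field, so correctness depends on every site that creates a qemu_laiocb zero-filling it. Please confirm that holds for all of them and say so in the field comment, for example "zero until the first short completion".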
@@ -74,28 +78,61 @@ struct LinuxAioState { }; =20 static void ioq_submit(LinuxAioState *s); +static int laio_do_submit(struct qemu_laiocb *laiocb); =20 static inline ssize_t io_event_ret(struct io_event *ev) { return (ssize_t)(((uint64_t)ev->res2 << 32) | ev->res); } =20 +/** + * Retry tail of short requests. + */ +static int laio_resubmit_short_io(struct qemu_laiocb *laiocb, size_t done) +{ + QEMUIOVector *resubmit_qiov =3D &laiocb->resubmit_qiov; + + laiocb->total_done +=3D done; + + if (!resubmit_qiov->iov) { + qemu_iovec_init(resubmit_qiov, laiocb->qiov->niov); + } else { + qemu_iovec_reset(resubmit_qiov); + } + qemu_iovec_concat(resubmit_qiov, laiocb->qiov, + laiocb->total_done, laiocb->nbytes - laiocb->total_d= one); + + return laio_do_submit(laiocb); +} + /* * Completes an AIO request. */ static void qemu_laio_process_completion(struct qemu_laiocb *laiocb) { - int ret; + ssize_t ret; =20 ret =3D laiocb->ret; if (ret !=3D -ECANCELED) { - if (ret =3D=3D laiocb->nbytes) { + if (ret =3D=3D laiocb->nbytes - laiocb->total_done) { ret =3D 0; + } else if (ret > 0 && (laiocb->type =3D=3D QEMU_AIO_READ || + laiocb->type =3D=3D QEMU_AIO_WRITE)) { + ret =3D laio_resubmit_short_io(laiocb, ret); + if (!ret) { + return; + } } else if (ret >=3D 0) { - /* Short reads mean EOF, pad with zeros. */ + /* + * For normal reads and writes, we only get here if ret =3D=3D= 0, which + * means EOF for reads and ENOSPC for writes. + * For zone-append, we get here with any ret >=3D 0, which we = just + * treat as ENOSPC, too (safer than resubmitting, probably, bu= t not + * 100 % clear). + */ if (laiocb->type =3D=3D QEMU_AIO_READ) { - qemu_iovec_memset(laiocb->qiov, ret, 0, - laiocb->qiov->size - ret); + qemu_iovec_memset(laiocb->qiov, laiocb->total_done, 0, + laiocb->qiov->size - laiocb->total_done); } else { ret =3D -ENOSPC; } 
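Review bot: laio_resubmit_short_io() adds done to total_done and then computes laiocb->nbytes - laiocb->total_done in size_t, with no check that the completion did not exceed what was still outstanding. The caller only filters on ret > 0 and ret != nbytes - total_done, so a result larger than the remainder would underflow the length handed to qemu_iovec_concat() and move the next offset past the end of the request. An assert(done <= laiocb->nbytes - laiocb->total_done); before the addition would turn that into a clean failure instead of a wrapped size.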
@@ -103,6 +140,9 @@ static void qemu_laio_process_completion(struct qemu_la= iocb *laiocb) } =20 laiocb->ret =3D ret; + if (laiocb->resubmit_qiov.iov) { + qemu_iovec_destroy(&laiocb->resubmit_qiov); + } =20 /* * If the coroutine is already entered it must be in ioq_submit() and 
@@ -379,7 +419,11 @@ static int laio_do_submit(struct qemu_laiocb *laiocb) struct iocb *iocbs =3D &laiocb->iocb; QEMUIOVector *qiov =3D laiocb->qiov; int fd =3D laiocb->fd; - off_t offset =3D laiocb->offset; + off_t offset =3D laiocb->offset + laiocb->total_done; + + if (laiocb->resubmit_qiov.iov) { + qiov =3D &laiocb->resubmit_qiov; + } =20 switch (laiocb->type) { case QEMU_AIO_WRITE: --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620632; cv=none; d=zohomail.com; s=zohoarc; b=YCg/SFz7nPapOa6Mi94klMRgI4i/hFanlHOyth9+Grg1tk1x4TMfY6T0Z1n/NZs3lRAyL0yRAQ4ru6z0M+eOP9/SCU5XnT4gm8YuZOICKdL+dcHyVBo/i1P2MRhX3vxRhKI6ECYJBAi8j1jaQ+JiLSo58cYEDfFOTGaSzb3TlcA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620632; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=iD6IwrQ4wb4j2xAjIyQ1CR1wf1//UR7tr+wBUy4JFvg=; b=ez+KcbeJ9483+fioOt0/0ToYZw5Q5cfOTZQIbngdmwL9VY9aYrDBbU7PH2zPeWWtSv0sWgjMJXe5Ocq0wsrsLe3ScctHAPJ1DAm0ach40wCLCeJhkNHJy+mA9V5kz6ig8oYQtUrvCJtb5tI6Gbas590F8dTFvhgBJ/EP1f1abwg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620632342689.2406738986363; Tue, 12 May 2026 14:17:12 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 
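The completion rule described in the linux-aio commit message above, reduced to a synchronous C model as an added example (this is not QEMU code). `backend_io`, `complete_once` and `complete_with_resubmit` are hypothetical names, the 8 KiB buffer is a constructed stand-in for test.raw, and the 4 KiB cap mirrors the `MIN(size, 4096)` reproducer.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed 8 KiB in-memory image standing in for test.raw. */
#define DEV_SIZE 8192
/* Per-call transfer cap, mirroring MIN(size, 4096) in the reproducer diff. */
#define SHORT_IO_CAP 4096

typedef enum { IO_READ, IO_WRITE } io_type;

static unsigned char dev[DEV_SIZE];

/* One backend call: moves at most SHORT_IO_CAP bytes, returns 0 at end of device. */
static ssize_t backend_io(io_type type, void *buf, size_t len, off_t off)
{
    if (off < 0) {
        return -EINVAL;
    }
    if (off >= DEV_SIZE) {
        return 0;
    }
    size_t n = DEV_SIZE - (size_t)off;
    if (n > len) {
        n = len;
    }
    if (n > SHORT_IO_CAP) {
        n = SHORT_IO_CAP;
    }
    if (type == IO_READ) {
        memcpy(buf, dev + off, n);
    } else {
        memcpy(dev + off, buf, n);
    }
    return (ssize_t)n;
}

/* Old rule: any short completion is final (zero-pad reads, ENOSPC for writes). */
static int complete_once(io_type type, void *buf, size_t nbytes, off_t off)
{
    ssize_t ret = backend_io(type, buf, nbytes, off);
    if (ret < 0) {
        return (int)ret;
    }
    if ((size_t)ret == nbytes) {
        return 0;
    }
    if (type == IO_READ) {
        memset((unsigned char *)buf + ret, 0, nbytes - (size_t)ret);
        return 0;
    }
    return -ENOSPC;
}

/* New rule: a short but non-zero completion resubmits the tail; only 0 ends it. */
static int complete_with_resubmit(io_type type, void *buf, size_t nbytes, off_t off)
{
    size_t total_done = 0;

    while (total_done < nbytes) {
        unsigned char *tail = (unsigned char *)buf + total_done;
        size_t remaining = nbytes - total_done;
        ssize_t ret = backend_io(type, tail, remaining, off + (off_t)total_done);

        if (ret < 0) {
            return (int)ret;
        }
        if ((size_t)ret > remaining) {
            return -EIO;            /* refuse rather than let remaining wrap */
        }
        if (ret == 0) {
            if (type == IO_READ) {  /* EOF: pad what was never read */
                memset(tail, 0, remaining);
                return 0;
            }
            return -ENOSPC;
        }
        total_done += (size_t)ret;
    }
    return 0;
}

/* Returns 1 if all n bytes at p equal v. */
static int all_bytes(const unsigned char *p, size_t n, unsigned char v)
{
    for (size_t i = 0; i < n; i++) {
        if (p[i] != v) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    unsigned char buf[DEV_SIZE];

    memset(dev, 23, sizeof(dev));
    complete_once(IO_READ, buf, sizeof(buf), 0);
    printf("old read:  tail zero-padded = %d\n", all_bytes(buf + 4096, 4096, 0));
    complete_with_resubmit(IO_READ, buf, sizeof(buf), 0);
    printf("new read:  pattern intact   = %d\n", all_bytes(buf, sizeof(buf), 23));
    memset(buf, 42, sizeof(buf));
    printf("old write: ret = %d\n", complete_once(IO_WRITE, buf, sizeof(buf), 0));
    printf("new write: ret = %d\n", complete_with_resubmit(IO_WRITE, buf, sizeof(buf), 0));
    return 0;
}
```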
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, GuoHan Zhao, Kevin Wolf, Michael Tokarev
Subject: [Stable-10.2.3 029/117] block/curl: free s->password in cleanup paths
Date: Tue, 12 May 2026 23:53:31 +0300
Message-ID: <20260512205503.361097-29-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: GuoHan Zhao

When password-secret is used, curl_open() resolves it with qcrypto_secret_lookup_as_utf8() and stores the returned buffer in s->password. Unlike s->proxypassword, s->password is not freed either in the open failure path or in curl_close(), so the resolved secret leaks once it has been allocated.

Free s->password in both cleanup paths.

Fixes: 1bff96064290 ('curl: add support for HTTP authentication parameters')
Signed-off-by: GuoHan Zhao
Message-ID: <20260320063016.262954-1-zhaoguohan_salmon@163.com>
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf (cherry picked from commit 51fc8443c122fedf4d4891bbc3a1ff25dd8bacdf) Signed-off-by: Michael Tokarev diff --git a/block/curl.c b/block/curl.c index 6dccf00256..a249811ed1 100644 --- a/block/curl.c +++ b/block/curl.c @@ -865,6 +865,7 @@ out_noclean: g_free(s->cookie); g_free(s->url); g_free(s->username); + g_free(s->password); g_free(s->proxyusername); g_free(s->proxypassword); if (s->sockets) { 
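Review bot: In the out_noclean path, g_free(s->password) releases the buffer that the commit message says holds a secret resolved by qcrypto_secret_lookup_as_utf8(), but the bytes themselves stay in freed heap memory. Since the line is being added anyway, consider clearing the buffer before it is freed, and doing the same for s->proxypassword two lines below, so the credential does not outlive the failed open.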
@@ -976,6 +977,7 @@ static void curl_close(BlockDriverState *bs) g_free(s->cookie); g_free(s->url); g_free(s->username); + g_free(s->password); g_free(s->proxyusername); g_free(s->proxypassword); } --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620472; cv=none; d=zohomail.com; s=zohoarc; b=H/PRaNUbGdJBbTbBah74ZUcbxX41NhWbVl7BlD27oO+B2uE35unAcMgH3g208TIKhMGAKnXrGqTz9mlyorPB6dCWwARnjYmK+i7e0m1PU0HknPfH4UKyKBAVF6m1INDIqw+6dT/Nx4JG2Zf/S5tLTlE4O4NvPUrShJdrEoj57Mw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620472; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=soGmmDoifmybLNaOEDFP6JR1f79IRhiP2Skg9LKs3Js=; b=ORpjH3muL15HqFyf/5wig3PaiU7lleio3In2ceJw18DPlpd2GseVwOVDxxKp6Qg/anrTO2qIrntC9gI9NXZdi4s2WzOhEpXeqaBw82Ko3jmdp1LBGD3xIbc9dtoSFwNf7+iWmd/cAlkODiMFSDzkCxq63WfzIBL+dud39iUA11k= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620472991344.40012440495025; Tue, 12 May 2026 14:14:32 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuM8-0006ys-Cr; Tue, 12 May 2026 17:09:32 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) 
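Review bot: curl_close() now repeats the same six g_free() calls as the out_noclean label in the previous hunk, and the leak fixed here came from one field being absent from both copies. A single helper that frees the string fields of s, called from both places, would keep the two lists from drifting apart again.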
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Paolo Bonzini, Stefan Weil, Michael Tokarev
Subject: [Stable-10.2.3 030/117] tdx: fix use-after-free in tdx_fetch_cpuid
Date: Tue, 12 May 2026 23:53:32 +0300
Message-ID: <20260512205503.361097-30-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Paolo Bonzini

This is mostly harmless right now because the "if" is never hit, but the code as written makes no sense.

Reported-by: Stefan Weil
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini
(cherry picked from commit f093ee7ac3af06e4ed7c86663717cf571b42241e)
Signed-off-by: Michael Tokarev

diff --git a/target/i386/kvm/tdx.c b/target/i386/kvm/tdx.c index dbf0fa2c91..7dcf5b4e4e 100644 --- a/target/i386/kvm/tdx.c +++ b/target/i386/kvm/tdx.c 
@@ -799,7 +799,7 @@ static struct kvm_cpuid2 *tdx_fetch_cpuid(CPUState *cpu= , int *ret) r =3D tdx_vcpu_ioctl(cpu, KVM_TDX_GET_CPUID, 0, fetch_cpuid, &loca= l_err); if (r =3D=3D -E2BIG) { g_free(fetch_cpuid); - size =3D fetch_cpuid->nent; + size *=3D 2; } } while (r =3D=3D -E2BIG); =20 --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620511; cv=none; d=zohomail.com; s=zohoarc; b=lthXU5KxiAWpW+u1pMRTHjmYL6GDqHmtGxgTI086PCJKcEAfGt7BbcBdSIXX+GJM9QHJshLCZQU66Sz1Eo3tMTvxbbCiNBOuomBD0yyRj/vbrGsg7afPgD3zjRBBuyktL0zdD2dZdpqc6yoq1/uM2uOTfywAjGQYCW3Z2o9c2Jo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620511; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=vP9a4iEsqtEVf3MIq2LwhvV+72BTVxk/bG700NaTanU=; b=O1fg5uTXzHLF0sGFm9vOwnM1StaaNSrzX2KrOrbF0Q7Dd7VpZQ2H8LneJP1EQOEv9zkvbXg3+UfqGcLi/p7h6FvZaTGipX5qUNGOHfFHafQG8+wKgjkfPyBYty41ssLfgBw26heIf7CQN6TXaSHp7WC78e957tcJzbrOOY+obVQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 177862051148493.222787070555; Tue, 12 May 2026 14:15:11 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuM8-0006yJ-Ch; Tue, 12 May 2026 17:09:32 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by 
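Review bot: size *= 2 removes the read of freed memory, but it also drops what the old line was trying to do, which was to take the next buffer size from fetch_cpuid->nent. If the ioctl reports the required entry count there on -E2BIG, reading it before the free (size = fetch_cpuid->nent; then g_free(fetch_cpuid);) keeps that behaviour; if it does not, the commit message should say so. As written the doubling also has no upper bound, so the allocation keeps growing for as long as the ioctl returns -E2BIG.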
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Jenny Guanni Qu, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.2.3 031/117] hw/audio/sb16: validate VMState fields in post_load
Date: Tue, 12 May 2026 23:53:33 +0300
Message-ID: <20260512205503.361097-31-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Jenny Guanni Qu

The SB16 VMState loads in_index and out_data_len as raw INT32 values with no bounds validation. A crafted migration stream or VM snapshot can set these to values exceeding their respective buffer sizes (in2_data[10] and out_data[50]), causing heap OOB write in dsp_write() and heap OOB read in dsp_read().

Add bounds checks in sb16_post_load() to reject invalid values before they can be used as array indices.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3326
Reported-by: Jenny Guanni Qu
Signed-off-by: Jenny Guanni Qu Link: https://lore.kernel.org/r/20260318192918.65481-1-qguanni@gmail.com Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit cb1e8c18df625dc9aed7f5fd5c8b961e8e4d1023) Signed-off-by: Michael Tokarev diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c index 1e3c4caf5e..d248407876 100644 --- a/hw/audio/sb16.c +++ b/hw/audio/sb16.c 
@@ -1286,6 +1286,13 @@ static int sb16_post_load (void *opaque, int version= _id) { SB16State *s =3D opaque; =20 + + if (s->in_index < 0 || s->in_index > (int)sizeof(s->in2_data)) { + return -1; + } + if (s->out_data_len < 0 || s->out_data_len > (int)sizeof(s->out_data))= { + return -1; + } if (s->voice) { AUD_close_out(s->audio_be, s->voice); s->voice =3D NULL; --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620461; cv=none; d=zohomail.com; s=zohoarc; b=PtKIoziuxJdLy8RF4MQV4pPExnlnq9UCrviuJRM0bBgunYHGfvKY1Y9SP9T12992tpSKfuC3TtJUcUIhFtEuGMNhUd4UPoRttq+O/6WihQQwT4xS+h0AL44Qrqn0Sm3iJVMnSiya6hstO+DFFGVntludtRRzT18vBl2H2Edk/v8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620461; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=gs+RSkaDn5rb1nHEmAr8jZtby6XKddUcHiYyT4dVh/k=; b=aCgE/BKH97qPxfIjfHhFTvHLYtrLUMt9lXTvTom7zRslcprF6kpOw1yycIl+J4dxRdWzJ3tLbWqjwbExDLPcy4xcVOWIcb6YQVnqpSLJ2vaiFv0ZU7Xiv+28axaICYhVtXr7esN8I6AdyIup1qFErkXOB3hxGOBR0JZ/bJdE8Wc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620461076701.9222107523974; Tue, 12 May 2026 14:14:21 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuMA-0007Ef-0F; Tue, 12 
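Review bot: Both upper bounds in sb16_post_load() compare with > against sizeof, so in_index == sizeof(s->in2_data) and out_data_len == sizeof(s->out_data) are still accepted from the migration stream. That is only safe if dsp_write() and dsp_read() treat a value equal to the buffer size as "full" and never index with it; please confirm and add a one-line comment saying so, or tighten the checks to >=. Minor: the hunk adds a second blank line after the declaration, and return -1 could be -EINVAL for a clearer load failure.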
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Richard Henderson, Pierrick Bouvier, Michael Tokarev
Subject: [Stable-10.2.3 032/117] tcg: Pass host-endian values to plugin_gen_mem_callbacks_*
Date: Tue, 12 May 2026 23:53:34 +0300
Message-ID: <20260512205503.361097-32-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Richard Henderson

If the host does not support swapped-endian loads and stores, then we emulate those within the tcg expanders with explicit bswap operations.

However, we were passing values to the plugin interface in the middle of those bswap operations, which meant that we would pass values of the wrong endianness to plugins when running on hosts without swapped-endian loads and stores.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3351
Signed-off-by: Richard Henderson Reviewed-by: Pierrick Bouvier Tested-by: Pierrick Bouvier Link: https://lore.kernel.org/qemu-devel/20260325024252.3369186-2-pierrick.= bouvier@linaro.org Signed-off-by: Pierrick Bouvier (cherry picked from commit 539421a428fd4b8231d9be042143f2d09c719e2a) Signed-off-by: Michael Tokarev diff --git a/tcg/tcg-op-ldst.c b/tcg/tcg-op-ldst.c index 7716c3ad7c..c77e394f6c 100644 --- a/tcg/tcg-op-ldst.c +++ b/tcg/tcg-op-ldst.c @@ -274,9 +274,6 @@ static void tcg_gen_qemu_ld_i32_int(TCGv_i32 val, TCGTe= mp *addr, addr_new =3D tci_extend_addr(addr); copy_addr =3D plugin_maybe_preserve_addr(addr); gen_ldst1(INDEX_op_qemu_ld, TCG_TYPE_I32, tcgv_i32_temp(val), addr_new= , oi); - plugin_gen_mem_callbacks_i32(val, copy_addr, addr, orig_oi, - QEMU_PLUGIN_MEM_R); - maybe_free_addr(addr, addr_new); =20 if ((orig_memop ^ memop) & MO_BSWAP) { switch (orig_memop & MO_SIZE) { @@ -292,6 +289,10 @@ static void tcg_gen_qemu_ld_i32_int(TCGv_i32 val, TCGT= emp *addr, g_assert_not_reached(); } } + + plugin_gen_mem_callbacks_i32(val, copy_addr, addr, orig_oi, + QEMU_PLUGIN_MEM_R); + maybe_free_addr(addr, addr_new); } =20 void tcg_gen_qemu_ld_i32_chk(TCGv_i32 val, TCGTemp *addr, TCGArg idx, @@ -302,10 +303,10 @@ void tcg_gen_qemu_ld_i32_chk(TCGv_i32 val, TCGTemp *a= ddr, TCGArg idx, tcg_gen_qemu_ld_i32_int(val, addr, idx, memop); } =20 -static void tcg_gen_qemu_st_i32_int(TCGv_i32 val, TCGTemp *addr, +static void tcg_gen_qemu_st_i32_int(TCGv_i32 orig_val, TCGTemp *addr, TCGArg idx, MemOp memop) { - TCGv_i32 swap =3D NULL; + TCGv_i32 val =3D orig_val; MemOpIdx orig_oi, oi; TCGTemp *addr_new; =20 
@@ -314,29 +315,29 @@ static void tcg_gen_qemu_st_i32_int(TCGv_i32 val, TCG= Temp *addr, orig_oi =3D oi =3D make_memop_idx(memop, idx); =20 if ((memop & MO_BSWAP) && !tcg_target_has_memory_bswap(memop)) { - swap =3D tcg_temp_ebb_new_i32(); + val =3D tcg_temp_ebb_new_i32(); switch (memop & MO_SIZE) { case MO_16: - tcg_gen_bswap16_i32(swap, val, 0); + tcg_gen_bswap16_i32(val, orig_val, 0); break; case MO_32: - tcg_gen_bswap32_i32(swap, val); + tcg_gen_bswap32_i32(val, orig_val); break; default: g_assert_not_reached(); } - val =3D swap; memop &=3D ~MO_BSWAP; oi =3D make_memop_idx(memop, idx); } =20 addr_new =3D tci_extend_addr(addr); gen_ldst1(INDEX_op_qemu_st, TCG_TYPE_I32, tcgv_i32_temp(val), addr_new= , oi); - plugin_gen_mem_callbacks_i32(val, NULL, addr, orig_oi, QEMU_PLUGIN_MEM= _W); + plugin_gen_mem_callbacks_i32(orig_val, NULL, addr, orig_oi, + QEMU_PLUGIN_MEM_W); maybe_free_addr(addr, addr_new); =20 - if (swap) { - tcg_temp_free_i32(swap); + if (val !=3D orig_val) { + tcg_temp_free_i32(val); } } =20 @@ -382,9 +383,6 @@ static void tcg_gen_qemu_ld_i64_int(TCGv_i64 val, TCGTe= mp *addr, addr_new =3D tci_extend_addr(addr); copy_addr =3D plugin_maybe_preserve_addr(addr); gen_ld_i64(val, addr_new, oi); - plugin_gen_mem_callbacks_i64(val, copy_addr, addr, orig_oi, - QEMU_PLUGIN_MEM_R); - maybe_free_addr(addr, addr_new); =20 if ((orig_memop ^ memop) & MO_BSWAP) { int flags =3D (orig_memop & MO_SIGN @@ -404,6 +402,10 @@ static void tcg_gen_qemu_ld_i64_int(TCGv_i64 val, TCGT= emp *addr, g_assert_not_reached(); } } + + plugin_gen_mem_callbacks_i64(val, copy_addr, addr, orig_oi, + QEMU_PLUGIN_MEM_R); + maybe_free_addr(addr, addr_new); } =20 void tcg_gen_qemu_ld_i64_chk(TCGv_i64 val, TCGTemp *addr, TCGArg idx, 
@@ -414,10 +416,10 @@ void tcg_gen_qemu_ld_i64_chk(TCGv_i64 val, TCGTemp *a= ddr, TCGArg idx, tcg_gen_qemu_ld_i64_int(val, addr, idx, memop); } =20 -static void tcg_gen_qemu_st_i64_int(TCGv_i64 val, TCGTemp *addr, +static void tcg_gen_qemu_st_i64_int(TCGv_i64 orig_val, TCGTemp *addr, TCGArg idx, MemOp memop) { - TCGv_i64 swap =3D NULL; + TCGv_i64 val =3D orig_val; MemOpIdx orig_oi, oi; TCGTemp *addr_new; =20 
@@ -431,32 +433,32 @@ static void tcg_gen_qemu_st_i64_int(TCGv_i64 val, TCG= Temp *addr, orig_oi =3D oi =3D make_memop_idx(memop, idx); =20 if ((memop & MO_BSWAP) && !tcg_target_has_memory_bswap(memop)) { - swap =3D tcg_temp_ebb_new_i64(); + val =3D tcg_temp_ebb_new_i64(); switch (memop & MO_SIZE) { case MO_16: - tcg_gen_bswap16_i64(swap, val, 0); + tcg_gen_bswap16_i64(val, orig_val, 0); break; case MO_32: - tcg_gen_bswap32_i64(swap, val, 0); + tcg_gen_bswap32_i64(val, orig_val, 0); break; case MO_64: - tcg_gen_bswap64_i64(swap, val); + tcg_gen_bswap64_i64(val, orig_val); break; default: g_assert_not_reached(); } - val =3D swap; memop &=3D ~MO_BSWAP; oi =3D make_memop_idx(memop, idx); } =20 addr_new =3D tci_extend_addr(addr); gen_st_i64(val, addr_new, oi); - plugin_gen_mem_callbacks_i64(val, NULL, addr, orig_oi, QEMU_PLUGIN_MEM= _W); + plugin_gen_mem_callbacks_i64(orig_val, NULL, addr, orig_oi, + QEMU_PLUGIN_MEM_W); maybe_free_addr(addr, addr_new); =20 - if (swap) { - tcg_temp_free_i64(swap); + if (val !=3D orig_val) { + tcg_temp_free_i64(val); } } =20 --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620408; cv=none; d=zohomail.com; s=zohoarc; b=MUhtp4nQ8oQZZc6QVeFrRR58PtDmKyoqnA8ufMM0bTVh+9uGHFXQ3v+21ViEuQYeCjqKPT5OfuQUo32PktJw7ViGDKyNyNt3bGmgnU8GE7RZeC0tLwCA4KDL5p60TK2WxYkhze6gtnd53kpxXEHEhujjczY/WUC7KDUNrmM3uHw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620408; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=Ttvg1GBZo1aXcCwFQ9d285NRAaVN+YccoZrcUOHLg1w=; 
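Review bot: Nothing in the code records why the plugin callback has to sit where this patch puts it. In the load paths plugin_gen_mem_callbacks_* and maybe_free_addr() move below the (orig_memop ^ memop) & MO_BSWAP fixup, and in the store paths the callback now receives orig_val rather than the swapped temporary. A short comment at each call, stating that plugins must see the value after the load-side bswap and before the store-side one, would stop a later cleanup from moving the call back next to gen_ldst1() or gen_st_i64().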
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Pankaj Raghav, Klaus Jensen, Michael Tokarev
Subject: [Stable-10.2.3 033/117] hw/nvme: re-enable wzds bit in namespace dlfeat
Date: Tue, 12 May 2026 23:53:35 +0300
Message-ID: <20260512205503.361097-33-mjt@tls.msk.ru>
From: Pankaj Raghav

dlfeat was changed from 0x9 to 0x1 when PI support was added. It was removed because we can't rely on unmap and have to physically clear it to get the checksums right but that doesn't mean that we do not support the bit.

The spec says that if wzds is enabled, then the controller supports deallocate (DEAC) on write zeroes. But DEAC bit in write zeroes command is only a hint, the controller might choose to physically write zeroes in those areas.

As we are sending write zeroes command with BDRV_REQ_MAY_UNMAP to the underlying block device anyway (if the unmap operation is supported), change the dlfeat value back to 0x9.

A new flag FALLOC_FL_WRITE_ZEROES has been introduced in linux for fallocate which will use the wzds bit in dlfeat to quickly zeroout extents using unmap operation whenever possible[1].

[1] https://lore.kernel.org/linux-fsdevel/20250619111806.3546162-1-yi.zhang@huaweicloud.com/

Fixes: 146f720c55 ("hw/block/nvme: end-to-end data protection")
Suggested-by: Klaus Jensen
Signed-off-by: Pankaj Raghav
Signed-off-by: Klaus Jensen
(cherry picked from commit 55720ba97d2164796215c983255f009993e24432)
Signed-off-by: Michael Tokarev

diff --git a/hw/nvme/ns.c b/hw/nvme/ns.c index 38f86a1726..b0106eaa5c 100644 --- a/hw/nvme/ns.c +++ b/hw/nvme/ns.c
@@ -75,7 +75,7 @@ static int nvme_ns_init(NvmeNamespace *ns, Error **errp) ns->csi =3D NVME_CSI_NVM; ns->status =3D 0x0; =20 - ns->id_ns.dlfeat =3D 0x1; + ns->id_ns.dlfeat =3D 0x9; =20 /* support DULBE and I/O optimization fields */ id_ns->nsfeat |=3D (NVME_ID_NS_NSFEAT_DAE | NVME_ID_NS_NSFEAT_OPTPERF_= ALL); --=20 2.47.3
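Review bot: The value in `ns->id_ns.dlfeat = 0x9` is a bare magic number, and only the commit message tells the reader that the bit being added back to 0x1 is wzds. A comment in the style of the "support DULBE and I/O optimization fields" line just below, or named constants for the individual dlfeat bits, would make the intent visible in the code. That comment should also record the argument from the commit message that DEAC is only a hint, since the bit is now advertised unconditionally, including for namespaces where zeroes are physically written to keep checksums right. Separately, this line writes through ns->id_ns while the nsfeat line two statements later uses id_ns->; one accessor for both would read better.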
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Kaixuan Li, Klaus Jensen, Michael Tokarev
Subject: [Stable-10.2.3 034/117] hw/nvme: fix heap-buffer-overflow in nvme_abort
Date: Tue, 12 May 2026 23:53:36 +0300
Message-ID: <20260512205503.361097-34-mjt@tls.msk.ru>
From: Kaixuan Li

In nvme_abort(), the submission queue pointer is dereferenced from the guest-controlled sqid before validating it with nvme_check_sqid():

    NvmeSQueue *sq = n->sq[sqid];

Since sqid is a 16-bit value (range 0-65535) taken directly from CDW10, and n->sq[] is typically only max_ioqpairs+1 (65) entries, a malicious guest can trigger an out-of-bounds heap read by sending an Abort command with a large sqid. ASan reports this as heap-buffer-overflow in nvme_abort.

Fix this by moving the array dereference to after the nvme_check_sqid() bounds validation.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3348
Fixes: 75209c071a ("hw/nvme: actually implement abort")
Cc: qemu-stable@nongnu.org
Signed-off-by: Kaixuan Li
Signed-off-by: Klaus Jensen
(cherry picked from commit eb5cc99aff17cbfdad16b18d3503c6f22233eeb5)
Signed-off-by: Michael Tokarev

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index cc4593cd42..be6c7028cb 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -6111,7 +6111,7 @@ static uint16_t nvme_abort(NvmeCtrl *n, NvmeRequest *= req) { uint16_t sqid =3D le32_to_cpu(req->cmd.cdw10) & 0xffff; uint16_t cid =3D (le32_to_cpu(req->cmd.cdw10) >> 16) & 0xffff; - NvmeSQueue *sq =3D n->sq[sqid]; + NvmeSQueue *sq; NvmeRequest *r, *next; int i; =20 
@@ -6120,6 +6120,8 @@ static uint16_t nvme_abort(NvmeCtrl *n, NvmeRequest *= req) return NVME_INVALID_FIELD | NVME_DNR; } =20 + sq =3D n->sq[sqid]; + if (sqid =3D=3D 0) { for (i =3D 0; i < n->outstanding_aers; i++) { NvmeRequest *re =3D n->aer_reqs[i]; --=20 2.47.3
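Review bot: The new `sq = n->sq[sqid];` in the second hunk is only as safe as the check above it, and the visible lines do not show whether nvme_check_sqid() also rejects an in-range sqid whose slot is NULL. If it does not, the code that follows needs its own NULL test for queues that were never created or have been deleted. A comment at the assignment stating that sqid comes from guest-controlled CDW10 and must not index n->sq[] before validation would keep the declaration and the dereference from being merged again in a later cleanup. A regression test that issues Abort with an sqid beyond the configured queue count and expects NVME_INVALID_FIELD would be worth carrying with the fix.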
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Kostiantyn Kostiuk, Michael Tokarev
Subject: [Stable-10.2.3 035/117] scripts/qemu-guest-agent/fsfreeze-hook: Avoid bash-isms
Date: Tue, 12 May 2026 23:53:37 +0300
Message-ID: <20260512205503.361097-35-mjt@tls.msk.ru>
From: Peter Maydell

The fsfreeze-hook script starts with #!/bin/sh, but it uses several bash-specific constructs, resulting in misbehaviour on guest systems where /bin/sh is some other POSIX shell.

Fix the simple ones reported by shellcheck:

In scripts/qemu-guest-agent/fsfreeze-hook line 27:
touch "$LOGFILE" &>/dev/null || USE_SYSLOG=1
                 ^---------^ SC3020 (warning): In POSIX sh, &> is undefined.

In scripts/qemu-guest-agent/fsfreeze-hook line 31:
    local message="$1"
    ^-----------^ SC3043 (warning): In POSIX sh, 'local' is undefined.

In scripts/qemu-guest-agent/fsfreeze-hook line 46:
    log_message "Executing $file $@"
                                 ^-- SC2145 (error): Argument mixes string and array. Use * or separate argument.

In scripts/qemu-guest-agent/fsfreeze-hook line 55:
    if [ $STATUS -ne 0 ]; then
         ^-----^ SC2086 (info): Double quote to prevent globbing and word splitting.

There is also a use of PIPESTATUS that is more complex to fix; that will be dealt with in a separate commit.

Cc: qemu-stable@nongnu.org
Fixes: 85978dfb6b1c133 ("qemu-ga: Optimize freeze-hook script logic of logging error")
Signed-off-by: Peter Maydell
Reviewed-by: Kostiantyn Kostiuk
Link: https://lore.kernel.org/qemu-devel/20260317094806.1944053-2-peter.maydell@linaro.org
Signed-off-by: Kostiantyn Kostiuk
(cherry picked from commit b5abb655fab6145ff3728d4bdaea3648468590fc)
Signed-off-by: Michael Tokarev

diff --git a/scripts/qemu-guest-agent/fsfreeze-hook b/scripts/qemu-guest-ag= ent/fsfreeze-hook index 5b915af017..6e2d7588af 100755 --- a/scripts/qemu-guest-agent/fsfreeze-hook +++ b/scripts/qemu-guest-agent/fsfreeze-hook 
@@ -24,15 +24,14 @@ USE_SYSLOG=3D0 # if log file is not writable, fallback to syslog [ ! -w "$LOGFILE" ] && USE_SYSLOG=3D1 # try to update log file and fallback to syslog if it fails -touch "$LOGFILE" &>/dev/null || USE_SYSLOG=3D1 +touch "$LOGFILE" >/dev/null 2>&1 || USE_SYSLOG=3D1 =20 # Ensure the log file is writable, fallback to syslog if not log_message() { - local message=3D"$1" if [ "$USE_SYSLOG" -eq 0 ]; then - printf "%s: %s\n" "$(date)" "$message" >>"$LOGFILE" + printf "%s: %s\n" "$(date)" "$1" >>"$LOGFILE" else - logger -t qemu-ga-freeze-hook "$message" + logger -t qemu-ga-freeze-hook "$1" fi } =20 @@ -43,7 +42,7 @@ for file in "$FSFREEZE_D"/* ; do is_ignored_file "$file" && continue [ -x "$file" ] || continue =20 - log_message "Executing $file $@" + log_message "Executing $file $*" if [ "$USE_SYSLOG" -eq 0 ]; then "$file" "$@" >>"$LOGFILE" 2>&1 STATUS=3D$? 
@@ -52,7 +51,7 @@ for file in "$FSFREEZE_D"/* ; do STATUS=3D${PIPESTATUS[0]} fi =20 - if [ $STATUS -ne 0 ]; then + if [ "$STATUS" -ne 0 ]; then log_message "Error: $file finished with status=3D$STATUS" else log_message "$file finished successfully" --=20 2.47.3
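Review bot: The context line `STATUS=${PIPESTATUS[0]}` at the top of the last hunk is still a bash-only expansion, so with this patch alone the syslog path of the script is still not POSIX sh. The commit message defers that to a separate commit, which is fine for review, but for a stable series the message should say that the two have to be picked together, so that nobody bisecting or cherry-picking ends up with a half-converted script. In the first hunk, dropping `local message` in favour of "$1" is correct; a one-line comment on log_message() that it takes exactly one argument would replace what the variable name used to document.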
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Kostiantyn Kostiuk, Michael Tokarev
Subject: [Stable-10.2.3 036/117] scripts/qemu-guest-agent/fsfreeze-hook: Avoid use of PIPESTATUS
Date: Tue, 12 May 2026 23:53:38 +0300
Message-ID: <20260512205503.361097-36-mjt@tls.msk.ru>
From: Peter Maydell

PIPESTATUS is a bash-specific construct, and this script is supposed to be POSIX shell. We only use it in one place, to capture the exit status of a command whose output we are piping to 'logger'.

Replace the PIPESTATUS usage with the trick described in
https://unix.stackexchange.com/questions/14270/get-exit-status-of-process-thats-piped-to-another/70675#70675
which uses a command-group to capture the status of the first process in the pipeline.

Cc: qemu-stable@nongnu.org
Fixes: 85978dfb6b1c133 ("qemu-ga: Optimize freeze-hook script logic of logging error")
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3339
Signed-off-by: Peter Maydell
Reviewed-by: Kostiantyn Kostiuk
Link: https://lore.kernel.org/qemu-devel/20260317094806.1944053-3-peter.maydell@linaro.org
Signed-off-by: Kostiantyn Kostiuk
(cherry picked from commit 65b9f4791c24b09814ae51135e8dad283faed348)
Signed-off-by: Michael Tokarev

diff --git a/scripts/qemu-guest-agent/fsfreeze-hook b/scripts/qemu-guest-ag= ent/fsfreeze-hook index 6e2d7588af..21eb5c5145 100755 --- a/scripts/qemu-guest-agent/fsfreeze-hook +++ b/scripts/qemu-guest-agent/fsfreeze-hook 
@@ -47,8 +47,23 @@ for file in "$FSFREEZE_D"/* ; do "$file" "$@" >>"$LOGFILE" 2>&1 STATUS=3D$? else - "$file" "$@" 2>&1 | logger -t qemu-ga-freeze-hook - STATUS=3D${PIPESTATUS[0]} + # We want to pipe the output of $file through 'logger' and also + # capture its exit status. Since we are a POSIX script we can't + # use PIPESTATUS, so instead this is a trick borrowed from + # https://unix.stackexchange.com/questions/14270/get-exit-status-o= f-process-thats-piped-to-another/70675#70675 + # which uses command-groups and redirection to get the exit status. + # This is equivalent to + # "$file" "$@" 2>&1 | logger -t qemu-ga-freeze-hook + # plus setting the exit status of the pipe to the exit + # status of the first command rather than the last one. + { { { { + "$file" "$@" 2>&1 3>&- 4>&- + echo $? >&3 + } | logger -t qemu-ga-freeze-hook >&4 + } 3>&1 + } | { read -r xs ; exit "$xs"; } + } 4>&1 + STATUS=3D$? fi =20 if [ "$STATUS" -ne 0 ]; then --=20 2.47.3
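Review bot: The reader group `{ read -r xs ; exit "$xs"; }` assumes a status line always arrives on fd 3. If the inner group is killed before `echo $? >&3` runs, read hits end of file, xs is empty and exit is called with an empty argument, so the status that reaches STATUS depends on how the shell handles that. Defaulting it, for example `exit "${xs:-1}"`, makes the case an explicit failure. The hunk closes fds 3 and 4 for "$file" but not fd 3 for logger, which never uses it; adding `3>&-` next to `>&4` would keep the descriptor handling symmetrical. The comment block explains what the construct is equivalent to, but not what fds 3 and 4 each carry; one line per descriptor would save the next reader a trip to the linked answer.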
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Kostiantyn Kostiuk, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.3 037/117] scripts/qemu-guest-agent/fsfreeze-hook: Fix syslog-fallback logic
Date: Tue, 12 May 2026 23:53:39 +0300
Message-ID: <20260512205503.361097-37-mjt@tls.msk.ru>
From: Peter Maydell

In the fsfreeze script we attempt to implement "log to a file if we can, and fall back to syslog if we cannot". We do this with:

    [ ! -w "$LOGFILE" ] && USE_SYSLOG=1
    touch "$LOGFILE" >/dev/null 2>&1 || USE_SYSLOG=1

This has a weird behaviour if it is run in a setup where we have permissions that would allow us to write to $LOGFILE but it does not currently exist. On the first execution, the '-w' fails and so we set USE_SYSLOG=1. But since we also do the "touch $LOGFILE" step we create an empty logfile. Then on the second time the script is executed, we see a writeable logfile and will use it. The effect is "log to syslog once, then to the logfile thereafter", which is not likely to be what anybody wants.

Update the condition of the first check to only pick syslog if the logfile exists but is not writable. This means that:

 * if the logfile doesn't exist but we are able to create it, we will create it and use it
 * if the logfile already exists and we can write to it, we will use it
 * if the logfile already exists but we can't write to it, we will fall back to syslog
 * if the logfile doesn't exist and we can't create it, we will fall back to syslog

Cc: qemu-stable@nongnu.org
Fixes: 85978dfb6b1c133 ("qemu-ga: Optimize freeze-hook script logic of logging error")
Signed-off-by: Peter Maydell
Reviewed-by: Kostiantyn Kostiuk
Reviewed-by: Philippe Mathieu-Daudé
Link: https://lore.kernel.org/qemu-devel/20260317094806.1944053-4-peter.maydell@linaro.org
Signed-off-by: Kostiantyn Kostiuk
(cherry picked from commit 08497afcb2a737794991f17a37f0a0971fca411e)
Signed-off-by: Michael Tokarev

diff --git a/scripts/qemu-guest-agent/fsfreeze-hook b/scripts/qemu-guest-ag= ent/fsfreeze-hook index 21eb5c5145..76669f5caf 100755 --- a/scripts/qemu-guest-agent/fsfreeze-hook +++ b/scripts/qemu-guest-agent/fsfreeze-hook 
@@ -21,8 +21,8 @@ is_ignored_file() { } =20 USE_SYSLOG=3D0 -# if log file is not writable, fallback to syslog -[ ! -w "$LOGFILE" ] && USE_SYSLOG=3D1 +# if log file exists but is not writable, fallback to syslog +[ -e "$LOGFILE" ] && [ ! -w "$LOGFILE" ] && USE_SYSLOG=3D1 # try to update log file and fallback to syslog if it fails touch "$LOGFILE" >/dev/null 2>&1 || USE_SYSLOG=3D1 =20 --=20 2.47.3
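Review bot: The unchanged comment on the touch line ("try to update log file and fallback to syslog if it fails") no longer describes everything that line does: with the new `[ -e "$LOGFILE" ]` guard, touch is now also the step that creates a missing log file, which the commit message lists as an intended case. The comment should say so, and the four cases from the commit message would be better placed as a comment block above these two lines than left in the log only. Since the file is created with whatever umask the hook runs under, consider setting the mode explicitly at creation if hook output should not be readable by other users in the guest.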
1wMuMk-00014D-F1; Tue, 12 May 2026 17:10:10 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuMH-00080U-M7; Tue, 12 May 2026 17:09:42 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuMG-0003SK-0E; Tue, 12 May 2026 17:09:41 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 3F61B1AA363; Tue, 12 May 2026 23:55:02 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 4354E3ABCD3; Tue, 12 May 2026 23:55:06 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619302; bh=4dB7J9um+urWj0qd77ycHYeU9OrcYP3RFNylth6087Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=c46CCjE0CPw+skXtlzo8or0yw1uCO9Lw1tK3mo8WK8kNBc0g0RzXi1SKQDHPn7gwz s7aaml77/+U/a/75ozCBs2+H2/6pOvLc6YhFO+r3Eq8H2hYO/Y714+g+OBvxGkBd2M Z9/WjfJo+rfy00bym/aLSpQqoAvcWiIDo9SyorDLS4huRjNRl18obbxxeNSuh5PXZf hOSnPM8fgqs4R9VKpRgZCPU5TIyILhkEyKlGgcqAZ24MZ6URc7qf2EQfkZ1AbPV+TC k0dHsv5aQf2ZcUd8uR/RMW9GQFudFA3yTi4ZyXcICEqveZ+pezHLQyAbYlkpJ7oZnw he/8dJKfyI3ig== 
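Review bot: the new first test relies on -e and -w, which are both true for a writable directory, and the touch on the next line also succeeds on a directory, so if $LOGFILE names a directory USE_SYSLOG stays 0 although nothing can be appended to it. Adding a regular-file test (fall back to syslog when the path exists and [ ! -f "$LOGFILE" ]) would cover that case. The four outcomes listed in the commit message would also be worth keeping as a comment above these two lines, since the script comment only describes one of them.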
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.2.3 038/117] lsi53c895a: keep a reference to the device while SCRIPTS execute
Date: Tue, 12 May 2026 23:53:40 +0300
Message-ID: <20260512205503.361097-38-mjt@tls.msk.ru>

From: Paolo Bonzini

SCRIPTS execution can trigger PCI device unplug and consequently a
use-after-free after the unplug returns. Avoid this by keeping the
device alive.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3090
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini
(cherry picked from commit 4862d2c95104d9fd0430cc003c205094f8ada1f9)
Signed-off-by: Michael Tokarev

diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index 9ea4aa0a85..2cc7e945e1 100644 --- a/hw/scsi/lsi53c895a.c +++ b/hw/scsi/lsi53c895a.c 
@@ -1163,6 +1163,7 @@ static void lsi_execute_script(LSIState *s) s->waiting =3D LSI_NOWAIT; } =20 + object_ref(s); reentrancy_level++; =20 s->istat1 |=3D LSI_ISTAT1_SRUN; @@ -1182,6 +1183,7 @@ again: s->waiting =3D LSI_WAIT_SCRIPTS; lsi_scripts_timer_start(s); reentrancy_level--; + object_unref(s); return; } insn =3D read_dword(s, s->dsp); 
@@ -1630,6 +1632,7 @@ again: trace_lsi_execute_script_stop(); =20 reentrancy_level--; + object_unref(s); } =20 static uint8_t lsi_reg_readb(LSIState *s, int offset) --=20 2.47.3
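Review bot: object_ref(s) in the first hunk carries no comment saying what it guards against, and the matching object_unref(s) has to be repeated by hand on both exits of lsi_execute_script (the LSI_WAIT_SCRIPTS return and the end of the function). A one-line comment at the ref (SCRIPTS execution can unplug the device) and a single exit label that does "reentrancy_level--; object_unref(s);" would keep a later early return from leaving the function with the reference still held.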
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.2.3 039/117] lsi53c895a: do not do anything else if a reset is requested by writing ISTAT0
Date: Tue, 12 May 2026 23:53:41 +0300
Message-ID: <20260512205503.361097-39-mjt@tls.msk.ru>

From: Paolo Bonzini

If the device is reset, anything that is done before will not really be
visible. So do the reset and exit immediately if that is one of the
requests in the value written to ISTAT0.

Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini
(cherry picked from commit 64807c84e83f767c135aa9ba4b5f61162bb177ef)
Signed-off-by: Michael Tokarev

diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index 2cc7e945e1..651f562d82 100644 --- a/hw/scsi/lsi53c895a.c +++ b/hw/scsi/lsi53c895a.c 
@@ -1949,6 +1949,10 @@ static void lsi_reg_writeb(LSIState *s, int offset, = uint8_t val) CASE_SET_REG32(dsa, 0x10) case 0x14: /* ISTAT0 */ s->istat0 =3D (s->istat0 & 0x0f) | (val & 0xf0); + if (val & LSI_ISTAT0_SRST) { + device_cold_reset(DEVICE(s)); + return; + } if (val & LSI_ISTAT0_ABRT) { lsi_script_dma_interrupt(s, LSI_DSTAT_ABRT); } 
@@ -1962,9 +1966,6 @@ static void lsi_reg_writeb(LSIState *s, int offset, u= int8_t val) s->dsp =3D s->dnad; lsi_execute_script(s); } - if (val & LSI_ISTAT0_SRST) { - device_cold_reset(DEVICE(s)); - } break; case 0x16: /* MBOX0 */ s->mbox0 =3D val; --=20 2.47.3
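Review bot: in the first hunk the SRST branch leaves lsi_reg_writeb with "return" where the rest of the ISTAT0 case ends in "break", so anything after the switch is now skipped for this write; if that is intended a short comment should say so, otherwise "break" keeps the old exit path. By the commit message's own reasoning the s->istat0 store just above the new check is not visible after the reset either, so testing LSI_ISTAT0_SRST before that assignment would read more directly.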
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.2.3 040/117] lsi53c895a: keep lsi_request and SCSIRequest in local variables
Date: Tue, 12 May 2026 23:53:42 +0300
Message-ID: <20260512205503.361097-40-mjt@tls.msk.ru>

From: Paolo Bonzini

Protect against changes from reentrant device MMIO during DMA, by always
operating on the same request.

Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini
(cherry picked from commit 1ca38f84e19427c462f077390492f971f9eb11eb)
Signed-off-by: Michael Tokarev

diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index 651f562d82..3f8d7a071c 100644 --- a/hw/scsi/lsi53c895a.c +++ b/hw/scsi/lsi53c895a.c 
@@ -626,6 +626,8 @@ static void lsi_do_dma(LSIState *s, int out) uint32_t count; dma_addr_t addr; SCSIDevice *dev; + SCSIRequest *req; + lsi_request *p; =20 if (!s->current || !s->current->dma_len) { /* Wait until data is available. */ @@ -633,12 +635,14 @@ static void lsi_do_dma(LSIState *s, int out) return; } =20 - dev =3D s->current->req->dev; + p =3D s->current; + req =3D s->current->req; + dev =3D req->dev; assert(dev); =20 count =3D s->dbc; - if (count > s->current->dma_len) - count =3D s->current->dma_len; + if (count > p->dma_len) + count =3D p->dma_len; =20 addr =3D s->dnad; /* both 40 and Table Indirect 64-bit DMAs store upper bits in dnad64 */ 
@@ -653,21 +657,22 @@ static void lsi_do_dma(LSIState *s, int out) s->csbc +=3D count; s->dnad +=3D count; s->dbc -=3D count; - if (s->current->dma_buf =3D=3D NULL) { - s->current->dma_buf =3D scsi_req_get_buf(s->current->req); + if (p->dma_buf =3D=3D NULL) { + p->dma_buf =3D scsi_req_get_buf(req); } /* ??? Set SFBR to first data byte. */ if (out) { - lsi_mem_read(s, addr, s->current->dma_buf, count); + lsi_mem_read(s, addr, p->dma_buf, count); } else { - lsi_mem_write(s, addr, s->current->dma_buf, count); + lsi_mem_write(s, addr, p->dma_buf, count); } - s->current->dma_len -=3D count; - if (s->current->dma_len =3D=3D 0) { - s->current->dma_buf =3D NULL; - scsi_req_continue(s->current->req); + + p->dma_len -=3D count; + if (p->dma_len =3D=3D 0) { + p->dma_buf =3D NULL; + scsi_req_continue(req); } else { - s->current->dma_buf +=3D count; + p->dma_buf +=3D count; lsi_resume_script(s); } } --=20 2.47.3
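Review bot: in the second hunk p and req are cached as plain pointers with no reference taken, and the third hunk uses them again after lsi_mem_read()/lsi_mem_write(), which is where the commit message expects reentrant MMIO. The locals keep lsi_do_dma on the same request, but they do not keep that request allocated if it is completed or cancelled during the call, so either take a reference here or add a comment saying where the lifetime is guaranteed. Minor: "req = s->current->req;" can be "req = p->req;" now that p is assigned on the line before.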
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.2.3 041/117] lsi53c895a: keep lsi_request alive as long as the SCSIRequest
Date: Tue, 12 May 2026 23:53:43 +0300
Message-ID: <20260512205503.361097-41-mjt@tls.msk.ru>

From: Paolo Bonzini

To protect against using the lsi_request after SCSIRequest has been
freed, keep the HBA-private data alive until the last reference to the
SCSIRequest is gone.

Because req->hba_private was used (even if just for an assertion) to
check that the request was still either current or queued, add a boolean
field that is set when the SCSIRequest is cancelled or completed, which
is when the lsi_request would have been unqueued.

Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini
(cherry picked from commit 7c7aaaa342b57b0099d7fc4a9803e987b891322b)
Signed-off-by: Michael Tokarev
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index 3f8d7a071c..b2d3980286 100644 --- a/hw/scsi/lsi53c895a.c +++ b/hw/scsi/lsi53c895a.c @@ -197,6 +197,7 @@ typedef struct lsi_request { uint8_t *dma_buf; uint32_t pending; int out; + bool orphan; QTAILQ_ENTRY(lsi_request) next; } lsi_request; =20 @@ -748,14 +749,20 @@ static lsi_request *lsi_find_by_tag(LSIState *s, uint= 32_t tag) return NULL; } =20 -static void lsi_request_free(LSIState *s, lsi_request *p) +static void lsi_request_orphan(LSIState *s, lsi_request *p) { + p->orphan =3D true; if (p =3D=3D s->current) { s->current =3D NULL; } else { QTAILQ_REMOVE(&s->queue, p, next); } - g_free(p); + scsi_req_unref(p->req); +} + +static void lsi_free_request(SCSIBus *bus, void *priv) +{ + g_free(priv); } =20 static void lsi_request_cancelled(SCSIRequest *req) @@ -763,9 +770,7 @@ static void lsi_request_cancelled(SCSIRequest *req) LSIState *s =3D LSI53C895A(req->bus->qbus.parent); lsi_request *p =3D req->hba_private; =20 - req->hba_private =3D NULL; - lsi_request_free(s, p); - scsi_req_unref(req); + lsi_request_orphan(s, p); } =20 /* Record that data is available for a queued command. Returns zero if @@ -817,9 +822,7 @@ static void lsi_command_complete(SCSIRequest *req, size= _t resid) } =20 if (req->hba_private =3D=3D s->current) { - req->hba_private =3D NULL; - lsi_request_free(s, s->current); - scsi_req_unref(req); + lsi_request_orphan(s, s->current); } if (!stop) { lsi_resume_script(s); 
@@ -830,10 +833,11 @@ static void lsi_command_complete(SCSIRequest *req, si= ze_t resid) static void lsi_transfer_data(SCSIRequest *req, uint32_t len) { LSIState *s =3D LSI53C895A(req->bus->qbus.parent); + lsi_request *p =3D req->hba_private; int out; =20 - assert(req->hba_private); - if (s->waiting =3D=3D LSI_WAIT_RESELECT || req->hba_private !=3D s->cu= rrent || + assert(!p->orphan); + if (s->waiting =3D=3D LSI_WAIT_RESELECT || p !=3D s->current || (lsi_irq_on_rsl(s) && !(s->scntl1 & LSI_SCNTL1_CON))) { if (lsi_queue_req(s, req, len)) { return; 
@@ -2325,7 +2329,8 @@ static const struct SCSIBusInfo lsi_scsi_info =3D { =20 .transfer_data =3D lsi_transfer_data, .complete =3D lsi_command_complete, - .cancel =3D lsi_request_cancelled + .cancel =3D lsi_request_cancelled, + .free_request =3D lsi_free_request, }; =20 static void scripts_timer_cb(void *opaque) --=20 2.47.3
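Review bot: in the lsi_transfer_data hunk the old "assert(req->hba_private);" caught a NULL pointer, while the new "assert(!p->orphan);" dereferences p without checking it; "assert(p && !p->orphan);" keeps both checks. In lsi_request_orphan the closing scsi_req_unref(p->req) can drop the last reference and release p through the new free_request callback, so a comment that p must not be touched after the call would help its two callers, lsi_request_cancelled and lsi_command_complete.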
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Paolo Bonzini, Jihe Wang, Michael Tokarev
Subject: [Stable-10.2.3 042/117] lsi53c895a: keep SCSIRequest alive during DMA
Date: Tue, 12 May 2026 23:53:44 +0300
Message-ID: <20260512205503.361097-42-mjt@tls.msk.ru>

From: Paolo Bonzini

Reentrant MMIO can cause the SCSIRequest to be completed, at which point
lsi_request_orphan would drop the last reference. Anything that happens
afterwards would access freed data. Keep a reference to the SCSIRequest
and, through req->hba_private, to the lsi_request* for as long as DMA
runs.

Reported-by: Jihe Wang
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini
(cherry picked from commit d459131ff590c517bc89fa5867d4878b5eacbc30)
Signed-off-by: Michael Tokarev

diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index b2d3980286..0b1f68a40a 100644 
--- a/hw/scsi/lsi53c895a.c +++ b/hw/scsi/lsi53c895a.c @@ -637,7 +637,7 @@ static void lsi_do_dma(LSIState *s, int out) } =20 p =3D s->current; - req =3D s->current->req; + req =3D scsi_req_ref(s->current->req); dev =3D req->dev; assert(dev); =20 
@@ -667,6 +667,11 @@ static void lsi_do_dma(LSIState *s, int out) } else { lsi_mem_write(s, addr, p->dma_buf, count); } + if (p->orphan) { + scsi_req_unref(req); + return; + } + scsi_req_unref(req); =20 p->dma_len -=3D count; if (p->dma_len =3D=3D 0) { --=20 2.47.3
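Review bot: in the second hunk the temporary reference is dropped on the non-orphan path while p and req are still used by the lines that follow ("p->dma_len -= count;" and onwards), which is only safe because the request's own reference is still held whenever p->orphan is false; that invariant deserves a comment at the unref. Reading the flag once ("bool orphan = p->orphan; scsi_req_unref(req); if (orphan) return;") would also remove the duplicated scsi_req_unref(req).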
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Zenghui Yu, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 043/117] target/arm: Don't skip access flag fault for AccessType_AT
Date: Tue, 12 May 2026 23:53:45 +0300
Message-ID: <20260512205503.361097-43-mjt@tls.msk.ru>
From: Zenghui Yu

As per the pseudo code from DDI0487 M.a.a (on J1-16021)

AArch64.S1Walk():

    // Check descriptor AF bit
    elsif (descriptor<10> == '0' && walkparams.ha == '0' &&
           (!accdesc.acctype IN {AccessType_DC, AccessType_IC} ||
            boolean IMPLEMENTATION_DEFINED "Generate access flag fault on IC/DC operations")) then
        fault.statuscode = Fault_AccessFlag;

an access flag fault should be generated for AccessType_AT, if the AF bit is 0 and !param.ha.

Besides, we should continue to not raise the access flag fault for in_debug = true which is what we've been doing previously (before commit efebeec13d07) for LPAE and is what intention of the debugger access codepath is.

Cc: qemu-stable@nongnu.org
Fixes: efebeec13d07 ("target/arm: Skip AF and DB updates for AccessType_AT")
Signed-off-by: Zenghui Yu
Message-id: 20260324160321.96347-1-zenghui.yu@linux.dev
Reviewed-by: Peter Maydell
Signed-off-by: Peter Maydell
(cherry picked from commit 31b8d287b7fe59d135b836cacaaa364efe598ec0)
Signed-off-by: Michael Tokarev

diff --git a/target/arm/ptw.c b/target/arm/ptw.c index b2ae00b89e..e96b1c11e8 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c @@ -2128,6 +2128,14 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1T= ranslate *ptw, descaddr &=3D ~(hwaddr)(page_size - 1); descaddr |=3D (address & (page_size - 1)); =20 + if (likely(!ptw->in_debug)) { + /* Check descriptor AF bit */ + if (!(descriptor & (1 << 10)) && !param.ha) { + fi->type =3D ARMFault_AccessFlag; + goto do_fault; + } + } + /* * For AccessType_AT, DB is not updated (AArch64.SetDirtyFlag), * and it is IMPLEMENTATION DEFINED whether AF is updated
@@ -2137,15 +2145,9 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1T= ranslate *ptw, /* * Access flag. * If HA is enabled, prepare to update the descriptor below. - * Otherwise, pass the access fault on to software. */ - if (!(descriptor & (1 << 10))) { - if (param.ha) { - new_descriptor |=3D 1 << 10; /* AF */ - } else { - fi->type =3D ARMFault_AccessFlag; - goto do_fault; - } + if (!(descriptor & (1 << 10)) && param.ha) { + new_descriptor |=3D 1 << 10; /* AF */ } =20 /* --=20 2.47.3
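
Review bot: in the first hunk of target/arm/ptw.c, the new "if (likely(!ptw->in_debug))" guard has no comment saying why debug walks skip the access flag fault; that reasoning exists only in the commit message. A short comment at the guard would stop a later cleanup from folding it away. The pseudo code quoted in the commit message also makes the fault for AccessType_DC and AccessType_IC an IMPLEMENTATION DEFINED choice, while the added test looks only at descriptor bit 10 and param.ha, so the comment should state which choice this code takes for IC/DC operations. The two nested ifs can be a single condition. After the second hunk the test "!(descriptor & (1 << 10))" appears in two places; a named local for the AF bit would keep them in step.
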
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.3 044/117] hw/net/rocker: Avoid double-free of l2_flood.group_ids
Date: Tue, 12 May 2026 23:53:46 +0300
Message-ID: <20260512205503.361097-44-mjt@tls.msk.ru>
From: Peter Maydell

In of_dpa_cmd_add_l2_flood(), we allocate memory for the group->l2_flood.group_ids array, freeing any previous array. However, in the error-exit path we free the group_ids memory but do not clear the pointer to NULL. This means that if the guest causes us to take the error-exit path and then later call the function again, we will try again to free the memory we already freed.

Fix this by clearing the group_ids pointer in the error exit path, so we maintain the invariant of "either it points at allocated memory, or it is NULL" (both being valid to g_free()).

Cc: qemu-stable@nongnu.org
Fixes: dc488f88806 ("rocker: add new rocker switch device")
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3253
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Message-id: 20260324193530.375628-1-peter.maydell@linaro.org
(cherry picked from commit a0721c099b71f7bdfafa2675daee331d884163d2)
Signed-off-by: Michael Tokarev

diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c index 16b9bc7a4b..262ceb35f6 100644 --- a/hw/net/rocker/rocker_of_dpa.c +++ b/hw/net/rocker/rocker_of_dpa.c
@@ -2054,6 +2054,7 @@ static int of_dpa_cmd_add_l2_flood(OfDpa *of_dpa, OfD= paGroup *group, err_out: group->l2_flood.group_count =3D 0; g_free(group->l2_flood.group_ids); + group->l2_flood.group_ids =3D NULL; g_free(tlvs); =20 return err; --=20 2.47.3
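
Review bot: in the err_out path of of_dpa_cmd_add_l2_flood(), the free and the reset are two separate statements that must stay adjacent for the "allocated or NULL" invariant from the commit message to hold. Writing it as g_clear_pointer(&group->l2_flood.group_ids, g_free); does both in one call and cannot be split by a later edit. The hunk covers only this error exit; any other place that frees group_ids lies outside the visible context and should be checked for the same free-without-clear pattern.
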
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Marc-André Lureau, Daniel P. Berrangé, Michael Tokarev
Subject: [Stable-10.2.3 045/117] ui/vnc-jobs: fix VncRectEntry leak on job cleanup
Date: Tue, 12 May 2026 23:53:47 +0300
Message-ID: <20260512205503.361097-45-mjt@tls.msk.ru>
From: Marc-André Lureau

When a VncJob is freed, its associated VncRectEntry list must also be freed. Previously, vnc_job_push() and the disconnected path in vnc_worker_thread_loop() called g_free(job) directly, leaking all VncRectEntry allocations.

Introduce vnc_job_free() which iterates and frees the rectangle entries before freeing the job itself, and use it in both paths.

Also add QLIST_REMOVE() in the worker loop before g_free(entry), so that entries processed during normal operation are properly unlinked. Without this, vnc_job_free() would iterate dangling pointers to already-freed entries, causing use-after-free.

Fixes: bd023f953e5e ("vnc: threaded VNC server")
Reviewed-by: Daniel P. Berrangé
Signed-off-by: Marc-André Lureau
(cherry picked from commit 3cae0b46be5416b26039df5259ffc8fcf2989516)
Signed-off-by: Michael Tokarev

diff --git a/ui/vnc-jobs.c b/ui/vnc-jobs.c index bed33950a8..d2a3c676b0 100644 --- a/ui/vnc-jobs.c +++ b/ui/vnc-jobs.c @@ -108,11 +108,25 @@ int vnc_job_add_rect(VncJob *job, int x, int y, int w= , int h) return 1; } =20 +static void vnc_job_free(VncJob *job) +{ + VncRectEntry *entry, *tmp; + + if (!job) { + return; + } + QLIST_FOREACH_SAFE(entry, &job->rectangles, next, tmp) { + /* no need for QLIST_REMOVE(entry, next) */ + g_free(entry); + } + g_free(job); +} + void vnc_job_push(VncJob *job) { vnc_lock_queue(queue); if (queue->exit || QLIST_EMPTY(&job->rectangles)) { - g_free(job); + vnc_job_free(job); } else { QTAILQ_INSERT_TAIL(&queue->jobs, job, next); qemu_cond_broadcast(&queue->cond); @@ -297,6 +311,7 @@ static int vnc_worker_thread_loop(VncJobQueue *queue) n_rectangles +=3D n; } } + QLIST_REMOVE(entry, next); g_free(entry); } trace_vnc_job_nrects(&vs, job, n_rectangles);
@@ -325,7 +340,7 @@ disconnected: QTAILQ_REMOVE(&queue->jobs, job, next); vnc_unlock_queue(queue); qemu_cond_broadcast(&queue->cond); - g_free(job); + vnc_job_free(job); vs.magic =3D 0; return 0; } --=20 2.47.3
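
Review bot: the comment "no need for QLIST_REMOVE(entry, next)" in the new vnc_job_free() gives the conclusion without the reason; it should say that the list head lives in the job, which is freed immediately after the loop. In the vnc_worker_thread_loop() hunk, QLIST_REMOVE(entry, next) is added inside a loop whose header is outside the hunk context, so confirm that loop uses QLIST_FOREACH_SAFE before relying on unlinking during iteration. The "if (!job)" guard in vnc_job_free() is not exercised by vnc_job_push(), which has already evaluated &job->rectangles by then; keep the guard only if some caller can pass NULL.
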
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Kevin Wolf, Tingting Mao, Michael Tokarev
Subject: [Stable-10.2.3 046/117] ide: Fix potential assertion failure on VM stop for PIO read error
Date: Tue, 12 May 2026 23:53:48 +0300
Message-ID: <20260512205503.361097-46-mjt@tls.msk.ru>
From: Kevin Wolf

ide_sector_read() as well as its callers neglect to call ide_set_retry() before starting I/O. If the I/O fails, this means that the retry information is stale. In particular, ide_handle_rw_error() has an assertion that s->bus->retry_unit == s->unit, which can fail if either there was no previous request or it came from another device on the bus. If the assertion weren't there, a wrong request would be retried after resuming the VM.

Fix this by adding a ide_set_retry() call to ide_sector_read().

This affects only reads because ide_transfer_start() does call ide_set_retry(). For writes, the data transfer comes first and the I/O is only started when the data has been read into s->io_buffer, so by that time, ide_set_retry() has been called. For reads, however, the I/O comes first and only then the data is transferred to the guest, so the call in ide_transfer_start() is too late.

Buglink: https://redhat.atlassian.net/browse/RHEL-153537
Reported-by: Tingting Mao
Signed-off-by: Kevin Wolf
Message-ID: <20260326165124.138593-1-kwolf@redhat.com>
Signed-off-by: Kevin Wolf
(cherry picked from commit 59c1d31136688415e5d682a87942292dbb3caaeb)
Signed-off-by: Michael Tokarev

diff --git a/hw/ide/core.c b/hw/ide/core.c index 8c380abf7c..c66a9d8df0 100644 --- a/hw/ide/core.c +++ b/hw/ide/core.c
@@ -799,6 +799,7 @@ static void ide_sector_read(IDEState *s) s->error =3D 0; /* not needed by IDE spec, but needed by Windows */ sector_num =3D ide_get_sector(s); n =3D s->nsector; + ide_set_retry(s); =20 if (n =3D=3D 0) { ide_transfer_stop(s); --=20 2.47.3
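
Review bot: in ide_sector_read(), ide_set_retry(s) sits ahead of the "if (n == 0)" branch, so retry state is recorded even on the path that calls ide_transfer_stop() and starts no I/O. Either move the call below that branch or add a one-line comment saying the early placement is intended. The reason reads need their own call (the I/O is started before ide_transfer_start() runs) is stated only in the commit message and deserves a comment at the call site.
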
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Kevin Wolf, Paolo Bonzini, Stefan Hajnoczi, Michael Tokarev
Subject: [Stable-10.2.3 047/117] scsi: Don't consider LOGICAL UNIT NOT SUPPORTED guest recoverable
Date: Tue, 12 May 2026 23:53:49 +0300
Message-ID: <20260512205503.361097-47-mjt@tls.msk.ru>
From: Kevin Wolf

When commit bdf9613b introduced scsi_sense_buf_is_guest_recoverable(), it included LOGICAL UNIT NOT SUPPORTED in the list of guest recoverable sense codes. It doesn't really explain how the codes to be in the list were selected.

As the LUN doesn't come from the guest, but from the block backend (usually the SCSI device on the host that was opened with host_device, but it could also be the iscsi block driver), there is really no way the guest could influence this.

It seems that on some storage arrays, LOGICAL UNIT NOT SUPPORTED can happen during failover operations. When combined with multipath, the request should be retried on another path instead of being reported to the guest, which would offline the filesystem in response.

Simply returning false in scsi_sense_buf_is_guest_recoverable() will enable the retry logic in file-posix, and will also make sure that if the error persists, the configured error policy is respected so that the VM can be stopped.

Buglink: https://redhat.atlassian.net/browse/RHEL-158212
Fixes: bdf9613b7f87 ('scsi: explicitly list guest-recoverable sense codes')
Signed-off-by: Kevin Wolf
Message-ID: <20260330121635.49205-1-kwolf@redhat.com>
Reviewed-by: Paolo Bonzini
Reviewed-by: Stefan Hajnoczi
Signed-off-by: Kevin Wolf
(cherry picked from commit ccc613f96c66eb5401185ff6eeba18143892055d)
Signed-off-by: Michael Tokarev

diff --git a/scsi/utils.c b/scsi/utils.c index 545956f4f9..daee90ecf0 100644 --- a/scsi/utils.c +++ b/scsi/utils.c
@@ -373,7 +373,6 @@ static bool scsi_sense_is_guest_recoverable(int key, in= t asc, int ascq) case 0x1a00: /* PARAMETER LIST LENGTH ERROR */ case 0x2000: /* INVALID OPERATION CODE */ case 0x2400: /* INVALID FIELD IN CDB */ - case 0x2500: /* LOGICAL UNIT NOT SUPPORTED */ case 0x2600: /* INVALID FIELD IN PARAMETER LIST */ =20 case 0x2104: /* UNALIGNED WRITE COMMAND */ --=20 2.47.3
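
Review bot: deleting "case 0x2500" from scsi_sense_is_guest_recoverable() leaves nothing in the switch to show the omission is deliberate, and with 0x2400 and 0x2600 still listed on either side it reads like an oversight. Put a comment at that position saying LOGICAL UNIT NOT SUPPORTED is intentionally not guest recoverable because the LUN comes from the block backend, so the case is not re-added later. The commit message names scsi_sense_buf_is_guest_recoverable() while the hunk edits scsi_sense_is_guest_recoverable(); naming the function actually changed would make the description easier to match against the code.
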
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, hongmianquan, Kevin Wolf, "wubo.bob", Markus Armbruster, Michael Tokarev
Subject: [Stable-10.2.3 048/117] monitor: Fix deadlock in monitor_cleanup
Date: Tue, 12 May 2026 23:53:50 +0300
Message-ID: <20260512205503.361097-48-mjt@tls.msk.ru>
From: hongmianquan

During qemu_cleanup, if a non-coroutine QMP command (e.g., query-commands) is concurrently received and processed by the mon_iothread, it can lead to a deadlock in monitor_cleanup.

The root cause is a race condition between the main thread's shutdown sequence and the coroutine's dispatching mechanism. When handling a non-coroutine QMP command, qmp_dispatcher_co schedules the actual command execution as a bottom half in iohandler_ctx and then yields. At this suspended point, qmp_dispatcher_co_busy remains true.

Subsequently, the main thread in monitor_cleanup(), sets qmp_dispatcher_co_shutdown, and calls qmp_dispatcher_co_wake(). Since qmp_dispatcher_co_busy is already true, the aio_co_wake is skipped. The main thread then enters the AIO_WAIT_WHILE_UNLOCKED loop, it executes the scheduled BH (do_qmp_dispatch_bh) via aio_poll(iohandler_ctx, false), which attempts to wake up the coroutine, aio_co_wake schedules a new wake-up BH in iohandler_ctx. The main thread then blocks indefinitely in aio_poll(qemu_aio_context, true), while the coroutine's wake-up BH is starved in iohandler_ctx, qmp_dispatcher_co never reaches termination, resulting in a deadlock.

The execution sequence is illustrated below:

IO Thread                       Main Thread (qemu_aio_context)          qmp_dispatcher_co (iohandler_ctx)
  |                               |                                       |
  |-- query-commands              |                                       |
  |-- qmp_dispatcher_co_wake()    |                                       |
  |   (sets busy = true)          |                                       |
  |                               |  <-- Wakes up in iohandler_ctx -->    |
  |                               |                                       |-- qmp_dispatch()
  |                               |                                       |-- Schedules BH (do_qmp_dispatch_bh)
  |                               |                                       |-- qemu_coroutine_yield()
  |                               |                                      [State: Suspended, busy=true]
  |     [ quit triggered ]        |
  |                               |-- monitor_cleanup()
  |                               |-- qmp_dispatcher_co_shutdown = true
  |                               |-- qmp_dispatcher_co_wake()
  |                               |     -> Checks busy flag. It's TRUE!
  |                               |     -> Skips aio_co_wake().
  |                               |
  |                               |-- AIO_WAIT_WHILE_UNLOCKED:
  |                               |     |-- aio_poll(iohandler_ctx, false)
  |                               |     |     -> Executes do_qmp_dispatch_bh
  |                               |     |     -> Schedules 'co_schedule_bh' in iohandler_ctx
  |                               |     |
  |                               |     |-- aio_poll(qemu_aio_context, true)
  |                               |     |     -> Blocks indefinitely! (Deadlock)
  |                               |
  |                               X (Main thread sleeping)                X (Waiting for next iohandler_ctx poll)

To fix this, we add an explicit aio_wait_kick() in do_qmp_dispatch_bh() to break the main loop out of its blocking poll, allowing it to evaluate the loop condition and poll iohandler_ctx.

Suggested-by: Kevin Wolf
Signed-off-by: hongmianquan
Signed-off-by: wubo.bob
Message-ID: <20260327131024.51947-1-hongmianquan@bytedance.com>
Acked-by: Markus Armbruster
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf
(cherry picked from commit fc1a2ec7da531223b3473185dc2584f8a7c6c659)
Signed-off-by: Michael Tokarev

diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c index e569224eae..50eae4f082 100644 --- a/qapi/qmp-dispatch.c +++ b/qapi/qmp-dispatch.c
@@ -128,6 +128,16 @@ static void do_qmp_dispatch_bh(void *opaque) data->cmd->fn(data->args, data->ret, data->errp); monitor_set_cur(qemu_coroutine_self(), NULL); aio_co_wake(data->co); + + /* + * If the QMP dispatcher coroutine is waiting to be scheduled + * in iohandler_ctx, we must kick the main loop. This ensures + * that AIO_WAIT_WHILE_UNLOCKED() in monitor_cleanup() doesn't + * block indefinitely waiting for an event in qemu_aio_context, + * but actually gets the chance to poll iohandler_ctx and resume + * the coroutine. + */ + aio_wait_kick(); } =20 /* --=20 2.47.3
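
Review bot: the aio_wait_kick() call added at the end of do_qmp_dispatch_bh() makes qapi/qmp-dispatch.c depend on a symbol from util/aio-wait.c, and this patch does not touch the build files. Per 049/117 that file was only built under have_block, so this backport has to land together with the util/meson.build change from 049/117 or a guest-agent-only build fails to link. Separately, the new comment opens with "If the QMP dispatcher coroutine is waiting to be scheduled" while the kick is issued unconditionally; saying that the coroutine "may be waiting" would match what the code does.
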
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Daniel P. Berrangé, Michael Tokarev
Subject: [Stable-10.2.3 049/117] util: fix missing aio_wait sym in qemu guest agent only build
Date: Tue, 12 May 2026 23:53:51 +0300
Message-ID: <20260512205503.361097-49-mjt@tls.msk.ru>

From: Daniel P. Berrangé

Configure QEMU with

  --disable-system --disable-user --disable-tools --enable-guest-agent

and the build will fail with

  FAILED: [code=1] qga/qemu-ga
  ld: libqemuutil.a.p/qapi_qmp-dispatch.c.o: in function `do_qmp_dispatch_bh':
  qapi/qmp-dispatch.c:140:(.text+0x5c): undefined reference to `aio_wait_kick'

This aio_kick() usage was recently introduced in qmp-dispatch.c without updating the build logic.

Fixes commit fc1a2ec7da531223b3473185dc2584f8a7c6c659
Signed-off-by: Daniel P. Berrangé
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael Tokarev
Signed-off-by: Michael Tokarev
(cherry picked from commit 17fbf3e18c3dbc32ec07cfc24853d6654a813e90)
Fixes: 1275e6abfe82 "monitor: Fix deadlock in monitor_cleanup" in 10.2.x
Signed-off-by: Michael Tokarev
diff --git a/util/meson.build b/util/meson.build index 35029380a3..d0465e413d 100644 --- a/util/meson.build +++ b/util/meson.build @@ -82,6 +82,7 @@ endif =20 if have_block or have_ga util_ss.add(files('aiocb.c', 'async.c')) + util_ss.add(files('aio-wait.c')) util_ss.add(files('base64.c')) util_ss.add(files('main-loop.c')) util_ss.add(files('qemu-coroutine.c', 'qemu-coroutine-lock.c', 'qemu-cor= outine-io.c')) 
@@ -92,7 +93,6 @@ if have_block or have_ga or have_user util_ss.add(files('qemu-sockets.c')) endif if have_block - util_ss.add(files('aio-wait.c')) util_ss.add(files('buffer.c')) util_ss.add(files('bufferiszero.c')) util_ss.add(files('hbitmap.c')) --=20 2.47.3
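
Review bot: in the first hunk aio-wait.c moves under "if have_block or have_ga", which covers the guest-agent-only build from the commit message, but the following block in the same file is guarded by "have_block or have_ga or have_user". Please confirm that qapi/qmp-dispatch.c is never linked when only have_user is set, otherwise the same undefined reference to aio_wait_kick would show up there. The commit message also calls the function aio_kick() while the linker error and the code say aio_wait_kick().
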
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Richard Henderson, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.3 050/117] accel/tcg: Don't pass NULL to get_page_addr_code_hostp
Date: Tue, 12 May 2026 23:53:52 +0300
Message-ID: <20260512205503.361097-50-mjt@tls.msk.ru>

From: Richard Henderson

Pass a dummy variable instead to let the value be discarded, in preparation for making the argument mandatory.

Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Richard Henderson
(cherry picked from commit 813dbe869f4f82f00f2b465fdd22d30db1d5233e)
Signed-off-by: Michael Tokarev
diff --git a/accel/tcg/internal-common.h b/accel/tcg/internal-common.h index 6adfeefe13..0ca13750f9 100644 --- a/accel/tcg/internal-common.h +++ b/accel/tcg/internal-common.h 
@@ -105,7 +105,8 @@ tb_page_addr_t get_page_addr_code_hostp(CPUArchState *e= nv, vaddr addr, static inline tb_page_addr_t get_page_addr_code(CPUArchState *env, vaddr addr) { - return get_page_addr_code_hostp(env, addr, NULL); + void *discard; + return get_page_addr_code_hostp(env, addr, &discard); } =20 /* --=20 2.47.3
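
Review bot: the hunk converts only the get_page_addr_code() wrapper, and nothing here shows whether other callers still pass NULL to get_page_addr_code_hostp(). Since this is preparation for making the argument mandatory and 051/117 then dereferences hostp unconditionally, any remaining NULL caller would crash once the series is applied; please confirm there are none, or say in the commit message that this wrapper was the only one.
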
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Richard Henderson, Panda Jiang <3160104094@zju.edu.cn>, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.3 051/117] accel/tcg: Fix uninitialized hostp in get_page_addr_code_hostp
Date: Tue, 12 May 2026 23:53:53 +0300
Message-ID: <20260512205503.361097-51-mjt@tls.msk.ru>

From: Richard Henderson

This uninitialized value violates the contract in the documentation comment, and may lead to a SEGV during translation with -d in_asm.

Change the documentation to disallow hostp NULL. Pass hostp to probe_access_internal directly.

Reported-by: Panda Jiang <3160104094@zju.edu.cn>
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Richard Henderson
(cherry picked from commit 0039e5fd22344fec664c980d7a27443568834264)
Signed-off-by: Michael Tokarev
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c index fd1606c856..2d6f51b68c 100644 --- a/accel/tcg/cputlb.c +++ b/accel/tcg/cputlb.c @@ -1544,18 +1544,18 @@ tb_page_addr_t get_page_addr_code_hostp(CPUArchStat= e *env, vaddr addr, =20 (void)probe_access_internal(env_cpu(env), addr, 1, MMU_INST_FETCH, cpu_mmu_index(env_cpu(env), true), false, - &p, &full, 0, false); + hostp, &full, 0, false); + + p =3D *hostp; if (p =3D=3D NULL) { return -1; } =20 if (full->lg_page_size < TARGET_PAGE_BITS) { + *hostp =3D NULL; return -1; } =20 - if (hostp) { - *hostp =3D p; - } return qemu_ram_addr_from_host_nofail(p); } =20 diff --git a/accel/tcg/internal-common.h b/accel/tcg/internal-common.h index 0ca13750f9..9e7be2d78d 100644 --- a/accel/tcg/internal-common.h +++ b/accel/tcg/internal-common.h @@ -82,7 +82,7 @@ void tb_check_watchpoint(CPUState *cpu, uintptr_t retaddr= ); * See get_page_addr_code() (full-system version) for documentation on the * return value. * - * Sets *@hostp (when @hostp is non-NULL) as follows. + * Sets *@hostp as follows. * If the return value is -1, sets *@hostp to NULL. Otherwise, sets *@hostp * to the host address where @addr's content is kept. * diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c index 1800dffa63..f15bdefb1a 100644 --- a/accel/tcg/user-exec.c +++ b/accel/tcg/user-exec.c 
@@ -822,9 +822,7 @@ tb_page_addr_t get_page_addr_code_hostp(CPUArchState *e= nv, vaddr addr, flags =3D probe_access_internal(env, addr, 1, MMU_INST_FETCH, false, 0= ); g_assert(flags =3D=3D 0); =20 - if (hostp) { - *hostp =3D g2h_untagged(addr); - } + *hostp =3D g2h_untagged(addr); return addr; } =20 --=20 2.47.3
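
Review bot: in the accel/tcg/cputlb.c hunk, "p = *hostp;" is only well defined if probe_access_internal() stores to its host-pointer argument on every path, including failure, because callers such as get_page_addr_code() now pass an uninitialized variable and the return value is discarded with (void). A short comment stating that guarantee, or setting *hostp to NULL before the call, would make the -1 path self-evidently safe.
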
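
Review bot: the documentation hunk in accel/tcg/internal-common.h drops "(when @hostp is non-NULL)" but never states that @hostp must not be NULL, which is what the commit message says the change does. Adding a line such as "@hostp must be non-NULL." to the comment would spell out the new contract for callers.
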
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Laurent Vivier, Richard Henderson, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.3 052/117] include: Don't include guest-host.h in cpu-ldst.h
Date: Tue, 12 May 2026 23:53:54 +0300
Message-ID: <20260512205503.361097-52-mjt@tls.msk.ru>

From: Peter Maydell

We currently include user/guest-host.h from accel/tcg/cpu-ldst.h. However that file doesn't need anything from guest-host.h, since we removed the uses of g2h() in commit 9b74d403b30e ("accel/tcg: Move user-only tlb_vaddr_to_host out of line").

Move the include of guest-host.h to where it's actually needed.

Signed-off-by: Peter Maydell
Reviewed-by: Laurent Vivier
Reviewed-by: Richard Henderson
Message-id: 20260330143123.1685142-2-peter.maydell@linaro.org
Reviewed-by: Philippe Mathieu-Daudé
(cherry picked from commit ad7a005d672a657a5344575426642bfbea20e3e0)
Signed-off-by: Michael Tokarev
diff --git a/bsd-user/qemu.h b/bsd-user/qemu.h index 93388e7c34..61c2e85177 100644 --- a/bsd-user/qemu.h +++ b/bsd-user/qemu.h @@ -27,6 +27,7 @@ #include "user/abitypes.h" #include "user/cpu_loop.h" #include "user/page-protection.h" +#include "user/guest-host.h" =20 extern char **environ; =20 diff --git a/include/accel/tcg/cpu-ldst.h b/include/accel/tcg/cpu-ldst.h index 0de7f5eaa6..88c49a95d3 100644 --- a/include/accel/tcg/cpu-ldst.h +++ b/include/accel/tcg/cpu-ldst.h @@ -71,10 +71,6 @@ #include "accel/tcg/cpu-mmu-index.h" #include "exec/abi_ptr.h" =20 -#if defined(CONFIG_USER_ONLY) -#include "user/guest-host.h" -#endif /* CONFIG_USER_ONLY */ - static inline uint32_t cpu_ldub_mmuidx_ra(CPUArchState *env, abi_ptr addr, int mmu_idx, uintptr_t= ra) { diff --git a/linux-user/qemu.h b/linux-user/qemu.h index 85e68eff7b..cfe5f45fc4 100644 --- a/linux-user/qemu.h +++ b/linux-user/qemu.h 
@@ -10,6 +10,7 @@ #include "syscall_defs.h" #include "target_syscall.h" #include "accel/tcg/vcpu-state.h" +#include "user/guest-host.h" =20 /* * This is the size of the host kernel's sigset_t, needed where we make --=20 2.47.3
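
Review bot: removing the CONFIG_USER_ONLY include from include/accel/tcg/cpu-ldst.h breaks any user-only file that picked up user/guest-host.h only through that header, and the patch adds the include to bsd-user/qemu.h and linux-user/qemu.h only. accel/tcg/user-exec.c calls g2h() and g2h_untagged() in other patches of this series, so please confirm it includes user/guest-host.h directly or through a header that is not touched here.
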
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Laurent Vivier, Richard Henderson, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.3 053/117] include/user/guest-host.h: Provide g2h etc for both abi_ptr and vaddr
Date: Tue, 12 May 2026 23:53:55 +0300
Message-ID: <20260512205503.361097-53-mjt@tls.msk.ru>

From: Peter Maydell

In commit 7804c84a ("include/user: Use vaddr in guest-host.h") we changed all the functions in guest-host.h that took or returned their guest address argument in type abi_ptr to instead use vaddr.

This introduced regressions for the case of a 32-bit guest and an address above 2GB for the common situation where the address is a syscall argument stored in a variable of type 'abi_long'. With abi_ptr (which will be an unsigned 32-bit type for 32-bit guests), the address is cast to unsigned 32-bit, and then zero-extended to 64-bits in g2h_untagged_vaddr(). With the switch to vaddr (which is always a 64-bit unsigned type), the guest address will instead be sign-extended to 64 bits, which gives the wrong answer.

Fix this by providing two versions of the affected functions: the standard names (g2h(), g2h_untagged(), guest_addr_valid_untagged(), guest_range_valid_untagged(), cpu_untagged_addr()) return to using the logically-correct abi_ptr type; new versions with a _vaddr() prefix use the vaddr type.

accel/tcg/user-exec.c must change to use the _vaddr() versions; this is the only file that uses guest-host.h that we want to compile once. All the other uses are in linux-user and bsd-user code that inherently has to know the sizes of target-ABI types.

Cc: qemu-stable@nongnu.org
Fixes: 7804c84a ("include/user: Use vaddr in guest-host.h")
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3333
Signed-off-by: Peter Maydell
Reviewed-by: Laurent Vivier
Reviewed-by: Richard Henderson
Message-id: 20260330143123.1685142-3-peter.maydell@linaro.org
Reviewed-by: Philippe Mathieu-Daudé
(cherry picked from commit 8330da591ef62484b408e323d828566095a64929)
Signed-off-by: Michael Tokarev
diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c index f15bdefb1a..589c8654e8 100644 --- a/accel/tcg/user-exec.c +++ b/accel/tcg/user-exec.c 
@@ -647,7 +647,7 @@ void tb_lock_page0(tb_page_addr_t address) =20 if (prot & PAGE_WRITE) { pageflags_set_clear(start, last, 0, PAGE_WRITE); - mprotect(g2h_untagged(start), last - start + 1, + mprotect(g2h_untagged_vaddr(start), last - start + 1, prot & (PAGE_READ | PAGE_EXEC) ? PROT_READ : PROT_NONE); } } @@ -734,7 +734,7 @@ int page_unprotect(CPUState *cpu, tb_page_addr_t addres= s, uintptr_t pc) if (prot & PAGE_EXEC) { prot =3D (prot & ~PAGE_EXEC) | PAGE_READ; } - mprotect((void *)g2h_untagged(start), len, prot & PAGE_RWX); + mprotect((void *)g2h_untagged_vaddr(start), len, prot & PAGE_RWX); } mmap_unlock(); =20 @@ -763,7 +763,7 @@ static int probe_access_internal(CPUArchState *env, vad= dr addr, g_assert_not_reached(); } =20 - if (guest_addr_valid_untagged(addr)) { + if (guest_addr_valid_untagged_vaddr(addr)) { int page_flags =3D page_get_flags(addr); if (page_flags & acc_flag) { if (access_type !=3D MMU_INST_FETCH @@ -792,7 +792,7 @@ int probe_access_flags(CPUArchState *env, vaddr addr, i= nt size, =20 g_assert(-(addr | TARGET_PAGE_MASK) >=3D size); flags =3D probe_access_internal(env, addr, size, access_type, nonfault= , ra); - *phost =3D (flags & TLB_INVALID_MASK) ? NULL : g2h(env_cpu(env), addr); + *phost =3D (flags & TLB_INVALID_MASK) ? NULL : g2h_vaddr(env_cpu(env),= addr); return flags; } =20 @@ -805,13 +805,13 @@ void *probe_access(CPUArchState *env, vaddr addr, int= size, flags =3D probe_access_internal(env, addr, size, access_type, false, r= a); g_assert((flags & ~TLB_MMIO) =3D=3D 0); =20 - return size ? g2h(env_cpu(env), addr) : NULL; + return size ? g2h_vaddr(env_cpu(env), addr) : NULL; } =20 void *tlb_vaddr_to_host(CPUArchState *env, vaddr addr, MMUAccessType access_type, int mmu_idx) { - return g2h(env_cpu(env), addr); + return g2h_vaddr(env_cpu(env), addr); } =20 tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, vaddr addr, 
@@ -822,7 +822,7 @@ tb_page_addr_t get_page_addr_code_hostp(CPUArchState *e= nv, vaddr addr, flags =3D probe_access_internal(env, addr, 1, MMU_INST_FETCH, false, 0= ); g_assert(flags =3D=3D 0); =20 - *hostp =3D g2h_untagged(addr); + *hostp =3D g2h_untagged_vaddr(addr); return addr; } =20 @@ -938,7 +938,7 @@ static void *cpu_mmu_lookup(CPUState *cpu, vaddr addr, cpu_loop_exit_sigbus(cpu, addr, type, ra); } =20 - ret =3D g2h(cpu, addr); + ret =3D g2h_vaddr(cpu, addr); set_helper_retaddr(ra); return ret; } @@ -968,7 +968,7 @@ int cpu_memory_rw_debug(CPUState *cpu, vaddr addr, } if (is_write) { if (flags & PAGE_WRITE) { - memcpy(g2h(cpu, addr), buf, l); + memcpy(g2h_vaddr(cpu, addr), buf, l); } else { /* Bypass the host page protection using ptrace. */ if (fd =3D=3D -1) { @@ -987,13 +987,13 @@ int cpu_memory_rw_debug(CPUState *cpu, vaddr addr, */ tb_invalidate_phys_range(NULL, addr, addr + l - 1); written =3D pwrite(fd, buf, l, - (off_t)(uintptr_t)g2h_untagged(addr)); + (off_t)(uintptr_t)g2h_untagged_vaddr(addr= )); if (written !=3D l) { goto out_close; } } } else if (flags & PAGE_READ) { - memcpy(buf, g2h(cpu, addr), l); + memcpy(buf, g2h_vaddr(cpu, addr), l); } else { /* Bypass the host page protection using ptrace. */ if (fd =3D=3D -1) { @@ -1003,7 +1003,7 @@ int cpu_memory_rw_debug(CPUState *cpu, vaddr addr, } } if (pread(fd, buf, l, - (off_t)(uintptr_t)g2h_untagged(addr)) !=3D l) { + (off_t)(uintptr_t)g2h_untagged_vaddr(addr)) !=3D l) { goto out_close; } } @@ -1231,7 +1231,7 @@ static void *atomic_mmu_lookup(CPUState *cpu, vaddr a= ddr, MemOpIdx oi, cpu_loop_exit_atomic(cpu, retaddr); } =20 - ret =3D g2h(cpu, addr); + ret =3D g2h_vaddr(cpu, addr); set_helper_retaddr(retaddr); return ret; } diff --git a/include/user/guest-host.h b/include/user/guest-host.h index 8f7ef75896..ef83ad8a18 100644 --- a/include/user/guest-host.h +++ b/include/user/guest-host.h 
@@ -29,7 +29,12 @@ extern unsigned long reserved_va; */ extern unsigned long guest_addr_max; =20 -static inline vaddr cpu_untagged_addr(CPUState *cs, vaddr x) +/* + * These functions take the guest virtual address as a vaddr, + * and are suitable for use from target-independent code. + */ + +static inline vaddr cpu_untagged_addr_vaddr(CPUState *cs, vaddr x) { const TCGCPUOps *tcg_ops =3D cs->cc->tcg_ops; if (tcg_ops->untagged_addr) { @@ -39,22 +44,22 @@ static inline vaddr cpu_untagged_addr(CPUState *cs, vad= dr x) } =20 /* All direct uses of g2h and h2g need to go away for usermode softmmu. */ -static inline void *g2h_untagged(vaddr x) +static inline void *g2h_untagged_vaddr(vaddr x) { return (void *)((uintptr_t)(x) + guest_base); } =20 -static inline void *g2h(CPUState *cs, vaddr x) +static inline void *g2h_vaddr(CPUState *cs, vaddr x) { - return g2h_untagged(cpu_untagged_addr(cs, x)); + return g2h_untagged_vaddr(cpu_untagged_addr_vaddr(cs, x)); } =20 -static inline bool guest_addr_valid_untagged(vaddr x) +static inline bool guest_addr_valid_untagged_vaddr(vaddr x) { return x <=3D guest_addr_max; } =20 -static inline bool guest_range_valid_untagged(vaddr start, vaddr len) +static inline bool guest_range_valid_untagged_vaddr(vaddr start, vaddr len) { return len - 1 <=3D guest_addr_max && start <=3D guest_addr_max - len = + 1; } 
@@ -73,4 +78,49 @@ static inline bool guest_range_valid_untagged(vaddr star= t, vaddr len) h2g_nocheck(x); \ }) =20 +#ifdef COMPILING_PER_TARGET + +/* + * These functions take the guest virtual address as an abi_ptr. This + * is an important difference from a vaddr for the common case where + * the address is a syscall argument in a variable of type abi_long, + * which may be smaller than the vaddr type. If you pass an address in + * an abi_long to these functions then the value will be converted to + * an unsigned type and then zero extended to give the vaddr. If you + * use the g2h_vaddr() and similar functions which take an argument of + * type vaddr, then the value will be sign-extended, giving the wrong + * answer for addresses above the 2GB mark on 32-bit guests. + * + * Providing these functions with their traditional QEMU semantics is + * less bug-prone than requiring many callsites to remember to cast + * their abi_long variable to an abi_ptr before calling. + */ + +static inline void *g2h(CPUState *cs, abi_ptr x) +{ + return g2h_vaddr(cs, x); +} + +static inline void *g2h_untagged(abi_ptr x) +{ + return g2h_untagged_vaddr(x); +} + +static inline bool guest_addr_valid_untagged(abi_ptr x) +{ + return guest_addr_valid_untagged_vaddr(x); +} + +static inline bool guest_range_valid_untagged(abi_ptr start, abi_ptr len) +{ + return guest_range_valid_untagged_vaddr(start, len); +} + +static inline abi_ptr cpu_untagged_addr(CPUState *cs, abi_ptr x) +{ + return cpu_untagged_addr_vaddr(cs, x); +} + +#endif + #endif --=20 2.47.3
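Review bot: the comment added above cpu_untagged_addr_vaddr() in include/user/guest-host.h says only that the _vaddr() functions are "suitable for use from target-independent code"; the sign-extension warning lives solely in the later comment inside #ifdef COMPILING_PER_TARGET, so a reader of the _vaddr() block never sees it. Per-target code can still call g2h_vaddr() or guest_addr_valid_untagged_vaddr() with an abi_long, and g2h_untagged_vaddr() then adds the sign-extended value to guest_base. Suggest repeating one sentence of the warning in the first comment, stating that callers holding an abi_long must use the unsuffixed names.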
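Review bot: guest_range_valid_untagged(abi_ptr start, abi_ptr len) in the COMPILING_PER_TARGET block narrows len as well as start, so on a 32-bit guest any length wider than 32 bits is truncated before guest_range_valid_untagged_vaddr() evaluates `len - 1 <= guest_addr_max`. The new comment explains the conversion only for addresses; please state there that len receives the same conversion, so that callers passing a host-sized length know to check it first.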
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Clayton Craft, Helge Deller, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 054/117] linux-user: fix name_to_handle_at when AT_HANDLE_MNT_ID_UNIQUE flag is set
Date: Tue, 12 May 2026 23:53:56 +0300
Message-ID: <20260512205503.361097-54-mjt@tls.msk.ru>

From: Clayton Craft

Linux 6.12 added AT_HANDLE_MNT_ID_UNIQUE, which indicates that mount_id is 64-bits. If name_to_handle_at is called with this flag set then qemu passes a 4 byte int to the kernel, which then tries to store 8 bytes in a 4 byte variable, causing a SIGSEGV[1][2].

This stores mount_id in a 64-bit var if the flag is set.

1. https://gitlab.postmarketos.org/postmarketOS/pmaports/-/work_items/4431
2. https://github.com/systemd/systemd/issues/41279
Signed-off-by: Clayton Craft Reviewed-by: Helge Deller Message-id: 20260325-fix-name-to-handle-at-v1-1-49fb922e6fd3@craftyguy.net Signed-off-by: Peter Maydell (cherry picked from commit 22966937f4130278259a79d6462d1a0887e22c6e) Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 7404af9194..adaa1e3542 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -8175,6 +8175,9 @@ static int do_futex(CPUState *cpu, bool time64, targe= t_ulong uaddr, #endif =20 #if defined(TARGET_NR_name_to_handle_at) && defined(CONFIG_OPEN_BY_HANDLE) +#ifndef AT_HANDLE_MNT_ID_UNIQUE +#define AT_HANDLE_MNT_ID_UNIQUE 0x001 +#endif static abi_long do_name_to_handle_at(abi_long dirfd, abi_long pathname, abi_long handle, abi_long mount_id, abi_long flags) @@ -8182,6 +8185,7 @@ static abi_long do_name_to_handle_at(abi_long dirfd, = abi_long pathname, struct file_handle *target_fh; struct file_handle *fh; int mid =3D 0; + uint64_t mid64 =3D 0; abi_long ret; char *name; unsigned int size, total_size; @@ -8205,7 +8209,12 @@ static abi_long do_name_to_handle_at(abi_long dirfd,= abi_long pathname, fh =3D g_malloc0(total_size); fh->handle_bytes =3D size; =20 - ret =3D get_errno(name_to_handle_at(dirfd, path(name), fh, &mid, flags= )); + if (flags & AT_HANDLE_MNT_ID_UNIQUE) { + ret =3D get_errno(name_to_handle_at(dirfd, path(name), fh, + (int *)&mid64, flags)); + } else { + ret =3D get_errno(name_to_handle_at(dirfd, path(name), fh, &mid, f= lags)); + } unlock_user(name, pathname, 0); =20 /* man name_to_handle_at(2): 
@@ -8219,8 +8228,14 @@ static abi_long do_name_to_handle_at(abi_long dirfd,= abi_long pathname, g_free(fh); unlock_user(target_fh, handle, total_size); =20 - if (put_user_s32(mid, mount_id)) { - return -TARGET_EFAULT; + if (flags & AT_HANDLE_MNT_ID_UNIQUE) { + if (put_user_u64(mid64, mount_id)) { + return -TARGET_EFAULT; + } + } else { + if (put_user_s32(mid, mount_id)) { + return -TARGET_EFAULT; + } } =20 return ret; --=20 2.47.3
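Review bot: the `(int *)&mid64` cast in the AT_HANDLE_MNT_ID_UNIQUE branch of do_name_to_handle_at() needs a comment saying that the kernel stores a 64-bit mount ID through this pointer when the flag is set; without it the cast reads as a silenced type mismatch. The flag is also tested twice, once to choose the buffer for the host call and once to choose between put_user_u64() and put_user_s32(); evaluating it once into a local bool used at both sites keeps the buffer width and the copy-out width from drifting apart in a later edit.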
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Sun Haoyu, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 055/117] linux-user: update select timeout writeback
Date: Tue, 12 May 2026 23:53:57 +0300
Message-ID: <20260512205503.361097-55-mjt@tls.msk.ru>
From: Sun Haoyu

The Linux kernel writes back the remaining timeout for select-family syscalls in poll_select_finish(). If that writeback fails, it keeps the original return value.

However, QEMU only writes back the timeout on success. If the writeback fails, QEMU returns -TARGET_EFAULT. This can lose the remaining timeout and change the return value.

Update do_select(), do_pselect6(), and do_ppoll() to always write back the timeout to match the Linux kernel's behavior. If the timeout writeback fails, keep the original return value.

Tested with the issue reproducer.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3343 Signed-off-by: Sun Haoyu Reviewed-by: Peter Maydell Message-id: 20260320111647.138984-1-shyliuli@aosc.io Signed-off-by: Peter Maydell (cherry picked from commit 9b7d64686b82bb70315cc60e5630c70e27eef832) Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index adaa1e3542..5441ae6cb5 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -1387,14 +1387,15 @@ static abi_long do_select(int n, return -TARGET_EFAULT; if (efd_addr && copy_to_user_fdset(efd_addr, &efds, n)) return -TARGET_EFAULT; - - if (target_tv_addr) { - tv.tv_sec =3D ts.tv_sec; - tv.tv_usec =3D ts.tv_nsec / 1000; - if (copy_to_user_timeval(target_tv_addr, &tv)) { - return -TARGET_EFAULT; - } - } + } + if (target_tv_addr) { + tv.tv_sec =3D ts.tv_sec; + tv.tv_usec =3D ts.tv_nsec / 1000; + /* + * Like the kernel, we deliberately ignore possible + * failures writing back to the timeout struct. + */ + copy_to_user_timeval(target_tv_addr, &tv); } =20 return ret;
@@ -1522,14 +1523,16 @@ static abi_long do_pselect6(abi_long arg1, abi_long= arg2, abi_long arg3, if (efd_addr && copy_to_user_fdset(efd_addr, &efds, n)) { return -TARGET_EFAULT; } + } + if (ts_addr) { + /* + * Like the kernel, we deliberately ignore possible + * failures writing back to the timeout struct. + */ if (time64) { - if (ts_addr && host_to_target_timespec64(ts_addr, &ts)) { - return -TARGET_EFAULT; - } + host_to_target_timespec64(ts_addr, &ts); } else { - if (ts_addr && host_to_target_timespec(ts_addr, &ts)) { - return -TARGET_EFAULT; - } + host_to_target_timespec(ts_addr, &ts); } } return ret; 
@@ -1599,15 +1602,15 @@ static abi_long do_ppoll(abi_long arg1, abi_long ar= g2, abi_long arg3, if (set) { finish_sigsuspend_mask(ret); } - if (!is_error(ret) && arg3) { + if (arg3) { + /* + * Like the kernel, we deliberately ignore possible + * failures writing back to the timeout struct. + */ if (time64) { - if (host_to_target_timespec64(arg3, timeout_ts)) { - return -TARGET_EFAULT; - } + host_to_target_timespec64(arg3, timeout_ts); } else { - if (host_to_target_timespec(arg3, timeout_ts)) { - return -TARGET_EFAULT; - } + host_to_target_timespec(arg3, timeout_ts); } } } else { --=20 2.47.3
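Review bot: in do_select() and do_pselect6() the timeout writeback now sits after the closing brace of the enclosing block, but the copy_to_user_fdset() failures shown in the context lines still `return -TARGET_EFAULT` from inside that block, so those paths never reach the writeback that the commit message says should always happen. If the writeback is meant to be unconditional, record the error in ret and fall through instead of returning early. The three discarded return values (copy_to_user_timeval(), host_to_target_timespec64(), host_to_target_timespec()) would also read more clearly with an explicit (void) cast next to the new comment.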
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Sun Haoyu, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 056/117] linux-user: Make openat2() use -L for absolute paths
Date: Tue, 12 May 2026 23:53:58 +0300
Message-ID: <20260512205503.361097-56-mjt@tls.msk.ru>

From: Sun Haoyu

openat2() ignored the -L prefix and opened host files directly. For example, openat2("/tmp/file") opened /tmp/file on the host, not QEMU_LD_PREFIX/tmp/file like openat() does.

Fix this by using path() to rewrite absolute paths. Skip this when RESOLVE_BENEATH or RESOLVE_IN_ROOT is set:
- RESOLVE_BENEATH rejects absolute paths anyway
- RESOLVE_IN_ROOT resolves relative to dirfd

Now openat() and openat2() work in the same way.

Link: https://gitlab.com/qemu-project/qemu/-/work_items/3341
Signed-off-by: Sun Haoyu Reviewed-by: Peter Maydell Message-id: 20260317053827.25051-1-shyliuli@aosc.io Signed-off-by: Peter Maydell (cherry picked from commit fa6dfcc373c244a767be04d236e0cdd075b80e69) Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 5441ae6cb5..0261f2fc5c 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -8861,7 +8861,16 @@ static int do_openat2(CPUArchState *cpu_env, abi_lon= g dirfd, if (fd > -2) { ret =3D get_errno(fd); } else { - ret =3D get_errno(safe_openat2(dirfd, pathname, &how, + const char *host_pathname =3D pathname; + if (pathname[0] =3D=3D '/' && + !(how.resolve & (RESOLVE_IN_ROOT | RESOLVE_BENEATH))) { + /* + * RESOLVE_BENEATH rejects absolute paths; RESOLVE_IN_ROOT + * resolves them relative to dirfd. + */ + host_pathname =3D path(pathname); + } + ret =3D get_errno(safe_openat2(dirfd, host_pathname, &how, sizeof(struct open_how_ver0))); } =20 diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h index cd9ff709b8..a2470856be 100644 --- a/linux-user/syscall_defs.h +++ b/linux-user/syscall_defs.h 
@@ -2773,7 +2773,12 @@ struct target_open_how_ver0 { #ifndef RESOLVE_NO_SYMLINKS #define RESOLVE_NO_SYMLINKS 0x04 #endif - +#ifndef RESOLVE_BENEATH +#define RESOLVE_BENEATH 0x08 +#endif +#ifndef RESOLVE_IN_ROOT +#define RESOLVE_IN_ROOT 0x10 +#endif #if (defined(TARGET_I386) && defined(TARGET_ABI32)) || \ (defined(TARGET_ARM) && defined(TARGET_ABI32)) || \ defined(TARGET_M68K) || defined(TARGET_MICROBLAZE) || \ --=20 2.47.3
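Review bot: the new condition in do_openat2() exempts only RESOLVE_IN_ROOT and RESOLVE_BENEATH from the path() rewrite, so a guest call that sets RESOLVE_NO_SYMLINKS (defined just above the new fallbacks in syscall_defs.h) has that restriction applied to the rewritten host path, prefix components included, rather than to the path the guest supplied. Please say in the comment whether that is intended, or handle the remaining RESOLVE_* bits explicitly next to the `how.resolve & (RESOLVE_IN_ROOT | RESOLVE_BENEATH)` test.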
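Review bot: the syscall_defs.h hunk removes the blank line that separated the RESOLVE_* fallback defines from the following `#if (defined(TARGET_I386) && defined(TARGET_ABI32))` block and does not restore it after the new `#endif`. Keep one blank line there so the two unrelated preprocessor blocks stay visually distinct.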
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Nicholas Piggin, Warner Losh, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 057/117] bsd-user, linux-user: signal: recursive signal delivery fix
Date: Tue, 12 May 2026 23:53:59 +0300
Message-ID: <20260512205503.361097-57-mjt@tls.msk.ru>

From: Nicholas Piggin

Synchronous signals must accommodate a synchronous signal being raised during delivery, as asynchronous ones do. For example badframe errors during delivery will cause SIGSEGV to be raised.

Without this fix, cpu_loop() runs process_pending_signals() which delivers the first synchronous signal (e.g., SIGILL) which fails to set the handler and forces SIGSEGV, but that is not picked up. process_pending_signals() returns. Then cpu_loop() runs cpu_exec() again, which attempts to execute the same instruction, another SIGILL.
Signed-off-by: Nicholas Piggin Reviewed-by: Warner Losh Reviewed-by: Peter Maydell Message-id: 20260321135624.581398-3-npiggin@gmail.com Signed-off-by: Peter Maydell (cherry picked from commit 7e966ef38f58f91e05a46fdfda4ba63a9a1567d6) Signed-off-by: Michael Tokarev diff --git a/bsd-user/signal.c b/bsd-user/signal.c index dadcc037dc..3e5e41e1b1 100644 --- a/bsd-user/signal.c +++ b/bsd-user/signal.c @@ -998,7 +998,12 @@ void process_pending_signals(CPUArchState *env) sigdelset(&ts->signal_mask, target_to_host_signal(sig)); sigact_table[sig - 1]._sa_handler =3D TARGET_SIG_DFL; } + /* + * Restart scan from the beginning, as handle_pending_signal + * might have resulted in a new synchronous signal (eg SIGSEGV= ). + */ handle_pending_signal(env, sig, &ts->sync_signal); + goto restart_scan; } =20 k =3D ts->sigtab; @@ -1008,10 +1013,7 @@ void process_pending_signals(CPUArchState *env) if (k->pending && !sigismember(blocked_set, target_to_host_signal(sig))) { handle_pending_signal(env, sig, k); - /* - * Restart scan from the beginning, as handle_pending_sign= al - * might have resulted in a new synchronous signal (eg SIG= SEGV). - */ + /* Restart scan, explained above. */ goto restart_scan; } } diff --git a/linux-user/signal.c b/linux-user/signal.c index 804096bd44..f0a22577e5 100644 --- a/linux-user/signal.c +++ b/linux-user/signal.c @@ -1384,6 +1384,11 @@ void process_pending_signals(CPUArchState *cpu_env) } =20 handle_pending_signal(cpu_env, sig, &ts->sync_signal); + /* + * Restart scan from the beginning, as handle_pending_signal + * might have resulted in a new synchronous signal (eg SIGSEGV= ). + */ + goto restart_scan; } =20 for (sig =3D 1; sig <=3D TARGET_NSIG; sig++) { 
@@ -1394,9 +1399,7 @@ void process_pending_signals(CPUArchState *cpu_env) (!sigismember(blocked_set, target_to_host_signal_table[sig]))) { handle_pending_signal(cpu_env, sig, &ts->sigtab[sig - 1]); - /* Restart scan from the beginning, as handle_pending_sign= al - * might have resulted in a new synchronous signal (eg SIG= SEGV). - */ + /* Restart scan, explained above. */ goto restart_scan; } } --=20 2.47.3
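Review bot: the explanatory comment is placed differently in the two files: in bsd-user/signal.c it sits above the handle_pending_signal(env, sig, &ts->sync_signal) call, while in linux-user/signal.c it sits between the call and goto restart_scan. Putting it directly above the goto in both files would keep the two implementations aligned and make the later "Restart scan, explained above." comments point at the same place. Since the restart after a synchronous signal is now unconditional, the comment could also say what guarantees that the loop ends (the pending flag for ts->sync_signal being cleared before the jump), which the visible lines do not show.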
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Philippe Mathieu-Daudé, Richard Henderson, Michael Tokarev
Subject: [Stable-10.2.3 058/117] target/arm: do_ats_write(): avoid assertion when ptw failed
Date: Tue, 12 May 2026 23:54:00 +0300
Message-ID: <20260512205503.361097-58-mjt@tls.msk.ru>

From: Peter Maydell

In do_ats_write() we try to assert that the cacheattrs from get_phys_addr_for_at() are in the form we expect:

    /*
     * ATS operations only do S1 or S1+S2 translations, so we never
     * have to deal with the ARMCacheAttrs format for S2 only.
     */
    assert(!res.cacheattrs.is_s2_format);

However, the GetPhysAddrResult struct documents that its fields are only valid when the page table walk succeeded. For a two stage page table walk which fails during stage two, we will return early from get_phys_addr_twostage() and depending on the fault type the res.cacheattrs may have been initialized with the stage 2 cache attr information in stage 2 format. In this case we will incorrectly assert here.

Fix the assertion to not look at the res fields if the lookup failed.

Note for stable backports: the do_ats_write() function is in target/arm/helper.c in older QEMU versions, but the change to the assert line is the same.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3328
Fixes: 9f225e607f21 ("target/arm: Postpone interpretation of stage 2 descriptor attribute bits")
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Richard Henderson
Message-id: 20260331092305.2062580-1-peter.maydell@linaro.org
(cherry picked from commit 84771c64a5ae0f28d4bacc3f85a1f852a70c6edc)
Signed-off-by: Michael Tokarev

diff --git a/target/arm/tcg/cpregs-at.c b/target/arm/tcg/cpregs-at.c index 0e8f229aa7..53dd67375d 100644 --- a/target/arm/tcg/cpregs-at.c +++ b/target/arm/tcg/cpregs-at.c
@@ -37,8 +37,9 @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t v= alue, /* * ATS operations only do S1 or S1+S2 translations, so we never * have to deal with the ARMCacheAttrs format for S2 only. + * (Note that res fields are only valid on ptw success.) */ - assert(!res.cacheattrs.is_s2_format); + assert(ret || !res.cacheattrs.is_s2_format); =20 if (ret) { /* --=20 2.47.3
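Review bot: the assertion in do_ats_write() still runs before the if (ret) branch, so the rule that res is only valid on success is carried by the short-circuit in assert(ret || !res.cacheattrs.is_s2_format) rather than by control flow. Moving the check into the non-fault path that follows if (ret) would keep res from being read at all on failure and would make it harder for a later edit to add another unconditional use of res at this point. The added comment line is helpful; it could name GetPhysAddrResult so readers know where that validity rule is documented.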
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Alex Bennée, Richard Henderson, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 059/117] target/arm: fix fault_s1ns for stage 2 faults
Date: Tue, 12 May 2026 23:54:01 +0300
Message-ID: <20260512205503.361097-59-mjt@tls.msk.ru>

From: Alex Bennée

The computation of s1ns was simply wrong. For Stage 2 faults, it should indicate whether the faulting IPA is in the Non-Secure IPA space. Correct the logic to check for ARMSS_NonSecure and drop the extraneous s2_mmu_idx test.

This is effectively a change in the intended semantics of the ARMMMUFaultInfo::s1ns field, so that we no longer try to make it exactly match HPFAR_EL2.NS but instead set it for any stage 2 fault on an NS IPA, relying on users of the field to check whether the fault is to be taken to Secure EL2 before propagating the field to the HPFAR_EL2.NS bit.

Since the actual writing of HPFAR_EL2.NS is already gated by arm_is_secure_below_el3(env), we only need to update the comments to document this change of semantics.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2568
Signed-off-by: Alex Bennée
Reviewed-by: Richard Henderson
Message-id: 20260405112410.603223-1-alex.bennee@linaro.org
[PMM: also update comments about the s1ns field]
Reviewed-by: Peter Maydell
Signed-off-by: Peter Maydell
(cherry picked from commit 566594f10873723a179057a604d890bfaa1a9f0a)
Signed-off-by: Michael Tokarev

diff --git a/target/arm/internals.h b/target/arm/internals.h index d5f6d6546f..6434331ef2 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h
@@ -739,7 +739,10 @@ typedef enum ARMGPCF { * @paddr_space: physical address space that caused a fault for gpc * @stage2: True if we faulted at stage 2 * @s1ptw: True if we faulted at stage 2 while doing a stage 1 page-table = walk - * @s1ns: True if we faulted on a non-secure IPA while in secure state + * @s1ns: True if we faulted on a non-secure IPA. Note that (unlike the + * HPFAR_EL2.NS bit) this is set for any stage 2 fault for an NS IPA, so + * code must check that this is for a fault taken to Secure EL2 before + * propagating s1ns to HPFAR_EL2.NS. * @ea: True if we should set the EA (external abort type) bit in syndrome */ typedef struct ARMMMUFaultInfo ARMMMUFaultInfo; diff --git a/target/arm/ptw.c b/target/arm/ptw.c index e96b1c11e8..3e3c467eb2 100644 --- a/target/arm/ptw.c +++ b/target/arm/ptw.c 
@@ -613,12 +613,14 @@ static ARMSecuritySpace S2_security_space(ARMSecurity= Space s1_space, static bool fault_s1ns(ARMSecuritySpace space, ARMMMUIdx s2_mmu_idx) { /* - * For stage 2 faults in Secure EL22, S1NS indicates - * whether the faulting IPA is in the Secure or NonSecure - * IPA space. For all other kinds of fault, it is false. + * For stage 2 faults, S1NS indicates whether the faulting IPA is + * in the Non-Secure (true) or Secure (false) IPA space. For all + * other kinds of fault, it is false. Note that we do not + * distinguish "s2 fault on NS IPA taken to Secure EL2" from + * "s2 fault on NS IPA taken to NS EL2 or Realm EL2" here, but + * instead do that when setting HPFAR_EL2.NS. */ - return space =3D=3D ARMSS_Secure && regime_is_stage2(s2_mmu_idx) - && s2_mmu_idx =3D=3D ARMMMUIdx_Stage2_S; + return space =3D=3D ARMSS_NonSecure && regime_is_stage2(s2_mmu_idx); } =20 /* Translate a S1 pagetable walk through S2 if needed. */ --=20 2.47.3
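Review bot: with the new return expression in fault_s1ns() the s1ns flag is set for every stage 2 fault on a Non-Secure IPA, and no consumer is changed by this patch, so the correctness of HPFAR_EL2.NS now rests on each reader of ARMMMUFaultInfo::s1ns doing the Secure EL2 check. The internals.h comment says code "must check"; naming the existing gate there (the commit message cites arm_is_secure_below_el3(env)), or wrapping the read in a small helper that applies it, would make a missed check easier to spot in review. The s2_mmu_idx argument is now used only for regime_is_stage2(), which is worth a word in the function comment.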
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Nguyen Dinh Phi, Marc-André Lureau, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 060/117] util/readline: Fix out-of-bounds access in readline_insert_char().
Date: Tue, 12 May 2026 23:54:02 +0300
Message-ID: <20260512205503.361097-60-mjt@tls.msk.ru>

From: Nguyen Dinh Phi

Currently, the readline_insert_char() function is guarded by the cursor position (cmd_buf_index) rather than the actual buffer fill level (cmd_buf_size).

The current check is:

    if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE)

This logic is flawed because if the command buffer is full and a user moves the cursor backward (e.g. by sending left arrow key), cmd_buf_index can be decreased without decreasing the buffer size. This allows subsequent insertions to increase cmd_buf_size past its maximum limit of rs->cmd_buf.

Because in the ReadLineState struct, cmd_buf[READLINE_CMD_BUF_SIZE + 1] is immediately followed by the cmd_buf_index integer, once the buffer size is sufficiently inflated, the memmove() operation inside readline_insert_char() can write past the end of cmd_buf[] and overwrite cmd_buf_index itself.

The subsequent line:

    rs->cmd_buf[rs->cmd_buf_index] = ch;

then writes the input character to an address determined by the now-corrupted index. By providing a specifically crafted input sequence via HMP, this flaw can be used to redirect the write operation to overwrite any field within the ReadLineState structure, which can lead to unpredictable behavior or application crashes.

Fix this by adding the guard to check for buffer fullness.

Cc: qemu-stable@nongnu.org
Signed-off-by: Nguyen Dinh Phi
Message-id: 20260406050454.284873-2-phind.uet@gmail.com
Reviewed-by: Marc-André Lureau
Signed-off-by: Peter Maydell
(cherry picked from commit 4e4832dd72db59cf9348a5cb787fe65b738d7601)
Signed-off-by: Michael Tokarev

diff --git a/util/readline.c b/util/readline.c index 0f19674f52..e2664e48ca 100644 --- a/util/readline.c +++ b/util/readline.c
@@ -84,7 +84,9 @@ static void readline_update(ReadLineState *rs) =20 static void readline_insert_char(ReadLineState *rs, int ch) { - if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE) { + assert(rs->cmd_buf_index <=3D rs->cmd_buf_size); + + if (rs->cmd_buf_size < READLINE_CMD_BUF_SIZE) { memmove(rs->cmd_buf + rs->cmd_buf_index + 1, rs->cmd_buf + rs->cmd_buf_index, rs->cmd_buf_size - rs->cmd_buf_index); --=20 2.47.3
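Review bot: the guard in readline_insert_char() now tests cmd_buf_size, but nothing in the hunk says why the fill level and not the cursor is the bound, and the old index-based check looked just as plausible. A one-line comment above the if, for example "bound on fill level: the cursor can move left while the buffer stays full", would keep a later cleanup from reverting it. The new assert(rs->cmd_buf_index <= rs->cmd_buf_size) protects the memmove() length rs->cmd_buf_size - rs->cmd_buf_index; it is worth checking that every other place that changes either field keeps that invariant, since a violation now aborts on monitor input.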
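The guard change described in the commit message above, as an added model that is not part of the patch or of QEMU: it compares the index-based guard with the size-based guard on the same key sequence. MODEL_BUF_SIZE, ModelLine, model_insert() and run_sequence() are hypothetical names, and the model records how far a memmove() would overrun instead of performing the write.

```c
/* Constructed model of the two guards; not QEMU source. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_BUF_SIZE 8            /* stand-in for READLINE_CMD_BUF_SIZE */

typedef struct {
    char buf[MODEL_BUF_SIZE + 1];   /* same "+ 1" shape as cmd_buf[] */
    int index;                      /* cursor, like cmd_buf_index */
    int size;                       /* fill level, like cmd_buf_size */
    int oob_bytes;                  /* worst overrun a real memmove() would make */
} ModelLine;

typedef enum { GUARD_ON_INDEX, GUARD_ON_SIZE } Guard;

typedef struct {
    int final_size;                 /* fill level after the sequence */
    int oob_bytes;                  /* bytes past the end of buf[] */
    int accepted;                   /* extra inserts the guard let through */
} Outcome;

/* One insert attempt under the chosen guard. Returns true if accepted. */
static bool model_insert(ModelLine *l, int ch, Guard guard)
{
    int guarded = (guard == GUARD_ON_INDEX) ? l->index : l->size;
    size_t end;

    assert(l->index <= l->size);    /* invariant the fix also asserts */
    if (guarded >= MODEL_BUF_SIZE) {
        return false;
    }
    /* memmove(buf + index + 1, buf + index, size - index) ends at size + 1 */
    end = (size_t)l->size + 1;
    if (end > sizeof(l->buf)) {
        /* Record the overrun instead of corrupting memory. */
        int over = (int)(end - sizeof(l->buf));
        if (over > l->oob_bytes) {
            l->oob_bytes = over;
        }
    } else {
        memmove(l->buf + l->index + 1, l->buf + l->index,
                (size_t)(l->size - l->index));
        l->buf[l->index] = (char)ch;
    }
    l->size++;
    l->index++;
    return true;
}

/* Fill the line, move the cursor left, then try more inserts. */
static Outcome run_sequence(Guard guard, int left_moves, int extra_inserts)
{
    ModelLine l;
    Outcome out;
    int i, accepted = 0;

    memset(&l, 0, sizeof(l));
    while (model_insert(&l, 'a', guard)) {
        /* type until the guard refuses: the buffer is now full */
    }
    for (i = 0; i < left_moves && l.index > 0; i++) {
        l.index--;                  /* left arrow: cursor moves, size does not */
    }
    for (i = 0; i < extra_inserts; i++) {
        if (model_insert(&l, 'b', guard)) {
            accepted++;
        }
    }
    out.final_size = l.size;
    out.oob_bytes = l.oob_bytes;
    out.accepted = accepted;
    return out;
}

int main(void)
{
    Outcome before = run_sequence(GUARD_ON_INDEX, 4, 6);
    Outcome after = run_sequence(GUARD_ON_SIZE, 4, 6);

    printf("index guard: size=%d (cap %d), overrun=%d bytes, accepted=%d\n",
           before.final_size, MODEL_BUF_SIZE, before.oob_bytes, before.accepted);
    printf("size guard:  size=%d (cap %d), overrun=%d bytes, accepted=%d\n",
           after.final_size, MODEL_BUF_SIZE, after.oob_bytes, after.accepted);
    return 0;
}
```

With the index guard, each left-arrow press on a full buffer buys one more accepted insert; with the size guard the fill level never passes the capacity.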
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Paolo Bonzini, Zhao Liu, Michael Tokarev
Subject: [Stable-10.2.3 061/117] rust: hide panicking default associated constants from rustdoc
Date: Tue, 12 May 2026 23:54:03 +0300
Message-ID: <20260512205503.361097-61-mjt@tls.msk.ru>

From: Paolo Bonzini

Work around rustdoc issue that panics while trying to evaluate the constants.

Reviewed-by: Zhao Liu
Signed-off-by: Paolo Bonzini
(cherry picked from commit 34f66fdfd285eb861cefcec2ab573dbbdf71cfc2)
Signed-off-by: Michael Tokarev

diff --git a/rust/hw/core/src/qdev.rs b/rust/hw/core/src/qdev.rs index 4e983da28b..c2ca17f6ce 100644 --- a/rust/hw/core/src/qdev.rs +++ b/rust/hw/core/src/qdev.rs
@@ -132,6 +132,7 @@ pub trait ResettablePhasesImpl { /// [`bindings::PropertyInfo`] pointer for the trait implementation to be = safe. pub unsafe trait QDevProp { const BASE_INFO: *const bindings::PropertyInfo; + #[doc(hidden)] // https://github.com/rust-lang/rust/issues/149635 const BIT_INFO: *const bindings::PropertyInfo =3D { panic!("invalid type for bit property"); }; diff --git a/rust/migration/src/vmstate.rs b/rust/migration/src/vmstate.rs index 267f9c8e05..f9d9f335b9 100644 --- a/rust/migration/src/vmstate.rs +++ b/rust/migration/src/vmstate.rs 
@@ -101,6 +101,7 @@ pub unsafe trait VMState { /// type for the length (i.e. if it is not `u8`, `u16`, `u32`), using = it /// in a call to [`vmstate_of!`](crate::vmstate_of) will cause a /// compile-time error. + #[doc(hidden)] // https://github.com/rust-lang/rust/issues/149635 const VARRAY_FLAG: VMStateFlags =3D { panic!("invalid type for variable-sized array"); }; --=20 2.47.3
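Review bot: #[doc(hidden)] on QDevProp::BIT_INFO and VMState::VARRAY_FLAG also hides the existing /// text above VARRAY_FLAG from the rendered documentation, and both are constants that implementers of these unsafe traits may need to know about. The trailing issue URL gives the reason only indirectly; a short comment such as "workaround for a rustdoc panic, remove when the linked issue is fixed", plus a mention of the two constants in the trait-level docs, would keep them discoverable and make the workaround easy to drop later.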
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Paolo Bonzini, Jihe Wang, Stefan Hajnoczi, Michael Tokarev
Subject: [Stable-10.2.3 062/117] virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare
Date: Tue, 12 May 2026 23:54:04 +0300
Message-ID: <20260512205503.361097-62-mjt@tls.msk.ru>

From: Paolo Bonzini

Ensure that there is no allocation/usage mismatch when requests are processed in virtio_scsi_handle_cmd_vq. To do this, retrieve the value once and pass it to both functions.

For other calls to virtio_scsi_pop_req the extra size can be 0, because control and event requests fit entirely in VirtIOSCSIReq.

Reported-by: Jihe Wang
Tested-by: Jihe Wang
Reviewed-by: Stefan Hajnoczi
Fixes: CVE-2026-5763
Signed-off-by: Paolo Bonzini
(cherry picked from commit 79971302935472232a68073faddb085177e3ca54)
Signed-off-by: Michael Tokarev diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c index 93e87c459c..24ece74e2b 100644 --- a/hw/scsi/virtio-scsi.c +++ b/hw/scsi/virtio-scsi.c @@ -227,16 +227,16 @@ static int virtio_scsi_parse_req(VirtIOSCSIReq *req, return 0; } =20 -static VirtIOSCSIReq *virtio_scsi_pop_req(VirtIOSCSI *s, VirtQueue *vq, Qe= muMutex *vq_lock) +static VirtIOSCSIReq *virtio_scsi_pop_req(VirtIOSCSI *s, VirtQueue *vq, si= ze_t extra_req_size, + QemuMutex *vq_lock) { - VirtIOSCSICommon *vs =3D (VirtIOSCSICommon *)s; VirtIOSCSIReq *req; =20 if (vq_lock) { qemu_mutex_lock(vq_lock); } =20 - req =3D virtqueue_pop(vq, sizeof(VirtIOSCSIReq) + vs->cdb_size); + req =3D virtqueue_pop(vq, sizeof(VirtIOSCSIReq) + extra_req_size); =20 if (vq_lock) { qemu_mutex_unlock(vq_lock); @@ -682,7 +682,7 @@ static void virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, V= irtQueue *vq) { VirtIOSCSIReq *req; =20 - while ((req =3D virtio_scsi_pop_req(s, vq, &s->ctrl_lock))) { + while ((req =3D virtio_scsi_pop_req(s, vq, 0, &s->ctrl_lock))) { virtio_scsi_handle_ctrl_req(s, req); } } @@ -850,13 +850,14 @@ static void virtio_scsi_fail_cmd_req(VirtIOSCSIReq *r= eq) virtio_scsi_complete_cmd_req(req); } =20 -static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq= *req) +static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq= *req, + size_t cdb_size) { VirtIOSCSICommon *vs =3D VIRTIO_SCSI_COMMON(s); SCSIDevice *d; int rc; =20 - rc =3D virtio_scsi_parse_req(req, sizeof(VirtIOSCSICmdReq) + vs->cdb_s= ize, + rc =3D virtio_scsi_parse_req(req, sizeof(VirtIOSCSICmdReq) + cdb_size, sizeof(VirtIOSCSICmdResp) + vs->sense_size); if (rc < 0) { if (rc =3D=3D -ENOTSUP) { 
@@ -878,7 +879,7 @@ static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCS= I *s, VirtIOSCSIReq *req) } req->sreq =3D scsi_req_new(d, req->req.cmd.tag, virtio_scsi_get_lun(req->req.cmd.lun), - req->req.cmd.cdb, vs->cdb_size, req); + req->req.cmd.cdb, cdb_size, req); =20 if (req->sreq->cmd.mode !=3D SCSI_XFER_NONE && (req->sreq->cmd.mode !=3D req->mode || @@ -913,12 +914,15 @@ static void virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, = VirtQueue *vq) QTAILQ_HEAD(, VirtIOSCSIReq) reqs =3D QTAILQ_HEAD_INITIALIZER(reqs); =20 do { + VirtIOSCSICommon *vs =3D (VirtIOSCSICommon *)s; + size_t cdb_size =3D qatomic_read(&vs->cdb_size); + if (suppress_notifications) { virtio_queue_set_notification(vq, 0); } =20 - while ((req =3D virtio_scsi_pop_req(s, vq, NULL))) { - ret =3D virtio_scsi_handle_cmd_req_prepare(s, req); + while ((req =3D virtio_scsi_pop_req(s, vq, cdb_size, NULL))) { + ret =3D virtio_scsi_handle_cmd_req_prepare(s, req, cdb_size); if (!ret) { QTAILQ_INSERT_TAIL(&reqs, req, next); } else if (ret =3D=3D -EINVAL) { @@ -989,7 +993,7 @@ static void virtio_scsi_set_config(VirtIODevice *vdev, } =20 vs->sense_size =3D virtio_ldl_p(vdev, &scsiconf->sense_size); - vs->cdb_size =3D virtio_ldl_p(vdev, &scsiconf->cdb_size); + qatomic_set(&vs->cdb_size, virtio_ldl_p(vdev, &scsiconf->cdb_size)); } =20 static uint64_t virtio_scsi_get_features(VirtIODevice *vdev, 
@@ -1050,7 +1054,7 @@ static void virtio_scsi_push_event(VirtIOSCSI *s, return; } =20 - req =3D virtio_scsi_pop_req(s, vs->event_vq, &s->event_lock); + req =3D virtio_scsi_pop_req(s, vs->event_vq, 0, &s->event_lock); WITH_QEMU_LOCK_GUARD(&s->event_lock) { if (!req) { s->events_dropped =3D true; --=20 2.47.3
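Review bot: virtio_scsi_set_config() now stores cdb_size with qatomic_set(), but the line above it still does a plain `vs->sense_size = virtio_ldl_p(vdev, &scsiconf->sense_size);` and virtio_scsi_handle_cmd_req_prepare() still reads `vs->sense_size` directly when sizing the response for virtio_scsi_parse_req(). If a config write can race with the command virtqueue handler for cdb_size, it can for sense_size too, so either give sense_size the same qatomic_set()/qatomic_read() treatment or add a comment saying why a value that changes between requests is harmless there. Two smaller points: the new extra_req_size parameter of virtio_scsi_pop_req() deserves a one-line comment saying it is the extra space allocated for the CDB and is 0 for the control and event queues, and virtio_scsi_handle_cmd_vq() uses a raw `(VirtIOSCSICommon *)s` cast where virtio_scsi_handle_cmd_req_prepare() uses VIRTIO_SCSI_COMMON(s).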
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Gerd Hoffmann, Yuma Kurogome, Daniel P. Berrangé, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 063/117] hw/uefi: fix heap overflow (CVE-2026-5744)
Date: Tue, 12 May 2026 23:54:05 +0300
Message-ID: <20260512205503.361097-63-mjt@tls.msk.ru>

From: Gerd Hoffmann

When copying the request response into the pio transfer buffer the code skips the 'struct mm_header' but does not consider that when calculating transfer size, so it will copy 24 (== sizeof(struct mm_header)) extra bytes, which can overflow uv->pio_xfer_buffer.

Fix that by copying the complete buffer, including the header, which also makes the pio code path consistent with the (unaffected) dma code path.

Fixes: CVE-2026-5744
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: Yuma Kurogome
Signed-off-by: Gerd Hoffmann
Reviewed-by: Daniel P. Berrangé
Message-id: 20260408073403.3410541-1-kraxel@redhat.com
Signed-off-by: Peter Maydell
(cherry picked from commit af74c9e46bb55e2da042315a0c65666f59c61686)
Signed-off-by: Michael Tokarev
diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c index 6ab8df091a..91548e2f39 100644 --- a/hw/uefi/var-service-core.c +++ b/hw/uefi/var-service-core.c
@@ -133,9 +133,8 @@ static uint32_t uefi_vars_cmd_mm(uefi_vars_state *uv, b= ool dma_mode) uv->buffer, sizeof(*mhdr) + mhdr->length, MEMTXATTRS_UNSPECIFIED); } else { - memcpy(uv->pio_xfer_buffer + sizeof(*mhdr), - uv->buffer + sizeof(*mhdr), - sizeof(*mhdr) + mhdr->length); + memcpy(uv->pio_xfer_buffer, + uv->buffer, sizeof(*mhdr) + mhdr->length); } =20 return retval; --=20 2.47.3
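Review bot: In the pio branch of uefi_vars_cmd_mm() the corrected `memcpy(uv->pio_xfer_buffer, uv->buffer, sizeof(*mhdr) + mhdr->length)` still takes its length from mhdr->length, and nothing in this hunk shows that sum being compared against the size of uv->pio_xfer_buffer. The check presumably sits earlier in the function; an assert on the total just before the memcpy, or a comment naming where the bound is enforced, would keep the invariant next to the copy that depends on it. A short comment that the pio buffer carries the header as well as the payload, matching the dma path above, would also help the next reader.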
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Dietmar Maurer, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.3 064/117] qemu-keymap: fix altgr modifier lookup for newer xkeyboard-config
Date: Tue, 12 May 2026 23:54:06 +0300
Message-ID: <20260512205503.361097-64-mjt@tls.msk.ru>

From: Dietmar Maurer

xkeyboard-config 2.37 removed the "AltGr" virtual modifier in favor of mapping upper groups directly to Mod5. Since then, xkb_keymap_mod_get_index(map, "AltGr") returns XKB_MOD_INVALID, so AltGr-based keysyms were never generated.

See: https://gitlab.freedesktop.org/xkeyboard-config/xkeyboard-config/-/commit/473f9bc32f9ba869829cc0d06a75cd1f2560aa60

Try "AltGr" first, and fall back to "Mod5" for compatibility with both old and new xkeyboard-config versions.

Signed-off-by: Dietmar Maurer
Reviewed-by: Philippe Mathieu-Daudé
Message-ID: <20260408091459.4001711-1-dietmar@proxmox.com>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit 4e6fb62fb0f33c815b089d0b59e1313b768c55d0)
Signed-off-by: Michael Tokarev
diff --git a/qemu-keymap.c b/qemu-keymap.c index 1c081db287..d4dccf456e 100644 --- a/qemu-keymap.c +++ b/qemu-keymap.c
@@ -230,6 +230,9 @@ int main(int argc, char *argv[]) shift =3D get_mod(map, "Shift"); ctrl =3D get_mod(map, "Control"); altgr =3D get_mod(map, "AltGr"); + if (!altgr) { + altgr =3D get_mod(map, "Mod5"); + } numlock =3D get_mod(map, "NumLock"); =20 state =3D xkb_state_new(map); --=20 2.47.3
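Review bot: The new `if (!altgr)` fallback in main() only works if get_mod() returns 0 when the modifier name is unknown, and that is not visible in this hunk; please confirm get_mod() maps XKB_MOD_INVALID to 0 rather than passing the invalid index through. The fallback also has no comment, so a line above it saying that xkeyboard-config 2.37 dropped the AltGr virtual modifier and Mod5 takes its place would save the next reader a trip to the commit log.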
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Stefan Hajnoczi, Sam Li, Damien Le Moal, Dmitry Fomichev, Mingyuan Luo, Michael Tokarev
Subject: [Stable-10.2.3 065/117] virtio-blk: fix zone report buffer out-of-memory (CVE-2026-5761)
Date: Tue, 12 May 2026 23:54:07 +0300
Message-ID: <20260512205503.361097-65-mjt@tls.msk.ru>

From: Stefan Hajnoczi

An internal buffer is used when processing VIRTIO_BLK_T_ZONE_REPORT requests. The buffer's size is controlled by the guest. A large value can result in g_malloc() failure and the QEMU process aborts, resulting in a Denial of Service (DoS) (most likely in cases where an untrusted guest application or a nested guest with virtio-blk passthrough is able to abort QEMU).

Modify the zone report implementation to work incrementally with a bounded buffer size. This is purely a QEMU implementation issue and no VIRTIO spec changes are needed.

Mingyuan Luo found this bug and provided a reproducer which I haven't put into tests/qtest/ because it requires a zoned storage device (e.g. root and modprobe null_blk):

1) Prepare a zoned nullblk backend (/dev/nullb0):

sudo modprobe -r null_blk || true
sudo modprobe null_blk nr_devices=1 zoned=1
sudo chmod 0666 /dev/nullb0
cat /sys/block/nullb0/queue/zoned

2) Create qtest input:

cat >/tmp/vblk-zone-report-oom.qtest <<'EOF'
outl 0xcf8 0x80002004
outw 0xcfc 0x0007
outl 0xcf8 0x80002010
outl 0xcfc 0x0000c001
outb 0xc012 0x00
outb 0xc012 0x01
outb 0xc012 0x03
outl 0xc004 0x00000000
outw 0xc00e 0x0000
outl 0xc008 0x00000100
outb 0xc012 0x07
writel 0x00020000 0x00000010
writel 0x00020004 0x00000000
writeq 0x00020008 0x0000000000000000
writeq 0x00100000 0x0000000000020000
writel 0x00100008 0x00000010
writew 0x0010000c 0x0001
writew 0x0010000e 0x0001
EOF

for i in $(seq 1 1022); do
  d=$((0x00100000 + i * 16))
  n=$((i + 1))
  printf 'writeq 0x%08x 0x0000000000200000\n' "$d" >> /tmp/vblk-zone-report-oom.qtest
  printf 'writel 0x%08x 0x1fe00000\n' $((d + 8)) >> /tmp/vblk-zone-report-oom.qtest
  printf 'writew 0x%08x 0x0003\n' $((d + 12)) >> /tmp/vblk-zone-report-oom.qtest
  printf 'writew 0x%08x 0x%04x\n' $((d + 14)) "$n" >> /tmp/vblk-zone-report-oom.qtest
done

d=$((0x00100000 + 1023 * 16))
printf 'writeq 0x%08x 0x0000000000200000\n' "$d" >> /tmp/vblk-zone-report-oom.qtest
printf 'writel 0x%08x 0x1fe00000\n' $((d + 8)) >> /tmp/vblk-zone-report-oom.qtest
printf 'writew 0x%08x 0x0002\n' $((d + 12)) >> /tmp/vblk-zone-report-oom.qtest
printf 'writew 0x%08x 0x0000\n' $((d + 14)) >> /tmp/vblk-zone-report-oom.qtest

cat >> /tmp/vblk-zone-report-oom.qtest <<'EOF'
writew 0x00104000 0x0000
writew 0x00104002 0x0001
writew 0x00104004 0x0000
outw 0xc010 0x0000
EOF

3) Run the qtest input with ASAN build (compile qemu with --enable-asan):

build/qemu-system-x86_64 -display none \
-accel qtest -qtest stdio \
-machine pc -nodefaults -m 512M -monitor none -serial none \
-blockdev driver=host_device,node-name=disk0,filename=/dev/nullb0 \
-device virtio-blk-pci-transitional,drive=disk0,addr=04.0,queue-size=1024 \
< /tmp/vblk-zone-report-oom.qtest

Cc: Sam Li
Cc: Damien Le Moal
Cc: Dmitry Fomichev
Fixes: CVE-2026-5761
Fixes: 4f7366506a9 ("virtio-blk: add zoned storage emulation for zoned devices")
Reported-by: Mingyuan Luo
Reviewed-by: Damien Le Moal
Signed-off-by: Stefan Hajnoczi
(cherry picked from commit 4913ae36f9796c55d434dcbfa6bdb9ebb3e5e4b1)
Signed-off-by: Michael Tokarev
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c index 64efce4846..065373cc59 100644 --- a/hw/block/virtio-blk.c +++ b/hw/block/virtio-blk.c @@ -38,6 +38,9 @@ #include "hw/virtio/virtio-blk-common.h" #include "qemu/coroutine.h" =20 +/* Internal buffer size limit for zone report */ +#define VIRTIO_BLK_MAX_ZONES_PER_BATCH 4096 + static void virtio_blk_ioeventfd_attach(VirtIOBlock *s); =20 static void virtio_blk_init_request(VirtIOBlock *s, VirtQueue *vq, 
@@ -447,15 +450,22 @@ err: return err_status; } =20 +typedef struct { + unsigned int total_nr_zones; /* max zones to fill in this request */ + unsigned int nr_zones_done; /* how many zones have been filled in = */ + int64_t iov_offset; /* current byte position in in_iov[] */ + int64_t offset; /* current zone report disk offset */ + unsigned int nr_zones; /* for zone report calls */ + unsigned int zones_per_batch; /* size of zone report buffer */ + BlockZoneDescriptor *zones; /* zone report buffer */ +} ZoneReportData; + typedef struct ZoneCmdData { VirtIOBlockReq *req; struct iovec *in_iov; unsigned in_num; union { - struct { - unsigned int nr_zones; - BlockZoneDescriptor *zones; - } zone_report_data; + ZoneReportData zone_report_data; struct { int64_t offset; } zone_append_data; @@ -512,16 +522,15 @@ static bool check_zoned_request(VirtIOBlock *s, int64= _t offset, int64_t len, static void virtio_blk_zone_report_complete(void *opaque, int ret) { ZoneCmdData *data =3D opaque; + ZoneReportData *zrd =3D &data->zone_report_data; VirtIOBlockReq *req =3D data->req; VirtIODevice *vdev =3D VIRTIO_DEVICE(req->dev); struct iovec *in_iov =3D data->in_iov; unsigned in_num =3D data->in_num; - int64_t zrp_size, n, j =3D 0; - int64_t nz =3D data->zone_report_data.nr_zones; + int64_t n; + unsigned nz =3D zrd->nr_zones; int8_t err_status =3D VIRTIO_BLK_S_OK; - struct virtio_blk_zone_report zrp_hdr =3D (struct virtio_blk_zone_repo= rt) { - .nr_zones =3D cpu_to_le64(nz), - }; + struct virtio_blk_zone_report zrp_hdr =3D {}; =20 trace_virtio_blk_zone_report_complete(vdev, req, nz, ret); if (ret) { 
@@ -529,28 +538,18 @@ static void virtio_blk_zone_report_complete(void *opa= que, int ret) goto out; } =20 - zrp_size =3D sizeof(struct virtio_blk_zone_report) - + sizeof(struct virtio_blk_zone_descriptor) * nz; - n =3D iov_from_buf(in_iov, in_num, 0, &zrp_hdr, sizeof(zrp_hdr)); - if (n !=3D sizeof(zrp_hdr)) { - virtio_error(vdev, "Driver provided input buffer that is too small= !"); - err_status =3D VIRTIO_BLK_S_ZONE_INVALID_CMD; - goto out; - } - - for (size_t i =3D sizeof(zrp_hdr); i < zrp_size; - i +=3D sizeof(struct virtio_blk_zone_descriptor), ++j) { + for (unsigned j =3D 0; j < nz; j++) { struct virtio_blk_zone_descriptor desc =3D (struct virtio_blk_zone_descriptor) { - .z_start =3D cpu_to_le64(data->zone_report_data.zones[j].s= tart + .z_start =3D cpu_to_le64(zrd->zones[j].start >> BDRV_SECTOR_BITS), - .z_cap =3D cpu_to_le64(data->zone_report_data.zones[j].cap + .z_cap =3D cpu_to_le64(zrd->zones[j].cap >> BDRV_SECTOR_BITS), - .z_wp =3D cpu_to_le64(data->zone_report_data.zones[j].wp + .z_wp =3D cpu_to_le64(zrd->zones[j].wp >> BDRV_SECTOR_BITS), }; =20 - switch (data->zone_report_data.zones[j].type) { + switch (zrd->zones[j].type) { case BLK_ZT_CONV: desc.z_type =3D VIRTIO_BLK_ZT_CONV; break; @@ -564,7 +563,7 @@ static void virtio_blk_zone_report_complete(void *opaqu= e, int ret) g_assert_not_reached(); } =20 - switch (data->zone_report_data.zones[j].state) { + switch (zrd->zones[j].state) { case BLK_ZS_RDONLY: desc.z_state =3D VIRTIO_BLK_ZS_RDONLY; break; 
@@ -594,18 +593,47 @@ static void virtio_blk_zone_report_complete(void *opa= que, int ret) } =20 /* TODO: it takes O(n^2) time complexity. Optimizations required. = */ - n =3D iov_from_buf(in_iov, in_num, i, &desc, sizeof(desc)); + n =3D iov_from_buf(in_iov, in_num, zrd->iov_offset, &desc, sizeof(= desc)); if (n !=3D sizeof(desc)) { virtio_error(vdev, "Driver provided input buffer " "for descriptors that is too small!"); err_status =3D VIRTIO_BLK_S_ZONE_INVALID_CMD; + goto out; } + + zrd->iov_offset +=3D sizeof(desc); + } + + if (nz > 0) { + BlockZoneDescriptor *zone =3D &zrd->zones[nz - 1]; + zrd->offset =3D zone->start + zone->length; + } + + zrd->nr_zones_done +=3D nz; + + /* Call zone report again if the end hasn't been reached yet */ + if (nz =3D=3D zrd->zones_per_batch && + zrd->nr_zones_done < zrd->total_nr_zones) { + zrd->nr_zones =3D MIN(zrd->zones_per_batch, + zrd->total_nr_zones - zrd->nr_zones_done); + blk_aio_zone_report(req->dev->blk, zrd->offset, &zrd->nr_zones, + zrd->zones, virtio_blk_zone_report_complete, d= ata); + return; + } + + /* Fill in header now that all zones have been reported */ + zrp_hdr.nr_zones =3D cpu_to_le64(zrd->nr_zones_done); + n =3D iov_from_buf(in_iov, in_num, 0, &zrp_hdr, sizeof(zrp_hdr)); + if (n !=3D sizeof(zrp_hdr)) { + virtio_error(vdev, "Driver provided input buffer that is too small= !"); + err_status =3D VIRTIO_BLK_S_ZONE_INVALID_CMD; + goto out; } =20 out: virtio_blk_req_complete(req, err_status); g_free(req); - g_free(data->zone_report_data.zones); + g_free(zrd->zones); g_free(data); } =20 @@ -617,7 +645,8 @@ static void virtio_blk_handle_zone_report(VirtIOBlockRe= q *req, VirtIODevice *vdev =3D VIRTIO_DEVICE(s); unsigned int nr_zones; ZoneCmdData *data; - int64_t zone_size, offset; + ZoneReportData *zrd; + int64_t offset; uint8_t err_status; =20 if (req->in_len < sizeof(struct virtio_blk_inhdr) + 
@@ -639,16 +668,21 @@ static void virtio_blk_handle_zone_report(VirtIOBlock= Req *req, trace_virtio_blk_handle_zone_report(vdev, req, offset >> BDRV_SECTOR_BITS, nr_zon= es); =20 - zone_size =3D sizeof(BlockZoneDescriptor) * nr_zones; data =3D g_malloc(sizeof(ZoneCmdData)); data->req =3D req; data->in_iov =3D in_iov; data->in_num =3D in_num; - data->zone_report_data.nr_zones =3D nr_zones; - data->zone_report_data.zones =3D g_malloc(zone_size), =20 - blk_aio_zone_report(s->blk, offset, &data->zone_report_data.nr_zones, - data->zone_report_data.zones, + zrd =3D &data->zone_report_data; + zrd->total_nr_zones =3D nr_zones; + zrd->nr_zones_done =3D 0; + zrd->iov_offset =3D sizeof(struct virtio_blk_zone_report); + zrd->offset =3D offset; + zrd->zones_per_batch =3D MIN(nr_zones, VIRTIO_BLK_MAX_ZONES_PER_BATCH); + zrd->zones =3D g_malloc(zrd->zones_per_batch * sizeof(BlockZoneDescrip= tor)); + + zrd->nr_zones =3D zrd->zones_per_batch; + blk_aio_zone_report(s->blk, offset, &zrd->nr_zones, zrd->zones, virtio_blk_zone_report_complete, data); return; out: --=20 2.47.3
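Review bot: The re-issue condition in virtio_blk_zone_report_complete(), `nz == zrd->zones_per_batch && zrd->nr_zones_done < zrd->total_nr_zones`, treats any short batch as the end of the device, so it relies on blk_aio_zone_report() always filling the buffer when more zones remain; a comment stating that assumption would make the termination rule explicit. When a later batch fails (`ret` non-zero) or a descriptor does not fit, the request completes with an error after earlier descriptors have already been copied into in_iov and before the header is written, which is worth a sentence in the comment above the header write. In virtio_blk_handle_zone_report(), `g_malloc(zrd->zones_per_batch * sizeof(BlockZoneDescriptor))` could be `g_new(BlockZoneDescriptor, zrd->zones_per_batch)`, and the comment on VIRTIO_BLK_MAX_ZONES_PER_BATCH could say that it bounds the host allocation regardless of the guest-supplied nr_zones.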
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Bernhard Beschow, Philippe Mathieu-Daudé, Akihiko Odaki, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 066/117] util/cutils: Fix heap corruption under Windows
Date: Tue, 12 May 2026 23:54:08 +0300
Message-ID: <20260512205503.361097-66-mjt@tls.msk.ru>

From: Bernhard Beschow

Under Windows, QEMU would only sporadically start successfully. In the G_OS_WIN32 case, get_relocated_path() first determines a cursor to the end of the "result" string and then increases its size with g_string_set_size(). Since g_string_set_size() may reallocate, the cursor may become dangling. Windows may detect this and crash the QEMU process with the following message:

HEAP: Free Heap block 000000000499B640 modified at 000000000499B684 after it was freed

Furthermore, QEMU crashes spontaneously, even long after the guest has booted. For example, it presumably crashes due to the guest setting a new cursor icon which may be a result of the heap corruption.

Fix this by determining the cursor on the resized string.

Fixes: cf60ccc3306c ("cutils: Introduce bundle mechanism")
Cc: qemu-stable@nongnu.org
Signed-off-by: Bernhard Beschow
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Akihiko Odaki
Message-id: 20260414114033.2360-1-shentey@gmail.com
Signed-off-by: Peter Maydell
(cherry picked from commit f1b1db98cc3b7212d7efffab516d38d0a913f432)
Signed-off-by: Michael Tokarev
diff --git a/util/cutils.c b/util/cutils.c index 9803f11a59..76a9442085 100644 --- a/util/cutils.c +++ b/util/cutils.c
@@ -1165,9 +1165,10 @@ char *get_relocated_path(const char *dir) =20 PCWSTR wdir_skipped_root; if (PathCchSkipRoot(wdir, &wdir_skipped_root) =3D=3D S_OK) { + char *cursor; size =3D wcsrtombs(NULL, &wdir_skipped_root, 0, &(mbstate_t){0= }); - char *cursor =3D result->str + result->len; g_string_set_size(result, result->len + size); + cursor =3D result->str + result->len - size; wcsrtombs(cursor, &wdir_skipped_root, size + 1, &(mbstate_t){0= }); } else { g_string_append(result, dir); --=20 2.47.3
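Review bot: the first wcsrtombs() call in the PathCchSkipRoot() branch can return (size_t)-1 when the wide path contains a character that cannot be converted in the current locale, and size goes unchecked into g_string_set_size(result, result->len + size) and then into the cursor arithmetic. Please test size against (size_t)-1 before resizing and either fall back to g_string_append(result, dir) or report an error. A one-line comment saying that cursor is computed after g_string_set_size() because the resize may move result->str would also keep the ordering from being undone later.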
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Werner de Carne, Marc-André Lureau, Michael Tokarev
Subject: [Stable-10.2.3 067/117] serial COM: windows serial COM PollingFunc don't sleep
Date: Tue, 12 May 2026 23:54:09 +0300
Message-ID: <20260512205503.361097-67-mjt@tls.msk.ru>

From: Werner de Carne

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1802
Signed-off-by: Werner de Carne
[ Marc-André - indentation fixes ]
Signed-off-by: Marc-André Lureau
Message-ID: <20230807201443.2668-1-werner@carne.de>
(cherry picked from commit 7437b3eab6af1d31bb7fdfb3ac4e0a4de6ada50b)
Signed-off-by: Michael Tokarev

diff --git a/chardev/char-win.c b/chardev/char-win.c index fef45e83aa..e194242c9f 100644 --- a/chardev/char-win.c +++ b/chardev/char-win.c
@@ -28,7 +28,7 @@ #include "qapi/error.h" #include "chardev/char-win.h" =20 -static void win_chr_read(Chardev *chr, DWORD len) +static int win_chr_read(Chardev *chr, DWORD len) { WinChardev *s =3D WIN_CHARDEV(chr); int max_size =3D qemu_chr_be_can_write(chr); @@ -40,7 +40,7 @@ static void win_chr_read(Chardev *chr, DWORD len) len =3D max_size; } if (len =3D=3D 0) { - return; + return 0; } =20 ZeroMemory(&s->orecv, sizeof(s->orecv)); @@ -56,6 +56,8 @@ static void win_chr_read(Chardev *chr, DWORD len) if (size > 0) { qemu_chr_be_write(chr, buf, size); } + + return size > 0 ? 1 : 0; } =20 static int win_chr_serial_poll(void *opaque) @@ -67,8 +69,9 @@ static int win_chr_serial_poll(void *opaque) =20 ClearCommError(s->file, &comerr, &status); if (status.cbInQue > 0) { - win_chr_read(chr, status.cbInQue); - return 1; + if (win_chr_read(chr, status.cbInQue)) { + return 1; + } } return 0; } 
@@ -147,8 +150,9 @@ int win_chr_pipe_poll(void *opaque) =20 PeekNamedPipe(s->file, NULL, 0, NULL, &size, NULL); if (size > 0) { - win_chr_read(chr, size); - return 1; + if (win_chr_read(chr, size)) { + return 1; + } } return 0; } --=20 2.47.3
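Review bot: win_chr_read() now returns 0 for two different conditions, the early return when len == 0 and the final "size > 0 ? 1 : 0", and neither the function nor the commit message, which has no body, says what the callers should infer from that. Please add a short comment above win_chr_read() stating that a non-zero return means data was delivered to the backend, and a sentence in the commit message explaining why reporting 1 from the poll functions without delivering data caused the problem in the linked issue.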
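Review bot: in win_chr_pipe_poll() the result of PeekNamedPipe() is not checked before size is tested, and win_chr_serial_poll() does the same with ClearCommError() and status.cbInQue, so a failed call leaves the poll decision resting on whatever the variable held. Since both paths now treat "nothing delivered" as return 0, checking the BOOL result and returning 0 on failure would fit this change. The nested if could also be collapsed into a single condition, "if (size > 0 && win_chr_read(chr, size))".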
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, GuoHan Zhao, Marc-André Lureau, Michael Tokarev
Subject: [Stable-10.2.3 068/117] ui/spice-app: detect runtime directory creation failures
Date: Tue, 12 May 2026 23:54:10 +0300
Message-ID: <20260512205503.361097-68-mjt@tls.msk.ru>

From: GuoHan Zhao

spice_app_display_early_init() creates the per-VM runtime directory with g_mkdir_with_parents() before setting up the Spice socket. The code checks for "< -1", but g_mkdir_with_parents() returns -1 on failure, so the error path is never taken.

This lets spice-app continue after a directory creation failure and defers the problem to later setup steps.

Check for "< 0" instead so the failure is reported immediately and spice-app exits before using an invalid runtime directory.

Fixes: d8aec9d9f129 ("display: add -display spice-app launching a Spice client")
Signed-off-by: GuoHan Zhao
Reviewed-by: Marc-André Lureau
Message-ID: <20260408031725.641417-1-zhaoguohan@kylinos.cn>
(cherry picked from commit 52cf667ed2285aa2d08db6abed46cdba5c14f9aa)
Signed-off-by: Michael Tokarev

diff --git a/ui/spice-app.c b/ui/spice-app.c index 24f78f305c..6abea0d5b6 100644 --- a/ui/spice-app.c +++ b/ui/spice-app.c
@@ -153,7 +153,7 @@ static void spice_app_display_early_init(DisplayOptions= *opts) if (qemu_name) { app_dir =3D g_build_filename(g_get_user_runtime_dir(), "qemu", qemu_name, NULL); - if (g_mkdir_with_parents(app_dir, S_IRWXU) < -1) { + if (g_mkdir_with_parents(app_dir, S_IRWXU) < 0) { error_report("Failed to create directory %s: %s", app_dir, strerror(errno)); exit(1); --=20 2.47.3
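Review bot: with the comparison fixed, the check on g_mkdir_with_parents(app_dir, S_IRWXU) still only covers creation failure, because the call returns 0 when app_dir already exists and the S_IRWXU mode is applied only to directories it creates. Since the commit message says the Spice socket is set up in this directory, consider verifying after the call that app_dir is a directory owned by the current user with no group or other permission bits, and taking the same error_report()/exit(1) path otherwise.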
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Marc-André Lureau, Daniel P. Berrangé, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.3 069/117] ui/console-vc: fix off-by-one in CSI J 2 (clear entire screen)
Date: Tue, 12 May 2026 23:54:11 +0300
Message-ID: <20260512205503.361097-69-mjt@tls.msk.ru>

From: Marc-André Lureau

The loop condition used `y <= s->height` instead of `y < s->height`, causing vc_clear_xy() to be called with y == s->height. This clears a row in the scrollback buffer beyond the visible screen.

Reviewed-by: Daniel P. Berrangé
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Marc-André Lureau
(cherry picked from commit 181fdf8a7e13c0460a26777ff9301e0ecdca3784)
Signed-off-by: Michael Tokarev
diff --git a/ui/console-vc.c b/ui/console-vc.c index 830842064d..6b9d643a24 100644 --- a/ui/console-vc.c +++ b/ui/console-vc.c 
@@ -899,7 +899,7 @@ static void vc_putchar(VCChardev *vc, int ch) break; case 2: /* clear entire screen */ - for (y =3D 0; y <=3D s->height; y++) { + for (y =3D 0; y < s->height; y++) { for (x =3D 0; x < s->width; x++) { vc_clear_xy(vc, x, y); } --=20 2.47.3
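Review bot: the bound is corrected only at this one loop in case 2, while the commit message says vc_clear_xy() accepted y == s->height and cleared a scrollback row, so the callee itself does not reject an out-of-range row. An assertion or early return for x >= s->width or y >= s->height inside vc_clear_xy() would catch the next loop that slips, and the sibling CSI J cases in this switch, which are outside the hunk, deserve the same look at their upper bounds.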
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Pierrick Bouvier, Richard Henderson, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 070/117] target/arm/tcg/translate.c: remove MO_TE usage
Date: Tue, 12 May 2026 23:54:12 +0300
Message-ID: <20260512205503.361097-70-mjt@tls.msk.ru>

From: Pierrick Bouvier

dc->be_data is already set just above in the same function:
```
dc->be_data = EX_TBFLAG_ANY(tb_flags, BE_DATA) ? MO_BE : MO_LE;
```

Cc: qemu-stable@nongnu.org
Fixes: a729a46b05a ("target/arm: Add wrapper macros for accessing tbflags")
Reviewed-by: Richard Henderson
Signed-off-by: Pierrick Bouvier
Message-id: 20260407222208.271838-12-pierrick.bouvier@linaro.org
Signed-off-by: Peter Maydell
(cherry picked from commit 027ad866bd2984a8fc50b41d235aabf14711df3e)
Signed-off-by: Michael Tokarev
diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c index 63735d9789..0a92300f9b 100644 --- a/target/arm/tcg/translate.c +++ b/target/arm/tcg/translate.c 
@@ -6327,7 +6327,6 @@ static void arm_tr_init_disas_context(DisasContextBas= e *dcbase, CPUState *cs) =20 if (arm_feature(env, ARM_FEATURE_M)) { dc->vfp_enabled =3D 1; - dc->be_data =3D MO_TE; dc->v7m_handler_mode =3D EX_TBFLAG_M32(tb_flags, HANDLER); dc->v8m_secure =3D EX_TBFLAG_M32(tb_flags, SECURE); dc->v8m_stackcheck =3D EX_TBFLAG_M32(tb_flags, STACKCHECK); --=20 2.47.3
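Review bot: the commit message presents the removal of "dc->be_data = MO_TE;" as dropping a redundant assignment, but inside the ARM_FEATURE_M branch that line overrode the earlier tb_flags-derived value, so M-profile data endianness now follows BE_DATA rather than the build-time target endianness. With Fixes: and Cc: qemu-stable on it, the message should say that this is a behaviour change for M-profile and which case it corrects, so a stable reviewer does not read it as a pure cleanup.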
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Marc-André Lureau, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.2.3 071/117] target/i386: fix strList leak in x86_cpu_get_unavailable_features
Date: Tue, 12 May 2026 23:54:13 +0300
Message-ID: <20260512205503.361097-71-mjt@tls.msk.ru>

From: Marc-André Lureau

The result list built by x86_cpu_list_feature_names() was never freed after being visited, causing a memory leak detected by ASan.

(the getter visitor is VISITOR_OUTPUT kind and doesn't own data)

Fixes: 506174bf8219 ("i386: "unavailable-features" QOM property")
Signed-off-by: Marc-André Lureau
Link: https://lore.kernel.org/r/20260413125040.3842686-1-marcandre.lureau@redhat.com
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini
(cherry picked from commit 87e1226e6f6844845ac407d50198d84205e7ed7f)
Signed-off-by: Michael Tokarev

diff --git a/target/i386/cpu.c b/target/i386/cpu.c index fca6238f55..be9d25a73a 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c
@@ -7275,6 +7275,7 @@ static void x86_cpu_get_unavailable_features(Object *= obj, Visitor *v, =20 x86_cpu_list_feature_names(xc->filtered_features, &result); visit_type_strList(v, "unavailable-features", &result, errp); + qapi_free_strList(result); } =20 /* Print all cpuid feature names in featureset --=20 2.47.3
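Review bot: the added qapi_free_strList(result) after visit_type_strList() is only safe if result is initialised to NULL at its declaration, which is outside the hunk, because x86_cpu_list_feature_names() fills the list through &result and may leave it untouched when no feature is filtered. Please confirm that, or declare it as "g_autoptr(strList) result = NULL;" so the list is released on every exit path without an explicit call.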
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Simon Scherer, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.2.3 072/117] target/i386: fix missing PF_INSTR in SIGSEGV context
Date: Tue, 12 May 2026 23:54:14 +0300
Message-ID: <20260512205503.361097-72-mjt@tls.msk.ru>

From: Simon Scherer

When running linux-user emulation, the SIGSEGV handler does not correctly set the 4th bit (PF_INSTR) in the error_code variable of the context argument (context->uc_mcontext.gregs[REG_ERR]).

Because this bit is never set, guest applications cannot distinguish if a fault was due to missing executable permissions.

This patch ensures that when a page fault occurs during an instruction fetch, the PF_INSTR flag is properly populated in the signal context.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3384
Signed-off-by: Simon Scherer
Link: https://lore.kernel.org/r/20260413115622.160212-1-scherer.simon89@gmail.com
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini
(cherry picked from commit 3eae91a8b93a35f194a39ab5b894ae405def9270)
Signed-off-by: Michael Tokarev

diff --git a/target/i386/tcg/user/excp_helper.c b/target/i386/tcg/user/excp= _helper.c index 98fab4cbc3..6c5df5e0e8 100644 --- a/target/i386/tcg/user/excp_helper.c +++ b/target/i386/tcg/user/excp_helper.c
@@ -36,9 +36,10 @@ void x86_cpu_record_sigsegv(CPUState *cs, vaddr addr, * signal and set exception_index to EXCP_INTERRUPT. */ env->cr[2] =3D addr; - env->error_code =3D ((access_type =3D=3D MMU_DATA_STORE) << PG_ERROR_W= _BIT) - | (maperr ? 0 : PG_ERROR_P_MASK) - | PG_ERROR_U_MASK; + env->error_code =3D (maperr ? 0 : PG_ERROR_P_MASK) + | ((access_type =3D=3D MMU_DATA_STORE) << PG_ERROR_W_B= IT) + | PG_ERROR_U_MASK + | ((access_type =3D=3D MMU_INST_FETCH) ? PG_ERROR_I_D_= MASK : 0); cs->exception_index =3D EXCP0E_PAGE; =20 /* Disable do_interrupt_user. */ --=20 2.47.3
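Review bot: the new last term of the error_code expression sets PG_ERROR_I_D_MASK for every MMU_INST_FETCH fault with no further condition, and the comment above it only describes the signal path; please add a line saying whether reporting the I/D bit unconditionally is the intended model for user-mode emulation, so a later reader does not try to gate it on guest state. The W term still builds its bit by shifting a boolean by PG_ERROR_W_BIT while the new term uses a ternary on a mask; using one form for both would read more consistently. The reordering of the P and W terms is cosmetic and makes the stable backport diff larger than the one functional line.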
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Paolo Bonzini, Richard Henderson, Michael Tokarev
Subject: [Stable-10.2.3 073/117] target/i386/tcg: fix decoding of MOVBE and CRC32 in 16-bit mode
Date: Tue, 12 May 2026 23:54:15 +0300
Message-ID: <20260512205503.361097-73-mjt@tls.msk.ru>
From: Paolo Bonzini

Table A-4 of the SDM shows

                F0                  F1
    --------------------------------------------------------
    NP          MOVBE Gy,My         MOVBE My,Gy
    66          MOVBE Gw,Mw         MOVBW Mw,Gw
    F2          CRC32 Gd,Eb         CRC32 Gd,Ey
    66+F2       CRC32 Gd,Eb         CRC32 Gd,Ew

However, this is incorrect. Both MOVBE and (for 0xF1) CRC32 take Gv, Ev or Mv operands. In 16-bit mode therefore the operand is of 16-bit size without prefix and 32-bit mode with 0x66 (the data size override).

For example, with NASM you get:

    bits 16
    67 0F 38 F0 02          movbe ax, [edx]
    66 67 0F 38 F0 02       movbe eax, [edx]
    67 F2 0F 38 F1 02       crc32 ax, word [edx]
    66 67 F2 0F 38 F1 02    crc32 eax, dword [edx]

versus

    bits 32
    66 0F 38 F0 02          movbe ax, [edx]
    0F 38 F0 02             movbe eax, [edx]
    66 F2 0F 38 F1 02       crc32 eax, word [edx]
    F2 0F 38 F1 02          crc32 eax, dword [edx]

The instruction is listed correctly in the APX documentation as "SCALABLE" (which means it has v-size operands).

Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson
Signed-off-by: Paolo Bonzini
(cherry picked from commit 76ad26dd172d27aae9f1e76d1165b497167c36c2)
Signed-off-by: Michael Tokarev
diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.= c.inc index 0462429cf1..999362f213 100644 --- a/target/i386/tcg/decode-new.c.inc +++ b/target/i386/tcg/decode-new.c.inc
@@ -751,19 +751,23 @@ static const X86OpEntry opcodes_0F38_00toEF[240] =3D { =20 /* five rows for no prefix, 66, F3, F2, 66+F2 */ static const X86OpEntry opcodes_0F38_F0toFF[16][5] =3D { + /* + * MOVBE and CRC32 are incorrectly listed as always doing 32-bit opera= tion + * without prefix and 16-bit operation with 0x66. + */ [0] =3D { - X86_OP_ENTRYwr(MOVBE, G,y, M,y, cpuid(MOVBE)), - X86_OP_ENTRYwr(MOVBE, G,w, M,w, cpuid(MOVBE)), + X86_OP_ENTRYwr(MOVBE, G,v, M,v, cpuid(MOVBE)), + X86_OP_ENTRYwr(MOVBE, G,v, M,v, cpuid(MOVBE)), {}, X86_OP_ENTRY2(CRC32, G,d, E,b, cpuid(SSE42)), X86_OP_ENTRY2(CRC32, G,d, E,b, cpuid(SSE42)), }, [1] =3D { - X86_OP_ENTRYwr(MOVBE, M,y, G,y, cpuid(MOVBE)), - X86_OP_ENTRYwr(MOVBE, M,w, G,w, cpuid(MOVBE)), + X86_OP_ENTRYwr(MOVBE, M,v, G,v, cpuid(MOVBE)), + X86_OP_ENTRYwr(MOVBE, M,v, G,v, cpuid(MOVBE)), {}, - X86_OP_ENTRY2(CRC32, G,d, E,y, cpuid(SSE42)), - X86_OP_ENTRY2(CRC32, G,d, E,w, cpuid(SSE42)), + X86_OP_ENTRY2(CRC32, G,d, E,v, cpuid(SSE42)), + X86_OP_ENTRY2(CRC32, G,d, E,v, cpuid(SSE42)), }, [2] =3D { X86_OP_ENTRY3(ANDN, G,y, B,y, E,y, vex13 cpuid(BMI1)), --=20 2.47.3
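Review bot: the comment added above row [0] says MOVBE and CRC32 are "incorrectly listed" but not where (the commit message names Table A-4 of the SDM) nor what the decoder does instead; naming the table and stating that the no-prefix and 0x66 columns deliberately carry the same v-size entry would keep a later cleanup from changing the duplicated rows back to y/w. The CRC32 entries keep G,d as the destination, whereas the 16-bit NASM listing in the commit message shows "crc32 ax, word [edx]"; please confirm whether that listing line is a typo or whether the destination operand also needs attention. The diff touches only decode-new.c.inc, so a 16-bit-mode test for the four encodings listed in the commit message would be a useful follow-up.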
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Stepan Popov, Alex Bennée, Marc-André Lureau, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.2.3 074/117] meson: add missing semicolon in pthread_condattr_setclock test
Date: Tue, 12 May 2026 23:54:16 +0300
Message-ID: <20260512205503.361097-74-mjt@tls.msk.ru>

From: Stepan Popov

The test code was missing a semicolon after the pthread_condattr_t variable declaration.

Signed-off-by: Stepan Popov
Reviewed-by: Alex Bennée
Fixes: 657ac98b58c ("thread-posix: use monotonic clock for QemuCond and QemuSemaphore", 2022-02-22)
Reviewed-by: Marc-André Lureau
Link: https://lore.kernel.org/r/20260330131406.87080-1-Stepan.Popov@kaspersky.com
Signed-off-by: Paolo Bonzini
(cherry picked from commit 79bc1771867723cb70dac0fae8f2c26fda1a635d)
Signed-off-by: Michael Tokarev
diff --git a/meson.build b/meson.build index 5c8fa456e9..5ba29bc07d 100644 --- a/meson.build +++ b/meson.build
@@ -2887,7 +2887,7 @@ config_host_data.set('CONFIG_PTHREAD_CONDATTR_SETCLOC= K', cc.links(osdep_prefix + =20 int main(void) { - pthread_condattr_t attr + pthread_condattr_t attr; pthread_condattr_init(&attr); pthread_condattr_setclock(&attr, CLOCK_MONOTONIC); return 0; --=20 2.47.3
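Review bot: with the semicolon added on the pthread_condattr_t line, this cc.links() probe can compile for the first time, so CONFIG_PTHREAD_CONDATTR_SETCLOCK changes from never being enabled to being enabled on hosts that provide pthread_condattr_setclock; the commit message describes only the missing semicolon and should say that the code guarded by this symbol (per the Fixes: tag, the monotonic-clock QemuCond/QemuSemaphore change from 2022) becomes active in the stable build. A short note on which hosts were built and run with the symbol defined would help whoever reviews this for 10.2.3.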
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Alex Bennée, Manos Pitsidianakis, Dmitry Osipenko, Michael Tokarev
Subject: [Stable-10.2.3 075/117] hw/display: don't accidentally autofree existing virgl resources
Date: Tue, 12 May 2026 23:54:17 +0300
Message-ID: <20260512205503.361097-75-mjt@tls.msk.ru>
From: Alex Bennée

While sanity checking a create blob operation the use of the auto freed res variable could lead to inadvertently freeing an existing blob. Avoid this by in-lining the virtio_gpu_virgl_find_resource() check as the value is not needed anyway.

While at it add a comment to the end and use g_steal_pointer to make it clearer the object lifetime exceeds the function bounds if we pass all the checks.

Fixes: CVE-2026-6502
Fixes: 7c092f17cce (virtio-gpu: Handle resource blob commands)
Message-ID: 20260417094443.785462-1-alex.bennee@linaro.org
Reviewed-by: Manos Pitsidianakis
Cc: qemu-stable@nongnu.org
Message-ID: <20260417122703.845442-1-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée
Reviewed-by: Dmitry Osipenko
(cherry picked from commit 30fad722ce68316d22b926ba0e6017f0440465df)
Signed-off-by: Michael Tokarev
diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c index 1129301d91..03f3235d14 100644 --- a/hw/display/virtio-gpu-virgl.c +++ b/hw/display/virtio-gpu-virgl.c @@ -712,8 +712,7 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g, return; } =20 - res =3D virtio_gpu_virgl_find_resource(g, cblob.resource_id); - if (res) { + if (virtio_gpu_virgl_find_resource(g, cblob.resource_id)) { qemu_log_mask(LOG_GUEST_ERROR, "%s: resource already exists %d\n", __func__, cblob.resource_id); cmd->error =3D VIRTIO_GPU_RESP_ERR_INVALID_RESOURCE_ID;
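Review bot: the duplicate-ID check in the first hunk now discards the lookup result, which keeps the borrowed pointer out of `res`, but nothing at this spot records why; a short comment at the check saying that `res` is auto-freed and may only ever hold memory allocated by this function would document the invariant the CVE fix depends on and keep the old `res = find(...)` pattern from being reintroduced. The commit message should also say in one sentence which exit path freed the existing blob, since the hunk alone shows only the guest-error return.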
@@ -766,8 +765,9 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g, =20 res->base.dmabuf_fd =3D info.fd; =20 + /* Now live, cleaned up in virtio_gpu_virgl_resource_unref */ QTAILQ_INSERT_HEAD(&g->reslist, &res->base, next); - res =3D NULL; + g_steal_pointer(&res); } =20 static void virgl_cmd_resource_map_blob(VirtIOGPU *g, --=20 2.47.3
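Review bot: in the second hunk `g_steal_pointer(&res);` is used as a bare statement and its return value is dropped, so it behaves exactly like the `res = NULL;` it replaces; casting the result to void would make the deliberate discard explicit and keep static analysers from flagging an ignored return. The new comment names virtio_gpu_virgl_resource_unref as the cleanup path; it would be worth adding that the steal has to stay after QTAILQ_INSERT_HEAD, because that line still dereferences `res`.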
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Vladimir Sementsov-Ogievskiy, Fabiano Rosas, Peter Xu, Michael Tokarev
Subject: [Stable-10.2.3 076/117] migration: vmstate_save_state_v: fix double error_setg
Date: Tue, 12 May 2026 23:54:18 +0300
Message-ID: <20260512205503.361097-76-mjt@tls.msk.ru>

From: Vladimir Sementsov-Ogievskiy

We may call error_setg twice on same errp if inner vmstate_save_state_v() or vmstate_save_state() call fails. Next we will crash on assertion in error_setv().

Fixes: 848a0503422d043 "migration: Update error description outside migration.c"
Signed-off-by: Vladimir Sementsov-Ogievskiy
Reviewed-by: Fabiano Rosas
Reviewed-by: Peter Xu
Link: https://lore.kernel.org/qemu-devel/20260304212303.667141-2-vsementsov@yandex-team.ru
Signed-off-by: Fabiano Rosas
(cherry picked from commit d41ce10d0f5a3d6e497e4b75807a8e675033c597)
Signed-off-by: Michael Tokarev
diff --git a/migration/vmstate.c b/migration/vmstate.c index 4d28364f7b..fccd030dfd 100644 --- a/migration/vmstate.c +++ b/migration/vmstate.c @@ -539,6 +539,9 @@ int vmstate_save_state_v(QEMUFile *f, const VMStateDesc= ription *vmsd, } else { ret =3D inner_field->info->put(f, curr_elem, size, inner_field, vmdesc_loop); + if (ret < 0) { + error_setg(errp, "put failed"); + } } =20 written_bytes =3D qemu_file_transferred(f) - old_offset;
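Review bot: the new check after put() sets errp only when `ret < 0`, but the failure block in the next hunk is entered on `if (ret)` and calls error_prepend(), which expects an error to be set already; if a put() callback ever returns a positive non-zero value, errp is still empty when it is prepended to. Use `if (ret)` here as well, or state in a comment that put() only ever returns 0 or a negative value. The fixed text "put failed" also drops the return code; including `ret` in the message would help when reading migration failure logs.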
@@ -551,8 +554,8 @@ int vmstate_save_state_v(QEMUFile *f, const VMStateDesc= ription *vmsd, } =20 if (ret) { - error_setg(errp, "Save of field %s/%s failed", - vmsd->name, field->name); + error_prepend(errp, "Save of field %s/%s failed: ", + vmsd->name, field->name); if (vmsd->post_save) { vmsd->post_save(opaque); } --=20 2.47.3
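Review bot: switching to error_prepend() in the `if (ret)` block makes it depend on every failing branch above having filled errp, and only the put() branch is visible in this patch; please confirm that the nested vmstate_save_state_v() and vmstate_save_state() calls named in the commit message set errp on every non-zero return, or add a fallback that sets an error when none is present before prepending. A one-line comment above the error_prepend() call stating that requirement would make the contract visible to the next person who adds a branch.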
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Thomas Huth, Peter Maydell, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.3 077/117] hw/misc: Fix the valid access size to the avr-power device
Date: Tue, 12 May 2026 23:54:19 +0300
Message-ID: <20260512205503.361097-77-mjt@tls.msk.ru>

From: Thomas Huth

Accessing the device in non-single byte mode currently causes QEMU to abort:

 $ echo "writew 0x800064 0x4142" | \
   ./qemu-system-avr -M mega2560 -display none -qtest stdio -accel qtest
 [I 0.000000] OPENED
 [R +0.001784] writew 0x800064 0x4142
 qemu-system-avr: ../../devel/qemu/hw/misc/avr_power.c:58: avr_mask_write: Assertion `offset == 0' failed.
 Aborted (core dumped)

Set the valid max access size to 1 to fix the problem.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3393
Signed-off-by: Thomas Huth
Reviewed-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Message-ID: <20260421082935.85995-1-thuth@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit c0306d2b8f45a708f7ab45c846bb24851d6e17f2)
Signed-off-by: Michael Tokarev
diff --git a/hw/misc/avr_power.c b/hw/misc/avr_power.c index 411f016c99..9a8fc24cf6 100644 --- a/hw/misc/avr_power.c +++ b/hw/misc/avr_power.c
@@ -73,6 +73,9 @@ static const MemoryRegionOps avr_mask_ops =3D { .impl =3D { .max_access_size =3D 1, }, + .valid =3D { + .max_access_size =3D 1, + }, }; =20 static void avr_mask_init(Object *dev) --=20 2.47.3
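Review bot: the added `.valid` block sets only `.max_access_size`, so with `.impl` at the same value a 2- or 4-byte guest access is now refused by the memory core rather than split into byte accesses; please say in the commit message or in a comment next to `.valid` that rejecting wider accesses, not splitting them, is the intended behaviour for this register. The commit message already contains a one-line qtest reproducer for the `offset == 0` assertion, and adding it as a regression test would keep the guest-triggerable abort from coming back.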
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Thomas Huth , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-10.2.3 078/117] hw/sh4/sh7750: Remove forgotten abort() in the MM_ITLB_DATA handler Date: Tue, 12 May 2026 23:54:20 +0300 Message-ID: <20260512205503.361097-78-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620829900158500 
From: Thomas Huth

QEMU currently aborts when the guest writes to the MM_ITLB_DATA register:

  echo "writel 0xf3000000 0x11223344" | \
    ./qemu-system-sh4 -M r2d -display none -accel qtest -qtest stdio
  [I 0.000000] OPENED
  [R +0.004476] writel 0xf3000000 0x11223344
  Aborted (core dumped)

Looking at the history of the code, the abort() here has likely just been forgotten when the register handler had been implemented (it used to be a reminder about unimplemented functionality initially):

  https://gitlab.com/qemu-project/qemu/-/commit/9f97309a70f12df5f9104f1f

Thus simply remove the abort() now to get rid of the problem.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3420
Signed-off-by: Thomas Huth
Reviewed-by: Philippe Mathieu-Daudé
Message-ID: <20260422075429.341409-1-thuth@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit 3ab47a47d716f8f2b7686cc06c8312db2e6fc2d4)
Signed-off-by: Michael Tokarev

diff --git a/hw/sh4/sh7750.c b/hw/sh4/sh7750.c index 300eabc595..ba75392e11 100644 --- a/hw/sh4/sh7750.c +++ b/hw/sh4/sh7750.c
@@ -687,7 +687,6 @@ static void sh7750_mmct_write(void *opaque, hwaddr addr, break; case MM_ITLB_DATA: cpu_sh4_write_mmaped_itlb_data(&s->cpu->env, addr, mem_value); - abort(); break; case MM_OCACHE_ADDR: case MM_OCACHE_DATA: --=20 2.47.3
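Review bot: the removal at case MM_ITLB_DATA in sh7750_mmct_write() lands without a regression test, although the commit message already carries a one-line qtest reproducer (writel 0xf3000000 0x11223344 on -M r2d); turning that into a qtest case would keep a guest-reachable abort() from coming back. With the abort() gone, a guest write now continues normally after cpu_sh4_write_mmaped_itlb_data(&s->cpu->env, addr, mem_value), so it is worth confirming that the helper bounds whatever ITLB index it derives from addr, and that the neighbouring MM_OCACHE_ADDR / MM_OCACHE_DATA cases carry no similar leftover.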
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Matt Turner, Peter Maydell, Helge Deller, Michael Tokarev
Subject: [Stable-10.2.3 079/117] linux-user/ppc: Fix ppc64 rt_sigframe stack offset
Date: Tue, 12 May 2026 23:54:21 +0300
Message-ID: <20260512205503.361097-79-mjt@tls.msk.ru>
From: Matt Turner

The kernel's 64-bit signal delivery (signal_64.c) uses:

  newsp = frame - __SIGNAL_FRAMESIZE

while the 32-bit path (signal_32.c) uses:

  newsp = frame - (__SIGNAL_FRAMESIZE + 16)

The extra 16 bytes in the 32-bit case is to place siginfo and ucontext at the same offsets as older kernels (see the comment in signal_32.c). The 64-bit rt_sigframe starts with ucontext directly and does not need this adjustment.

QEMU's setup_rt_frame() unconditionally used (SIGNAL_FRAMESIZE + 16) for both 32-bit and 64-bit, placing the handler's SP 16 bytes too low on ppc64. Signal delivery and return still worked because do_rt_sigreturn had the matching wrong offset, but the vDSO DWARF unwind info encodes the correct kernel offset. This caused any DWARF unwinder (libunwind, libgcc, etc.) to compute a CFA that is 16 bytes off, reading garbage register values from the signal frame.

Define RT_SIGFRAME_ADJUST (0 on ppc64, 16 on ppc32) and use it in both setup_rt_frame and do_rt_sigreturn to match the kernel.

This was verified by A/B testing with libunwind's test suite:

  ppc64le: Gtest-bt, Ltest-bt, Gtest-concurrent, Ltest-concurrent, and Ltest-sig-context all change from FAIL to PASS.
  ppc64be: Gtest-bt, Ltest-bt, and Ltest-sig-context all change from FAIL to PASS.

Signed-off-by: Matt Turner
Reviewed-by: Peter Maydell
Signed-off-by: Helge Deller
Cc: qemu-stable@nongnu.org
(cherry picked from commit 654dce6c523612d38e8d53818dbc7c03cbe535a3)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/ppc/signal.c b/linux-user/ppc/signal.c index 24e5a02a78..a9c10e0987 100644 --- a/linux-user/ppc/signal.c +++ b/linux-user/ppc/signal.c
@@ -210,6 +210,18 @@ QEMU_BUILD_BUG_ON(offsetof(struct target_rt_sigframe, = uc.tuc_mcontext) =20 #endif =20 +#ifdef TARGET_PPC64 +#define RT_SIGFRAME_ADJUST 0 +#else +/* + * For 32-bit rt sigframes we have an extra 16 bytes of gap + * on top of __SIGNAL_FRAMESIZE; this is to get the siginfo + * and ucontext in the same positions as in older kernels. + * See Linux's arch/powerpc/kernel/signal_32.c. + */ +#define RT_SIGFRAME_ADJUST 16 +#endif + #if defined(TARGET_PPC64) =20 struct target_func_ptr { @@ -525,7 +537,7 @@ void setup_rt_frame(int sig, struct target_sigaction *k= a, env->fpscr =3D 0; =20 /* Create a stack frame for the caller of the handler. */ - newsp =3D rt_sf_addr - (SIGNAL_FRAMESIZE + 16); + newsp =3D rt_sf_addr - (SIGNAL_FRAMESIZE + RT_SIGFRAME_ADJUST); err |=3D put_user(env->gpr[1], newsp, target_ulong); =20 if (err) 
@@ -641,7 +653,7 @@ long do_rt_sigreturn(CPUPPCState *env) struct target_rt_sigframe *rt_sf =3D NULL; target_ulong rt_sf_addr; =20 - rt_sf_addr =3D env->gpr[1] + SIGNAL_FRAMESIZE + 16; + rt_sf_addr =3D env->gpr[1] + SIGNAL_FRAMESIZE + RT_SIGFRAME_ADJUST; if (!lock_user_struct(VERIFY_READ, rt_sf, rt_sf_addr, 1)) goto sigsegv; =20 --=20 2.47.3
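Review bot: RT_SIGFRAME_ADJUST is documented only on its 32-bit branch; the "#define RT_SIGFRAME_ADJUST 0" under TARGET_PPC64 deserves a one-line comment saying that the 64-bit rt_sigframe starts with ucontext directly (the commit message points at signal_64.c), so the 0 does not read as an omission. The two users also spell the gap differently, "rt_sf_addr - (SIGNAL_FRAMESIZE + RT_SIGFRAME_ADJUST)" in setup_rt_frame() and "env->gpr[1] + SIGNAL_FRAMESIZE + RT_SIGFRAME_ADJUST" in do_rt_sigreturn(). Since the old bug survived precisely because both sides were wrong in the same way, a single macro for the whole gap, used by both functions, would keep them from drifting apart again.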
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Yixin Wei, Yixin Wei, Philippe Mathieu-Daudé, Helge Deller, Michael Tokarev
Subject: [Stable-10.2.3 080/117] linux-user: fix off-by-one in host_to_target_for_each_rtattr()
Date: Tue, 12 May 2026 23:54:22 +0300
Message-ID: <20260512205503.361097-80-mjt@tls.msk.ru>
From: Yixin Wei

host_to_target_for_each_rtattr() uses "len > sizeof(struct rtattr)" as its loop condition. When the last rtattr in a netlink message has exactly sizeof(struct rtattr) (4) bytes remaining, the loop exits without byte-swapping its rta_len and rta_type. A big-endian guest then reads rta_len in the wrong byte order and fails validation.

The companion function target_to_host_for_each_rtattr() correctly uses ">=" (added in commit fa2229dbf8). The kernel's RTA_OK macro also uses ">=". Fix the host_to_target direction to match.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2485
Signed-off-by: Yixin Wei
Fixes: 6c5b5645ae0 ("linux-user: add rtnetlink(7) support")
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Helge Deller
Cc: qemu-stable@nongnu.org
(cherry picked from commit 029f10e852780da846d3e7f1691c495474683b73)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/fd-trans.c b/linux-user/fd-trans.c index f83d1f79d5..1045ae7b1a 100644 --- a/linux-user/fd-trans.c +++ b/linux-user/fd-trans.c
@@ -482,7 +482,7 @@ static abi_long host_to_target_for_each_rtattr(struct r= tattr *rtattr, unsigned short aligned_rta_len; abi_long ret; =20 - while (len > sizeof(struct rtattr)) { + while (len >=3D sizeof(struct rtattr)) { rta_len =3D rtattr->rta_len; if (rta_len < sizeof(struct rtattr) || rta_len > len) { --=20 2.47.3
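Review bot: nothing in this change exercises the boundary it fixes in host_to_target_for_each_rtattr(); a test that feeds the function a message whose final attribute has exactly sizeof(struct rtattr) bytes left would pin the ">=" down. Admitting that case is safe because the next visible line still rejects "rta_len < sizeof(struct rtattr) || rta_len > len" before the attribute is used, so a 4-byte remainder reads only the header. It is also worth checking the other host_to_target attribute walkers in linux-user/fd-trans.c for the same strict ">" comparison.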
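The boundary case from the commit message above, as an added example that is not QEMU's code: a simplified attribute walker run over a constructed two-attribute buffer whose last attribute is exactly 4 bytes long. The names struct rtattr_hdr, convert_attrs() and the unconditional swap16() (standing in for a host and guest of opposite endianness) are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in for the kernel's 4-byte struct rtattr header (assumption). */
struct rtattr_hdr {
    uint16_t rta_len;   /* header + payload length, before padding */
    uint16_t rta_type;
};

#define ATTR_ALIGN(n) (((n) + 3u) & ~(size_t)3u)

/* Unconditional swap: models a host and guest of opposite endianness. */
static uint16_t swap16(uint16_t v)
{
    return (uint16_t)((v << 8) | (v >> 8));
}

/*
 * Walk the attributes in buf and byte-swap each header in place.
 * inclusive == 0 uses the old "len > sizeof" bound, 1 uses "len >= sizeof".
 * Returns the number of headers converted.
 */
static int convert_attrs(unsigned char *buf, size_t len, int inclusive)
{
    int converted = 0;

    while (inclusive ? len >= sizeof(struct rtattr_hdr)
                     : len > sizeof(struct rtattr_hdr)) {
        struct rtattr_hdr h;
        size_t step;

        memcpy(&h, buf, sizeof(h));
        if (h.rta_len < sizeof(h) || h.rta_len > len) {
            break;              /* malformed attribute: stop, swap nothing */
        }
        step = ATTR_ALIGN((size_t)h.rta_len);
        h.rta_len = swap16(h.rta_len);
        h.rta_type = swap16(h.rta_type);
        memcpy(buf, &h, sizeof(h));
        converted++;

        if (step > len) {
            step = len;         /* padding may be absent on the last one */
        }
        buf += step;
        len -= step;
    }
    return converted;
}

/* Constructed sample: one 8-byte attribute, then a payload-less 4-byte one. */
static size_t build_sample(unsigned char *buf)
{
    const struct rtattr_hdr first = { 8, 1 };
    const struct rtattr_hdr last = { 4, 2 };
    const unsigned char payload[4] = { 0xde, 0xad, 0xbe, 0xef };

    memcpy(buf, &first, sizeof(first));
    memcpy(buf + 4, payload, sizeof(payload));
    memcpy(buf + 8, &last, sizeof(last));
    return 12;
}

static int converted_count(int inclusive)
{
    unsigned char buf[12];
    size_t len = build_sample(buf);

    return convert_attrs(buf, len, inclusive);
}

/* rta_len of the final attribute as the opposite-endian guest would read it. */
static uint16_t last_len_seen_by_guest(int inclusive)
{
    unsigned char buf[12];
    struct rtattr_hdr h;
    size_t len = build_sample(buf);

    convert_attrs(buf, len, inclusive);
    memcpy(&h, buf + 8, sizeof(h));
    return swap16(h.rta_len);
}

int main(void)
{
    printf("'>'  converts %d headers, guest sees last rta_len = %u\n",
           converted_count(0), (unsigned)last_len_seen_by_guest(0));
    printf("'>=' converts %d headers, guest sees last rta_len = %u\n",
           converted_count(1), (unsigned)last_len_seen_by_guest(1));
    return 0;
}
```

With the strict bound the guest reads a length of 1024 for a 4-byte attribute, which is the validation failure the commit message describes.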
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Gyorgy Tamasi, Pierrick Bouvier, Peter Maydell, Helge Deller, Michael Tokarev
Subject: [Stable-10.2.3 081/117] linux-user: Don't define target_stat64 struct for loongarch64
Date: Tue, 12 May 2026 23:54:23 +0300
Message-ID: <20260512205503.361097-81-mjt@tls.msk.ru>
From: Gyorgy Tamasi

The kernel defines 'struct stat64' only if __BITS_PER_LONG != 64 || defined(__ARCH_WANT_STAT64). loongarch64 doesn't set __ARCH_WANT_STAT64, and it isn't 32-bit, so it won't get this struct. QEMU incorrectly does define a target_stat64 struct.

However this isn't causing any guest-visible problems, because defining the target_stat64 struct and TARGET_HAS_STRUCT_STAT64 affects these syscalls:

  TARGET_NR_stat64
  TARGET_NR_lstat64
  TARGET_NR_fstat64
  TARGET_NR_fstatat64
  TARGET_NR_newfstatat

For loongarch64 the only one of those we provide is newfstatat, and that is actually a separate QEMU bug, because the kernel does not provide that syscall for this architecture. No real guest code will be using a syscall that doesn't exist in the ABI.

(Some of these syscalls are present in the loongarch64 "ABI1.0", but that ABI was never accepted in the upstream kernel, and QEMU does not model that ABI, only the "ABI2.0".)

Stop defining TARGET_HAS_STRUCT_STAT64 anyway, for consistency with the kernel and to avoid confusion.

Note: Commit message suggested by Peter Maydell

Signed-off-by: Gyorgy Tamasi
Tested-by: Gyorgy Tamasi
Reviewed-by: Pierrick Bouvier
Reviewed-by: Peter Maydell
Signed-off-by: Helge Deller
(cherry picked from commit 93484c768f2b66947a91d6372f408ae01c83e8c6)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h index a2470856be..55443ff965 100644 --- a/linux-user/syscall_defs.h +++ b/linux-user/syscall_defs.h
@@ -2005,7 +2005,7 @@ struct target_stat { abi_uint __unused5; }; =20 -#if !defined(TARGET_RISCV64) +#if !defined(TARGET_RISCV64) && !defined(TARGET_LOONGARCH64) #define TARGET_HAS_STRUCT_STAT64 struct target_stat64 { abi_ullong st_dev; --=20 2.47.3
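Review bot: the "#if !defined(TARGET_RISCV64) && !defined(TARGET_LOONGARCH64)" guard in linux-user/syscall_defs.h has no comment saying why these targets are excluded; a short note giving the kernel rule from the commit message (struct stat64 exists only if __BITS_PER_LONG != 64 or __ARCH_WANT_STAT64 is defined) would stop the list from growing by guesswork. The commit message also says that providing newfstatat for loongarch64 is a separate QEMU bug, which this hunk leaves in place, so the loongarch64 build should be checked to confirm that the TARGET_NR_newfstatat path still compiles and behaves sensibly once TARGET_HAS_STRUCT_STAT64 is no longer defined.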
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Richard Henderson, Philippe Mathieu-Daudé, Helge Deller, Michael Tokarev
Subject: [Stable-10.2.3 082/117] linux-user/arm/nwfpe: Replace user_registers with current_cpu
Date: Tue, 12 May 2026 23:54:24 +0300
Message-ID: <20260512205503.361097-82-mjt@tls.msk.ru>

From: Richard Henderson

Use the thread-local variable current_cpu instead of a global variable to access the general registers. This also means we don't need to pass env to EmulateAll.

Signed-off-by: Richard Henderson
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Helge Deller
(cherry picked from commit c8ea1759009a248cf331b275854d8b272e0f7d8a)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/arm/cpu_loop.c b/linux-user/arm/cpu_loop.c index cd89b7d6f5..60de1e4b1b 100644 --- a/linux-user/arm/cpu_loop.c
+++ b/linux-user/arm/cpu_loop.c @@ -232,7 +232,7 @@ static bool insn_is_linux_bkpt(uint32_t opcode, bool is= _thumb) static bool emulate_arm_fpa11(CPUARMState *env, uint32_t opcode) { TaskState *ts =3D get_task_state(env_cpu(env)); - int rc =3D EmulateAll(opcode, &ts->fpa, env); + int rc =3D EmulateAll(opcode, &ts->fpa); int raise, enabled; =20 if (rc =3D=3D 0) { diff --git a/linux-user/arm/nwfpe/fpa11.c b/linux-user/arm/nwfpe/fpa11.c index 0f1afbd91d..44783934b2 100644 --- a/linux-user/arm/nwfpe/fpa11.c +++ b/linux-user/arm/nwfpe/fpa11.c @@ -30,7 +30,6 @@ =20 =20 FPA11* qemufpa =3D NULL; -CPUARMState* user_registers; =20 /* Reset the FPA11 chip. Called to initialize and reset the emulator. */ void resetFPA11(void) @@ -156,7 +155,7 @@ void SetRoundingPrecision(const unsigned int opcode) =20 /* Emulate the instruction in the opcode. */ /* ??? This is not thread safe. */ -unsigned int EmulateAll(unsigned int opcode, FPA11* qfpa, CPUARMState* qre= gs) +unsigned int EmulateAll(unsigned int opcode, FPA11* qfpa) { unsigned int nRc =3D 0; // unsigned long flags; @@ -173,12 +172,6 @@ unsigned int EmulateAll(unsigned int opcode, FPA11* qf= pa, CPUARMState* qregs) } =20 qemufpa=3Dqfpa; - user_registers=3Dqregs; - -#if 0 - fprintf(stderr,"emulating FP insn 0x%08x, PC=3D0x%08x\n", - opcode, qregs[ARM_REG_PC]); -#endif fpa11 =3D GET_FPA11(); =20 if (fpa11->initflag =3D=3D 0) /* good place for __builtin_expect */ diff --git a/linux-user/arm/nwfpe/fpa11.h b/linux-user/arm/nwfpe/fpa11.h index d459c5da02..20f9d2eb81 100644 --- a/linux-user/arm/nwfpe/fpa11.h +++ b/linux-user/arm/nwfpe/fpa11.h @@ -25,15 +25,6 @@ =20 #define GET_FPA11() (qemufpa) =20 -/* - * The processes registers are always at the very top of the 8K - * stack+task struct. Use the same method as 'current' uses to - * reach them. - */ -extern CPUARMState *user_registers; - -#define GET_USERREG() (user_registers) - /* Need task_struct */ //#include =20 
@@ -91,25 +82,25 @@ void SetRoundingPrecision(const unsigned int); =20 static inline unsigned int readRegister(unsigned int reg) { - return (user_registers->regs[(reg)]); + CPUARMState *env =3D cpu_env(current_cpu); + return env->regs[reg]; } =20 static inline void writeRegister(unsigned int x, unsigned int y) { -#if 0 - printf("writing %d to r%d\n",y,x); -#endif - user_registers->regs[(x)]=3D(y); + CPUARMState *env =3D cpu_env(current_cpu); + env->regs[x] =3D y; } =20 static inline void writeConditionCodes(unsigned int x) { - cpsr_write(user_registers, x, CPSR_NZCV, CPSRWriteByInstr); + CPUARMState *env =3D cpu_env(current_cpu); + cpsr_write(env, x, CPSR_NZCV, CPSRWriteByInstr); } =20 #define ARM_REG_PC 15 =20 -unsigned int EmulateAll(unsigned int opcode, FPA11* qfpa, CPUARMState* qre= gs); +unsigned int EmulateAll(unsigned int opcode, FPA11* qfpa); =20 unsigned int EmulateCPDO(const unsigned int); unsigned int EmulateCPDT(const unsigned int); --=20 2.47.3
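Review bot: readRegister(), writeRegister() and writeConditionCodes() in fpa11.h now dereference cpu_env(current_cpu) with no check, so they silently assume they are only ever reached from a vCPU thread inside EmulateAll(); an assert on current_cpu, or a comment stating that precondition, would make it explicit. The header also starts using cpu_env() and current_cpu without adding an include in the visible hunks, so confirm that every file including fpa11.h already pulls in their declarations. The fpa11.c hunk keeps the "/* ??? This is not thread safe. */" comment and the global "qemufpa=3Dqfpa;" assignment, which is accurate at this point in the series because only user_registers is removed here.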
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Richard Henderson, Philippe Mathieu-Daudé, Helge Deller, Michael Tokarev
Subject: [Stable-10.2.3 083/117] linux-user/arm/nwfpe: Use thread-local storage for qemufpa
Date: Tue, 12 May 2026 23:54:25 +0300
Message-ID: <20260512205503.361097-83-mjt@tls.msk.ru>

From: Richard Henderson

Fix the thread safety of the emulation by not storing a pointer in global storage.

Signed-off-by: Richard Henderson
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Helge Deller
(cherry picked from commit 784f1dde90df1ed57de0697adcd8ebfe7c342f58)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/arm/nwfpe/fpa11.c b/linux-user/arm/nwfpe/fpa11.c index 44783934b2..15888463f7 100644 --- a/linux-user/arm/nwfpe/fpa11.c
+++ b/linux-user/arm/nwfpe/fpa11.c @@ -29,7 +29,7 @@ //#include =20 =20 -FPA11* qemufpa =3D NULL; +__thread FPA11* qemufpa =3D NULL; =20 /* Reset the FPA11 chip. Called to initialize and reset the emulator. */ void resetFPA11(void) @@ -154,7 +154,6 @@ void SetRoundingPrecision(const unsigned int opcode) } =20 /* Emulate the instruction in the opcode. */ -/* ??? This is not thread safe. */ unsigned int EmulateAll(unsigned int opcode, FPA11* qfpa) { unsigned int nRc =3D 0; diff --git a/linux-user/arm/nwfpe/fpa11.h b/linux-user/arm/nwfpe/fpa11.h index 20f9d2eb81..659d38ae3a 100644 --- a/linux-user/arm/nwfpe/fpa11.h +++ b/linux-user/arm/nwfpe/fpa11.h 
@@ -74,7 +74,7 @@ typedef struct tagFPA11 { float_status fp_status; /* QEMU float emulator status */ } FPA11; =20 -extern FPA11* qemufpa; +extern __thread FPA11* qemufpa; =20 void resetFPA11(void); void SetRoundingMode(const unsigned int); --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778622523; cv=none; d=zohomail.com; s=zohoarc; b=mlYHJRe96RzzfuD+d/cEQ3xQrMd6KNypgbCKmrnbtVhYSPhPt80fqjNl50juq5eLP0QXc85K2ggDGyxDXeWcN2vrcRDeMnWmh6Cz6Od5AhWmpvMI7VvYilWWEhUpTq3H6LQcssa0sExes7adrRkaYwC04IdIUac3hL/1Oq39U2Q= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778622523; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=UK4/2OmlZTz0w07BSrXpQlwexAfDiKFnj6kNbJAgr1o=; b=aD7jECasGfcGJ00aBx+5VfFStHiYRfyd8yEF/ecGwYYfw/KApLANdXACpSX5MHb56285trueZVXV7mXaHE/pt5hrXlajmyWdZ0IOnQmGqtxBlEE+ygP3Ri1kbAhWlf9UwDjYNHAQSrv0BmDeXA0Sa/S2ZhxMsj7hImYEF9Rujxo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778622523926178.8954928035041; Tue, 12 May 2026 14:48:43 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuRJ-0005Yl-Cf; Tue, 12 May 2026 17:14:53 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps 
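Review bot: the "??? This is not thread safe." comment above EmulateAll() in fpa11.c is dropped, but neither the commit message nor the code says that qemufpa was the only state shared between threads on that path. Please state that in the commit message, and add a one-line comment at the __thread FPA11* qemufpa definition saying which function sets the per-thread pointer, since each new thread now starts with it as NULL.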
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Alistair Francis , Nutty Liu , Helge Deller , Michael Tokarev Subject: [Stable-10.2.3 084/117] linux-user/strace: Use pointer type for read and write values Date: Tue, 12 May 2026 23:54:26 +0300 Message-ID: <20260512205503.361097-84-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778622524283158500 Content-Type: text/plain; charset="utf-8" From: Alistair Francis The stack pointer is being truncated as 32-bits for qemu-riscv64, so let's use %p to print the syscall pointer argument. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3238 Signed-off-by: Alistair Francis Reviewed-by: Nutty Liu Signed-off-by: Helge Deller (cherry picked from commit 1730e6f33f9732658b88c2e4eda257f50531ef0e) Signed-off-by: Michael Tokarev diff --git a/linux-user/strace.list b/linux-user/strace.list index 51b5ead969..eb1a414004 100644 --- a/linux-user/strace.list +++ b/linux-user/strace.list 
@@ -1114,7 +1114,7 @@ { TARGET_NR_quotactl, "quotactl" , NULL, NULL, NULL }, #endif #ifdef TARGET_NR_read -{ TARGET_NR_read, "read" , "%s(%d,%#x,%d)", NULL, NULL }, +{ TARGET_NR_read, "read" , "%s(%d,%p,%d)", NULL, NULL }, #endif #ifdef TARGET_NR_readahead { TARGET_NR_readahead, "readahead" , NULL, NULL, NULL }, 
@@ -1674,7 +1674,7 @@ print_syscall_ret_waitpid }, #endif #ifdef TARGET_NR_write -{ TARGET_NR_write, "write" , "%s(%d,%#x,%d)", NULL, NULL }, +{ TARGET_NR_write, "write" , "%s(%d,%p,%d)", NULL, NULL }, #endif #ifdef TARGET_NR_writev { TARGET_NR_writev, "writev" , "%s(%d,%p,%#x)", NULL, NULL }, --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620701; cv=none; d=zohomail.com; s=zohoarc; b=GbuFuahgIDa7mI3ukjyuF7AcwIXl3479mRxpd3yCVhtC86a9hCqUR76luJoHJJxOAxDxXFGzdTfs/ZeQl9YcYgld9ixJ3CBWGalXEO9IWkAF2E0iYMIlH8snjBDubzN6vt7g9muKwCp097ec7RDikxW3E2PKHGIy4PM3hjhns+M= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620701; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=gP4NaC7NQ0SbPYKYEApQznKc5w3fE2hviiS6At2scKE=; b=Po36ZuADfV3MWdAQjQn2+DsJ9fa5/0zy16mwNq3RA2E7WMAOTEJm9heQzAC8ul8whFdXEkvgUlwEo3r3xH0wMTj37vX4DlSOMrMGlVlIJkQhBGERpr3S1yAjmCiEXEKi11RfXSO+N4HlveYCrY6wNS/HyUs5Uhfy4hRSrP2NaUk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 17786207014767.275865353010545; Tue, 12 May 2026 14:18:21 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuRF-0005Kt-LK; Tue, 12 May 2026 17:14:51 -0400 Received: from eggs.gnu.org 
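Review bot: in both the read and write entries only the buffer argument moves to %p, while the count argument stays %d, and the writev entry in the trailing context still prints its last argument with %#x. If %#x truncated a 64-bit value to 32 bits on qemu-riscv64, as the commit message says, the remaining integer specifiers in these entries probably have the same width problem for large counts. Either widen them in this patch or note in the commit message that only the pointer argument is being addressed.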
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, James Hilliard , Richard Henderson , Helge Deller , Michael Tokarev Subject: [Stable-10.2.3 085/117] linux-user/mips: sync k0 TLS for EF_MIPS_MACH_OCTEON userlands Date: Tue, 12 May 2026 23:54:27 +0300 Message-ID: <20260512205503.361097-85-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620703240154100 Content-Type: text/plain; charset="utf-8" 
From: James Hilliard Cavium Octeon userspace is not following a generic MIPS Linux TLS ABI rule here. Older Octeon glibc uses the k0 register as the fast thread pointer, while newer Octeon2 and Octeon3 glibc variants use the normal rdhwr $29 path. linux-user already updates CP0_UserLocal for cpu_set_tls() and TARGET_NR_set_thread_area, but it does not keep gpr[26] synchronized. That leaves EF_MIPS_MACH_OCTEON userlands able to complete set_thread_area() and still reach pthread startup or pthread_self() with a stale k0 value. Use the existing MIPS ELF machine flags from linux-user/elfload.c and mirror CP0_UserLocal into gpr[26] only for EF_MIPS_MACH_OCTEON. Signed-off-by: James Hilliard Reviewed-by: Richard Henderson Signed-off-by: Helge Deller (cherry picked from commit 4c681ba3b82d9a9f00a3f361399a1bb7612f3535) Signed-off-by: Michael Tokarev diff --git a/linux-user/elfload.c b/linux-user/elfload.c index 59b543f740..0e757787d2 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -1476,6 +1476,9 @@ static void load_elf_image(const char *image_name, co= nst ImageSource *src, /* Usual start for brk is after all sections of the main executable. */ info->brk =3D TARGET_PAGE_ALIGN(hiaddr + load_bias); info->elf_flags =3D ehdr->e_flags; +#ifdef TARGET_MIPS + info->use_k0_tls =3D (ehdr->e_flags & EF_MIPS_MACH) =3D=3D EF_MIPS_MAC= H_OCTEON; +#endif =20 prot_exec =3D PROT_EXEC; #ifdef TARGET_AARCH64 diff --git a/linux-user/mips/target_cpu.h b/linux-user/mips/target_cpu.h index c375616c55..2bbd0a81c5 100644 --- a/linux-user/mips/target_cpu.h +++ b/linux-user/mips/target_cpu.h 
@@ -35,7 +35,12 @@ static inline void cpu_clone_regs_parent(CPUMIPSState *e= nv, unsigned flags) =20 static inline void cpu_set_tls(CPUMIPSState *env, target_ulong newtls) { + TaskState *ts =3D get_task_state(env_cpu(env)); + env->active_tc.CP0_UserLocal =3D newtls; + if (ts->info->use_k0_tls) { + env->active_tc.gpr[26] =3D newtls; + } } =20 static inline abi_ulong get_sp_from_cpustate(CPUMIPSState *state) diff --git a/linux-user/qemu.h b/linux-user/qemu.h index cfe5f45fc4..7f98fb2607 100644 --- a/linux-user/qemu.h +++ b/linux-user/qemu.h @@ -65,6 +65,7 @@ struct image_info { uint32_t note_flags; =20 #ifdef TARGET_MIPS + bool use_k0_tls; int fp_abi; int interp_fp_abi; #endif diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 0261f2fc5c..7b6343deba 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c 
@@ -13205,7 +13205,7 @@ static abi_long do_syscall1(CPUArchState *cpu_env, = int num, abi_long arg1, #ifdef TARGET_NR_set_thread_area case TARGET_NR_set_thread_area: #if defined(TARGET_MIPS) - cpu_env->active_tc.CP0_UserLocal =3D arg1; + cpu_set_tls(cpu_env, arg1); return 0; #elif defined(TARGET_I386) && defined(TARGET_ABI32) return do_set_thread_area(cpu_env, arg1); --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778622479; cv=none; d=zohomail.com; s=zohoarc; b=Vx4/QDsV1dhbgra2U97y/nQhiPi/Tzckk5PaFNafMPQYd8ojISG2Px00kA05f4Z19Ins5UiGZk3noYibhbRUxZbKiJqv+KhEIkwH2BSI00ScRXsQnO1v/WU8OkkmZX+p19L6aLgTzQmmzMxocS71RvaVz5HSQb3EfNFuMSUe5ns= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778622479; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=kR9RqGYAWYjZrvVSJalUG1JIkK8JgdhAwmLj9ZnB/Ak=; b=C2GFfsj1dIZBCkLBQ7L+nVB19KlldSk8nrOmVjveT14IbDeebFeV5Te1YuDAqZywWD3kh7k6xRsf9WhvmkRwD38lJBYokzNS908gADFpZMtwfdNHu+6DBir0lfZP6gh6c5xQcxwwCCrLriLyCSTg71037ObudcEqtwUx/Xm6Shs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778622479913692.212803854959; Tue, 12 May 2026 14:47:59 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wMuRL-0005jM-38; Tue, 
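Review bot: cpu_set_tls() in linux-user/mips/target_cpu.h now dereferences ts->info->use_k0_tls unconditionally, and the set_thread_area case in syscall.c is switched to call it, so every caller must run after the TaskState and its image_info are attached to the CPU. Please confirm that holds for the thread-creation path that sets TLS on a freshly copied env, and document the precondition in a comment above cpu_set_tls(), or guard against a NULL ts or ts->info. A short comment at the use_k0_tls field in qemu.h saying it is derived from EF_MIPS_MACH_OCTEON in e_flags would also help readers who see only the struct.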
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Helge Deller , Michael Tokarev Subject: [Stable-10.2.3 086/117] linux-user: Define SO_TIMESTAMP*_NEW and SO_RCVTIMEIO_NEW Date: Tue, 12 May 2026 23:54:28 +0300 Message-ID: <20260512205503.361097-86-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778622481749154100 Content-Type: text/plain; charset="utf-8" From: Helge Deller Define the entries which always use the 64-bit timestamps. Signed-off-by: Helge Deller (cherry picked from commit 8b60ed835478a787dd60e0f7308a65f6d35b0268) Signed-off-by: Michael Tokarev diff --git a/linux-user/alpha/sockbits.h b/linux-user/alpha/sockbits.h index d54dc98c09..0201ab9374 100644 --- a/linux-user/alpha/sockbits.h +++ b/linux-user/alpha/sockbits.h 
@@ -75,6 +75,13 @@ /* Instruct lower device to use last 4-bytes of skb data as FCS */ #define TARGET_SO_NOFCS 43 =20 +#define TARGET_SO_TIMESTAMP_NEW 63 +#define TARGET_SO_TIMESTAMPNS_NEW 64 +#define TARGET_SO_TIMESTAMPING_NEW 65 + +#define TARGET_SO_RCVTIMEO_NEW 66 +#define TARGET_SO_SNDTIMEO_NEW 67 + /* TARGET_O_NONBLOCK clashes with the bits used for socket types. Therefo= re we * have to define SOCK_NONBLOCK to a different value here. */ diff --git a/linux-user/generic/sockbits.h b/linux-user/generic/sockbits.h index b3b4a8e44c..33e6c3a572 100644 --- a/linux-user/generic/sockbits.h +++ b/linux-user/generic/sockbits.h @@ -58,4 +58,12 @@ =20 #define TARGET_SO_PROTOCOL 38 #define TARGET_SO_DOMAIN 39 + +#define TARGET_SO_TIMESTAMP_NEW 63 +#define TARGET_SO_TIMESTAMPNS_NEW 64 +#define TARGET_SO_TIMESTAMPING_NEW 65 + +#define TARGET_SO_RCVTIMEO_NEW 66 +#define TARGET_SO_SNDTIMEO_NEW 67 + #endif diff --git a/linux-user/hppa/sockbits.h b/linux-user/hppa/sockbits.h index 23f69a3293..2304dbbf79 100644 --- a/linux-user/hppa/sockbits.h +++ b/linux-user/hppa/sockbits.h @@ -67,6 +67,13 @@ =20 #define TARGET_SO_CNX_ADVICE 0x402E =20 +#define TARGET_SO_TIMESTAMP_NEW 0x4038 +#define TARGET_SO_TIMESTAMPNS_NEW 0x4039 +#define TARGET_SO_TIMESTAMPING_NEW 0x403A + +#define TARGET_SO_RCVTIMEO_NEW 0x4040 +#define TARGET_SO_SNDTIMEO_NEW 0x4041 + /* TARGET_O_NONBLOCK clashes with the bits used for socket types. Therefo= re we * have to define SOCK_NONBLOCK to a different value here. */ diff --git a/linux-user/mips/sockbits.h b/linux-user/mips/sockbits.h index 562cad88e2..1f479d54aa 100644 --- a/linux-user/mips/sockbits.h +++ b/linux-user/mips/sockbits.h 
@@ -71,6 +71,13 @@ #define TARGET_SO_RCVBUFFORCE 33 #define TARGET_SO_PASSSEC 34 =20 +#define TARGET_SO_TIMESTAMP_NEW 63 +#define TARGET_SO_TIMESTAMPNS_NEW 64 +#define TARGET_SO_TIMESTAMPING_NEW 65 + +#define TARGET_SO_RCVTIMEO_NEW 66 +#define TARGET_SO_SNDTIMEO_NEW 67 + /** sock_type - Socket types * * Please notice that for binary compat reasons MIPS has to diff --git a/linux-user/sparc/sockbits.h b/linux-user/sparc/sockbits.h index 0a822e3e1f..42ecfdc8f9 100644 --- a/linux-user/sparc/sockbits.h +++ b/linux-user/sparc/sockbits.h 
@@ -61,6 +61,13 @@ #define TARGET_SO_TIMESTAMPING 0x0023 #define TARGET_SCM_TIMESTAMPING TARGET_SO_TIMESTAMPING =20 +#define TARGET_SO_TIMESTAMP_NEW 0x0046 +#define TARGET_SO_TIMESTAMPNS_NEW 0x0042 +#define TARGET_SO_TIMESTAMPING_NEW 0x0043 + +#define TARGET_SO_RCVTIMEO_NEW 0x0044 +#define TARGET_SO_SNDTIMEO_NEW 0x0045 + #define TARGET_SO_RXQ_OVFL 0x0024 =20 #define TARGET_SO_WIFI_STATUS 0x0025 --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778622562; cv=none; d=zohomail.com; s=zohoarc; b=JuqTvKILRgDHTSk6rSsP1Pd2oFh8jRf1FVGsMPt9TV7FCNVr8OqSGq9o+QRTOpg2MGzU71v2dpiySaGSRLudb0bD5OM4DopCxEbMtYl+WsrZXuogbZ7A5weM7TAqnZ7ckwQ5Oeo+yIGkmNX9XDJOwM7st7TtAl13thyg72zTI4k= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778622562; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=J3ZED15s5/aiXi+GTxTDi4hxdmuGAV8sIy5tl9oKPwo=; b=lzFZa00LAx2ZB/LgBTEeqF4g5sM8Ap8CCIN1M/qlG39oHNJPPZFkYc/yueYrKyB7k8PzrYdN3qupw+rizbniG8hX3QT20yGfg0OZcOn+qxWUxbZw6sJoY9ZO3uv2mf0A77xitTQ+BaXDxm2jQXk91gGyqiyWCctibhT/P/cFpA8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778622562883312.07040744553353; Tue, 12 May 2026 14:49:22 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) 
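Review bot: in linux-user/sparc/sockbits.h TARGET_SO_TIMESTAMP_NEW is 0x0046 while the four definitions after it run 0x0042 to 0x0045, so the first value is out of sequence. If that mirrors the target kernel's header, add a comment saying so, so that nobody later "corrects" it to 0x0041. The same kind of comment would help for the gap between 0x403A and 0x4040 in the hppa block. The commit message mentions only the 64-bit timestamp entries and the subject spells the option "SO_RCVTIMEIO_NEW", but the patch also defines TARGET_SO_SNDTIMEO_NEW for every target, so the subject should name both timeout options with the spelling used in the code.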
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Helge Deller , Michael Tokarev Subject: [Stable-10.2.3 087/117] linux-user: Add setsockopt() for SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW Date: Tue, 12 May 2026 23:54:29 +0300 Message-ID: <20260512205503.361097-87-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778622564488158500 Content-Type: text/plain; charset="utf-8" From: Helge Deller Add handlers for both sockopts which use 64-bit time_t from userspace. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/885 Signed-off-by: Helge Deller (cherry picked from commit edb4588309a753dea40f338fb8e02e3cfc2eed70) Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 7b6343deba..c7251ae7bc 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c 
@@ -1146,7 +1146,6 @@ static inline abi_long copy_to_user_timeval(abi_ulong= target_tv_addr, return 0; } =20 -#if defined(TARGET_NR_clock_adjtime64) && defined(CONFIG_CLOCK_ADJTIME) static inline abi_long copy_from_user_timeval64(struct timeval *tv, abi_ulong target_tv_addr) { @@ -1163,7 +1162,6 @@ static inline abi_long copy_from_user_timeval64(struc= t timeval *tv, =20 return 0; } -#endif =20 static inline abi_long copy_to_user_timeval64(abi_ulong target_tv_addr, const struct timeval *tv) 
@@ -2394,6 +2392,25 @@ static abi_long do_setsockopt(int sockfd, int level,= int optname, &tv, sizeof(tv))); return ret; } + case TARGET_SO_RCVTIMEO_NEW: + case TARGET_SO_SNDTIMEO_NEW: + { + struct timeval tv; + + if (optlen !=3D sizeof(struct target__kernel_sock_timeval)= ) { + return -TARGET_EINVAL; + } + + if (copy_from_user_timeval64(&tv, optval_addr)) { + return -TARGET_EFAULT; + } + + ret =3D get_errno(setsockopt(sockfd, SOL_SOCKET, + optname =3D=3D TARGET_SO_RCVTIMEO_NEW ? + SO_RCVTIMEO : SO_SNDTIMEO, + &tv, sizeof(tv))); + return ret; + } case TARGET_SO_ATTACH_FILTER: { struct target_sock_fprog *tfprog; --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620531; cv=none; d=zohomail.com; s=zohoarc; b=ASjjsJrTOM2pii9bxW2jMk3vDgzP/7HlXnuZ1euBFH7jKRaTasoKWEE+oWypIM3qw84sRvg619XkOrpORN5omPLOC5SsA8RgSpmT4EqFca201OS8fFt/BKTdccJdrALi3RJmNlBBP5FEBlM6st1JRdA45ZjSwddkxReDTqjdD/4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620531; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=fzi3PoqHTm3f4joH70P4upSvZ9W1RNrQQPL4ztwUNmM=; b=bJXCn47HsswJ/wPYmht9vIAmxMv9EY44CALG11DUGWBFmZQaCM5qWydXN8mZlIdC6mqoQ2bZVE8VDifJ5eumsaF9zUsDB+v0OsoDYtkofksXQ4laRoUxhUwaMh9rVrt460bhYbjAw0KI9Dxudpcj3rqqsS65QgY1J5YBsizM3xw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org 
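Review bot: the new TARGET_SO_RCVTIMEO_NEW / TARGET_SO_SNDTIMEO_NEW case rejects any optlen that is not exactly sizeof(struct target__kernel_sock_timeval). Linux only rejects an optlen that is too short for these options, so a guest that passes a larger buffer would get -TARGET_EINVAL under emulation but succeed natively. Suggest changing the test to optlen < sizeof(struct target__kernel_sock_timeval). Separately, the value is copied into a host struct timeval, so on a host whose time_t is 32 bits the guest's 64-bit tv_sec is silently narrowed. A range check or a comment stating the assumption would make that explicit. The commit message should also mention that the #if around copy_from_user_timeval64() is removed because the helper is now used unconditionally.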
From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Helge Deller , Michael Tokarev Subject: [Stable-10.2.3 088/117] linux-user: Add getsockopt() for SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW Date: Tue, 12 May 2026 23:54:30 +0300 Message-ID: <20260512205503.361097-88-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @tls.msk.ru) X-ZM-MESSAGEID: 1778620532137154100 Content-Type: text/plain; charset="utf-8" From: Helge Deller Add handlers for both sockopts which use 64-bit time_t from userspace. Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/885 Signed-off-by: Helge Deller (cherry picked from commit 07c7decaa54a83bd1656b2645074380714b83374) Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index c7251ae7bc..61f45adb52 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c 
@@ -2624,7 +2624,8 @@ static abi_long do_getsockopt(int sockfd, int level, = int optname, /* These don't just return a single integer */ case TARGET_SO_PEERNAME: goto unimplemented; - case TARGET_SO_RCVTIMEO: { + case TARGET_SO_RCVTIMEO: + case TARGET_SO_RCVTIMEO_NEW: { struct timeval tv; socklen_t tvlen; =20 @@ -2644,11 +2645,17 @@ get_timeout: if (ret < 0) { return ret; } - if (len > sizeof(struct target_timeval)) { - len =3D sizeof(struct target_timeval); - } - if (copy_to_user_timeval(optval_addr, &tv)) { - return -TARGET_EFAULT; + if (len =3D=3D sizeof(struct target__kernel_sock_timeval)) { + if (copy_to_user_timeval64(optval_addr, &tv)) { + return -TARGET_EFAULT; + } + } else { + if (len >=3D sizeof(struct target_timeval)) { + len =3D sizeof(struct target_timeval); + if (copy_to_user_timeval(optval_addr, &tv)) { + return -TARGET_EFAULT; + } + } } if (put_user_u32(len, optlen)) { return -TARGET_EFAULT; 
@@ -2656,6 +2663,7 @@ get_timeout: break; } case TARGET_SO_SNDTIMEO: + case TARGET_SO_SNDTIMEO_NEW: optname =3D SO_SNDTIMEO; goto get_timeout; case TARGET_SO_PEERCRED: { --=20 2.47.3
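Review bot: in the get_timeout hunk of do_getsockopt() (patch 088), the short-buffer case is now silent: when len is smaller than sizeof(struct target_timeval) neither copy helper runs, yet put_user_u32(len, optlen) still writes len back, so the guest is told that len bytes of an untouched buffer are a valid timeout. Either fail the call in that branch or write back a length of 0, and add a comment stating which of the two is intended.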
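Review bot: in the TARGET_SO_SNDTIMEO hunk of do_getsockopt() (patch 088), the assignment optname = SO_SNDTIMEO runs for both the old and the _NEW case before the jump to get_timeout, so the copy-out code can no longer tell which variant the guest requested and has to infer the layout from the buffer length alone. A _NEW caller whose len is anything other than exactly sizeof(struct target__kernel_sock_timeval) therefore gets the old target_timeval layout. Record the requested variant in a local flag before the goto and select copy_to_user_timeval64() from that flag.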
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Helge Deller, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 089/117] linux-user: Fix CLONE_PARENT_SETTID when using fork-like clone
Date: Tue, 12 May 2026 23:54:31 +0300
Message-ID: <20260512205503.361097-89-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Helge Deller

The CLONE_PARENT_SETTID option requires the implementation to store the child thread ID at the location pointed to by parent_tid in the parent's memory. Fix our implementation and move the code from the client side (where fork returned 0), to the parent side and store the return value from the fork call (which is the client TID) in the parent_tid pointer.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3340
Signed-off-by: Helge Deller
Reviewed-by: Peter Maydell
(cherry picked from commit b03a6ac6fa5d7775b9f912fa5c39f7b92388c6a2)
Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 61f45adb52..755304d604 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -7053,8 +7053,6 @@ static int do_fork(CPUArchState *env, unsigned int fl= ags, abi_ulong newsp, the child process gets its own copy of the lock. */ if (flags & CLONE_CHILD_SETTID) put_user_u32(sys_gettid(), child_tidptr); - if (flags & CLONE_PARENT_SETTID) - put_user_u32(sys_gettid(), parent_tidptr); ts =3D get_task_state(cpu); if (flags & CLONE_SETTLS) cpu_set_tls (env, newtls); 
@@ -7062,6 +7060,8 @@ static int do_fork(CPUArchState *env, unsigned int fl= ags, abi_ulong newsp, ts->child_tidptr =3D child_tidptr; } else { cpu_clone_regs_parent(env, flags); + if (flags & CLONE_PARENT_SETTID) + put_user_u32(ret, parent_tidptr); if (flags & CLONE_PIDFD) { int pid_fd =3D 0; #if defined(__NR_pidfd_open) && defined(TARGET_NR_pidfd_open) --=20 2.47.3
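Review bot: in the parent-side hunk of do_fork() (patch 089), the new put_user_u32(ret, parent_tidptr) sits in the else branch, which going by the commit message is every case where fork did not return 0; unless ret is checked above the visible context, a failed fork stores the error value at parent_tidptr. Guard the store with ret > 0. The return value of put_user_u32() is also discarded, so an unwritable parent_tidptr goes unnoticed, and the added if statement has no braces.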
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Helge Deller, Peter Hartley, Michael Tokarev
Subject: [Stable-10.2.3 090/117] linux-user: Use abi_int for imr_ifindex in ip_mreqn struct
Date: Tue, 12 May 2026 23:54:32 +0300
Message-ID: <20260512205503.361097-90-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Helge Deller

Peter Hartley noticed that in the qemu code the imr_ifindex member of struct target_ip_mreq needs to be of type "int" instead of "long", which is what the Linux kernel uses on all architectures.

Adjust the type accordingly, and add a QEMU_BUILD_BUG_ON() checker to prevent such issues in the future.

This change should fix multicast issues when using hosts and guests with different endianness or bit size.

Reported-by: Peter Hartley
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2553
Signed-off-by: Helge Deller (cherry picked from commit e2af3eadc09b3672017c650e0abfd29a08521921) Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 755304d604..47270eb15e 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -2164,6 +2164,8 @@ static abi_long do_setsockopt(int sockfd, int level, = int optname, =20 QEMU_BUILD_BUG_ON(sizeof(struct ip_mreq) !=3D sizeof(struct target_ip_mreq)); + QEMU_BUILD_BUG_ON(sizeof(struct ip_mreqn) !=3D + sizeof(struct target_ip_mreqn)); =20 if (optname =3D=3D IP_MULTICAST_IF) { min_size =3D sizeof(struct in_addr); diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h index 55443ff965..be68c54c90 100644 --- a/linux-user/syscall_defs.h +++ b/linux-user/syscall_defs.h 
@@ -210,7 +210,7 @@ struct target_ip_mreq { struct target_ip_mreqn { struct target_in_addr imr_multiaddr; struct target_in_addr imr_address; - abi_long imr_ifindex; + abi_int imr_ifindex; }; =20 struct target_ip_mreq_source { --=20 2.47.3
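Review bot: in the do_setsockopt() hunk (patch 090), the new QEMU_BUILD_BUG_ON compares only sizeof(struct ip_mreqn) with sizeof(struct target_ip_mreqn), which catches a wrong field width but not a misplaced field. An additional offsetof() comparison for imr_ifindex would pin the layout itself.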
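Review bot: in the struct target_ip_mreqn hunk of syscall_defs.h (patch 090), imr_ifindex shrinks from abi_long to abi_int but the patch shows no change at the place where the field is read and byte-swapped. If that code still swaps at target-long width it has to become a 32-bit swap, otherwise cross-endian guests keep passing a wrong interface index. The commit message also names struct target_ip_mreq, while the field changed here belongs to struct target_ip_mreqn.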
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Helge Deller, Michael Tokarev
Subject: [Stable-10.2.3 091/117] linux-user: Flush errors by using exit() instead of _exit() in error path
Date: Tue, 12 May 2026 23:54:33 +0300
Message-ID: <20260512205503.361097-91-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Helge Deller

Qemu user mode does not properly flush error messages related to bad arguments when exiting (at least when the output is piped to a file instead of running on a terminal). Ensure that we always flush by using exit() instead of _exit().

Reported by: Tobias Bergkvist
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2544
Signed-off-by: Helge Deller
(cherry picked from commit 9e7734ead149d73f1d25f61d0b7f075d4b2cb07d)
Signed-off-by: Michael Tokarev
diff --git a/linux-user/main.c b/linux-user/main.c index c49d1e91d2..84e110dfe9 100644 --- a/linux-user/main.c
+++ b/linux-user/main.c 
@@ -767,7 +767,7 @@ int main(int argc, char **argv, char **envp) execfd =3D open(exec_path, O_RDONLY); if (execfd < 0) { printf("Error while loading %s: %s\n", exec_path, strerror(err= no)); - _exit(EXIT_FAILURE); + exit(EXIT_FAILURE); } } =20 --=20 2.47.3
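Review bot: in the main() hunk of linux-user/main.c (patch 091), the message is still written with printf(), so the error goes to stdout and its delivery depends on stdio buffering being flushed at exit. Writing it with fprintf(stderr, ...) would put the failure on the error stream and would not rely on the exit path. Since exit() also runs atexit handlers, check that nothing registered by this point in main() is unsafe to run on this error path.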
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Yicong Yang, Andrew Jones, Alistair Francis, Michael Tokarev
Subject: [Stable-10.2.3 092/117] hw/riscv/virt-acpi-build.c: Use kvm timer frequency when kvm enabled
Date: Tue, 12 May 2026 23:54:34 +0300
Message-ID: <20260512205503.361097-92-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Yicong Yang

The timer frequency is decided by the host (kvm) rather than a fixed RISCV_ACLINT_DEFAULT_TIMEBASE_FREQ on kvm accelerated VM. So build RHCT with KVM provided timer frequency if KVM is enabled, just like how we build the timer node on DT based VM.

Fixes: ebfd39289370 ("hw/riscv/virt: virt-acpi-build.c: Add RHCT Table")
Signed-off-by: Yicong Yang
Reviewed-by: Andrew Jones
Message-ID: <20260325081314.57089-1-yang.yicong@picoheart.com>
Signed-off-by: Alistair Francis
(cherry picked from commit 4cb2f91773e8ec9511002de851734820f7ba64fe)
Signed-off-by: Michael Tokarev diff --git a/hw/riscv/virt-acpi-build.c b/hw/riscv/virt-acpi-build.c index f1406cb683..fd6ca5dbc4 100644 --- a/hw/riscv/virt-acpi-build.c +++ b/hw/riscv/virt-acpi-build.c @@ -35,9 +35,11 @@ #include "hw/riscv/virt.h" #include "hw/riscv/numa.h" #include "hw/virtio/virtio-acpi.h" +#include "kvm/kvm_riscv.h" #include "migration/vmstate.h" #include "qapi/error.h" #include "qemu/error-report.h" +#include "system/kvm.h" #include "system/reset.h" =20 #define ACPI_BUILD_TABLE_SIZE 0x20000 
@@ -296,7 +298,10 @@ static void build_rhct(GArray *table_data, =20 /* Time Base Frequency */ build_append_int_noprefix(table_data, - RISCV_ACLINT_DEFAULT_TIMEBASE_FREQ, 8); + kvm_enabled() ? + kvm_riscv_get_timebase_frequency(&s->soc->ha= rts[0]) : + RISCV_ACLINT_DEFAULT_TIMEBASE_FREQ, + 8); =20 /* ISA + N hart info */ num_rhct_nodes =3D 1 + ms->smp.cpus; --=20 2.47.3
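Review bot: in the build_rhct() hunk (patch 092), the frequency is read from &s->soc->harts[0] only, which assumes every hart reports the same timebase as the first one; state that assumption in the comment above the Time Base Frequency field. The four-line conditional inside the build_append_int_noprefix() argument list is also hard to read, and computing the value into a local uint64_t before the call would keep the call itself on one line.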
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Sebastián Alba Vives, Alistair Francis, Michael Tokarev
Subject: [Stable-10.2.3 093/117] target/riscv: fix stale ptshift and base on page walk restart
Date: Tue, 12 May 2026 23:54:35 +0300
Message-ID: <20260512205503.361097-93-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Sebastián Alba Vives

When the atomic compare-and-swap for updating A/D bits in the page table entry fails due to a concurrent PTE modification by another vCPU, get_physical_address() jumps to the 'restart' label to re-walk the page table from the root. However, neither 'ptshift' nor 'base' are re-initialized before the restart.

After the walk completes, ptshift has been decremented to its final value and base has been overwritten with an inner PTE PPN. On goto restart, the for loop resets i=0 but ptshift and base remain stale, causing the restarted walk to compute incorrect PTE addresses.

In an SMP guest with MTTCG and Svadu active, this can result in incorrect physical address mappings or guest crashes.

Fix by saving the root base address and re-initializing both ptshift and base on each restart.

Fixes: 0c3e702aca ("RISC-V CPU Helpers")
Signed-off-by: Sebastián Alba Vives
Reviewed-by: Alistair Francis
Message-ID: <20260401053853.10473-1-sebasjosue84@gmail.com>
Signed-off-by: Alistair Francis
(cherry picked from commit b2e874bfec59f6150b49a70df0529458efa0726b)
Signed-off-by: Michael Tokarev
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c index c4fb68b5de..024213fb4b 100644 --- a/target/riscv/cpu_helper.c +++ b/target/riscv/cpu_helper.c
@@ -1316,12 +1316,15 @@ static int get_physical_address(CPURISCVState *env,= hwaddr *physical, adue =3D adue && (env->henvcfg & HENVCFG_ADUE); } =20 - int ptshift =3D (levels - 1) * ptidxbits; + int ptshift; target_ulong pte; hwaddr pte_addr; + const hwaddr base_root =3D base; int i; =20 restart: + ptshift =3D (levels - 1) * ptidxbits; + base =3D base_root; for (i =3D 0; i < levels; i++, ptshift -=3D ptidxbits) { target_ulong idx; if (i =3D=3D 0) { --=20 2.47.3
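Review bot: in the get_physical_address() hunk (patch 093), the two assignments added after the restart label carry no comment saying that they undo state the loop has modified, and any other variable the loop body carries across iterations would need the same reset. Add a short comment at the label listing what is reset and why, or turn the retry into an outer loop whose body declares ptshift and base, so that later edits cannot reintroduce a walk that restarts from stale state.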
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Sebastián Alba Vives, qemu-security@nongnu.org, Alistair Francis, Michael Tokarev
Subject: [Stable-10.2.3 094/117] hw/intc: fix heap OOB in ACLINT MTIMER multi-socket
Date: Tue, 12 May 2026 23:54:36 +0300
Message-ID: <20260512205503.361097-94-mjt@tls.msk.ru>
Content-Transfer-Encoding: quoted-printable

From: Sebastián Alba Vives

The MMIO read/write handlers index timecmp[] with the absolute hartid (hartid_base + offset) but the array is allocated with num_harts elements. In multi-socket configurations with hartid_base > 0 this causes heap OOB access in the QEMU process.

Fix by using the relative offset for array indexing.

Cc: qemu-security@nongnu.org
Signed-off-by: Sebastián Alba Vives
Reviewed-by: Alistair Francis
Message-ID: <20260401053853.10473-2-sebasjosue84@gmail.com>
Signed-off-by: Alistair Francis (cherry picked from commit d5b33fc180f557ee3574cef9c64650174d0ef5dd) Signed-off-by: Michael Tokarev diff --git a/hw/intc/riscv_aclint.c b/hw/intc/riscv_aclint.c index c6f13f647e..bd6b9ae586 100644 --- a/hw/intc/riscv_aclint.c +++ b/hw/intc/riscv_aclint.c @@ -131,6 +131,7 @@ static uint64_t riscv_aclint_mtimer_read(void *opaque, = hwaddr addr, addr < (mtimer->timecmp_base + (mtimer->num_harts << 3))) { size_t hartid =3D mtimer->hartid_base + ((addr - mtimer->timecmp_base) >> 3); + size_t hartid_offset =3D hartid - mtimer->hartid_base; CPUState *cpu =3D cpu_by_arch_id(hartid); CPURISCVState *env =3D cpu ? cpu_env(cpu) : NULL; if (!env) { @@ -138,11 +139,11 @@ static uint64_t riscv_aclint_mtimer_read(void *opaque= , hwaddr addr, "aclint-mtimer: invalid hartid: %zu", hartid); } else if ((addr & 0x7) =3D=3D 0) { /* timecmp_lo for RV32/RV64 or timecmp for RV64 */ - uint64_t timecmp =3D mtimer->timecmp[hartid]; + uint64_t timecmp =3D mtimer->timecmp[hartid_offset]; return (size =3D=3D 4) ? (timecmp & 0xFFFFFFFF) : timecmp; } else if ((addr & 0x7) =3D=3D 4) { /* timecmp_hi */ - uint64_t timecmp =3D mtimer->timecmp[hartid]; + uint64_t timecmp =3D mtimer->timecmp[hartid_offset]; return (timecmp >> 32) & 0xFFFFFFFF; } else { qemu_log_mask(LOG_UNIMP, @@ -174,6 +175,7 @@ static void riscv_aclint_mtimer_write(void *opaque, hwa= ddr addr, addr < (mtimer->timecmp_base + (mtimer->num_harts << 3))) { size_t hartid =3D mtimer->hartid_base + ((addr - mtimer->timecmp_base) >> 3); + size_t hartid_offset =3D hartid - mtimer->hartid_base; CPUState *cpu =3D cpu_by_arch_id(hartid); CPURISCVState *env =3D cpu ? cpu_env(cpu) : NULL; if (!env) { 
@@ -182,7 +184,7 @@ static void riscv_aclint_mtimer_write(void *opaque, hwa= ddr addr, } else if ((addr & 0x7) =3D=3D 0) { if (size =3D=3D 4) { /* timecmp_lo for RV32/RV64 */ - uint64_t timecmp_hi =3D mtimer->timecmp[hartid] >> 32; + uint64_t timecmp_hi =3D mtimer->timecmp[hartid_offset] >> = 32; riscv_aclint_mtimer_write_timecmp(mtimer, RISCV_CPU(cpu), = hartid, timecmp_hi << 32 | (value & 0xFFFFFFFF)); } else { 
@@ -193,7 +195,7 @@ static void riscv_aclint_mtimer_write(void *opaque, hwa= ddr addr, } else if ((addr & 0x7) =3D=3D 4) { if (size =3D=3D 4) { /* timecmp_hi for RV32/RV64 */ - uint64_t timecmp_lo =3D mtimer->timecmp[hartid]; + uint64_t timecmp_lo =3D mtimer->timecmp[hartid_offset]; riscv_aclint_mtimer_write_timecmp(mtimer, RISCV_CPU(cpu), = hartid, value << 32 | (timecmp_lo & 0xFFFFFFFF)); } else { --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778621706; cv=none; d=zohomail.com; s=zohoarc; b=VAeLA1G+Xatusq89wdd07bJHJtK6epR1OLiQ/CxIevcMHHZOUFaMZ2093cn/qV7IH44NOcHv55lsJbyOwltW2dYQtr30KrvWr36OGcMKASncFnheMs6epOysopdgY2pKWDhyhqTshyIGlKttIEQjja0T3UmLeCBTooBwxHb6L9k= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778621706; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=OL7AXT4rARbM/FRXvikmgjZC50MltXOfBlqcXfKEDxE=; b=RJqzqafX+L6Y+OLcyPvsfbwxo0WMjj1Vobt/FHhLz0Kw3HcfLKrmFlxX4yP0o7mqDDSSABKRqg0kMtA320E6CLXAcxrjZ9gqi+rH5LQkmlSwMR9zC4BV70g/fC735WjVS9rU+ywHkqbCoF/3XYPLzpsXpWYbhj1HKTAnP4XxuDs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778621706825166.5551920702036; Tue, 12 May 2026 14:35:06 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 
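Review bot: in both riscv_aclint_mtimer_read() and riscv_aclint_mtimer_write(), hartid_offset is obtained by adding hartid_base and subtracting it again on the next line ("size_t hartid_offset = hartid - mtimer->hartid_base;"). Computing the offset first as (addr - mtimer->timecmp_base) >> 3 and deriving hartid from it would make it obvious that the array index is bounded by the "addr < timecmp_base + (num_harts << 3)" range check just above, which is the property this fix depends on.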
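Review bot: the 4-byte write paths at @@ -182 and @@ -193 now read timecmp[hartid_offset], but the result is still stored through riscv_aclint_mtimer_write_timecmp(mtimer, RISCV_CPU(cpu), hartid, ...) with the absolute hartid. That callee is not touched by this patch, so please confirm it does not index timecmp[] or another num_harts-sized array with the hartid it is given; otherwise the load side is fixed while the store side can still land outside the allocation when hartid_base > 0. The 8-byte "else" branches are cut off in the context and need the same check.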
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Munkhbaatar Enkhbaatar, Alistair Francis, Tao Tang, Philippe Mathieu-Daudé, Chao Liu, Michael Tokarev
Subject: [Stable-10.2.3 095/117] riscv_htif: reject invalid signature ranges (end <= begin)
Date: Tue, 12 May 2026 23:54:37 +0300
Message-ID: <20260512205503.361097-95-mjt@tls.msk.ru>

From: Munkhbaatar Enkhbaatar

Prevents huge allocations and crashes caused by malformed HTIF signature addresses.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3205
Signed-off-by: Munkhbaatar Enkhbaatar
Reviewed-by: Alistair Francis
Message-ID: <20251209085349.61510-1-munkhuu0825@gmail.com>
[ Squashed with following commit to fix build failures
hw/char/riscv_htif: Fix format specifier for uint64_t
Message-ID: <20260415134826.1742308-1-chao.liu.zevorn@gmail.com>
Signed-off-by: Chao Liu ]
Tested-by: Tao Tang
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Chao Liu
Signed-off-by: Alistair Francis
(cherry picked from commit 14808578ccbcd17d474c98bb53b60452888f8529)
Signed-off-by: Michael Tokarev

diff --git a/hw/char/riscv_htif.c b/hw/char/riscv_htif.c index a78ea9b01c..9a0049063f 100644 --- a/hw/char/riscv_htif.c +++ b/hw/char/riscv_htif.c
@@ -170,6 +170,12 @@ static void htif_handle_tohost_write(HTIFState *s, uin= t64_t val_written) * begin/end_signature symbols exist. */ if (sig_file && begin_sig_addr && end_sig_addr) { + if (end_sig_addr <=3D begin_sig_addr) { + error_report("Invalid HTIF signature range:" + " begin=3D0x%" PRIx64 " end=3D0x%" PR= Ix64, + begin_sig_addr, end_sig_addr); + return; + } uint64_t sig_len =3D end_sig_addr - begin_sig_addr; char *sig_data =3D g_malloc(sig_len); dma_memory_read(&address_space_memory, begin_sig_addr, --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778622101; cv=none; d=zohomail.com; s=zohoarc; b=lY9HA06t6LT4c/WSPiKPmo2e70vvfuH9NVGgga5Jm/PJDK9++0+Xf7Xo7YdaSkLG0G0ZsJB7RcWfCSBwQaPoqFQYAZUKmvrrHmbaDI6ieHe+ilTlaVs9C975d6hwVZ3cLhKW+Tp2gel6F2dLOlMs6SvZidMFDuVxc3KfIl4IcCE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778622101; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=H8NRV8Hp4vaYtCzbYkZ4nzQ+iPudBYE+8g/JGbSLt7o=; b=AixlOmWdn3Gok/5utTTav7SC+gXkc00qxdoMadTp800BNluS5VAw48JDWfzEHfInL1fOLMt0CammgaYkfkknpqH+HErg6r3c6Kae3ScNQuFjb77qZIzGFgm6F/3PNXHHM5pF92ecYpXowOw+pBdPns+t6P28Jtz+yCkPq1ybbGc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778622101357651.8864800668492; Tue, 12 May 2026 14:41:41 -0700 
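Review bot: the new "end_sig_addr <= begin_sig_addr" test in htif_handle_tohost_write() rejects empty and inverted ranges, but sig_len still has no upper bound before g_malloc(sig_len). A range with a small begin and a very large end passes the check and requests an allocation of arbitrary size, and g_malloc aborts the process when it cannot satisfy the request, so the "huge allocations" case named in the commit message is only partly covered. Consider capping sig_len at a sane maximum, or using a failable allocation and reporting the error. Minor: the sig_len and sig_data declarations now follow a statement inside the block; moving them above the check keeps declarations at the top of the block.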
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Alistair Francis, Daniel Henrique Barboza, Chao Liu, Michael Tokarev
Subject: [Stable-10.2.3 096/117] target/riscv: Generate access fault if sc comparison fails
Date: Tue, 12 May 2026 23:54:38 +0300
Message-ID: <20260512205503.361097-96-mjt@tls.msk.ru>

From: Alistair Francis

The RISC-V spec states:

"For the purposes of memory protection, a failed SC.W may be treated like a store."

So if the comparison in sc.w fails we should still check for alignment and do a probe access to check permissions.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3323
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3136
Signed-off-by: Alistair Francis
Reviewed-by: Daniel Henrique Barboza
Reviewed-by: Chao Liu
Message-ID: <20260415233740.3027321-2-alistair.francis@wdc.com>
Signed-off-by: Alistair Francis (cherry picked from commit d107b748072cea3f86089a4a7b2e83f1a62745f2) Signed-off-by: Michael Tokarev diff --git a/target/riscv/helper.h b/target/riscv/helper.h index b785456ee0..fa16ab2b82 100644 --- a/target/riscv/helper.h +++ b/target/riscv/helper.h @@ -1289,3 +1289,6 @@ DEF_HELPER_4(vsm4r_vs, void, ptr, ptr, env, i32) #ifndef CONFIG_USER_ONLY DEF_HELPER_1(ssamoswap_disabled, void, env) #endif + +/* Zalrsc SC write probe */ +DEF_HELPER_FLAGS_3(sc_probe_write, TCG_CALL_NO_WG, void, env, tl, tl) diff --git a/target/riscv/insn_trans/trans_rva.c.inc b/target/riscv/insn_tr= ans/trans_rva.c.inc index a7a3278d24..62c0fe673d 100644 --- a/target/riscv/insn_trans/trans_rva.c.inc +++ b/target/riscv/insn_trans/trans_rva.c.inc @@ -90,6 +90,12 @@ static bool gen_sc(DisasContext *ctx, arg_atomic *a, Mem= Op mop) */ TCGBar bar_strl =3D (ctx->ztso || a->rl) ? TCG_BAR_STRL : 0; tcg_gen_mb(TCG_MO_ALL + a->aq * TCG_BAR_LDAQ + bar_strl); + /* + * "For the purposes of memory protection, a failed SC.W may be treated + * like a store." so let's check the write access permissions + */ + gen_helper_sc_probe_write(tcg_env, src1, + tcg_constant_tl(memop_size(mop))); gen_set_gpr(ctx, a->rd, tcg_constant_tl(1)); =20 gen_set_label(l2); diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c index 6ccc127c30..b569366369 100644 --- a/target/riscv/op_helper.c +++ b/target/riscv/op_helper.c 
@@ -281,6 +281,20 @@ void helper_cbo_inval(CPURISCVState *env, target_ulong= address) /* We don't emulate the cache-hierarchy, so we're done. */ } =20 +void helper_sc_probe_write(CPURISCVState *env, target_ulong addr, + target_ulong size) +{ + uintptr_t ra =3D GETPC(); + int mmu_idx =3D riscv_env_mmu_index(env, false); + + if (addr & (size - 1)) { + env->badaddr =3D addr; + riscv_raise_exception(env, RISCV_EXCP_STORE_AMO_ADDR_MIS, ra); + } + + probe_write(env, addr, size, mmu_idx, ra); +} + #ifndef CONFIG_USER_ONLY =20 target_ulong helper_sret(CPURISCVState *env) --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778622283; cv=none; d=zohomail.com; s=zohoarc; b=XeswAn/yQcG8t5Y242t7/ndX61MYnzHjZZpU7dLLbSOwhgNFSymo8V+8EjTYUlNeOGVmd4a1mWyztrpDUBj/oX+ExUj42CB645rXS2Dq+LI2Mo78SFaZm9Ha6KnPLUraEW4IiSUGSVlgds6Prv4LWXR3yM1o7nwhmE3ALs4O4pU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778622283; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=xfJ5lWhGzJI1s3RMUctF8ymVdM/1JbYy/cAvp0RKPO4=; b=OVpiWQPARlOWNPFeZA0EsGM8CBHb2IqrQUb8XY9A3J0VNpspIfQMclTg4G4lhENKGEtrxvGPYGOTFRQlX4bxOJKQkHkYrZUpwu8/BCbj3G78lk9e9PUe/aoVFvGMT1oErnwF3so8RDuzOwNz8jqeLtCAmcUd6+c/4l9dIBu6f14= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS 
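Review bot: helper_sc_probe_write() in op_helper.c recomputes the MMU index with riscv_env_mmu_index(env, false) instead of being handed one by gen_sc(), which has the DisasContext available. The store on the success path is not shown here; if the index it uses can differ from the recomputed one, the probe checks permissions for a different access than the real store would make, and passing the index as a helper argument would remove the question. Two documentation points: "addr & (size - 1)" is a valid alignment test only for power-of-two sizes, which holds for memop_size(mop) but deserves a one-line comment, and the helper.h comment ("Zalrsc SC write probe") could say that the probe is emitted only on the failed-comparison path.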
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Alistair Francis, Chao Liu, Nutty Liu, Michael Tokarev
Subject: [Stable-10.2.3 097/117] target/riscv: Don't OR mip.SEIP when mvien is one
Date: Tue, 12 May 2026 23:54:39 +0300
Message-ID: <20260512205503.361097-97-mjt@tls.msk.ru>

From: Alistair Francis

The RISC-V spec states that

"""
But when bit 9 of mvien is one, bit SEIP in mip is read-only and does not include the value of bit 9 of mvip. Rather, the value of mip.SEIP is simply the supervisor external interrupt signal from the hart’s external interrupt controller (APLIC or IMSIC).
"""

As such let's mark the mip.SEIP in rmw_mip64().

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2828
Signed-off-by: Alistair Francis
Reviewed-by: Chao Liu
Reviewed-by: Nutty Liu
Message-ID: <20260415233740.3027321-4-alistair.francis@wdc.com>
Signed-off-by: Alistair Francis
(cherry picked from commit 175afdb0d155a7429e2ac0c568c1c807953444a4)
Signed-off-by: Michael Tokarev

diff --git a/target/riscv/csr.c b/target/riscv/csr.c index 5c91658c3d..6da5aa47da 100644 --- a/target/riscv/csr.c +++ b/target/riscv/csr.c
@@ -3695,6 +3695,14 @@ static RISCVException rmw_mip64(CPURISCVState *env, = int csrno, uint64_t old_mip, mask =3D wr_mask & delegable_ints; uint32_t gin; =20 + /* + * When mvien[9]=3D1, mip.SEIP is read-only and reflects only + * the external interrupt signal from the interrupt controller. + */ + if (env->mvien & MIP_SEIP) { + mask &=3D ~MIP_SEIP; + } + if (mask & MIP_SEIP) { env->software_seip =3D new_val & MIP_SEIP; new_val |=3D env->external_seip * MIP_SEIP; --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620860; cv=none; d=zohomail.com; s=zohoarc; b=SCTVdT+S5GeSBLwSvWy4pjm9iS2m9ITPItDOohpjt3RjFV1tqlw9zYgRquKG+CzawHyElReM3WbArtY1JtNY4faYqebHfwgqO70kd80TjL4RIxzhDBQ9/K++y0+XVYjafQ5JTMz5QYEjeRq5wNlEhS1E6B+9QjHGaTRdFXDICe8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620860; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=lunuRhPgpMVMSM3ELPn3z5ruHiG4+1H++NCJd2E8Joo=; b=RLyllCJfllbGlhsO+ow8YvusJbi3uz1oL0KALtpKJOWg8suWSnimIUfoOphKpqBESetk4dmKJWpToqc+73Yd13ov6pn5bKxbQdqUGzAv6Px8Wx7U6ZA11bOWsgvCGVkDOD4kGfT3ORsUXzb/ghSGczYGV3GwzaL39kURw0HyrKI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1778620860508343.2590574787257; Tue, 12 May 2026 14:21:00 -0700 (PDT) Received: from localhost ([::1] 
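Review bot: clearing MIP_SEIP from mask when "env->mvien & MIP_SEIP" is set skips the following "if (mask & MIP_SEIP)" block in rmw_mip64(), so env->software_seip keeps whatever was written before mvien[9] was enabled. The hunk does not show how the value returned to the guest is assembled; please confirm that a stale software_seip (or bit 9 of mvip) cannot still appear in mip.SEIP on reads, since the quoted spec text requires the bit to reflect only the external interrupt signal. A test that sets SEIP, then sets mvien[9], then reads mip would cover this.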
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Alistair Francis, Daniel Henrique Barboza, LIU Zhiwei, Chao Liu, Max Chou, Michael Tokarev
Subject: [Stable-10.2.3 098/117] target/riscv: Use ELEN for Fractional LMUL check
Date: Tue, 12 May 2026 23:54:40 +0300
Message-ID: <20260512205503.361097-98-mjt@tls.msk.ru>

From: Alistair Francis

The RISC-V spec states that

"""
For a given supported fractional LMUL setting, implementations must support SEW settings between SEWMIN and LMUL * ELEN, inclusive.
"""

We were previously checking VLEN, instead of ELEN, so let's update to check ELEN instead of VLEN for fractional scaling.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3196
Signed-off-by: Alistair Francis
Reviewed-by: Daniel Henrique Barboza
Reviewed-by: LIU Zhiwei
Reviewed-by: Chao Liu
Reviewed-by: Max Chou
Message-ID: <20260415233740.3027321-5-alistair.francis@wdc.com>
Signed-off-by: Alistair Francis
(cherry picked from commit 5dcc64828dc79c2426905db5fae885f6ccf93347)
(Mjt: context fixup)
Signed-off-by: Michael Tokarev

diff --git a/target/riscv/vector_helper.c b/target/riscv/vector_helper.c index 6c0de3f82d..cb2c3148e5 100644 --- a/target/riscv/vector_helper.c +++ b/target/riscv/vector_helper.c
@@ -47,18 +47,17 @@ target_ulong HELPER(vsetvl)(CPURISCVState *env, target_= ulong s1, target_ulong reserved =3D s2 & MAKE_64BIT_MASK(R_VTYPE_RESERVED_SHIFT, xlen - 1 - R_VTYPE_RESERVED_SH= IFT); - uint16_t vlen =3D cpu->cfg.vlenb << 3; int8_t lmul; =20 if (vlmul & 4) { /* * Fractional LMUL, check: * - * VLEN * LMUL >=3D SEW - * VLEN >> (8 - lmul) >=3D sew - * (vlenb << 3) >> (8 - lmul) >=3D sew + * ELEN * LMUL >=3D SEW + * ELEN >> (8 - vlmul) >=3D sew */ - if (vlmul =3D=3D 4 || (vlen >> (8 - vlmul)) < sew) { + if (vlmul =3D=3D 4 || + (cpu->cfg.elen >> (8 - vlmul)) < sew) { vill =3D true; } } --=20 2.47.3 From nobody Sat May 30 17:45:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1778620796; cv=none; d=zohomail.com; s=zohoarc; b=Pk53d60WkwNAy1B19u4FPPRaicKlD6rsw58Z8EJQ6GSFfvx19wt1Vj/O3CP509KOhUIAW5pXm4kAP3RQP2reshCKOpJU5sOGMf89QJ7iXhdwGt/u5qfbIK0XWdoAVCmGxbSLt14LsmASnfh+tc7xLF1RnpJRQnw+UrAc5HlrP5M= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778620796; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=Kr69M++KAyvvMxp865C20nOin67IapzZm1S+6FNLhwA=; b=OtA5Nl73wmD2xX+zv36pgM6+Yz8ICDn81ayHg1NjyP7VGaNYjoDAbdAxATEh3EqlqerDElWBIUwA8HmqPXfJeXUz0rmhaNgR7Eks5sJzhUayw5kekSr3P3iWaAPDu4oADR1JTKSR10YvMRyr8cKapJTJc4W09prDvl0yb0Lvnkw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) by 
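Review bot: switching the fractional-LMUL test in HELPER(vsetvl) from "vlen >> (8 - vlmul)" to "cpu->cfg.elen >> (8 - vlmul)" makes vsetvl set vill for SEW values that were accepted before whenever VLEN is larger than ELEN. That is a guest-visible change going into a stable branch, and the commit message only restates the spec rule; a sentence naming the affected configurations would help downstream users. The rewritten comment would also be easier to verify if it stated that vlmul values 5 to 7 encode LMUL 1/8 to 1/2, which is what the shift by (8 - vlmul) relies on.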
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Helge Deller, Michael Tokarev
Subject: [Stable-10.2.3 099/117] linux-user: Add missing CDROM ioctls
Date: Tue, 12 May 2026 23:54:41 +0300
Message-ID: <20260512205503.361097-99-mjt@tls.msk.ru>

From: Helge Deller

Add the missing CDROM ioctls and bring them in same order as documentation.

Signed-off-by: Helge Deller
(cherry picked from commit dcb6e96257eea926aef16854bed0871b0605a8b9)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h index 5b7d00e92f..aa485ee6e5 100644 --- a/linux-user/ioctls.h +++ b/linux-user/ioctls.h
@@ -416,19 +416,18 @@ #endif =20 IOCTL(CDROMPAUSE, 0, TYPE_NULL) - IOCTL(CDROMSTART, 0, TYPE_NULL) - IOCTL(CDROMSTOP, 0, TYPE_NULL) IOCTL(CDROMRESUME, 0, TYPE_NULL) - IOCTL(CDROMEJECT, 0, TYPE_NULL) - IOCTL(CDROMEJECT_SW, 0, TYPE_INT) - IOCTL(CDROMCLOSETRAY, 0, TYPE_NULL) - IOCTL(CDROMRESET, 0, TYPE_NULL) IOCTL(CDROMPLAYMSF, IOC_W, MK_PTR(TYPE_INT)) IOCTL(CDROMPLAYTRKIND, IOC_W, MK_PTR(TYPE_INT)) IOCTL(CDROMREADTOCHDR, IOC_R, MK_PTR(TYPE_INT)) IOCTL(CDROMREADTOCENTRY, IOC_RW, MK_PTR(TYPE_INT)) + IOCTL(CDROMSTOP, 0, TYPE_NULL) + IOCTL(CDROMSTART, 0, TYPE_NULL) + IOCTL(CDROMEJECT, 0, TYPE_NULL) IOCTL(CDROMVOLCTRL, IOC_W, MK_PTR(TYPE_INT)) IOCTL(CDROMSUBCHNL, IOC_RW, MK_PTR(TYPE_INT)) + IOCTL(CDROMEJECT_SW, IOC_W, TYPE_INT) + IOCTL(CDROMRESET, 0, TYPE_NULL) /* XXX: incorrect (need specific handling) */ IOCTL(CDROMREADAUDIO, IOC_W, MK_PTR(MK_STRUCT(STRUCT_cdrom_read_audio))) IOCTL(CDROMREADCOOKED, IOC_RW, MK_PTR(TYPE_INT)) 
@@ -438,16 +437,22 @@ IOCTL(CDROMREADALL, IOC_RW, MK_PTR(TYPE_INT)) IOCTL(CDROMMULTISESSION, IOC_RW, MK_PTR(TYPE_INT)) IOCTL(CDROM_GET_UPC, IOC_R, MK_PTR(TYPE_INT)) + IOCTL(CDROM_LAST_WRITTEN, IOC_R, MK_PTR(TYPE_LONG)) IOCTL(CDROMVOLREAD, IOC_R, MK_PTR(TYPE_INT)) IOCTL(CDROMSEEK, IOC_W, MK_PTR(TYPE_INT)) IOCTL(CDROMPLAYBLK, IOC_W, MK_PTR(TYPE_INT)) - IOCTL(CDROM_MEDIA_CHANGED, 0, TYPE_NULL) - IOCTL(CDROM_SET_OPTIONS, 0, TYPE_INT) - IOCTL(CDROM_CLEAR_OPTIONS, 0, TYPE_INT) - IOCTL(CDROM_SELECT_SPEED, 0, TYPE_INT) - IOCTL(CDROM_SELECT_DISC, 0, TYPE_INT) - IOCTL(CDROM_DRIVE_STATUS, 0, TYPE_NULL) + IOCTL(CDROMCLOSETRAY, 0, TYPE_NULL) + IOCTL(CDROM_SET_OPTIONS, IOC_W, TYPE_INT) + IOCTL(CDROM_CLEAR_OPTIONS, IOC_W, TYPE_INT) + IOCTL(CDROM_SELECT_SPEED, IOC_W, TYPE_INT) + IOCTL(CDROM_SELECT_DISC, IOC_W, TYPE_INT) + IOCTL(CDROM_MEDIA_CHANGED, IOC_W, TYPE_INT) + IOCTL(CDROM_DRIVE_STATUS, IOC_W, TYPE_INT) IOCTL(CDROM_DISC_STATUS, 0, TYPE_NULL) + IOCTL(CDROM_CHANGER_NSLOTS, 0, TYPE_NULL) + IOCTL(CDROM_LOCKDOOR, IOC_W, TYPE_INT) + IOCTL(CDROM_DEBUG, IOC_W, TYPE_INT) + IOCTL(CDROM_GET_CAPABILITY, 0, TYPE_NULL) IOCTL(CDROMAUDIOBUFSIZ, 0, TYPE_INT) =20 #if 0 --=20 2.47.3
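
Review bot: the access flag on existing entries changes along with the reordering, and the commit message does not mention it. CDROMEJECT_SW in the first hunk and CDROM_SET_OPTIONS, CDROM_CLEAR_OPTIONS, CDROM_SELECT_SPEED and CDROM_SELECT_DISC in the second go from `0, TYPE_INT` to `IOC_W, TYPE_INT`, and CDROM_MEDIA_CHANGED and CDROM_DRIVE_STATUS go from `0, TYPE_NULL` to `IOC_W, TYPE_INT`. Please describe these argument corrections in the message, since they change how the guest argument is passed and are more than an ordering cleanup. The untouched context line `IOCTL(CDROMAUDIOBUFSIZ, 0, TYPE_INT)` still uses the old pattern; either give it the same treatment or note why it differs.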
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Helge Deller, Warner Losh, Michael Tokarev
Subject: [Stable-10.2.3 100/117] linux-user: Flush errors by using exit() instead of _exit() in error path
Date: Tue, 12 May 2026 23:54:42 +0300
Message-ID: <20260512205503.361097-100-mjt@tls.msk.ru>

From: Helge Deller

Similar to previous patch - ensure that we always flush I/O by using exit() instead of _exit().

Reported by: Tobias Bergkvist
Reviewed-by: Warner Losh
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2544
Signed-off-by: Helge Deller
(cherry picked from commit 9fb681792d65fa570cb3e1a769945c10bf276d25)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/main.c b/linux-user/main.c index 84e110dfe9..86d04cca3c 100644 --- a/linux-user/main.c +++ b/linux-user/main.c
@@ -975,7 +975,7 @@ int main(int argc, char **argv, char **envp) info, &bprm); if (ret !=3D 0) { printf("Error while loading %s: %s\n", exec_path, strerror(-ret)); - _exit(EXIT_FAILURE); + exit(EXIT_FAILURE); } =20 for (wrk =3D target_environ; *wrk; wrk++) { --=20 2.47.3
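
Review bot: the load-failure message in the context line above the change is written with printf() to stdout, which is why it depends on the exit-time flush at all. exit() fixes the lost output, but it also runs atexit handlers and the rest of the exit-time cleanup this early in main(); please confirm that is wanted on this path. Sending the message to stderr with fprintf(stderr, ...) would also keep it out of the stream the guest program's own output goes to.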
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Helge Deller, Pierrick Bouvier, Michael Tokarev
Subject: [Stable-10.2.3 101/117] linux-user: Allow getsockopt() with NULL optval address
Date: Tue, 12 May 2026 23:54:43 +0300
Message-ID: <20260512205503.361097-101-mjt@tls.msk.ru>

From: Helge Deller

Some programs test availability of socket options by asking for the value with a NULL optval address, which currently always triggers an EFAULT in qemu. Fix it by allowing a NULL address, in the same manner as the Linux kernel on physical machines.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2390
Signed-off-by: Helge Deller
Reviewed-by: Pierrick Bouvier
(cherry picked from commit 08dc3e240fc00213c0eb29b71569dc0ca9301337)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 47270eb15e..8934aa9514 100644
--- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -2647,6 +2647,10 @@ get_timeout: if (ret < 0) { return ret; } + /* special case: destination address is NULL, return 0 */ + if (optval_addr) { + len =3D 0; + } if (len =3D=3D sizeof(struct target__kernel_sock_timeval)) { if (copy_to_user_timeval64(optval_addr, &tv)) { return -TARGET_EFAULT; @@ -2847,7 +2851,10 @@ get_timeout: } if (len > lv) len =3D lv; - if (len =3D=3D 4) { + if (!optval_addr) { + /* writing to NULL does not give error */ + len =3D 0; + } else if (len =3D=3D 4) { if (put_user_u32(val, optval_addr)) return -TARGET_EFAULT; } else { @@ -2880,18 +2887,24 @@ get_timeout: return -TARGET_EINVAL; lv =3D sizeof(lv); ret =3D get_errno(getsockopt(sockfd, level, optname, &val, &lv= )); +write_ret: if (ret < 0) return ret; - if (len < sizeof(int) && len > 0 && val >=3D 0 && val < 255) { + if (!optval_addr) { + len =3D 0; + } else if (len < sizeof(int) && len > 0 && val >=3D 0 && val <= 255) { len =3D 1; - if (put_user_u32(len, optlen) - || put_user_u8(val, optval_addr)) + if (put_user_u8(val, optval_addr)) { return -TARGET_EFAULT; + } } else { if (len > sizeof(int)) len =3D sizeof(int); - if (put_user_u32(len, optlen) - || put_user_u32(val, optval_addr)) + if (put_user_u32(val, optval_addr)) { + return -TARGET_EFAULT; + } + } + if (put_user_u32(len, optlen)) { return -TARGET_EFAULT; } break; @@ -2942,20 +2955,7 @@ get_timeout: return -TARGET_EINVAL; lv =3D sizeof(lv); ret =3D get_errno(getsockopt(sockfd, level, optname, &val, &lv= )); - if (ret < 0) - return ret; - if (len < sizeof(int) && len > 0 && val >=3D 0 && val < 255) { - len =3D 1; - if (put_user_u32(len, optlen) - || put_user_u8(val, optval_addr)) - return -TARGET_EFAULT; - } else { - if (len > sizeof(int)) - len =3D sizeof(int); - if (put_user_u32(len, optlen) - || put_user_u32(val, optval_addr)) - return -TARGET_EFAULT; - } + goto write_ret; break; default: ret =3D -TARGET_ENOPROTOOPT; 
@@ -2989,8 +2989,14 @@ get_timeout: if (ret < 0) { return ret; } - if (put_user_u32(lv, optlen) - || put_user_u32(val, optval_addr)) { + if (optval_addr) { + if (put_user_u32(val, optval_addr)) { + return -TARGET_EFAULT; + } + } else { + lv =3D 0; + } + if (put_user_u32(lv, optlen)) { return -TARGET_EFAULT; } break; --=20 2.47.3
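
Review bot: in the first hunk (get_timeout, @@ -2647) the new test `if (optval_addr)` is the opposite of its own comment ("destination address is NULL") and of the `!optval_addr` tests used in every later hunk. As written, a non-NULL optval gets len = 0 and no longer matches the `len == sizeof(struct target__kernel_sock_timeval)` test that follows, while a NULL optval keeps its length and still reaches copy_to_user_timeval64(). Should this be `if (!optval_addr)`?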
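
Review bot: in the @@ -2942 hunk the `break;` left after `goto write_ret;` is unreachable and can be dropped. The `write_ret:` label it jumps to sits inside a different case body (@@ -2880), so a small helper that stores val and optlen would be easier to follow than a goto across cases. In the @@ -2847 hunk the NULL branch only sets len = 0, and the store of len to optlen is outside the visible context; please check that optlen is still written on that path, as it is in the other hunks.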
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Helge Deller, Michael Tokarev
Subject: [Stable-10.2.3 102/117] linux-user: Translate errno in IP_RECVERR and IPV6_RECVERR
Date: Tue, 12 May 2026 23:54:44 +0300
Message-ID: <20260512205503.361097-102-mjt@tls.msk.ru>

From: Helge Deller

Translate host error codes of IP_RECVERR and IPV6_RECVERR control messages to target error codes before returning to the caller.

For example, this is important for architectures (e.g. hppa, alpha, sparc, mips) on which the value of ECONNREFUSED is different to the value on a x86_64 host.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/602
Signed-off-by: Helge Deller
(cherry picked from commit 9667bf3249256788245c6ca07bc12106f3e4fa22)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 8934aa9514..bb818f35d9 100644
--- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -2011,7 +2011,8 @@ static inline abi_long host_to_target_cmsg(struct tar= get_msghdr *target_msgh, tgt_len !=3D sizeof(struct errhdr_t)) { goto unimplemented; } - __put_user(errh->ee.ee_errno, &target_errh->ee.ee_errno); + __put_user(host_to_target_errno(errh->ee.ee_errno), + &target_errh->ee.ee_errno); __put_user(errh->ee.ee_origin, &target_errh->ee.ee_origin); __put_user(errh->ee.ee_type, &target_errh->ee.ee_type); __put_user(errh->ee.ee_code, &target_errh->ee.ee_code); 
@@ -2065,7 +2066,8 @@ static inline abi_long host_to_target_cmsg(struct tar= get_msghdr *target_msgh, tgt_len !=3D sizeof(struct errhdr6_t)) { goto unimplemented; } - __put_user(errh->ee.ee_errno, &target_errh->ee.ee_errno); + __put_user(host_to_target_errno(errh->ee.ee_errno), + &target_errh->ee.ee_errno); __put_user(errh->ee.ee_origin, &target_errh->ee.ee_origin); __put_user(errh->ee.ee_type, &target_errh->ee.ee_type); __put_user(errh->ee.ee_code, &target_errh->ee.ee_code); --=20 2.47.3
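
Review bot: both hunks (the errhdr_t one and the errhdr6_t one) convert only ee_errno and give no hint in the code why the neighbouring fields are left alone. A one-line comment at each site saying that ee_errno carries a host errno, while ee_origin, ee_type and ee_code are copied unchanged, would keep a later reader from treating the asymmetry as an oversight. Since the commit message names hppa, alpha, sparc and mips as affected, a linux-user test that checks the reported ECONNREFUSED value on one of those targets would guard the fix.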
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, kiki, Zexiang Zhang, Gautam Menghani, Philippe Mathieu-Daudé, Harsh Prateek Bora, Michael Tokarev
Subject: [Stable-10.2.3 103/117] hw/intc/xics: Add a check for an invalid server id
Date: Tue, 12 May 2026 23:54:45 +0300
Message-ID: <20260512205503.361097-103-mjt@tls.msk.ru>

From: kiki

A malformed IVE value can result in an invalid server field being passed to icp_irq(). The function assumes the server id is valid and may access invalid state otherwise, potentially leading to a crash.

Fix this by validating the server id before using it and ignoring invalid values.

Reported-by: Zexiang Zhang
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3324
Signed-off-by: Zexiang Zhang
Signed-off-by: Gautam Menghani
Reviewed-by: Philippe Mathieu-Daudé
Link: https://lore.kernel.org/qemu-devel/20260428103645.50617-1-Gautam.Menghani@ibm.com
Signed-off-by: Harsh Prateek Bora
(cherry picked from commit 1aee8067fce95d15061eca8fbb6772d8a90ea699)
Signed-off-by: Michael Tokarev

diff --git a/hw/intc/xics.c b/hw/intc/xics.c index 200710eb6c..c7312d166f 100644 --- a/hw/intc/xics.c +++ b/hw/intc/xics.c @@ -26,6 +26,7 @@ */ =20 #include "qemu/osdep.h" +#include "qemu/log.h" #include "qapi/error.h" #include "trace.h" #include "qemu/timer.h" 
@@ -222,6 +223,13 @@ void icp_irq(ICSState *ics, int server, int nr, uint8_= t priority) =20 trace_xics_icp_irq(server, nr, priority); =20 + if (!icp) { + qemu_log_mask(LOG_GUEST_ERROR, "XICS: invalid server %d for IRQ 0x= %x\n", + server, nr); + ics_reject(ics, nr); + return; + } + if ((priority >=3D CPPR(icp)) || (XISR(icp) && (icp->pending_priority <=3D priority))) { ics_reject(ics, nr); --=20 2.47.3
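
Review bot: in icp_irq(), the new `if (!icp)` branch calls ics_reject(ics, nr), while the commit message describes the fix as ignoring invalid values. Please confirm that reject is the intended handling: if a rejected interrupt is later resent, it will arrive with the same invalid server and the LOG_GUEST_ERROR line will repeat each time. The lookup that produces icp is outside the visible context, so a short comment stating that it yields NULL for an out-of-range server would make the guard's assumption explicit, since a guest-controlled IVE value is what reaches this path.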
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Cédric Le Goater, Richard Henderson, Michael Tokarev
Subject: [Stable-10.2.3 104/117] tests/rcutorture: Fix build error
Date: Tue, 12 May 2026 23:54:46 +0300
Message-ID: <20260512205503.361097-104-mjt@tls.msk.ru>

From: Cédric Le Goater

Newer gcc compiler (version 16.0.0 20260103 (Red Hat 16.0.0-0) (GCC)) detects an unused variable error:

  ../tests/unit/rcutorture.c: In function ‘rcu_read_stress_test’:
  ../tests/unit/rcutorture.c:251:18: error: variable ‘garbage’ set but not used [-Werror=unused-but-set-variable=]
    251 |     volatile int garbage = 0;
        |                  ^~~~~~~

Since the 'garbage' variable is used to generate memory reads from the CPU while holding the RCU lock, it can not be removed. Tag it as ((unused)) instead to silence the compiler warnings/errors.

Reviewed-by: Richard Henderson
Link: https://lore.kernel.org/qemu-devel/20260112163350.1251114-1-clg@redhat.com
Signed-off-by: Cédric Le Goater
(cherry picked from commit 7a05be8c70bb789c23076b1ca2563ed7d87c6fb8)
Signed-off-by: Michael Tokarev

diff --git a/tests/unit/rcutorture.c b/tests/unit/rcutorture.c index 7662081683..2f19d479a3 100644 --- a/tests/unit/rcutorture.c +++ b/tests/unit/rcutorture.c
@@ -248,7 +248,7 @@ static void *rcu_read_stress_test(void *arg) int pc; long long n_reads_local =3D 0; long long rcu_stress_local[RCU_STRESS_PIPE_LEN + 1] =3D { 0 }; - volatile int garbage =3D 0; + volatile int garbage __attribute__ ((unused)) =3D 0; =20 rcu_register_thread(); =20 --=20 2.47.3
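
Review bot: the declaration now carries a raw `__attribute__ ((unused))`; glib's G_GNUC_UNUSED macro would be the more portable spelling of the same thing. The reason the variable has to stay (it forces memory reads while the RCU read lock is held) is recorded only in the commit message, so a short comment on the declaration would stop someone from deleting it as dead code later.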
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Vivien LEGER, Bernhard Beschow, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.3 105/117] hw/ppc/e500: fix bus-frequency property hardcoded to zero in CPU FDT node
Date: Tue, 12 May 2026 23:54:47 +0300
Message-ID: <20260512205503.361097-105-mjt@tls.msk.ru>

From: Vivien LEGER

The bus-frequency property in the CPU FDT node was hardcoded to 0.
This is incorrect - it should reflect the actual platform bus clock
frequency, as firmware and RTOSes use it to derive peripheral clock
rates.

Notably, the RTEMS QorIQ BSP uses bus-frequency to program the MPIC
global timer interval. With bus-frequency=0, the timer interval
overflows to ~85 seconds, preventing any clock interrupts from firing.

Fix by adding a bus_freq field to PPCE500MachineClass and using it in
the FDT generator. Set bus_freq = PLATFORM_CLK_FREQ_HZ (400MHz) for
existing machines, matching the existing clock_freq value.

Signed-off-by: Vivien LEGER
Reviewed-by: Bernhard Beschow
Message-ID: <20260411154535.1451361-1-vivien.leger@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé
(cherry picked from commit 774e6f5c1533aba9e04f95cb8cfba64d8329fcb0)
Signed-off-by: Michael Tokarev

diff --git a/hw/ppc/e500.c b/hw/ppc/e500.c index 8842f7f6b8..bde8a928f9 100644 --- a/hw/ppc/e500.c +++ b/hw/ppc/e500.c @@ -517,7 +517,7 @@ static int ppce500_load_device_tree(PPCE500MachineState= *pms, env->icache_line_size); qemu_fdt_setprop_cell(fdt, cpu_name, "d-cache-size", 0x8000); qemu_fdt_setprop_cell(fdt, cpu_name, "i-cache-size", 0x8000); - qemu_fdt_setprop_cell(fdt, cpu_name, "bus-frequency", 0); + qemu_fdt_setprop_cell(fdt, cpu_name, "bus-frequency", pmc->bus_fre= q); if (cpu->cpu_index) { qemu_fdt_setprop_string(fdt, cpu_name, "status", "disabled"); qemu_fdt_setprop_string(fdt, cpu_name, "enable-method", diff --git a/hw/ppc/e500.h b/hw/ppc/e500.h index 00f490519c..858684d569 100644 --- a/hw/ppc/e500.h +++ b/hw/ppc/e500.h @@ -40,6 +40,7 @@ struct PPCE500MachineClass { hwaddr pci_mmio_bus_base; hwaddr spin_base; uint32_t clock_freq; + uint32_t bus_freq; uint32_t tb_freq; }; =20 diff --git a/hw/ppc/e500plat.c b/hw/ppc/e500plat.c index 4f1d659e72..dab9e32b96 100644 --- a/hw/ppc/e500plat.c +++ b/hw/ppc/e500plat.c
@@ -94,6 +94,7 @@ static void e500plat_machine_class_init(ObjectClass *oc, = const void *data) pmc->pci_mmio_bus_base =3D 0xE0000000ULL; pmc->spin_base =3D 0xFEF000000ULL; pmc->clock_freq =3D PLATFORM_CLK_FREQ_HZ; + pmc->bus_freq =3D PLATFORM_CLK_FREQ_HZ; pmc->tb_freq =3D PLATFORM_CLK_FREQ_HZ; =20 mc->desc =3D "generic paravirt e500 platform"; diff --git a/hw/ppc/mpc8544ds.c b/hw/ppc/mpc8544ds.c index 582698559d..d022761cb6 100644 --- a/hw/ppc/mpc8544ds.c +++ b/hw/ppc/mpc8544ds.c 
@@ -56,6 +56,7 @@ static void mpc8544ds_machine_class_init(ObjectClass *oc,= const void *data) pmc->pci_pio_base =3D 0xE1000000ULL; pmc->spin_base =3D 0xEF000000ULL; pmc->clock_freq =3D PLATFORM_CLK_FREQ_HZ; + pmc->bus_freq =3D PLATFORM_CLK_FREQ_HZ; pmc->tb_freq =3D PLATFORM_CLK_FREQ_HZ; =20 mc->desc =3D "mpc8544ds"; --=20 2.47.3
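
Review bot: nothing in the hw/ppc/e500.c hunk rejects a zero `pmc->bus_freq`, so a PPCE500MachineClass user that does not set the new field will put bus-frequency = 0 into the CPU node again, which is the failure the commit message describes. e500plat and mpc8544ds are both updated in this patch, but an assertion in ppce500_load_device_tree() that `pmc->bus_freq` is non-zero, or a comment on the field in hw/ppc/e500.h saying every machine must set it, would turn a silent guest timer misconfiguration into an immediate error. The uint32_t field passed to qemu_fdt_setprop_cell() is wide enough for the 400MHz value used here.
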
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, 宋文武, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 106/117] hw/net/allwinner-sun8i-emac: Flush queued packets when rx is enabled
Date: Tue, 12 May 2026 23:54:48 +0300
Message-ID: <20260512205503.361097-106-mjt@tls.msk.ru>

From: 宋文武

The RX_CTL_0 register includes the RX_EN receive-enable bit, which
allwinner_sun8i_emac_can_receive() checks. That means that if the
guest sets it we need to call qemu_flush_queued_packets() as we might
now be able to handle them.

This fixes a bug where networking didn't work in u-boot on the
orangepi-pc machine.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3459
Signed-off-by: 宋文武
Message-id: 20260430040753.3337-1-iyzsong@envs.net
Reviewed-by: Peter Maydell
[PMM: expanded commit message, removed unneeded RX_EN test]
Signed-off-by: Peter Maydell
(cherry picked from commit a7f27d6903b30bcea21c46986cb7507edcbc970c)
Signed-off-by: Michael Tokarev

diff --git a/hw/net/allwinner-sun8i-emac.c b/hw/net/allwinner-sun8i-emac.c index 30a81576b4..9d73a99f54 100644 --- a/hw/net/allwinner-sun8i-emac.c +++ b/hw/net/allwinner-sun8i-emac.c
@@ -727,6 +727,9 @@ static void allwinner_sun8i_emac_write(void *opaque, hw= addr offset, break; case REG_RX_CTL_0: /* Receive Control 0 */ s->rx_ctl0 =3D value; + if (allwinner_sun8i_emac_can_receive(nc)) { + qemu_flush_queued_packets(nc); + } break; case REG_RX_CTL_1: /* Receive Control 1 */ s->rx_ctl1 =3D value | RX_CTL1_RX_MD; --=20 2.47.3
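
Review bot: the added block in the REG_RX_CTL_0 case has no comment explaining why a register write triggers a flush, and it runs on every write that leaves the device able to receive, not only on the write that sets RX_EN. A short comment, for example that packets may have been queued while receive was disabled, would make the intent clear to the next reader. If allwinner_sun8i_emac_can_receive() also depends on state that the guest sets through other registers, which is not visible in this hunk, those write paths need the same flush or packets can stay queued in the same way.
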
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, liugan1, Peter Maydell, Michael Tokarev
Subject: [Stable-10.2.3 107/117] hw/intc/arm_gicv3: Fix NS write to ICC_AP1Rn_EL1 when prebits < 7
Date: Tue, 12 May 2026 23:54:49 +0300
Message-ID: <20260512205503.361097-107-mjt@tls.msk.ru>

From: liugan1

The existing code uses a blanket `regno < 2` check to make
ICC_AP1R0_EL1 and ICC_AP1R1_EL1 writes from Non-secure code WI (Write
Ignore) when EL3 is present. This is intended to prevent NS code from
claiming active interrupts in the Secure priority range, which could
block Secure interrupt delivery.

However, that check assumes prebits=7 (4 APR registers), where the NS
priority range (128..255) maps entirely to AP1R2/AP1R3.

Since commit 39f29e599355 ("hw/intc/arm_gicv3: Use correct number of
priority bits for the CPU", first in 7.1), all QEMU AArch64 CPUs are
initialised with gic_pribits=5 (one APR register), so NS priorities
map to AP1R0 bits [16:31]. Blanket WI of the entire AP1R0 register
prevents NS code from clearing its own NS active priority bits.
Machines using hw_compat_7_0 (e.g. virt-7.0) still force pribits=8 via
force-8-bit-prio and are therefore unaffected.

A concrete consequence observed in virtualisation scenarios: when a
guest VM acknowledges an SPI interrupt but does not perform EOI, is
force-killed and restarted, the new guest's attempt to clear the
residual active state by writing ICC_AP1R0_EL1=0 is silently ignored.
The running priority (RPR) remains stuck at the old interrupt's
priority, preventing all equal-or-lower priority interrupts (including
timer interrupts) from being delivered, and hanging the guest.

Fix this by computing the exact Secure/NS boundary within the APR bank
based on prebits. For registers entirely in the Secure range, keep the
WI behaviour. For the register that straddles the boundary, preserve
only the Secure bits while allowing NS bits to be modified. For
registers entirely in the NS range, allow full write access.

The new logic produces identical behaviour to the old code when
prebits=7, preserving existing behaviour for machines that use
force-8-bit-prio.

Fixes: 39f29e599355 ("hw/intc/arm_gicv3: Use correct number of priority bits for the CPU")
Cc: qemu-stable@nongnu.org
Signed-off-by: liugan1
Message-id: 20260428083119.1400110-1-gs_liugan@163.com
Reviewed-by: Peter Maydell
Signed-off-by: Peter Maydell
(cherry picked from commit f35f0f1ca121fb4931fe98570cda3aeb06b7a87f)
Signed-off-by: Michael Tokarev

diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c index 2e6c1f778a..5b15e4ff1e 100644 --- a/hw/intc/arm_gicv3_cpuif.c +++ b/hw/intc/arm_gicv3_cpuif.c
@@ -1869,9 +1869,40 @@ static void icc_ap_write(CPUARMState *env, const ARM= CPRegInfo *ri, * at a priority outside the Non-secure range (128..255), since this * would otherwise allow malicious NS code to block delivery of S inte= rrupts * by writing a bad value to these registers. + * + * The NS priority range (128..255) maps to APR bits starting at + * aprbit =3D 0x80 >> (8 - prebits). Depending on prebits, this bounda= ry + * may fall within AP1R0 or AP1R1, so we cannot simply WI the entire + * register. Instead we calculate which bits within each register + * correspond to the Secure range and preserve those, while allowing + * NS code to modify only the NS range bits. + * + * prebits=3D4: num_aprs=3D1, NS starts at AP1R0[8] + * prebits=3D5: num_aprs=3D1, NS starts at AP1R0[16] + * prebits=3D6: num_aprs=3D2, NS starts at AP1R1[0] + * prebits=3D7: num_aprs=3D4, NS starts at AP1R2[0] */ - if (grp =3D=3D GICV3_G1NS && regno < 2 && arm_feature(env, ARM_FEATURE= _EL3)) { - return; + if (grp =3D=3D GICV3_G1NS && arm_feature(env, ARM_FEATURE_EL3)) { + int ns_start_bit =3D 0x80 >> (8 - cs->prebits); + int ns_start_regno =3D ns_start_bit / 32; + int ns_start_regbit =3D ns_start_bit % 32; + + if (regno < ns_start_regno) { + /* This entire register is in the Secure range: WI */ + return; + } else if (regno =3D=3D ns_start_regno && ns_start_regbit > 0) { + /* + * This register is split: low bits are Secure, high bits are = NS. + * Preserve the Secure bits (below ns_start_regbit) from the + * current value, and take the NS bits (at and above + * ns_start_regbit) from the written value. 
+ */ + uint32_t secure_mask =3D MAKE_64BIT_MASK(0, ns_start_regbit); + + value =3D (cs->icc_apr[grp][regno] & secure_mask) | + (value & ~secure_mask); + } + /* else: regno > ns_start_regno, entire register is NS: allow writ= e */ } =20 if (cs->nmi_support) { --=20 2.47.3
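
Review bot: `0x80 >> (8 - cs->prebits)` in icc_ap_write() is only meaningful for the prebits values listed in the new comment (4 to 7), and nothing in the hunk enforces that range. A value above 8 would make the shift count negative, and other values give a boundary the comment's table does not cover, so an assertion on `cs->prebits` just before the shift would document the assumption and catch a misconfigured CPU model before it weakens the Secure/NS split. The split-register branch itself keeps the property the existing comment asks for: bits below ns_start_regbit come from `cs->icc_apr[grp][regno]`, so Non-secure code still cannot set an active priority in the Secure range.
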
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Xu, Juraj Marcin, Michael Tokarev
Subject: [Stable-10.2.3 108/117] migration: Fix low possibility downtime violation
Date: Tue, 12 May 2026 23:54:50 +0300
Message-ID: <20260512205503.361097-108-mjt@tls.msk.ru>

From: Peter Xu

When QEMU queried the estimated version of pending data and thinks
it's ready to converge, it'll send another accurate query to make sure
of it. It is needed to make sure we collect the latest reports and
that equation still holds true.

However we missed one tiny little difference here on "<" v.s. "<="
when comparing pending_size (A) to threshold_size (B).. QEMU src only
re-query if A

Link: https://lore.kernel.org/r/20260421202110.306051-3-peterx@redhat.com
Signed-off-by: Peter Xu
(cherry picked from commit 455a6167f25416ce97ea966d6e8301df9fda9a47)
Signed-off-by: Michael Tokarev

diff --git a/migration/migration.c b/migration/migration.c index b316ee01ab..5daf0d84e4 100644 --- a/migration/migration.c +++ b/migration/migration.c 
@@ -3510,7 +3510,7 @@ static MigIterateState migration_iteration_run(Migrat= ionState *s) * postcopy started, so ESTIMATE should always match with EXACT * during postcopy phase. */ - if (pending_size < s->threshold_size) { + if (pending_size <=3D s->threshold_size) { qemu_savevm_state_pending_exact(&must_precopy, &can_postcopy); pending_size =3D must_precopy + can_postcopy; trace_migrate_pending_exact(pending_size, must_precopy, --=20 2.47.3
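
Review bot: the comment above the changed `if` in migration_iteration_run() does not mention the boundary case, so the reason for `<=` rather than `<` lives only in the commit message. Add a sentence there saying the exact query must also run when pending_size equals threshold_size, so that this condition stays in step with whatever comparison decides convergence outside this hunk. If that other comparison is a plain `pending_size <= s->threshold_size` as well, a small shared helper would keep the two from drifting apart again.
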
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Richard Henderson, Pierrick Bouvier, Michael Tokarev
Subject: [Stable-10.2.3 109/117] target/microblaze: Fix endianness used to disassemble
Date: Tue, 12 May 2026 23:54:51 +0300
Message-ID: <20260512205503.361097-109-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

MicroBlaze CPU model has a "little-endian" property, pointing to the
@endi internal field. Commit c36ec3a9655 ("hw/microblaze: Explicit CPU
endianness") took care of having all MicroBlaze boards with an
explicit default endianness (similarly with commit 91fc6d8101d for
linux-user binaries), so later commit 415aae543ed ("target/microblaze:
Consider endianness while translating code") could infer the
endianness at runtime from the @endi field, and not at compile time
via the TARGET_BIG_ENDIAN definition.

Doing so, we forgot to propagate that runtime change to the
disassemble_info structure. Do it now to display the opcodes in
correct endianness order.

Cc: qemu-stable@nongnu.org
Fixes: 415aae543ed ("target/microblaze: Consider endianness while translating code")
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Richard Henderson
Reviewed-by: Pierrick Bouvier
Message-Id: <20260423100612.27278-3-philmd@linaro.org>
(cherry picked from commit 41c417290df91c31a70adeb8f5271896a8c5f802)
Signed-off-by: Michael Tokarev

diff --git a/target/microblaze/cpu.c b/target/microblaze/cpu.c index 22231f09e6..965eedbfaf 100644 --- a/target/microblaze/cpu.c +++ b/target/microblaze/cpu.c
@@ -237,8 +237,8 @@ static void mb_disas_set_info(CPUState *cpu, disassembl= e_info *info) { info->mach =3D bfd_arch_microblaze; info->print_insn =3D print_insn_microblaze; - info->endian =3D TARGET_BIG_ENDIAN ? BFD_ENDIAN_BIG - : BFD_ENDIAN_LITTLE; + info->endian =3D MICROBLAZE_CPU(cpu)->cfg.endi ? BFD_ENDIAN_LITTLE + : BFD_ENDIAN_BIG; } =20 static void mb_cpu_realizefn(DeviceState *dev, Error **errp) --=20 2.47.3
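
Review bot: the new ternary in mb_disas_set_info() changes both the condition and the order of its two results compared with the line it replaces, so it can only be checked by knowing which polarity `cfg.endi` has, and the code does not say. The commit message states that the field backs the "little-endian" property, which makes `endi ? BFD_ENDIAN_LITTLE : BFD_ENDIAN_BIG` correct; a brief comment to that effect at this assignment would let the next reader confirm it without the commit log.
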
4.90_1) (envelope-from ) id 1wMuTm-00059J-GW; Tue, 12 May 2026 17:17:26 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuTV-0002zq-Ul; Tue, 12 May 2026 17:17:10 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wMuTT-0006mE-ET; Tue, 12 May 2026 17:17:09 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 224081AA3AC; Tue, 12 May 2026 23:55:07 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 2D0423ABD1B; Tue, 12 May 2026 23:55:11 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tls.msk.ru; s=202602; t=1778619307; bh=Q9IaUrQ8GBoIzQb0JDHPhBgvBuj9NSR3QyVLqxaJLok=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=TphRkbOyFki2H+KExg48E4S47Rf10YpmZhXvQh15E/7J34EPd5ER8USGJ3MRpIcWt Dx8dQ4dvjDOOlCrl1ZH+LIrtewcUN8x43qvV4MX6kUFxBfQ+uqK272LtjyheTfJYp7 ho0ooQBdMv3tEqzPc8fKBMG7trVpFP+RsHl3om00clHLIVi2xNrtbZGrFiivnLHoN8 UDKDwXnAvqPjFh2uQtsHr8cCT0xkZb36PuGf29tgdgJr2jsAxwHOWPNabEVj78OA4d LjrRoTbUbR8Q6PgUH9BU07SYv186auFQMANd6FVYYcYtGyU+jDugjQVFJh5M3ngazx Ovv/F/p8xD0RA== 
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Philippe Mathieu-Daudé, Alex Bennée, Richard Henderson, Michael Tokarev
Subject: [Stable-10.2.3 110/117] target/arm: Report IL=0 for Thumb 16-bit BKPT insn
Date: Tue, 12 May 2026 23:54:52 +0300
Message-ID: <20260512205503.361097-110-mjt@tls.msk.ru>

From: Peter Maydell

The Thumb BKPT insn is 16-bit, and the ESR_ELx syndrome register definition requires that we set the IL bit to 0 for this, and 1 for the 32-bit A32 and A64 BKPT/BRK. We used to do this correctly, but accidentally lost it in the conversion to decodetree, because we converted the A32 BKPT first, and then when we converted the T16 BKPT we forgot that trans_BKPT() was unconditionally setting IL=1.

Pass the right value for syn_aa32_bkpt()'s is_16bit argument.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3474
Fixes: 43f7e42c7d515f ("target/arm: Convert T16, Miscellaneous 16-bit instructions")
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Alex Bennée
Reviewed-by: Richard Henderson
Message-id: 20260505103726.419195-1-peter.maydell@linaro.org
(cherry picked from commit f443b687636205b7f70029692b244f1f90532cf2)
Signed-off-by: Michael Tokarev
diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c index 0a92300f9b..bca278daf0 100644 --- a/target/arm/tcg/translate.c +++ b/target/arm/tcg/translate.c
@@ -3562,7 +3562,7 @@ static bool trans_BKPT(DisasContext *s, arg_BKPT *a) (a->imm =3D=3D 0xab)) { gen_exception_internal_insn(s, EXCP_SEMIHOST); } else { - gen_exception_bkpt_insn(s, syn_aa32_bkpt(a->imm, false)); + gen_exception_bkpt_insn(s, syn_aa32_bkpt(a->imm, curr_insn_len(s) = =3D=3D 2)); } return true; } --=20 2.47.3
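Review bot: in trans_BKPT(), the new "curr_insn_len(s) == 2" argument carries no comment saying that this function serves both the A32 and the T16 decoder, which is exactly the fact the commit message says was forgotten when the argument was the constant false. A one-line comment above the gen_exception_bkpt_insn() call, stating that the T16 BKPT is a 16-bit insn and must report IL=0, would keep a later refactor from putting a constant back here.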
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Peter Maydell, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-10.2.3 111/117] hw/misc/bcm2835_rng: Specify valid memory access sizes
Date: Tue, 12 May 2026 23:54:53 +0300
Message-ID: <20260512205503.361097-111-mjt@tls.msk.ru>

From: Peter Maydell

The BCM2835 RNG has 32-bit registers only; specify this in the MemoryRegionOps so wrong-sized accesses are rejected rather than getting to the assertions in the read and write functions, and for clarity add the matching .impl constraints.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3394
Fixes: 54a5ba13a9f ("target-arm: Implement BCM2835 hardware RNG")
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Message-id: 20260501162700.4092512-1-peter.maydell@linaro.org
(cherry picked from commit 18b664c90085b0d2be9c2ad8c747e00a7a733402)
Signed-off-by: Michael Tokarev
diff --git a/hw/misc/bcm2835_rng.c b/hw/misc/bcm2835_rng.c index e4d2c224c8..4492e325b4 100644 --- a/hw/misc/bcm2835_rng.c +++ b/hw/misc/bcm2835_rng.c
@@ -93,6 +93,10 @@ static const MemoryRegionOps bcm2835_rng_ops =3D { .read =3D bcm2835_rng_read, .write =3D bcm2835_rng_write, .endianness =3D DEVICE_NATIVE_ENDIAN, + .impl.min_access_size =3D 4, + .impl.max_access_size =3D 4, + .valid.min_access_size =3D 4, + .valid.max_access_size =3D 4, }; =20 static const VMStateDescription vmstate_bcm2835_rng =3D { --=20 2.47.3
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Gerd Hoffmann, Katherine Leaver, Michael Tokarev
Subject: [Stable-10.2.3 112/117] hw/uefi: fix buffer overruns
Date: Tue, 12 May 2026 23:54:54 +0300
Message-ID: <20260512205503.361097-112-mjt@tls.msk.ru>

From: Gerd Hoffmann

The buffer size checks do not consider the mm_header size, similar to CVE-2026-5744.

Factor out the repeated size check to a small helper function, fix the check, update all places to use the new helper.

Fixes: CVE-2026-41435
Fixes: db1ecfb473ac ("hw/uefi: add var-service-vars.c")
Reported-by: Katherine Leaver
Signed-off-by: Gerd Hoffmann
Message-ID: <20260422092910.444997-2-kraxel@redhat.com>
(cherry picked from commit f252769a23e67765f9b95d8944ca3da6c9edf58b)
Signed-off-by: Michael Tokarev
diff --git a/hw/uefi/var-service-vars.c b/hw/uefi/var-service-vars.c index 5607763525..922f6dd963 100644 --- a/hw/uefi/var-service-vars.c +++ b/hw/uefi/var-service-vars.c @@ -260,6 +260,17 @@ static size_t uefi_vars_mm_error(mm_header *mhdr, mm_v= ariable *mvar, return sizeof(*mvar); } =20 +static bool check_buffer_size(uefi_vars_state *uv, uint64_t length) +{ + /* uefi_vars_cmd_mm() checks that */ + g_assert(uv->buf_size >=3D sizeof(mm_header)); + + if (uv->buf_size - sizeof(mm_header) < length) { + return false; + } + return true; +} + static size_t uefi_vars_mm_get_variable(uefi_vars_state *uv, mm_header *mh= dr, mm_variable *mvar, void *func) { @@ -307,7 +318,7 @@ static size_t uefi_vars_mm_get_variable(uefi_vars_state= *uv, mm_header *mhdr, if (uadd64_overflow(length, va->data_size, &length)) { return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); } - if (uv->buf_size < length) { + if (!check_buffer_size(uv, length)) { return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); } =20 @@ -377,7 +388,7 @@ uefi_vars_mm_get_next_variable(uefi_vars_state *uv, mm_= header *mhdr, } =20 length =3D sizeof(*mvar) + sizeof(*nv) + var->name_size; - if (uv->buf_size < length) { + if (!check_buffer_size(uv, length)) { return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); } =20 @@ -567,7 +578,7 @@ static size_t uefi_vars_mm_variable_info(uefi_vars_stat= e *uv, mm_header *mhdr, uint64_t length; =20 length =3D sizeof(*mvar) + sizeof(*vi); - if (uv->buf_size < length) { + if (!check_buffer_size(uv, length)) { return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); } =20 
@@ -588,7 +599,7 @@ uefi_vars_mm_get_payload_size(uefi_vars_state *uv, mm_h= eader *mhdr, uint64_t length; =20 length =3D sizeof(*mvar) + sizeof(*ps); - if (uv->buf_size < length) { + if (!check_buffer_size(uv, length)) { return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); } =20 --=20 2.47.3
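Review bot: the new check_buffer_size() helper turns its precondition into g_assert(uv->buf_size >= sizeof(mm_header)), so any path that reaches it with a smaller buf_size aborts the whole process instead of returning EFI_BAD_BUFFER_SIZE. Every caller in this patch already handles a false return, so "if (uv->buf_size < sizeof(mm_header)) return false;" would fail closed at no cost and would not depend on the check in uefi_vars_cmd_mm(), which this patch does not show. The rest of the body can then collapse to a single "return uv->buf_size - sizeof(mm_header) >= length;".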
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Gerd Hoffmann, Katherine Leaver, Michael Tokarev
Subject: [Stable-10.2.3 113/117] hw/uefi: verify pio_xfer_offset before calculating buffer checksum
Date: Tue, 12 May 2026 23:54:55 +0300
Message-ID: <20260512205503.361097-113-mjt@tls.msk.ru>

From: Gerd Hoffmann

Without that it is possible to trigger OOB reads by first advancing offset, then making the buffer smaller, finally asking for a checksum.

Fixes: CVE-2026-41436
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: Katherine Leaver
Signed-off-by: Gerd Hoffmann
Message-ID: <20260422092910.444997-3-kraxel@redhat.com>
(cherry picked from commit 94d9a8b2c9e6962aa7f7673229d2db7b110cfac6)
Signed-off-by: Michael Tokarev
diff --git a/hw/uefi/var-service-core.c b/hw/uefi/var-service-core.c index 91548e2f39..660ca2f9f8 100644
--- a/hw/uefi/var-service-core.c +++ b/hw/uefi/var-service-core.c 
@@ -229,6 +229,10 @@ static uint64_t uefi_vars_read(void *opaque, hwaddr ad= dr, unsigned size) uv->pio_xfer_offset +=3D size; break; case UEFI_VARS_REG_PIO_BUFFER_CRC32C: + if (uv->pio_xfer_offset > uv->buf_size) { + retval =3D 0; + break; + } retval =3D crc32c(0xffffffff, uv->pio_xfer_buffer, uv->pio_xfer_of= fset); break; case UEFI_VARS_REG_FLAGS: --=20 2.47.3
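Review bot: the new guard in the UEFI_VARS_REG_PIO_BUFFER_CRC32C case validates pio_xfer_offset only at this one consumer, and it reports the failure as retval = 0, which is not distinguishable from a valid CRC value. The commit message says the stale offset comes from shrinking the buffer after the offset was advanced, so resetting or clamping pio_xfer_offset at the point where buf_size changes would restore the invariant for every user. The case just above ends in "uv->pio_xfer_offset += size", and the visible context does not show whether it bounds the offset before touching pio_xfer_buffer, so that path deserves the same check.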
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Gerd Hoffmann, Katherine Leaver, Michael Tokarev
Subject: [Stable-10.2.3 114/117] hw/uefi: fix ucs2 string helper functions
Date: Tue, 12 May 2026 23:54:56 +0300
Message-ID: <20260512205503.361097-114-mjt@tls.msk.ru>

From: Gerd Hoffmann

The length passed in is in bytes not characters. Rename the parameters to make that clear. Calculate the number of chars if needed. Fix length checks to use the number of chars not bytes to avoid OOB reads.

Fixes: CVE-2026-41437
Fixes: 1ebc319c8ca7 ("hw/uefi: add var-service-utils.c")
Reported-by: Katherine Leaver
Signed-off-by: Gerd Hoffmann
Message-ID: <20260422092910.444997-4-kraxel@redhat.com>
(cherry picked from commit 5247b3034c23bdfd91a7f78587c3b3e37f90568c)
Signed-off-by: Michael Tokarev
diff --git a/hw/uefi/var-service-utils.c b/hw/uefi/var-service-utils.c index 258013f436..489321a26c 100644 --- a/hw/uefi/var-service-utils.c +++ b/hw/uefi/var-service-utils.c @@ -19,13 +19,18 @@ * sometimes when they are not (for example in variable policies). */ =20 -gboolean uefi_str_is_valid(const uint16_t *str, size_t len, +gboolean uefi_str_is_valid(const uint16_t *str, size_t bytes, gboolean must_be_null_terminated) { + size_t chars =3D bytes / 2; size_t pos =3D 0; =20 + if ((bytes % 2) !=3D 0) { + return false; + } + for (;;) { - if (pos =3D=3D len) { + if (pos =3D=3D chars) { if (must_be_null_terminated) { return false; } else { @@ -47,12 +52,13 @@ gboolean uefi_str_is_valid(const uint16_t *str, size_t = len, } } =20 -size_t uefi_strlen(const uint16_t *str, size_t len) +size_t uefi_strlen(const uint16_t *str, size_t bytes) { + size_t chars =3D bytes / 2; size_t pos =3D 0; =20 for (;;) { - if (pos =3D=3D len) { + if (pos =3D=3D chars) { return pos; } if (str[pos] =3D=3D 0) { @@ -62,25 +68,25 @@ size_t uefi_strlen(const uint16_t *str, size_t len) } } =20 -gboolean uefi_str_equal_ex(const uint16_t *a, size_t alen, - const uint16_t *b, size_t blen, +gboolean uefi_str_equal_ex(const uint16_t *a, size_t a_bytes, + const uint16_t *b, size_t b_bytes, gboolean wildcards_in_a) { + size_t a_chars =3D a_bytes / 2; + size_t b_chars =3D b_bytes / 2; size_t pos =3D 0; =20 - alen =3D alen / 2; - blen =3D blen / 2; for (;;) { - if (pos =3D=3D alen && pos =3D=3D blen) { + if (pos =3D=3D a_chars && pos =3D=3D b_chars) { return true; } - if (pos =3D=3D alen && b[pos] =3D=3D 0) { + if (pos =3D=3D a_chars && b[pos] =3D=3D 0) { return true; } - if (pos =3D=3D blen && a[pos] =3D=3D 0) { + if (pos =3D=3D b_chars && a[pos] =3D=3D 0) { return true; } - if (pos =3D=3D alen || pos =3D=3D blen) { + if (pos =3D=3D a_chars || pos =3D=3D b_chars) { return false; } if (a[pos] =3D=3D 0 && b[pos] =3D=3D 0) { 
@@ -100,18 +106,18 @@ gboolean uefi_str_equal_ex(const uint16_t *a, size_t = alen, } } =20 -gboolean uefi_str_equal(const uint16_t *a, size_t alen, - const uint16_t *b, size_t blen) +gboolean uefi_str_equal(const uint16_t *a, size_t a_bytes, + const uint16_t *b, size_t b_bytes) { - return uefi_str_equal_ex(a, alen, b, blen, false); + return uefi_str_equal_ex(a, a_bytes, b, b_bytes, false); } =20 -char *uefi_ucs2_to_ascii(const uint16_t *ucs2, uint64_t ucs2_size) +char *uefi_ucs2_to_ascii(const uint16_t *ucs2, uint64_t ucs2_bytes) { - char *str =3D g_malloc0(ucs2_size / 2 + 1); + char *str =3D g_malloc0(ucs2_bytes / 2 + 1); int i; =20 - for (i =3D 0; i * 2 < ucs2_bytes; i++) { + for (i =3D 0; i * 2 < ucs2_bytes; i++) { if (ucs2[i] =3D=3D 0) { break; } --=20 2.47.3
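Review bot: uefi_str_is_valid() now rejects an odd byte count, but uefi_strlen() and uefi_str_equal_ex() silently round it down with "bytes / 2", so the three helpers disagree on what an odd length means. Either reject odd sizes in all of them, or add a comment on each helper stating that a trailing odd byte is ignored, so that callers which skip uefi_str_is_valid() get a defined behaviour.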
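Review bot: uefi_ucs2_to_ascii() is only renamed in the last hunk and keeps "for (i = 0; i * 2 < ucs2_bytes; i++)", which for an odd ucs2_bytes still accepts the index i = ucs2_bytes / 2 and then reads ucs2[i], a uint16_t whose second byte lies past the end of the input. The loop also compares an int counter against a uint64_t size. Computing "size_t chars = ucs2_bytes / 2" as the other helpers now do, and looping with a size_t i while "i < chars", would close both.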
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Gerd Hoffmann, Katherine Leaver, Michael Tokarev
Subject: [Stable-10.2.3 115/117] hw/uefi: add name_size check to uefi_vars_mm_lock_variable()
Date: Tue, 12 May 2026 23:54:57 +0300
Message-ID: <20260512205503.361097-115-mjt@tls.msk.ru>

From: Gerd Hoffmann

Make sure the total variable_policy_entry size stays below 64k so the (16-bit) size field can not wrap.

Fixes: CVE-2026-41438
Fixes: db1ecfb473ac ("hw/uefi: add var-service-vars.c")
Reported-by: Katherine Leaver
Signed-off-by: Gerd Hoffmann
Message-ID: <20260422092910.444997-5-kraxel@redhat.com>
(cherry picked from commit c45b460d16f991ff3f753623f3423e1adc4077a2)
Signed-off-by: Michael Tokarev

diff --git a/hw/uefi/var-service-vars.c b/hw/uefi/var-service-vars.c index 922f6dd963..d7187e006d 100644 --- a/hw/uefi/var-service-vars.c
+++ b/hw/uefi/var-service-vars.c 
@@ -629,6 +629,9 @@ uefi_vars_mm_lock_variable(uefi_vars_state *uv, mm_head= er *mhdr, if (mhdr->length < length) { return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); } + if (sizeof(*pe) + lv->name_size > UINT16_MAX) { + return uefi_vars_mm_error(mhdr, mvar, EFI_BAD_BUFFER_SIZE); + } =20 uefi_trace_variable(__func__, lv->guid, name, lv->name_size); =20 --=20 2.47.3
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Gerd Hoffmann, Katherine Leaver, Michael Tokarev
Subject: [Stable-10.2.3 116/117] hw/uefi: verify data size before accessing it in wrap_pkcs7
Date: Tue, 12 May 2026 23:54:58 +0300
Message-ID: <20260512205503.361097-116-mjt@tls.msk.ru>

From: Gerd Hoffmann

Fixes: CVE-2026-41439
Fixes: 3e33af2cb306 ("hw/uefi: add var-service-pkcs7.c")
Reported-by: Katherine Leaver
Signed-off-by: Gerd Hoffmann
Message-ID: <20260422092910.444997-6-kraxel@redhat.com>
(cherry picked from commit 22b7b222d8f5428be8b5d4787f36efd0a0b75292)
Signed-off-by: Michael Tokarev

diff --git a/hw/uefi/var-service-pkcs7.c b/hw/uefi/var-service-pkcs7.c index 32accf4e44..f17ad6872f 100644 --- a/hw/uefi/var-service-pkcs7.c +++ b/hw/uefi/var-service-pkcs7.c
@@ -73,7 +73,8 @@ static void wrap_pkcs7(gnutls_datum_t *pkcs7) }; gnutls_datum_t wrap; =20 - if (pkcs7->data[4] =3D=3D 0x06 && + if (pkcs7->size > 16 && + pkcs7->data[4] =3D=3D 0x06 && pkcs7->data[5] =3D=3D 0x09 && memcmp(pkcs7->data + 6, signed_data_oid, sizeof(signed_data_oid)) = =3D=3D 0 && pkcs7->data[15] =3D=3D 0x0a && --=20 2.47.3
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Gerd Hoffmann, Katherine Leaver, Michael Tokarev
Subject: [Stable-10.2.3 117/117] hw/uefi: avoid possibly unaligned variable_auth_2 struct field access
Date: Tue, 12 May 2026 23:54:59 +0300
Message-ID: <20260512205503.361097-117-mjt@tls.msk.ru>

From: Gerd Hoffmann

Copy data to stack-allocated struct before accessing it to make sure it is properly aligned.

Fixes: CVE-2026-41440
Fixes: f1488fac0584 ("hw/uefi: add var-service-auth.c")
Reported-by: Katherine Leaver
Signed-off-by: Gerd Hoffmann
Message-ID: <20260422092910.444997-7-kraxel@redhat.com>
(cherry picked from commit b4680c02b8e838c75691656ee2c4450b454d1ca7)
Signed-off-by: Michael Tokarev

diff --git a/hw/uefi/var-service-auth.c b/hw/uefi/var-service-auth.c index fba5a0956a..795f2f54e4 100644 --- a/hw/uefi/var-service-auth.c +++ b/hw/uefi/var-service-auth.c
@@ -180,9 +180,10 @@ static efi_status uefi_vars_check_auth_2_sb(uefi_vars_= state *uv, void *data, uint64_t data_offset) { - variable_auth_2 *auth =3D data; + variable_auth_2 auth; uefi_variable *siglist; =20 + memcpy(&auth, data, sizeof(auth)); if (custom_mode_is_active(uv)) { /* no authentication in custom mode */ return EFI_SUCCESS; @@ -193,7 +194,7 @@ static efi_status uefi_vars_check_auth_2_sb(uefi_vars_s= tate *uv, return EFI_SUCCESS; } =20 - if (auth->hdr_length =3D=3D 24) { + if (auth.hdr_length =3D=3D 24) { /* no signature (auth->cert_data is empty) */ return EFI_SECURITY_VIOLATION; } @@ -218,23 +219,25 @@ static efi_status uefi_vars_check_auth_2_sb(uefi_vars= _state *uv, efi_status uefi_vars_check_auth_2(uefi_vars_state *uv, uefi_variable *var, mm_variable_access *va, void *data) { - variable_auth_2 *auth =3D data; + variable_auth_2 auth; uint64_t data_offset; efi_status status; =20 - if (va->data_size < sizeof(*auth)) { + if (va->data_size < sizeof(auth)) { return EFI_SECURITY_VIOLATION; } - if (uadd64_overflow(sizeof(efi_time), auth->hdr_length, &data_offset))= { + memcpy(&auth, data, sizeof(auth)); + + if (uadd64_overflow(sizeof(efi_time), auth.hdr_length, &data_offset)) { return EFI_SECURITY_VIOLATION; } if (va->data_size < data_offset) { return EFI_SECURITY_VIOLATION; } =20 - if (auth->hdr_revision !=3D 0x0200 || - auth->hdr_cert_type !=3D WIN_CERT_TYPE_EFI_GUID || - !qemu_uuid_is_equal(&auth->guid_cert_type, &EfiCertTypePkcs7Guid))= { + if (auth.hdr_revision !=3D 0x0200 || + auth.hdr_cert_type !=3D WIN_CERT_TYPE_EFI_GUID || + !qemu_uuid_is_equal(&auth.guid_cert_type, &EfiCertTypePkcs7Guid)) { return EFI_UNSUPPORTED; } =20 
@@ -255,7 +258,7 @@ efi_status uefi_vars_check_auth_2(uefi_vars_state *uv, = uefi_variable *var, } =20 /* checks passed, set variable data */ - var->time =3D auth->timestamp; + var->time =3D auth.timestamp; if (va->data_size - data_offset > 0) { var->data =3D g_malloc(va->data_size - data_offset); memcpy(var->data, data + data_offset, va->data_size - data_offset); diff --git a/hw/uefi/var-service-pkcs7.c b/hw/uefi/var-service-pkcs7.c index f17ad6872f..c859743e86 100644 --- a/hw/uefi/var-service-pkcs7.c +++ b/hw/uefi/var-service-pkcs7.c @@ -21,17 +21,20 @@ */ static gnutls_datum_t *build_signed_data(mm_variable_access *va, void *dat= a) { - variable_auth_2 *auth =3D data; - uint64_t data_offset =3D sizeof(efi_time) + auth->hdr_length; + variable_auth_2 auth; + uint64_t data_offset; uint16_t *name =3D (void *)va + sizeof(mm_variable_access); gnutls_datum_t *sdata; uint64_t pos =3D 0; =20 + memcpy(&auth, data, sizeof(auth)); + data_offset =3D sizeof(efi_time) + auth.hdr_length; + sdata =3D g_new(gnutls_datum_t, 1); sdata->size =3D (va->name_size - 2 + sizeof(QemuUUID) + sizeof(va->attributes) - + sizeof(auth->timestamp) + + sizeof(auth.timestamp) + va->data_size - data_offset); sdata->data =3D g_malloc(sdata->size); =20 @@ -48,8 +51,8 @@ static gnutls_datum_t *build_signed_data(mm_variable_acce= ss *va, void *data) pos +=3D sizeof(va->attributes); =20 /* TimeStamp */ - memcpy(sdata->data + pos, &auth->timestamp, sizeof(auth->timestamp)); - pos +=3D sizeof(auth->timestamp); + memcpy(sdata->data + pos, &auth.timestamp, sizeof(auth.timestamp)); + pos +=3D sizeof(auth.timestamp); =20 /* Variable Content */ memcpy(sdata->data + pos, data + data_offset, va->data_size - data_off= set); 
@@ -105,11 +108,12 @@ static void wrap_pkcs7(gnutls_datum_t *pkcs7) =20 static gnutls_datum_t *build_pkcs7(void *data) { - variable_auth_2 *auth =3D data; + variable_auth_2 auth; gnutls_datum_t *pkcs7; =20 + memcpy(&auth, data, sizeof(auth)); pkcs7 =3D g_new(gnutls_datum_t, 1); - pkcs7->size =3D auth->hdr_length - 24; + pkcs7->size =3D auth.hdr_length - 24; pkcs7->data =3D g_malloc(pkcs7->size); memcpy(pkcs7->data, data + 16 + 24, pkcs7->size); =20 --=20 2.47.3
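Review bot: in uefi_ucs2_to_ascii() (the rename hunk at the top of this section), the loop index stays `int i` while the bound is the uint64_t `ucs2_bytes`, so `i * 2` is evaluated in int before the comparison and can overflow for byte counts above INT_MAX. Since the rename now makes the unit explicit, consider `size_t i` with the condition `i < ucs2_bytes / 2`, which also lines up with the `ucs2_bytes / 2 + 1` allocation just above it.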
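Review bot: in uefi_vars_mm_lock_variable() (hw/uefi/var-service-vars.c, patch 115), the new test `sizeof(*pe) + lv->name_size > UINT16_MAX` adds before it compares, so it is only correct as long as the sum itself cannot wrap. Writing it as `lv->name_size > UINT16_MAX - sizeof(*pe)` keeps the comparison safe whatever the width of name_size, and a one-line comment that the limit comes from the 16-bit variable_policy_entry size field would keep the reason from the commit message next to the code.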
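Review bot: in wrap_pkcs7() (hw/uefi/var-service-pkcs7.c, patch 116), the new guard `pkcs7->size > 16` is a bare literal, while the highest index visible in this condition is `pkcs7->data[15]`, which needs only 16 bytes. If a later part of the condition reads data[16], say so in a comment, or derive the bound from the offsets being read so the guard cannot drift from the accesses it protects. The commit message also has no body; one sentence naming the access that was out of bounds would help anyone backporting this.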
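Review bot: in uefi_vars_check_auth_2_sb() (hw/uefi/var-service-auth.c, patch 117, hunk at -180,9), `memcpy(&auth, data, sizeof(auth))` is the first statement and no size check is visible in this function, so it depends on the `va->data_size < sizeof(auth)` test in uefi_vars_check_auth_2(). That caller already holds an aligned copy; passing it down as a `const variable_auth_2 *` would remove the second copy and the implicit precondition. Failing that, a comment stating that the caller has validated the size would do.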
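Review bot: in uefi_vars_check_auth_2_sb() (patch 117, hunk at -193,7), the context comment still reads `auth->cert_data is empty` although auth is no longer a pointer after this change. Update it to `auth.cert_data`, and consider a named constant for the literal 24 that this hunk and build_pkcs7() both compare against.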
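Review bot: in build_signed_data() (hw/uefi/var-service-pkcs7.c, patch 117, hunk at -21,17), `data_offset = sizeof(efi_time) + auth.hdr_length` is a plain addition, whereas uefi_vars_check_auth_2() computes the same offset with uadd64_overflow() and tests it against va->data_size. The `va->data_size - data_offset` term in the size computation relies on that earlier validation; passing the already validated data_offset in as a parameter, or asserting `data_offset <= va->data_size` here, would make the dependency explicit.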
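Review bot: in build_pkcs7() (hw/uefi/var-service-pkcs7.c, patch 117, last hunk), `pkcs7->size = auth.hdr_length - 24` has no lower bound on hdr_length visible in this function, and the only related test in this patch is the equality check `auth.hdr_length == 24` in uefi_vars_check_auth_2_sb(). If a guarantee that hdr_length is at least 24 lives elsewhere, name it in a comment; otherwise return early when it is smaller. The source offset `data + 16 + 24` would also read better with named constants tied to the struct layout.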