-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update QEMU to v8.2.2 #63
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hmp_migrate() leaks @caps when qmp_migrate() fails. Plug the leak with g_autoptr(). Fixes: 967f2de (migration: Implement MigrateChannelList to hmp migration flow.) v8.2.0-rc0 Fixes: CID 1533125 Signed-off-by: Markus Armbruster <[email protected]> Link: https://lore.kernel.org/r/[email protected] [peterx: fix CID number as reported by Peter Maydell] Signed-off-by: Peter Xu <[email protected]> (cherry picked from commit 918f620) Signed-off-by: Michael Tokarev <[email protected]>
We're currently allowing the process_incoming_migration_bh bottom-half to run without holding a reference to the 'current_migration' object, which leads to a segmentation fault if the BH is still live after migration_shutdown() has dropped the last reference to current_migration. In my system the bug manifests as migrate_multifd() returning true when it shouldn't and multifd_load_shutdown() calling multifd_recv_terminate_threads() which crashes due to an uninitialized multifd_recv_state. Fix the issue by holding a reference to the object when scheduling the BH and dropping it before returning from the BH. The same is already done for the cleanup_bh at migrate_fd_cleanup_schedule(). Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1969 Signed-off-by: Fabiano Rosas <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Peter Xu <[email protected]> (cherry picked from commit 27eb849) Signed-off-by: Michael Tokarev <[email protected]>
When doing device assignment of a physical device, MSI-X can be enabled with no vectors enabled and this sets the IRQ index to VFIO_PCI_MSIX_IRQ_INDEX. However, when MSI-X is disabled, the IRQ index is left untouched if no vectors are in use. Then, when INTx is enabled, the IRQ index value is considered incompatible (set to MSI-X) and VFIO_DEVICE_SET_IRQS fails. QEMU complains with : qemu-system-x86_64: vfio 0000:08:00.0: Failed to set up TRIGGER eventfd signaling for interrupt INTX-0: VFIO_DEVICE_SET_IRQS failure: Invalid argument To avoid that, unconditionaly clear the IRQ index when MSI-X is disabled. Buglink: https://issues.redhat.com/browse/RHEL-21293 Fixes: 5ebffa4 ("vfio/pci: use an invalid fd to enable MSI-X") Cc: Jing Liu <[email protected]> Cc: Alex Williamson <[email protected]> Reviewed-by: Alex Williamson <[email protected]> Signed-off-by: Cédric Le Goater <[email protected]> (cherry picked from commit d2b668f) Signed-off-by: Michael Tokarev <[email protected]>
'uri' argument should be optional, as 'uri' and 'channels' arguments are mutally exclusive in nature. Fixes: 074dbce (migration: New migrate and migrate-incoming argument 'channels') Signed-off-by: Het Gala <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Peter Xu <[email protected]> (cherry picked from commit 57fd4b4) Signed-off-by: Michael Tokarev <[email protected]>
The command line options `-ctrl-grab` and `-alt-grab` have been removed in QEMU 7.1. Instead, use the `-display sdl,grab-mod=<modifiers>` option to specify the grab modifiers. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2103 Signed-off-by: Yihuan Pan <[email protected]> Signed-off-by: Michael Tokarev <[email protected]> (cherry picked from commit db10137)
With GCC 14 the code failed to compile on i686 (and was wrong for any version of GCC): ../block/blkio.c: In function ‘blkio_file_open’: ../block/blkio.c:857:28: error: passing argument 3 of ‘blkio_get_uint64’ from incompatible pointer type [-Wincompatible-pointer-types] 857 | &s->mem_region_alignment); | ^~~~~~~~~~~~~~~~~~~~~~~~ | | | size_t * {aka unsigned int *} In file included from ../block/blkio.c:12: /usr/include/blkio.h:49:67: note: expected ‘uint64_t *’ {aka ‘long long unsigned int *’} but argument is of type ‘size_t *’ {aka ‘unsigned int *’} 49 | int blkio_get_uint64(struct blkio *b, const char *name, uint64_t *value); | ~~~~~~~~~~^~~~~ Signed-off-by: Richard W.M. Jones <[email protected]> Message-id: [email protected] Signed-off-by: Stefan Hajnoczi <[email protected]> (cherry picked from commit 615eaea) Signed-off-by: Michael Tokarev <[email protected]>
Debug exceptions that target AArch32 Hyp mode are reported differently than on AAarch64. Internally, Qemu uses the AArch64 syndromes. Therefore such exceptions need to be either converted to a prefetch abort (breakpoints, vector catch) or a data abort (watchpoints). Cc: [email protected] Signed-off-by: Jan Klötzke <[email protected]> Reviewed-by: Richard Henderson <[email protected]> Message-id: [email protected] Signed-off-by: Peter Maydell <[email protected]> (cherry picked from commit f670be1) Signed-off-by: Michael Tokarev <[email protected]>
Currently if the user passes multiple -serial options on the command line, we mostly treat those as applying to the different serial devices in order, so that for example -serial stdio -serial file:filename will connect the first serial port to stdio and the second to the named file. The exception to this is the '-serial none' serial device type. This means "don't allocate this serial device", but a bug means that following -serial options are not correctly handled, so that -serial none -serial stdio has the unexpected effect that stdio is connected to the first serial port, not the second. This is a very long-standing bug that dates back at least as far as commit 998bbd7 from 2009. Make the 'none' serial type move forward in the indexing of serial devices like all the other serial types, so that any subsequent -serial options are correctly handled. Note that if your commandline mistakenly had a '-serial none' that was being overridden by a following '-serial something' option, you should delete the unnecessary '-serial none'. This will give you the same behaviour as before, on QEMU versions both with and without this bug fix. Cc: [email protected] Reported-by: Bohdan Kostiv <[email protected]> Signed-off-by: Peter Maydell <[email protected]> Reviewed-by: Daniel P. Berrangé <[email protected]> Reviewed-by: Richard Henderson <[email protected]> Message-id: [email protected] Fixes: 998bbd7 ("default devices: core code & serial lines") Signed-off-by: Peter Maydell <[email protected]> (cherry picked from commit d2019a9) Signed-off-by: Michael Tokarev <[email protected]>
The -serial option documentation is a bit brief about '-serial none' and '-serial null'. In particular it's not very clear about the difference between them, and it doesn't mention that it's up to the machine model whether '-serial none' means "don't create the serial port" or "don't wire the serial port up to anything". Expand on these points. Signed-off-by: Peter Maydell <[email protected]> Reviewed-by: Daniel P. Berrangé <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Message-id: [email protected] (cherry picked from commit 747bfaf) Signed-off-by: Michael Tokarev <[email protected]>
In commit 4315f7c we restructured the logic for creating the VFP related properties to avoid testing the aa32_simd_r32 feature on AArch64 CPUs. However in the process we accidentally stopped exposing the "vfp" QOM property on AArch32 TCG CPUs. This mostly hasn't had any ill effects because not many people want to disable VFP, but it wasn't intentional. Reinstate the property. Cc: [email protected] Fixes: 4315f7c ("target/arm: Restructure has_vfp_d32 test") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2098 Signed-off-by: Peter Maydell <[email protected]> Reviewed-by: Richard Henderson <[email protected]> Message-id: [email protected] (cherry picked from commit 185e3fd) Signed-off-by: Michael Tokarev <[email protected]>
The latest version of qemu (v8.2.0-869-g7a1dc45af5) crashes when booting the mcimx7d-sabre emulation with Linux v5.11 and later. qemu-system-arm: ../system/memory.c:2750: memory_region_set_alias_offset: Assertion `mr->alias' failed. Problem is that the Designware PCIe emulation accepts the full value range for the iATU Viewport Register. However, both hardware and emulation only support four inbound and four outbound viewports. The Linux kernel determines the number of supported viewports by writing 0xff into the viewport register and reading the value back. The expected value when reading the register is the highest supported viewport index. Match that code by masking the supported viewport value range when the register is written. With this change, the Linux kernel reports imx6q-pcie 33800000.pcie: iATU: unroll F, 4 ob, 4 ib, align 0K, limit 4G as expected and supported. Fixes: d64e5ea ("pci: Add support for Designware IP block") Cc: Andrey Smirnov <[email protected]> Cc: Nikita Ostrenkov <[email protected]> Signed-off-by: Guenter Roeck <[email protected]> Message-id: [email protected] Reviewed-by: Peter Maydell <[email protected]> Signed-off-by: Peter Maydell <[email protected]> (cherry picked from commit 8a73152) Signed-off-by: Michael Tokarev <[email protected]>
Because there are more call clobbered registers than call saved registers, we begin with all registers as call clobbered and then reset those that are saved. This was missed when we introduced the LSX support. Cc: [email protected] Fixes: 16288de ("tcg/loongarch64: Lower basic tcg vec ops to LSX") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2136 Signed-off-by: Richard Henderson <[email protected]> Reviewed-by: Song Gao <[email protected]> Message-Id: <[email protected]> (cherry picked from commit 45bf0e7) Signed-off-by: Michael Tokarev <[email protected]>
Without this padding, an unwind through the signal handler will pick up the unwind info for the preceding syscall. This fixes gcc's 30_threads/thread/native_handle/cancel.cc. Cc: [email protected] Fixes: ee95fae ("linux-user/aarch64: Add vdso") Resolves: https://linaro.atlassian.net/browse/GNU-974 Signed-off-by: Richard Henderson <[email protected]> Reviewed-by: Alex Bennée <[email protected]> Message-Id: <[email protected]> (cherry picked from commit 6400be0) Signed-off-by: Michael Tokarev <[email protected]>
When the maximum count of SCRIPTS instructions is reached, the code stops execution and returns, but fails to decrement the reentrancy counter. This effectively renders the SCSI controller unusable because on next entry the reentrancy counter is still above the limit. This bug was seen on HP-UX 10.20 which seems to trigger SCRIPTS loops. Fixes: b987718 ("hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)") Signed-off-by: Sven Schnelle <[email protected]> Message-ID: <[email protected]> Reviewed-by: Thomas Huth <[email protected]> Tested-by: Helge Deller <[email protected]> Signed-off-by: Thomas Huth <[email protected]> (cherry picked from commit 8b09b7f) Signed-off-by: Michael Tokarev <[email protected]>
Creating an instance of the 'TestEnv' class will create a temporary directory. This dir is only deleted, however, in the __exit__ handler invoked by a context manager. In dry-run mode, we don't use the TestEnv via a context manager, so were leaking the temporary directory. Since meson invokes 'check' 5 times on each configure run, developers /tmp was filling up with empty temporary directories. Signed-off-by: Daniel P. Berrangé <[email protected]> Message-ID: <[email protected]> Reviewed-by: Michael Tokarev <[email protected]> Reviewed-by: Kevin Wolf <[email protected]> Signed-off-by: Kevin Wolf <[email protected]> (cherry picked from commit c645bac) Signed-off-by: Michael Tokarev <[email protected]>
If something goes wrong causing the iotests not to cleanup their temporary directory, it is useful if the dir had an identifying name to show what is to blame. Signed-off-by: Daniel P. Berrangé <[email protected]> Message-ID: <[email protected]> Revieved-by: Michael Tokarev <[email protected]> Reviewed-by: Kevin Wolf <[email protected]> Signed-off-by: Kevin Wolf <[email protected]> (cherry picked from commit 7d2faf0) Signed-off-by: Michael Tokarev <[email protected]>
As of commit 38738f7 ("virtio-scsi: don't waste CPU polling the event virtqueue"), we only attach an io_read notifier for the virtio-scsi event virtqueue instead, and no polling notifiers. During operation, the event virtqueue is typically non-empty, but none of the buffers are intended to be used immediately. Instead, they only get used when certain events occur. Therefore, it makes no sense to continuously poll it when non-empty, because it is supposed to be and stay non-empty. We do this by using virtio_queue_aio_attach_host_notifier_no_poll() instead of virtio_queue_aio_attach_host_notifier() for the event virtqueue. Commit 766aa2d ("virtio-scsi: implement BlockDevOps->drained_begin()") however has virtio_scsi_drained_end() use virtio_queue_aio_attach_host_notifier() for all virtqueues, including the event virtqueue. This can lead to it being polled again, undoing the benefit of commit 38738f7. Fix it by using virtio_queue_aio_attach_host_notifier_no_poll() for the event virtqueue. Reported-by: Fiona Ebner <[email protected]> Fixes: 766aa2d ("virtio-scsi: implement BlockDevOps->drained_begin()") Reviewed-by: Stefan Hajnoczi <[email protected]> Tested-by: Fiona Ebner <[email protected]> Reviewed-by: Fiona Ebner <[email protected]> Signed-off-by: Hanna Czenczek <[email protected]> Message-ID: <[email protected]> Reviewed-by: Stefan Hajnoczi <[email protected]> Reviewed-by: Kevin Wolf <[email protected]> Signed-off-by: Kevin Wolf <[email protected]> (cherry picked from commit c42c383) Signed-off-by: Michael Tokarev <[email protected]>
During drain, we do not care about virtqueue notifications, which is why we remove the handlers on it. When removing those handlers, whether vq notifications are enabled or not depends on whether we were in polling mode or not; if not, they are enabled (by default); if so, they have been disabled by the io_poll_start callback. Because we do not care about those notifications after removing the handlers, this is fine. However, we have to explicitly ensure they are enabled when re-attaching the handlers, so we will resume receiving notifications. We do this in virtio_queue_aio_attach_host_notifier*(). If such a function is called while we are in a polling section, attaching the notifiers will then invoke the io_poll_start callback, re-disabling notifications. Because we will always miss virtqueue updates in the drained section, we also need to poll the virtqueue once after attaching the notifiers. Buglink: https://issues.redhat.com/browse/RHEL-3934 Signed-off-by: Hanna Czenczek <[email protected]> Message-ID: <[email protected]> Reviewed-by: Stefan Hajnoczi <[email protected]> Reviewed-by: Kevin Wolf <[email protected]> Signed-off-by: Kevin Wolf <[email protected]> (cherry picked from commit 5bdbaeb) Signed-off-by: Michael Tokarev <[email protected]>
Requests that complete in an IOThread use irqfd to notify the guest while requests that complete in the main loop thread use the traditional qdev irq code path. The reason for this conditional is that the irq code path requires the BQL: if (s->ioeventfd_started && !s->ioeventfd_disabled) { virtio_notify_irqfd(vdev, req->vq); } else { virtio_notify(vdev, req->vq); } There is a corner case where the conditional invokes the irq code path instead of the irqfd code path: static void virtio_blk_stop_ioeventfd(VirtIODevice *vdev) { ... /* * Set ->ioeventfd_started to false before draining so that host notifiers * are not detached/attached anymore. */ s->ioeventfd_started = false; /* Wait for virtio_blk_dma_restart_bh() and in flight I/O to complete */ blk_drain(s->conf.conf.blk); During blk_drain() the conditional produces the wrong result because ioeventfd_started is false. Use qemu_in_iothread() instead of checking the ioeventfd state. Cc: [email protected] Buglink: https://issues.redhat.com/browse/RHEL-15394 Signed-off-by: Stefan Hajnoczi <[email protected]> Message-ID: <[email protected]> Reviewed-by: Kevin Wolf <[email protected]> Signed-off-by: Kevin Wolf <[email protected]> (cherry picked from commit bfa3680) Signed-off-by: Michael Tokarev <[email protected]> (Mjt: fixup for v8.2.0-809-g3cdaf3dd4a "virtio-blk: rename dataplane to ioeventfd")
The commit in the fixes line mistakenly modified the channels and transport compatibility check logic so it now checks multi-channel support only for socket transport type. Thus, running multifd migration using a transport other than socket that is incompatible with multi-channels (such as "exec") would lead to a segmentation fault instead of an error message. For example: (qemu) migrate_set_capability multifd on (qemu) migrate -d "exec:cat > /tmp/vm_state" Segmentation fault (core dumped) Fix it by checking multi-channel compatibility for all transport types. Cc: qemu-stable <[email protected]> Fixes: d95533e ("migration: modify migration_channels_and_uri_compatible() for new QAPI syntax") Signed-off-by: Avihai Horon <[email protected]> Reviewed-by: Peter Xu <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Peter Xu <[email protected]> (cherry picked from commit 3205beb) Signed-off-by: Michael Tokarev <[email protected]>
The 'isa' char pointer isn't being freed after use. Issue detected by Valgrind: ==38752== 128 bytes in 1 blocks are definitely lost in loss record 3,190 of 3,884 ==38752== at 0x484280F: malloc (vg_replace_malloc.c:442) ==38752== by 0x5189619: g_malloc (gmem.c:130) ==38752== by 0x51A5BF2: g_strconcat (gstrfuncs.c:628) ==38752== by 0x6C1E3E: riscv_isa_string_ext (cpu.c:2321) ==38752== by 0x6C1E3E: riscv_isa_string (cpu.c:2343) ==38752== by 0x6BD2EA: build_rhct (virt-acpi-build.c:232) ==38752== by 0x6BD2EA: virt_acpi_build (virt-acpi-build.c:556) ==38752== by 0x6BDC86: virt_acpi_setup (virt-acpi-build.c:662) ==38752== by 0x9C8DC6: notifier_list_notify (notify.c:39) ==38752== by 0x4A595A: qdev_machine_creation_done (machine.c:1589) ==38752== by 0x61E052: qemu_machine_creation_done (vl.c:2680) ==38752== by 0x61E052: qmp_x_exit_preconfig.part.0 (vl.c:2709) ==38752== by 0x6220C6: qmp_x_exit_preconfig (vl.c:2702) ==38752== by 0x6220C6: qemu_init (vl.c:3758) ==38752== by 0x425858: main (main.c:47) Fixes: ebfd392 ("hw/riscv/virt: virt-acpi-build.c: Add RHCT Table") Signed-off-by: Daniel Henrique Barboza <[email protected]> Reviewed-by: Alistair Francis <[email protected]> Message-ID: <[email protected]> Signed-off-by: Alistair Francis <[email protected]> (cherry picked from commit 1a49762) Signed-off-by: Michael Tokarev <[email protected]> (Mjt: context fixup)
Avocado needs sqlite3: Failed to load plugin from module "avocado.plugins.journal": ImportError("Module 'sqlite3' is not installed. Use: sudo zypper install python311 to install it") >From 'zypper info python311': "This package supplies rich command line features provided by readline, and sqlite3 support for the interpreter core, thus forming a so called "extended" runtime." Include the appropriate package in the lcitool mappings which will guarantee the dockerfile gets properly updated when lcitool is run. Also include the updated dockerfile. Signed-off-by: Fabiano Rosas <[email protected]> Suggested-by: Andrea Bolognani <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Message-Id: <[email protected]> Signed-off-by: Alex Bennée <[email protected]> Message-Id: <[email protected]> (cherry picked from commit 7485508) Signed-off-by: Michael Tokarev <[email protected]>
Commit 39fb3cf ("configure: clean up plugin option handling", 2023-10-18) dropped the CONFIG_PLUGIN line from tests/tcg/config-host.mak, due to confusion caused by the shadowing of $config_host_mak. However, TCG tests were still expecting it. Oops. Put it back, in the meanwhile the shadowing is gone so it's clear that it goes in the tests/tcg configuration. Cc: <[email protected]> Fixes: 39fb3cf ("configure: clean up plugin option handling", 2023-10-18) Signed-off-by: Paolo Bonzini <[email protected]> Message-Id: <[email protected]> Signed-off-by: Alex Bennée <[email protected]> Message-Id: <[email protected]> (cherry picked from commit 15cc103) Signed-off-by: Michael Tokarev <[email protected]> (Mjt: context fixup)
qemu_smbios_type11_opts did not have the list terminator and that resulted in out-of-bound memory access. It also needs to have an element for the type option. Cc: [email protected] Fixes: 2d6dcbf ("smbios: support setting OEM strings table") Signed-off-by: Akihiko Odaki <[email protected]> Reviewed-by: Michael Tokarev <[email protected]> Reviewed-by: Ani Sinha <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Michael Tokarev <[email protected]> (cherry picked from commit cd8a35b)
qemu_smbios_type8_opts did not have the list terminator and that resulted in out-of-bound memory access. It also needs to have an element for the type option. Cc: [email protected] Fixes: fd8caa2 ("hw/smbios: support for type 8 (port connector)") Signed-off-by: Akihiko Odaki <[email protected]> Reviewed-by: Michael Tokarev <[email protected]> Reviewed-by: Ani Sinha <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Michael Tokarev <[email protected]> (cherry picked from commit 196578c)
Netbsd isn't able to detect a link on the emulated tulip card. That's because netbsd reads the Chip Status Register of the Phy (address 0x14). The default phy data in the qemu tulip driver is all zero, which means no link is established and autonegotation isn't complete. Therefore set the register to 0x3b40, which means: Link is up, Autonegotation complete, Full Duplex, 100MBit/s Link speed. Also clear the mask because this register is read only. Signed-off-by: Sven Schnelle <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Reviewed-by: Helge Deller <[email protected]> Tested-by: Helge Deller <[email protected]> Signed-off-by: Helge Deller <[email protected]> (cherry picked from commit 9b60a3e) Signed-off-by: Michael Tokarev <[email protected]>
We need values 0-3 for TCG_TYPE_I128 on 32-bit hosts. Cc: [email protected] Fixes: 43eef72 ("tcg: Add temp allocation for TCGv_i128") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2159 Signed-off-by: Richard Henderson <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Reviewed-by: Michael Tokarev <[email protected]> Tested-by: Michael Tokarev <[email protected]> (cherry picked from commit c0e6881) Signed-off-by: Michael Tokarev <[email protected]>
Correct arithmetic for separating high and low on a large negative number. Cc: [email protected] Fixes: 79ffece ("tcg/arm: Implement direct branch for goto_tb") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1714 Signed-off-by: Richard Henderson <[email protected]> Reviewed-by: Michael Tokarev <[email protected]> (cherry picked from commit e41f182) Signed-off-by: Michael Tokarev <[email protected]>
There is no "size" field in vring address structure. Remove it. Fixes: 5fc0e00 ("Add vhost-user protocol documentation") Signed-off-by: Andrey Ignatov <[email protected]> Message-Id: <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Michael S. Tsirkin <[email protected]> (cherry picked from commit aa05bd9) Signed-off-by: Michael Tokarev <[email protected]>
The callback for building CDAT tables may return negative error codes. This was previously unhandled and will result in potentially huge allocations later on in ct3_build_cdat() Detect the negative error code and defer cdat building. Fixes: f5ee741 ("hw/mem/cxl-type3: Add CXL CDAT Data Object Exchange") Cc: Huai-Cheng Kuo <[email protected]> Reviewed-by: Dave Jiang <[email protected]> Reviewed-by: Fan Ni <[email protected]> Signed-off-by: Ira Weiny <[email protected]> Signed-off-by: Jonathan Cameron <[email protected]> Message-Id: <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Michael S. Tsirkin <[email protected]> (cherry picked from commit c62926f) Signed-off-by: Michael Tokarev <[email protected]>
In `qemu_console_resize()`, the old surface of the console is keeped if the new console size is the same as the old one. If the old surface is a placeholder, and the new size of console is the same as the placeholder surface (640*480), the surface won't be replace. In this situation, the surface's `QEMU_PLACEHOLDER_FLAG` flag is still set, so the console won't be displayed in SDL display mode. This patch fixes this problem by forcing a new surface if the old one is a placeholder. Signed-off-by: Tianlan Zhou <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Message-ID: <[email protected]> (cherry picked from commit 95b08fe) Signed-off-by: Michael Tokarev <[email protected]>
dbusaudio needs dbus_display1_dep. Fixes: 739362d ("audio: add "dbus" audio backend") Signed-off-by: Akihiko Odaki <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Message-Id: <[email protected]> (cherry picked from commit d676119) Signed-off-by: Michael Tokarev <[email protected]>
Explicitly specify dbus-display1.h as a dependency so that files depending on it will not get compiled too early. Fixes: 1222070 ("meson: ensure dbus-display generated code is built before other units") Signed-off-by: Akihiko Odaki <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Message-Id: <[email protected]> (cherry picked from commit 7aee57d) Signed-off-by: Michael Tokarev <[email protected]>
It ensures dbus-display1.c will not be recompiled. Signed-off-by: Akihiko Odaki <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Message-Id: <[email protected]> (cherry picked from commit 186acfb) Signed-off-by: Michael Tokarev <[email protected]>
When running "configure" with "--without-default-devices", building of qemu-system-hppa currently fails with: /usr/bin/ld: libqemu-hppa-softmmu.fa.p/hw_hppa_machine.c.o: in function `machine_HP_common_init_tail': hw/hppa/machine.c:399: undefined reference to `usb_bus_find' /usr/bin/ld: hw/hppa/machine.c:399: undefined reference to `usb_create_simple' /usr/bin/ld: hw/hppa/machine.c:400: undefined reference to `usb_bus_find' /usr/bin/ld: hw/hppa/machine.c:400: undefined reference to `usb_create_simple' collect2: error: ld returned 1 exit status ninja: build stopped: subcommand failed. make: *** [Makefile:162: run-ninja] Error 1 And after fixing this, the qemu-system-hppa binary refuses to run due to the missing 'pci-ohci' and 'pci-serial' devices. Let's add the right config switches to fix these problems. Signed-off-by: Thomas Huth <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Reviewed-by: Michael Tokarev <[email protected]> Signed-off-by: Michael Tokarev <[email protected]> (cherry picked from commit 04b86cc) Signed-off-by: Michael Tokarev <[email protected]>
Input grab key should be Ctrl-Alt-g, not just Ctrl-Alt. Fixes: f8d2c93 ("sdl: use ctrl-alt-g as grab hotkey") Signed-off-by: Tianlan Zhou <[email protected]> Reviewed-by: Thomas Huth <[email protected]> Reviewed-by: Michael Tokarev <[email protected]> Signed-off-by: Michael Tokarev <[email protected]> (cherry picked from commit 4a20ac4) Signed-off-by: Michael Tokarev <[email protected]>
Input grab key should be Ctrl-Alt-g, not just Ctrl-Alt. Fixes: f8d2c93 ("sdl: use ctrl-alt-g as grab hotkey") Signed-off-by: Tianlan Zhou <[email protected]> Reviewed-by: Thomas Huth <[email protected]> Reviewed-by: Michael Tokarev <[email protected]> Signed-off-by: Michael Tokarev <[email protected]> (cherry picked from commit 1853111) Signed-off-by: Michael Tokarev <[email protected]>
MSYS2 is dropping support for 32-bit Windows. This shows up for us as various packages we were using in our CI job no longer being available to install, which causes the job to fail. In commit 8e31b74 we dropped the dependency on libusb and spice, but the dtc package has also now been removed. For us as QEMU upstream, "32 bit x86 hosts for system emulation" have already been deprecated as of QEMU 8.0, so we are ready to drop them anyway. Drop the msys2-32bit CI job, as the first step in doing this. This is cc'd to stable, because this job will also be broken for CI on the stable branches. We can't drop 32-bit support entirely there, but we will still be covering at least compilation for 32-bit Windows via the cross-win32-system job. Cc: [email protected] Signed-off-by: Peter Maydell <[email protected]> Reviewed-by: Daniel P. Berrangé <[email protected]> Reviewed-by: Thomas Huth <[email protected]> Reviewed-by: Alex Bennée <[email protected]> Message-id: [email protected] (cherry picked from commit 5cd3ae4) Signed-off-by: Michael Tokarev <[email protected]>
The move to decodetree flipped the inequality test for the VEC / VSX MSR facility check. This caused application crashes under Linux, where these facility unavailable interrupts are used for lazy-switching of VEC/VSX register sets. Getting the incorrect interrupt would result in wrong registers being loaded, potentially overwriting live values and/or exposing stale ones. Cc: [email protected] Reported-by: Joel Stanley <[email protected]> Fixes: 70426b5 ("target/ppc: moved stxvx and lxvx from legacy to decodtree") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1769 Reviewed-by: Harsh Prateek Bora <[email protected]> Tested-by: Harsh Prateek Bora <[email protected]> Reviewed-by: Cédric Le Goater <[email protected]> Tested-by: Cédric Le Goater <[email protected]> Signed-off-by: Nicholas Piggin <[email protected]> (cherry picked from commit 2cc0e44) Signed-off-by: Michael Tokarev <[email protected]>
is_prefix_insn_excp() loads the first word of the instruction address which caused an exception, to determine whether or not it was prefixed so the prefix bit can be set in [H]SRR1. This works if the instruction image can be loaded, but if the exception was caused by an ifetch, this load could fail and cause a recursive exception and crash. Machine checks caused by ifetch are not excluded from the prefix check and can crash (see issue 2108 for an example). Fix this by excluding machine checks caused by ifetch from the prefix check. Cc: [email protected] Acked-by: Cédric Le Goater <[email protected]> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2108 Fixes: 55a7fa3 ("target/ppc: Machine check on invalid real address access on POWER9/10") Fixes: 5a5d3b2 ("target/ppc: Add SRR1 prefix indication to interrupt handlers") Signed-off-by: Nicholas Piggin <[email protected]> (cherry picked from commit c8fd966) Signed-off-by: Michael Tokarev <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]> (cherry picked from commit 9c996f3) Signed-off-by: Michael Tokarev <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]> (cherry picked from commit 658178c) Signed-off-by: Michael Tokarev <[email protected]>
numcntl is one byte and so is max_vfs. Using cpu_to_le16 on big endian hosts results in numcntl being set to 0. Fix by dropping the endian conversion. Fixes: 99f48ae ("hw/nvme: Add support for Secondary Controller List") Reported-by: Kevin Wolf <[email protected]> Signed-off-by: Klaus Jensen <[email protected]> Reviewed-by: Minwoo Im <[email protected]> Message-ID: <[email protected]> Signed-off-by: Philippe Mathieu-Daudé <[email protected]> (cherry picked from commit d2b5bb8) Signed-off-by: Michael Tokarev <[email protected]>
The PL031 allows you to read RTCLR, which is meant to give you the last value written. PL031State has an lr field which is used when reading from RTCLR, and is present in the VM migration state, but we never actually update it, so it always reads as its initial 0 value. Cc: [email protected] Signed-off-by: Jessica Clarke <[email protected]> Reviewed-by: Alex Bennée <[email protected]> Message-id: [email protected] Reviewed-by: Peter Maydell <[email protected]> Signed-off-by: Peter Maydell <[email protected]> (cherry picked from commit 4d28d57) Signed-off-by: Michael Tokarev <[email protected]>
CR3 bits 63:32 are ignored in 32-bit mode (either legacy 2-level paging or PAE paging). Do this in mmu_translate() to remove the last where get_physical_address() meaningfully drops the high bits of the address. Cc: [email protected] Suggested-by: Richard Henderson <[email protected]> Fixes: 4a1e9d4 ("target/i386: Use atomic operations for pte updates", 2022-10-18) Signed-off-by: Paolo Bonzini <[email protected]> (cherry picked from commit 68fb78d) Signed-off-by: Michael Tokarev <[email protected]>
MSR_VM_HSAVE_PA bits 0-11 are reserved, as are the bits above the maximum physical address width of the processor. Setting them to 1 causes a #GP (see "15.30.4 VM_HSAVE_PA MSR" in the AMD manual). The same is true of VMCB addresses passed to VMRUN/VMLOAD/VMSAVE, even though the manual is not clear on that. Cc: [email protected] Fixes: 4a1e9d4 ("target/i386: Use atomic operations for pte updates", 2022-10-18) Signed-off-by: Paolo Bonzini <[email protected]> (cherry picked from commit d09c790) Signed-off-by: Michael Tokarev <[email protected]>
The address translation logic in get_physical_address() will currently truncate physical addresses to 32 bits unless long mode is enabled. This is incorrect when using physical address extensions (PAE) outside of long mode, with the result that a 32-bit operating system using PAE to access memory above 4G will experience undefined behaviour. The truncation code was originally introduced in commit 33dfdb5 ("x86: only allow real mode to access 32bit without LMA"), where it applied only to translations performed while paging is disabled (and so cannot affect guests using PAE). Commit 9828198 ("target/i386: Add MMU_PHYS_IDX and MMU_NESTED_IDX") rearranged the code such that the truncation also applied to the use of MMU_PHYS_IDX and MMU_NESTED_IDX. Commit 4a1e9d4 ("target/i386: Use atomic operations for pte updates") brought this truncation into scope for page table entry accesses, and is the first commit for which a Windows 10 32-bit guest will reliably fail to boot if memory above 4G is present. The truncation code however is not completely redundant. Even though the maximum address size for any executed instruction is 32 bits, helpers for operations such as BOUND, FSAVE or XSAVE may ask get_physical_address() to translate an address outside of the 32-bit range, if invoked with an argument that is close to the 4G boundary. Likewise for processor accesses, for example TSS or IDT accesses, when EFER.LMA==0. So, move the address truncation in get_physical_address() so that it applies to 32-bit MMU indexes, but not to MMU_PHYS_IDX and MMU_NESTED_IDX. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2040 Fixes: 4a1e9d4 ("target/i386: Use atomic operations for pte updates", 2022-10-18) Cc: [email protected] Co-developed-by: Michael Brown <[email protected]> Signed-off-by: Michael Brown <[email protected]> Signed-off-by: Paolo Bonzini <[email protected]> (cherry picked from commit b166180) Signed-off-by: Michael Tokarev <[email protected]> (Mjt: drop unrelated change in target/i386/cpu.c)
If ptw_translate() does a MMU_PHYS_IDX access, the A20 mask is already applied in get_physical_address(), which is called via probe_access_full() and x86_cpu_tlb_fill(). If ptw_translate() on the other hand does a MMU_NESTED_IDX access, the A20 mask must not be applied to the address that is looked up in the nested page tables; it must be applied only to the addresses that hold the NPT entries (which is achieved via MMU_PHYS_IDX, per the previous paragraph). Therefore, we can remove A20 masking from the computation of the page table entry's address, and let get_physical_address() or mmu_translate() apply it when they know they are returning a host-physical address. Cc: [email protected] Fixes: 4a1e9d4 ("target/i386: Use atomic operations for pte updates", 2022-10-18) Signed-off-by: Paolo Bonzini <[email protected]> (cherry picked from commit a28fe7d) Signed-off-by: Michael Tokarev <[email protected]>
The A20 mask is only applied to the final memory access. Nested page tables are always walked with the raw guest-physical address. Unlike the previous patch, in this one the masking must be kept, but it was done too early. Cc: [email protected] Fixes: 4a1e9d4 ("target/i386: Use atomic operations for pte updates", 2022-10-18) Signed-off-by: Paolo Bonzini <[email protected]> (cherry picked from commit b5a9de3) Signed-off-by: Michael Tokarev <[email protected]>
The old links are dead so even if we have the ISO cached we can't finish the install. Update to the current stable and tweak the install strings. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2192 Tested-by: Thomas Huth <[email protected]> Reviewed-by: Thomas Huth <[email protected]> Signed-off-by: Alex Bennée <[email protected]> Message-Id: <[email protected]> (cherry picked from commit 8467ac7) Signed-off-by: Michael Tokarev <[email protected]>
The main problem is that "check-venv" is a .PHONY target will always evaluate and trigger a full re-build of the VM images. While its tempting to drop it from the dependencies that does introduce a breakage on freshly configured builds. Fortunately we do have the otherwise redundant --force flag for the script which up until now was always on. If we make the usage of --force conditional on dependencies other than check-venv triggering the update we can avoid the costly rebuild and still run cleanly on a fresh checkout. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2118 Reviewed-by: Thomas Huth <[email protected]> Signed-off-by: Alex Bennée <[email protected]> Message-Id: <[email protected]> (cherry picked from commit 151b7db) Signed-off-by: Michael Tokarev <[email protected]>
Python is transitioning to a world where you're not allowed to use 'pip install' outside of a virutal env by default. The rationale is to stop use of pip clashing with distro provided python packages, which creates a major headache on distro upgrades. All our CI environments, however, are 100% disposable so the upgrade headaches don't exist. Thus we can undo the python defaults to allow pip to work. Signed-off-by: Daniel P. Berrangé <[email protected]> Tested-by: Philippe Mathieu-Daudé <[email protected]> Tested-by: Thomas Huth <[email protected]> Message-id: [email protected] Signed-off-by: Peter Maydell <[email protected]> (cherry picked from commit a8bf9de) Signed-off-by: Michael Tokarev <[email protected]>
When using "--without-default-devices", the ARM_GICV3_TCG and ARM_GIC_KVM settings currently get disabled, though the arm virt machine is only of very limited use in that case. This also causes the migration-test to fail in such builds. Let's make sure that we always keep the GIC switches enabled in the --without-default-devices builds, too. Message-ID: <[email protected]> Tested-by: Fabiano Rosas <[email protected]> Signed-off-by: Thomas Huth <[email protected]> (cherry picked from commit 8bd3f84) Signed-off-by: Michael Tokarev <[email protected]>
Since Windows text files use CRLFs for all \n, the Windows version of QEMU inserts a CR in the PCAP stream when a LF is encountered when using USB PCAP files. This is due to the fact that the PCAP file is opened as TEXT instead of BINARY. To show an example, when using a very common protocol to USB disks, the BBB protocol uses a 10-byte command packet. For example, the READ_CAPACITY(10) command will have a command block length of 10 (0xA). When this 10-byte command (part of the 31-byte CBW) is placed into the PCAP file, the Windows file manager inserts a 0xD before the 0xA, turning the 31-byte CBW into a 32-byte CBW. Actual CBW: 0040 55 53 42 43 01 00 00 00 08 00 00 00 80 00 0a 25 USBC...........% 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... PCAP CBW 0040 55 53 42 43 01 00 00 00 08 00 00 00 80 00 0d 0a USBC............ 0050 25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 %.............. I believe simply opening the PCAP file as BINARY instead of TEXT will fix this issue. Resolves: https://bugs.launchpad.net/qemu/+bug/2054889 Signed-off-by: Benjamin David Lunt <[email protected]> Message-ID: <[email protected]> [thuth: Break long line to avoid checkpatch.pl error] Signed-off-by: Thomas Huth <[email protected]> (cherry picked from commit 5e02a4f) Signed-off-by: Michael Tokarev <[email protected]>
test-util-sockets leaves the temporary socket files around in the temporary files folder. Let's better remove them at the end of the testing. Fixes: 4d3a329 ("tests/util-sockets: add abstract unix socket cases") Message-ID: <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Signed-off-by: Thomas Huth <[email protected]> (cherry picked from commit f0cb682) Signed-off-by: Michael Tokarev <[email protected]>
… backend Commit ffda5db ("io/channel-tls: fix handling of bigger read buffers") changed the behavior of the TLS io channels to schedule a second reading attempt if there is still incoming data pending. This caused a regression with backends like the sclpconsole that check in their read function that the sender does not try to write more bytes to it than the device can currently handle. The problem can be reproduced like this: 1) In one terminal, do this: mkdir qemu-pki cd qemu-pki openssl genrsa 2048 > ca-key.pem openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem # enter some dummy value for the cert openssl genrsa 2048 > server-key.pem openssl req -new -x509 -nodes -days 365000 -key server-key.pem \ -out server-cert.pem # enter some other dummy values for the cert gnutls-serv --echo --x509cafile ca-cert.pem --x509keyfile server-key.pem \ --x509certfile server-cert.pem -p 8338 2) In another terminal, do this: wget https://download.fedoraproject.org/pub/fedora-secondary/releases/39/Cloud/s390x/images/Fedora-Cloud-Base-39-1.5.s390x.qcow2 qemu-system-s390x -nographic -nodefaults \ -hda Fedora-Cloud-Base-39-1.5.s390x.qcow2 \ -object tls-creds-x509,id=tls0,endpoint=client,verify-peer=false,dir=$PWD/qemu-pki \ -chardev socket,id=tls_chardev,host=localhost,port=8338,tls-creds=tls0 \ -device sclpconsole,chardev=tls_chardev,id=tls_serial QEMU then aborts after a second or two with: qemu-system-s390x: ../hw/char/sclpconsole.c:73: chr_read: Assertion `size <= SIZE_BUFFER_VT220 - scon->iov_data_len' failed. Aborted (core dumped) It looks like the second read does not trigger the chr_can_read() function to be called before the second read, which should normally always be done before sending bytes to a character device to see how much it can handle, so the s->max_size in tcp_chr_read() still contains the old value from the previous read. Let's make sure that we use the up-to-date value by calling tcp_chr_read_poll() again here. Fixes: ffda5db ("io/channel-tls: fix handling of bigger read buffers") Buglink: https://issues.redhat.com/browse/RHEL-24614 Reviewed-by: "Daniel P. Berrangé" <[email protected]> Message-ID: <[email protected]> Reviewed-by: Antoine Damhet <[email protected]> Tested-by: Antoine Damhet <[email protected]> Reviewed-by: Marc-André Lureau <[email protected]> Signed-off-by: Thomas Huth <[email protected]> (cherry picked from commit 462945c) Signed-off-by: Michael Tokarev <[email protected]>
Signed-off-by: Michael Tokarev <[email protected]>
v8.2.2 release
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.