diff --git a/block-migration-Ensure-we-don-t-crash-during-migrati.patch b/block-migration-Ensure-we-don-t-crash-during-migrati.patch new file mode 100644 index 0000000000000000000000000000000000000000..ff1918d893d1c6b25cf90df856f66f9cb7ba7089 --- /dev/null +++ b/block-migration-Ensure-we-don-t-crash-during-migrati.patch 
@@ -0,0 +1,67 @@ +From 98d4a8d9d5823d7d43ea816208a35372124a749f Mon Sep 17 00:00:00 2001 +From: zhujun2 +Date: Sun, 10 Mar 2024 22:52:08 -0700 +Subject: [PATCH] block-migration: Ensure we don't crash during migration + cleanup + +We can fail the blk_insert_bs() at init_blk_migration(), leaving the +BlkMigDevState without a dirty_bitmap and BlockDriverState. Account +for the possibly missing elements when doing cleanup. + +Fix the following crashes: + +Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault. +0x0000555555ec83ef in bdrv_release_dirty_bitmap (bitmap=0x0) at ../block/dirty-bitmap.c:359 +359 BlockDriverState *bs = bitmap->bs; + +Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault. +0x0000555555e971ff in bdrv_op_unblock (bs=0x0, op=BLOCK_OP_TYPE_BACKUP_SOURCE, reason=0x0) at ../block.c:7073 +7073 QLIST_FOREACH_SAFE(blocker, &bs->op_blockers[op], list, next) { + +Signed-off-by: Fabiano Rosas +Message-id: 20230731203338.27581-1-farosas@suse.de> +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit f187609f27b261702a17f79d20bf252ee0d4f9cd) +Signed-off-by: zhujun2 +--- + migration/block.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/migration/block.c b/migration/block.c +index a950977855..391f8169fd 100644 +--- a/migration/block.c ++++ b/migration/block.c +@@ -376,7 +376,9 @@ static void unset_dirty_tracking(void) + BlkMigDevState *bmds; + + QSIMPLEQ_FOREACH(bmds, &block_mig_state.bmds_list, entry) { +- bdrv_release_dirty_bitmap(bmds->dirty_bitmap); ++ if (bmds->dirty_bitmap) { ++ bdrv_release_dirty_bitmap(bmds->dirty_bitmap); ++ } + } + } + +@@ -684,13 +686,18 @@ static int64_t get_remaining_dirty(void) + static void block_migration_cleanup_bmds(void) + { + BlkMigDevState *bmds; ++ BlockDriverState *bs; + AioContext *ctx; + + unset_dirty_tracking(); + + while ((bmds = QSIMPLEQ_FIRST(&block_mig_state.bmds_list)) != NULL) { + QSIMPLEQ_REMOVE_HEAD(&block_mig_state.bmds_list, entry); 
+- bdrv_op_unblock_all(blk_bs(bmds->blk), bmds->blocker); ++ ++ bs = blk_bs(bmds->blk); ++ if (bs) { ++ bdrv_op_unblock_all(bs,bmds->blocker); ++ } + error_free(bmds->blocker); + + /* Save ctx, because bmds->blk can disappear during blk_unref. */ +-- +2.27.0 + diff --git a/block-parallels-Fix-buffer-based-write-call.patch b/block-parallels-Fix-buffer-based-write-call.patch new file mode 100644 index 0000000000000000000000000000000000000000..ac0b003e6cfeaba528eddf904c3499a524db1644 --- /dev/null +++ b/block-parallels-Fix-buffer-based-write-call.patch 
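Review bot: The new `bdrv_op_unblock_all(bs,bmds->blocker);` line is missing the space after the comma that the rest of migration/block.c uses; it should read `bdrv_op_unblock_all(bs, bmds->blocker);`. The NULL guards themselves match the failure mode in the commit text (blk_insert_bs() failing in init_blk_migration() leaves both the dirty bitmap and the BDS unset), and the unconditional `error_free(bmds->blocker)` that follows is fine provided error_free() tolerates NULL, which I believe it does in this tree but is worth confirming. A short why-comment would keep the checks from being dropped later: `/* init_blk_migration() may have failed before blk_insert_bs(): bs and dirty_bitmap can be NULL here. */`. block_migration_cleanup_bmds() continues past the end of the hunk (the blk_unref/AioContext handling), so the rest of the teardown is not reviewed here.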
@@ -0,0 +1,48 @@ +From 38de3be1e41bff18bf21cbf16a1dc585359dd4bd Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Fri, 8 Mar 2024 05:39:12 +0000 +Subject: [PATCH] block/parallels: Fix buffer-based write call mainline + inclusion commit eba088f91d21d9e42a81bef847173da30c5da961 category: bugfix + +--------------------------------------------------------------- + +Commit a4072543ccdddbd241d5962d9237b8b41fd006bf has changed the I/O here +from working on a local one-element I/O vector to just using the buffer +directly (using the bdrv_co_pread()/bdrv_co_pwrite() helper functions +introduced shortly before). + +However, it only changed the bdrv_co_preadv() call to bdrv_co_pread() - +the subsequent bdrv_co_pwritev() call stayed this way, and so still +expects a QEMUIOVector pointer instead of a plain buffer. We must +change that to be a bdrv_co_pwrite() call. + +Fixes: a4072543ccdddbd241d5962d ("block/parallels: use buffer-based io") +Signed-off-by: Hanna Reitz +Reviewed-by: Denis V. Lunev +Reviewed-by: Vladimir Sementsov-Ogievskiy +Message-Id: <20220714132801.72464-2-hreitz@redhat.com> +Signed-off-by: Vladimir Sementsov-Ogievskiy + +Signed-off-by: tangbinzy +--- + block/parallels.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/block/parallels.c b/block/parallels.c +index 6ebad2a2bb..f3352b6aa7 100644 +--- a/block/parallels.c ++++ b/block/parallels.c +@@ -240,8 +240,8 @@ static int64_t allocate_clusters(BlockDriverState *bs, int64_t sector_num, + return ret; + } + +- ret = bdrv_co_pwritev(bs->file, s->data_end * BDRV_SECTOR_SIZE, +- nb_cow_bytes, buf, 0); ++ ret = bdrv_co_pwrite(bs->file, s->data_end * BDRV_SECTOR_SIZE, ++ nb_cow_bytes, buf, 0); + qemu_vfree(buf); + if (ret < 0) { + return ret; +-- +2.27.0 + 
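Review bot: This one-line fix deserves a regression test, because before it the raw COW buffer `buf` was passed to bdrv_co_pwritev() as if it were a QEMUIOVector, so the write path read vector metadata out of cluster data, and that path is reached by any guest write that forces allocate_clusters() on a parallels image. Switching to bdrv_co_pwrite() is the right change; a tests/qemu-iotests case that writes to an unallocated cluster of a parallels image (forcing the COW write) would pin it. allocate_clusters() begins outside the hunk, so the allocation of `buf` and the read side of the copy are not visible here.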
diff --git a/block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch b/block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch new file mode 100644 index 0000000000000000000000000000000000000000..b3e2b5d9acf9bee7aa279d833c2570f2fadf1a80 --- /dev/null +++ b/block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch @@ -0,0 +1,52 @@ +From 3e4478d7b2669063f7b2b1caf80c73535f35b5a4 Mon Sep 17 00:00:00 2001 +From: Luo Yifan +Date: Thu, 7 Mar 2024 17:51:57 +0800 +Subject: [PATCH] block/rbd: fix handling of holes in .bdrv_co_block_status + +cherry picked from commit 9e302f64bb407a9bb097b626da97228c2654cfee + +the assumption that we can't hit a hole if we do not diff against a snapshot was wrong. + +We can see a hole in an image if we diff against base if there exists an older snapshot +of the image and we have discarded blocks in the image where the snapshot has data. + +Fix this by simply handling a hole like an unallocated area. There are no callbacks +for unallocated areas so just bail out if we hit a hole. + +Fixes: 0347a8fd4c3faaedf119be04c197804be40a384b +Suggested-by: Ilya Dryomov +Cc: qemu-stable@nongnu.org +Signed-off-by: Peter Lieven +Message-Id: <20220113144426.4036493-2-pl@kamp.de> +Reviewed-by: Ilya Dryomov +Reviewed-by: Stefano Garzarella +Signed-off-by: Kevin Wolf +Signed-off-by: Luo Yifan +--- + block/rbd.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/block/rbd.c b/block/rbd.c +index ccb14efd55..6caf35cbba 100644 +--- a/block/rbd.c ++++ b/block/rbd.c +@@ -1281,11 +1281,11 @@ static int qemu_rbd_diff_iterate_cb(uint64_t offs, size_t len, + RBDDiffIterateReq *req = opaque; + + assert(req->offs + req->bytes <= offs); +- /* +- * we do not diff against a snapshot so we should never receive a callback +- * for a hole. +- */ +- assert(exists); ++ ++ /* treat a hole like an unallocated area and bail out */ ++ if (!exists) { ++ return 0; ++ } + + if (!req->exists && offs > req->offs) { + /* +-- +2.27.0 + 
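Review bot: The new comment says "bail out", but `return 0;` is the callback's continue value: as far as I recall the librbd diff-iterate API, 0 means keep iterating and only a negative return aborts, so the hole is skipped while the remaining extents are still delivered. Since that is the intended behaviour, the comment should say so: `/* A hole (discarded data over an older snapshot) is reported as unallocated; skip it and keep iterating. */`. The assert this replaces was reachable from ordinary image state (snapshot plus discard), so the change also removes a trivially triggerable abort; a regression test with that setup would be worthwhile. qemu_rbd_diff_iterate_cb() starts before the hunk and the `req->exists` bookkeeping continues after it.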
diff --git a/chardev-char.c-fix-abstract-device-type-error-messag.patch b/chardev-char.c-fix-abstract-device-type-error-messag.patch new file mode 100644 index 0000000000000000000000000000000000000000..657052b78ef68fc8c79532a0cf825f213ed6a621 --- /dev/null +++ b/chardev-char.c-fix-abstract-device-type-error-messag.patch @@ -0,0 +1,37 @@ +From 3f9bed27de471be4d88ef9eb8270e1d362dccc4a Mon Sep 17 00:00:00 2001 +From: zhujun2 +Date: Mon, 4 Mar 2024 02:02:23 -0800 +Subject: [PATCH] chardev/char.c: fix "abstract device type" error message + +Current error message: + +qemu-system-x86_64: -chardev spice,id=foo: Parameter 'driver' expects an abstract device type + +while in fact the meaning is in reverse, -chardev expects +a non-abstract device type. + +Fixes: 777357d758d9 ("chardev: qom-ify" 2016-12-07) +Signed-off-by: Michael Tokarev +Reviewed-by: Zhao Liu +(cherry picked from commit 4ad87cd4b2254197b7ac12e3da824854e6a90f8f) +Signed-off-by: zhujun2 +--- + chardev/char.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/chardev/char.c b/chardev/char.c +index 0169d8dde4..6bb99bd485 100644 +--- a/chardev/char.c ++++ b/chardev/char.c +@@ -519,7 +519,7 @@ static const ChardevClass *char_get_class(const char *driver, Error **errp) + + if (object_class_is_abstract(oc)) { + error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "driver", +- "an abstract device type"); ++ "a non-abstract device type"); + return NULL; + } + +-- +2.27.0 + diff --git a/configure-Add-missing-POSIX-required-space.patch b/configure-Add-missing-POSIX-required-space.patch new file mode 100644 index 0000000000000000000000000000000000000000..66fc46d4134567bdc52bb23b74658c386dafc9cb --- /dev/null +++ b/configure-Add-missing-POSIX-required-space.patch 
@@ -0,0 +1,44 @@ +From 466653e339135572946a31d212205078854500da Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Wed, 13 Mar 2024 03:11:08 +0000 +Subject: [PATCH] configure: Add missing POSIX-required space mainline + inclusion commit 35a7a6fc5624b1df828d82f2dfa74d0e4188b3b2 category: bugfix + +--------------------------------------------------------------- + +In commit 7d7dbf9dc15be6e1 we added a line to the configure script +which is not valid POSIX shell syntax, because it is missing a space +after a '!' character. shellcheck diagnoses this: + +if !(GIT="$git" "$source_path/scripts/git-submodule.sh" "$git_submodules_action" "$git_submodules"); then + ^-- SC1035: You are missing a required space after the !. + +and the OpenBSD shell will not correctly handle this without the space. + +Fixes: 7d7dbf9dc15be6e1 ("configure: replace --enable/disable-git-update with --with-git-submodules") +Signed-off-by: Peter Maydell +Reviewed-by: Thomas Huth +Tested-by: Dr. David Alan Gilbert +Message-id: 20220720152631.450903-2-peter.maydell@linaro.org + +Signed-off-by: tangbinzy +--- + configure | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure b/configure +index d7a4502a8b..8c9abd0e6e 100755 +--- a/configure ++++ b/configure +@@ -3337,7 +3337,7 @@ else + cxx= + fi + +-if !(GIT="$git" "$source_path/scripts/git-submodule.sh" "$git_submodules_action" "$git_submodules"); then ++if ! (GIT="$git" "$source_path/scripts/git-submodule.sh" "$git_submodules_action" "$git_submodules"); then + exit 1 + fi + +-- +2.27.0 + diff --git a/hw-block-hd-geometry-Do-not-override-specified-bios-.patch b/hw-block-hd-geometry-Do-not-override-specified-bios-.patch new file mode 100644 index 0000000000000000000000000000000000000000..2193ed3dd3111d6b9254134541acf6fab4a4a8e8 --- /dev/null +++ b/hw-block-hd-geometry-Do-not-override-specified-bios-.patch 
@@ -0,0 +1,63 @@ +From 0f13c505e833761a336bc4619b05afc373ebfdaa Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Thu, 21 Mar 2024 05:59:43 +0000 +Subject: [PATCH] hw/block/hd-geometry: Do not override specified + bios-chs-trans mainline inclusion commit + fd8a68ad6823d33bedeba20a22857867a1c3890e category: bugfix + +--------------------------------------------------------------- + +For small disk images (<4 GiB), QEMU and SeaBIOS default to the +LARGE/ECHS disk translation method, but it is not uncommon for other +BIOS software to use LBA in these cases as well. Some operating +system boot loaders (e.g., NT 4) do not handle LARGE translations +outside of fixed configurations. See, e.g., Q154052: + +"When starting an x86 based computer, Ntdetect.com retrieves and +stores Interrupt 13 information. . . If the disk controller is using a +32 sector/64 head translation scheme, this boundary will be 1 GB. If +the controller uses 63 sector/255 head translation [AUTHOR: i.e., +LBA], the limit will be 4 GB." + +To accommodate these situations, hd_geometry_guess() now follows the +disk translation specified by the user even when the ATA disk geometry +is guessed. + +hd_geometry_guess(): +* Only set the disk translation when translation is AUTO. +* Show the soon-to-be active translation (*ptrans) in the trace rather + than what was guessed. 
+ +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/56 +Buglink: https://bugs.launchpad.net/qemu/+bug/1745312 + +Signed-off-by: Lev Kujawski +Message-Id: <20220707204045.999544-1-lkujaw@member.fsf.org> +Signed-off-by: Kevin Wolf + +Signed-off-by: tangbinzy +--- + hw/block/hd-geometry.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/hw/block/hd-geometry.c b/hw/block/hd-geometry.c +index dcbccee294..67462f1752 100644 +--- a/hw/block/hd-geometry.c ++++ b/hw/block/hd-geometry.c +@@ -150,7 +150,12 @@ void hd_geometry_guess(BlockBackend *blk, + translation = BIOS_ATA_TRANSLATION_NONE; + } + if (ptrans) { +- *ptrans = translation; ++ if (*ptrans == BIOS_ATA_TRANSLATION_AUTO) { ++ *ptrans = translation; ++ } else { ++ /* Defer to the translation specified by the user. */ ++ translation = *ptrans; ++ } + } + trace_hd_geometry_guess(blk, *pcyls, *pheads, *psecs, translation); + } +-- +2.27.0 + diff --git a/hw-display-bcm2835_fb-Fix-framebuffer-allocation-add.patch b/hw-display-bcm2835_fb-Fix-framebuffer-allocation-add.patch new file mode 100644 index 0000000000000000000000000000000000000000..7ebc6f54170965da40e89db4d2a6a1aedf765fbc --- /dev/null +++ b/hw-display-bcm2835_fb-Fix-framebuffer-allocation-add.patch 
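Review bot: `ptrans` is now an in/out parameter (BIOS_ATA_TRANSLATION_AUTO on entry means "fill in the guess", anything else is kept and wins), and nothing in the code states that contract; the header comment of hd_geometry_guess(), which lies outside this hunk, should say `/* *ptrans is in/out: AUTO on entry is replaced by the guessed translation; any other value is the user's choice and is left untouched. */`. In the else branch the `translation` local is assigned only so the trace reports the user's value rather than the guess, which a reader may not spot; the existing "Defer to" comment could be extended with `/* ... and report it in the trace instead of the guess. */`. The function begins outside the hunk.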
@@ -0,0 +1,53 @@ +From 5a8be2987986a0191b9d8a7a1a59f491e657ebad Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Fri, 8 Mar 2024 04:12:58 +0000 +Subject: [PATCH] hw/display/bcm2835_fb: Fix framebuffer allocation address + mainline inclusion commit 5865d99fe88d8c8fa437c18c6b63fb2a8165634f category: + bugfix + +--------------------------------------------------------------- + +This patch fixes the dedicated framebuffer mailbox interface by +removing an unneeded offset. This means that we pick the framebuffer +address in the same way that we do if the guest code uses the buffer +allocate mechanism of the bcm2835_property interface (case +0x00040001: /* Allocate buffer */ in bcm2835_property.c). + +The documentation of this mailbox interface doesn't say anything +about using parts of the request buffer address to affect the +chosen framebuffer address: +https://github.com/raspberrypi/firmware/wiki/Mailbox-framebuffer-interface + +Some baremetal applications like the Screen01/Screen02 examples from +Baking Pi tutorial[1] didn't work before this patch. 
+ +[1] https://www.cl.cam.ac.uk/projects/raspberrypi/tutorials/os/screen01.html + +Signed-off-by: Alan Jian +Message-id: 20220725145838.8412-1-alanjian85@outlook.com +[PMM: tweaked commit message] +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell + +Signed-off-by: tangbinzy +--- + hw/display/bcm2835_fb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/hw/display/bcm2835_fb.c b/hw/display/bcm2835_fb.c +index 2be77bdd3a..ac17c472a5 100644 +--- a/hw/display/bcm2835_fb.c ++++ b/hw/display/bcm2835_fb.c +@@ -279,8 +279,7 @@ static void bcm2835_fb_mbox_push(BCM2835FBState *s, uint32_t value) + newconf.xoffset = ldl_le_phys(&s->dma_as, value + 24); + newconf.yoffset = ldl_le_phys(&s->dma_as, value + 28); + +- newconf.base = s->vcram_base | (value & 0xc0000000); +- newconf.base += BCM2835_FB_OFFSET; ++ newconf.base = s->vcram_base + BCM2835_FB_OFFSET; + + /* Copy fields which we don't want to change from the existing config */ + newconf.pixo = s->config.pixo; +-- +2.27.0 + diff --git a/hw-ide-core-set-ERR_STAT-in-unsupported-command-comp.patch b/hw-ide-core-set-ERR_STAT-in-unsupported-command-comp.patch new file mode 100644 index 0000000000000000000000000000000000000000..b41a3716cde3a7f7b86fa752cd1d414fb5773b4d --- /dev/null +++ b/hw-ide-core-set-ERR_STAT-in-unsupported-command-comp.patch 
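Review bot: The new `newconf.base = s->vcram_base + BCM2835_FB_OFFSET;` removes the only guest-controlled contribution to the framebuffer address, which is welcome, but the reason lives only in the commit message; a comment in the code would stop someone reintroducing it: `/* Fixed placement in VC RAM, same as the property-tag "Allocate buffer" path; bits 30-31 of the mailbox pointer are bus-alias bits, not an address selector. */`. The guest inputs on the lines above (`xoffset`, `yoffset` read via ldl_le_phys from `value`) are unchanged here, so any validation of the requested geometry against the VC RAM size must happen elsewhere in bcm2835_fb_mbox_push() or its callee — the function starts before the hunk and continues after it, so I could not confirm that.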
@@ -0,0 +1,60 @@ +From c2fe51f5e42bbb95209318e8e766212fe832aa9b Mon Sep 17 00:00:00 2001 +From: zhujun2 +Date: Sun, 10 Mar 2024 20:15:39 -0700 +Subject: [PATCH] hw/ide/core: set ERR_STAT in unsupported command completion +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently, the first time sending an unsupported command +(e.g. READ LOG DMA EXT) will not have ERR_STAT set in the completion. +Sending the unsupported command again, will correctly have ERR_STAT set. + +When ide_cmd_permitted() returns false, it calls ide_abort_command(). +ide_abort_command() first calls ide_transfer_stop(), which will call +ide_transfer_halt() and ide_cmd_done(), after that ide_abort_command() +sets ERR_STAT in status. + +ide_cmd_done() for AHCI will call ahci_write_fis_d2h() which writes the +current status in the FIS, and raises an IRQ. (The status here will not +have ERR_STAT set!). + +Thus, we cannot call ide_transfer_stop() before setting ERR_STAT, as +ide_transfer_stop() will result in the FIS being written and an IRQ +being raised. + +The reason why it works the second time, is that ERR_STAT will still +be set from the previous command, so when writing the FIS, the +completion will correctly have ERR_STAT set. + +Set ERR_STAT before writing the FIS (calling cmd_done), so that we will +raise an error IRQ correctly when receiving an unsupported command. 
+ +Signed-off-by: Niklas Cassel +Reviewed-by: Philippe Mathieu-Daudé +Message-id: 20230609140844.202795-3-nks@flawful.org +Signed-off-by: John Snow +(cherry picked from commit c3461c6264a7c8ca15b117e91fe5da786924a784) +Signed-off-by: zhujun2 +--- + hw/ide/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/ide/core.c b/hw/ide/core.c +index 15138225be..0d925c5ca5 100644 +--- a/hw/ide/core.c ++++ b/hw/ide/core.c +@@ -528,9 +528,9 @@ BlockAIOCB *ide_issue_trim( + + void ide_abort_command(IDEState *s) + { +- ide_transfer_stop(s); + s->status = READY_STAT | ERR_STAT; + s->error = ABRT_ERR; ++ ide_transfer_stop(s); + } + + static void ide_set_retry(IDEState *s) +-- +2.27.0 + diff --git a/hw-misc-mps2-scc-Free-MPS2SCC-oscclk-array-on-finali.patch b/hw-misc-mps2-scc-Free-MPS2SCC-oscclk-array-on-finali.patch new file mode 100644 index 0000000000000000000000000000000000000000..987d9a68662ee200ae9aa09a933837d683efd014 --- /dev/null +++ b/hw-misc-mps2-scc-Free-MPS2SCC-oscclk-array-on-finali.patch 
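Review bot: The reordering in ide_abort_command() is correct only because ide_transfer_stop() consumes `s->status` on the way down (cmd_done → D2H FIS write on AHCI, per the commit text) and, as far as I can tell, ide_transfer_halt() only clears DRQ_STAT rather than rewriting the whole status word; that ordering dependency deserves a comment so nobody tidies it back: `/* Set ERR_STAT before ide_transfer_stop(): on AHCI it writes the current status into the D2H FIS and raises the IRQ. */`. A qtest that issues one unsupported command and checks ERR_STAT in the first completion would lock the fix in.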
@@ -0,0 +1,63 @@ +From 8ae86aa13df2128b46b421df14f6000f81312795 Mon Sep 17 00:00:00 2001 +From: zhujun2 +Date: Mon, 4 Mar 2024 01:19:55 -0800 +Subject: [PATCH] hw/misc/mps2-scc: Free MPS2SCC::oscclk[] array on finalize() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Commit 0be6bfac62 ("qdev: Implement variable length array properties") +added the DEFINE_PROP_ARRAY() macro with the following comment: + +* It is the responsibility of the device deinit code to free the +* @_arrayfield memory. + +Commit 4fb013afcc added: + +DEFINE_PROP_ARRAY("oscclk", MPS2SCC, num_oscclk, oscclk_reset, + qdev_prop_uint32, uint32_t), + +but forgot to free the 'oscclk_reset' array. Do it in the +instance_finalize() handler. + +Cc: qemu-stable@nongnu.org +Fixes: 4fb013afcc ("hw/misc/mps2-scc: Support configurable number of OSCCLK values") # v6.0.0+ +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20231121174051.63038-4-philmd@linaro.org +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell +(cherry picked from commit 896dd6ff7b9f2575f1a908a07f26a70b58d8b675) +Signed-off-by: zhujun2 +--- + hw/misc/mps2-scc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/misc/mps2-scc.c b/hw/misc/mps2-scc.c +index b3b42a792c..fe5034db14 100644 +--- a/hw/misc/mps2-scc.c ++++ b/hw/misc/mps2-scc.c +@@ -329,6 +329,13 @@ static void mps2_scc_realize(DeviceState *dev, Error **errp) + s->oscclk = g_new0(uint32_t, s->num_oscclk); + } + ++static void mps2_scc_finalize(Object *obj) ++{ ++ MPS2SCC *s = MPS2_SCC(obj); ++ ++ g_free(s->oscclk_reset); ++} ++ + static const VMStateDescription mps2_scc_vmstate = { + .name = "mps2-scc", + .version_id = 3, +@@ -385,6 +392,7 @@ static const TypeInfo mps2_scc_info = { + .parent = TYPE_SYS_BUS_DEVICE, + .instance_size = sizeof(MPS2SCC), + .instance_init = mps2_scc_init, ++ .instance_finalize = mps2_scc_finalize, + .class_init = mps2_scc_class_init, + }; + +-- +2.27.0 + 
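Review bot: mps2_scc_finalize() frees `oscclk_reset` but not `oscclk`, which the visible tail of mps2_scc_realize() allocates with `g_new0(uint32_t, s->num_oscclk)`; unless an unrealize hook outside this hunk releases it, that array leaks on the same path and `g_free(s->oscclk);` belongs next to the existing free. The patch subject says "oscclk[]" while the code frees `oscclk_reset`, so at least one of the two should be corrected to match.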
diff --git a/hw-nvram-xlnx-efuse-Free-XlnxEFuse-ro_bits-array-on-.patch b/hw-nvram-xlnx-efuse-Free-XlnxEFuse-ro_bits-array-on-.patch new file mode 100644 index 0000000000000000000000000000000000000000..2a4442689eaeb19bc7da7301ae42bc6a0ac72a47 --- /dev/null +++ b/hw-nvram-xlnx-efuse-Free-XlnxEFuse-ro_bits-array-on-.patch 
@@ -0,0 +1,64 @@ +From aec47cbfa3ad713883d783cd86d3d6fe3413a585 Mon Sep 17 00:00:00 2001 +From: zhujun2 +Date: Mon, 4 Mar 2024 01:26:37 -0800 +Subject: [PATCH] hw/nvram/xlnx-efuse: Free XlnxEFuse::ro_bits[] array on + finalize() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Commit 0be6bfac62 ("qdev: Implement variable length array properties") +added the DEFINE_PROP_ARRAY() macro with the following comment: + +* It is the responsibility of the device deinit code to free the +* @_arrayfield memory. + +Commit 68fbcc344e added: + +DEFINE_PROP_ARRAY("read-only", XlnxEFuse, ro_bits_cnt, ro_bits, + qdev_prop_uint32, uint32_t), + +but forgot to free the 'ro_bits' array. Do it in the instance_finalize +handler. + +Cc: qemu-stable@nongnu.org +Fixes: 68fbcc344e ("hw/nvram: Introduce Xilinx eFuse QOM") # v6.2.0+ +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20231121174051.63038-5-philmd@linaro.org +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell +(cherry picked from commit 49b3e28b7bdfe771150d05c4b5860aa7854a4232) +Signed-off-by: zhujun2 +--- + hw/nvram/xlnx-efuse.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/nvram/xlnx-efuse.c b/hw/nvram/xlnx-efuse.c +index a0fd77b586..5b131e89b1 100644 +--- a/hw/nvram/xlnx-efuse.c ++++ b/hw/nvram/xlnx-efuse.c +@@ -217,6 +217,13 @@ static void efuse_realize(DeviceState *dev, Error **errp) + } + } + ++static void efuse_finalize(Object *obj) ++{ ++ XlnxEFuse *s = XLNX_EFUSE(obj); ++ ++ g_free(s->ro_bits); ++} ++ + static void efuse_prop_set_drive(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) + { +@@ -273,6 +280,7 @@ static const TypeInfo efuse_info = { + .name = TYPE_XLNX_EFUSE, + .parent = TYPE_DEVICE, + .instance_size = sizeof(XlnxEFuse), ++ .instance_finalize = efuse_finalize, + .class_init = efuse_class_init, + }; + +-- +2.27.0 + 
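Review bot: efuse_finalize() releases only `ro_bits`; the end of efuse_realize() is visible but its start is not, so if it allocates any other backing store for the fuse contents, that should be freed alongside — here or in an unrealize hook — and is worth checking before merging. A one-line comment on the free would tie it to the contract it satisfies: `/* DEFINE_PROP_ARRAY("read-only") leaves freeing the array to the device. */`.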
diff --git a/hw-nvram-xlnx-efuse-ctrl-Free-XlnxVersalEFuseCtrl-pg.patch b/hw-nvram-xlnx-efuse-ctrl-Free-XlnxVersalEFuseCtrl-pg.patch new file mode 100644 index 0000000000000000000000000000000000000000..67899193559b2d68426442f12ac837eadb76b1fe --- /dev/null +++ b/hw-nvram-xlnx-efuse-ctrl-Free-XlnxVersalEFuseCtrl-pg.patch 
@@ -0,0 +1,65 @@ +From d8685a2aca40ad07ecab1da84ec97f6384b26a66 Mon Sep 17 00:00:00 2001 +From: zhujun2 +Date: Mon, 4 Mar 2024 01:46:13 -0800 +Subject: [PATCH] hw/nvram/xlnx-efuse-ctrl: Free XlnxVersalEFuseCtrl[] + "pg0-lock" array +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Commit 0be6bfac62 ("qdev: Implement variable length array properties") +added the DEFINE_PROP_ARRAY() macro with the following comment: + +* It is the responsibility of the device deinit code to free the +* @_arrayfield memory. + +Commit 9e4aa1fafe added: + +DEFINE_PROP_ARRAY("pg0-lock", + XlnxVersalEFuseCtrl, extra_pg0_lock_n16, + extra_pg0_lock_spec, qdev_prop_uint16, uint16_t), + +but forgot to free the 'extra_pg0_lock_spec' array. Do it in the +instance_finalize() handler. + +Cc: qemu-stable@nongnu.org +Fixes: 9e4aa1fafe ("hw/nvram: Xilinx Versal eFuse device") # v6.2.0+ +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20231121174051.63038-6-philmd@linaro.org +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell +(cherry picked from commit 4f10c66077e39969940d928077560665e155cac8) +Signed-off-by: zhujun2 +--- + hw/nvram/xlnx-versal-efuse-ctrl.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/nvram/xlnx-versal-efuse-ctrl.c b/hw/nvram/xlnx-versal-efuse-ctrl.c +index b35ba65ab5..2d2dc09526 100644 +--- a/hw/nvram/xlnx-versal-efuse-ctrl.c ++++ b/hw/nvram/xlnx-versal-efuse-ctrl.c +@@ -725,6 +725,13 @@ static void efuse_ctrl_init(Object *obj) + sysbus_init_irq(sbd, &s->irq_efuse_imr); + } + ++static void efuse_ctrl_finalize(Object *obj) ++{ ++ XlnxVersalEFuseCtrl *s = XLNX_VERSAL_EFUSE_CTRL(obj); ++ ++ g_free(s->extra_pg0_lock_spec); ++} ++ + static const VMStateDescription vmstate_efuse_ctrl = { + .name = TYPE_XLNX_VERSAL_EFUSE_CTRL, + .version_id = 1, +@@ -762,6 +769,7 @@ static const TypeInfo efuse_ctrl_info = { + .instance_size = sizeof(XlnxVersalEFuseCtrl), + .class_init = efuse_ctrl_class_init, + .instance_init = 
efuse_ctrl_init, ++ .instance_finalize = efuse_ctrl_finalize, + }; + + static void efuse_ctrl_register_types(void) +-- +2.27.0 + diff --git a/hw-smbios-Fix-OEM-strings-table-option-validation.patch b/hw-smbios-Fix-OEM-strings-table-option-validation.patch new file mode 100644 index 0000000000000000000000000000000000000000..08e51f6835ce5419683694ebc892a87c06cb6dbf --- /dev/null +++ b/hw-smbios-Fix-OEM-strings-table-option-validation.patch @@ -0,0 +1,51 @@ +From 7a332d757d2bec6d1c5433a807ceceb0cf96e00c Mon Sep 17 00:00:00 2001 +From: qihao +Date: Tue, 27 Feb 2024 10:22:18 +0800 +Subject: [PATCH] hw/smbios: Fix OEM strings table option validation + +cheery-pick from e8ddec58053e9361b2cc18ec6d17b6c95590bf3c + +qemu_smbios_type11_opts did not have the list terminator and that +resulted in out-of-bound memory access. It also needs to have an element +for the type option. + +Cc: qemu-stable@nongnu.org +Fixes: 2d6dcbf93fb0 ("smbios: support setting OEM strings table") +Signed-off-by: Akihiko Odaki +Reviewed-by: Michael Tokarev +Message-Id: <20240129-smbios-v2-1-9ee6fede0d10@daynix.com> +Reviewed-by: Ani Sinha +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Signed-off-by: qihao_yewu +--- + hw/smbios/smbios.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c +index 66be9aee09..f73b9417c8 100644 +--- a/hw/smbios/smbios.c ++++ b/hw/smbios/smbios.c +@@ -332,6 +332,11 @@ static const QemuOptDesc qemu_smbios_type4_opts[] = { + }; + + static const QemuOptDesc qemu_smbios_type11_opts[] = { ++ { ++ .name = "type", ++ .type = QEMU_OPT_NUMBER, ++ .help = "SMBIOS element type", ++ }, + { + .name = "value", + .type = QEMU_OPT_STRING, +@@ -342,6 +347,7 @@ static const QemuOptDesc qemu_smbios_type11_opts[] = { + .type = QEMU_OPT_STRING, + .help = "OEM string data from file", + }, ++ { /* end of list */ } + }; + + static const QemuOptDesc qemu_smbios_type17_opts[] = { +-- +2.27.0 + 
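Review bot: The missing `{ /* end of list */ }` terminator meant option validation walked past the end of `qemu_smbios_type11_opts`, an out-of-bounds read on the host command-line path (`-smbios type=11,...`), so this is a local-configuration bug rather than a guest-triggerable one, but the shape is easy to repeat: every QemuOptDesc array in this file needs the same sentinel, and the visible neighbours (`qemu_smbios_type4_opts` closing just above, `qemu_smbios_type17_opts` opening below) are worth a one-time check. Adding the `type` entry also changes what the parser accepts, so a qtest passing `-smbios type=11,value=foo` and expecting no validation error would cover both halves of the fix.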
diff --git a/hw-virtio-virtio-iommu-Enforce-power-of-two-notify-f.patch b/hw-virtio-virtio-iommu-Enforce-power-of-two-notify-f.patch new file mode 100644 index 0000000000000000000000000000000000000000..1d33773e201a116a7975756f1004922e8d68264b --- /dev/null +++ b/hw-virtio-virtio-iommu-Enforce-power-of-two-notify-f.patch 
@@ -0,0 +1,113 @@ +From 89376545e23d5fa3b6e3f9d404edf0382c6f5ad3 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Wed, 13 Mar 2024 03:28:06 +0000 +Subject: [PATCH] hw/virtio/virtio-iommu: Enforce power-of-two notify for both + MAP and UNMAP mainline inclusion commit + 0522be9a0c0094088ccef7aab352c57f483ca250 category: bugfix + +--------------------------------------------------------------- + +Currently we only enforce power-of-two mappings (required by the QEMU +notifier) for UNMAP requests. A MAP request not aligned on a +power-of-two may be successfully handled by VFIO, and then the +corresponding UNMAP notify will fail because it will attempt to split +that mapping. Ensure MAP and UNMAP notifications are consistent. + +Fixes: dde3f08b5cab ("virtio-iommu: Handle non power of 2 range invalidations") +Reported-by: Tina Zhang +Signed-off-by: Jean-Philippe Brucker +Message-Id: <20220718135636.338264-1-jean-philippe@linaro.org> +Tested-by: Tina Zhang +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. 
Tsirkin + +Signed-off-by: tangbinzy +--- + hw/virtio/virtio-iommu.c | 47 ++++++++++++++++++++++++---------------- + 1 file changed, 28 insertions(+), 19 deletions(-) + +diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c +index ae33d93b11..190ec2579a 100644 +--- a/hw/virtio/virtio-iommu.c ++++ b/hw/virtio/virtio-iommu.c +@@ -125,6 +125,32 @@ static gint interval_cmp(gconstpointer a, gconstpointer b, gpointer user_data) + } + } + ++static void virtio_iommu_notify_map_unmap(IOMMUMemoryRegion *mr, ++ IOMMUTLBEvent *event, ++ hwaddr virt_start, hwaddr virt_end) ++{ ++ uint64_t delta = virt_end - virt_start; ++ ++ event->entry.iova = virt_start; ++ event->entry.addr_mask = delta; ++ ++ if (delta == UINT64_MAX) { ++ memory_region_notify_iommu(mr, 0, *event); ++ } ++ ++ while (virt_start != virt_end + 1) { ++ uint64_t mask = dma_aligned_pow2_mask(virt_start, virt_end, 64); ++ ++ event->entry.addr_mask = mask; ++ event->entry.iova = virt_start; ++ memory_region_notify_iommu(mr, 0, *event); ++ virt_start += mask + 1; ++ if (event->entry.perm != IOMMU_NONE) { ++ event->entry.translated_addr += mask + 1; ++ } ++ } ++} ++ + static void virtio_iommu_notify_map(IOMMUMemoryRegion *mr, hwaddr virt_start, + hwaddr virt_end, hwaddr paddr, + uint32_t flags) +@@ -143,19 +169,16 @@ static void virtio_iommu_notify_map(IOMMUMemoryRegion *mr, hwaddr virt_start, + + event.type = IOMMU_NOTIFIER_MAP; + event.entry.target_as = &address_space_memory; +- event.entry.addr_mask = virt_end - virt_start; +- event.entry.iova = virt_start; + event.entry.perm = perm; + event.entry.translated_addr = paddr; + +- memory_region_notify_iommu(mr, 0, event); ++ virtio_iommu_notify_map_unmap(mr, &event, virt_start, virt_end); + } + + static void virtio_iommu_notify_unmap(IOMMUMemoryRegion *mr, hwaddr virt_start, + hwaddr virt_end) + { + IOMMUTLBEvent event; +- uint64_t delta = virt_end - virt_start; + + if (!(mr->iommu_notify_flags & IOMMU_NOTIFIER_UNMAP)) { + return; +@@ -167,22 +190,8 @@ static 
void virtio_iommu_notify_unmap(IOMMUMemoryRegion *mr, hwaddr virt_start, + event.entry.target_as = &address_space_memory; + event.entry.perm = IOMMU_NONE; + event.entry.translated_addr = 0; +- event.entry.addr_mask = delta; +- event.entry.iova = virt_start; +- +- if (delta == UINT64_MAX) { +- memory_region_notify_iommu(mr, 0, event); +- } + +- +- while (virt_start != virt_end + 1) { +- uint64_t mask = dma_aligned_pow2_mask(virt_start, virt_end, 64); +- +- event.entry.addr_mask = mask; +- event.entry.iova = virt_start; +- memory_region_notify_iommu(mr, 0, event); +- virt_start += mask + 1; +- } ++ virtio_iommu_notify_map_unmap(mr, &event, virt_start, virt_end); + } + + static gboolean virtio_iommu_notify_unmap_cb(gpointer key, gpointer value, +-- +2.27.0 + diff --git a/i386-cpu-Clear-FEAT_XSAVE_XSS_LO-HI-leafs-when-CPUID.patch b/i386-cpu-Clear-FEAT_XSAVE_XSS_LO-HI-leafs-when-CPUID.patch new file mode 100644 index 0000000000000000000000000000000000000000..b82f3c9e4ff6f629110982bf159770cc036d0cce --- /dev/null +++ b/i386-cpu-Clear-FEAT_XSAVE_XSS_LO-HI-leafs-when-CPUID.patch 
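Review bot: In virtio_iommu_notify_map_unmap() the `delta == UINT64_MAX` branch notifies the whole range and then falls into the while loop, which is skipped only because `virt_end + 1` wraps to 0 and equals `virt_start`; that is correct but invisible, and either an explicit `return;` after the full-range notify or a comment would save the next reader the derivation: `/* Whole 64-bit space cannot be expressed as a mask: notify it once. virt_end + 1 wraps to virt_start, so the loop below does not run. */`. The same wraparound is what terminates the loop when `virt_end == UINT64_MAX` with a non-zero start, which is well-defined for unsigned arithmetic but deserves the same note. The `translated_addr` advance is guarded by `perm != IOMMU_NONE`, so UNMAP events keep the 0 the caller set — good.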
@@ -0,0 +1,41 @@
+From fb069ba131d312e4f4008c95710d0150c4039acf Mon Sep 17 00:00:00 2001
+From: Xiaoyao Li
+Date: Mon, 15 Jan 2024 04:13:24 -0500
+Subject: [PATCH] i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when
+ CPUID_EXT_XSAVE is not available
+
+commit 81f5cad3858f27623b1b14467926032d229b76cc upstream.
+
+Leaf FEAT_XSAVE_XSS_LO and FEAT_XSAVE_XSS_HI also need to be cleared
+when CPUID_EXT_XSAVE is not set.
+
+Intel-SIG: commit 81f5cad3858f i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE is not available
+Backport i386/cpu bugfixes
+
+Fixes: 301e90675c3f ("target/i386: Enable support for XSAVES based features")
+Signed-off-by: Xiaoyao Li
+Reviewed-by: Yang Weijiang
+Message-ID: <20240115091325.1904229-2-xiaoyao.li@intel.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Jason Zeng
+---
+ target/i386/cpu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 9ab8ef3bd1..ba8a3f4f2f 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -6479,6 +6479,8 @@ static void x86_cpu_enable_xsave_components(X86CPU *cpu)
+ if (!(env->features[FEAT_1_ECX] & CPUID_EXT_XSAVE)) {
+ env->features[FEAT_XSAVE_XCR0_LO] = 0;
+ env->features[FEAT_XSAVE_XCR0_HI] = 0;
++ env->features[FEAT_XSAVE_XSS_LO] = 0;
++ env->features[FEAT_XSAVE_XSS_HI] = 0;
+ return;
+ }
+
+--
+2.27.0
+
diff --git a/i386-cpu-Mask-with-XCR0-XSS-mask-for-FEAT_XSAVE_XCR0.patch b/i386-cpu-Mask-with-XCR0-XSS-mask-for-FEAT_XSAVE_XCR0.patch
new file mode 100644
index 0000000000000000000000000000000000000000..15e34d6a34af9b08adf5670d0f00d8463218c758
--- /dev/null
+++ b/i386-cpu-Mask-with-XCR0-XSS-mask-for-FEAT_XSAVE_XCR0.patch
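Review bot: The early-return block now zeroes four feature words and the reason is only in the commit message; put it in the code: `/* No XSAVE: advertise neither XCR0 nor IA32_XSS state components (CPUID leaf 0xD). */` — the leaf number is from memory, adjust if this tree names it differently. Behaviourally the change is right: leaving XSS_LO/HI populated without CPUID_EXT_XSAVE would expose XSAVES component bits the guest cannot actually use. x86_cpu_enable_xsave_components() continues after the hunk.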
@@ -0,0 +1,45 @@
+From a4497d44e8124a7a5ee4ae403fde058651155ca9 Mon Sep 17 00:00:00 2001
+From: Xiaoyao Li
+Date: Mon, 15 Jan 2024 04:13:25 -0500
+Subject: [PATCH] i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and
+ FEAT_XSAVE_XSS_HI leafs
+
+commit a11a365159b944e05be76f3ec3b98c8b38cb70fd upstream.
+
+The value of FEAT_XSAVE_XCR0_HI leaf and FEAT_XSAVE_XSS_HI leaf also
+need to be masked by XCR0 and XSS mask respectively, to make it
+logically correct.
+
+Intel-SIG: commit a11a365159b9 i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and FEAT_XSAVE_XSS_HI leafs
+Backport i36/cpu bugfixes
+
+Fixes: 301e90675c3f ("target/i386: Enable support for XSAVES based features")
+Signed-off-by: Xiaoyao Li
+Reviewed-by: Yang Weijiang
+Message-ID: <20240115091325.1904229-3-xiaoyao.li@intel.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Jason Zeng
+---
+ target/i386/cpu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index ba8a3f4f2f..62ac5ed005 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -6499,9 +6499,9 @@ static void x86_cpu_enable_xsave_components(X86CPU *cpu)
+ }
+
+ env->features[FEAT_XSAVE_XCR0_LO] = mask & CPUID_XSTATE_XCR0_MASK;
+- env->features[FEAT_XSAVE_XCR0_HI] = mask >> 32;
++ env->features[FEAT_XSAVE_XCR0_HI] = (mask & CPUID_XSTATE_XCR0_MASK) >> 32;
+ env->features[FEAT_XSAVE_XSS_LO] = mask & CPUID_XSTATE_XSS_MASK;
+- env->features[FEAT_XSAVE_XSS_HI] = mask >> 32;
++ env->features[FEAT_XSAVE_XSS_HI] = (mask & CPUID_XSTATE_XSS_MASK) >> 32;
+ }
+
+ /***** Steps involved on loading and filtering CPUID data
+--
+2.27.0
+
diff --git a/i386-cpuid-Decrease-cpuid_i-when-skipping-CPUID-leaf.patch b/i386-cpuid-Decrease-cpuid_i-when-skipping-CPUID-leaf.patch
new file mode 100644
index 0000000000000000000000000000000000000000..beb0cb164f7a1504dd9d53625f29c493f03f9ea3
--- /dev/null
+++ b/i386-cpuid-Decrease-cpuid_i-when-skipping-CPUID-leaf.patch
@@ -0,0 +1,41 @@
+From 3b70aff18c50fc36dde1a0d305acfd1872f57141 Mon Sep 17 00:00:00 2001
+From: Xiaoyao Li
+Date: Wed, 24 Jan 2024 21:40:14 -0500
+Subject: [PATCH] i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F
+
+commit 10f92799af8ba3c3cef2352adcd4780f13fbab31 upstream.
+
+Existing code misses a decrement of cpuid_i when skip leaf 0x1F.
+There's a blank CPUID entry(with leaf, subleaf as 0, and all fields
+stuffed 0s) left in the CPUID array.
+
+It conflicts with correct CPUID leaf 0.
+
+Intel-SIG: commit 10f92799af8b i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F
+Backport i386/cpu bugfixes
+
+Signed-off-by: Xiaoyao Li
+Reviewed-by:Yang Weijiang
+Message-ID: <20240125024016.2521244-2-xiaoyao.li@intel.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Jason Zeng
+---
+ target/i386/kvm/kvm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
+index e1601422bc..0927d1f515 100644
+--- a/target/i386/kvm/kvm.c
++++ b/target/i386/kvm/kvm.c
+@@ -1759,6 +1759,7 @@ int kvm_arch_init_vcpu(CPUState *cs)
+ }
+ case 0x1f:
+ if (env->nr_dies < 2) {
++ cpuid_i--;
+ break;
+ }
+ /* fallthrough */
+--
+2.27.0
+
diff --git a/i386-cpuid-Move-leaf-7-to-correct-group.patch b/i386-cpuid-Move-leaf-7-to-correct-group.patch
new file mode 100644
index 0000000000000000000000000000000000000000..93ea8dc711ca062565407d840eaea98bbb2fa4d7
--- /dev/null
+++ b/i386-cpuid-Move-leaf-7-to-correct-group.patch
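Review bot: The added `cpuid_i--` in the `case 0x1f` early exit only makes sense because an entry was reserved with `cpuid_i++` before the switch, and that reservation is outside the hunk, so the pairing is invisible at the point of the decrement. A one-line comment would record it: `cpuid_i--; /* give back the entry reserved for this leaf above */`. kvm_arch_init_vcpu starts and ends outside the hunk, so whether any other skipped leaf in the same switch leaves a similar blank entry cannot be confirmed from here and is worth checking in the same pass.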
@@ -0,0 +1,53 @@
+From 83beaa72ec488c7bb35fbca3efd84ecaa0d88071 Mon Sep 17 00:00:00 2001
+From: Xiaoyao Li
+Date: Wed, 24 Jan 2024 21:40:16 -0500
+Subject: [PATCH] i386/cpuid: Move leaf 7 to correct group
+
+commit 0729857c707535847d7fe31d3d91eb8b2a118e3c upstream.
+
+CPUID leaf 7 was grouped together with SGX leaf 0x12 by commit
+b9edbadefb9e ("i386: Propagate SGX CPUID sub-leafs to KVM") by mistake.
+
+SGX leaf 0x12 has its specific logic to check if subleaf (starting from 2)
+is valid or not by checking the bit 0:3 of corresponding EAX is 1 or
+not.
+
+Leaf 7 follows the logic that EAX of subleaf 0 enumerates the maximum
+valid subleaf.
+
+Intel-SIG: commit 0729857c7075 i386/cpuid: Move leaf 7 to correct group
+Backport i386/cpu bugfixes
+
+Fixes: b9edbadefb9e ("i386: Propagate SGX CPUID sub-leafs to KVM")
+Signed-off-by: Xiaoyao Li
+Message-ID: <20240125024016.2521244-4-xiaoyao.li@intel.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Jason Zeng
+---
+ target/i386/kvm/kvm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
+index 0927d1f515..99be7f6155 100644
+--- a/target/i386/kvm/kvm.c
++++ b/target/i386/kvm/kvm.c
+@@ -1800,7 +1800,6 @@ int kvm_arch_init_vcpu(CPUState *cs)
+ c = &cpuid_data.entries[cpuid_i++];
+ }
+ break;
+- case 0x7:
+ case 0x12:
+ for (j = 0; ; j++) {
+ c->function = i;
+@@ -1820,6 +1819,7 @@ int kvm_arch_init_vcpu(CPUState *cs)
+ c = &cpuid_data.entries[cpuid_i++];
+ }
+ break;
++ case 0x7:
+ case 0x14:
+ case 0x1d:
+ case 0x1e: {
+--
+2.27.0
+
diff --git a/ipmi-smbus-Add-a-check-around-a-memcpy.patch b/ipmi-smbus-Add-a-check-around-a-memcpy.patch
new file mode 100644
index 0000000000000000000000000000000000000000..219260e209ad84f1c079b26dd1f2f49833f067bb
--- /dev/null
+++ b/ipmi-smbus-Add-a-check-around-a-memcpy.patch
@@ -0,0 +1,47 @@
+From d9f1221c0f4ff778e5e11d71519dfe1fe2f37e28 Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Thu, 21 Mar 2024 03:16:54 +0000
+Subject: [PATCH] ipmi:smbus: Add a check around a memcpy mainline inclusion
+ commit 3fde641e7286f9b968bdb3b4b922c6465f2a9abc category: bugfix
+
+---------------------------------------------------------------
+
+In one case:
+
+ memcpy(sid->inmsg + sid->inlen, buf, len);
+
+if len == 0 then sid->inmsg + sig->inlen can point to one past the inmsg
+array if the array is full. We have to allow len == 0 due to some
+vagueness in the spec, but we don't have to call memcpy.
+
+Found by Coverity. This is not a problem in practice, but the results
+are technically (maybe) undefined. So make Coverity happy.
+
+Reported-by: Peter Maydell
+Signed-off-by: Corey Minyard
+Acked-by: Michael S. Tsirkin
+Reviewed-by: Peter Maydell
+
+Signed-off-by: tangbinzy
+---
+ hw/ipmi/smbus_ipmi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/ipmi/smbus_ipmi.c b/hw/ipmi/smbus_ipmi.c
+index 1fdf0a66b6..1591211a86 100644
+--- a/hw/ipmi/smbus_ipmi.c
++++ b/hw/ipmi/smbus_ipmi.c
+@@ -280,7 +280,9 @@ static int ipmi_write_data(SMBusDevice *dev, uint8_t *buf, uint8_t len)
+ */
+ send = true;
+ }
+- memcpy(sid->inmsg + sid->inlen, buf, len);
++ if (len > 0) {
++ memcpy(sid->inmsg + sid->inlen, buf, len);
++ }
+ sid->inlen += len;
+ break;
+ }
+--
+2.27.0
+
diff --git a/linux-user-flatload.c-Fix-setting-of-image_info-end_.patch b/linux-user-flatload.c-Fix-setting-of-image_info-end_.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8cb2793f0f1e177dd29752ce03bc1dbffef10bb8
--- /dev/null
+++ b/linux-user-flatload.c-Fix-setting-of-image_info-end_.patch
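Review bot: The new `if (len > 0)` guard only avoids forming the pointer `sid->inmsg + sid->inlen` one past the array for an empty write; it does not itself bound `sid->inlen + len` against the size of `sid->inmsg`, and the check that does so (the commit message speaks of the array being full, so one presumably exists) is outside the hunk. Because `buf` and `len` arrive from the guest over SMBus and `sid->inlen += len;` on the line after the guard is unconditional, it is worth confirming in ipmi_write_data — which starts and ends outside the hunk — that the earlier length check runs before this point on every path that reaches the memcpy. A short comment above the guard would record why zero is special: `/* len == 0 is allowed by the spec; skip memcpy so we never form a pointer past inmsg[] */`.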
@@ -0,0 +1,47 @@
+From 28654c3906e23d26dd740a3a300832345c9e0325 Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Wed, 13 Mar 2024 02:33:21 +0000
+Subject: [PATCH] linux-user/flatload.c: Fix setting of image_info::end_code
+ mainline inclusion commit 734a659ad264ac080457167e845ffabbaaa66d0e category:
+ bugfix
+
+---------------------------------------------------------------
+
+The flatload loader sets the end_code field in the image_info struct
+incorrectly, due to a typo.
+
+This is a very long-standing bug (dating all the way back to when
+the bFLT loader was added in 2006), but has gone unnoticed because
+(a) most people don't use bFLT binaries
+(b) we don't actually do anything with the end_code field, except
+ print it in debugging traces and pass it to TCG plugins
+
+Fix the typo.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1119
+Signed-off-by: Peter Maydell
+Reviewed-by: Richard Henderson
+Message-Id: <20220728151406.2262862-1-peter.maydell@linaro.org>
+Signed-off-by: Laurent Vivier
+
+Signed-off-by: tangbinzy
+---
+ linux-user/flatload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux-user/flatload.c b/linux-user/flatload.c
+index e4c2f89a22..e99570ca18 100644
+--- a/linux-user/flatload.c
++++ b/linux-user/flatload.c
+@@ -808,7 +808,7 @@ int load_flt_binary(struct linux_binprm *bprm, struct image_info *info)
+
+ /* Stash our initial stack pointer into the mm structure */
+ info->start_code = libinfo[0].start_code;
+- info->end_code = libinfo[0].start_code = libinfo[0].text_len;
++ info->end_code = libinfo[0].start_code + libinfo[0].text_len;
+ info->start_data = libinfo[0].start_data;
+ info->end_data = libinfo[0].end_data;
+ info->start_brk = libinfo[0].start_brk;
+--
+2.27.0
+
diff --git a/linux-user-riscv-Align-signal-frame-to-16-bytes.patch b/linux-user-riscv-Align-signal-frame-to-16-bytes.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f975d609c5e06ac3478d67c85b6248d1fd63aa3a
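Review bot: The context comment `/* Stash our initial stack pointer into the mm structure */` directly above the fixed line does not describe the assignments that follow, which copy the code, data and brk ranges of the main binary into `info` and never touch a stack pointer; since this backport already touches the block, rewording it to `/* Record the main binary's code, data and brk ranges in image_info */` would stop it misleading the next reader. Note also that the removed line assigned `libinfo[0].start_code` as a side effect, so any later use of that field — none is visible in the hunk — now sees the real start address rather than `text_len`, which is what the fix intends but is worth a glance when testing the backport. load_flt_binary starts and ends outside the hunk.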
--- /dev/null
+++ b/linux-user-riscv-Align-signal-frame-to-16-bytes.patch
@@ -0,0 +1,39 @@
+From e011a861479e486201feb0760a5fd2f449270f4d Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Thu, 21 Mar 2024 05:38:28 +0000
+Subject: [PATCH] linux-user/riscv: Align signal frame to 16 bytes mainline
+ inclusion commit 1eaa63429a9944265c92efdb94c02fabb231f564 category: bugfix
+
+---------------------------------------------------------------
+
+Follow the kernel's alignment, as we already noted.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1093
+Signed-off-by: Richard Henderson
+Reviewed-by: Alistair Francis
+Message-Id: <20220729201942.30738-1-richard.henderson@linaro.org>
+Signed-off-by: Alistair Francis
+
+Signed-off-by: tangbinzy
+---
+ linux-user/riscv/signal.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/linux-user/riscv/signal.c b/linux-user/riscv/signal.c
+index a0f9542ce3..c50ac6d0aa 100644
+--- a/linux-user/riscv/signal.c
++++ b/linux-user/riscv/signal.c
+@@ -64,9 +64,7 @@ static abi_ulong get_sigframe(struct target_sigaction *ka,
+
+ /* This is the X/Open sanctioned signal stack switching. */
+ sp = target_sigsp(sp, ka) - framesize;
+-
+- /* XXX: kernel aligns with 0xf ? */
+- sp &= ~3UL; /* align sp on 4-byte boundary */
++ sp &= ~0xf;
+
+ return sp;
+ }
+--
+2.27.0
+
diff --git a/load_elf-fix-iterator-s-type-for-elf-file-processing.patch b/load_elf-fix-iterator-s-type-for-elf-file-processing.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5c3383e2f4b4dc889241d1b76487d93ef8701339
--- /dev/null
+++ b/load_elf-fix-iterator-s-type-for-elf-file-processing.patch
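Review bot: `sp &= ~0xf;` relies on the int constant `~0xf` (value -16) being sign-extended when it is converted to the type of `sp`; that yields the intended mask for an unsigned `abi_ulong` of either width, but it is a signed/unsigned mix that `-Wsign-conversion` reports and that the replaced line avoided with `~3UL`. Writing it as `sp &= ~(abi_ulong)0xf;` keeps the width explicit, and a short comment in place of the removed one, e.g. `/* the kernel aligns the signal frame to 16 bytes */`, preserves the reason the value changed. get_sigframe's signature shows it returns abi_ulong, but the declaration of `sp` is outside the hunk, so its type is inferred here.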
@@ -0,0 +1,42 @@
+From 5ae048bf81cea4b992649fda03ebc7fa21effaa6 Mon Sep 17 00:00:00 2001
+From: zhujun2
+Date: Sun, 3 Mar 2024 23:06:14 -0800
+Subject: [PATCH] load_elf: fix iterator's type for elf file processing
+
+j is used while loading an ELF file to byteswap segments'
+data. If data is larger than 2GB an overflow may happen.
+So j should be elf_word.
+
+This commit fixes a minor bug: it's unlikely anybody is trying to
+load ELF files with 2GB+ segments for wrong-endianness targets,
+but if they did, it wouldn't work correctly.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 7ef295ea5b ("loader: Add data swap option to load-elf")
+Signed-off-by: Anastasia Belova
+Reviewed-by: Peter Maydell
+Signed-off-by: Peter Maydell
+(cherry picked from commit 410c2a4d75f52f6a2fe978eda5a9b6f854afe5ea)
+Signed-off-by: zhujun2
+---
+ include/hw/elf_ops.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/hw/elf_ops.h b/include/hw/elf_ops.h
+index 7c3b1d0f6c..ea17fe9fb5 100644
+--- a/include/hw/elf_ops.h
++++ b/include/hw/elf_ops.h
+@@ -499,7 +499,7 @@ static ssize_t glue(load_elf, SZ)(const char *name, int fd,
+ }
+
+ if (data_swab) {
+- int j;
++ elf_word j;
+ for (j = 0; j < file_size; j += (1 << data_swab)) {
+ uint8_t *dp = data + j;
+ switch (data_swab) {
+--
+2.27.0
+
diff --git a/qemu-options.hx-Don-t-claim-serial-has-limit-of-4-se.patch b/qemu-options.hx-Don-t-claim-serial-has-limit-of-4-se.patch
new file mode 100644
index 0000000000000000000000000000000000000000..25626c4b445abf1e32569ccea9e6f444b097558d
--- /dev/null
+++ b/qemu-options.hx-Don-t-claim-serial-has-limit-of-4-se.patch
@@ -0,0 +1,41 @@ +From c80641ae418a782544304adf64260487ca581c19 Mon Sep 17 00:00:00 2001 +From: guping +Date: Wed, 6 Mar 2024 09:57:24 +0000 +Subject: [PATCH] qemu-options.hx: Don't claim "-serial" has limit of 4 serial + ports Before v2.12, the implementation of serial ports was limited to a value + of MAX_SERIAL_PORTS = 4. We now dynamically allocate the data structures for + serial ports, so this limit is no longer present, but the documentation for + the -serial options still reads: + + "This option can be used several times to simulate up to 4 serial ports." + +Update to "This option can be used several times to simulate +multiple serial ports." to avoid misleading. + +Signed-off-by: default avatarSteven Shen +Message-id: 20240305013016.2268-1-steven.shen@jaguarmicro.com +Reviewed-by: default avatarPeter Maydell +[PMM: tweaked commit message] +Signed-off-by: default avatarPeter Maydell + +Signed-off-by: guping +--- + qemu-options.hx | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/qemu-options.hx b/qemu-options.hx +index e25b76771d..d940b4aea5 100644 +--- a/qemu-options.hx ++++ b/qemu-options.hx +@@ -3783,7 +3783,7 @@ SRST + default device is ``vc`` in graphical mode and ``stdio`` in non + graphical mode. + +- This option can be used several times to simulate up to 4 serial ++ This option can be used several times to simulate multiple serial + ports. + + Use ``-serial none`` to disable all serial ports. +-- +2.27.0 + diff --git a/qemu.spec b/qemu.spec index 9faf51e8855ef8ac9f26296f5fa28ba157b4fe95..66569a6441a16482e5b602eb83a307650099e0dc 100644 --- a/qemu.spec +++ b/qemu.spec @@ -3,7 +3,7 @@ Name: qemu Version: 6.2.0 -Release: 89 +Release: 90 Epoch: 10 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 
@@ -875,6 +875,38 @@ Patch0860: ui-clipboard-mark-type-as-not-available-when-there-i.patch Patch0861: virtio-net-correctly-copy-vnet-header-when-flushing-.patch Patch0862: hw-timer-fix-systick-trace-message.patch Patch0863: qga-win-Fix-guest-get-fsinfo-multi-disks-collection.patch +Patch0864: hw-smbios-Fix-OEM-strings-table-option-validation.patch +Patch0865: vl-Improve-error-message-for-conflicting-incoming-an.patch +Patch0866: block-parallels-Fix-buffer-based-write-call.patch +Patch0867: hw-display-bcm2835_fb-Fix-framebuffer-allocation-add.patch +Patch0868: usb-hcd-xhci-check-slotid-in-xhci_wakeup_endpoint.patch +Patch0869: qga-treat-get-guest-fsinfo-as-best-effort.patch +Patch0870: block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch +Patch0871: chardev-char.c-fix-abstract-device-type-error-messag.patch +Patch0872: hw-nvram-xlnx-efuse-ctrl-Free-XlnxVersalEFuseCtrl-pg.patch +Patch0873: hw-nvram-xlnx-efuse-Free-XlnxEFuse-ro_bits-array-on-.patch +Patch0874: hw-misc-mps2-scc-Free-MPS2SCC-oscclk-array-on-finali.patch +Patch0875: load_elf-fix-iterator-s-type-for-elf-file-processing.patch +Patch0876: linux-user-flatload.c-Fix-setting-of-image_info-end_.patch +Patch0877: hw-ide-core-set-ERR_STAT-in-unsupported-command-comp.patch +Patch0878: vga-fix-incorrect-line-height-in-640x200x2-mode.patch +Patch0879: configure-Add-missing-POSIX-required-space.patch +Patch0880: hw-virtio-virtio-iommu-Enforce-power-of-two-notify-f.patch +Patch0881: target-s390x-fix-handling-of-zeroes-in-vfmin-vfmax.patch +Patch0882: block-migration-Ensure-we-don-t-crash-during-migrati.patch +Patch0883: target-ppc-Modify-the-uncorrect-value-irq-to-n_IRQ.patch +Patch0884: qemu-options.hx-Don-t-claim-serial-has-limit-of-4-se.patch +Patch0885: tests-tcg-linux-test-Fix-random-hangs-in-test_socket.patch +Patch0886: ipmi-smbus-Add-a-check-around-a-memcpy.patch +Patch0887: linux-user-riscv-Align-signal-frame-to-16-bytes.patch +Patch0888: hw-block-hd-geometry-Do-not-override-specified-bios-.patch 
+Patch0889: target-i386-Add-kvm_get_one_msr-helper.patch +Patch0890: target-i386-Enable-support-for-XSAVES-based-features.patch +Patch0891: target-i386-Change-wrong-XFRM-value-in-SGX-CPUID-lea.patch +Patch0892: i386-cpu-Clear-FEAT_XSAVE_XSS_LO-HI-leafs-when-CPUID.patch +Patch0893: i386-cpu-Mask-with-XCR0-XSS-mask-for-FEAT_XSAVE_XCR0.patch +Patch0894: i386-cpuid-Decrease-cpuid_i-when-skipping-CPUID-leaf.patch +Patch0895: i386-cpuid-Move-leaf-7-to-correct-group.patch BuildRequires: flex BuildRequires: gcc 
@@ -1473,6 +1505,40 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Sat Mar 23 2024 - 10:6.2.0-90 +- i386/cpuid: Move leaf 7 to correct group +- i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F +- i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and FEAT_XSAVE_XSS_HI leafs +- i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE is not available +- target/i386: Change wrong XFRM value in SGX CPUID leaf +- target/i386: Enable support for XSAVES based features +- target/i386: Add kvm_get_one_msr helper +- hw/block/hd-geometry: Do not override specified bios-chs-trans mainline inclusion commit fd8a68ad6823d33bedeba20a22857867a1c3890e category: bugfix +- linux-user/riscv: Align signal frame to 16 bytes mainline inclusion commit 1eaa63429a9944265c92efdb94c02fabb231f564 category: bugfix +- ipmi:smbus: Add a check around a memcpy mainline inclusion commit 3fde641e7286f9b968bdb3b4b922c6465f2a9abc category: bugfix +- tests/tcg/linux-test: Fix random hangs in test_socket mainline inclusion commit b9e6074fc5b429b1e956e9c60db7e284a91e0f3d category: bugfix +- qemu-options.hx: Don't claim "-serial" has limit of 4 serial ports Before v2.12, the implementation of serial ports was limited to a value of MAX_SERIAL_PORTS = 4. 
We now dynamically allocate the data structures for serial ports, so this limit is no longer present, but the documentation for the -serial options still reads: +- target/ppc: Modify the uncorrect value irq to n_IRQ +- block-migration: Ensure we don't crash during migration cleanup +- target/s390x: fix handling of zeroes in vfmin/vfmax mainline inclusion commit 13c59eb09bd6d1fbc13f08b708226421f14a232b category: bugfix +- hw/virtio/virtio-iommu: Enforce power-of-two notify for both MAP and UNMAP mainline inclusion commit 0522be9a0c0094088ccef7aab352c57f483ca250 category: bugfix +- configure: Add missing POSIX-required space mainline inclusion commit 35a7a6fc5624b1df828d82f2dfa74d0e4188b3b2 category: bugfix +- vga: fix incorrect line height in 640x200x2 mode mainline inclusion commit 37e7b86766244b62a406747bb78e049390d0b528 category: bugfix +- hw/ide/core: set ERR_STAT in unsupported command completion +- linux-user/flatload.c: Fix setting of image_info::end_code mainline inclusion commit 734a659ad264ac080457167e845ffabbaaa66d0e category: bugfix +- load_elf: fix iterator's type for elf file processing +- hw/misc/mps2-scc: Free MPS2SCC::oscclk[] array on finalize() +- hw/nvram/xlnx-efuse: Free XlnxEFuse::ro_bits[] array on finalize() +- hw/nvram/xlnx-efuse-ctrl: Free XlnxVersalEFuseCtrl[] "pg0-lock" array +- chardev/char.c: fix "abstract device type" error message +- block/rbd: fix handling of holes in .bdrv_co_block_status +- qga: treat get-guest-fsinfo as "best effort" mainline inclusion commit bbb0151cf2e82489120a15df5e2eb9653312b0ec category: bugfix +- usb/hcd-xhci: check slotid in xhci_wakeup_endpoint() mainline inclusion commit 84218892f05515d20347fde4506e1944eb11cb25 category: bugfix +- hw/display/bcm2835_fb: Fix framebuffer allocation address mainline inclusion commit 5865d99fe88d8c8fa437c18c6b63fb2a8165634f category: bugfix +- block/parallels: Fix buffer-based write call mainline inclusion commit eba088f91d21d9e42a81bef847173da30c5da961 category: bugfix +- 
vl: Improve error message for conflicting -incoming and -loadvm +- hw/smbios: Fix OEM strings table option validation + * Sat Mar 9 2024 - 10:6.2.0-89 - qga-win: Fix guest-get-fsinfo multi-disks collection - hw/timer: fix systick trace message diff --git a/qga-treat-get-guest-fsinfo-as-best-effort.patch b/qga-treat-get-guest-fsinfo-as-best-effort.patch new file mode 100644 index 0000000000000000000000000000000000000000..abbf2a4cb0e515adb09893ce62533b4076de54ed --- /dev/null +++ b/qga-treat-get-guest-fsinfo-as-best-effort.patch 
@@ -0,0 +1,56 @@
+From 2e6562a5c390407e89eb7ab903ab4cc09651bbcb Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Fri, 8 Mar 2024 02:48:34 +0000
+Subject: [PATCH] qga: treat get-guest-fsinfo as "best effort" mainline
+ inclusion commit bbb0151cf2e82489120a15df5e2eb9653312b0ec category: bugfix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---------------------------------------------------------------
+
+In some container environments, there may be references to block devices
+witnessable from a container through /proc/self/mountinfo that reference
+devices we simply don't have access to in the container, and cannot
+provide information about.
+
+Instead of failing the entire fsinfo command, return stub information
+for these failed lookups.
+
+This allows test-qga to pass under docker tests, which are in turn used
+by the CentOS VM tests.
+
+Signed-off-by: John Snow
+Reviewed-by: Marc-André Lureau
+Message-Id: <20220708153503.18864-2-jsnow@redhat.com>
+Signed-off-by: Thomas Huth
+
+Signed-off-by: tangbinzy
+---
+ qga/commands-posix.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/qga/commands-posix.c b/qga/commands-posix.c
+index 4e06271889..bee7a47ed2 100644
+--- a/qga/commands-posix.c
++++ b/qga/commands-posix.c
+@@ -1201,7 +1201,15 @@ static void build_guest_fsinfo_for_device(char const *devpath,
+
+ syspath = realpath(devpath, NULL);
+ if (!syspath) {
+- error_setg_errno(errp, errno, "realpath(\"%s\")", devpath);
++ if (errno != ENOENT) {
++ error_setg_errno(errp, errno, "realpath(\"%s\")", devpath);
++ return;
++ }
++
++ /* ENOENT: This devpath may not exist because of container config */
++ if (!fs->name) {
++ fs->name = g_path_get_basename(devpath);
++ }
+ return;
+ }
+
+--
+2.27.0
+
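Review bot: On the ENOENT path the function now returns silently with only `fs->name` filled in, so the caller receives a stub entry with no record of why the lookup was skipped, and an operator cannot tell a container-masked device from a genuinely missing one. A debug-level message before the stub is built, e.g. `g_debug("realpath(\"%s\"): %s; returning stub fsinfo", devpath, g_strerror(errno));`, keeps the best-effort behaviour while leaving a trace; it has to be emitted before `g_path_get_basename()` or use a saved copy, since that call may clobber `errno`. The other fields of `fs` are left untouched on this path, and whether the caller zero-initialises them is outside the hunk, so the consumer of a stub entry should be checked for that assumption. build_guest_fsinfo_for_device starts and ends outside the hunk.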
diff --git a/target-i386-Add-kvm_get_one_msr-helper.patch b/target-i386-Add-kvm_get_one_msr-helper.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f3b23616ae37c831a5a8029c6b2d37b9bca11bef
--- /dev/null
+++ b/target-i386-Add-kvm_get_one_msr-helper.patch
@@ -0,0 +1,123 @@
+From 66d093c4b3fbb3dcb232b38852c47fe1d7d5e1c1 Mon Sep 17 00:00:00 2001
+From: Yang Weijiang
+Date: Tue, 15 Feb 2022 14:52:53 -0500
+Subject: [PATCH] target/i386: Add kvm_get_one_msr helper
+
+commit 5a778a5f820fdd907b95e93560637a61f6ea3c71 upstream.
+
+When try to get one msr from KVM, I found there's no such kind of
+existing interface while kvm_put_one_msr() is there. So here comes
+the patch. It'll remove redundant preparation code before finally
+call KVM_GET_MSRS IOCTL.
+
+No functional change intended.
+
+Intel-SIG: commit 5a778a5f820f target/i386: Add kvm_get_one_msr helper
+Backport i386/cpu bugfixes
+
+Signed-off-by: Yang Weijiang
+Message-Id: <20220215195258.29149-4-weijiang.yang@intel.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Jason Zeng
+---
+ target/i386/kvm/kvm.c | 46 ++++++++++++++++++++++++-------------------
+ 1 file changed, 26 insertions(+), 20 deletions(-)
+
+diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
+index 54e48530ad..e1601422bc 100644
+--- a/target/i386/kvm/kvm.c
++++ b/target/i386/kvm/kvm.c
+@@ -138,6 +138,7 @@ static struct kvm_msr_list *kvm_feature_msrs;
+
+ #define BUS_LOCK_SLICE_TIME 1000000000ULL /* ns */
+ static RateLimit bus_lock_ratelimit_ctrl;
++static int kvm_get_one_msr(X86CPU *cpu, int index, uint64_t *value);
+
+ int kvm_has_pit_state2(void)
+ {
+@@ -208,28 +209,21 @@ static int kvm_get_tsc(CPUState *cs)
+ {
+ X86CPU *cpu = X86_CPU(cs);
+ CPUX86State *env = &cpu->env;
+- struct {
+- struct kvm_msrs info;
+- struct kvm_msr_entry entries[1];
+- } msr_data = {};
++ uint64_t value;
+ int ret;
+
+ if (env->tsc_valid) {
+ return 0;
+ }
+
+- memset(&msr_data, 0, sizeof(msr_data));
+- msr_data.info.nmsrs = 1;
+- msr_data.entries[0].index = MSR_IA32_TSC;
+ env->tsc_valid = !runstate_is_running();
+
+- ret = kvm_vcpu_ioctl(CPU(cpu), KVM_GET_MSRS, &msr_data);
++ ret = kvm_get_one_msr(cpu, MSR_IA32_TSC, &value);
+ if (ret < 0) {
+ return ret;
+ }
+
+- assert(ret == 1);
+- env->tsc = msr_data.entries[0].data;
++ env->tsc = value;
+ return 0;
+ }
+
+@@ -1529,21 +1523,14 @@ static int hyperv_init_vcpu(X86CPU *cpu)
+ * the kernel doesn't support setting vp_index; assert that its value
+ * is in sync
+ */
+- struct {
+- struct kvm_msrs info;
+- struct kvm_msr_entry entries[1];
+- } msr_data = {
+- .info.nmsrs = 1,
+- .entries[0].index = HV_X64_MSR_VP_INDEX,
+- };
++ uint64_t value;
+
+- ret = kvm_vcpu_ioctl(cs, KVM_GET_MSRS, &msr_data);
++ ret = kvm_get_one_msr(cpu, HV_X64_MSR_VP_INDEX, &value);
+ if (ret < 0) {
+ return ret;
+ }
+- assert(ret == 1);
+
+- if (msr_data.entries[0].data != hyperv_vp_index(CPU(cpu))) {
++ if (value != hyperv_vp_index(CPU(cpu))) {
+ error_report("kernel's vp_index != QEMU's vp_index");
+ return -ENXIO;
+ }
+@@ -2766,6 +2753,25 @@ static int kvm_put_one_msr(X86CPU *cpu, int index, uint64_t value)
+ return kvm_vcpu_ioctl(CPU(cpu), KVM_SET_MSRS, cpu->kvm_msr_buf);
+ }
+
++static int kvm_get_one_msr(X86CPU *cpu, int index, uint64_t *value)
++{
++ int ret;
++ struct {
++ struct kvm_msrs info;
++ struct kvm_msr_entry entries[1];
++ } msr_data = {
++ .info.nmsrs = 1,
++ .entries[0].index = index,
++ };
++
++ ret = kvm_vcpu_ioctl(CPU(cpu), KVM_GET_MSRS, &msr_data);
++ if (ret < 0) {
++ return ret;
++ }
++ assert(ret == 1);
++ *value = msr_data.entries[0].data;
++ return ret;
++}
+ void kvm_put_apicbase(X86CPU *cpu, uint64_t value)
+ {
+ int ret;
+--
+2.27.0
+
diff --git a/target-i386-Change-wrong-XFRM-value-in-SGX-CPUID-lea.patch b/target-i386-Change-wrong-XFRM-value-in-SGX-CPUID-lea.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9affcbf68ed792f918b6c5927e15964d61dbb50e
--- /dev/null
+++ b/target-i386-Change-wrong-XFRM-value-in-SGX-CPUID-lea.patch
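Review bot: The new `kvm_get_one_msr()` returns the raw ioctl result — asserted to be 1 — on success rather than 0, so its contract is "negative errno on failure, 1 on success", and nothing in the definition documents that a caller must not treat the return as `0 == ok`; both call sites in this patch only test `ret < 0`, so they are fine, but the next caller may not be. A header comment such as `/* Read one MSR via KVM_GET_MSRS; returns the number of MSRs read (1) or a negative errno. */`, or simply `return 0;` after the assert, would pin this down. Two style points on the same hunk: the forward declaration added next to `bus_lock_ratelimit_ctrl` exists only because the definition is placed after kvm_get_tsc, the first user, so moving the definition (or dropping the prototype if the file already has a block of static prototypes, which is outside the hunk) would be tidier; and the closing `}` of kvm_get_one_msr is immediately followed by `void kvm_put_apicbase(...)` with no blank line between the two definitions, unlike the surrounding code.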
@@ -0,0 +1,46 @@
+From ad727933a766e952b5054bfd53c93ad43fdb6dec Mon Sep 17 00:00:00 2001
+From: Yang Zhong
+Date: Thu, 6 Apr 2023 02:40:41 -0400
+Subject: [PATCH] target/i386: Change wrong XFRM value in SGX CPUID leaf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 72497cff896fecf74306ed33626c30e43633cdd6 upstream.
+
+The previous patch wrongly replaced FEAT_XSAVE_XCR0_{LO|HI} with
+FEAT_XSAVE_XSS_{LO|HI} in CPUID(EAX=12,ECX=1):{ECX,EDX}. As a result,
+SGX enclaves only supported SSE and x87 feature (xfrm=0x3).
+
+Intel-SIG: commit 72497cff896f target/i386: Change wrong XFRM value in SGX CPUID leaf
+Backport i386/cpu bugfixes
+
+Fixes: 301e90675c3f ("target/i386: Enable support for XSAVES based features")
+Signed-off-by: Yang Zhong
+Reviewed-by: Yang Weijiang
+Reviewed-by: Kai Huang
+Message-Id: <20230406064041.420039-1-yang.zhong@linux.intel.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Jason Zeng
+---
+ target/i386/cpu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 6b098cc832..9ab8ef3bd1 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -5951,8 +5951,8 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+ } else {
+ *eax &= env->features[FEAT_SGX_12_1_EAX];
+ *ebx &= 0; /* ebx reserve */
+- *ecx &= env->features[FEAT_XSAVE_XSS_LO];
+- *edx &= env->features[FEAT_XSAVE_XSS_HI];
++ *ecx &= env->features[FEAT_XSAVE_XCR0_LO];
++ *edx &= env->features[FEAT_XSAVE_XCR0_HI];
+
+ /* FP and SSE are always allowed regardless of XSAVE/XCR0. */
+ *ecx |= XSTATE_FP_MASK | XSTATE_SSE_MASK;
+--
+2.27.0
+
diff --git a/target-i386-Enable-support-for-XSAVES-based-features.patch b/target-i386-Enable-support-for-XSAVES-based-features.patch
new file mode 100644
index 0000000000000000000000000000000000000000..41cc0dbd3bf9d4b28cb3ec151aede46379d05219
--- /dev/null
+++ b/target-i386-Enable-support-for-XSAVES-based-features.patch 
@@ -0,0 +1,286 @@ +From 0a83478189efce4e6775977dc3c76a5750b52fb4 Mon Sep 17 00:00:00 2001 +From: Yang Weijiang +Date: Tue, 15 Feb 2022 14:52:54 -0500 +Subject: [PATCH] target/i386: Enable support for XSAVES based features + +commit 301e90675c3fed6cdc48682021a1ab42bc0e0d76 upstream. + +There're some new features, including Arch LBR, depending +on XSAVES/XRSTORS support, the new instructions will +save/restore data based on feature bits enabled in XCR0 | XSS. +This patch adds the basic support for related CPUID enumeration +and meanwhile changes the name from FEAT_XSAVE_COMP_{LO|HI} to +FEAT_XSAVE_XCR0_{LO|HI} to differentiate clearly the feature +bits in XCR0 and those in XSS. + +Intel-SIG: commit 301e90675c3f target/i386: Enable support for XSAVES based features +Backport i386/cpu bugfixes + +Signed-off-by: Yang Weijiang +Message-Id: <20220215195258.29149-5-weijiang.yang@intel.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Jason Zeng +--- + target/i386/cpu.c | 104 +++++++++++++++++++++++++++++++++++----------- + target/i386/cpu.h | 14 ++++++- + 2 files changed, 92 insertions(+), 26 deletions(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 53a7484ca8..6b098cc832 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -977,6 +977,34 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + }, + .tcg_features = TCG_XSAVE_FEATURES, + }, ++ [FEAT_XSAVE_XSS_LO] = { ++ .type = CPUID_FEATURE_WORD, ++ .feat_names = { ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ }, ++ .cpuid = { ++ .eax = 0xD, ++ .needs_ecx = true, ++ .ecx = 1, ++ .reg = R_ECX, ++ }, ++ }, ++ [FEAT_XSAVE_XSS_HI] = { ++ .type = CPUID_FEATURE_WORD, ++ .cpuid = { ++ .eax = 0xD, ++ .needs_ecx = true, ++ .ecx = 1, ++ .reg = R_EDX ++ }, ++ }, + [FEAT_6_EAX] = { + .type = CPUID_FEATURE_WORD, + .feat_names = { +@@ -992,7 
+1020,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + .cpuid = { .eax = 6, .reg = R_EAX, }, + .tcg_features = TCG_6_EAX_FEATURES, + }, +- [FEAT_XSAVE_COMP_LO] = { ++ [FEAT_XSAVE_XCR0_LO] = { + .type = CPUID_FEATURE_WORD, + .cpuid = { + .eax = 0xD, +@@ -1005,7 +1033,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + XSTATE_OPMASK_MASK | XSTATE_ZMM_Hi256_MASK | XSTATE_Hi16_ZMM_MASK | + XSTATE_PKRU_MASK, + }, +- [FEAT_XSAVE_COMP_HI] = { ++ [FEAT_XSAVE_XCR0_HI] = { + .type = CPUID_FEATURE_WORD, + .cpuid = { + .eax = 0xD, +@@ -1422,6 +1450,9 @@ static const X86RegisterInfo32 x86_reg_info_32[CPU_NB_REGS32] = { + }; + #undef REGISTER + ++/* CPUID feature bits available in XSS */ ++#define CPUID_XSTATE_XSS_MASK (0) ++ + ExtSaveArea x86_ext_save_areas[XSAVE_STATE_AREA_COUNT] = { + [XSTATE_FP_BIT] = { + /* x87 FP state component is always enabled if XSAVE is supported */ +@@ -1464,15 +1495,18 @@ ExtSaveArea x86_ext_save_areas[XSAVE_STATE_AREA_COUNT] = { + }, + }; + +-static uint32_t xsave_area_size(uint64_t mask) ++static uint32_t xsave_area_size(uint64_t mask, bool compacted) + { ++ uint64_t ret = x86_ext_save_areas[0].size; ++ const ExtSaveArea *esa; ++ uint32_t offset = 0; + int i; +- uint64_t ret = 0; + +- for (i = 0; i < ARRAY_SIZE(x86_ext_save_areas); i++) { +- const ExtSaveArea *esa = &x86_ext_save_areas[i]; ++ for (i = 2; i < ARRAY_SIZE(x86_ext_save_areas); i++) { ++ esa = &x86_ext_save_areas[i]; + if ((mask >> i) & 1) { +- ret = MAX(ret, esa->offset + esa->size); ++ offset = compacted ? 
ret : esa->offset; ++ ret = MAX(ret, offset + esa->size); + } + } + return ret; +@@ -1483,10 +1517,10 @@ static inline bool accel_uses_host_cpuid(void) + return kvm_enabled() || hvf_enabled(); + } + +-static inline uint64_t x86_cpu_xsave_components(X86CPU *cpu) ++static inline uint64_t x86_cpu_xsave_xcr0_components(X86CPU *cpu) + { +- return ((uint64_t)cpu->env.features[FEAT_XSAVE_COMP_HI]) << 32 | +- cpu->env.features[FEAT_XSAVE_COMP_LO]; ++ return ((uint64_t)cpu->env.features[FEAT_XSAVE_XCR0_HI]) << 32 | ++ cpu->env.features[FEAT_XSAVE_XCR0_LO]; + } + + /* Return name of 32-bit register, from a R_* constant */ +@@ -1498,6 +1532,12 @@ static const char *get_register_name_32(unsigned int reg) + return x86_reg_info_32[reg].name; + } + ++static inline uint64_t x86_cpu_xsave_xss_components(X86CPU *cpu) ++{ ++ return ((uint64_t)cpu->env.features[FEAT_XSAVE_XSS_HI]) << 32 | ++ cpu->env.features[FEAT_XSAVE_XSS_LO]; ++} ++ + /* + * Returns the set of feature flags that are supported and migratable by + * QEMU, for a given FeatureWord. +@@ -4940,8 +4980,8 @@ static const char *x86_cpu_feature_name(FeatureWord w, int bitnr) + /* XSAVE components are automatically enabled by other features, + * so return the original feature name instead + */ +- if (w == FEAT_XSAVE_COMP_LO || w == FEAT_XSAVE_COMP_HI) { +- int comp = (w == FEAT_XSAVE_COMP_HI) ? bitnr + 32 : bitnr; ++ if (w == FEAT_XSAVE_XCR0_LO || w == FEAT_XSAVE_XCR0_HI) { ++ int comp = (w == FEAT_XSAVE_XCR0_HI) ? 
bitnr + 32 : bitnr; + + if (comp < ARRAY_SIZE(x86_ext_save_areas) && + x86_ext_save_areas[comp].bits) { +@@ -5831,25 +5871,36 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count, + } + + if (count == 0) { +- *ecx = xsave_area_size(x86_cpu_xsave_components(cpu)); +- *eax = env->features[FEAT_XSAVE_COMP_LO]; +- *edx = env->features[FEAT_XSAVE_COMP_HI]; ++ *ecx = xsave_area_size(x86_cpu_xsave_xcr0_components(cpu), false); ++ *eax = env->features[FEAT_XSAVE_XCR0_LO]; ++ *edx = env->features[FEAT_XSAVE_XCR0_HI]; + /* + * The initial value of xcr0 and ebx == 0, On host without kvm + * commit 412a3c41(e.g., CentOS 6), the ebx's value always == 0 + * even through guest update xcr0, this will crash some legacy guest + * (e.g., CentOS 6), So set ebx == ecx to workaroud it. + */ +- *ebx = kvm_enabled() ? *ecx : xsave_area_size(env->xcr0); ++ *ebx = kvm_enabled() ? *ecx : xsave_area_size(env->xcr0, false); + } else if (count == 1) { ++ uint64_t xstate = x86_cpu_xsave_xcr0_components(cpu) | ++ x86_cpu_xsave_xss_components(cpu); ++ + *eax = env->features[FEAT_XSAVE]; ++ *ebx = xsave_area_size(xstate, true); ++ *ecx = env->features[FEAT_XSAVE_XSS_LO]; ++ *edx = env->features[FEAT_XSAVE_XSS_HI]; + } else if (count < ARRAY_SIZE(x86_ext_save_areas)) { +- if ((x86_cpu_xsave_components(cpu) >> count) & 1) { +- const ExtSaveArea *esa = &x86_ext_save_areas[count]; ++ const ExtSaveArea *esa = &x86_ext_save_areas[count]; ++ ++ if (x86_cpu_xsave_xcr0_components(cpu) & (1ULL << count)) { + *eax = esa->size; + *ebx = esa->offset; + *ecx = esa->ecx & + (ESA_FEATURE_ALIGN64_MASK | ESA_FEATURE_XFD_MASK); ++ } else if (x86_cpu_xsave_xss_components(cpu) & (1ULL << count)) { ++ *eax = esa->size; ++ *ebx = 0; ++ *ecx = 1; + } + } + break; +@@ -5900,8 +5951,8 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count, + } else { + *eax &= env->features[FEAT_SGX_12_1_EAX]; + *ebx &= 0; /* ebx reserve */ +- *ecx &= env->features[FEAT_XSAVE_COMP_LO]; +- *edx &= 
env->features[FEAT_XSAVE_COMP_HI]; ++ *ecx &= env->features[FEAT_XSAVE_XSS_LO]; ++ *edx &= env->features[FEAT_XSAVE_XSS_HI]; + + /* FP and SSE are always allowed regardless of XSAVE/XCR0. */ + *ecx |= XSTATE_FP_MASK | XSTATE_SSE_MASK; +@@ -6306,6 +6357,9 @@ static void x86_cpu_reset(DeviceState *dev) + } + for (i = 2; i < ARRAY_SIZE(x86_ext_save_areas); i++) { + const ExtSaveArea *esa = &x86_ext_save_areas[i]; ++ if (!((1 << i) & CPUID_XSTATE_XCR0_MASK)) { ++ continue; ++ } + if (env->features[esa->feature] & esa->bits) { + xcr0 |= 1ull << i; + } +@@ -6423,8 +6477,8 @@ static void x86_cpu_enable_xsave_components(X86CPU *cpu) + static bool request_perm; + + if (!(env->features[FEAT_1_ECX] & CPUID_EXT_XSAVE)) { +- env->features[FEAT_XSAVE_COMP_LO] = 0; +- env->features[FEAT_XSAVE_COMP_HI] = 0; ++ env->features[FEAT_XSAVE_XCR0_LO] = 0; ++ env->features[FEAT_XSAVE_XCR0_HI] = 0; + return; + } + +@@ -6442,8 +6496,10 @@ static void x86_cpu_enable_xsave_components(X86CPU *cpu) + request_perm = true; + } + +- env->features[FEAT_XSAVE_COMP_LO] = mask; +- env->features[FEAT_XSAVE_COMP_HI] = mask >> 32; ++ env->features[FEAT_XSAVE_XCR0_LO] = mask & CPUID_XSTATE_XCR0_MASK; ++ env->features[FEAT_XSAVE_XCR0_HI] = mask >> 32; ++ env->features[FEAT_XSAVE_XSS_LO] = mask & CPUID_XSTATE_XSS_MASK; ++ env->features[FEAT_XSAVE_XSS_HI] = mask >> 32; + } + + /***** Steps involved on loading and filtering CPUID data +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index 32ecec5fa7..e8322a928b 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -565,6 +565,14 @@ typedef enum X86Seg { + #define ESA_FEATURE_XFD_MASK (1U << ESA_FEATURE_XFD_BIT) + + ++/* CPUID feature bits available in XCR0 */ ++#define CPUID_XSTATE_XCR0_MASK (XSTATE_FP_MASK | XSTATE_SSE_MASK | \ ++ XSTATE_YMM_MASK | XSTATE_BNDREGS_MASK | \ ++ XSTATE_BNDCSR_MASK | XSTATE_OPMASK_MASK | \ ++ XSTATE_ZMM_Hi256_MASK | \ ++ XSTATE_Hi16_ZMM_MASK | XSTATE_PKRU_MASK | \ ++ XSTATE_XTILE_CFG_MASK | XSTATE_XTILE_DATA_MASK) ++ + 
/* CPUID feature words */ + typedef enum FeatureWord { + FEAT_1_EDX, /* CPUID[1].EDX */ +@@ -583,8 +591,8 @@ typedef enum FeatureWord { + FEAT_SVM, /* CPUID[8000_000A].EDX */ + FEAT_XSAVE, /* CPUID[EAX=0xd,ECX=1].EAX */ + FEAT_6_EAX, /* CPUID[6].EAX */ +- FEAT_XSAVE_COMP_LO, /* CPUID[EAX=0xd,ECX=0].EAX */ +- FEAT_XSAVE_COMP_HI, /* CPUID[EAX=0xd,ECX=0].EDX */ ++ FEAT_XSAVE_XCR0_LO, /* CPUID[EAX=0xd,ECX=0].EAX */ ++ FEAT_XSAVE_XCR0_HI, /* CPUID[EAX=0xd,ECX=0].EDX */ + FEAT_ARCH_CAPABILITIES, + FEAT_CORE_CAPABILITY, + FEAT_PERF_CAPABILITIES, +@@ -601,6 +609,8 @@ typedef enum FeatureWord { + FEAT_SGX_12_0_EAX, /* CPUID[EAX=0x12,ECX=0].EAX (SGX) */ + FEAT_SGX_12_0_EBX, /* CPUID[EAX=0x12,ECX=0].EBX (SGX MISCSELECT[31:0]) */ + FEAT_SGX_12_1_EAX, /* CPUID[EAX=0x12,ECX=1].EAX (SGX ATTRIBUTES[31:0]) */ ++ FEAT_XSAVE_XSS_LO, /* CPUID[EAX=0xd,ECX=1].ECX */ ++ FEAT_XSAVE_XSS_HI, /* CPUID[EAX=0xd,ECX=1].EDX */ + FEAT_7_1_EDX, /* CPUID[EAX=7,ECX=1].EDX */ + FEAT_7_2_EDX, /* CPUID[EAX=7,ECX=2].EDX */ + FEATURE_WORDS, +-- +2.27.0 + diff --git a/target-ppc-Modify-the-uncorrect-value-irq-to-n_IRQ.patch b/target-ppc-Modify-the-uncorrect-value-irq-to-n_IRQ.patch new file mode 100644 index 0000000000000000000000000000000000000000..bb6b40c8eb377fcf97adf3961c8ffc601a7838f3 --- /dev/null +++ b/target-ppc-Modify-the-uncorrect-value-irq-to-n_IRQ.patch 
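Review bot: In x86_cpu_enable_xsave_components the LO words are filtered by their masks but both HI words are assigned the raw `mask >> 32`: `env->features[FEAT_XSAVE_XCR0_HI] = mask >> 32;` and `env->features[FEAT_XSAVE_XSS_HI] = mask >> 32;`. Nothing in the visible table sets a component above bit 18, so this is latent today, but it already makes XSS_HI mirror XCR0_HI instead of CPUID_XSTATE_XSS_MASK (defined as 0 in this hunk), and any future component at index 32 or higher would be advertised in both leaves at once; the consistent form is `env->features[FEAT_XSAVE_XCR0_HI] = (mask & CPUID_XSTATE_XCR0_MASK) >> 32;` and `env->features[FEAT_XSAVE_XSS_HI] = (mask & CPUID_XSTATE_XSS_MASK) >> 32;`. Separately, the new guard in x86_cpu_reset tests `(1 << i) & CPUID_XSTATE_XCR0_MASK` while the line right after it uses `1ull << i`; using `1ull` in both keeps the test well-defined if x86_ext_save_areas ever grows past bit 30. Both enclosing functions start and end outside the hunk.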
@@ -0,0 +1,28 @@
+From 7ccba831f3a42e95eb06e997b9b85fddf3cd724c Mon Sep 17 00:00:00 2001
+From: JianChunfu
+Date: Fri, 15 Mar 2024 14:22:45 +0800
+Subject: [PATCH] target/ppc: Modify the uncorrect value irq to n_IRQ
+
+Modify the uncorrect value "irq" to "n_IRQ" submitted before.
+
+Signed-off-by: JianChunfu
+---
+ hw/ppc/ppc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/ppc/ppc.c b/hw/ppc/ppc.c
+index 6396bbe523..dedd56263d 100644
+--- a/hw/ppc/ppc.c
++++ b/hw/ppc/ppc.c
+@@ -67,7 +67,7 @@ void ppc_set_irq(PowerPCCPU *cpu, int n_IRQ, int level)
+
+ if (old_pending != env->pending_interrupts) {
+ if (kvm_enabled()) {
+- kvmppc_set_interrupt(cpu, irq, level);
++ kvmppc_set_interrupt(cpu, n_IRQ, level);
+ }
+ }
+
+--
+2.27.0
+
diff --git a/target-s390x-fix-handling-of-zeroes-in-vfmin-vfmax.patch b/target-s390x-fix-handling-of-zeroes-in-vfmin-vfmax.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d6d29f0167e9b5c21bd59fad2c241daeb01d9dd0
--- /dev/null
+++ b/target-s390x-fix-handling-of-zeroes-in-vfmin-vfmax.patch
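Review bot: The commit record does not name the change it repairs; the hunk header shows ppc_set_irq takes `int n_IRQ` and no `irq`, so the previous downstream patch could not have compiled with CONFIG_KVM enabled, which is worth stating and pinning with a `Fixes: <downstream sha> ("...")` trailer so the two are backported together. The corrected call `kvmppc_set_interrupt(cpu, n_IRQ, level);` itself looks right given the signature. ppc_set_irq's body starts and ends outside the hunk.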
@@ -0,0 +1,51 @@
+From 81d20b4ec93e9689bff056a0a8bf6ff260da0c68 Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Wed, 13 Mar 2024 05:40:28 +0000
+Subject: [PATCH] target/s390x: fix handling of zeroes in vfmin/vfmax mainline
+ inclusion commit 13c59eb09bd6d1fbc13f08b708226421f14a232b category: bugfix
+
+---------------------------------------------------------------
+
+vfmin_res() / vfmax_res() are trying to check whether a and b are both
+zeroes, but in reality they check that they are the same kind of zero.
+This causes incorrect results when comparing positive and negative
+zeroes.
+
+Fixes: da4807527f3b ("s390x/tcg: Implement VECTOR FP (MAXIMUM|MINIMUM)")
+Co-developed-by: Ulrich Weigand
+Signed-off-by: Ilya Leoshkevich
+Reviewed-by: Richard Henderson
+Reviewed-by: David Hildenbrand
+Message-Id: <20220713182612.3780050-2-iii@linux.ibm.com>
+Signed-off-by: Thomas Huth
+
+Signed-off-by: tangbinzy
+---
+ target/s390x/tcg/vec_fpu_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/s390x/tcg/vec_fpu_helper.c b/target/s390x/tcg/vec_fpu_helper.c
+index 1a77993471..d1249706f9 100644
+--- a/target/s390x/tcg/vec_fpu_helper.c
++++ b/target/s390x/tcg/vec_fpu_helper.c
+@@ -794,7 +794,7 @@ static S390MinMaxRes vfmin_res(uint16_t dcmask_a, uint16_t dcmask_b,
+ default:
+ g_assert_not_reached();
+ }
+- } else if (unlikely(dcmask_a & dcmask_b & DCMASK_ZERO)) {
++ } else if (unlikely((dcmask_a & DCMASK_ZERO) && (dcmask_b & DCMASK_ZERO))) {
+ switch (type) {
+ case S390_MINMAX_TYPE_JAVA:
+ return neg_a ? S390_MINMAX_RES_A : S390_MINMAX_RES_B;
+@@ -844,7 +844,7 @@ static S390MinMaxRes vfmax_res(uint16_t dcmask_a, uint16_t dcmask_b,
+ default:
+ g_assert_not_reached();
+ }
+- } else if (unlikely(dcmask_a & dcmask_b & DCMASK_ZERO)) {
++ } else if (unlikely((dcmask_a & DCMASK_ZERO) && (dcmask_b & DCMASK_ZERO))) {
+ const bool neg_a = dcmask_a & DCMASK_NEGATIVE;
+
+ switch (type) {
+--
+2.27.0
+
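Review bot: The corrected predicate `(dcmask_a & DCMASK_ZERO) && (dcmask_b & DCMASK_ZERO)` looks almost identical to the broken `dcmask_a & dcmask_b & DCMASK_ZERO` it replaces, and neither site in vfmin_res or vfmax_res records why the bitwise form was wrong, so a future cleanup could "simplify" it back. Suggest a one-line comment above each, e.g. `/* both operands are zero, possibly of opposite sign; DCMASK_ZERO spans +0 and -0 */` (hedged: DCMASK_ZERO's definition is not in the hunk, this follows the commit message). Since the same predicate is now duplicated, a `static inline bool dcmask_both_zero(uint16_t a, uint16_t b)` helper would keep the two sites in step, and a tcg test pairing +0 with -0 for vfmin/vfmax would pin the fix. Both functions start and end outside the hunk.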
diff --git a/tests-tcg-linux-test-Fix-random-hangs-in-test_socket.patch b/tests-tcg-linux-test-Fix-random-hangs-in-test_socket.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a6f3986cfbad99c395dd9123258436ef7ee2937a
--- /dev/null
+++ b/tests-tcg-linux-test-Fix-random-hangs-in-test_socket.patch
@@ -0,0 +1,41 @@
+From e4bfb1b17a1e548bdc96228a80e85c97eedf0299 Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Thu, 21 Mar 2024 02:57:07 +0000
+Subject: [PATCH] tests/tcg/linux-test: Fix random hangs in test_socket
+ mainline inclusion commit b9e6074fc5b429b1e956e9c60db7e284a91e0f3d category:
+ bugfix
+
+---------------------------------------------------------------
+
+test_socket hangs randomly in connect(), especially when run without
+qemu. Apparently the reason is that linux started treating backlog
+value of 0 literally instead of rounding it up since v4.4 (commit
+ef547f2ac16b).
+
+So set it to 1 instead.
+
+Signed-off-by: Ilya Leoshkevich
+Message-Id: <20220725144251.192720-1-iii@linux.ibm.com>
+Signed-off-by: Thomas Huth
+
+Signed-off-by: tangbinzy
+---
+ tests/tcg/multiarch/linux/linux-test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/tcg/multiarch/linux/linux-test.c b/tests/tcg/multiarch/linux/linux-test.c
+index 78c68540ef..64f57cb287 100644
+--- a/tests/tcg/multiarch/linux/linux-test.c
++++ b/tests/tcg/multiarch/linux/linux-test.c
+@@ -263,7 +263,7 @@ static int server_socket(void)
+ sockaddr.sin_port = htons(0); /* choose random ephemeral port) */
+ sockaddr.sin_addr.s_addr = 0;
+ chk_error(bind(fd, (struct sockaddr *)&sockaddr, sizeof(sockaddr)));
+- chk_error(listen(fd, 0));
++ chk_error(listen(fd, 1));
+ return fd;
+
+ }
+--
+2.27.0
+
diff --git a/usb-hcd-xhci-check-slotid-in-xhci_wakeup_endpoint.patch b/usb-hcd-xhci-check-slotid-in-xhci_wakeup_endpoint.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c8178eb5f58771411eee181cb6d7de1ffe7e063f
--- /dev/null
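Review bot: The new `chk_error(listen(fd, 1));` leaves the reason for the magic backlog value only in the commit message, where the next reader of linux-test.c will not see it; a trailing comment keeps the rationale with the code, e.g. `chk_error(listen(fd, 1)); /* backlog 0 is literal on Linux >= 4.4, so connect() could hang */`. The adjacent context comment `/* choose random ephemeral port) */` has a stray `)` but is not part of this change. server_socket's body starts outside the hunk.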
+++ b/usb-hcd-xhci-check-slotid-in-xhci_wakeup_endpoint.patch
@@ -0,0 +1,39 @@
+From d43f2a9725a1211a0db657b9911a54d58ba26b36 Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Fri, 8 Mar 2024 03:10:14 +0000
+Subject: [PATCH] usb/hcd-xhci: check slotid in xhci_wakeup_endpoint()
+ mainline inclusion commit 84218892f05515d20347fde4506e1944eb11cb25 category:
+ bugfix
+
+---------------------------------------------------------------
+
+This prevents an OOB read (followed by an assertion failure in
+xhci_kick_ep) when slotid > xhci->numslots.
+
+Reported-by: Soul Chen
+Signed-off-by: Mauro Matteo Cascella
+Message-Id: <20220705174734.2348829-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann
+
+Signed-off-by: tangbinzy
+---
+ hw/usb/hcd-xhci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 40300e1bcd..29636795be 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3288,7 +3288,8 @@ static void xhci_wakeup_endpoint(USBBus *bus, USBEndpoint *ep,
+
+ DPRINTF("%s\n", __func__);
+ slotid = ep->dev->addr;
+- if (slotid == 0 || !xhci->slots[slotid-1].enabled) {
++ if (slotid == 0 || slotid > xhci->numslots ||
++ !xhci->slots[slotid - 1].enabled) {
+ DPRINTF("%s: oops, no slot for dev %d\n", __func__, ep->dev->addr);
+ return;
+ }
+--
+2.27.0
+
diff --git a/vga-fix-incorrect-line-height-in-640x200x2-mode.patch b/vga-fix-incorrect-line-height-in-640x200x2-mode.patch
new file mode 100644
index 0000000000000000000000000000000000000000..48451c159b45c960d2c7d2aeece0ce5fdf4df2ba
--- /dev/null
+++ b/vga-fix-incorrect-line-height-in-640x200x2-mode.patch
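Review bot: The added bound `slotid > xhci->numslots` closes the out-of-bounds read at this site, but the index comes from `slotid = ep->dev->addr;`, a value the guest can steer (presumably via its own Address Device command), and this hunk does not show whether other places in hcd-xhci.c index `xhci->slots[]` by `dev->addr` with only the `== 0` check; those should be audited for the same guard. A comment on the condition would record the invariant for the next reader, e.g. `/* dev->addr is guest-influenced; only slot ids 1..numslots have a slots[] entry */`. The `slotid-1` → `slotid - 1` spacing change is welcome. xhci_wakeup_endpoint's body continues outside the hunk.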
@@ -0,0 +1,45 @@
+From d996226ded0190b96cce09169291cc696a390832 Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Wed, 13 Mar 2024 02:51:28 +0000
+Subject: [PATCH] vga: fix incorrect line height in 640x200x2 mode mainline
+ inclusion commit 37e7b86766244b62a406747bb78e049390d0b528 category: bugfix
+
+---------------------------------------------------------------
+
+When in CGA modes, QEMU wants to ignore the maximum scan field (bits 0..4) of
+the maximum scan length register in the CRTC. It is not clear why this is
+needed---for example, Bochs ignores bit 7 instead. The issue is that the
+CGA modes are not detected correctly, and in particular mode 6 results in
+multi_scan==3 according to how SeaBIOS programs it. The right way to check
+for CGA graphics modes is to check whether bit 13 of the address is special
+cased by the CRT controller to achieve line interleaving, i.e. whether bit 0
+of the CRTC mode control register is clear.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1020
+Reported-by: Korneliusz Osmenda
+Signed-off-by: Paolo Bonzini
+
+Signed-off-by: tangbinzy
+---
+ hw/display/vga.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 9d1f66af40..33765148d9 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1514,9 +1514,10 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ force_shadow = true;
+ }
+
++ /* bits 5-6: 0 = 16-color mode, 1 = 4-color mode, 2 = 256-color mode. */
+ shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3;
+ double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7);
+- if (shift_control != 1) {
++ if (s->cr[VGA_CRTC_MODE] & 1) {
+ multi_scan = (((s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1) << double_scan)
+ - 1;
+ } else {
+--
+2.27.0
+
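Review bot: The new condition `if (s->cr[VGA_CRTC_MODE] & 1)` tests an unexplained bit, while the comment added two lines earlier explains shift_control, which this branch no longer looks at, so the comment reads as a justification for the wrong line. Put the rationale on the condition itself, e.g. `/* CRTC mode control bit 0 clear: the CRTC special-cases address bit 13 for CGA line interleave, so MAX_SCAN[4:0] is not a multi-scan count */` (wording taken from the commit message; confirm against the VGA register reference). The shift_control comment is still useful for the mode dispatch further down, so keep it, but it should not sit as the only comment next to this `if`. vga_draw_graphic continues outside the hunk.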
diff --git a/vl-Improve-error-message-for-conflicting-incoming-an.patch b/vl-Improve-error-message-for-conflicting-incoming-an.patch
new file mode 100644
index 0000000000000000000000000000000000000000..31615396e7d5f0298c65377f6b22091e42c6384d
--- /dev/null
+++ b/vl-Improve-error-message-for-conflicting-incoming-an.patch
@@ -0,0 +1,47 @@
+From 2971bbb88efe921f7b3e1ee80295e16ae5954e67 Mon Sep 17 00:00:00 2001
+From: zhujun2
+Date: Sun, 3 Mar 2024 22:41:52 -0800
+Subject: [PATCH] vl: Improve error message for conflicting -incoming and
+ -loadvm
+
+Currently, the conflict between -incoming and -loadvm is only detected
+when loading the snapshot fails because the image is still inactive for
+the incoming migration. This results in a suboptimal error message:
+
+$ ./qemu-system-x86_64 -hda /tmp/test.qcow2 -loadvm foo -incoming defer
+qemu-system-x86_64: Device 'ide0-hd0' is writable but does not support snapshots
+
+Catch the situation already in qemu_validate_options() to improve the
+message:
+
+$ ./qemu-system-x86_64 -hda /tmp/test.qcow2 -loadvm foo -incoming defer
+qemu-system-x86_64: 'incoming' and 'loadvm' options are mutually exclusive
+
+Signed-off-by: Kevin Wolf
+Message-ID: <20231201142520.32255-3-kwolf@redhat.com>
+Signed-off-by: Kevin Wolf
+(cherry picked from commit 5a7f21efaf99c60614fe1967be1c0f9aa46c526e)
+
+Signed-off-by: zhujun2
+---
+ softmmu/vl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/softmmu/vl.c b/softmmu/vl.c
+index e34c8a0646..9dcbc3b266 100644
+--- a/softmmu/vl.c
++++ b/softmmu/vl.c
+@@ -2474,6 +2474,10 @@ static void qemu_validate_options(const QDict *machine_opts)
+ }
+ }
+
++ if (loadvm && incoming) {
++ error_report("'incoming' and 'loadvm' options are mutually exclusive");
++ exit(EXIT_FAILURE);
++ }
+ if (loadvm && preconfig_requested) {
+ error_report("'preconfig' and 'loadvm' options are "
+ "mutually exclusive");
+--
+2.27.0
+