From 6a4fa294ebe56aa09cf65430305c80415a4d73d9 Mon Sep 17 00:00:00 2001 From: Pierrick Bouvier Date: Mon, 9 Dec 2024 10:30:59 -0800 Subject: [PATCH 01/11] docs/devel: remove dead video link for sourcehut submit process Reviewed-by: Thomas Huth Reviewed-by: Richard Henderson Signed-off-by: Pierrick Bouvier Reviewed-by: Michael Tokarev Signed-off-by: Michael Tokarev --- docs/devel/submitting-a-patch.rst | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/docs/devel/submitting-a-patch.rst b/docs/devel/submitting-a-patch.rst index 10b062eec2..03b2ac298a 100644 --- a/docs/devel/submitting-a-patch.rst +++ b/docs/devel/submitting-a-patch.rst @@ -252,10 +252,7 @@ patches to the QEMU mailing list by following these steps: #. Send your patches to the QEMU mailing list using the web-based ``git-send-email`` UI at https://git.sr.ht/~USERNAME/qemu/send-email -`This video -`__ -shows the web-based ``git-send-email`` workflow. Documentation is -available `here +Documentation for sourcehut is available `here `__. .. _cc_the_relevant_maintainer: From f2ccc4149363ed52444efc975ed838d6757c775c Mon Sep 17 00:00:00 2001 From: Zhao Liu Date: Wed, 27 Nov 2024 00:30:45 +0800 Subject: [PATCH 02/11] hw/timer/hpet: Fix comment about capabilities register HPETState.capability stores the emulated value for "general capabilities and id register" instead of "main counter register". Fix the comment to accurately reflect this. Signed-off-by: Zhao Liu Reviewed-by: Michael Tokarev Signed-off-by: Michael Tokarev --- hw/timer/hpet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c index 2a45410c0d..1c8c6c69ef 100644 --- a/hw/timer/hpet.c +++ b/hw/timer/hpet.c 
@@ -736,7 +736,7 @@ static void hpet_realize(DeviceState *dev, Error **errp) timer->state = s; } - /* 64-bit main counter; LegacyReplacementRoute. */ + /* 64-bit General Capabilities and ID Register; LegacyReplacementRoute. */ s->capability = 0x8086a001ULL; s->capability |= (s->num_timers - 1) << HPET_ID_NUM_TIM_SHIFT; s->capability |= ((uint64_t)(HPET_CLK_PERIOD * FS_PER_NS) << 32); From 11ea52fcbeebe2bbef24ef2eedcc64800f5eaa82 Mon Sep 17 00:00:00 2001 From: Zhao Liu Date: Wed, 27 Nov 2024 00:30:46 +0800 Subject: [PATCH 03/11] hw/timer/hpet: Drop the unused macro MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit HPET_TN_CFG_BITS_READONLY_OR_RESERVED is not used in any place since HPET_TN_CFG_WRITE_MASK has been already used to check and fix the writable bits in hpet_ram_write(). Drop this unused macro. Signed-off-by: Zhao Liu Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Michael Tokarev Signed-off-by: Michael Tokarev --- include/hw/timer/hpet.h | 1 - 1 file changed, 1 deletion(-) diff --git a/include/hw/timer/hpet.h b/include/hw/timer/hpet.h index d17a8d4319..71e8c62453 100644 --- a/include/hw/timer/hpet.h +++ b/include/hw/timer/hpet.h @@ -58,7 +58,6 @@ #define HPET_TN_CFG_WRITE_MASK 0x7f4e #define HPET_TN_INT_ROUTE_SHIFT 9 #define HPET_TN_INT_ROUTE_CAP_SHIFT 32 -#define HPET_TN_CFG_BITS_READONLY_OR_RESERVED 0xffff80b1U struct hpet_fw_entry { From 0cb3ff7c22671aa1e1e227318799ccf6762c3bea Mon Sep 17 00:00:00 2001 
From: Pierrick Bouvier Date: Wed, 4 Dec 2024 11:51:11 -0800 Subject: [PATCH 04/11] vvfat: fix ubsan issue in create_long_filename Found with test sbsaref introduced in [1]. [1] https://patchew.org/QEMU/20241203213629.2482806-1-pierrick.bouvier@linaro.org/ ../block/vvfat.c:433:24: runtime error: index 14 out of bounds for type 'uint8_t [11]' #0 0x56151a66b93a in create_long_filename ../block/vvfat.c:433 #1 0x56151a66f3d7 in create_short_and_long_name ../block/vvfat.c:725 #2 0x56151a670403 in read_directory ../block/vvfat.c:804 #3 0x56151a674432 in init_directories ../block/vvfat.c:964 #4 0x56151a67867b in vvfat_open ../block/vvfat.c:1258 #5 0x56151a3b8e19 in bdrv_open_driver ../block.c:1660 #6 0x56151a3bb666 in bdrv_open_common ../block.c:1985 #7 0x56151a3cadb9 in bdrv_open_inherit ../block.c:4153 #8 0x56151a3c8850 in bdrv_open_child_bs ../block.c:3731 #9 0x56151a3ca832 in bdrv_open_inherit ../block.c:4098 #10 0x56151a3cbe40 in bdrv_open ../block.c:4248 #11 0x56151a46344f in blk_new_open ../block/block-backend.c:457 #12 0x56151a388bd9 in blockdev_init ../blockdev.c:612 #13 0x56151a38ab2d in drive_new ../blockdev.c:1006 #14 0x5615190fca41 in drive_init_func ../system/vl.c:649 #15 0x56151aa796dd in qemu_opts_foreach ../util/qemu-option.c:1135 #16 0x5615190fd2b6 in configure_blockdev ../system/vl.c:708 #17 0x56151910a307 in qemu_create_early_backends ../system/vl.c:2004 #18 0x561519113fcf in qemu_init ../system/vl.c:3685 #19 0x56151a7e438e in main ../system/main.c:47 #20 0x7f72d1a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #21 0x7f72d1a46304 in __libc_start_main_impl ../csu/libc-start.c:360 #22 0x561517e98510 in _start (/home/user/.work/qemu/build/qemu-system-aarch64+0x3b9b510) The offset used can easily go beyond entry->name size. It's probably a bug, but I don't have the time to dive into vfat specifics for now. 
This change solves the ubsan issue, and is functionally equivalent, as anything written past the entry->name array would not be read anyway. Signed-off-by: Pierrick Bouvier Reviewed-by: Michael Tokarev Signed-off-by: Michael Tokarev --- block/vvfat.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/block/vvfat.c b/block/vvfat.c index 8ffe8b3b9b..f2eafaa923 100644 --- a/block/vvfat.c +++ b/block/vvfat.c @@ -426,6 +426,10 @@ static direntry_t *create_long_filename(BDRVVVFATState *s, const char *filename) else if(offset<22) offset=14+offset-10; else offset=28+offset-22; entry=array_get(&(s->directory),s->directory.next-1-(i/26)); + /* ensure we don't write anything past entry->name */ + if (offset >= sizeof(entry->name)) { + continue; + } if (i >= 2 * length + 2) { entry->name[offset] = 0xff; } else if (i % 2 == 0) { From 916f50172baa91ddf0e669a9d6d2747055c0e610 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Thu, 19 Dec 2024 16:02:01 +0100 Subject: [PATCH 05/11] docs: Correct '-runas' and '-fsdev/-virtfs proxy' indentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use the same style for deprecated / removed commands. Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Alex Bennée Reviewed-by: Michael Tokarev Signed-off-by: Michael Tokarev --- docs/about/deprecated.rst | 2 +- docs/about/removed-features.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst index 267892b62f..d6809f94ea 100644 --- a/docs/about/deprecated.rst +++ b/docs/about/deprecated.rst @@ -75,7 +75,7 @@ marked deprecated since 9.0, users have to ensure that all the topology members described with -smp are supported by the target machine. ``-runas`` (since 9.1) ----------------------- +'''''''''''''''''''''' Use ``-run-with user=..`` instead. 
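Review bot: The added guard is not functionally equivalent: the preceding mapping `else if(offset<22) offset=14+offset-10; else offset=28+offset-22;` exists precisely to reach byte slots 14-25 and 28-31, which lie past the 11-byte `entry->name` but inside the directory record, and skipping them leaves those long-name characters unwritten (assuming direntry_t is the packed 32-byte on-disk entry, as the arithmetic implies — please confirm). The ubsan finding is about indexing `name[]` out of bounds, not about writing outside the entry, so the fix should address the whole record as bytes and bound-check against `sizeof(*entry)` rather than `continue`. A regression test that mounts a vvfat directory with a name longer than five characters and reads the LFN entries back from the guest would have caught the truncation. create_long_filename begins and ends outside this hunk.
```c
        entry=array_get(&(s->directory),s->directory.next-1-(i/26));
        /* LFN characters occupy bytes 1-10, 14-25 and 28-31 of the 32-byte
         * record, i.e. beyond entry->name; index the whole entry instead. */
        uint8_t *raw = (uint8_t *)entry;
        assert(offset < sizeof(*entry));
        if (i >= 2 * length + 2) {
            raw[offset] = 0xff;
        } else if (i % 2 == 0) {
            raw[offset] = buffer[i / 2] & 0xff;
        /* … unchanged: odd-byte branch, loop end, return … */
```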
diff --git a/docs/about/removed-features.rst b/docs/about/removed-features.rst index 9bebee795c..68fe0b47f9 100644 --- a/docs/about/removed-features.rst +++ b/docs/about/removed-features.rst @@ -518,7 +518,7 @@ and later do not support it because the virtio-scsi device was introduced for full SCSI support. Use virtio-scsi instead when SCSI passthrough is required. ``-fsdev proxy`` and ``-virtfs proxy`` (since 9.2) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +'''''''''''''''''''''''''''''''''''''''''''''''''' The 9p ``proxy`` filesystem backend driver was originally developed to enhance security by dispatching low level filesystem operations from 9p From b4859e8f33a7d9c793a60395f792c10190cb4f78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Thu, 19 Dec 2024 16:02:02 +0100 Subject: [PATCH 06/11] docs: Correct release of TCG trace-events removal MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit TCG trace-events were deprecated before the v6.2 release, and removed for v7.0. Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Alex Bennée Reviewed-by: Michael Tokarev Signed-off-by: Michael Tokarev --- docs/about/removed-features.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/about/removed-features.rst b/docs/about/removed-features.rst index 68fe0b47f9..e3a87f3f55 100644 --- a/docs/about/removed-features.rst +++ b/docs/about/removed-features.rst @@ -1087,8 +1087,8 @@ processor IP (see `Intel discontinuance notification`_). TCG introspection features -------------------------- -TCG trace-events (since 6.2) -'''''''''''''''''''''''''''' +TCG trace-events (removed in 7.0) +''''''''''''''''''''''''''''''''' The ability to add new TCG trace points had bit rotted and as the feature can be replicated with TCG plugins it was removed. If From 1dd1a36de5b8651506f653aa27ba936ceed54c6f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Thu, 19 Dec 2024 16:02:03 +0100 Subject: [PATCH 07/11] docs: Replace 'since' -> 'removed in' in removed-features.rst MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Alex Bennée Reviewed-by: Michael Tokarev Signed-off-by: Michael Tokarev --- docs/about/removed-features.rst | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/about/removed-features.rst b/docs/about/removed-features.rst index e3a87f3f55..cb1388049a 100644 --- a/docs/about/removed-features.rst +++ b/docs/about/removed-features.rst @@ -403,13 +403,13 @@ Sound card devices should be created using ``-device`` or ``-audio``. The exception is ``pcspk`` which can be activated using ``-machine pcspk-audiodev=``. -``-watchdog`` (since 7.2) -''''''''''''''''''''''''' +``-watchdog`` (removed in 7.2) +'''''''''''''''''''''''''''''' Use ``-device`` instead. -Hexadecimal sizes with scaling multipliers (since 8.0) -'''''''''''''''''''''''''''''''''''''''''''''''''''''' +Hexadecimal sizes with scaling multipliers (removed in 8.0) +''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' Input parameters that take a size value should only use a size suffix (such as 'k' or 'M') when the base is written in decimal, and not when 
@@ -510,15 +510,15 @@ than zero. Removed along with the ``compression`` migration capability. -``-device virtio-blk,scsi=on|off`` (since 9.1) -'''''''''''''''''''''''''''''''''''''''''''''' +``-device virtio-blk,scsi=on|off`` (removed in 9.1) +''''''''''''''''''''''''''''''''''''''''''''''''''' The virtio-blk SCSI passthrough feature is a legacy VIRTIO feature. VIRTIO 1.0 and later do not support it because the virtio-scsi device was introduced for full SCSI support. Use virtio-scsi instead when SCSI passthrough is required. -``-fsdev proxy`` and ``-virtfs proxy`` (since 9.2) -'''''''''''''''''''''''''''''''''''''''''''''''''' +``-fsdev proxy`` and ``-virtfs proxy`` (removed in 9.2) +''''''''''''''''''''''''''''''''''''''''''''''''''''''' The 9p ``proxy`` filesystem backend driver was originally developed to enhance security by dispatching low level filesystem operations from 9p @@ -532,8 +532,8 @@ security model option, or switch to ``virtiofs``. The virtiofs daemon ``virtiofsd`` uses vhost to eliminate the high latency costs of the 9p ``proxy`` backend. -``-portrait`` and ``-rotate`` (since 9.2) -''''''''''''''''''''''''''''''''''''''''' +``-portrait`` and ``-rotate`` (removed in 9.2) +'''''''''''''''''''''''''''''''''''''''''''''' The ``-portrait`` and ``-rotate`` options were documented as only working with the PXA LCD device, and all the machine types using From 93dcc9390e5ad0696ae7e9b7b3a5b08c2d1b6de6 Mon Sep 17 00:00:00 2001 From: Han Han Date: Thu, 19 Dec 2024 16:51:38 +0800 Subject: [PATCH 08/11] target/i386/cpu: Fix notes for CPU models Fixes: 644e3c5d812 ("missing vmx features for Skylake-Server and Cascadelake-Server") Signed-off-by: Han Han Reviewed-by: Chenyi Qiang Reviewed-by: Michael Tokarev Signed-off-by: Michael Tokarev --- target/i386/cpu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 660ddafc28..0b639848cd 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c 
@@ -3692,6 +3692,7 @@ static const X86CPUDefinition builtin_x86_defs[] = { }, { .version = 4, + .note = "IBRS, EPT switching, no TSX", .props = (PropValue[]) { { "vmx-eptp-switching", "on" }, { /* end of list */ } @@ -3826,7 +3827,7 @@ static const X86CPUDefinition builtin_x86_defs[] = { }, }, { .version = 4, - .note = "ARCH_CAPABILITIES, no TSX", + .note = "ARCH_CAPABILITIES, EPT switching, no TSX", .props = (PropValue[]) { { "vmx-eptp-switching", "on" }, { /* end of list */ } From a8743193ff1ed221f42c0341182cada3d67793cc Mon Sep 17 00:00:00 2001 From: Daniel Henrique Barboza Date: Sun, 22 Dec 2024 18:45:07 -0300 Subject: [PATCH 09/11] hw/riscv/riscv-iommu-sys.c: fix duplicated 'table_size' Trivial fix for the following ticket: CID 1568580: Incorrect expression (EVALUATION_ORDER) In "table_size = table_size = n_vectors * 16U", "table_size" is written twice with the same value. Cc: qemu-trivial@nongnu.org Cc: Peter Maydell Resolves: Coverity CID 1568580 Fixes: 01c1caa9d1 ("hw/riscv/virt.c, riscv-iommu-sys.c: add MSIx support") Signed-off-by: Daniel Henrique Barboza Reviewed-by: Michael Tokarev Signed-off-by: Michael Tokarev --- hw/riscv/riscv-iommu-sys.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/riscv/riscv-iommu-sys.c b/hw/riscv/riscv-iommu-sys.c index 28153f38da..65b24fb07d 100644 --- a/hw/riscv/riscv-iommu-sys.c +++ b/hw/riscv/riscv-iommu-sys.c @@ -121,7 +121,7 @@ static void riscv_iommu_sysdev_init_msi(RISCVIOMMUStateSys *s, uint32_t n_vectors) { RISCVIOMMUState *iommu = &s->iommu; - uint32_t table_size = table_size = n_vectors * PCI_MSIX_ENTRY_SIZE; + uint32_t table_size = n_vectors * PCI_MSIX_ENTRY_SIZE; uint32_t table_offset = RISCV_IOMMU_REG_MSI_CONFIG; uint32_t pba_size = QEMU_ALIGN_UP(n_vectors, 64) / 8; uint32_t pba_offset = RISCV_IOMMU_REG_MSI_CONFIG + 256; From 8ee904b3a4b5638a0046ee3e1948d89ecb2e2668 Mon Sep 17 00:00:00 2001 
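Review bot: `table_size` is now n_vectors * PCI_MSIX_ENTRY_SIZE while `pba_offset` stays fixed at RISCV_IOMMU_REG_MSI_CONFIG + 256, so any n_vectors above 16 puts the vector table on top of the PBA, and nothing in the hunk bounds n_vectors. Unless the caller already guarantees this, add `assert(table_size <= 256);` next to the declaration, or derive `pba_offset` from `table_offset + table_size` instead of the literal so the layout cannot overlap. riscv_iommu_sysdev_init_msi continues past the end of this hunk.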
From: ckf104 <1900011634@pku.edu.cn> Date: Tue, 17 Dec 2024 22:24:15 +0800 Subject: [PATCH 10/11] contrib/plugins/bbv.c: Start bb index from 1 Standard simpoint tool reqeusts that index of basic block index starts from 1. Signed-off-by: ckf104 <1900011634@pku.edu.cn> Reviewed-by: Pierrick Bouvier Reviewed-by: Michael Tokarev Signed-off-by: Michael Tokarev --- contrib/plugins/bbv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/plugins/bbv.c b/contrib/plugins/bbv.c index a5256517dd..b9da6f815e 100644 --- a/contrib/plugins/bbv.c +++ b/contrib/plugins/bbv.c @@ -109,7 +109,7 @@ static void vcpu_tb_trans(qemu_plugin_id_t id, struct qemu_plugin_tb *tb) bb = g_new(Bb, 1); bb->vaddr = vaddr; bb->count = qemu_plugin_scoreboard_new(sizeof(uint64_t)); - bb->index = g_hash_table_size(bbs); + bb->index = g_hash_table_size(bbs) + 1; g_hash_table_replace(bbs, &bb->vaddr, bb); } g_rw_lock_writer_unlock(&bbs_lock); From 1e3d4d9a1a32ac6835f0d295a5117851c421fb5d Mon Sep 17 00:00:00 2001 From: Laurent Vivier Date: Mon, 16 Dec 2024 18:09:14 +0100 Subject: [PATCH 11/11] qmp: update vhost-user protocol feature maps Add VHOST_USER_PROTOCOL_F_SHARED_OBJECT and VHOST_USER_PROTOCOL_F_DEVICE_STATE protocol feature maps to the virtio introspection. Cc: jonah.palmer@oracle.com Fixes: 160947666276 ("vhost-user: add shared_object msg") Cc: aesteve@redhat.com Fixes: cda83adc62b6 ("vhost-user: Interface for migration state transfer") Cc: hreitz@redhat.com Signed-off-by: Laurent Vivier Signed-off-by: Michael Tokarev --- hw/virtio/virtio-qmp.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hw/virtio/virtio-qmp.c b/hw/virtio/virtio-qmp.c index cccc6fe761..8a32a3b105 100644 --- a/hw/virtio/virtio-qmp.c +++ b/hw/virtio/virtio-qmp.c 
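Review bot: The `+ 1` on `bb->index` is unexplained in the code; the commit message is the only place saying SimPoint ids are 1-based, so add `/* SimPoint basic-block ids are 1-based */` above the assignment. The expression also assumes entries are never removed from bbs, since after a removal `g_hash_table_size(bbs) + 1` would collide with an existing index; if that holds by design, the same comment should say so. vcpu_tb_trans starts before this hunk.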
@@ -121,6 +121,12 @@ static const qmp_virtio_feature_map_t vhost_user_protocol_map[] = { FEATURE_ENTRY(VHOST_USER_PROTOCOL_F_STATUS, \ "VHOST_USER_PROTOCOL_F_STATUS: Querying and notifying back-end " "device status supported"), + FEATURE_ENTRY(VHOST_USER_PROTOCOL_F_SHARED_OBJECT, \ + "VHOST_USER_PROTOCOL_F_SHARED_OBJECT: Backend shared object " + "supported"), + FEATURE_ENTRY(VHOST_USER_PROTOCOL_F_DEVICE_STATE, \ + "VHOST_USER_PROTOCOL_F_DEVICE_STATE: Backend device state transfer " + "supported"), { -1, "" } };