Comparing changes

Commit 0be6bfa ("qdev: Implement variable length array properties") added the DEFINE_PROP_ARRAY() macro with the following comment: * It is the responsibility of the device deinit code to free the * @_arrayfield memory. Commit 8077b8e added: DEFINE_PROP_ARRAY("reserved-regions", VirtIOIOMMUPCI, vdev.nb_reserved_regions, vdev.reserved_regions, qdev_prop_reserved_region, ReservedRegion), but forgot to free the 'vdev.reserved_regions' array. Do it in the instance_finalize() handler. Cc: qemu-stable@nongnu.org Fixes: 8077b8e ("virtio-iommu-pci: Add array of Interval properties") # v5.1.0+ Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Eric Auger <eric.auger@redhat.com> Message-id: 20231121174051.63038-3-philmd@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit c9a4aa0) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: fixup hw/virtio/virtio-iommu-pci.c for before v8.1.0-2552-g41cc70cdf5, "virtio-iommu: Rename reserved_regions into prop_resv_regions" -- so now patch subject matches actual change again)

Commit 0be6bfa ("qdev: Implement variable length array properties") added the DEFINE_PROP_ARRAY() macro with the following comment: * It is the responsibility of the device deinit code to free the * @_arrayfield memory. Commit 4fb013a added: DEFINE_PROP_ARRAY("oscclk", MPS2SCC, num_oscclk, oscclk_reset, qdev_prop_uint32, uint32_t), but forgot to free the 'oscclk_reset' array. Do it in the instance_finalize() handler. Cc: qemu-stable@nongnu.org Fixes: 4fb013a ("hw/misc/mps2-scc: Support configurable number of OSCCLK values") # v6.0.0+ Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20231121174051.63038-4-philmd@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 896dd6f) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

Commit 0be6bfa ("qdev: Implement variable length array properties") added the DEFINE_PROP_ARRAY() macro with the following comment: * It is the responsibility of the device deinit code to free the * @_arrayfield memory. Commit 68fbcc3 added: DEFINE_PROP_ARRAY("read-only", XlnxEFuse, ro_bits_cnt, ro_bits, qdev_prop_uint32, uint32_t), but forgot to free the 'ro_bits' array. Do it in the instance_finalize handler. Cc: qemu-stable@nongnu.org Fixes: 68fbcc3 ("hw/nvram: Introduce Xilinx eFuse QOM") # v6.2.0+ Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20231121174051.63038-5-philmd@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 49b3e28) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

Commit 0be6bfa ("qdev: Implement variable length array properties") added the DEFINE_PROP_ARRAY() macro with the following comment: * It is the responsibility of the device deinit code to free the * @_arrayfield memory. Commit 9e4aa1f added: DEFINE_PROP_ARRAY("pg0-lock", XlnxVersalEFuseCtrl, extra_pg0_lock_n16, extra_pg0_lock_spec, qdev_prop_uint16, uint16_t), but forgot to free the 'extra_pg0_lock_spec' array. Do it in the instance_finalize() handler. Cc: qemu-stable@nongnu.org Fixes: 9e4aa1f ("hw/nvram: Xilinx Versal eFuse device") # v6.2.0+ Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20231121174051.63038-6-philmd@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 4f10c66) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

The VirtioPCIDeviceTypeInfo structure, added in commit a4ee4c8 ("virtio: Helper for registering virtio device types") got extended in commit 8ea90ee ("virtio: add class_size") with the @class_size field. Do similarly with the @instance_finalize field. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20231121174051.63038-2-philmd@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 837053a) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

If the text description file is larger than DESC_SIZE, we force the last byte in the buffer to be 0 and write it out. This results in a corruption. Try to allocate a big buffer in this case. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1923 Signed-off-by: Fam Zheng <fam@euphon.net> Message-ID: <20231124115654.3239137-1-fam@euphon.net> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 9fb7b35) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: fixups in block/vmdk.c due to missing-in-7.2 v8.0.0-2084-g28944f99c4 "vmdk: mark more functions as coroutine_fns and GRAPH_RDLOCK")

Booting a Linux kernel with the malta machine is currently broken on big endian hosts. The cpu_to_gt32 macro wants to byteswap a value for little endian targets only, but uses the wrong way to do this: cpu_to_[lb]e32 works the other way round on big endian hosts! Fix it by using the same ways on both, big and little endian hosts. Fixes: 0c8427b ("hw/mips/malta: Use bootloader helper to set BAR registers") Cc: qemu-stable@nongnu.org Message-Id: <20230330152613.232082-1-thuth@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit dc96009) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> (Mjt: adjust context for before v7.2.0-677-g0e45355c5c)

After a relatively short time, there is an multiplication overflow when multiplying (now - buft_start) with hda_bytes_per_second(). While the uptime now - buft_start only overflows after 2**63 ns = 292.27 years, this happens hda_bytes_per_second() times faster with the multiplication. At 44100 samples/s * 2 channels * 2 bytes/channel = 176400 bytes/s that is 14.52 hours. After the multiplication overflow the affected audio stream stalls. Replace the multiplication and following division with muldiv64() to prevent a multiplication overflow. Fixes: 280c1e1 ("audio/hda: create millisecond timers that handle IO") Reported-by: M_O_Bz <m_o_bz@163.com> Signed-off-by: Volker Rümelin <vr_qemu@t-online.de> Message-Id: <20231105172552.8405-1-vr_qemu@t-online.de> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 74e8593) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

g_new() aborts if the allocation fails so it returns NULL only if the requested allocation size is zero. register_vfs() makes such an allocation if NumVFs is zero so it should not assert that g_new() returns a non-NULL value. Fixes: 7c0fa8d ("pcie: Add support for Single Root I/O Virtualization (SR/IOV)") Buglink: https://issues.redhat.com/browse/RHEL-17209 Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Message-Id: <20231123075630.12057-1-akihiko.odaki@daynix.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Yanghang Liu<yanghliu@redhat.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 714a141) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

@errp

erst_realizefn() passes @errp to functions without checking for failure. If it runs into another failure, it trips error_setv()'s assertion. Use the ERRP_GUARD() macro and check *errp, as suggested in commit ae7c80a ("error: New macro ERRP_GUARD()"). Cc: qemu-stable@nongnu.org Fixes: f7e26ff ("ACPI ERST: support for ACPI ERST feature") Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20231120130017.81286-1-philmd@linaro.org> Reviewed-by: Ani Sinha <anisinha@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 20bc501) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

In the rollback in msix_set_vector_notifiers(), original patch forgot to undo msix_vector_poll_notifier pointer. Fixes: bbef882 ("msi: add API to get notified about pending bit poll") Signed-off-by: Robert Hoo <robert.hoo.linux@gmail.com> Message-Id: <20231113081349.1307-1-robert.hoo.linux@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 2d37fe9) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

The first time gd_egl_scanout_texture() is called, there's a possibility that the GTK drawing area might not be realized yet, in which case its associated GdkWindow is NULL. This means gd_egl_init() was also skipped and the EGLContext and EGLSurface stored in the VirtualGfxConsole are not valid yet. Continuing with the scanout in this conditions would result in hitting an assert in libepoxy: "Couldn't find current GLX or EGL context". A possible workaround is to just ignore the scanout request, giving the the GTK drawing area some time to finish its realization. At that point, the gd_egl_init() will succeed and the EGLContext and EGLSurface stored in the VirtualGfxConsole will be valid. Signed-off-by: Antonio Caggiano <quic_acaggian@quicinc.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20231016123215.2699269-1-quic_acaggian@quicinc.com> (cherry picked from commit 6f189a0) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

Commit 6f189a0 ("ui/gtk-egl: Check EGLSurface before doing scanout") introduced a regression when QEMU is running with a virtio-gpu-gl-device on a host under X11. After the guest has initialized the virtio-gpu-gl-device, the guest screen only shows "Display output is not active.". Commit 6f189a0 moved all function calls in gd_egl_scanout_texture() to a code path which is only called once after gd_egl_init() succeeds in gd_egl_scanout_texture(). Move all function calls in gd_egl_scanout_texture() back to the regular code path so they get always called if one of the gd_egl_init() calls was successful. Fixes: 6f189a0 ("ui/gtk-egl: Check EGLSurface before doing scanout") Signed-off-by: Volker Rümelin <vr_qemu@t-online.de> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20231111104020.26183-1-vr_qemu@t-online.de> (cherry picked from commit 53a939f) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

Commit d921fea ("ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)") removed this hunk, but it is still required, because it can happen that stream.avail_in becomes zero before coming across a return value of Z_STREAM_END in the loop. This fixes the host->guest direction of the clipboard with noVNC and TigerVNC as clients. Fixes: d921fea ("ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)") Reported-by: Friedrich Weber <f.weber@proxmox.com> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20231122125826.228189-1-f.ebner@proxmox.com> (cherry picked from commit ebfbf39) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

There is no architectural requirement that SME implies SVE, but our implementation currently assumes it. (FEAT_SME_FA64 does imply SVE.) So if you try to run a CPU with eg "-cpu max,sve=off" you quickly run into an assert when the guest tries to write to SMCR_EL1: #6 0x00007ffff4b38e96 in __GI___assert_fail (assertion=0x5555566e69cb "sm", file=0x5555566e5b24 "../../target/arm/helper.c", line=6865, function=0x5555566e82f0 <__PRETTY_FUNCTION__.31> "sve_vqm1_for_el_sm") at ./assert/assert.c:101 #7 0x0000555555ee33aa in sve_vqm1_for_el_sm (env=0x555557d291f0, el=2, sm=false) at ../../target/arm/helper.c:6865 #8 0x0000555555ee3407 in sve_vqm1_for_el (env=0x555557d291f0, el=2) at ../../target/arm/helper.c:6871 #9 0x0000555555ee3724 in smcr_write (env=0x555557d291f0, ri=0x555557da23b0, value=2147483663) at ../../target/arm/helper.c:6995 #10 0x0000555555fd1dba in helper_set_cp_reg64 (env=0x555557d291f0, rip=0x555557da23b0, value=2147483663) at ../../target/arm/tcg/op_helper.c:839 #11 0x00007fff60056781 in code_gen_buffer () Avoid this unsupported and slightly odd combination by disabling SME when SVE is not present. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2005 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20231127173318.674758-1-peter.maydell@linaro.org (cherry picked from commit f7767ca) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

Using direct pointer dereferencing can allow for unaligned accesses, which was seen during execution with sanitizers enabled. Cc: qemu-stable@nongnu.org Reviewed-by: Chris Rauer <crauer@google.com> Reviewed-by: Peter Foley <pefoley@google.com> Signed-off-by: Patrick Venture <venture@google.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: David Hildenbrand <david@redhat.com> Message-ID: <20231116163633.276671-1-venture@google.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit 2b8fe81) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

MDCR_EL2.HPMN allows an hypervisor to limit the number of PMU counters available to EL1 and EL0 (to keep the others to itself). QEMU already implements this split correctly, except for PMCR_EL0.N reads: the number of counters read by EL1 or EL0 should be the one configured in MDCR_EL2.HPMN. Cc: qemu-stable@nongnu.org Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org> Message-id: 20231215144652.4193815-2-jean-philippe@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 6980c31) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Comparing changes

Open a pull request

Commits on Dec 20, 2023

This comparison is taking too long to generate.