QEMU update to version 6.2.0-103:

- Introduce the SM4 cipher algorithms (OSCCA GB/T 32907-2016).
- intel_iommu: Add missed sanity check for 256-bit invalidation queue
- linux-user: use 'max' instead of 'qemu32' / 'qemu64' by default
- chardev/baum: Use definitions to avoid dynamic stack allocation
- ui/console: Get tab completion working again in the SDL monitor vc
- s390x/tcg: Fix opcode for lzrf
- virtiofsd: use g_date_time_get_microsecond to get subsecond
- ui/curses: Avoid dynamic stack allocation
- target/m68k: always call gen_exit_tb() after writes to SR
- target/m68k: Perform writback before modifying SR
- target/m68k: Fix MACSR to CCR
- target/m68k: Implement atomic test-and-set
- block/nvme: nvme_process_completion() fix bound for cid
- hw/pci-host: pnv_phb{3, 4}: Fix heap out-of-bound access failure
- target/ppc: Zero second doubleword of VSR registers for FPR insns
- target/ppc: Set OV32 when OV is set
- target/ppc: Zero second doubleword for VSX madd instructions
- target/ppc: Set result to QNaN for DENBCD when VXCVI occurs
- hw/pci: Add parenthesis to PCI_BUILD_BDF macro
- intel_iommu: Send IQE event when setting reserved bit in IQT_TAIL
- acpi: cpuhp: fix guest-visible maximum access size to the legacy reg block
- acpi: ged: Add macro for acpi sleep control register
- hw/pci-bridge: Add a Kconfig switch for the normal PCI bridge
- ui/vnc: fix handling of VNC_FEATURE_XVP
- s390/sclp: fix SCLP facility map
- docs/tools/qemu-img.rst: fix typo (sumarizes)
- chardev/char: fix qemu_chr_is_busy() check
- edu: fix DMA range upper bound check
- platform-bus: fix refcount leak
- hw/net/virtio-net: fix qemu set used ring flag even vhost started
- hw/net/can/sja1000: fix bug for single acceptance filter and standard frame
- tests/avocado: fix typo in replay_linux
- util/userfaultfd: Remove unused uffd_poll_events
- hw/core/ptimer: fix timer zero period condition for freq > 1GHz
- hcd-ohci: Drop ohci_service_iso_td() if ed->head & OHCI_DPTR_MASK is zero
- tests/unit/test-vmstate: Avoid dynamic stack allocation
- hw/usb/hcd-ohci: Use definition to avoid dynamic stack allocation
- hw/i386/multiboot: Avoid dynamic stack allocation
- hw/ppc/spapr: Fix code style problems reported by checkpatch
- chardev/baum: Replace magic values by X_MAX / Y_MAX definitions
- hw/intc/xics: Avoid dynamic stack allocation
- hw/net/e1000e_core: Use definition to avoid dynamic stack allocation
- intel_iommu: Fix invalidation descriptor type field
- configs: Fix typo in the sh4-softmmu devices config file

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
(cherry picked from commit 9813ed21ec2499c50cb58ac5fb114a1641708eb2)
Jiabo Feng 2024-11-30 09:13:10 +08:00 committed by openeuler-sync-bot
parent 0a0923bb48
commit 7bb77ea74f
45 changed files with 2999 additions and 1 deletions

@ -0,0 +1,341 @@
From b8752afb94b20ec6ea0892260a689cfedbf6f1a5 Mon Sep 17 00:00:00 2001
From: gaochuanji <gaochuanji@inspur.com>
Date: Thu, 19 Sep 2024 10:56:42 +0800
Subject: [PATCH] Introduce the SM4 cipher algorithms (OSCCA GB/T 32907-2016).
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
SM4 (GBT.32907-2016) is a cryptographic standard issued by the
Organization of State Commercial Administration of China (OSCCA)
as an authorized cryptographic algorithm for use within China.
Detect the SM4 cipher algorithms and enable the feature silently
if it is available.
Signed-off-by: Hyman Huang <yong.huang@smartx.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: cheliequan <cheliequan@inspur.com>
---
crypto/block-luks.c | 11 ++++++++
crypto/cipher-gcrypt.c.inc | 8 ++++++
crypto/cipher-nettle.c.inc | 49 +++++++++++++++++++++++++++++++++
crypto/cipher.c | 6 ++++
meson.build | 49 +++++++++++++++++++++++++++++++++
qapi/crypto.json | 5 +++-
tests/unit/test-crypto-cipher.c | 13 +++++++++
7 files changed, 140 insertions(+), 1 deletion(-)
diff --git a/crypto/block-luks.c b/crypto/block-luks.c
index fe8f04ffb2..0626092739 100644
--- a/crypto/block-luks.c
+++ b/crypto/block-luks.c
@@ -126,12 +126,23 @@ qcrypto_block_luks_cipher_size_map_twofish[] = {
{ 0, 0 },
};
+#ifdef CONFIG_CRYPTO_SM4
+static const QCryptoBlockLUKSCipherSizeMap
+qcrypto_block_luks_cipher_size_map_sm4[] = {
+ { 16, QCRYPTO_CIPHER_ALG_SM4},
+ { 0, 0 },
+};
+#endif
+
static const QCryptoBlockLUKSCipherNameMap
qcrypto_block_luks_cipher_name_map[] = {
{ "aes", qcrypto_block_luks_cipher_size_map_aes },
{ "cast5", qcrypto_block_luks_cipher_size_map_cast5 },
{ "serpent", qcrypto_block_luks_cipher_size_map_serpent },
{ "twofish", qcrypto_block_luks_cipher_size_map_twofish },
+#ifdef CONFIG_CRYPTO_SM4
+ { "sm4", qcrypto_block_luks_cipher_size_map_sm4},
+#endif
};
diff --git a/crypto/cipher-gcrypt.c.inc b/crypto/cipher-gcrypt.c.inc
index a6a0117717..1377cbaf14 100644
--- a/crypto/cipher-gcrypt.c.inc
+++ b/crypto/cipher-gcrypt.c.inc
@@ -35,6 +35,9 @@ bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
case QCRYPTO_CIPHER_ALG_SERPENT_256:
case QCRYPTO_CIPHER_ALG_TWOFISH_128:
case QCRYPTO_CIPHER_ALG_TWOFISH_256:
+#ifdef CONFIG_CRYPTO_SM4
+ case QCRYPTO_CIPHER_ALG_SM4:
+#endif
break;
default:
return false;
@@ -219,6 +222,11 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
case QCRYPTO_CIPHER_ALG_TWOFISH_256:
gcryalg = GCRY_CIPHER_TWOFISH;
break;
+#ifdef CONFIG_CRYPTO_SM4
+ case QCRYPTO_CIPHER_ALG_SM4:
+ gcryalg = GCRY_CIPHER_SM4;
+ break;
+#endif
default:
error_setg(errp, "Unsupported cipher algorithm %s",
QCryptoCipherAlgorithm_str(alg));
diff --git a/crypto/cipher-nettle.c.inc b/crypto/cipher-nettle.c.inc
index 24cc61f87b..42b39e18a2 100644
--- a/crypto/cipher-nettle.c.inc
+++ b/crypto/cipher-nettle.c.inc
@@ -33,6 +33,9 @@
#ifndef CONFIG_QEMU_PRIVATE_XTS
#include <nettle/xts.h>
#endif
+#ifdef CONFIG_CRYPTO_SM4
+#include <nettle/sm4.h>
+#endif
static inline bool qcrypto_length_check(size_t len, size_t blocksize,
Error **errp)
@@ -426,6 +429,30 @@ DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_twofish,
QCryptoNettleTwofish, TWOFISH_BLOCK_SIZE,
twofish_encrypt_native, twofish_decrypt_native)
+#ifdef CONFIG_CRYPTO_SM4
+typedef struct QCryptoNettleSm4 {
+ QCryptoCipher base;
+ struct sm4_ctx key[2];
+} QCryptoNettleSm4;
+
+static void sm4_encrypt_native(void *ctx, size_t length,
+ uint8_t *dst, const uint8_t *src)
+{
+ struct sm4_ctx *keys = ctx;
+ sm4_crypt(&keys[0], length, dst, src);
+}
+
+static void sm4_decrypt_native(void *ctx, size_t length,
+ uint8_t *dst, const uint8_t *src)
+{
+ struct sm4_ctx *keys = ctx;
+ sm4_crypt(&keys[1], length, dst, src);
+}
+
+DEFINE_ECB(qcrypto_nettle_sm4,
+ QCryptoNettleSm4, SM4_BLOCK_SIZE,
+ sm4_encrypt_native, sm4_decrypt_native)
+#endif
bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
QCryptoCipherMode mode)
@@ -443,6 +470,9 @@ bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
case QCRYPTO_CIPHER_ALG_TWOFISH_128:
case QCRYPTO_CIPHER_ALG_TWOFISH_192:
case QCRYPTO_CIPHER_ALG_TWOFISH_256:
+#ifdef CONFIG_CRYPTO_SM4
+ case QCRYPTO_CIPHER_ALG_SM4:
+#endif
break;
default:
return false;
@@ -701,6 +731,25 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
return &ctx->base;
}
+#ifdef CONFIG_CRYPTO_SM4
+ case QCRYPTO_CIPHER_ALG_SM4:
+ {
+ QCryptoNettleSm4 *ctx = g_new0(QCryptoNettleSm4, 1);
+
+ switch (mode) {
+ case QCRYPTO_CIPHER_MODE_ECB:
+ ctx->base.driver = &qcrypto_nettle_sm4_driver_ecb;
+ break;
+ default:
+ goto bad_cipher_mode;
+ }
+
+ sm4_set_encrypt_key(&ctx->key[0], key);
+ sm4_set_decrypt_key(&ctx->key[1], key);
+
+ return &ctx->base;
+ }
+#endif
default:
error_setg(errp, "Unsupported cipher algorithm %s",
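Review bot: In the `switch (mode)` of the new `QCRYPTO_CIPHER_ALG_SM4` case only `QCRYPTO_CIPHER_MODE_ECB` is accepted and every other mode jumps to `bad_cipher_mode`, while the crypto/block-luks.c hunk of this same patch registers "sm4" as a LUKS cipher name with no mode restriction. On a nettle build, a request for SM4 in any other mode therefore fails only at context creation. Either state the ECB-only limit in a comment on this case and in the qapi/crypto.json description, or extend the driver beyond `DEFINE_ECB` if the wider macro used for Twofish is applicable; the unit test added by this patch also covers ECB only.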
diff --git a/crypto/cipher.c b/crypto/cipher.c
index 74b09a5b26..5f512768ea 100644
--- a/crypto/cipher.c
+++ b/crypto/cipher.c
@@ -38,6 +38,9 @@ static const size_t alg_key_len[QCRYPTO_CIPHER_ALG__MAX] = {
[QCRYPTO_CIPHER_ALG_TWOFISH_128] = 16,
[QCRYPTO_CIPHER_ALG_TWOFISH_192] = 24,
[QCRYPTO_CIPHER_ALG_TWOFISH_256] = 32,
+#ifdef CONFIG_CRYPTO_SM4
+ [QCRYPTO_CIPHER_ALG_SM4] = 16,
+#endif
};
static const size_t alg_block_len[QCRYPTO_CIPHER_ALG__MAX] = {
@@ -53,6 +56,9 @@ static const size_t alg_block_len[QCRYPTO_CIPHER_ALG__MAX] = {
[QCRYPTO_CIPHER_ALG_TWOFISH_128] = 16,
[QCRYPTO_CIPHER_ALG_TWOFISH_192] = 16,
[QCRYPTO_CIPHER_ALG_TWOFISH_256] = 16,
+#ifdef CONFIG_CRYPTO_SM4
+ [QCRYPTO_CIPHER_ALG_SM4] = 16,
+#endif
};
static const bool mode_need_iv[QCRYPTO_CIPHER_MODE__MAX] = {
diff --git a/meson.build b/meson.build
index 45bc69bf0c..1a225b51f3 100644
--- a/meson.build
+++ b/meson.build
@@ -1010,6 +1010,7 @@ endif
# gcrypt over nettle for performance reasons.
gcrypt = not_found
nettle = not_found
+crypto_sm4 = not_found
xts = 'none'
if get_option('nettle').enabled() and get_option('gcrypt').enabled()
@@ -1035,6 +1036,17 @@ if not gnutls_crypto.found()
gcrypt,
cc.find_library('gpg-error', required: true, kwargs: static_kwargs)])
endif
+ crypto_sm4 = gcrypt
+ # SM4 ALG is available in libgcrypt >= 1.9
+ if gcrypt.found() and not cc.links('''
+ #include <gcrypt.h>
+ int main(void) {
+ gcry_cipher_hd_t handler;
+ gcry_cipher_open(&handler, GCRY_CIPHER_SM4, GCRY_CIPHER_MODE_ECB, 0);
+ return 0;
+ }''', dependencies: gcrypt)
+ crypto_sm4 = not_found
+ endif
endif
if (not get_option('nettle').auto() or have_system) and not gcrypt.found()
nettle = dependency('nettle', version: '>=3.4',
@@ -1044,6 +1056,18 @@ if not gnutls_crypto.found()
if nettle.found() and not cc.has_header('nettle/xts.h', dependencies: nettle)
xts = 'private'
endif
+ crypto_sm4 = nettle
+ # SM4 ALG is available in nettle >= 3.9
+ if nettle.found() and not cc.links('''
+ #include <nettle/sm4.h>
+ int main(void) {
+ struct sm4_ctx ctx;
+ unsigned char key[16] = {0};
+ sm4_set_encrypt_key(&ctx, key);
+ return 0;
+ }''', dependencies: nettle)
+ crypto_sm4 = not_found
+ endif
endif
endif
@@ -1411,6 +1435,17 @@ if get_option('virtfs').enabled()
elif not have_system
error('virtio-9p (virtfs) needs system emulation support')
endif
+ crypto_sm4 = gcrypt
+ # SM4 ALG is available in libgcrypt >= 1.9
+ if gcrypt.found() and not cc.links('''
+ #include <gcrypt.h>
+ int main(void) {
+ gcry_cipher_hd_t handler;
+ gcry_cipher_open(&handler, GCRY_CIPHER_SM4, GCRY_CIPHER_MODE_ECB, 0);
+ return 0;
+ }''', dependencies: gcrypt)
+ crypto_sm4 = not_found
+ endif
endif
elif get_option('virtfs').disabled()
have_virtfs = false
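Review bot: The SM4 probe added here sits inside the `if get_option('virtfs').enabled()` branch, directly after the virtio-9p error check, and is a second copy of the libgcrypt probe this patch already adds in the crypto backend section (hunk at -1035). Its unconditional `crypto_sm4 = gcrypt` runs before `config_host_data.set('CONFIG_CRYPTO_SM4', crypto_sm4.found())` at new line 1522, so a build with virtfs enabled and nettle as the backend resets `crypto_sm4` to the not-found gcrypt and silently loses SM4. This looks like a misapplied backport hunk; drop it and keep only the probes next to the gcrypt and nettle detection.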
@@ -1487,6 +1522,7 @@ config_host_data.set('CONFIG_GNUTLS', gnutls.found())
config_host_data.set('CONFIG_GNUTLS_CRYPTO', gnutls_crypto.found())
config_host_data.set('CONFIG_GCRYPT', gcrypt.found())
config_host_data.set('CONFIG_NETTLE', nettle.found())
+config_host_data.set('CONFIG_CRYPTO_SM4', crypto_sm4.found())
config_host_data.set('CONFIG_QEMU_PRIVATE_XTS', xts == 'private')
config_host_data.set('CONFIG_MALLOC_TRIM', has_malloc_trim)
config_host_data.set('CONFIG_STATX', has_statx)
@@ -2093,6 +2129,18 @@ if capstone_opt in ['enabled', 'auto', 'system']
if capstone_opt == 'system'
error('system capstone requested, it does not appear to work')
endif
+ crypto_sm4 = nettle
+ # SM4 ALG is available in nettle >= 3.9
+ if nettle.found() and not cc.links('''
+ #include <nettle/sm4.h>
+ int main(void) {
+ struct sm4_ctx ctx;
+ unsigned char key[16] = {0};
+ sm4_set_encrypt_key(&ctx, key);
+ return 0;
+ }''', dependencies: nettle)
+ crypto_sm4 = not_found
+ endif
endif
if capstone.found()
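Review bot: The nettle SM4 probe is repeated inside the capstone option block, after the "system capstone requested" error check, where it is unrelated to the surrounding code. By the hunk offsets it lands after the `CONFIG_CRYPTO_SM4` assignment (new line 1522) and before `summary_info += {'SM4 ALG support': crypto_sm4}`, so `crypto_sm4 = nettle` here can make the configure summary disagree with the value that was compiled in, for example reporting no SM4 on a libgcrypt build. Remove this copy.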
@@ -3432,6 +3480,7 @@ summary_info += {'nettle': nettle}
if nettle.found()
summary_info += {' XTS': xts != 'private'}
endif
+summary_info += {'SM4 ALG support': crypto_sm4}
summary_info += {'crypto afalg': config_host.has_key('CONFIG_AF_ALG')}
summary_info += {'rng-none': config_host.has_key('CONFIG_RNG_NONE')}
summary_info += {'Linux keyring': config_host.has_key('CONFIG_SECRET_KEYRING')}
diff --git a/qapi/crypto.json b/qapi/crypto.json
index 1ec54c15ca..60e706ae09 100644
--- a/qapi/crypto.json
+++ b/qapi/crypto.json
@@ -75,6 +75,8 @@
# @twofish-128: Twofish with 128 bit / 16 byte keys
# @twofish-192: Twofish with 192 bit / 24 byte keys
# @twofish-256: Twofish with 256 bit / 32 byte keys
+# @sm4: SM4 with 128 bit / 16 byte keys (since 9.0)
+#
# Since: 2.6
##
{ 'enum': 'QCryptoCipherAlgorithm',
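Review bot: The added doc line `# @sm4: SM4 with 128 bit / 16 byte keys (since 9.0)` keeps the upstream release number, but this patch is carried in a QEMU 6.2.0 package, so the schema documentation tells API consumers the value first appears in a release newer than the one shipping it. Record the downstream availability in the comment or in the package changelog so management software does not gate on the wrong version.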
@@ -83,7 +85,8 @@
'des', '3des',
'cast5-128',
'serpent-128', 'serpent-192', 'serpent-256',
- 'twofish-128', 'twofish-192', 'twofish-256']}
+ 'twofish-128', 'twofish-192', 'twofish-256',
+ 'sm4']}
##
diff --git a/tests/unit/test-crypto-cipher.c b/tests/unit/test-crypto-cipher.c
index d9d9d078ff..11ab1a54fc 100644
--- a/tests/unit/test-crypto-cipher.c
+++ b/tests/unit/test-crypto-cipher.c
@@ -382,6 +382,19 @@ static QCryptoCipherTestData test_data[] = {
.plaintext = "90afe91bb288544f2c32dc239b2635e6",
.ciphertext = "6cb4561c40bf0a9705931cb6d408e7fa",
},
+#ifdef CONFIG_CRYPTO_SM4
+ {
+ /* SM4, GB/T 32907-2016, Appendix A.1 */
+ .path = "/crypto/cipher/sm4",
+ .alg = QCRYPTO_CIPHER_ALG_SM4,
+ .mode = QCRYPTO_CIPHER_MODE_ECB,
+ .key = "0123456789abcdeffedcba9876543210",
+ .plaintext =
+ "0123456789abcdeffedcba9876543210",
+ .ciphertext =
+ "681edf34d206965e86b3e94f536e4246",
+ },
+#endif
{
/* #1 32 byte key, 32 byte PTX */
.path = "/crypto/cipher/aes-xts-128-1",
--
2.41.0.windows.1

@ -0,0 +1,170 @@
From 4682b5120ba5eb8e9347f034d72e0e739bee3ff3 Mon Sep 17 00:00:00 2001
From: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
Date: Wed, 23 Oct 2024 14:53:23 +0800
Subject: [PATCH] acpi: cpuhp: fix guest-visible maximum access size to the
legacy reg block
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cherry-pick from dab30fbef3896bb652a09d46c37d3f55657cbcbb
The modern ACPI CPU hotplug interface was introduced in the following
series (aa1dd39ca307..679dd1a957df), released in v2.7.0:
1 abd49bc2ed2f docs: update ACPI CPU hotplug spec with new protocol
2 16bcab97eb9f pc: piix4/ich9: add 'cpu-hotplug-legacy' property
3 5e1b5d93887b acpi: cpuhp: add CPU devices AML with _STA method
4 ac35f13ba8f8 pc: acpi: introduce AcpiDeviceIfClass.madt_cpu hook
5 d2238cb6781d acpi: cpuhp: implement hot-add parts of CPU hotplug
interface
6 8872c25a26cc acpi: cpuhp: implement hot-remove parts of CPU hotplug
interface
7 76623d00ae57 acpi: cpuhp: add cpu._OST handling
8 679dd1a957df pc: use new CPU hotplug interface since 2.7 machine type
Before patch#1, "docs/specs/acpi_cpu_hotplug.txt" only specified 1-byte
accesses for the hotplug register block. Patch#1 preserved the same
restriction for the legacy register block, but:
- it specified DWORD accesses for some of the modern registers,
- in particular, the switch from the legacy block to the modern block
would require a DWORD write to the *legacy* block.
The latter functionality was then implemented in cpu_status_write()
[hw/acpi/cpu_hotplug.c], in patch#8.
Unfortunately, all DWORD accesses depended on a dormant bug: the one
introduced in earlier commit a014ed07bd5a ("memory: accept mismatching
sizes in memory_region_access_valid", 2013-05-29); first released in
v1.6.0. Due to commit a014ed07bd5a, the DWORD accesses to the *legacy*
CPU hotplug register block would work in spite of the above series *not*
relaxing "valid.max_access_size = 1" in "hw/acpi/cpu_hotplug.c":
> static const MemoryRegionOps AcpiCpuHotplug_ops = {
> .read = cpu_status_read,
> .write = cpu_status_write,
> .endianness = DEVICE_LITTLE_ENDIAN,
> .valid = {
> .min_access_size = 1,
> .max_access_size = 1,
> },
> };
Later, in commits e6d0c3ce6895 ("acpi: cpuhp: introduce 'Command data 2'
field", 2020-01-22) and ae340aa3d256 ("acpi: cpuhp: spec: add typical
usecases", 2020-01-22), first released in v5.0.0, the modern CPU hotplug
interface (including the documentation) was extended with another DWORD
*read* access, namely to the "Command data 2" register, which would be
important for the guest to confirm whether it managed to switch the
register block from legacy to modern.
This functionality too silently depended on the bug from commit
a014ed07bd5a.
In commit 5d971f9e6725 ('memory: Revert "memory: accept mismatching sizes
in memory_region_access_valid"', 2020-06-26), first released in v5.1.0,
the bug from commit a014ed07bd5a was fixed (the commit was reverted).
That swiftly exposed the bug in "AcpiCpuHotplug_ops", still present from
the v2.7.0 series quoted at the top -- namely the fact that
"valid.max_access_size = 1" didn't match what the guest was supposed to
do, according to the spec ("docs/specs/acpi_cpu_hotplug.txt").
The symptom is that the "modern interface negotiation protocol"
described in commit ae340aa3d256:
> + Use following steps to detect and enable modern CPU hotplug interface:
> + 1. Store 0x0 to the 'CPU selector' register,
> + attempting to switch to modern mode
> + 2. Store 0x0 to the 'CPU selector' register,
> + to ensure valid selector value
> + 3. Store 0x0 to the 'Command field' register,
> + 4. Read the 'Command data 2' register.
> + If read value is 0x0, the modern interface is enabled.
> + Otherwise legacy or no CPU hotplug interface available
falls apart for the guest: steps 1 and 2 are lost, because they are DWORD
writes; so no switching happens. Step 3 (a single-byte write) is not
lost, but it has no effect; see the condition in cpu_status_write() in
patch#8. And step 4 *misleads* the guest into thinking that the switch
worked: the DWORD read is lost again -- it returns zero to the guest
without ever reaching the device model, so the guest never learns the
switch didn't work.
This means that guest behavior centered on the "Command data 2" register
worked *only* in the v5.0.0 release; it got effectively regressed in
v5.1.0.
To make things *even more* complicated, the breakage was (and remains, as
of today) visible with TCG acceleration only. Commit 5d971f9e6725 makes
no difference with KVM acceleration -- the DWORD accesses still work,
despite "valid.max_access_size = 1".
As commit 5d971f9e6725 suggests, fix the problem by raising
"valid.max_access_size" to 4 -- the spec now clearly instructs the guest
to perform DWORD accesses to the legacy register block too, for enabling
(and verifying!) the modern block. In order to keep compatibility for the
device model implementation though, set "impl.max_access_size = 1", so
that wide accesses be split before they reach the legacy read/write
handlers, like they always have been on KVM, and like they were on TCG
before 5d971f9e6725 (v5.1.0).
Tested with:
- OVMF IA32 + qemu-system-i386, CPU hotplug/hot-unplug with SMM,
intermixed with ACPI S3 suspend/resume, using KVM accel
(regression-test);
- OVMF IA32X64 + qemu-system-x86_64, CPU hotplug/hot-unplug with SMM,
intermixed with ACPI S3 suspend/resume, using KVM accel
(regression-test);
- OVMF IA32 + qemu-system-i386, SMM enabled, using TCG accel; verified the
register block switch and the present/possible CPU counting through the
modern hotplug interface, during OVMF boot (bugfix test);
- I do not have any testcase (guest payload) for regression-testing CPU
hotplug through the *legacy* CPU hotplug register block.
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Ani Sinha <ani@anisinha.ca>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Igor Mammedov <imammedo@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Philippe Mathieu-Daudé <philmd@linaro.org>
Cc: qemu-stable@nongnu.org
Ref: "IO port write width clamping differs between TCG and KVM"
Link: http://mid.mail-archive.com/aaedee84-d3ed-a4f9-21e7-d221a28d1683@redhat.com
Link: https://lists.gnu.org/archive/html/qemu-devel/2023-01/msg00199.html
Reported-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20230105161804.82486-1-lersek@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
---
hw/acpi/cpu_hotplug.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/acpi/cpu_hotplug.c b/hw/acpi/cpu_hotplug.c
index 53654f8638..ff14c3f410 100644
--- a/hw/acpi/cpu_hotplug.c
+++ b/hw/acpi/cpu_hotplug.c
@@ -52,6 +52,9 @@ static const MemoryRegionOps AcpiCpuHotplug_ops = {
.endianness = DEVICE_LITTLE_ENDIAN,
.valid = {
.min_access_size = 1,
+ .max_access_size = 4,
+ },
+ .impl = {
.max_access_size = 1,
},
};
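Review bot: `.valid.max_access_size = 4` next to `.impl.max_access_size = 1` reads like a mistake to anyone who has not seen the commit message; add a short comment above `.impl` saying that DWORD accesses are accepted from the guest but split into byte accesses before they reach cpu_status_read() and cpu_status_write(). The message also states that no test case exists for hotplug through the legacy register block, so that path goes in without regression coverage and deserves a note in the changelog.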
--
2.41.0.windows.1

@ -0,0 +1,59 @@
From 865e7df2b0c8dd7fa026350f9f4d0a4e1063f0a5 Mon Sep 17 00:00:00 2001
From: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
Date: Wed, 23 Oct 2024 14:43:08 +0800
Subject: [PATCH] acpi: ged: Add macro for acpi sleep control register
cherry-pick from edafc90ba481c586d0a649f34dcb8cd1f29c4259
Macro definition is added for acpi sleep control register, ged emulation
driver can use the macro, also it can be used in FDT table if ged is
exposed with FDT table.
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20240918014206.2165821-2-maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Signed-off-by: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
---
hw/acpi/generic_event_device.c | 6 +++---
include/hw/acpi/generic_event_device.h | 7 +++++--
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/hw/acpi/generic_event_device.c b/hw/acpi/generic_event_device.c
index 9118681662..9daf4f9f13 100644
--- a/hw/acpi/generic_event_device.c
+++ b/hw/acpi/generic_event_device.c
@@ -201,9 +201,9 @@ static void ged_regs_write(void *opaque, hwaddr addr, uint64_t data,
switch (addr) {
case ACPI_GED_REG_SLEEP_CTL:
- slp_typ = (data >> 2) & 0x07;
- slp_en = (data >> 5) & 0x01;
- if (slp_en && slp_typ == 5) {
+ slp_typ = (data >> ACPI_GED_SLP_TYP_POS) & ACPI_GED_SLP_TYP_MASK;
+ slp_en = !!(data & ACPI_GED_SLP_EN);
+ if (slp_en && slp_typ == ACPI_GED_SLP_TYP_S5) {
qemu_system_shutdown_request(SHUTDOWN_CAUSE_GUEST_SHUTDOWN);
}
return;
diff --git a/include/hw/acpi/generic_event_device.h b/include/hw/acpi/generic_event_device.h
index 6bb2ade385..95ade521e9 100644
--- a/include/hw/acpi/generic_event_device.h
+++ b/include/hw/acpi/generic_event_device.h
@@ -83,8 +83,11 @@ OBJECT_DECLARE_SIMPLE_TYPE(AcpiGedState, ACPI_GED)
/* ACPI_GED_REG_RESET value for reset*/
#define ACPI_GED_RESET_VALUE 0x42
-/* ACPI_GED_REG_SLEEP_CTL.SLP_TYP value for S5 (aka poweroff) */
-#define ACPI_GED_SLP_TYP_S5 0x05
+/* [ACPI 5.0 Chapter 4.8.3.7] Sleep Control and Status Register */
+#define ACPI_GED_SLP_TYP_POS 0x2 /* SLP_TYPx Bit Offset */
+#define ACPI_GED_SLP_TYP_MASK 0x07 /* SLP_TYPx 3-bit mask */
+#define ACPI_GED_SLP_TYP_S5 0x05 /* System _S5 State (Soft Off) */
+#define ACPI_GED_SLP_EN 0x20 /* SLP_EN write-only bit */
#define GED_DEVICE "GED"
#define AML_GED_EVT_REG "EREG"
--
2.41.0.windows.1

@ -0,0 +1,42 @@
From 3abff2e277d590cd59941672278bbc3c94a8b90d Mon Sep 17 00:00:00 2001
From: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
Date: Mon, 21 Oct 2024 14:48:25 +0800
Subject: [PATCH] block/nvme: nvme_process_completion() fix bound for cid
cherry-pick from cc8fb0c3ae3c950eb40e969607e17ff16a7519ac
NVMeQueuePair::reqs has length NVME_NUM_REQS, which is less than
NVME_QUEUE_SIZE by 1.
Fixes: 1086e95da17050 ("block/nvme: switch to a NVMeRequest freelist")
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Maksim Davydov <davydov-max@yandex-team.ru>
Message-id: 20231017125941.810461-5-vsementsov@yandex-team.ru
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
---
block/nvme.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/block/nvme.c b/block/nvme.c
index fa360b9b3c..d8f4b04e19 100644
--- a/block/nvme.c
+++ b/block/nvme.c
@@ -410,9 +410,10 @@ static bool nvme_process_completion(NVMeQueuePair *q)
q->cq_phase = !q->cq_phase;
}
cid = le16_to_cpu(c->cid);
- if (cid == 0 || cid > NVME_QUEUE_SIZE) {
- warn_report("NVMe: Unexpected CID in completion queue: %"PRIu32", "
- "queue size: %u", cid, NVME_QUEUE_SIZE);
+ if (cid == 0 || cid > NVME_NUM_REQS) {
+ warn_report("NVMe: Unexpected CID in completion queue: %" PRIu32
+ ", should be within: 1..%u inclusively", cid,
+ NVME_NUM_REQS);
continue;
}
trace_nvme_complete_command(s, q->index, cid);
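Review bot: The new bound `cid > NVME_NUM_REQS` is right only while `NVME_NUM_REQS` remains the length of `NVMeQueuePair::reqs`, which the commit message states but nothing at this check enforces. Since `cid` is read from the completion queue entry with `le16_to_cpu(c->cid)`, it is a device-supplied value; comparing against `ARRAY_SIZE(q->reqs)` would tie the limit to the array itself and keep the check correct if the constants drift apart again.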
--
2.41.0.windows.1

@ -0,0 +1,58 @@
From 185f3887a17ed6f35d67934a8583096de0713168 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Sat, 12 Oct 2024 08:53:40 +0000
Subject: [PATCH] chardev/baum: Replace magic values by X_MAX / Y_MAX
definitions mainline inclusion commit
f63a6e381c48b796c3964accaa88c0d0e229b17f category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
Replace '84' magic value by the X_MAX definition, and '1' by Y_MAX.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220819153931.3147384-2-peter.maydell@linaro.org
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
chardev/baum.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/chardev/baum.c b/chardev/baum.c
index 79d618e350..6d538808a0 100644
--- a/chardev/baum.c
+++ b/chardev/baum.c
@@ -87,6 +87,9 @@
#define BUF_SIZE 256
+#define X_MAX 84
+#define Y_MAX 1
+
struct BaumChardev {
Chardev parent;
@@ -244,11 +247,11 @@ static int baum_deferred_init(BaumChardev *baum)
brlapi_perror("baum: brlapi__getDisplaySize");
return 0;
}
- if (baum->y > 1) {
- baum->y = 1;
+ if (baum->y > Y_MAX) {
+ baum->y = Y_MAX;
}
- if (baum->x > 84) {
- baum->x = 84;
+ if (baum->x > X_MAX) {
+ baum->x = X_MAX;
}
con = qemu_console_lookup_by_index(0);
--
2.41.0.windows.1

@ -0,0 +1,53 @@
From 68657107f970ea068b662e7a13b8b3ebcfcb36e1 Mon Sep 17 00:00:00 2001
From: Liu Jing <liujing_yewu@cmss.chinamobile.com>
Date: Mon, 21 Oct 2024 20:04:58 +0800
Subject: [PATCH] chardev/baum: Use definitions to avoid dynamic stack
allocation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We know 'x * y' will be at most 'X_MAX * Y_MAX' (which is not
a big value, it is actually 84). Instead of having the compiler
use variable-length array, declare an array able to hold the
maximum 'x * y'.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220819153931.3147384-3-peter.maydell@linaro.org
Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
---
chardev/baum.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/chardev/baum.c b/chardev/baum.c
index 79d618e350..522ea1351e 100644
--- a/chardev/baum.c
+++ b/chardev/baum.c
@@ -380,9 +380,9 @@ static int baum_eat_packet(BaumChardev *baum, const uint8_t *buf, int len)
switch (req) {
case BAUM_REQ_DisplayData:
{
- uint8_t cells[baum->x * baum->y], c;
- uint8_t text[baum->x * baum->y];
- uint8_t zero[baum->x * baum->y];
+ uint8_t cells[X_MAX * Y_MAX], c;
+ uint8_t text[X_MAX * Y_MAX];
+ uint8_t zero[X_MAX * Y_MAX];
int cursor = BRLAPI_CURSOR_OFF;
int i;
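Review bot: The fixed-size `cells`, `text` and `zero` arrays use `X_MAX` and `Y_MAX`, which this patch does not define; they come from the separate "Replace magic values by X_MAX / Y_MAX definitions" patch, and both patches list the same pre-image blob 79d618e350 for chardev/baum.c. Make sure the package applies that patch first, otherwise this one will not build.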
@@ -405,7 +405,7 @@ static int baum_eat_packet(BaumChardev *baum, const uint8_t *buf, int len)
}
timer_del(baum->cellCount_timer);
- memset(zero, 0, sizeof(zero));
+ memset(zero, 0, baum->x * baum->y);
brlapi_writeArguments_t wa = {
.displayNumber = BRLAPI_DISPLAY_DEFAULT,
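Review bot: `memset(zero, 0, baum->x * baum->y)` now takes its length from runtime fields while `zero` has the fixed size `X_MAX * Y_MAX`, so the write stays in bounds only because baum_deferred_init() clamps `baum->x` and `baum->y`. Keeping `sizeof(zero)` here would clear the whole buffer without relying on that clamp; if the shorter length is intended, add an assertion that `baum->x * baum->y <= sizeof(zero)` at the top of the `BAUM_REQ_DisplayData` case.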
--
2.41.0.windows.1

@ -0,0 +1,42 @@
From f443bb4b240574e17bb0b06fc88d910a68b40d54 Mon Sep 17 00:00:00 2001
From: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
Date: Thu, 17 Oct 2024 13:50:26 +0800
Subject: [PATCH] chardev/char: fix qemu_chr_is_busy() check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cherry-pick from df12798f8791a929f4d7309f67a0f437c608e7fb
`mux_cnt` struct member never goes negative or decrements,
so mux chardev can be !busy only when there are no
frontends attached. This patch fixes the always-true
check.
Fixes: a4afa548fc6d ("char: move front end handlers in CharBackend")
Signed-off-by: Roman Penyaev <r.peniaev@gmail.com>
Cc: "Marc-André Lureau" <marcandre.lureau@redhat.com>
Cc: qemu-devel@nongnu.org
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20241014152408.427700-2-r.peniaev@gmail.com>
Signed-off-by: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
---
chardev/char.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/chardev/char.c b/chardev/char.c
index 6bb99bd485..b76bbe8019 100644
--- a/chardev/char.c
+++ b/chardev/char.c
@@ -320,7 +320,7 @@ static bool qemu_chr_is_busy(Chardev *s)
{
if (CHARDEV_IS_MUX(s)) {
MuxChardev *d = MUX_CHARDEV(s);
- return d->mux_cnt >= 0;
+ return d->mux_cnt > 0;
} else {
return s->be != NULL;
}
--
2.41.0.windows.1

@ -0,0 +1,32 @@
From e4e3d2395eabfeee431155af2fb766c819d6513b Mon Sep 17 00:00:00 2001
From: guping <guping_yewu@cmss.chinamobile.com>
Date: Wed, 9 Oct 2024 00:39:58 +0000
Subject: [PATCH] configs: Fix typo in the sh4-softmmu devices config file
cherry-pick from 01063ba5e7490f209e13b28e700195c9d4800b73
This is the config file for the little endian target, so there
should not be a "eb" in here.
Message-ID: <20240920161045.84622-1-thuth@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Yoshinori Sato <ysato@users.sourceforge.jp>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: guping <guping_yewu@cmss.chinamobile.com>
---
configs/devices/sh4-softmmu/default.mak | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configs/devices/sh4-softmmu/default.mak b/configs/devices/sh4-softmmu/default.mak
index 565e8b0b5d..5e86578647 100644
--- a/configs/devices/sh4-softmmu/default.mak
+++ b/configs/devices/sh4-softmmu/default.mak
@@ -1,4 +1,4 @@
-# Default configuration for sh4eb-softmmu
+# Default configuration for sh4-softmmu
# Uncomment the following lines to disable these optional devices:
#
--
2.41.0.windows.1

@ -0,0 +1,31 @@
From 0dcbabca41c8f59b4fc0f4e46379e016100dc73d Mon Sep 17 00:00:00 2001
From: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
Date: Mon, 21 Oct 2024 09:42:05 +0800
Subject: [PATCH] docs/tools/qemu-img.rst: fix typo (sumarizes)
cherry-pick from 8a8be21dde814e7cef43acac8140a7ccd0c4f6fb
Signed-off-by: Samuel Tardieu <sam@rfc1149.net>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
---
docs/tools/qemu-img.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/tools/qemu-img.rst b/docs/tools/qemu-img.rst
index d663dd92bd..1d68f9238f 100644
--- a/docs/tools/qemu-img.rst
+++ b/docs/tools/qemu-img.rst
@@ -402,7 +402,7 @@ Command description:
Compare exits with ``0`` in case the images are equal and with ``1``
in case the images differ. Other exit codes mean an error occurred during
execution and standard error output should contain an error message.
- The following table sumarizes all exit codes of the compare subcommand:
+ The following table summarizes all exit codes of the compare subcommand:
0
Images are identical (or requested help was printed)
--
2.41.0.windows.1

@ -0,0 +1,47 @@
From 2773eb7848850e1e5099b255d84fb1da13fecd44 Mon Sep 17 00:00:00 2001
From: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
Date: Fri, 18 Oct 2024 09:07:39 +0800
Subject: [PATCH] edu: fix DMA range upper bound check
cherry-pick from 2c5107e1b455d4a157124f021826ead4e04b4aea
The edu_check_range function checks that start <= end1 < end2, where
end1 is the upper bound (exclusive) of the guest-supplied DMA range and
end2 is the upper bound (exclusive) of the device's allowed DMA range.
When the guest tries to transfer exactly DMA_SIZE (4096) bytes, end1
will be equal to end2, so the check fails and QEMU aborts with this
puzzling error message (newlines added for formatting):
qemu: hardware error: EDU: DMA range
0x0000000000040000-0x0000000000040fff out of bounds
(0x0000000000040000-0x0000000000040fff)!
By checking end1 <= end2 instead, guests will be allowed to transfer
exactly 4096 bytes. It is not necessary to explicitly check for
start <= end1 because the previous two checks (within(addr, start, end2)
and end1 > addr) imply start < end1.
Fixes: b30934cb52a7 ("hw: misc, add educational driver", 2015-01-21)
Signed-off-by: Max Erenberg <merenber@uwaterloo.ca>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
---
hw/misc/edu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/misc/edu.c b/hw/misc/edu.c
index e935c418d4..a9f6421aa5 100644
--- a/hw/misc/edu.c
+++ b/hw/misc/edu.c
@@ -115,7 +115,7 @@ static void edu_check_range(uint64_t addr, uint64_t size1, uint64_t start,
uint64_t end2 = start + size2;
if (within(addr, start, end2) &&
- end1 > addr && within(end1, start, end2)) {
+ end1 > addr && end1 <= end2) {
return;
}
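Review bot: the new `end1 <= end2` comparison is only safe because `end1 > addr` on the same line rejects a wrapped or zero-length guest range and `within(addr, start, end2)` bounds the start address, yet nothing at the check says so. Add a comment stating that end1 and end2 are exclusive upper bounds and that the wrap guard must stay, and add a test that transfers exactly 4096 bytes so the boundary case from the commit message cannot regress.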
--
2.41.0.windows.1


@ -0,0 +1,111 @@
From 11d2262ba82c29dd3b6bdfe1e40f57efad550ffc Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Sat, 12 Oct 2024 09:47:17 +0000
Subject: [PATCH] hcd-ohci: Drop ohci_service_iso_td() if ed->head &
OHCI_DPTR_MASK is zero mainline inclusion commit
d8c2e6f2f6d29ccb766197181eb1c65c1d46b3a4 category: bugfix
---------------------------------------------------------------
An abort happens in ohci_frame_boundary() when ohci->done is 0 [1].
``` c
static void ohci_frame_boundary(void *opaque)
{
// ...
if (ohci->done_count == 0 && !(ohci->intr_status & OHCI_INTR_WD)) {
if (!ohci->done)
abort(); <----------------------------------------- [1]
```
This was reported in https://bugs.launchpad.net/qemu/+bug/1911216/,
https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg03613.html, and
https://gitlab.com/qemu-project/qemu/-/issues/545. I can still reproduce it with
the latest QEMU.
This happens due to a crafted ED putting ISO_TD at physical address 0.
Suppose ed->head & OHCI_DPTR_MASK is 0 [2], and we memset 0 to the physical
memory from 0 to sizeof(ohci_iso_td). Then, starting_frame [3] and frame_count
[4] are both 0. As we can control the value of ohci->frame_number (0 to 0x1f,
suppose 1), we then control the value of relative_frame_number to be 1 [6]. The
control flow goes to [7] where ohci->done is 0. Have returned from
ohci_service_iso_td(), ohci_frame_boundary() will abort() [1].
``` c
static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed)
{
// ...
addr = ed->head & OHCI_DPTR_MASK; // <--------------------- [2]
if (ohci_read_iso_td(ohci, addr, &iso_td)) { // <-------- [3]
// ...
starting_frame = OHCI_BM(iso_td.flags, TD_SF); // <-------- [4]
frame_count = OHCI_BM(iso_td.flags, TD_FC); // <-------- [5]
relative_frame_number = USUB(ohci->frame_number, starting_frame);
// <-------- [6]
if (relative_frame_number < 0) {
return 1;
} else if (relative_frame_number > frame_count) {
// ...
ohci->done = addr; // <-------- [7]
// ...
}
```
As only (afaik) a guest root user can manipulate ED, TD and the physical memory,
this assertion failure is not a security bug.
The idea to fix this issue is to drop ohci_service_iso_td() if ed->head &
OHCI_DPTR_MASK is 0, which is similar to the drop operation for
ohci_service_ed_list() when head is 0. Probably, a similar issue is in
ohci_service_td(). I drop ohci_service_td() if ed->head & OHCI_DPTR_MASK is 0.
Fixes: 7bfe577702 ("OHCI USB isochronous transfers support (Arnon Gilboa)")
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Qiang Liu <cyruscyliu@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/545
Buglink: https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg03613.html
Buglink: https://bugs.launchpad.net/qemu/+bug/1911216
Signed-off-by: Qiang Liu <cyruscyliu@gmail.com>
Message-Id: <20220826051557.119570-1-cyruscyliu@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/usb/hcd-ohci.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
index a93d6b2e98..d6f1ae700e 100644
--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
@@ -668,6 +668,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
addr = ed->head & OHCI_DPTR_MASK;
+ if (addr == 0) {
+ ohci_die(ohci);
+ return 1;
+ }
+
if (ohci_read_iso_td(ohci, addr, &iso_td)) {
trace_usb_ohci_iso_td_read_failed(addr);
ohci_die(ohci);
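Review bot: the new `addr == 0` branch in ohci_service_iso_td() calls ohci_die() silently, while the read-failure path just below it emits trace_usb_ohci_iso_td_read_failed(addr) first. Since the guest controls ed->head, a trace point (or a guest-error log) before `ohci_die(ohci);` would let an operator tell this guest-triggered shutdown of the controller apart from a DMA read failure.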
@@ -953,6 +958,11 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
int completion;
addr = ed->head & OHCI_DPTR_MASK;
+ if (addr == 0) {
+ ohci_die(ohci);
+ return 1;
+ }
+
/* See if this TD has already been submitted to the device. */
completion = (addr == ohci->async_td);
if (completion && !ohci->async_complete) {
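Review bot: the guard in ohci_service_td() repeats the one added to ohci_service_iso_td() and, per the commit message, covers a case that is only suspected ("Probably, a similar issue"). A one-line comment above `if (addr == 0) {` recording the reason (the abort() in ohci_frame_boundary() when ohci->done is 0) would explain why the controller is killed here, and factoring the check into a shared helper would keep the two call sites from diverging.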
--
2.41.0.windows.1


@ -0,0 +1,101 @@
From 309d5b48a969e67ee97a7cae0c77e67728742c19 Mon Sep 17 00:00:00 2001
From: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
Date: Wed, 16 Oct 2024 14:33:19 +0800
Subject: [PATCH] hw/core/ptimer: fix timer zero period condition for freq >
1GHz
cherry-pick from 446e5e8b4515e9a7be69ef6a29852975289bb6f0
The real period is zero when both period and period_frac are zero.
Check the method ptimer_set_freq, if freq is larger than 1000 MHz,
the period is zero, but the period_frac is not, in this case, the
ptimer will work but the current code incorrectly recognizes that
the ptimer is disabled.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2306
Signed-off-by: JianZhou Yue <JianZhou.Yue@verisilicon.com>
Message-id: 3DA024AEA8B57545AF1B3CAA37077D0FB75E82C8@SHASXM03.verisilicon.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
---
hw/core/ptimer.c | 4 ++--
tests/unit/ptimer-test.c | 33 +++++++++++++++++++++++++++++++++
2 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/hw/core/ptimer.c b/hw/core/ptimer.c
index 6ba19fd965..25063deefe 100644
--- a/hw/core/ptimer.c
+++ b/hw/core/ptimer.c
@@ -84,7 +84,7 @@ static void ptimer_reload(ptimer_state *s, int delta_adjust)
delta = s->delta = s->limit;
}
- if (s->period == 0) {
+ if (s->period == 0 && s->period_frac == 0) {
if (!qtest_enabled()) {
fprintf(stderr, "Timer with period zero, disabling\n");
}
@@ -310,7 +310,7 @@ void ptimer_run(ptimer_state *s, int oneshot)
assert(s->in_transaction);
- if (was_disabled && s->period == 0) {
+ if (was_disabled && s->period == 0 && s->period_frac == 0) {
if (!qtest_enabled()) {
fprintf(stderr, "Timer with period zero, disabling\n");
}
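Review bot: `s->period == 0 && s->period_frac == 0` now appears in ptimer_reload() and again here in ptimer_run(), each followed by the same "Timer with period zero, disabling" message. A small static helper for the zero-period test would keep the two sites in step, since the bug being fixed was this same test being wrong in both places.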
diff --git a/tests/unit/ptimer-test.c b/tests/unit/ptimer-test.c
index 9176b96c1c..8544b6486c 100644
--- a/tests/unit/ptimer-test.c
+++ b/tests/unit/ptimer-test.c
@@ -763,6 +763,33 @@ static void check_oneshot_with_load_0(gconstpointer arg)
ptimer_free(ptimer);
}
+static void check_freq_more_than_1000M(gconstpointer arg)
+{
+ const uint8_t *policy = arg;
+ ptimer_state *ptimer = ptimer_init(ptimer_trigger, NULL, *policy);
+ bool no_round_down = (*policy & PTIMER_POLICY_NO_COUNTER_ROUND_DOWN);
+
+ triggered = false;
+
+ ptimer_transaction_begin(ptimer);
+ ptimer_set_freq(ptimer, 2000000000);
+ ptimer_set_limit(ptimer, 8, 1);
+ ptimer_run(ptimer, 1);
+ ptimer_transaction_commit(ptimer);
+
+ qemu_clock_step(3);
+
+ g_assert_cmpuint(ptimer_get_count(ptimer), ==, no_round_down ? 3 : 2);
+ g_assert_false(triggered);
+
+ qemu_clock_step(1);
+
+ g_assert_cmpuint(ptimer_get_count(ptimer), ==, 0);
+ g_assert_true(triggered);
+
+ ptimer_free(ptimer);
+}
+
static void add_ptimer_tests(uint8_t policy)
{
char policy_name[256] = "";
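Review bot: check_freq_more_than_1000M() asserts on bare numbers (`qemu_clock_step(3)`, a count of `3 : 2`, then one more step to reach 0) with no comment tying them to the 2 GHz frequency and the limit of 8. State the arithmetic in a comment (0.5 ns per tick, so 8 ticks expire after 4 ns). The test also runs only one-shot mode (`ptimer_run(ptimer, 1)`), so the reload-on-expiry path of a periodic timer at this frequency is not covered; a periodic variant would close that gap.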
@@ -857,6 +884,12 @@ static void add_ptimer_tests(uint8_t policy)
policy_name),
g_memdup(&policy, 1), check_oneshot_with_load_0, g_free);
g_free(tmp);
+
+ g_test_add_data_func_full(
+ tmp = g_strdup_printf("/ptimer/freq_more_than_1000M policy=%s",
+ policy_name),
+ g_memdup(&policy, 1), check_freq_more_than_1000M, g_free);
+ g_free(tmp);
}
static void add_all_ptimer_policies_comb_tests(void)
--
2.41.0.windows.1


@ -0,0 +1,50 @@
From 1869848dd0bf4ac99ce1b272afc90d161558370c Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Sat, 12 Oct 2024 09:20:58 +0000
Subject: [PATCH] hw/i386/multiboot: Avoid dynamic stack allocation mainline
inclusion commit fa87341dabebe79d2e5577432a98b83c9eddf968 category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
Use autofree heap allocation instead of variable-length array on
the stack. Replace the snprintf() call by g_strdup_printf().
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220819153931.3147384-9-peter.maydell@linaro.org
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/i386/multiboot.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
index 0a10089f14..963e29362e 100644
--- a/hw/i386/multiboot.c
+++ b/hw/i386/multiboot.c
@@ -163,6 +163,7 @@ int load_multiboot(X86MachineState *x86ms,
uint8_t *mb_bootinfo_data;
uint32_t cmdline_len;
GList *mods = NULL;
+ g_autofree char *kcmdline = NULL;
/* Ok, let's see if it is a multiboot image.
The header is 12x32bit long, so the latest entry may be 8192 - 48. */
@@ -362,9 +363,7 @@ int load_multiboot(X86MachineState *x86ms,
}
/* Commandline support */
- char kcmdline[strlen(kernel_filename) + strlen(kernel_cmdline) + 2];
- snprintf(kcmdline, sizeof(kcmdline), "%s %s",
- kernel_filename, kernel_cmdline);
+ kcmdline = g_strdup_printf("%s %s", kernel_filename, kernel_cmdline);
stl_p(bootinfo + MBI_CMDLINE, mb_add_cmdline(&mbs, kcmdline));
stl_p(bootinfo + MBI_BOOTLOADER, mb_add_bootloader(&mbs, bootloader_name));
--
2.41.0.windows.1


@ -0,0 +1,42 @@
From 2eae57b784c362d1e3aeb8f2b4c5796faaf91ac3 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Sat, 12 Oct 2024 09:04:19 +0000
Subject: [PATCH] hw/intc/xics: Avoid dynamic stack allocation mainline
inclusion commit 7650c8fe520c67c3b36f6962c4ad990f56ad40b8 category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
Use autofree heap allocation instead of variable-length
array on the stack.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220819153931.3147384-8-peter.maydell@linaro.org
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/intc/xics.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/intc/xics.c b/hw/intc/xics.c
index 48a835eab7..9215ef1fb5 100644
--- a/hw/intc/xics.c
+++ b/hw/intc/xics.c
@@ -565,8 +565,8 @@ static void ics_reset_irq(ICSIRQState *irq)
static void ics_reset(DeviceState *dev)
{
ICSState *ics = ICS(dev);
+ g_autofree uint8_t *flags = g_malloc(ics->nr_irqs);
int i;
- uint8_t flags[ics->nr_irqs];
for (i = 0; i < ics->nr_irqs; i++) {
flags[i] = ics->irqs[i].flags;
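Review bot: `g_malloc(ics->nr_irqs)` sizes the buffer in bytes and is correct only while the element type stays uint8_t. `g_new(uint8_t, ics->nr_irqs)` ties the allocation to the element type, checks the multiplication, and reads like the array it replaces. The loop index `int i` is compared against `ics->nr_irqs`, so confirm the two have the same signedness.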
--
2.41.0.windows.1


@ -0,0 +1,43 @@
From 57625e5ddfb167711ebd0b9486594ef8413d519c Mon Sep 17 00:00:00 2001
From: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
Date: Thu, 17 Oct 2024 11:07:11 +0800
Subject: [PATCH] hw/net/can/sja1000: fix bug for single acceptance filter and
standard frame
cherry-pick from 25145a7d7735344a469551946fc2a7f19eb4aa3d
A CAN sja1000 standard frame filter mask has been computed and applied
incorrectly for standard frames when single Acceptance Filter Mode
(MOD_AFM = 1) has been selected. The problem has not been found
by Linux kernel testing because it uses dual filter mode (MOD_AFM = 0)
and leaves filters fully open.
The problem has been noticed by Grant Ramsay when testing with Zephyr
RTOS which uses single filter mode.
Signed-off-by: Pavel Pisa <pisa@cmp.felk.cvut.cz>
Reported-by: Grant Ramsay <gramsay@enphaseenergy.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2028
Fixes: 733210e754 ("hw/net/can: SJA1000 chip register level emulation")
Message-ID: <20240103231426.5685-1-pisa@fel.cvut.cz>
Signed-off-by: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
---
hw/net/can/can_sja1000.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/can/can_sja1000.c b/hw/net/can/can_sja1000.c
index 34eea684ce..5eefb8407e 100644
--- a/hw/net/can/can_sja1000.c
+++ b/hw/net/can/can_sja1000.c
@@ -108,7 +108,7 @@ void can_sja_single_filter(struct qemu_can_filter *filter,
}
filter->can_mask = (uint32_t)amr[0] << 3;
- filter->can_mask |= (uint32_t)amr[1] << 5;
+ filter->can_mask |= (uint32_t)amr[1] >> 5;
filter->can_mask = ~filter->can_mask & QEMU_CAN_SFF_MASK;
if (!(amr[1] & 0x10)) {
filter->can_mask |= QEMU_CAN_RTR_FLAG;
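Review bot: the corrected `amr[1] >> 5` has no comment explaining the bit layout it relies on, which is how the wrong shift direction went unnoticed. Note above these two lines that amr[0] supplies the upper eight identifier bits (hence `<< 3`) and the top three bits of amr[1] supply the lower three, then confirm that the filter->can_id computation above this hunk uses the same shifts. A unit test for single filter mode with a standard frame would catch a regression, since the commit message says Linux kernel testing never exercises this mode.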
--
2.41.0.windows.1


@ -0,0 +1,51 @@
From 01a9518a9f305ea0ade60028c6bf4c26431fd707 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Sat, 12 Oct 2024 09:01:55 +0000
Subject: [PATCH] hw/net/e1000e_core: Use definition to avoid dynamic stack
allocation mainline inclusion commit c140a69055bad798a335ea3c83aebceaca82bde0
category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
The compiler isn't clever enough to figure 'min_buf_size'
is a constant, so help it by using a definition instead.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220819153931.3147384-6-peter.maydell@linaro.org
---
hw/net/e1000e_core.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
index 8ae6fb7e14..32c3507795 100644
--- a/hw/net/e1000e_core.c
+++ b/hw/net/e1000e_core.c
@@ -1620,15 +1620,16 @@ e1000e_rx_fix_l4_csum(E1000ECore *core, struct NetRxPkt *pkt)
}
}
+/* Min. octets in an ethernet frame sans FCS */
+#define MIN_BUF_SIZE 60
+
ssize_t
e1000e_receive_iov(E1000ECore *core, const struct iovec *iov, int iovcnt)
{
static const int maximum_ethernet_hdr_len = (14 + 4);
- /* Min. octets in an ethernet frame sans FCS */
- static const int min_buf_size = 60;
uint32_t n = 0;
- uint8_t min_buf[min_buf_size];
+ uint8_t min_buf[MIN_BUF_SIZE];
struct iovec min_iov;
uint8_t *filter_buf;
size_t size, orig_size;
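Review bot: `MIN_BUF_SIZE` is a generic name for a file-scope macro defined in the middle of e1000e_core.c, and it now sits beside `maximum_ethernet_hdr_len`, which stays a `static const int` inside the function. Prefix the macro (for example E1000E_MIN_BUF_SIZE) or `#undef` it after e1000e_receive_iov() so it cannot collide with another definition pulled in through headers, and consider treating both constants the same way.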
--
2.41.0.windows.1


@ -0,0 +1,73 @@
From 8784e43349fe54c50ecd9df804bb610c2b7f6f3c Mon Sep 17 00:00:00 2001
From: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
Date: Thu, 17 Oct 2024 12:14:27 +0800
Subject: [PATCH] hw/net/virtio-net: fix qemu set used ring flag even vhost
started
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cherry-pick from 4c54f5bc8e1d38f15cc35b6a6932d8fbe219c692
When vhost-user or vhost-kernel is handling virtio net datapath,
QEMU should not touch used ring.
But with vhost-user socket reconnect scenario, in a very rare case
(has pending kick event). VRING_USED_F_NO_NOTIFY is set by QEMU in
following code path:
#0 virtio_queue_split_set_notification (vq=0x7ff5f4c920a8, enable=0) at ../hw/virtio/virtio.c:511
#1 0x0000559d6dbf033b in virtio_queue_set_notification (vq=0x7ff5f4c920a8, enable=0) at ../hw/virtio/virtio.c:576
#2 0x0000559d6dbbbdbc in virtio_net_handle_tx_bh (vdev=0x559d703a6aa0, vq=0x7ff5f4c920a8) at ../hw/net/virtio-net.c:2801
#3 0x0000559d6dbf4791 in virtio_queue_notify_vq (vq=0x7ff5f4c920a8) at ../hw/virtio/virtio.c:2248
#4 0x0000559d6dbf79da in virtio_queue_host_notifier_read (n=0x7ff5f4c9211c) at ../hw/virtio/virtio.c:3525
#5 0x0000559d6d9a5814 in virtio_bus_cleanup_host_notifier (bus=0x559d703a6a20, n=1) at ../hw/virtio/virtio-bus.c:321
#6 0x0000559d6dbf83c9 in virtio_device_stop_ioeventfd_impl (vdev=0x559d703a6aa0) at ../hw/virtio/virtio.c:3774
#7 0x0000559d6d9a55c8 in virtio_bus_stop_ioeventfd (bus=0x559d703a6a20) at ../hw/virtio/virtio-bus.c:259
#8 0x0000559d6d9a53e8 in virtio_bus_grab_ioeventfd (bus=0x559d703a6a20) at ../hw/virtio/virtio-bus.c:199
#9 0x0000559d6dbf841c in virtio_device_grab_ioeventfd (vdev=0x559d703a6aa0) at ../hw/virtio/virtio.c:3783
#10 0x0000559d6d9bde18 in vhost_dev_enable_notifiers (hdev=0x559d707edd70, vdev=0x559d703a6aa0) at ../hw/virtio/vhost.c:1592
#11 0x0000559d6d89a0b8 in vhost_net_start_one (net=0x559d707edd70, dev=0x559d703a6aa0) at ../hw/net/vhost_net.c:266
#12 0x0000559d6d89a6df in vhost_net_start (dev=0x559d703a6aa0, ncs=0x559d7048d890, data_queue_pairs=31, cvq=0) at ../hw/net/vhost_net.c:412
#13 0x0000559d6dbb5b89 in virtio_net_vhost_status (n=0x559d703a6aa0, status=15 '\017') at ../hw/net/virtio-net.c:311
#14 0x0000559d6dbb5e34 in virtio_net_set_status (vdev=0x559d703a6aa0, status=15 '\017') at ../hw/net/virtio-net.c:392
#15 0x0000559d6dbb60d8 in virtio_net_set_link_status (nc=0x559d7048d890) at ../hw/net/virtio-net.c:455
#16 0x0000559d6da64863 in qmp_set_link (name=0x559d6f0b83d0 "hostnet1", up=true, errp=0x7ffdd76569f0) at ../net/net.c:1459
#17 0x0000559d6da7226e in net_vhost_user_event (opaque=0x559d6f0b83d0, event=CHR_EVENT_OPENED) at ../net/vhost-user.c:301
#18 0x0000559d6ddc7f63 in chr_be_event (s=0x559d6f2ffea0, event=CHR_EVENT_OPENED) at ../chardev/char.c:62
#19 0x0000559d6ddc7fdc in qemu_chr_be_event (s=0x559d6f2ffea0, event=CHR_EVENT_OPENED) at ../chardev/char.c:82
This issue causes the guest kernel to stop kicking the device and traffic to stop.
Add vhost_started check in virtio_net_handle_tx_bh to fix this wrong
VRING_USED_F_NO_NOTIFY set.
Signed-off-by: Yajun Wu <yajunw@nvidia.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20240402045109.97729-1-yajunw@nvidia.com>
[PMD: Use unlikely()]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
---
hw/net/virtio-net.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index cef7fc0aa0..7c87aa28ef 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -2709,6 +2709,10 @@ static void virtio_net_handle_tx_bh(VirtIODevice *vdev, VirtQueue *vq)
VirtIONet *n = VIRTIO_NET(vdev);
VirtIONetQueue *q = &n->vqs[vq2q(virtio_get_queue_index(vq))];
+ if (unlikely(n->vhost_started)) {
+ return;
+ }
+
if (unlikely((n->status & VIRTIO_NET_S_LINK_UP) == 0)) {
virtio_net_drop_tx_queue_data(vdev, vq);
return;
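Review bot: the early `return` on `n->vhost_started` drops the notification with no comment or trace point, so a reader of virtio_net_handle_tx_bh() cannot tell that it guards against QEMU setting VRING_USED_F_NO_NOTIFY in a used ring owned by the vhost backend. Add a short comment above the check giving that reason. The commit message describes the reconnect path only for the bottom-half handler; if the timer-based TX handler can be reached through the same notifier cleanup, it needs the same guard.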
--
2.41.0.windows.1


@ -0,0 +1,52 @@
From cf7f716ba8fbcc4fc4d4edcce7bc3c6bbfa425a5 Mon Sep 17 00:00:00 2001
From: tangzhongrui <tangzhongrui@cmss.chinamobile.com>
Date: Wed, 6 Nov 2024 15:02:38 +0800
Subject: [PATCH] hw/pci: Add parenthesis to PCI_BUILD_BDF macro
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The bus parameter in the macro PCI_BUILD_BDF is not surrounded by
parenthesis. This can create a compile error when warnings are
treated as errors or can potentially create runtime errors due to the
operator precedence.
For instance:
file.c:x:32: error: suggest parentheses around '-' inside '<<'
[-Werror=parentheses]
171 | uint16_t bdf = PCI_BUILD_BDF(a - b, sdev->devfn);
| ~~^~~
include/hw/pci/pci.h:19:41: note: in definition of macro
'PCI_BUILD_BDF'
19 | #define PCI_BUILD_BDF(bus, devfn) ((bus << 8) | (devfn))
| ^~~
cc1: all warnings being treated as errors
Signed-off-by: Roque Arcudia Hernandez <roqueh@google.com>
Reviewed-by: Nabih Estefan <nabihestefan@google.com>
Message-Id: <20241101215923.3399311-1-roqueh@google.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Zhongrui Tang <tangzhongrui_yewu@cmss.chinamobile.com>
---
include/hw/pci/pci.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
index 458126a18c..a0cf893bfd 100644
--- a/include/hw/pci/pci.h
+++ b/include/hw/pci/pci.h
@@ -18,7 +18,7 @@ extern bool pci_available;
#define PCI_BUS_NUM(x) (((x) >> 8) & 0xff)
#define PCI_SLOT(devfn) (((devfn) >> 3) & 0x1f)
#define PCI_FUNC(devfn) ((devfn) & 0x07)
-#define PCI_BUILD_BDF(bus, devfn) ((bus << 8) | (devfn))
+#define PCI_BUILD_BDF(bus, devfn) (((bus) << 8) | (devfn))
#define PCI_BUS_MAX 256
#define PCI_DEVFN_MAX 256
#define PCI_SLOT_MAX 32
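Review bot: with the parentheses fixed, PCI_BUILD_BDF still does not bound its arguments: a `devfn` above 0xff spills into the bus field and a `bus` above 0xff overflows a 16-bit BDF, whereas PCI_BUS_NUM, PCI_SLOT and PCI_FUNC in the lines above all mask their result. Either mask here, `((((bus) & 0xff) << 8) | ((devfn) & 0xff))`, or document that callers must pass values already in range.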
--
2.41.0.windows.1


@ -0,0 +1,50 @@
From 44ed577fd7c8ecf487157658e3d54cbfccb30ec2 Mon Sep 17 00:00:00 2001
From: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
Date: Wed, 23 Oct 2024 14:02:47 +0800
Subject: [PATCH] hw/pci-bridge: Add a Kconfig switch for the normal PCI bridge
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cherry-pick from e779e5c05ad5d8237e2a7d8ba8b432cd24c1708b
The pci-bridge device is not usable on s390x, so introduce a Kconfig
switch that allows to disable it.
Message-ID: <20240913144844.427899-1-thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
---
hw/pci-bridge/Kconfig | 5 +++++
hw/pci-bridge/meson.build | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/hw/pci-bridge/Kconfig b/hw/pci-bridge/Kconfig
index f8df4315ba..d87b96e8bc 100644
--- a/hw/pci-bridge/Kconfig
+++ b/hw/pci-bridge/Kconfig
@@ -1,3 +1,8 @@
+config PCI_BRIDGE
+ bool
+ default y if PCI_DEVICES
+ depends on PCI
+
config PCIE_PORT
bool
default y if PCI_DEVICES
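Review bot: the new PCI_BRIDGE symbol is `default y if PCI_DEVICES`, and the diffstat covers only Kconfig and meson.build, so nothing in this patch turns the device off for s390x, which is the motivation the commit message gives. The s390x side that disables it should land with this change or be referenced from the message. Boards that instantiate pci-bridge unconditionally should also `select PCI_BRIDGE`, otherwise a build with the symbol off can lose a device they depend on.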
diff --git a/hw/pci-bridge/meson.build b/hw/pci-bridge/meson.build
index daab8acf2a..a48a6b9653 100644
--- a/hw/pci-bridge/meson.build
+++ b/hw/pci-bridge/meson.build
@@ -1,5 +1,5 @@
pci_ss = ss.source_set()
-pci_ss.add(files('pci_bridge_dev.c'))
+pci_ss.add(when: 'CONFIG_PCI_BRIDGE', if_true: files('pci_bridge_dev.c'))
pci_ss.add(when: 'CONFIG_I82801B11', if_true: files('i82801b11.c'))
pci_ss.add(when: 'CONFIG_IOH3420', if_true: files('ioh3420.c'))
pci_ss.add(when: 'CONFIG_PCIE_PORT', if_true: files('pcie_root_port.c', 'gen_pcie_root_port.c', 'pcie_pci_bridge.c'))
--
2.41.0.windows.1


@ -0,0 +1,60 @@
From 1a122b51bddc216fa129e039012711a1a1a8b6b4 Mon Sep 17 00:00:00 2001
From: Liu Jing <liujing_yewu@cmss.chinamobile.com>
Date: Mon, 14 Oct 2024 16:42:03 +0800
Subject: [PATCH] hw/pci-host: pnv_phb{3, 4}: Fix heap out-of-bound access
failure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
pnv_phb3_root_bus_info and pnv_phb4_root_bus_info are missing the
instance_size initialization. This results in accessing out-of-bound
memory when setting 'chip-id' and 'phb-id', and eventually crashes
glib's malloc functionality with the following message:
"qemu-system-ppc64: GLib: ../glib-2.72.3/glib/gmem.c:131: failed to allocate 3232 bytes"
This issue was noticed only when running qtests with QEMU Windows
32-bit executable. Windows 64-bit, Linux 32/64-bit do not expose
this bug though.
Fixes: 9ae1329ee2fe ("ppc/pnv: Add models for POWER8 PHB3 PCIe Host bridge")
Fixes: 4f9924c4d4cf ("ppc/pnv: Add models for POWER9 PHB4 PCIe Host bridge")
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Xuzhou Cheng <xuzhou.cheng@windriver.com>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Message-Id: <20220920103159.1865256-29-bmeng.cn@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
---
hw/pci-host/pnv_phb3.c | 1 +
hw/pci-host/pnv_phb4.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/hw/pci-host/pnv_phb3.c b/hw/pci-host/pnv_phb3.c
index 947efa77dc..bdc128013e 100644
--- a/hw/pci-host/pnv_phb3.c
+++ b/hw/pci-host/pnv_phb3.c
@@ -1130,6 +1130,7 @@ static void pnv_phb3_root_bus_class_init(ObjectClass *klass, void *data)
static const TypeInfo pnv_phb3_root_bus_info = {
.name = TYPE_PNV_PHB3_ROOT_BUS,
.parent = TYPE_PCIE_BUS,
+ .instance_size = sizeof(PnvPHB3RootBus),
.class_init = pnv_phb3_root_bus_class_init,
.interfaces = (InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
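Review bot: `.instance_size = sizeof(PnvPHB3RootBus)` is added by hand here and again in pnv_phb4.c, and the commit message says the omission surfaced on only one host (32-bit Windows), so the same mistake in another TypeInfo would go unnoticed on the usual build targets. Check the other TypeInfo definitions in these two files whose instance struct adds fields to the parent, and consider running the qtests under AddressSanitizer, which reports this class of heap overrun independently of allocator layout.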
diff --git a/hw/pci-host/pnv_phb4.c b/hw/pci-host/pnv_phb4.c
index 4e17a48d35..9f115da7ac 100644
--- a/hw/pci-host/pnv_phb4.c
+++ b/hw/pci-host/pnv_phb4.c
@@ -1321,6 +1321,7 @@ static void pnv_phb4_root_bus_class_init(ObjectClass *klass, void *data)
static const TypeInfo pnv_phb4_root_bus_info = {
.name = TYPE_PNV_PHB4_ROOT_BUS,
.parent = TYPE_PCIE_BUS,
+ .instance_size = sizeof(PnvPHB4RootBus),
.class_init = pnv_phb4_root_bus_class_init,
.interfaces = (InterfaceInfo[]) {
{ INTERFACE_PCIE_DEVICE },
--
2.41.0.windows.1


@ -0,0 +1,45 @@
From c6f178f914eeac4cf1fd537e5e1c4172cf494029 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Sat, 12 Oct 2024 08:43:14 +0000
Subject: [PATCH] hw/ppc/spapr: Fix code style problems reported by checkpatch
mainline inclusion commit 6b5cf264ee76d24b357a60b69b0635a533c1f647 category:
bugfix
---------------------------------------------------------------
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Bernhard Beschow <shentey@gmail.com>
Message-Id: <20220919231720.163121-5-shentey@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
include/hw/ppc/spapr.h | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index 316b80318e..8390dd7743 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -754,7 +754,8 @@ static inline uint64_t ppc64_phys_to_real(uint64_t addr)
static inline uint32_t rtas_ld(target_ulong phys, int n)
{
- return ldl_be_phys(&address_space_memory, ppc64_phys_to_real(phys + 4*n));
+ return ldl_be_phys(&address_space_memory,
+ ppc64_phys_to_real(phys + 4 * n));
}
static inline uint64_t rtas_ldq(target_ulong phys, int n)
@@ -764,7 +765,7 @@ static inline uint64_t rtas_ldq(target_ulong phys, int n)
static inline void rtas_st(target_ulong phys, int n, uint32_t val)
{
- stl_be_phys(&address_space_memory, ppc64_phys_to_real(phys + 4*n), val);
+ stl_be_phys(&address_space_memory, ppc64_phys_to_real(phys + 4 * n), val);
}
typedef void (*spapr_rtas_fn)(PowerPCCPU *cpu, SpaprMachineState *sm,
--
2.41.0.windows.1


@ -0,0 +1,58 @@
From eb7f58bd9b45b2e113a66a3694661977541cd266 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Sat, 12 Oct 2024 09:21:03 +0000
Subject: [PATCH] hw/usb/hcd-ohci: Use definition to avoid dynamic stack
allocation mainline inclusion commit 29d81e429d16fe8f0f1cd99e63507ca53ca1945c
category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
The compiler isn't clever enough to figure 'width' is a constant,
so help it by using a definition instead.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220819153931.3147384-10-peter.maydell@linaro.org
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/usb/hcd-ohci.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
index a93d6b2e98..5e67eb4089 100644
--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
@@ -900,13 +900,14 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
return 1;
}
+#define HEX_CHAR_PER_LINE 16
+
static void ohci_td_pkt(const char *msg, const uint8_t *buf, size_t len)
{
bool print16;
bool printall;
- const int width = 16;
int i;
- char tmp[3 * width + 1];
+ char tmp[3 * HEX_CHAR_PER_LINE + 1];
char *p = tmp;
print16 = !!trace_event_get_state_backends(TRACE_USB_OHCI_TD_PKT_SHORT);
@@ -917,7 +918,7 @@ static void ohci_td_pkt(const char *msg, const uint8_t *buf, size_t len)
}
for (i = 0; ; i++) {
- if (i && (!(i % width) || (i == len))) {
+ if (i && (!(i % HEX_CHAR_PER_LINE) || (i == len))) {
if (!printall) {
trace_usb_ohci_td_pkt_short(msg, tmp);
break;
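Review bot: in the loop condition, `i == len` compares `int i` with `size_t len`, a signedness mix the rename leaves untouched; declaring `i` as size_t removes it. The size of `tmp`, `3 * HEX_CHAR_PER_LINE + 1`, also depends on the loop emitting at most three characters per byte and flushing every HEX_CHAR_PER_LINE bytes, which deserves a comment next to the new macro.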
--
2.41.0.windows.1


@ -0,0 +1,180 @@
From c14cdf57217aaf043b5ac1087b7ade9b3b5cd730 Mon Sep 17 00:00:00 2001
From: tangzhongrui <tangzhongrui@cmss.chinamobile.com>
Date: Wed, 6 Nov 2024 10:55:43 +0800
Subject: [PATCH] intel_iommu: Add missed sanity check for 256-bit invalidation
queue
According to VTD spec, a 256-bit descriptor will result in an invalid
descriptor error if submitted in an IQ that is setup to provide hardware
with 128-bit descriptors (IQA_REG.DW=0). Meanwhile, there are old inv desc
types (e.g. iotlb_inv_desc) that can be either 128bits or 256bits. If a
128-bit version of this descriptor is submitted into an IQ that is setup
to provide hardware with 256-bit descriptors will also result in an invalid
descriptor error.
The 2nd will be captured by the tail register update. So we only need to
focus on the 1st.
Because the reserved bit check between different types of invalidation desc
are common, so introduce a common function vtd_inv_desc_reserved_check()
to do all the checks and pass the differences as parameters.
With this change, need to replace error_report_once() call with error_report()
to catch different call sites. This isn't an issue as error_report_once()
here is mainly used to help debug guest error, but it only dumps once in
qemu life cycle and doesn't help much, we need error_report() instead.
Fixes: c0c1d351849b ("intel_iommu: add 256 bits qi_desc support")
Suggested-by: Yi Liu <yi.l.liu@intel.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Message-Id: <20241104125536.1236118-3-zhenzhong.duan@intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Zhongrui Tang tangzhongrui_yewu@cmss.chinamobile.com
---
hw/i386/intel_iommu.c | 80 ++++++++++++++++++++++++----------
hw/i386/intel_iommu_internal.h | 1 +
2 files changed, 59 insertions(+), 22 deletions(-)
diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index 2f8bcc1557..296a32a927 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -2293,15 +2293,51 @@ static bool vtd_get_inv_desc(IntelIOMMUState *s,
return true;
}
+static bool vtd_inv_desc_reserved_check(IntelIOMMUState *s,
+ VTDInvDesc *inv_desc,
+ uint64_t mask[4], bool dw,
+ const char *func_name,
+ const char *desc_type)
+{
+ if (s->iq_dw) {
+ if (inv_desc->val[0] & mask[0] || inv_desc->val[1] & mask[1] ||
+ inv_desc->val[2] & mask[2] || inv_desc->val[3] & mask[3]) {
+ error_report("%s: invalid %s desc val[3]: 0x%"PRIx64
+ " val[2]: 0x%"PRIx64" val[1]=0x%"PRIx64
+ " val[0]=0x%"PRIx64" (reserved nonzero)",
+ func_name, desc_type, inv_desc->val[3],
+ inv_desc->val[2], inv_desc->val[1],
+ inv_desc->val[0]);
+ return false;
+ }
+ } else {
+ if (dw) {
+ error_report("%s: 256-bit %s desc in 128-bit invalidation queue",
+ func_name, desc_type);
+ return false;
+ }
+
+ if (inv_desc->lo & mask[0] || inv_desc->hi & mask[1]) {
+ error_report("%s: invalid %s desc: hi=%"PRIx64", lo=%"PRIx64
+ " (reserved nonzero)", func_name, desc_type,
+ inv_desc->hi, inv_desc->lo);
+ return false;
+ }
+ }
+
+ return true;
+}
+
static bool vtd_process_wait_desc(IntelIOMMUState *s, VTDInvDesc *inv_desc)
{
- if ((inv_desc->hi & VTD_INV_DESC_WAIT_RSVD_HI) ||
- (inv_desc->lo & VTD_INV_DESC_WAIT_RSVD_LO)) {
- error_report_once("%s: invalid wait desc: hi=%"PRIx64", lo=%"PRIx64
- " (reserved nonzero)", __func__, inv_desc->hi,
- inv_desc->lo);
+ uint64_t mask[4] = {VTD_INV_DESC_WAIT_RSVD_LO, VTD_INV_DESC_WAIT_RSVD_HI,
+ VTD_INV_DESC_ALL_ONE, VTD_INV_DESC_ALL_ONE};
+
+ if (!vtd_inv_desc_reserved_check(s, inv_desc, mask, false,
+ __func__, "wait")) {
return false;
}
+
if (inv_desc->lo & VTD_INV_DESC_WAIT_SW) {
/* Status Write */
uint32_t status_data = (uint32_t)(inv_desc->lo >>
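Review bot: vtd_inv_desc_reserved_check() calls error_report() on every failed check, and the descriptor it tests is supplied by the guest, so a guest that keeps queueing descriptors with reserved bits set can write an unbounded number of lines to the host log. A rate-limited report, a trace event, or qemu_log_mask(LOG_GUEST_ERROR, ...) would keep the debugging value without that side effect. The format strings are also inconsistent: the 256-bit branch mixes "val[3]: 0x" with "val[1]=0x", and the 128-bit branch prints hi/lo without a 0x prefix.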
@@ -2335,13 +2371,14 @@ static bool vtd_process_context_cache_desc(IntelIOMMUState *s,
VTDInvDesc *inv_desc)
{
uint16_t sid, fmask;
+ uint64_t mask[4] = {VTD_INV_DESC_CC_RSVD, VTD_INV_DESC_ALL_ONE,
+ VTD_INV_DESC_ALL_ONE, VTD_INV_DESC_ALL_ONE};
- if ((inv_desc->lo & VTD_INV_DESC_CC_RSVD) || inv_desc->hi) {
- error_report_once("%s: invalid cc inv desc: hi=%"PRIx64", lo=%"PRIx64
- " (reserved nonzero)", __func__, inv_desc->hi,
- inv_desc->lo);
+ if (!vtd_inv_desc_reserved_check(s, inv_desc, mask, false,
+ __func__, "cc inv")) {
return false;
}
+
switch (inv_desc->lo & VTD_INV_DESC_CC_G) {
case VTD_INV_DESC_CC_DOMAIN:
trace_vtd_inv_desc_cc_domain(
@@ -2371,12 +2408,11 @@ static bool vtd_process_iotlb_desc(IntelIOMMUState *s, VTDInvDesc *inv_desc)
uint16_t domain_id;
uint8_t am;
hwaddr addr;
+ uint64_t mask[4] = {VTD_INV_DESC_IOTLB_RSVD_LO, VTD_INV_DESC_IOTLB_RSVD_HI,
+ VTD_INV_DESC_ALL_ONE, VTD_INV_DESC_ALL_ONE};
- if ((inv_desc->lo & VTD_INV_DESC_IOTLB_RSVD_LO) ||
- (inv_desc->hi & VTD_INV_DESC_IOTLB_RSVD_HI)) {
- error_report_once("%s: invalid iotlb inv desc: hi=0x%"PRIx64
- ", lo=0x%"PRIx64" (reserved bits unzero)",
- __func__, inv_desc->hi, inv_desc->lo);
+ if (!vtd_inv_desc_reserved_check(s, inv_desc, mask, false,
+ __func__, "iotlb inv")) {
return false;
}
@@ -2439,6 +2475,14 @@ static bool vtd_process_device_iotlb_desc(IntelIOMMUState *s,
uint8_t devfn;
bool size;
uint8_t bus_num;
+ uint64_t mask[4] = {VTD_INV_DESC_DEVICE_IOTLB_RSVD_LO,
+ VTD_INV_DESC_DEVICE_IOTLB_RSVD_HI,
+ VTD_INV_DESC_ALL_ONE, VTD_INV_DESC_ALL_ONE};
+
+ if (!vtd_inv_desc_reserved_check(s, inv_desc, mask, false,
+ __func__, "dev-iotlb inv")) {
+ return false;
+ }
addr = VTD_INV_DESC_DEVICE_IOTLB_ADDR(inv_desc->hi);
sid = VTD_INV_DESC_DEVICE_IOTLB_SID(inv_desc->lo);
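Review bot: this is the fourth caller of vtd_inv_desc_reserved_check() in the patch and, like the other three, it passes false for dw, so the "256-bit %s desc in 128-bit invalidation queue" branch cannot be reached by anything in this diff. Either document above the helper that dw is meant for descriptor types that exist only in 256-bit form, or drop the parameter until a caller needs it. The mask argument could also be declared const uint64_t mask[4], since the helper only reads it.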
@@ -2446,14 +2490,6 @@ static bool vtd_process_device_iotlb_desc(IntelIOMMUState *s,
bus_num = sid >> 8;
size = VTD_INV_DESC_DEVICE_IOTLB_SIZE(inv_desc->hi);
- if ((inv_desc->lo & VTD_INV_DESC_DEVICE_IOTLB_RSVD_LO) ||
- (inv_desc->hi & VTD_INV_DESC_DEVICE_IOTLB_RSVD_HI)) {
- error_report_once("%s: invalid dev-iotlb inv desc: hi=%"PRIx64
- ", lo=%"PRIx64" (reserved nonzero)", __func__,
- inv_desc->hi, inv_desc->lo);
- return false;
- }
-
vtd_bus = vtd_find_as_from_bus_num(s, bus_num);
if (!vtd_bus) {
goto done;
diff --git a/hw/i386/intel_iommu_internal.h b/hw/i386/intel_iommu_internal.h
index 2b2f0dd848..827b91e2ba 100644
--- a/hw/i386/intel_iommu_internal.h
+++ b/hw/i386/intel_iommu_internal.h
@@ -340,6 +340,7 @@ union VTDInvDesc {
typedef union VTDInvDesc VTDInvDesc;
/* Masks for struct VTDInvDesc */
+#define VTD_INV_DESC_ALL_ONE -1ULL
#define VTD_INV_DESC_TYPE(val) ((((val) >> 5) & 0x70ULL) | \
((val) & 0xfULL))
#define VTD_INV_DESC_CC 0x1 /* Context-cache Invalidate Desc */
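Review bot: style point on the added VTD_INV_DESC_ALL_ONE: the expansion -1ULL is not parenthesized. It is only used as an array initializer in this patch, but writing it as (~0ULL) or (-1ULL) matches the usual rule for macros with non-trivial values and keeps it safe if it is later used inside a larger expression.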
--
2.41.0.windows.1

@ -0,0 +1,99 @@
From 9ce9ecae9d7cf59554908787386901dd82fd7395 Mon Sep 17 00:00:00 2001
From: guping <guping_yewu@cmss.chinamobile.com>
Date: Wed, 9 Oct 2024 09:21:03 +0800
Subject: [PATCH] intel_iommu: Fix invalidation descriptor type field
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cherry-pick from 663168943d3db6d9b51d3dfa0998848a6e6eda71
According to spec, invalidation descriptor type is 7bits which is
concatenation of bits[11:9] and bits[3:0] of invalidation descriptor.
Currently we only pick bits[3:0] as the invalidation type and treat
bits[11:9] as reserved zero. This is not a problem for now as bits[11:9]
is zero for all current invalidation types. But it will break if newer
type occupies bits[11:9].
Fix it by taking bits[11:9] into type and make reserved bits check accurate.
Suggested-by: Clément Mathieu--Drif <clement.mathieu--drif@eviden.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Yi Liu <yi.l.liu@intel.com>
Reviewed-by: Clément Mathieu--Drif <clement.mathieu--drif@eviden.com>
Message-Id: <20240814071321.2621384-2-zhenzhong.duan@intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: guping <guping_yewu@cmss.chinamobile.com>
---
hw/i386/intel_iommu.c | 2 +-
hw/i386/intel_iommu_internal.h | 11 ++++++-----
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index 2d5ad84149..2f8bcc1557 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -2502,7 +2502,7 @@ static bool vtd_process_inv_desc(IntelIOMMUState *s)
return false;
}
- desc_type = inv_desc.lo & VTD_INV_DESC_TYPE;
+ desc_type = VTD_INV_DESC_TYPE(inv_desc.lo);
/* FIXME: should update at first or at last? */
s->iq_last_desc_type = desc_type;
diff --git a/hw/i386/intel_iommu_internal.h b/hw/i386/intel_iommu_internal.h
index a6c788049b..2b2f0dd848 100644
--- a/hw/i386/intel_iommu_internal.h
+++ b/hw/i386/intel_iommu_internal.h
@@ -340,7 +340,8 @@ union VTDInvDesc {
typedef union VTDInvDesc VTDInvDesc;
/* Masks for struct VTDInvDesc */
-#define VTD_INV_DESC_TYPE 0xf
+#define VTD_INV_DESC_TYPE(val) ((((val) >> 5) & 0x70ULL) | \
+ ((val) & 0xfULL))
#define VTD_INV_DESC_CC 0x1 /* Context-cache Invalidate Desc */
#define VTD_INV_DESC_IOTLB 0x2
#define VTD_INV_DESC_DEVICE 0x3
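Review bot: the new VTD_INV_DESC_TYPE(val) has no comment explaining its constants: the >> 5 combined with the 0x70 mask moves descriptor bits[11:9] into bits[6:4] of the type, above bits[3:0]. A one-line comment saying so would let a reader check VTD_INV_DESC_CC, VTD_INV_DESC_IOTLB and the other type values against the 7-bit encoding without redoing the arithmetic.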
@@ -356,7 +357,7 @@ typedef union VTDInvDesc VTDInvDesc;
#define VTD_INV_DESC_WAIT_IF (1ULL << 4)
#define VTD_INV_DESC_WAIT_FN (1ULL << 6)
#define VTD_INV_DESC_WAIT_DATA_SHIFT 32
-#define VTD_INV_DESC_WAIT_RSVD_LO 0Xffffff80ULL
+#define VTD_INV_DESC_WAIT_RSVD_LO 0Xfffff180ULL
#define VTD_INV_DESC_WAIT_RSVD_HI 3ULL
/* Masks for Context-cache Invalidation Descriptor */
@@ -367,7 +368,7 @@ typedef union VTDInvDesc VTDInvDesc;
#define VTD_INV_DESC_CC_DID(val) (((val) >> 16) & VTD_DOMAIN_ID_MASK)
#define VTD_INV_DESC_CC_SID(val) (((val) >> 32) & 0xffffUL)
#define VTD_INV_DESC_CC_FM(val) (((val) >> 48) & 3UL)
-#define VTD_INV_DESC_CC_RSVD 0xfffc00000000ffc0ULL
+#define VTD_INV_DESC_CC_RSVD 0xfffc00000000f1c0ULL
/* Masks for IOTLB Invalidate Descriptor */
#define VTD_INV_DESC_IOTLB_G (3ULL << 4)
@@ -377,7 +378,7 @@ typedef union VTDInvDesc VTDInvDesc;
#define VTD_INV_DESC_IOTLB_DID(val) (((val) >> 16) & VTD_DOMAIN_ID_MASK)
#define VTD_INV_DESC_IOTLB_ADDR(val) ((val) & ~0xfffULL)
#define VTD_INV_DESC_IOTLB_AM(val) ((val) & 0x3fULL)
-#define VTD_INV_DESC_IOTLB_RSVD_LO 0xffffffff0000ff00ULL
+#define VTD_INV_DESC_IOTLB_RSVD_LO 0xffffffff0000f100ULL
#define VTD_INV_DESC_IOTLB_RSVD_HI 0xf80ULL
/* Mask for Device IOTLB Invalidate Descriptor */
@@ -385,7 +386,7 @@ typedef union VTDInvDesc VTDInvDesc;
#define VTD_INV_DESC_DEVICE_IOTLB_SIZE(val) ((val) & 0x1)
#define VTD_INV_DESC_DEVICE_IOTLB_SID(val) (((val) >> 32) & 0xFFFFULL)
#define VTD_INV_DESC_DEVICE_IOTLB_RSVD_HI 0xffeULL
-#define VTD_INV_DESC_DEVICE_IOTLB_RSVD_LO 0xffff0000ffe0fff8
+#define VTD_INV_DESC_DEVICE_IOTLB_RSVD_LO 0xffff0000ffe0f1f0
/* Rsvd field masks for spte */
#define VTD_SPTE_SNP 0x800ULL
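Review bot: VTD_INV_DESC_DEVICE_IOTLB_RSVD_LO changes in bit 3 as well as in bits[11:9]: 0xffff0000ffe0fff8 becomes 0xffff0000ffe0f1f0, while the other three masks in this patch only drop bits[11:9]. Bit 3 is part of the type field bits[3:0], so removing it from the reserved mask looks right, but the commit message only mentions bits[11:9] and should call this out. The constant also lacks the ULL suffix its neighbours carry.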
--
2.41.0.windows.1

@ -0,0 +1,39 @@
From aa81e4e3f5d02bd8e8012df677452c4a8b208ac7 Mon Sep 17 00:00:00 2001
From: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date: Mon, 4 Nov 2024 20:55:34 +0800
Subject: [PATCH] intel_iommu: Send IQE event when setting reserved bit in
IQT_TAIL
According to VTD spec, Figure 11-22, Invalidation Queue Tail Register,
"When Descriptor Width (DW) field in Invalidation Queue Address Register
(IQA_REG) is Set (256-bit descriptors), hardware treats bit-4 as reserved
and a value of 1 in the bit will result in invalidation queue error."
Current code missed to send IQE event to guest, fix it.
Fixes: c0c1d351849b ("intel_iommu: add 256 bits qi_desc support")
Suggested-by: Yi Liu <yi.l.liu@intel.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Message-Id: <20241104125536.1236118-2-zhenzhong.duan@intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Zhongrui Tang <tangzhongrui_yewu@cmss.chinamobile.com>
---
hw/i386/intel_iommu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index 2f8bcc1557..deb853e1ea 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -2605,6 +2605,7 @@ static void vtd_handle_iqt_write(IntelIOMMUState *s)
if (s->iq_dw && (val & VTD_IQT_QT_256_RSV_BIT)) {
error_report_once("%s: RSV bit is set: val=0x%"PRIx64,
__func__, val);
+ vtd_handle_inv_queue_error(s);
return;
}
s->iq_tail = VTD_IQT_QT(s->iq_dw, val);
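Review bot: the report just above the added call is error_report_once(), so only the first reserved-bit write is ever logged while vtd_handle_inv_queue_error() now runs on every one. If the host-side message is meant to explain why the guest received an invalidation queue error, a trace event at this point would also cover the later occurrences.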
--
2.41.0.windows.1

@ -0,0 +1,82 @@
From 9a09bf2b463cb0b98a71e335c6814143b23b3319 Mon Sep 17 00:00:00 2001
From: Liu Jing <liujing_yewu@cmss.chinamobile.com>
Date: Tue, 22 Oct 2024 04:52:33 +0800
Subject: [PATCH] linux-user: use 'max' instead of 'qemu32' / 'qemu64' by
default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The 'qemu64' CPU model implements the least featureful x86_64 CPU that's
possible. Historically this hasn't been an issue since it was rare for
OS distros to build with a higher mandatory CPU baseline.
With RHEL-9, however, the entire distro is built for the x86_64-v2 ABI
baseline:
https://developers.redhat.com/blog/2021/01/05/building-red-hat-enterprise-linux-9-for-the-x86-64-v2-microarchitecture-level
It is likely that other distros may take similar steps in the not too
distant future. For example, it has been suggested for Fedora on a
number of occasions.
This new baseline is not compatible with the qemu64 CPU model though.
While it is possible to pass a '-cpu xxx' flag to qemu-x86_64, the
usage of QEMU doesn't always allow for this. For example, the args
are typically controlled via binfmt rules that the user has no ability
to change. This impacts users who are trying to use podman on aarch64
platforms, to run containers with x86_64 content. There's no arg to
podman that can be used to change the qemu-x86_64 args, and a non-root
user of podman can not change binfmt rules without elevating privileges:
https://github.com/containers/podman/issues/15456#issuecomment-1228210973
Changing to the 'max' CPU model gives 'qemu-x86_64' maximum
compatibility with binaries it is likely to encounter in the wild,
and not likely to have a significant downside for existing usage.
Most other architectures already use an 'any' CPU model, which is
often mapped to 'max' (or similar) already, rather than the oldest
possible CPU model.
For the sake of consistency the 'i386' architecture is also changed
from using 'qemu32' to 'max'.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220923110413.70593-1-berrange@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
---
linux-user/i386/target_elf.h | 2 +-
linux-user/x86_64/target_elf.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux-user/i386/target_elf.h b/linux-user/i386/target_elf.h
index 1c6142e7da..238a9aba73 100644
--- a/linux-user/i386/target_elf.h
+++ b/linux-user/i386/target_elf.h
@@ -9,6 +9,6 @@
#define I386_TARGET_ELF_H
static inline const char *cpu_get_model(uint32_t eflags)
{
- return "qemu32";
+ return "max";
}
#endif
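Review bot: cpu_get_model() now returns "max" for every i386 user-mode binary, which changes the feature set existing users see and ties it to whatever the running QEMU build implements instead of a fixed model. The commit message argues the downside is small, but nothing in the diff documents the change: a note in the linux-user documentation on how to pin the previous model (-cpu qemu32, or the QEMU_CPU environment variable where the command line is fixed by binfmt rules) would help anyone who depends on a stable feature set. The same applies to the x86_64 hunk that follows.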
diff --git a/linux-user/x86_64/target_elf.h b/linux-user/x86_64/target_elf.h
index 7b76a90de8..3f628f8d66 100644
--- a/linux-user/x86_64/target_elf.h
+++ b/linux-user/x86_64/target_elf.h
@@ -9,6 +9,6 @@
#define X86_64_TARGET_ELF_H
static inline const char *cpu_get_model(uint32_t eflags)
{
- return "qemu64";
+ return "max";
}
#endif
--
2.41.0.windows.1

@ -0,0 +1,42 @@
From ffb4abbc465b344d9e6195a9aac51e2530b13165 Mon Sep 17 00:00:00 2001
From: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
Date: Thu, 17 Oct 2024 13:14:54 +0800
Subject: [PATCH] platform-bus: fix refcount leak
cherry-pick from 99ec7b440a1d6a6ef07450b68687d24d13a25fb5
memory_region_find() returns an MR which it is the caller's
responsibility to unref, but platform_bus_map_mmio() was
forgetting to do so, thus leaking the MR.
Signed-off-by: Gao Shiyuan <gaoshiyuan@baidu.com>
Message-id: 20240829131005.9196-1-gaoshiyuan@baidu.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: tweaked commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
---
hw/core/platform-bus.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/core/platform-bus.c b/hw/core/platform-bus.c
index b8487b26b6..dc58bf505a 100644
--- a/hw/core/platform-bus.c
+++ b/hw/core/platform-bus.c
@@ -145,9 +145,12 @@ static void platform_bus_map_mmio(PlatformBusDevice *pbus, SysBusDevice *sbdev,
* the target device's memory region
*/
for (off = 0; off < pbus->mmio_size; off += alignment) {
- if (!memory_region_find(&pbus->mmio, off, size).mr) {
+ MemoryRegion *mr = memory_region_find(&pbus->mmio, off, size).mr;
+ if (!mr) {
found_region = true;
break;
+ } else {
+ memory_region_unref(mr);
}
}
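Review bot: the else branch after break is redundant. The if body always leaves the loop, so memory_region_unref(mr) can follow the if block unconditionally, which is shorter and avoids an else after a break.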
--
2.41.0.windows.1

@ -3,7 +3,7 @@
Name: qemu
Version: 6.2.0
Release: 102
Release: 103
Epoch: 10
Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -1076,6 +1076,51 @@ Patch1061: target-ppc-Remove-extra-space-from-s128-field-in-ppc.patch
Patch1062: minikconf-print-error-entirely-on-stderr.patch
Patch1063: hw-mips-Build-fw_cfg.c-once.patch
Patch1064: target-ppc-Remove-unused-xer_-macros.patch
Patch1065: configs-Fix-typo-in-the-sh4-softmmu-devices-config-f.patch
Patch1066: intel_iommu-Fix-invalidation-descriptor-type-field.patch
Patch1067: hw-net-e1000e_core-Use-definition-to-avoid-dynamic-s.patch
Patch1068: hw-intc-xics-Avoid-dynamic-stack-allocation.patch
Patch1069: chardev-baum-Replace-magic-values-by-X_MAX-Y_MAX-def.patch
Patch1070: hw-ppc-spapr-Fix-code-style-problems-reported-by-che.patch
Patch1071: hw-i386-multiboot-Avoid-dynamic-stack-allocation.patch
Patch1072: hw-usb-hcd-ohci-Use-definition-to-avoid-dynamic-stac.patch
Patch1073: tests-unit-test-vmstate-Avoid-dynamic-stack-allocati.patch
Patch1074: hcd-ohci-Drop-ohci_service_iso_td-if-ed-head-OHCI_DP.patch
Patch1075: hw-core-ptimer-fix-timer-zero-period-condition-for-f.patch
Patch1076: util-userfaultfd-Remove-unused-uffd_poll_events.patch
Patch1077: tests-avocado-fix-typo-in-replay_linux.patch
Patch1078: hw-net-can-sja1000-fix-bug-for-single-acceptance-fil.patch
Patch1079: hw-net-virtio-net-fix-qemu-set-used-ring-flag-even-v.patch
Patch1080: platform-bus-fix-refcount-leak.patch
Patch1081: edu-fix-DMA-range-upper-bound-check.patch
Patch1082: chardev-char-fix-qemu_chr_is_busy-check.patch
Patch1083: docs-tools-qemu-img.rst-fix-typo-sumarizes.patch
Patch1084: s390-sclp-fix-SCLP-facility-map.patch
Patch1085: ui-vnc-fix-handling-of-VNC_FEATURE_XVP.patch
Patch1086: hw-pci-bridge-Add-a-Kconfig-switch-for-the-normal-PC.patch
Patch1087: acpi-ged-Add-macro-for-acpi-sleep-control-register.patch
Patch1088: acpi-cpuhp-fix-guest-visible-maximum-access-size-to-.patch
Patch1089: intel_iommu-Send-IQE-event-when-setting-reserved-bit.patch
Patch1090: hw-pci-Add-parenthesis-to-PCI_BUILD_BDF-macro.patch
Patch1091: target-ppc-Set-result-to-QNaN-for-DENBCD-when-VXCVI-.patch
Patch1092: target-ppc-Zero-second-doubleword-for-VSX-madd-instr.patch
Patch1093: target-ppc-Set-OV32-when-OV-is-set.patch
Patch1094: target-ppc-Zero-second-doubleword-of-VSR-registers-f.patch
Patch1095: hw-pci-host-pnv_phb-3-4-Fix-heap-out-of-bound-access.patch
Patch1096: block-nvme-nvme_process_completion-fix-bound-for-cid.patch
Patch1097: target-m68k-Implement-atomic-test-and-set.patch
Patch1098: target-m68k-Fix-MACSR-to-CCR.patch
Patch1099: target-m68k-Perform-writback-before-modifying-SR.patch
Patch1100: target-m68k-always-call-gen_exit_tb-after-writes-to-.patch
Patch1101: ui-curses-Avoid-dynamic-stack-allocation.patch
Patch1102: virtiofsd-use-g_date_time_get_microsecond-to-get-sub.patch
Patch1103: s390x-tcg-Fix-opcode-for-lzrf.patch
Patch1104: ui-console-Get-tab-completion-working-again-in-the-S.patch
Patch1105: chardev-baum-Use-definitions-to-avoid-dynamic-stack-.patch
Patch1106: linux-user-use-max-instead-of-qemu32-qemu64-by-defau.patch
Patch1107: intel_iommu-Add-missed-sanity-check-for-256-bit-inva.patch
Patch1108: Introduce-the-SM4-cipher-algorithms-OSCCA-GB-T-32907.patch
BuildRequires: flex
BuildRequires: gcc
@ -1674,6 +1719,52 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
* Sat Nov 30 2024 <fengjiabo1@huawei.com> - 10:6.2.0-103
- Introduce the SM4 cipher algorithms (OSCCA GB/T 32907-2016).
- intel_iommu: Add missed sanity check for 256-bit invalidation queue
- linux-user: use 'max' instead of 'qemu32' / 'qemu64' by default
- chardev/baum: Use definitions to avoid dynamic stack allocation
- ui/console: Get tab completion working again in the SDL monitor vc
- s390x/tcg: Fix opcode for lzrf
- virtiofsd: use g_date_time_get_microsecond to get subsecond
- ui/curses: Avoid dynamic stack allocation
- target/m68k: always call gen_exit_tb() after writes to SR
- target/m68k: Perform writback before modifying SR
- target/m68k: Fix MACSR to CCR
- target/m68k: Implement atomic test-and-set
- block/nvme: nvme_process_completion() fix bound for cid
- hw/pci-host: pnv_phb{3, 4}: Fix heap out-of-bound access failure
- target/ppc: Zero second doubleword of VSR registers for FPR insns
- target/ppc: Set OV32 when OV is set
- target/ppc: Zero second doubleword for VSX madd instructions
- target/ppc: Set result to QNaN for DENBCD when VXCVI occurs
- hw/pci: Add parenthesis to PCI_BUILD_BDF macro
- intel_iommu: Send IQE event when setting reserved bit in IQT_TAIL
- acpi: cpuhp: fix guest-visible maximum access size to the legacy reg block
- acpi: ged: Add macro for acpi sleep control register
- hw/pci-bridge: Add a Kconfig switch for the normal PCI bridge
- ui/vnc: fix handling of VNC_FEATURE_XVP
- s390/sclp: fix SCLP facility map
- docs/tools/qemu-img.rst: fix typo (sumarizes)
- chardev/char: fix qemu_chr_is_busy() check
- edu: fix DMA range upper bound check
- platform-bus: fix refcount leak
- hw/net/virtio-net: fix qemu set used ring flag even vhost started
- hw/net/can/sja1000: fix bug for single acceptance filter and standard frame
- tests/avocado: fix typo in replay_linux
- util/userfaultfd: Remove unused uffd_poll_events
- hw/core/ptimer: fix timer zero period condition for freq > 1GHz
- hcd-ohci: Drop ohci_service_iso_td() if ed->head & OHCI_DPTR_MASK is zero
- tests/unit/test-vmstate: Avoid dynamic stack allocation
- hw/usb/hcd-ohci: Use definition to avoid dynamic stack allocation
- hw/i386/multiboot: Avoid dynamic stack allocation
- hw/ppc/spapr: Fix code style problems reported by checkpatch
- chardev/baum: Replace magic values by X_MAX / Y_MAX definitions
- hw/intc/xics: Avoid dynamic stack allocation
- hw/net/e1000e_core: Use definition to avoid dynamic stack allocation
- intel_iommu: Fix invalidation descriptor type field
- configs: Fix typo in the sh4-softmmu devices config file
* Sat Nov 30 2024 <fengjiabo1@huawei.com> - 10:6.2.0-102
- target/ppc: Remove unused xer_* macros
- hw/mips: Build fw_cfg.c once

@ -0,0 +1,43 @@
From 0fe9c678645699c5dd27f60d5110d4da43e9db00 Mon Sep 17 00:00:00 2001
From: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
Date: Mon, 21 Oct 2024 14:16:42 +0800
Subject: [PATCH] s390/sclp: fix SCLP facility map
cherry-pick from 81f993828bce9a9afd72da17b7672cb8bd121e63
Qemu's SCLP implementation incorrectly reports that it supports CPU
reconfiguration. If a guest issues a CPU reconfiguration request it
is rejected as invalid command.
Fix the SCLP_HAS_CPU_INFO mask, and remove the unused
SCLP_CMDW_CONFIGURE_CPU and SCLP_CMDW_DECONFIGURE_CPU defines.
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Message-ID: <20231024100703.929679-1-hca@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
---
include/hw/s390x/sclp.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/include/hw/s390x/sclp.h b/include/hw/s390x/sclp.h
index d3ade40a5a..a170ee5d71 100644
--- a/include/hw/s390x/sclp.h
+++ b/include/hw/s390x/sclp.h
@@ -38,10 +38,8 @@
#define MAX_STORAGE_INCREMENTS 1020
/* CPU hotplug SCLP codes */
-#define SCLP_HAS_CPU_INFO 0x0C00000000000000ULL
+#define SCLP_HAS_CPU_INFO 0x0800000000000000ULL
#define SCLP_CMDW_READ_CPU_INFO 0x00010001
-#define SCLP_CMDW_CONFIGURE_CPU 0x00110001
-#define SCLP_CMDW_DECONFIGURE_CPU 0x00100001
/* SCLP PCI codes */
#define SCLP_HAS_IOA_RECONFIG 0x0000000040000000ULL
--
2.41.0.windows.1

@ -0,0 +1,37 @@
From 2a966471139fff8fd01afb1bfa2bfbc9e65ed9ff Mon Sep 17 00:00:00 2001
From: Liu Jing <liujing_yewu@cmss.chinamobile.com>
Date: Tue, 22 Oct 2024 04:16:57 +0800
Subject: [PATCH] s390x/tcg: Fix opcode for lzrf
Fix the opcode for Load and Zero Rightmost Byte (32).
Fixes: c2a5c1d718ea ("target/s390x: Implement load-and-zero-rightmost-byte insns")
Reported-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Cc: qemu-stable@nongnu.org
Message-Id: <20220914105750.767697-1-borntraeger@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
---
target/s390x/tcg/insn-data.def | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/s390x/tcg/insn-data.def b/target/s390x/tcg/insn-data.def
index 3e5594210c..149f2577be 100644
--- a/target/s390x/tcg/insn-data.def
+++ b/target/s390x/tcg/insn-data.def
@@ -463,7 +463,7 @@
C(0xe39f, LAT, RXY_a, LAT, 0, m2_32u, r1, 0, lat, 0)
C(0xe385, LGAT, RXY_a, LAT, 0, a2, r1, 0, lgat, 0)
/* LOAD AND ZERO RIGHTMOST BYTE */
- C(0xe3eb, LZRF, RXY_a, LZRB, 0, m2_32u, new, r1_32, lzrb, 0)
+ C(0xe33b, LZRF, RXY_a, LZRB, 0, m2_32u, new, r1_32, lzrb, 0)
C(0xe32a, LZRG, RXY_a, LZRB, 0, m2_64, r1, 0, lzrb, 0)
/* LOAD LOGICAL AND ZERO RIGHTMOST BYTE */
C(0xe33a, LLZRGF, RXY_a, LZRB, 0, m2_32u, r1, 0, lzrb, 0)
--
2.41.0.windows.1

@ -0,0 +1,38 @@
From 82293e21ded10ebdbd0efae9f9ef090f1fc62705 Mon Sep 17 00:00:00 2001
From: Liu Jing <liujing_yewu@cmss.chinamobile.com>
Date: Mon, 21 Oct 2024 19:15:42 +0800
Subject: [PATCH] target/m68k: Fix MACSR to CCR
First, we were writing to the entire SR register, instead
of only the flags portion. Second, we were not clearing C
as per the documentation (X was cleared via the 0xf mask).
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <20220913142818.7802-2-richard.henderson@linaro.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
---
target/m68k/translate.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/target/m68k/translate.c b/target/m68k/translate.c
index af43c8eab8..657f663fbe 100644
--- a/target/m68k/translate.c
+++ b/target/m68k/translate.c
@@ -5809,8 +5809,10 @@ DISAS_INSN(from_mext)
DISAS_INSN(macsr_to_ccr)
{
TCGv tmp = tcg_temp_new();
- tcg_gen_andi_i32(tmp, QREG_MACSR, 0xf);
- gen_helper_set_sr(cpu_env, tmp);
+
+ /* Note that X and C are always cleared. */
+ tcg_gen_andi_i32(tmp, QREG_MACSR, CCF_N | CCF_Z | CCF_V);
+ gen_helper_set_ccr(cpu_env, tmp);
tcg_temp_free(tmp);
set_cc_op(s, CC_OP_FLAGS);
}
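Review bot: masking QREG_MACSR with CCF_N | CCF_Z | CCF_V is only correct if the MACSR N, Z and V flags sit at the same bit positions as the CCR ones. The old 0xf mask suggests the flags live in the low nibble, but the new comment only says that X and C are cleared; it should also state that the remaining positions match.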
--
2.41.0.windows.1

@ -0,0 +1,74 @@
From ea7c41f4146774298ed8210e2cc3e28f7d610675 Mon Sep 17 00:00:00 2001
From: Liu Jing <liujing_yewu@cmss.chinamobile.com>
Date: Mon, 21 Oct 2024 19:03:19 +0800
Subject: [PATCH] target/m68k: Implement atomic test-and-set
This is slightly more complicated than cas,
because tas is allowed on data registers.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <20220829051746.227094-1-richard.henderson@linaro.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
---
target/m68k/translate.c | 40 ++++++++++++++++++++++++++++++----------
1 file changed, 30 insertions(+), 10 deletions(-)
diff --git a/target/m68k/translate.c b/target/m68k/translate.c
index af43c8eab8..3a7c4c5231 100644
--- a/target/m68k/translate.c
+++ b/target/m68k/translate.c
@@ -2809,19 +2809,39 @@ DISAS_INSN(illegal)
gen_exception(s, s->base.pc_next, EXCP_ILLEGAL);
}
-/* ??? This should be atomic. */
DISAS_INSN(tas)
{
- TCGv dest;
- TCGv src1;
- TCGv addr;
+ int mode = extract32(insn, 3, 3);
+ int reg0 = REG(insn, 0);
- dest = tcg_temp_new();
- SRC_EA(env, src1, OS_BYTE, 1, &addr);
- gen_logic_cc(s, src1, OS_BYTE);
- tcg_gen_ori_i32(dest, src1, 0x80);
- DEST_EA(env, insn, OS_BYTE, dest, &addr);
- tcg_temp_free(dest);
+ if (mode == 0) {
+ /* data register direct */
+ TCGv dest = cpu_dregs[reg0];
+ gen_logic_cc(s, dest, OS_BYTE);
+ tcg_gen_ori_tl(dest, dest, 0x80);
+ } else {
+ TCGv src1, addr;
+
+ addr = gen_lea_mode(env, s, mode, reg0, OS_BYTE);
+ if (IS_NULL_QREG(addr)) {
+ gen_addr_fault(s);
+ return;
+ }
+ src1 = tcg_temp_new();
+ tcg_gen_atomic_fetch_or_tl(src1, addr, tcg_constant_tl(0x80),
+ IS_USER(s), MO_SB);
+ gen_logic_cc(s, src1, OS_BYTE);
+ tcg_temp_free(src1);
+
+ switch (mode) {
+ case 3: /* Indirect postincrement. */
+ tcg_gen_addi_i32(AREG(insn, 0), addr, 1);
+ break;
+ case 4: /* Indirect predecrememnt. */
+ tcg_gen_mov_i32(AREG(insn, 0), addr);
+ break;
+ }
+ }
}
DISAS_INSN(mull)
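Review bot: the switch (mode) in the memory path has no default case, so the reader has to infer that the other addressing modes need no address-register update; add default: break; or a comment saying so. The case 4 comment also misspells predecrement ("predecrememnt").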
--
2.41.0.windows.1

@ -0,0 +1,49 @@
From 364efd620bb9b6003a2b65fe7ea56b640a209be4 Mon Sep 17 00:00:00 2001
From: Liu Jing <liujing_yewu@cmss.chinamobile.com>
Date: Mon, 21 Oct 2024 19:22:03 +0800
Subject: [PATCH] target/m68k: Perform writback before modifying SR
Writes to SR may change security state, which may involve
a swap of %ssp with %usp as reflected in %a7. Finish the
writeback of %sp@+ before swapping stack pointers.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1206
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20220913142818.7802-3-richard.henderson@linaro.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
---
target/m68k/translate.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/target/m68k/translate.c b/target/m68k/translate.c
index af43c8eab8..6cc4321921 100644
--- a/target/m68k/translate.c
+++ b/target/m68k/translate.c
@@ -2269,9 +2269,9 @@ static void gen_set_sr_im(DisasContext *s, uint16_t val, int ccr_only)
tcg_gen_movi_i32(QREG_CC_N, val & CCF_N ? -1 : 0);
tcg_gen_movi_i32(QREG_CC_X, val & CCF_X ? 1 : 0);
} else {
- TCGv sr = tcg_const_i32(val);
- gen_helper_set_sr(cpu_env, sr);
- tcg_temp_free(sr);
+ /* Must writeback before changing security state. */
+ do_writebacks(s);
+ gen_helper_set_sr(cpu_env, tcg_constant_i32(val));
}
set_cc_op(s, CC_OP_FLAGS);
}
@@ -2281,6 +2281,8 @@ static void gen_set_sr(DisasContext *s, TCGv val, int ccr_only)
if (ccr_only) {
gen_helper_set_ccr(cpu_env, val);
} else {
+ /* Must writeback before changing security state. */
+ do_writebacks(s);
gen_helper_set_sr(cpu_env, val);
}
set_cc_op(s, CC_OP_FLAGS);
--
2.41.0.windows.1

@ -0,0 +1,61 @@
From 0338db7f0f42f68b709ad6bbd79e471292b32baf Mon Sep 17 00:00:00 2001
From: Liu Jing <liujing_yewu@cmss.chinamobile.com>
Date: Mon, 21 Oct 2024 19:32:15 +0800
Subject: [PATCH] target/m68k: always call gen_exit_tb() after writes to SR
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Any write to SR can change the security state so always call gen_exit_tb() when
this occurs. In particular MacOS makes use of andiw/oriw in a few places to
handle the switch between user and supervisor mode.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20220917112515.83905-5-mark.cave-ayland@ilande.co.uk>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
---
target/m68k/translate.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/target/m68k/translate.c b/target/m68k/translate.c
index 6cc4321921..9e465272ea 100644
--- a/target/m68k/translate.c
+++ b/target/m68k/translate.c
@@ -2359,6 +2359,7 @@ DISAS_INSN(arith_im)
tcg_gen_or_i32(dest, src1, im);
if (with_SR) {
gen_set_sr(s, dest, opsize == OS_BYTE);
+ gen_exit_tb(s);
} else {
DEST_EA(env, insn, opsize, dest, &addr);
gen_logic_cc(s, dest, opsize);
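Review bot: gen_exit_tb(s) is added unconditionally inside if (with_SR), but the line before it passes opsize == OS_BYTE as ccr_only, and a CCR-only write goes through gen_helper_set_ccr() and does not touch the rest of SR. Guarding the call, for example if (opsize != OS_BYTE) { gen_exit_tb(s); }, would avoid ending the translation block on every immediate write to CCR. The same applies to the and and xor cases in the next two hunks.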
@@ -2368,6 +2369,7 @@ DISAS_INSN(arith_im)
tcg_gen_and_i32(dest, src1, im);
if (with_SR) {
gen_set_sr(s, dest, opsize == OS_BYTE);
+ gen_exit_tb(s);
} else {
DEST_EA(env, insn, opsize, dest, &addr);
gen_logic_cc(s, dest, opsize);
@@ -2391,6 +2393,7 @@ DISAS_INSN(arith_im)
tcg_gen_xor_i32(dest, src1, im);
if (with_SR) {
gen_set_sr(s, dest, opsize == OS_BYTE);
+ gen_exit_tb(s);
} else {
DEST_EA(env, insn, opsize, dest, &addr);
gen_logic_cc(s, dest, opsize);
@@ -4594,6 +4597,7 @@ DISAS_INSN(strldsr)
}
gen_push(s, gen_get_sr(s));
gen_set_sr_im(s, ext, 0);
+ gen_exit_tb(s);
}
DISAS_INSN(move_from_sr)
--
2.41.0.windows.1

@ -0,0 +1,43 @@
From 6381854884f45d24fb67dca13519935e30642f48 Mon Sep 17 00:00:00 2001
From: Liu Jing <liujing_yewu@cmss.chinamobile.com>
Date: Mon, 14 Oct 2024 16:07:54 +0800
Subject: [PATCH] target/ppc: Set OV32 when OV is set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
According to PowerISA: "OV32 is set whenever OV is implicitly set, and
is set to the same value that OV is defined to be set to in 32-bit
mode".
This patch changes helper_update_ov_legacy to set/clear ov32 when
applicable.
Signed-off-by: Víctor Colombo <victor.colombo@eldorado.org.br>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20220906125523.38765-7-victor.colombo@eldorado.org.br>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
---
target/ppc/int_helper.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/target/ppc/int_helper.c b/target/ppc/int_helper.c
index 9bc327bcba..b577b43f4c 100644
--- a/target/ppc/int_helper.c
+++ b/target/ppc/int_helper.c
@@ -36,9 +36,9 @@
static inline void helper_update_ov_legacy(CPUPPCState *env, int ov)
{
if (unlikely(ov)) {
- env->so = env->ov = 1;
+ env->so = env->ov = env->ov32 = 1;
} else {
- env->ov = 0;
+ env->ov = env->ov32 = 0;
}
}
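Review bot: ov32 is set to the same value as ov in both branches, while the ISA text quoted in the commit message defines OV32 as the value OV would take in 32-bit mode. The two are equivalent only if every caller of helper_update_ov_legacy() computes ov in a way that does not depend on the mode; a comment stating that assumption would make the helper safe to reuse.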
--
2.41.0.windows.1

@ -0,0 +1,84 @@
From 05cee5f46432c4eb9774b53d014c5799bd924b8d Mon Sep 17 00:00:00 2001
From: Liu Jing <liujing_yewu@cmss.chinamobile.com>
Date: Mon, 14 Oct 2024 15:54:33 +0800
Subject: [PATCH] target/ppc: Set result to QNaN for DENBCD when VXCVI occurs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
According to the ISA, for instruction DENBCD:
"If an invalid BCD digit or sign code is detected in the source
operand, an invalid-operation exception (VXCVI) occurs."
In the Invalid Operation Exception section, there is the situation:
"When Invalid Operation Exception is disabled (VE=0) and Invalid
Operation occurs (...) If the operation is an (...) or format the
target FPR is set to a Quiet NaN". This was not being done in
QEMU.
This patch sets the result to QNaN when the instruction DENBCD causes
an Invalid Operation Exception.
Signed-off-by: Víctor Colombo <victor.colombo@eldorado.org.br>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20220906125523.38765-5-victor.colombo@eldorado.org.br>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
---
target/ppc/dfp_helper.c | 26 ++++++++++++++++++++++++--
1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/target/ppc/dfp_helper.c b/target/ppc/dfp_helper.c
index 0d01ac3de0..0398b3a50e 100644
--- a/target/ppc/dfp_helper.c
+++ b/target/ppc/dfp_helper.c
@@ -1144,6 +1144,26 @@ static inline uint8_t dfp_get_bcd_digit_128(ppc_vsr_t *t, unsigned n)
return t->VsrD((n & 0x10) ? 0 : 1) >> ((n << 2) & 63) & 15;
}
+static inline void dfp_invalid_op_vxcvi_64(struct PPC_DFP *dfp)
+{
+ /* TODO: fpscr is incorrectly not being saved to env */
+ dfp_set_FPSCR_flag(dfp, FP_VX | FP_VXCVI, FPSCR_VE);
+ if ((dfp->env->fpscr & FP_VE) == 0) {
+ dfp->vt.VsrD(1) = 0x7c00000000000000; /* QNaN */
+ }
+}
+
+
+static inline void dfp_invalid_op_vxcvi_128(struct PPC_DFP *dfp)
+{
+ /* TODO: fpscr is incorrectly not being saved to env */
+ dfp_set_FPSCR_flag(dfp, FP_VX | FP_VXCVI, FPSCR_VE);
+ if ((dfp->env->fpscr & FP_VE) == 0) {
+ dfp->vt.VsrD(0) = 0x7c00000000000000; /* QNaN */
+ dfp->vt.VsrD(1) = 0x0;
+ }
+}
+
#define DFP_HELPER_ENBCD(op, size) \
void helper_##op(CPUPPCState *env, ppc_fprp_t *t, ppc_fprp_t *b, \
uint32_t s) \
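Review bot: dfp_invalid_op_vxcvi_64 and dfp_invalid_op_vxcvi_128 both carry the TODO "fpscr is incorrectly not being saved to env" and then immediately test dfp->env->fpscr & FP_VE, so the decision to write the QNaN rests on state the TODO describes as not properly synchronised. Please either resolve the TODO or extend the comment to say why reading FP_VE from env is still correct. The literal 0x7c00000000000000 appears twice and would read better as a named constant, and there is a stray double blank line between the two helpers.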
@@ -1170,7 +1190,8 @@ void helper_##op(CPUPPCState *env, ppc_fprp_t *t, ppc_fprp_t *b, \
sgn = 0; \
break; \
default: \
- dfp_set_FPSCR_flag(&dfp, FP_VX | FP_VXCVI, FPSCR_VE); \
+ dfp_invalid_op_vxcvi_##size(&dfp); \
+ set_dfp##size(t, &dfp.vt); \
return; \
} \
} \
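Review bot: In the invalid sign-code path (the default: case), set_dfp##size(t, &dfp.vt) runs unconditionally, but the helper writes the QNaN into dfp.vt only when FP_VE is clear. With VE set, t is therefore overwritten with whatever dfp.vt held at that point. The commit message quotes only the VE=0 behaviour, so please confirm what the target register should hold when the exception is enabled, and guard the writeback if it must stay unchanged.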
@@ -1180,7 +1201,8 @@ void helper_##op(CPUPPCState *env, ppc_fprp_t *t, ppc_fprp_t *b, \
digits[(size) / 4 - n] = dfp_get_bcd_digit_##size(&dfp.vb, \
offset++); \
if (digits[(size) / 4 - n] > 10) { \
- dfp_set_FPSCR_flag(&dfp, FP_VX | FP_VXCVI, FPSCR_VE); \
+ dfp_invalid_op_vxcvi_##size(&dfp); \
+ set_dfp##size(t, &dfp.vt); \
return; \
} else { \
nonzero |= (digits[(size) / 4 - n] > 0); \
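Review bot: The unchanged guard in this hunk is `if (digits[(size) / 4 - n] > 10)`, which lets a nibble value of 10 (0xA) through as a digit even though valid BCD digits are 0 to 9, so that input never reaches the new dfp_invalid_op_vxcvi_##size call. If that is not intentional, the comparison should be `> 9`, and a test case with an 0xA digit would pin the behaviour down.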
--
2.41.0.windows.1

@ -0,0 +1,41 @@
From 8a7cee2fcf1520efea6103ab67e34b5fdc4a44fa Mon Sep 17 00:00:00 2001
From: Liu Jing <liujing_yewu@cmss.chinamobile.com>
Date: Mon, 14 Oct 2024 16:01:16 +0800
Subject: [PATCH] target/ppc: Zero second doubleword for VSX madd instructions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In 205eb5a89e we updated most VSX instructions to zero the
second doubleword, as is requested by PowerISA since v3.1.
However, VSX_MADD helper was left behind unchanged, while it
is also affected and should be fixed as well.
This patch applies the fix for MADD instructions.
Fixes: 205eb5a89e ("target/ppc: Change VSX instructions behavior to fill with zeros")
Signed-off-by: Víctor Colombo <victor.colombo@eldorado.org.br>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20220906125523.38765-6-victor.colombo@eldorado.org.br>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
---
target/ppc/fpu_helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
index c4896cecc8..4e34cc2a3f 100644
--- a/target/ppc/fpu_helper.c
+++ b/target/ppc/fpu_helper.c
@@ -2086,7 +2086,7 @@ VSX_TSQRT(xvtsqrtsp, 4, float32, VsrW(i), -126, 23)
void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \
ppc_vsr_t *xa, ppc_vsr_t *b, ppc_vsr_t *c) \
{ \
- ppc_vsr_t t = *xt; \
+ ppc_vsr_t t = { }; \
int i; \
\
helper_reset_fpstatus(env); \
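Review bot: Replacing `ppc_vsr_t t = *xt;` with `ppc_vsr_t t = { };` means any lane the loop does not write now reads back as zero instead of the old target contents, and nothing in the macro says this is deliberate. A short comment next to the initializer (zero fill required by PowerISA v3.1, per the commit message) would stop a later cleanup from restoring the copy. Please also confirm that the macro body takes its operands only from xa, b and c and never reads t before writing it, since such a read would now see zero.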
--
2.41.0.windows.1

@ -0,0 +1,47 @@
From bdaf1aecc24fcb74424b00f2fcfe28992aa2e30a Mon Sep 17 00:00:00 2001
From: Liu Jing <liujing_yewu@cmss.chinamobile.com>
Date: Mon, 14 Oct 2024 16:14:28 +0800
Subject: [PATCH] target/ppc: Zero second doubleword of VSR registers for FPR
insns
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
FPR registers are mapped to the first doubleword of the VSR registers.
Since PowerISA v3.1, the second doubleword of the target register
must be zeroed for FP instructions.
This patch does it by writing 0 to the second dw every time the
first dw is being written using set_fpr.
Signed-off-by: Víctor Colombo <victor.colombo@eldorado.org.br>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20220906125523.38765-8-victor.colombo@eldorado.org.br>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
---
target/ppc/translate.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/target/ppc/translate.c b/target/ppc/translate.c
index 9960df6e18..153552ab50 100644
--- a/target/ppc/translate.c
+++ b/target/ppc/translate.c
@@ -7290,6 +7290,14 @@ static inline void get_fpr(TCGv_i64 dst, int regno)
static inline void set_fpr(int regno, TCGv_i64 src)
{
tcg_gen_st_i64(src, cpu_env, fpr_offset(regno));
+ /*
+ * Before PowerISA v3.1 the result of doubleword 1 of the VSR
+ * corresponding to the target FPR was undefined. However,
+ * most (if not all) real hardware were setting the result to 0.
+ * Starting at ISA v3.1, the result for doubleword 1 is now defined
+ * to be 0.
+ */
+ tcg_gen_st_i64(tcg_constant_i64(0), cpu_env, vsr64_offset(regno, false));
}
static inline void get_avr64(TCGv_i64 dst, int regno, bool high)
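Review bot: The second tcg_gen_st_i64 in set_fpr is emitted for every FPR write on every CPU model, including ones that predate ISA v3.1. The comment justifies that by real-hardware behaviour, which is fine, but the bare `false` passed to vsr64_offset(regno, false) does not tell the reader which doubleword is being cleared. Please tie it to the "doubleword 1" wording of the comment, or annotate the argument, so the store can be checked against fpr_offset(regno) on the line above.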
--
2.41.0.windows.1

@ -0,0 +1,36 @@
From 91aff32c821c74267c78462fdf36bce6017a3947 Mon Sep 17 00:00:00 2001
From: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
Date: Thu, 17 Oct 2024 10:40:12 +0800
Subject: [PATCH] tests/avocado: fix typo in replay_linux
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cherry-pick from 2d8508bbab39bf342fe80e73c0b528eb3960fa37
Reviewed-by: Pavel Dovgalyuk <Pavel.Dovgalyuk@ispras.ru>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20231211091346.14616-3-alex.bennee@linaro.org>
Signed-off-by: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
---
tests/avocado/replay_linux.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/avocado/replay_linux.py b/tests/avocado/replay_linux.py
index 897d5bad19..e2ee35a7f3 100644
--- a/tests/avocado/replay_linux.py
+++ b/tests/avocado/replay_linux.py
@@ -83,7 +83,7 @@ def launch_and_wait(self, record, args, shift):
else:
vm.event_wait('SHUTDOWN', self.timeout)
vm.wait()
- logger.info('successfully fihished the replay')
+ logger.info('successfully finished the replay')
elapsed = time.time() - start_time
logger.info('elapsed time %.2f sec' % elapsed)
return elapsed
--
2.41.0.windows.1

@ -0,0 +1,53 @@
From 8c7bdb086c3417e73bcda56a317ca2586ccd2116 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Sat, 12 Oct 2024 09:38:31 +0000
Subject: [PATCH] tests/unit/test-vmstate: Avoid dynamic stack allocation
mainline inclusion commit 972d325a8dc855aa3817d0df9e09fd556a0449f7 category:
bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
Use autofree heap allocation instead of variable-length
array on the stack.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220819153931.3147384-12-peter.maydell@linaro.org
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
tests/unit/test-vmstate.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/tests/unit/test-vmstate.c b/tests/unit/test-vmstate.c
index ac47f0a44b..91879ad2d4 100644
--- a/tests/unit/test-vmstate.c
+++ b/tests/unit/test-vmstate.c
@@ -88,17 +88,16 @@ static void save_buffer(const uint8_t *buf, size_t buf_size)
static void compare_vmstate(const uint8_t *wire, size_t size)
{
QEMUFile *f = open_test_file(false);
- uint8_t result[size];
+ g_autofree uint8_t *result = g_malloc(size);
/* read back as binary */
- g_assert_cmpint(qemu_get_buffer(f, result, sizeof(result)), ==,
- sizeof(result));
+ g_assert_cmpint(qemu_get_buffer(f, result, size), ==, size);
g_assert(!qemu_file_get_error(f));
/* Compare that what is on the file is the same that what we
expected to be there */
- SUCCESS(memcmp(result, wire, sizeof(result)));
+ SUCCESS(memcmp(result, wire, size));
/* Must reach EOF */
qemu_get_byte(f);
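Review bot: With `g_autofree uint8_t *result = g_malloc(size);` a size of 0 yields a NULL result (g_malloc returns NULL for zero bytes), and that pointer is then passed to qemu_get_buffer and memcmp. If compare_vmstate can ever be called with an empty wire buffer, add `g_assert(size > 0)` or an early return. Minor: the read-length check compares two size_t values with g_assert_cmpint; g_assert_cmpuint fits the types better.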
--
2.41.0.windows.1

@ -0,0 +1,47 @@
From b3703fa43dff0c9059bef2c0c2ce1f1b09b12ca7 Mon Sep 17 00:00:00 2001
From: Liu Jing <liujing_yewu@cmss.chinamobile.com>
Date: Tue, 22 Oct 2024 04:26:00 +0800
Subject: [PATCH] ui/console: Get tab completion working again in the SDL
monitor vc
Define a QEMU special key constant for the tab key and add an entry for
it in the qcode_to_keysym table. This allows tab completion to work again
in the SDL monitor virtual console, which has been broken ever since the
migration from SDL1 to SDL2.
Signed-off-by: Cal Peake <cp@absolutedigital.net>
Message-Id: <7054816e-99c-7e2-6737-7cf98cc56e2@absolutedigital.net>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
---
include/ui/console.h | 1 +
ui/console.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/include/ui/console.h b/include/ui/console.h
index 6d678924f6..407efaf5e3 100644
--- a/include/ui/console.h
+++ b/include/ui/console.h
@@ -70,6 +70,7 @@ void hmp_mouse_set(Monitor *mon, const QDict *qdict);
/* keysym is a unicode code except for special keys (see QEMU_KEY_xxx
constants) */
#define QEMU_KEY_ESC1(c) ((c) | 0xe100)
+#define QEMU_KEY_TAB 0x0009
#define QEMU_KEY_BACKSPACE 0x007f
#define QEMU_KEY_UP QEMU_KEY_ESC1('A')
#define QEMU_KEY_DOWN QEMU_KEY_ESC1('B')
diff --git a/ui/console.c b/ui/console.c
index d22c3def20..28770bacd1 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -1187,6 +1187,7 @@ static const int qcode_to_keysym[Q_KEY_CODE__MAX] = {
[Q_KEY_CODE_PGUP] = QEMU_KEY_PAGEUP,
[Q_KEY_CODE_PGDN] = QEMU_KEY_PAGEDOWN,
[Q_KEY_CODE_DELETE] = QEMU_KEY_DELETE,
+ [Q_KEY_CODE_TAB] = QEMU_KEY_TAB,
[Q_KEY_CODE_BACKSPACE] = QEMU_KEY_BACKSPACE,
};
--
2.41.0.windows.1

@ -0,0 +1,36 @@
From 6c3d7f8453cf7f18eed0c605ba2a7911caf9714b Mon Sep 17 00:00:00 2001
From: Liu Jing <liujing_yewu@cmss.chinamobile.com>
Date: Tue, 22 Oct 2024 03:47:05 +0800
Subject: [PATCH] ui/curses: Avoid dynamic stack allocation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use autofree heap allocation instead of variable-length
array on the stack.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220819153931.3147384-11-peter.maydell@linaro.org
Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
---
ui/curses.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/curses.c b/ui/curses.c
index 861d63244c..de962faa7c 100644
--- a/ui/curses.c
+++ b/ui/curses.c
@@ -69,7 +69,7 @@ static void curses_update(DisplayChangeListener *dcl,
int x, int y, int w, int h)
{
console_ch_t *line;
- cchar_t curses_line[width];
+ g_autofree cchar_t *curses_line = g_new(cchar_t, width);
wchar_t wch[CCHARW_MAX];
attr_t attrs;
short colors;
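Review bot: The new buffer is sized by `width`, which is not one of curses_update's parameters (x, y, w, h), so the bound that protects curses_line comes from state outside this function. Please add a comment or an assertion tying the column range the function walks to `width`, so the heap buffer cannot be indexed past its end. The change also allocates and frees on every display update; if that shows up in profiles, a buffer kept alongside the screen state would avoid it.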
--
2.41.0.windows.1

@ -0,0 +1,42 @@
From e6a8d11ec3fed5127626b0ed41546373ca84bf16 Mon Sep 17 00:00:00 2001
From: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
Date: Wed, 23 Oct 2024 09:36:06 +0800
Subject: [PATCH] ui/vnc: fix handling of VNC_FEATURE_XVP
cherry-pick from 477b301000d665313217f65e3a368d2cb7769c42
VNC_FEATURE_XVP was not shifted left before adding it to vs->features,
so it was never enabled; but it was also checked the wrong way with
a logical AND instead of vnc_has_feature. Fix both places.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
---
ui/vnc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ui/vnc.c b/ui/vnc.c
index 667db3b990..c72de81053 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2221,7 +2221,7 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
break;
case VNC_ENCODING_XVP:
if (vs->vd->power_control) {
- vs->features |= VNC_FEATURE_XVP;
+ vs->features |= VNC_FEATURE_XVP_MASK;
send_xvp_message(vs, VNC_XVP_CODE_INIT);
}
break;
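Review bot: The bug fixed in set_encodings exists because VNC_FEATURE_XVP (a bit index) and VNC_FEATURE_XVP_MASK (the shifted bit) are both plain integers that compile in either position. Since this flag decides whether client XVP messages are accepted when vs->vd->power_control is on, consider setting features through a small helper that takes the index, mirroring vnc_has_feature on the read side, so the un-shifted name cannot be OR-ed into vs->features again.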
@@ -2475,7 +2475,7 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
break;
case VNC_MSG_CLIENT_XVP:
- if (!(vs->features & VNC_FEATURE_XVP)) {
+ if (!vnc_has_feature(vs, VNC_FEATURE_XVP)) {
error_report("vnc: xvp client message while disabled");
vnc_client_error(vs);
break;
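Review bot: The old test `!(vs->features & VNC_FEATURE_XVP)` in the VNC_MSG_CLIENT_XVP case treated the bit index as a mask, so whether the message was accepted depended on unrelated feature bits rather than on XVP having been negotiated. Please grep ui/vnc.c for any remaining direct `vs->features &` tests against un-suffixed VNC_FEATURE_* names, and add a test that sends a client XVP message without the XVP encoding and expects the "xvp client message while disabled" error.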
--
2.41.0.windows.1

@ -0,0 +1,70 @@
From 9c262dccf8329c646f09ea53b6423a641abf7e80 Mon Sep 17 00:00:00 2001
From: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
Date: Thu, 17 Oct 2024 09:36:03 +0800
Subject: [PATCH] util/userfaultfd: Remove unused uffd_poll_events
cherry-pick from ccf6b78275816c9dec84d3a40e9aa3b6ba6ebc06
uffd_poll_events has been unused since it was added; it's also
just a wrapper around a plain old poll call, so doesn't add anything.
Signed-off-by: Dr. David Alan Gilbert <dave@treblig.org>
Reviewed-by: Peter Xu <peterx@redhat.com>
Link: https://lore.kernel.org/r/20240919134626.166183-8-dave@treblig.org
Signed-off-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Zhang Jiao <zhangjiao2_yewu@cmss.chinamobile.com>
---
include/qemu/userfaultfd.h | 1 -
util/userfaultfd.c | 28 ----------------------------
2 files changed, 29 deletions(-)
diff --git a/include/qemu/userfaultfd.h b/include/qemu/userfaultfd.h
index 6b74f92792..99831c052d 100644
--- a/include/qemu/userfaultfd.h
+++ b/include/qemu/userfaultfd.h
@@ -30,6 +30,5 @@ int uffd_copy_page(int uffd_fd, void *dst_addr, void *src_addr,
int uffd_zero_page(int uffd_fd, void *addr, uint64_t length, bool dont_wake);
int uffd_wakeup(int uffd_fd, void *addr, uint64_t length);
int uffd_read_events(int uffd_fd, struct uffd_msg *msgs, int count);
-bool uffd_poll_events(int uffd_fd, int tmo);
#endif /* USERFAULTFD_H */
diff --git a/util/userfaultfd.c b/util/userfaultfd.c
index f1cd6af2b1..50d9246287 100644
--- a/util/userfaultfd.c
+++ b/util/userfaultfd.c
@@ -315,31 +315,3 @@ int uffd_read_events(int uffd_fd, struct uffd_msg *msgs, int count)
return (int) (res / sizeof(struct uffd_msg));
}
-
-/**
- * uffd_poll_events: poll UFFD file descriptor for read
- *
- * Returns true if events are available for read, false otherwise
- *
- * @uffd_fd: UFFD file descriptor
- * @tmo: timeout value
- */
-bool uffd_poll_events(int uffd_fd, int tmo)
-{
- int res;
- struct pollfd poll_fd = { .fd = uffd_fd, .events = POLLIN, .revents = 0 };
-
- do {
- res = poll(&poll_fd, 1, tmo);
- } while (res < 0 && errno == EINTR);
-
- if (res == 0) {
- return false;
- }
- if (res < 0) {
- error_report("uffd_poll_events() failed: errno=%i", errno);
- return false;
- }
-
- return (poll_fd.revents & POLLIN) != 0;
-}
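Review bot: The deleted uffd_poll_events used poll(), struct pollfd, POLLIN and error_report() in util/userfaultfd.c. If it was the only user, the corresponding #include lines are now dead and should be dropped in the same patch; if other functions in the file still need them, a line in the commit message saying so would save the next reader the check.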
--
2.41.0.windows.1

@ -0,0 +1,53 @@
From f6952f558b09aeafc6fd51e6b319f0e69c83981f Mon Sep 17 00:00:00 2001
From: Liu Jing <liujing_yewu@cmss.chinamobile.com>
Date: Tue, 22 Oct 2024 04:06:30 +0800
Subject: [PATCH] virtiofsd: use g_date_time_get_microsecond to get subsecond
The "%f" specifier in g_date_time_format() is only available in glib
2.65.2 or later. If combined with older glib, the function returns null
and the timestamp is displayed as "(null)".
For backward compatibility, g_date_time_get_microsecond should be used
to retrieve subsecond.
In this patch the g_date_time_format() leaves the subsecond field as "%06d"
and lets the next snprintf format it with g_date_time_get_microsecond.
Signed-off-by: Yusuke Okada <okada.yusuke@jp.fujitsu.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 20220818184618.2205172-1-yokada.996@gmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Liu Jing <liujing_yewu@cmss.chinamobile.com>
---
tools/virtiofsd/passthrough_ll.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index b3d0674f6d..523d8fbe1e 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -3791,6 +3791,7 @@ static void setup_nofile_rlimit(unsigned long rlimit_nofile)
static void log_func(enum fuse_log_level level, const char *fmt, va_list ap)
{
g_autofree char *localfmt = NULL;
+ char buf[64];
if (current_log_level < level) {
return;
@@ -3803,9 +3804,11 @@ static void log_func(enum fuse_log_level level, const char *fmt, va_list ap)
fmt);
} else {
g_autoptr(GDateTime) now = g_date_time_new_now_utc();
- g_autofree char *nowstr = g_date_time_format(now, "%Y-%m-%d %H:%M:%S.%f%z");
+ g_autofree char *nowstr = g_date_time_format(now,
+ "%Y-%m-%d %H:%M:%S.%%06d%z");
+ snprintf(buf, 64, nowstr, g_date_time_get_microsecond(now));
localfmt = g_strdup_printf("[%s] [ID: %08ld] %s",
- nowstr, syscall(__NR_gettid), fmt);
+ buf, syscall(__NR_gettid), fmt);
}
fmt = localfmt;
}
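Review bot: `snprintf(buf, 64, nowstr, g_date_time_get_microsecond(now));` passes a runtime string as the format. nowstr is the output of g_date_time_format(), and the commit message itself notes that this function can return NULL, so a NULL check is needed before the snprintf. The call also relies on no other '%' surviving in the formatted date and will be flagged by -Wformat-nonliteral. Safer is to format the date part and the zone part as two strings and join them with a literal format such as "%s.%06d%s", and to use sizeof(buf) instead of repeating 64.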
--
2.41.0.windows.1