packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

QEMU update to version 6.2.0-90

Browse Source 
- i386/cpuid: Move leaf 7 to correct group
- i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F
- i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and FEAT_XSAVE_XSS_HI leafs
- i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE is not available
- target/i386: Change wrong XFRM value in SGX CPUID leaf
- target/i386: Enable support for XSAVES based features
- target/i386: Add kvm_get_one_msr helper
- hw/block/hd-geometry: Do not override specified bios-chs-trans mainline inclusion commit fd8a68ad6823d33bedeba20a22857867a1c3890e category: bugfix
- linux-user/riscv: Align signal frame to 16 bytes mainline inclusion commit 1eaa63429a9944265c92efdb94c02fabb231f564 category: bugfix
- ipmi:smbus: Add a check around a memcpy mainline inclusion commit 3fde641e7286f9b968bdb3b4b922c6465f2a9abc category: bugfix
- tests/tcg/linux-test: Fix random hangs in test_socket mainline inclusion commit b9e6074fc5b429b1e956e9c60db7e284a91e0f3d category: bugfix
- qemu-options.hx: Don't claim "-serial" has limit of 4 serial ports Before v2.12, the implementation of serial ports was limited to a value of MAX_SERIAL_PORTS = 4. We now dynamically allocate the data structures for serial ports, so this limit is no longer present, but the documentation for the -serial options still reads:
- target/ppc: Modify the uncorrect value irq to n_IRQ
- block-migration: Ensure we don't crash during migration cleanup
- target/s390x: fix handling of zeroes in vfmin/vfmax mainline inclusion commit 13c59eb09bd6d1fbc13f08b708226421f14a232b category: bugfix
- hw/virtio/virtio-iommu: Enforce power-of-two notify for both MAP and UNMAP mainline inclusion commit 0522be9a0c0094088ccef7aab352c57f483ca250 category: bugfix
- configure: Add missing POSIX-required space mainline inclusion commit 35a7a6fc5624b1df828d82f2dfa74d0e4188b3b2 category: bugfix
- vga: fix incorrect line height in 640x200x2 mode mainline inclusion commit 37e7b86766244b62a406747bb78e049390d0b528 category: bugfix
- hw/ide/core: set ERR_STAT in unsupported command completion
- linux-user/flatload.c: Fix setting of  image_info::end_code mainline inclusion commit 734a659ad264ac080457167e845ffabbaaa66d0e category: bugfix
- load_elf: fix iterator's type for elf file processing
- hw/misc/mps2-scc: Free MPS2SCC::oscclk[] array on finalize()
- hw/nvram/xlnx-efuse: Free XlnxEFuse::ro_bits[] array on finalize()
- hw/nvram/xlnx-efuse-ctrl: Free XlnxVersalEFuseCtrl[] "pg0-lock" array
- chardev/char.c: fix "abstract device type" error message
- block/rbd: fix handling of holes in .bdrv_co_block_status
- qga: treat get-guest-fsinfo as "best effort" mainline inclusion commit bbb0151cf2e82489120a15df5e2eb9653312b0ec category: bugfix
- usb/hcd-xhci: check slotid in  xhci_wakeup_endpoint() mainline inclusion commit 84218892f05515d20347fde4506e1944eb11cb25 category: bugfix
- hw/display/bcm2835_fb: Fix framebuffer allocation  address mainline inclusion commit 5865d99fe88d8c8fa437c18c6b63fb2a8165634f category: bugfix
- block/parallels: Fix buffer-based write call mainline inclusion commit eba088f91d21d9e42a81bef847173da30c5da961 category: bugfix
- vl: Improve error message for conflicting -incoming and -loadvm
- hw/smbios: Fix OEM strings table option validation

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
(cherry picked from commit 5d1a5160936dce1757c09050d97d12f42642794b)
This commit is contained in:
Jiabo Feng 2024-03-16 14:59:18 +08:00 committed by openeuler-sync-bot
parent 7f2da5fa13
commit 6c5e9f07c4
33 changed files with 2005 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
block-migration-Ensure-we-don-t-crash-during-migrati.patch Normal file
View File

@ -0,0 +1,67 @@
From 98d4a8d9d5823d7d43ea816208a35372124a749f Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Sun, 10 Mar 2024 22:52:08 -0700
Subject: [PATCH] block-migration: Ensure we don't crash during migration
cleanup
We can fail the blk_insert_bs() at init_blk_migration(), leaving the
BlkMigDevState without a dirty_bitmap and BlockDriverState. Account
for the possibly missing elements when doing cleanup.
Fix the following crashes:
Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x0000555555ec83ef in bdrv_release_dirty_bitmap (bitmap=0x0) at ../block/dirty-bitmap.c:359
359 BlockDriverState *bs = bitmap->bs;
Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x0000555555e971ff in bdrv_op_unblock (bs=0x0, op=BLOCK_OP_TYPE_BACKUP_SOURCE, reason=0x0) at ../block.c:7073
7073 QLIST_FOREACH_SAFE(blocker, &bs->op_blockers[op], list, next) {
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Message-id: 20230731203338.27581-1-farosas@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit f187609f27b261702a17f79d20bf252ee0d4f9cd)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
migration/block.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/migration/block.c b/migration/block.c
index a950977855..391f8169fd 100644
--- a/migration/block.c
+++ b/migration/block.c
@@ -376,7 +376,9 @@ static void unset_dirty_tracking(void)
BlkMigDevState *bmds;
QSIMPLEQ_FOREACH(bmds, &block_mig_state.bmds_list, entry) {
- bdrv_release_dirty_bitmap(bmds->dirty_bitmap);
+ if (bmds->dirty_bitmap) {
+ bdrv_release_dirty_bitmap(bmds->dirty_bitmap);
+ }
}
}
@@ -684,13 +686,18 @@ static int64_t get_remaining_dirty(void)
static void block_migration_cleanup_bmds(void)
{
BlkMigDevState *bmds;
+ BlockDriverState *bs;
AioContext *ctx;
unset_dirty_tracking();
while ((bmds = QSIMPLEQ_FIRST(&block_mig_state.bmds_list)) != NULL) {
QSIMPLEQ_REMOVE_HEAD(&block_mig_state.bmds_list, entry);
- bdrv_op_unblock_all(blk_bs(bmds->blk), bmds->blocker);
+
+ bs = blk_bs(bmds->blk);
+ if (bs) {
+ bdrv_op_unblock_all(bs,bmds->blocker);
+ }
error_free(bmds->blocker);
/* Save ctx, because bmds->blk can disappear during blk_unref. */
--
2.27.0

48
block-parallels-Fix-buffer-based-write-call.patch Normal file
View File

@ -0,0 +1,48 @@
From 38de3be1e41bff18bf21cbf16a1dc585359dd4bd Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Fri, 8 Mar 2024 05:39:12 +0000
Subject: [PATCH] block/parallels: Fix buffer-based write call mainline
inclusion commit eba088f91d21d9e42a81bef847173da30c5da961 category: bugfix
---------------------------------------------------------------
Commit a4072543ccdddbd241d5962d9237b8b41fd006bf has changed the I/O here
from working on a local one-element I/O vector to just using the buffer
directly (using the bdrv_co_pread()/bdrv_co_pwrite() helper functions
introduced shortly before).
However, it only changed the bdrv_co_preadv() call to bdrv_co_pread() -
the subsequent bdrv_co_pwritev() call stayed this way, and so still
expects a QEMUIOVector pointer instead of a plain buffer. We must
change that to be a bdrv_co_pwrite() call.
Fixes: a4072543ccdddbd241d5962d ("block/parallels: use buffer-based io")
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Reviewed-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Message-Id: <20220714132801.72464-2-hreitz@redhat.com>
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
block/parallels.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/block/parallels.c b/block/parallels.c
index 6ebad2a2bb..f3352b6aa7 100644
--- a/block/parallels.c
+++ b/block/parallels.c
@@ -240,8 +240,8 @@ static int64_t allocate_clusters(BlockDriverState *bs, int64_t sector_num,
return ret;
}
- ret = bdrv_co_pwritev(bs->file, s->data_end * BDRV_SECTOR_SIZE,
- nb_cow_bytes, buf, 0);
+ ret = bdrv_co_pwrite(bs->file, s->data_end * BDRV_SECTOR_SIZE,
+ nb_cow_bytes, buf, 0);
qemu_vfree(buf);
if (ret < 0) {
return ret;
--
2.27.0

52
block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch Normal file
View File

@ -0,0 +1,52 @@
From 3e4478d7b2669063f7b2b1caf80c73535f35b5a4 Mon Sep 17 00:00:00 2001
From: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
Date: Thu, 7 Mar 2024 17:51:57 +0800
Subject: [PATCH] block/rbd: fix handling of holes in .bdrv_co_block_status
cherry picked from commit 9e302f64bb407a9bb097b626da97228c2654cfee
the assumption that we can't hit a hole if we do not diff against a snapshot was wrong.
We can see a hole in an image if we diff against base if there exists an older snapshot
of the image and we have discarded blocks in the image where the snapshot has data.
Fix this by simply handling a hole like an unallocated area. There are no callbacks
for unallocated areas so just bail out if we hit a hole.
Fixes: 0347a8fd4c3faaedf119be04c197804be40a384b
Suggested-by: Ilya Dryomov <idryomov@gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <20220113144426.4036493-2-pl@kamp.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Luo Yifan <luoyifan_yewu@cmss.chinamobile.com>
---
block/rbd.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/block/rbd.c b/block/rbd.c
index ccb14efd55..6caf35cbba 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -1281,11 +1281,11 @@ static int qemu_rbd_diff_iterate_cb(uint64_t offs, size_t len,
RBDDiffIterateReq *req = opaque;
assert(req->offs + req->bytes <= offs);
- /*
- * we do not diff against a snapshot so we should never receive a callback
- * for a hole.
- */
- assert(exists);
+
+ /* treat a hole like an unallocated area and bail out */
+ if (!exists) {
+ return 0;
+ }
if (!req->exists && offs > req->offs) {
/*
--
2.27.0

37
chardev-char.c-fix-abstract-device-type-error-messag.patch Normal file
View File

@ -0,0 +1,37 @@
From 3f9bed27de471be4d88ef9eb8270e1d362dccc4a Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Mon, 4 Mar 2024 02:02:23 -0800
Subject: [PATCH] chardev/char.c: fix "abstract device type" error message
Current error message:
qemu-system-x86_64: -chardev spice,id=foo: Parameter 'driver' expects an abstract device type
while in fact the meaning is in reverse, -chardev expects
a non-abstract device type.
Fixes: 777357d758d9 ("chardev: qom-ify" 2016-12-07)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
(cherry picked from commit 4ad87cd4b2254197b7ac12e3da824854e6a90f8f)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
chardev/char.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/chardev/char.c b/chardev/char.c
index 0169d8dde4..6bb99bd485 100644
--- a/chardev/char.c
+++ b/chardev/char.c
@@ -519,7 +519,7 @@ static const ChardevClass *char_get_class(const char *driver, Error **errp)
if (object_class_is_abstract(oc)) {
error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "driver",
- "an abstract device type");
+ "a non-abstract device type");
return NULL;
}
--
2.27.0

44
configure-Add-missing-POSIX-required-space.patch Normal file
View File

@ -0,0 +1,44 @@
From 466653e339135572946a31d212205078854500da Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Wed, 13 Mar 2024 03:11:08 +0000
Subject: [PATCH] configure: Add missing POSIX-required space mainline
inclusion commit 35a7a6fc5624b1df828d82f2dfa74d0e4188b3b2 category: bugfix
---------------------------------------------------------------
In commit 7d7dbf9dc15be6e1 we added a line to the configure script
which is not valid POSIX shell syntax, because it is missing a space
after a '!' character. shellcheck diagnoses this:
if !(GIT="$git" "$source_path/scripts/git-submodule.sh" "$git_submodules_action" "$git_submodules"); then
^-- SC1035: You are missing a required space after the !.
and the OpenBSD shell will not correctly handle this without the space.
Fixes: 7d7dbf9dc15be6e1 ("configure: replace --enable/disable-git-update with --with-git-submodules")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Tested-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 20220720152631.450903-2-peter.maydell@linaro.org
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
configure | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure b/configure
index d7a4502a8b..8c9abd0e6e 100755
--- a/configure
+++ b/configure
@@ -3337,7 +3337,7 @@ else
cxx=
fi
-if !(GIT="$git" "$source_path/scripts/git-submodule.sh" "$git_submodules_action" "$git_submodules"); then
+if ! (GIT="$git" "$source_path/scripts/git-submodule.sh" "$git_submodules_action" "$git_submodules"); then
exit 1
fi
--
2.27.0

63
hw-block-hd-geometry-Do-not-override-specified-bios-.patch Normal file
View File

@ -0,0 +1,63 @@
From 0f13c505e833761a336bc4619b05afc373ebfdaa Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Thu, 21 Mar 2024 05:59:43 +0000
Subject: [PATCH] hw/block/hd-geometry: Do not override specified
bios-chs-trans mainline inclusion commit
fd8a68ad6823d33bedeba20a22857867a1c3890e category: bugfix
---------------------------------------------------------------
For small disk images (<4 GiB), QEMU and SeaBIOS default to the
LARGE/ECHS disk translation method, but it is not uncommon for other
BIOS software to use LBA in these cases as well. Some operating
system boot loaders (e.g., NT 4) do not handle LARGE translations
outside of fixed configurations. See, e.g., Q154052:
"When starting an x86 based computer, Ntdetect.com retrieves and
stores Interrupt 13 information. . . If the disk controller is using a
32 sector/64 head translation scheme, this boundary will be 1 GB. If
the controller uses 63 sector/255 head translation [AUTHOR: i.e.,
LBA], the limit will be 4 GB."
To accommodate these situations, hd_geometry_guess() now follows the
disk translation specified by the user even when the ATA disk geometry
is guessed.
hd_geometry_guess():
* Only set the disk translation when translation is AUTO.
* Show the soon-to-be active translation (*ptrans) in the trace rather
than what was guessed.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/56
Buglink: https://bugs.launchpad.net/qemu/+bug/1745312
Signed-off-by: Lev Kujawski <lkujaw@member.fsf.org>
Message-Id: <20220707204045.999544-1-lkujaw@member.fsf.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/block/hd-geometry.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/hw/block/hd-geometry.c b/hw/block/hd-geometry.c
index dcbccee294..67462f1752 100644
--- a/hw/block/hd-geometry.c
+++ b/hw/block/hd-geometry.c
@@ -150,7 +150,12 @@ void hd_geometry_guess(BlockBackend *blk,
translation = BIOS_ATA_TRANSLATION_NONE;
}
if (ptrans) {
- *ptrans = translation;
+ if (*ptrans == BIOS_ATA_TRANSLATION_AUTO) {
+ *ptrans = translation;
+ } else {
+ /* Defer to the translation specified by the user. */
+ translation = *ptrans;
+ }
}
trace_hd_geometry_guess(blk, *pcyls, *pheads, *psecs, translation);
}
--
2.27.0

53
hw-display-bcm2835_fb-Fix-framebuffer-allocation-add.patch Normal file
View File

@ -0,0 +1,53 @@
From 5a8be2987986a0191b9d8a7a1a59f491e657ebad Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Fri, 8 Mar 2024 04:12:58 +0000
Subject: [PATCH] hw/display/bcm2835_fb: Fix framebuffer allocation address
mainline inclusion commit 5865d99fe88d8c8fa437c18c6b63fb2a8165634f category:
bugfix
---------------------------------------------------------------
This patch fixes the dedicated framebuffer mailbox interface by
removing an unneeded offset. This means that we pick the framebuffer
address in the same way that we do if the guest code uses the buffer
allocate mechanism of the bcm2835_property interface (case
0x00040001: /* Allocate buffer */ in bcm2835_property.c).
The documentation of this mailbox interface doesn't say anything
about using parts of the request buffer address to affect the
chosen framebuffer address:
https://github.com/raspberrypi/firmware/wiki/Mailbox-framebuffer-interface
Some baremetal applications like the Screen01/Screen02 examples from
Baking Pi tutorial[1] didn't work before this patch.
[1] https://www.cl.cam.ac.uk/projects/raspberrypi/tutorials/os/screen01.html
Signed-off-by: Alan Jian <alanjian85@outlook.com>
Message-id: 20220725145838.8412-1-alanjian85@outlook.com
[PMM: tweaked commit message]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/display/bcm2835_fb.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/hw/display/bcm2835_fb.c b/hw/display/bcm2835_fb.c
index 2be77bdd3a..ac17c472a5 100644
--- a/hw/display/bcm2835_fb.c
+++ b/hw/display/bcm2835_fb.c
@@ -279,8 +279,7 @@ static void bcm2835_fb_mbox_push(BCM2835FBState *s, uint32_t value)
newconf.xoffset = ldl_le_phys(&s->dma_as, value + 24);
newconf.yoffset = ldl_le_phys(&s->dma_as, value + 28);
- newconf.base = s->vcram_base | (value & 0xc0000000);
- newconf.base += BCM2835_FB_OFFSET;
+ newconf.base = s->vcram_base + BCM2835_FB_OFFSET;
/* Copy fields which we don't want to change from the existing config */
newconf.pixo = s->config.pixo;
--
2.27.0

60
hw-ide-core-set-ERR_STAT-in-unsupported-command-comp.patch Normal file
View File

@ -0,0 +1,60 @@
From c2fe51f5e42bbb95209318e8e766212fe832aa9b Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Sun, 10 Mar 2024 20:15:39 -0700
Subject: [PATCH] hw/ide/core: set ERR_STAT in unsupported command completion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently, the first time sending an unsupported command
(e.g. READ LOG DMA EXT) will not have ERR_STAT set in the completion.
Sending the unsupported command again, will correctly have ERR_STAT set.
When ide_cmd_permitted() returns false, it calls ide_abort_command().
ide_abort_command() first calls ide_transfer_stop(), which will call
ide_transfer_halt() and ide_cmd_done(), after that ide_abort_command()
sets ERR_STAT in status.
ide_cmd_done() for AHCI will call ahci_write_fis_d2h() which writes the
current status in the FIS, and raises an IRQ. (The status here will not
have ERR_STAT set!).
Thus, we cannot call ide_transfer_stop() before setting ERR_STAT, as
ide_transfer_stop() will result in the FIS being written and an IRQ
being raised.
The reason why it works the second time, is that ERR_STAT will still
be set from the previous command, so when writing the FIS, the
completion will correctly have ERR_STAT set.
Set ERR_STAT before writing the FIS (calling cmd_done), so that we will
raise an error IRQ correctly when receiving an unsupported command.
Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20230609140844.202795-3-nks@flawful.org
Signed-off-by: John Snow <jsnow@redhat.com>
(cherry picked from commit c3461c6264a7c8ca15b117e91fe5da786924a784)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/ide/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/ide/core.c b/hw/ide/core.c
index 15138225be..0d925c5ca5 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -528,9 +528,9 @@ BlockAIOCB *ide_issue_trim(
void ide_abort_command(IDEState *s)
{
- ide_transfer_stop(s);
s->status = READY_STAT | ERR_STAT;
s->error = ABRT_ERR;
+ ide_transfer_stop(s);
}
static void ide_set_retry(IDEState *s)
--
2.27.0

63
hw-misc-mps2-scc-Free-MPS2SCC-oscclk-array-on-finali.patch Normal file
View File

@ -0,0 +1,63 @@
From 8ae86aa13df2128b46b421df14f6000f81312795 Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Mon, 4 Mar 2024 01:19:55 -0800
Subject: [PATCH] hw/misc/mps2-scc: Free MPS2SCC::oscclk[] array on finalize()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit 0be6bfac62 ("qdev: Implement variable length array properties")
added the DEFINE_PROP_ARRAY() macro with the following comment:
* It is the responsibility of the device deinit code to free the
* @_arrayfield memory.
Commit 4fb013afcc added:
DEFINE_PROP_ARRAY("oscclk", MPS2SCC, num_oscclk, oscclk_reset,
qdev_prop_uint32, uint32_t),
but forgot to free the 'oscclk_reset' array. Do it in the
instance_finalize() handler.
Cc: qemu-stable@nongnu.org
Fixes: 4fb013afcc ("hw/misc/mps2-scc: Support configurable number of OSCCLK values") # v6.0.0+
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20231121174051.63038-4-philmd@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 896dd6ff7b9f2575f1a908a07f26a70b58d8b675)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/misc/mps2-scc.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hw/misc/mps2-scc.c b/hw/misc/mps2-scc.c
index b3b42a792c..fe5034db14 100644
--- a/hw/misc/mps2-scc.c
+++ b/hw/misc/mps2-scc.c
@@ -329,6 +329,13 @@ static void mps2_scc_realize(DeviceState *dev, Error **errp)
s->oscclk = g_new0(uint32_t, s->num_oscclk);
}
+static void mps2_scc_finalize(Object *obj)
+{
+ MPS2SCC *s = MPS2_SCC(obj);
+
+ g_free(s->oscclk_reset);
+}
+
static const VMStateDescription mps2_scc_vmstate = {
.name = "mps2-scc",
.version_id = 3,
@@ -385,6 +392,7 @@ static const TypeInfo mps2_scc_info = {
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(MPS2SCC),
.instance_init = mps2_scc_init,
+ .instance_finalize = mps2_scc_finalize,
.class_init = mps2_scc_class_init,
};
--
2.27.0

64
hw-nvram-xlnx-efuse-Free-XlnxEFuse-ro_bits-array-on-.patch Normal file
View File

@ -0,0 +1,64 @@
From aec47cbfa3ad713883d783cd86d3d6fe3413a585 Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Mon, 4 Mar 2024 01:26:37 -0800
Subject: [PATCH] hw/nvram/xlnx-efuse: Free XlnxEFuse::ro_bits[] array on
finalize()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit 0be6bfac62 ("qdev: Implement variable length array properties")
added the DEFINE_PROP_ARRAY() macro with the following comment:
* It is the responsibility of the device deinit code to free the
* @_arrayfield memory.
Commit 68fbcc344e added:
DEFINE_PROP_ARRAY("read-only", XlnxEFuse, ro_bits_cnt, ro_bits,
qdev_prop_uint32, uint32_t),
but forgot to free the 'ro_bits' array. Do it in the instance_finalize
handler.
Cc: qemu-stable@nongnu.org
Fixes: 68fbcc344e ("hw/nvram: Introduce Xilinx eFuse QOM") # v6.2.0+
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20231121174051.63038-5-philmd@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 49b3e28b7bdfe771150d05c4b5860aa7854a4232)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/nvram/xlnx-efuse.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hw/nvram/xlnx-efuse.c b/hw/nvram/xlnx-efuse.c
index a0fd77b586..5b131e89b1 100644
--- a/hw/nvram/xlnx-efuse.c
+++ b/hw/nvram/xlnx-efuse.c
@@ -217,6 +217,13 @@ static void efuse_realize(DeviceState *dev, Error **errp)
}
}
+static void efuse_finalize(Object *obj)
+{
+ XlnxEFuse *s = XLNX_EFUSE(obj);
+
+ g_free(s->ro_bits);
+}
+
static void efuse_prop_set_drive(Object *obj, Visitor *v, const char *name,
void *opaque, Error **errp)
{
@@ -273,6 +280,7 @@ static const TypeInfo efuse_info = {
.name = TYPE_XLNX_EFUSE,
.parent = TYPE_DEVICE,
.instance_size = sizeof(XlnxEFuse),
+ .instance_finalize = efuse_finalize,
.class_init = efuse_class_init,
};
--
2.27.0

65
hw-nvram-xlnx-efuse-ctrl-Free-XlnxVersalEFuseCtrl-pg.patch Normal file
View File

@ -0,0 +1,65 @@
From d8685a2aca40ad07ecab1da84ec97f6384b26a66 Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Mon, 4 Mar 2024 01:46:13 -0800
Subject: [PATCH] hw/nvram/xlnx-efuse-ctrl: Free XlnxVersalEFuseCtrl[]
"pg0-lock" array
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit 0be6bfac62 ("qdev: Implement variable length array properties")
added the DEFINE_PROP_ARRAY() macro with the following comment:
* It is the responsibility of the device deinit code to free the
* @_arrayfield memory.
Commit 9e4aa1fafe added:
DEFINE_PROP_ARRAY("pg0-lock",
XlnxVersalEFuseCtrl, extra_pg0_lock_n16,
extra_pg0_lock_spec, qdev_prop_uint16, uint16_t),
but forgot to free the 'extra_pg0_lock_spec' array. Do it in the
instance_finalize() handler.
Cc: qemu-stable@nongnu.org
Fixes: 9e4aa1fafe ("hw/nvram: Xilinx Versal eFuse device") # v6.2.0+
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20231121174051.63038-6-philmd@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 4f10c66077e39969940d928077560665e155cac8)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/nvram/xlnx-versal-efuse-ctrl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hw/nvram/xlnx-versal-efuse-ctrl.c b/hw/nvram/xlnx-versal-efuse-ctrl.c
index b35ba65ab5..2d2dc09526 100644
--- a/hw/nvram/xlnx-versal-efuse-ctrl.c
+++ b/hw/nvram/xlnx-versal-efuse-ctrl.c
@@ -725,6 +725,13 @@ static void efuse_ctrl_init(Object *obj)
sysbus_init_irq(sbd, &s->irq_efuse_imr);
}
+static void efuse_ctrl_finalize(Object *obj)
+{
+ XlnxVersalEFuseCtrl *s = XLNX_VERSAL_EFUSE_CTRL(obj);
+
+ g_free(s->extra_pg0_lock_spec);
+}
+
static const VMStateDescription vmstate_efuse_ctrl = {
.name = TYPE_XLNX_VERSAL_EFUSE_CTRL,
.version_id = 1,
@@ -762,6 +769,7 @@ static const TypeInfo efuse_ctrl_info = {
.instance_size = sizeof(XlnxVersalEFuseCtrl),
.class_init = efuse_ctrl_class_init,
.instance_init = efuse_ctrl_init,
+ .instance_finalize = efuse_ctrl_finalize,
};
static void efuse_ctrl_register_types(void)
--
2.27.0

51
hw-smbios-Fix-OEM-strings-table-option-validation.patch Normal file
View File

@ -0,0 +1,51 @@
From 7a332d757d2bec6d1c5433a807ceceb0cf96e00c Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Tue, 27 Feb 2024 10:22:18 +0800
Subject: [PATCH] hw/smbios: Fix OEM strings table option validation
cheery-pick from e8ddec58053e9361b2cc18ec6d17b6c95590bf3c
qemu_smbios_type11_opts did not have the list terminator and that
resulted in out-of-bound memory access. It also needs to have an element
for the type option.
Cc: qemu-stable@nongnu.org
Fixes: 2d6dcbf93fb0 ("smbios: support setting OEM strings table")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <20240129-smbios-v2-1-9ee6fede0d10@daynix.com>
Reviewed-by: Ani Sinha <anisinha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
hw/smbios/smbios.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
index 66be9aee09..f73b9417c8 100644
--- a/hw/smbios/smbios.c
+++ b/hw/smbios/smbios.c
@@ -332,6 +332,11 @@ static const QemuOptDesc qemu_smbios_type4_opts[] = {
};
static const QemuOptDesc qemu_smbios_type11_opts[] = {
+ {
+ .name = "type",
+ .type = QEMU_OPT_NUMBER,
+ .help = "SMBIOS element type",
+ },
{
.name = "value",
.type = QEMU_OPT_STRING,
@@ -342,6 +347,7 @@ static const QemuOptDesc qemu_smbios_type11_opts[] = {
.type = QEMU_OPT_STRING,
.help = "OEM string data from file",
},
+ { /* end of list */ }
};
static const QemuOptDesc qemu_smbios_type17_opts[] = {
--
2.27.0

113
hw-virtio-virtio-iommu-Enforce-power-of-two-notify-f.patch Normal file
View File

@ -0,0 +1,113 @@
From 89376545e23d5fa3b6e3f9d404edf0382c6f5ad3 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Wed, 13 Mar 2024 03:28:06 +0000
Subject: [PATCH] hw/virtio/virtio-iommu: Enforce power-of-two notify for both
MAP and UNMAP mainline inclusion commit
0522be9a0c0094088ccef7aab352c57f483ca250 category: bugfix
---------------------------------------------------------------
Currently we only enforce power-of-two mappings (required by the QEMU
notifier) for UNMAP requests. A MAP request not aligned on a
power-of-two may be successfully handled by VFIO, and then the
corresponding UNMAP notify will fail because it will attempt to split
that mapping. Ensure MAP and UNMAP notifications are consistent.
Fixes: dde3f08b5cab ("virtio-iommu: Handle non power of 2 range invalidations")
Reported-by: Tina Zhang <tina.zhang@intel.com>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Message-Id: <20220718135636.338264-1-jean-philippe@linaro.org>
Tested-by: Tina Zhang <tina.zhang@intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/virtio/virtio-iommu.c | 47 ++++++++++++++++++++++++----------------
1 file changed, 28 insertions(+), 19 deletions(-)
diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
index ae33d93b11..190ec2579a 100644
--- a/hw/virtio/virtio-iommu.c
+++ b/hw/virtio/virtio-iommu.c
@@ -125,6 +125,32 @@ static gint interval_cmp(gconstpointer a, gconstpointer b, gpointer user_data)
}
}
+static void virtio_iommu_notify_map_unmap(IOMMUMemoryRegion *mr,
+ IOMMUTLBEvent *event,
+ hwaddr virt_start, hwaddr virt_end)
+{
+ uint64_t delta = virt_end - virt_start;
+
+ event->entry.iova = virt_start;
+ event->entry.addr_mask = delta;
+
+ if (delta == UINT64_MAX) {
+ memory_region_notify_iommu(mr, 0, *event);
+ }
+
+ while (virt_start != virt_end + 1) {
+ uint64_t mask = dma_aligned_pow2_mask(virt_start, virt_end, 64);
+
+ event->entry.addr_mask = mask;
+ event->entry.iova = virt_start;
+ memory_region_notify_iommu(mr, 0, *event);
+ virt_start += mask + 1;
+ if (event->entry.perm != IOMMU_NONE) {
+ event->entry.translated_addr += mask + 1;
+ }
+ }
+}
+
static void virtio_iommu_notify_map(IOMMUMemoryRegion *mr, hwaddr virt_start,
hwaddr virt_end, hwaddr paddr,
uint32_t flags)
@@ -143,19 +169,16 @@ static void virtio_iommu_notify_map(IOMMUMemoryRegion *mr, hwaddr virt_start,
event.type = IOMMU_NOTIFIER_MAP;
event.entry.target_as = &address_space_memory;
- event.entry.addr_mask = virt_end - virt_start;
- event.entry.iova = virt_start;
event.entry.perm = perm;
event.entry.translated_addr = paddr;
- memory_region_notify_iommu(mr, 0, event);
+ virtio_iommu_notify_map_unmap(mr, &event, virt_start, virt_end);
}
static void virtio_iommu_notify_unmap(IOMMUMemoryRegion *mr, hwaddr virt_start,
hwaddr virt_end)
{
IOMMUTLBEvent event;
- uint64_t delta = virt_end - virt_start;
if (!(mr->iommu_notify_flags & IOMMU_NOTIFIER_UNMAP)) {
return;
@@ -167,22 +190,8 @@ static void virtio_iommu_notify_unmap(IOMMUMemoryRegion *mr, hwaddr virt_start,
event.entry.target_as = &address_space_memory;
event.entry.perm = IOMMU_NONE;
event.entry.translated_addr = 0;
- event.entry.addr_mask = delta;
- event.entry.iova = virt_start;
-
- if (delta == UINT64_MAX) {
- memory_region_notify_iommu(mr, 0, event);
- }
-
- while (virt_start != virt_end + 1) {
- uint64_t mask = dma_aligned_pow2_mask(virt_start, virt_end, 64);
-
- event.entry.addr_mask = mask;
- event.entry.iova = virt_start;
- memory_region_notify_iommu(mr, 0, event);
- virt_start += mask + 1;
- }
+ virtio_iommu_notify_map_unmap(mr, &event, virt_start, virt_end);
}
static gboolean virtio_iommu_notify_unmap_cb(gpointer key, gpointer value,
--
2.27.0

41
i386-cpu-Clear-FEAT_XSAVE_XSS_LO-HI-leafs-when-CPUID.patch Normal file
View File

@ -0,0 +1,41 @@
From fb069ba131d312e4f4008c95710d0150c4039acf Mon Sep 17 00:00:00 2001
From: Xiaoyao Li <xiaoyao.li@intel.com>
Date: Mon, 15 Jan 2024 04:13:24 -0500
Subject: [PATCH] i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when
CPUID_EXT_XSAVE is not available
commit 81f5cad3858f27623b1b14467926032d229b76cc upstream.
Leaf FEAT_XSAVE_XSS_LO and FEAT_XSAVE_XSS_HI also need to be cleared
when CPUID_EXT_XSAVE is not set.
Intel-SIG: commit 81f5cad3858f i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE is not available
Backport i386/cpu bugfixes
Fixes: 301e90675c3f ("target/i386: Enable support for XSAVES based features")
Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Reviewed-by: Yang Weijiang <weijiang.yang@intel.com>
Message-ID: <20240115091325.1904229-2-xiaoyao.li@intel.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/cpu.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 9ab8ef3bd1..ba8a3f4f2f 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -6479,6 +6479,8 @@ static void x86_cpu_enable_xsave_components(X86CPU *cpu)
if (!(env->features[FEAT_1_ECX] & CPUID_EXT_XSAVE)) {
env->features[FEAT_XSAVE_XCR0_LO] = 0;
env->features[FEAT_XSAVE_XCR0_HI] = 0;
+ env->features[FEAT_XSAVE_XSS_LO] = 0;
+ env->features[FEAT_XSAVE_XSS_HI] = 0;
return;
}
--
2.27.0

45
i386-cpu-Mask-with-XCR0-XSS-mask-for-FEAT_XSAVE_XCR0.patch Normal file
View File

@ -0,0 +1,45 @@
From a4497d44e8124a7a5ee4ae403fde058651155ca9 Mon Sep 17 00:00:00 2001
From: Xiaoyao Li <xiaoyao.li@intel.com>
Date: Mon, 15 Jan 2024 04:13:25 -0500
Subject: [PATCH] i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and
FEAT_XSAVE_XSS_HI leafs
commit a11a365159b944e05be76f3ec3b98c8b38cb70fd upstream.
The value of FEAT_XSAVE_XCR0_HI leaf and FEAT_XSAVE_XSS_HI leaf also
need to be masked by XCR0 and XSS mask respectively, to make it
logically correct.
Intel-SIG: commit a11a365159b9 i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and FEAT_XSAVE_XSS_HI leafs
Backport i36/cpu bugfixes
Fixes: 301e90675c3f ("target/i386: Enable support for XSAVES based features")
Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Reviewed-by: Yang Weijiang <weijiang.yang@intel.com>
Message-ID: <20240115091325.1904229-3-xiaoyao.li@intel.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/cpu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index ba8a3f4f2f..62ac5ed005 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -6499,9 +6499,9 @@ static void x86_cpu_enable_xsave_components(X86CPU *cpu)
}
env->features[FEAT_XSAVE_XCR0_LO] = mask & CPUID_XSTATE_XCR0_MASK;
- env->features[FEAT_XSAVE_XCR0_HI] = mask >> 32;
+ env->features[FEAT_XSAVE_XCR0_HI] = (mask & CPUID_XSTATE_XCR0_MASK) >> 32;
env->features[FEAT_XSAVE_XSS_LO] = mask & CPUID_XSTATE_XSS_MASK;
- env->features[FEAT_XSAVE_XSS_HI] = mask >> 32;
+ env->features[FEAT_XSAVE_XSS_HI] = (mask & CPUID_XSTATE_XSS_MASK) >> 32;
}
/***** Steps involved on loading and filtering CPUID data
--
2.27.0

41
i386-cpuid-Decrease-cpuid_i-when-skipping-CPUID-leaf.patch Normal file
View File

@ -0,0 +1,41 @@
From 3b70aff18c50fc36dde1a0d305acfd1872f57141 Mon Sep 17 00:00:00 2001
From: Xiaoyao Li <xiaoyao.li@intel.com>
Date: Wed, 24 Jan 2024 21:40:14 -0500
Subject: [PATCH] i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F
commit 10f92799af8ba3c3cef2352adcd4780f13fbab31 upstream.
Existing code misses a decrement of cpuid_i when skip leaf 0x1F.
There's a blank CPUID entry(with leaf, subleaf as 0, and all fields
stuffed 0s) left in the CPUID array.
It conflicts with correct CPUID leaf 0.
Intel-SIG: commit 10f92799af8b i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F
Backport i386/cpu bugfixes
Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Reviewed-by:Yang Weijiang <weijiang.yang@intel.com>
Message-ID: <20240125024016.2521244-2-xiaoyao.li@intel.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/kvm/kvm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
index e1601422bc..0927d1f515 100644
--- a/target/i386/kvm/kvm.c
+++ b/target/i386/kvm/kvm.c
@@ -1759,6 +1759,7 @@ int kvm_arch_init_vcpu(CPUState *cs)
}
case 0x1f:
if (env->nr_dies < 2) {
+ cpuid_i--;
break;
}
/* fallthrough */
--
2.27.0

53
i386-cpuid-Move-leaf-7-to-correct-group.patch Normal file
View File

@ -0,0 +1,53 @@
From 83beaa72ec488c7bb35fbca3efd84ecaa0d88071 Mon Sep 17 00:00:00 2001
From: Xiaoyao Li <xiaoyao.li@intel.com>
Date: Wed, 24 Jan 2024 21:40:16 -0500
Subject: [PATCH] i386/cpuid: Move leaf 7 to correct group
commit 0729857c707535847d7fe31d3d91eb8b2a118e3c upstream.
CPUID leaf 7 was grouped together with SGX leaf 0x12 by commit
b9edbadefb9e ("i386: Propagate SGX CPUID sub-leafs to KVM") by mistake.
SGX leaf 0x12 has its specific logic to check if subleaf (starting from 2)
is valid or not by checking the bit 0:3 of corresponding EAX is 1 or
not.
Leaf 7 follows the logic that EAX of subleaf 0 enumerates the maximum
valid subleaf.
Intel-SIG: commit 0729857c7075 i386/cpuid: Move leaf 7 to correct group
Backport i386/cpu bugfixes
Fixes: b9edbadefb9e ("i386: Propagate SGX CPUID sub-leafs to KVM")
Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Message-ID: <20240125024016.2521244-4-xiaoyao.li@intel.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/kvm/kvm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
index 0927d1f515..99be7f6155 100644
--- a/target/i386/kvm/kvm.c
+++ b/target/i386/kvm/kvm.c
@@ -1800,7 +1800,6 @@ int kvm_arch_init_vcpu(CPUState *cs)
c = &cpuid_data.entries[cpuid_i++];
}
break;
- case 0x7:
case 0x12:
for (j = 0; ; j++) {
c->function = i;
@@ -1820,6 +1819,7 @@ int kvm_arch_init_vcpu(CPUState *cs)
c = &cpuid_data.entries[cpuid_i++];
}
break;
+ case 0x7:
case 0x14:
case 0x1d:
case 0x1e: {
--
2.27.0

47
ipmi-smbus-Add-a-check-around-a-memcpy.patch Normal file
View File

@ -0,0 +1,47 @@
From d9f1221c0f4ff778e5e11d71519dfe1fe2f37e28 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Thu, 21 Mar 2024 03:16:54 +0000
Subject: [PATCH] ipmi:smbus: Add a check around a memcpy mainline inclusion
commit 3fde641e7286f9b968bdb3b4b922c6465f2a9abc category: bugfix
---------------------------------------------------------------
In one case:
memcpy(sid->inmsg + sid->inlen, buf, len);
if len == 0 then sid->inmsg + sig->inlen can point to one past the inmsg
array if the array is full. We have to allow len == 0 due to some
vagueness in the spec, but we don't have to call memcpy.
Found by Coverity. This is not a problem in practice, but the results
are technically (maybe) undefined. So make Coverity happy.
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/ipmi/smbus_ipmi.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/ipmi/smbus_ipmi.c b/hw/ipmi/smbus_ipmi.c
index 1fdf0a66b6..1591211a86 100644
--- a/hw/ipmi/smbus_ipmi.c
+++ b/hw/ipmi/smbus_ipmi.c
@@ -280,7 +280,9 @@ static int ipmi_write_data(SMBusDevice *dev, uint8_t *buf, uint8_t len)
*/
send = true;
}
- memcpy(sid->inmsg + sid->inlen, buf, len);
+ if (len > 0) {
+ memcpy(sid->inmsg + sid->inlen, buf, len);
+ }
sid->inlen += len;
break;
}
--
2.27.0

47
linux-user-flatload.c-Fix-setting-of-image_info-end_.patch Normal file
View File

@ -0,0 +1,47 @@
From 28654c3906e23d26dd740a3a300832345c9e0325 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Wed, 13 Mar 2024 02:33:21 +0000
Subject: [PATCH] linux-user/flatload.c: Fix setting of image_info::end_code
mainline inclusion commit 734a659ad264ac080457167e845ffabbaaa66d0e category:
bugfix
---------------------------------------------------------------
The flatload loader sets the end_code field in the image_info struct
incorrectly, due to a typo.
This is a very long-standing bug (dating all the way back to when
the bFLT loader was added in 2006), but has gone unnoticed because
(a) most people don't use bFLT binaries
(b) we don't actually do anything with the end_code field, except
print it in debugging traces and pass it to TCG plugins
Fix the typo.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1119
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220728151406.2262862-1-peter.maydell@linaro.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
linux-user/flatload.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux-user/flatload.c b/linux-user/flatload.c
index e4c2f89a22..e99570ca18 100644
--- a/linux-user/flatload.c
+++ b/linux-user/flatload.c
@@ -808,7 +808,7 @@ int load_flt_binary(struct linux_binprm *bprm, struct image_info *info)
/* Stash our initial stack pointer into the mm structure */
info->start_code = libinfo[0].start_code;
- info->end_code = libinfo[0].start_code = libinfo[0].text_len;
+ info->end_code = libinfo[0].start_code + libinfo[0].text_len;
info->start_data = libinfo[0].start_data;
info->end_data = libinfo[0].end_data;
info->start_brk = libinfo[0].start_brk;
--
2.27.0

39
linux-user-riscv-Align-signal-frame-to-16-bytes.patch Normal file
View File

@ -0,0 +1,39 @@
From e011a861479e486201feb0760a5fd2f449270f4d Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Thu, 21 Mar 2024 05:38:28 +0000
Subject: [PATCH] linux-user/riscv: Align signal frame to 16 bytes mainline
inclusion commit 1eaa63429a9944265c92efdb94c02fabb231f564 category: bugfix
---------------------------------------------------------------
Follow the kernel's alignment, as we already noted.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1093
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20220729201942.30738-1-richard.henderson@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
linux-user/riscv/signal.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/linux-user/riscv/signal.c b/linux-user/riscv/signal.c
index a0f9542ce3..c50ac6d0aa 100644
--- a/linux-user/riscv/signal.c
+++ b/linux-user/riscv/signal.c
@@ -64,9 +64,7 @@ static abi_ulong get_sigframe(struct target_sigaction *ka,
/* This is the X/Open sanctioned signal stack switching. */
sp = target_sigsp(sp, ka) - framesize;
-
- /* XXX: kernel aligns with 0xf ? */
- sp &= ~3UL; /* align sp on 4-byte boundary */
+ sp &= ~0xf;
return sp;
}
--
2.27.0

42
load_elf-fix-iterator-s-type-for-elf-file-processing.patch Normal file
View File

@ -0,0 +1,42 @@
From 5ae048bf81cea4b992649fda03ebc7fa21effaa6 Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Sun, 3 Mar 2024 23:06:14 -0800
Subject: [PATCH] load_elf: fix iterator's type for elf file processing
j is used while loading an ELF file to byteswap segments'
data. If data is larger than 2GB an overflow may happen.
So j should be elf_word.
This commit fixes a minor bug: it's unlikely anybody is trying to
load ELF files with 2GB+ segments for wrong-endianness targets,
but if they did, it wouldn't work correctly.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Cc: qemu-stable@nongnu.org
Fixes: 7ef295ea5b ("loader: Add data swap option to load-elf")
Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 410c2a4d75f52f6a2fe978eda5a9b6f854afe5ea)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
include/hw/elf_ops.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/hw/elf_ops.h b/include/hw/elf_ops.h
index 7c3b1d0f6c..ea17fe9fb5 100644
--- a/include/hw/elf_ops.h
+++ b/include/hw/elf_ops.h
@@ -499,7 +499,7 @@ static ssize_t glue(load_elf, SZ)(const char *name, int fd,
}
if (data_swab) {
- int j;
+ elf_word j;
for (j = 0; j < file_size; j += (1 << data_swab)) {
uint8_t *dp = data + j;
switch (data_swab) {
--
2.27.0

41
qemu-options.hx-Don-t-claim-serial-has-limit-of-4-se.patch Normal file
View File

@ -0,0 +1,41 @@
From c80641ae418a782544304adf64260487ca581c19 Mon Sep 17 00:00:00 2001
From: guping <guping_yewu@cmss.chinamobile.com>
Date: Wed, 6 Mar 2024 09:57:24 +0000
Subject: [PATCH] qemu-options.hx: Don't claim "-serial" has limit of 4 serial
ports Before v2.12, the implementation of serial ports was limited to a value
of MAX_SERIAL_PORTS = 4. We now dynamically allocate the data structures for
serial ports, so this limit is no longer present, but the documentation for
the -serial options still reads:
"This option can be used several times to simulate up to 4 serial ports."
Update to "This option can be used several times to simulate
multiple serial ports." to avoid misleading.
Signed-off-by: default avatarSteven Shen <steven.shen@jaguarmicro.com>
Message-id: 20240305013016.2268-1-steven.shen@jaguarmicro.com
Reviewed-by: default avatarPeter Maydell <peter.maydell@linaro.org>
[PMM: tweaked commit message]
Signed-off-by: default avatarPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: guping <guping_yewu@cmss.chinamobile.com>
---
qemu-options.hx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qemu-options.hx b/qemu-options.hx
index e25b76771d..d940b4aea5 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -3783,7 +3783,7 @@ SRST
default device is ``vc`` in graphical mode and ``stdio`` in non
graphical mode.
- This option can be used several times to simulate up to 4 serial
+ This option can be used several times to simulate multiple serial
ports.
Use ``-serial none`` to disable all serial ports.
--
2.27.0

68
qemu.spec
View File

@ -3,7 +3,7 @@
Name: qemu
Version: 6.2.0
Release: 89
Release: 90
Epoch: 10
Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -875,6 +875,38 @@ Patch0860: ui-clipboard-mark-type-as-not-available-when-there-i.patch
Patch0861: virtio-net-correctly-copy-vnet-header-when-flushing-.patch
Patch0862: hw-timer-fix-systick-trace-message.patch
Patch0863: qga-win-Fix-guest-get-fsinfo-multi-disks-collection.patch
Patch0864: hw-smbios-Fix-OEM-strings-table-option-validation.patch
Patch0865: vl-Improve-error-message-for-conflicting-incoming-an.patch
Patch0866: block-parallels-Fix-buffer-based-write-call.patch
Patch0867: hw-display-bcm2835_fb-Fix-framebuffer-allocation-add.patch
Patch0868: usb-hcd-xhci-check-slotid-in-xhci_wakeup_endpoint.patch
Patch0869: qga-treat-get-guest-fsinfo-as-best-effort.patch
Patch0870: block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch
Patch0871: chardev-char.c-fix-abstract-device-type-error-messag.patch
Patch0872: hw-nvram-xlnx-efuse-ctrl-Free-XlnxVersalEFuseCtrl-pg.patch
Patch0873: hw-nvram-xlnx-efuse-Free-XlnxEFuse-ro_bits-array-on-.patch
Patch0874: hw-misc-mps2-scc-Free-MPS2SCC-oscclk-array-on-finali.patch
Patch0875: load_elf-fix-iterator-s-type-for-elf-file-processing.patch
Patch0876: linux-user-flatload.c-Fix-setting-of-image_info-end_.patch
Patch0877: hw-ide-core-set-ERR_STAT-in-unsupported-command-comp.patch
Patch0878: vga-fix-incorrect-line-height-in-640x200x2-mode.patch
Patch0879: configure-Add-missing-POSIX-required-space.patch
Patch0880: hw-virtio-virtio-iommu-Enforce-power-of-two-notify-f.patch
Patch0881: target-s390x-fix-handling-of-zeroes-in-vfmin-vfmax.patch
Patch0882: block-migration-Ensure-we-don-t-crash-during-migrati.patch
Patch0883: target-ppc-Modify-the-uncorrect-value-irq-to-n_IRQ.patch
Patch0884: qemu-options.hx-Don-t-claim-serial-has-limit-of-4-se.patch
Patch0885: tests-tcg-linux-test-Fix-random-hangs-in-test_socket.patch
Patch0886: ipmi-smbus-Add-a-check-around-a-memcpy.patch
Patch0887: linux-user-riscv-Align-signal-frame-to-16-bytes.patch
Patch0888: hw-block-hd-geometry-Do-not-override-specified-bios-.patch
Patch0889: target-i386-Add-kvm_get_one_msr-helper.patch
Patch0890: target-i386-Enable-support-for-XSAVES-based-features.patch
Patch0891: target-i386-Change-wrong-XFRM-value-in-SGX-CPUID-lea.patch
Patch0892: i386-cpu-Clear-FEAT_XSAVE_XSS_LO-HI-leafs-when-CPUID.patch
Patch0893: i386-cpu-Mask-with-XCR0-XSS-mask-for-FEAT_XSAVE_XCR0.patch
Patch0894: i386-cpuid-Decrease-cpuid_i-when-skipping-CPUID-leaf.patch
Patch0895: i386-cpuid-Move-leaf-7-to-correct-group.patch
BuildRequires: flex
BuildRequires: gcc
@ -1473,6 +1505,40 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
* Sat Mar 23 2024 <fengjiabo1@huawei.com> - 10:6.2.0-90
- i386/cpuid: Move leaf 7 to correct group
- i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F
- i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and FEAT_XSAVE_XSS_HI leafs
- i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE is not available
- target/i386: Change wrong XFRM value in SGX CPUID leaf
- target/i386: Enable support for XSAVES based features
- target/i386: Add kvm_get_one_msr helper
- hw/block/hd-geometry: Do not override specified bios-chs-trans mainline inclusion commit fd8a68ad6823d33bedeba20a22857867a1c3890e category: bugfix
- linux-user/riscv: Align signal frame to 16 bytes mainline inclusion commit 1eaa63429a9944265c92efdb94c02fabb231f564 category: bugfix
- ipmi:smbus: Add a check around a memcpy mainline inclusion commit 3fde641e7286f9b968bdb3b4b922c6465f2a9abc category: bugfix
- tests/tcg/linux-test: Fix random hangs in test_socket mainline inclusion commit b9e6074fc5b429b1e956e9c60db7e284a91e0f3d category: bugfix
- qemu-options.hx: Don't claim "-serial" has limit of 4 serial ports Before v2.12, the implementation of serial ports was limited to a value of MAX_SERIAL_PORTS = 4. We now dynamically allocate the data structures for serial ports, so this limit is no longer present, but the documentation for the -serial options still reads:
- target/ppc: Modify the uncorrect value irq to n_IRQ
- block-migration: Ensure we don't crash during migration cleanup
- target/s390x: fix handling of zeroes in vfmin/vfmax mainline inclusion commit 13c59eb09bd6d1fbc13f08b708226421f14a232b category: bugfix
- hw/virtio/virtio-iommu: Enforce power-of-two notify for both MAP and UNMAP mainline inclusion commit 0522be9a0c0094088ccef7aab352c57f483ca250 category: bugfix
- configure: Add missing POSIX-required space mainline inclusion commit 35a7a6fc5624b1df828d82f2dfa74d0e4188b3b2 category: bugfix
- vga: fix incorrect line height in 640x200x2 mode mainline inclusion commit 37e7b86766244b62a406747bb78e049390d0b528 category: bugfix
- hw/ide/core: set ERR_STAT in unsupported command completion
- linux-user/flatload.c: Fix setting of image_info::end_code mainline inclusion commit 734a659ad264ac080457167e845ffabbaaa66d0e category: bugfix
- load_elf: fix iterator's type for elf file processing
- hw/misc/mps2-scc: Free MPS2SCC::oscclk[] array on finalize()
- hw/nvram/xlnx-efuse: Free XlnxEFuse::ro_bits[] array on finalize()
- hw/nvram/xlnx-efuse-ctrl: Free XlnxVersalEFuseCtrl[] "pg0-lock" array
- chardev/char.c: fix "abstract device type" error message
- block/rbd: fix handling of holes in .bdrv_co_block_status
- qga: treat get-guest-fsinfo as "best effort" mainline inclusion commit bbb0151cf2e82489120a15df5e2eb9653312b0ec category: bugfix
- usb/hcd-xhci: check slotid in xhci_wakeup_endpoint() mainline inclusion commit 84218892f05515d20347fde4506e1944eb11cb25 category: bugfix
- hw/display/bcm2835_fb: Fix framebuffer allocation address mainline inclusion commit 5865d99fe88d8c8fa437c18c6b63fb2a8165634f category: bugfix
- block/parallels: Fix buffer-based write call mainline inclusion commit eba088f91d21d9e42a81bef847173da30c5da961 category: bugfix
- vl: Improve error message for conflicting -incoming and -loadvm
- hw/smbios: Fix OEM strings table option validation
* Sat Mar 9 2024 <fengjiabo1@huawei.com> - 10:6.2.0-89
- qga-win: Fix guest-get-fsinfo multi-disks collection
- hw/timer: fix systick trace message

56
qga-treat-get-guest-fsinfo-as-best-effort.patch Normal file
View File

@ -0,0 +1,56 @@
From 2e6562a5c390407e89eb7ab903ab4cc09651bbcb Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Fri, 8 Mar 2024 02:48:34 +0000
Subject: [PATCH] qga: treat get-guest-fsinfo as "best effort" mainline
inclusion commit bbb0151cf2e82489120a15df5e2eb9653312b0ec category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
In some container environments, there may be references to block devices
witnessable from a container through /proc/self/mountinfo that reference
devices we simply don't have access to in the container, and cannot
provide information about.
Instead of failing the entire fsinfo command, return stub information
for these failed lookups.
This allows test-qga to pass under docker tests, which are in turn used
by the CentOS VM tests.
Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220708153503.18864-2-jsnow@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
qga/commands-posix.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/qga/commands-posix.c b/qga/commands-posix.c
index 4e06271889..bee7a47ed2 100644
--- a/qga/commands-posix.c
+++ b/qga/commands-posix.c
@@ -1201,7 +1201,15 @@ static void build_guest_fsinfo_for_device(char const *devpath,
syspath = realpath(devpath, NULL);
if (!syspath) {
- error_setg_errno(errp, errno, "realpath(\"%s\")", devpath);
+ if (errno != ENOENT) {
+ error_setg_errno(errp, errno, "realpath(\"%s\")", devpath);
+ return;
+ }
+
+ /* ENOENT: This devpath may not exist because of container config */
+ if (!fs->name) {
+ fs->name = g_path_get_basename(devpath);
+ }
return;
}
--
2.27.0

123
target-i386-Add-kvm_get_one_msr-helper.patch Normal file
View File

@ -0,0 +1,123 @@
From 66d093c4b3fbb3dcb232b38852c47fe1d7d5e1c1 Mon Sep 17 00:00:00 2001
From: Yang Weijiang <weijiang.yang@intel.com>
Date: Tue, 15 Feb 2022 14:52:53 -0500
Subject: [PATCH] target/i386: Add kvm_get_one_msr helper
commit 5a778a5f820fdd907b95e93560637a61f6ea3c71 upstream.
When try to get one msr from KVM, I found there's no such kind of
existing interface while kvm_put_one_msr() is there. So here comes
the patch. It'll remove redundant preparation code before finally
call KVM_GET_MSRS IOCTL.
No functional change intended.
Intel-SIG: commit 5a778a5f820f target/i386: Add kvm_get_one_msr helper
Backport i386/cpu bugfixes
Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
Message-Id: <20220215195258.29149-4-weijiang.yang@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/kvm/kvm.c | 46 ++++++++++++++++++++++++-------------------
1 file changed, 26 insertions(+), 20 deletions(-)
diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
index 54e48530ad..e1601422bc 100644
--- a/target/i386/kvm/kvm.c
+++ b/target/i386/kvm/kvm.c
@@ -138,6 +138,7 @@ static struct kvm_msr_list *kvm_feature_msrs;
#define BUS_LOCK_SLICE_TIME 1000000000ULL /* ns */
static RateLimit bus_lock_ratelimit_ctrl;
+static int kvm_get_one_msr(X86CPU *cpu, int index, uint64_t *value);
int kvm_has_pit_state2(void)
{
@@ -208,28 +209,21 @@ static int kvm_get_tsc(CPUState *cs)
{
X86CPU *cpu = X86_CPU(cs);
CPUX86State *env = &cpu->env;
- struct {
- struct kvm_msrs info;
- struct kvm_msr_entry entries[1];
- } msr_data = {};
+ uint64_t value;
int ret;
if (env->tsc_valid) {
return 0;
}
- memset(&msr_data, 0, sizeof(msr_data));
- msr_data.info.nmsrs = 1;
- msr_data.entries[0].index = MSR_IA32_TSC;
env->tsc_valid = !runstate_is_running();
- ret = kvm_vcpu_ioctl(CPU(cpu), KVM_GET_MSRS, &msr_data);
+ ret = kvm_get_one_msr(cpu, MSR_IA32_TSC, &value);
if (ret < 0) {
return ret;
}
- assert(ret == 1);
- env->tsc = msr_data.entries[0].data;
+ env->tsc = value;
return 0;
}
@@ -1529,21 +1523,14 @@ static int hyperv_init_vcpu(X86CPU *cpu)
* the kernel doesn't support setting vp_index; assert that its value
* is in sync
*/
- struct {
- struct kvm_msrs info;
- struct kvm_msr_entry entries[1];
- } msr_data = {
- .info.nmsrs = 1,
- .entries[0].index = HV_X64_MSR_VP_INDEX,
- };
+ uint64_t value;
- ret = kvm_vcpu_ioctl(cs, KVM_GET_MSRS, &msr_data);
+ ret = kvm_get_one_msr(cpu, HV_X64_MSR_VP_INDEX, &value);
if (ret < 0) {
return ret;
}
- assert(ret == 1);
- if (msr_data.entries[0].data != hyperv_vp_index(CPU(cpu))) {
+ if (value != hyperv_vp_index(CPU(cpu))) {
error_report("kernel's vp_index != QEMU's vp_index");
return -ENXIO;
}
@@ -2766,6 +2753,25 @@ static int kvm_put_one_msr(X86CPU *cpu, int index, uint64_t value)
return kvm_vcpu_ioctl(CPU(cpu), KVM_SET_MSRS, cpu->kvm_msr_buf);
}
+static int kvm_get_one_msr(X86CPU *cpu, int index, uint64_t *value)
+{
+ int ret;
+ struct {
+ struct kvm_msrs info;
+ struct kvm_msr_entry entries[1];
+ } msr_data = {
+ .info.nmsrs = 1,
+ .entries[0].index = index,
+ };
+
+ ret = kvm_vcpu_ioctl(CPU(cpu), KVM_GET_MSRS, &msr_data);
+ if (ret < 0) {
+ return ret;
+ }
+ assert(ret == 1);
+ *value = msr_data.entries[0].data;
+ return ret;
+}
void kvm_put_apicbase(X86CPU *cpu, uint64_t value)
{
int ret;
--
2.27.0

46
target-i386-Change-wrong-XFRM-value-in-SGX-CPUID-lea.patch Normal file
View File

@ -0,0 +1,46 @@
From ad727933a766e952b5054bfd53c93ad43fdb6dec Mon Sep 17 00:00:00 2001
From: Yang Zhong <yang.zhong@linux.intel.com>
Date: Thu, 6 Apr 2023 02:40:41 -0400
Subject: [PATCH] target/i386: Change wrong XFRM value in SGX CPUID leaf
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
commit 72497cff896fecf74306ed33626c30e43633cdd6 upstream.
The previous patch wrongly replaced FEAT_XSAVE_XCR0_{LO|HI} with
FEAT_XSAVE_XSS_{LO|HI} in CPUID(EAX=12,ECX=1):{ECX,EDX}. As a result,
SGX enclaves only supported SSE and x87 feature (xfrm=0x3).
Intel-SIG: commit 72497cff896f target/i386: Change wrong XFRM value in SGX CPUID leaf
Backport i386/cpu bugfixes
Fixes: 301e90675c3f ("target/i386: Enable support for XSAVES based features")
Signed-off-by: Yang Zhong <yang.zhong@linux.intel.com>
Reviewed-by: Yang Weijiang <weijiang.yang@intel.com>
Reviewed-by: Kai Huang <kai.huang@intel.com>
Message-Id: <20230406064041.420039-1-yang.zhong@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/cpu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 6b098cc832..9ab8ef3bd1 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -5951,8 +5951,8 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
} else {
*eax &= env->features[FEAT_SGX_12_1_EAX];
*ebx &= 0; /* ebx reserve */
- *ecx &= env->features[FEAT_XSAVE_XSS_LO];
- *edx &= env->features[FEAT_XSAVE_XSS_HI];
+ *ecx &= env->features[FEAT_XSAVE_XCR0_LO];
+ *edx &= env->features[FEAT_XSAVE_XCR0_HI];
/* FP and SSE are always allowed regardless of XSAVE/XCR0. */
*ecx |= XSTATE_FP_MASK | XSTATE_SSE_MASK;
--
2.27.0

286
target-i386-Enable-support-for-XSAVES-based-features.patch Normal file
View File

@ -0,0 +1,286 @@
From 0a83478189efce4e6775977dc3c76a5750b52fb4 Mon Sep 17 00:00:00 2001
From: Yang Weijiang <weijiang.yang@intel.com>
Date: Tue, 15 Feb 2022 14:52:54 -0500
Subject: [PATCH] target/i386: Enable support for XSAVES based features
commit 301e90675c3fed6cdc48682021a1ab42bc0e0d76 upstream.
There're some new features, including Arch LBR, depending
on XSAVES/XRSTORS support, the new instructions will
save/restore data based on feature bits enabled in XCR0 | XSS.
This patch adds the basic support for related CPUID enumeration
and meanwhile changes the name from FEAT_XSAVE_COMP_{LO|HI} to
FEAT_XSAVE_XCR0_{LO|HI} to differentiate clearly the feature
bits in XCR0 and those in XSS.
Intel-SIG: commit 301e90675c3f target/i386: Enable support for XSAVES based features
Backport i386/cpu bugfixes
Signed-off-by: Yang Weijiang <weijiang.yang@intel.com>
Message-Id: <20220215195258.29149-5-weijiang.yang@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/cpu.c | 104 +++++++++++++++++++++++++++++++++++-----------
target/i386/cpu.h | 14 ++++++-
2 files changed, 92 insertions(+), 26 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 53a7484ca8..6b098cc832 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -977,6 +977,34 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
},
.tcg_features = TCG_XSAVE_FEATURES,
},
+ [FEAT_XSAVE_XSS_LO] = {
+ .type = CPUID_FEATURE_WORD,
+ .feat_names = {
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ },
+ .cpuid = {
+ .eax = 0xD,
+ .needs_ecx = true,
+ .ecx = 1,
+ .reg = R_ECX,
+ },
+ },
+ [FEAT_XSAVE_XSS_HI] = {
+ .type = CPUID_FEATURE_WORD,
+ .cpuid = {
+ .eax = 0xD,
+ .needs_ecx = true,
+ .ecx = 1,
+ .reg = R_EDX
+ },
+ },
[FEAT_6_EAX] = {
.type = CPUID_FEATURE_WORD,
.feat_names = {
@@ -992,7 +1020,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
.cpuid = { .eax = 6, .reg = R_EAX, },
.tcg_features = TCG_6_EAX_FEATURES,
},
- [FEAT_XSAVE_COMP_LO] = {
+ [FEAT_XSAVE_XCR0_LO] = {
.type = CPUID_FEATURE_WORD,
.cpuid = {
.eax = 0xD,
@@ -1005,7 +1033,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
XSTATE_OPMASK_MASK | XSTATE_ZMM_Hi256_MASK | XSTATE_Hi16_ZMM_MASK |
XSTATE_PKRU_MASK,
},
- [FEAT_XSAVE_COMP_HI] = {
+ [FEAT_XSAVE_XCR0_HI] = {
.type = CPUID_FEATURE_WORD,
.cpuid = {
.eax = 0xD,
@@ -1422,6 +1450,9 @@ static const X86RegisterInfo32 x86_reg_info_32[CPU_NB_REGS32] = {
};
#undef REGISTER
+/* CPUID feature bits available in XSS */
+#define CPUID_XSTATE_XSS_MASK (0)
+
ExtSaveArea x86_ext_save_areas[XSAVE_STATE_AREA_COUNT] = {
[XSTATE_FP_BIT] = {
/* x87 FP state component is always enabled if XSAVE is supported */
@@ -1464,15 +1495,18 @@ ExtSaveArea x86_ext_save_areas[XSAVE_STATE_AREA_COUNT] = {
},
};
-static uint32_t xsave_area_size(uint64_t mask)
+static uint32_t xsave_area_size(uint64_t mask, bool compacted)
{
+ uint64_t ret = x86_ext_save_areas[0].size;
+ const ExtSaveArea *esa;
+ uint32_t offset = 0;
int i;
- uint64_t ret = 0;
- for (i = 0; i < ARRAY_SIZE(x86_ext_save_areas); i++) {
- const ExtSaveArea *esa = &x86_ext_save_areas[i];
+ for (i = 2; i < ARRAY_SIZE(x86_ext_save_areas); i++) {
+ esa = &x86_ext_save_areas[i];
if ((mask >> i) & 1) {
- ret = MAX(ret, esa->offset + esa->size);
+ offset = compacted ? ret : esa->offset;
+ ret = MAX(ret, offset + esa->size);
}
}
return ret;
@@ -1483,10 +1517,10 @@ static inline bool accel_uses_host_cpuid(void)
return kvm_enabled() || hvf_enabled();
}
-static inline uint64_t x86_cpu_xsave_components(X86CPU *cpu)
+static inline uint64_t x86_cpu_xsave_xcr0_components(X86CPU *cpu)
{
- return ((uint64_t)cpu->env.features[FEAT_XSAVE_COMP_HI]) << 32 |
- cpu->env.features[FEAT_XSAVE_COMP_LO];
+ return ((uint64_t)cpu->env.features[FEAT_XSAVE_XCR0_HI]) << 32 |
+ cpu->env.features[FEAT_XSAVE_XCR0_LO];
}
/* Return name of 32-bit register, from a R_* constant */
@@ -1498,6 +1532,12 @@ static const char *get_register_name_32(unsigned int reg)
return x86_reg_info_32[reg].name;
}
+static inline uint64_t x86_cpu_xsave_xss_components(X86CPU *cpu)
+{
+ return ((uint64_t)cpu->env.features[FEAT_XSAVE_XSS_HI]) << 32 |
+ cpu->env.features[FEAT_XSAVE_XSS_LO];
+}
+
/*
* Returns the set of feature flags that are supported and migratable by
* QEMU, for a given FeatureWord.
@@ -4940,8 +4980,8 @@ static const char *x86_cpu_feature_name(FeatureWord w, int bitnr)
/* XSAVE components are automatically enabled by other features,
* so return the original feature name instead
*/
- if (w == FEAT_XSAVE_COMP_LO || w == FEAT_XSAVE_COMP_HI) {
- int comp = (w == FEAT_XSAVE_COMP_HI) ? bitnr + 32 : bitnr;
+ if (w == FEAT_XSAVE_XCR0_LO || w == FEAT_XSAVE_XCR0_HI) {
+ int comp = (w == FEAT_XSAVE_XCR0_HI) ? bitnr + 32 : bitnr;
if (comp < ARRAY_SIZE(x86_ext_save_areas) &&
x86_ext_save_areas[comp].bits) {
@@ -5831,25 +5871,36 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
}
if (count == 0) {
- *ecx = xsave_area_size(x86_cpu_xsave_components(cpu));
- *eax = env->features[FEAT_XSAVE_COMP_LO];
- *edx = env->features[FEAT_XSAVE_COMP_HI];
+ *ecx = xsave_area_size(x86_cpu_xsave_xcr0_components(cpu), false);
+ *eax = env->features[FEAT_XSAVE_XCR0_LO];
+ *edx = env->features[FEAT_XSAVE_XCR0_HI];
/*
* The initial value of xcr0 and ebx == 0, On host without kvm
* commit 412a3c41(e.g., CentOS 6), the ebx's value always == 0
* even through guest update xcr0, this will crash some legacy guest
* (e.g., CentOS 6), So set ebx == ecx to workaroud it.
*/
- *ebx = kvm_enabled() ? *ecx : xsave_area_size(env->xcr0);
+ *ebx = kvm_enabled() ? *ecx : xsave_area_size(env->xcr0, false);
} else if (count == 1) {
+ uint64_t xstate = x86_cpu_xsave_xcr0_components(cpu) |
+ x86_cpu_xsave_xss_components(cpu);
+
*eax = env->features[FEAT_XSAVE];
+ *ebx = xsave_area_size(xstate, true);
+ *ecx = env->features[FEAT_XSAVE_XSS_LO];
+ *edx = env->features[FEAT_XSAVE_XSS_HI];
} else if (count < ARRAY_SIZE(x86_ext_save_areas)) {
- if ((x86_cpu_xsave_components(cpu) >> count) & 1) {
- const ExtSaveArea *esa = &x86_ext_save_areas[count];
+ const ExtSaveArea *esa = &x86_ext_save_areas[count];
+
+ if (x86_cpu_xsave_xcr0_components(cpu) & (1ULL << count)) {
*eax = esa->size;
*ebx = esa->offset;
*ecx = esa->ecx &
(ESA_FEATURE_ALIGN64_MASK | ESA_FEATURE_XFD_MASK);
+ } else if (x86_cpu_xsave_xss_components(cpu) & (1ULL << count)) {
+ *eax = esa->size;
+ *ebx = 0;
+ *ecx = 1;
}
}
break;
@@ -5900,8 +5951,8 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
} else {
*eax &= env->features[FEAT_SGX_12_1_EAX];
*ebx &= 0; /* ebx reserve */
- *ecx &= env->features[FEAT_XSAVE_COMP_LO];
- *edx &= env->features[FEAT_XSAVE_COMP_HI];
+ *ecx &= env->features[FEAT_XSAVE_XSS_LO];
+ *edx &= env->features[FEAT_XSAVE_XSS_HI];
/* FP and SSE are always allowed regardless of XSAVE/XCR0. */
*ecx |= XSTATE_FP_MASK | XSTATE_SSE_MASK;
@@ -6306,6 +6357,9 @@ static void x86_cpu_reset(DeviceState *dev)
}
for (i = 2; i < ARRAY_SIZE(x86_ext_save_areas); i++) {
const ExtSaveArea *esa = &x86_ext_save_areas[i];
+ if (!((1 << i) & CPUID_XSTATE_XCR0_MASK)) {
+ continue;
+ }
if (env->features[esa->feature] & esa->bits) {
xcr0 |= 1ull << i;
}
@@ -6423,8 +6477,8 @@ static void x86_cpu_enable_xsave_components(X86CPU *cpu)
static bool request_perm;
if (!(env->features[FEAT_1_ECX] & CPUID_EXT_XSAVE)) {
- env->features[FEAT_XSAVE_COMP_LO] = 0;
- env->features[FEAT_XSAVE_COMP_HI] = 0;
+ env->features[FEAT_XSAVE_XCR0_LO] = 0;
+ env->features[FEAT_XSAVE_XCR0_HI] = 0;
return;
}
@@ -6442,8 +6496,10 @@ static void x86_cpu_enable_xsave_components(X86CPU *cpu)
request_perm = true;
}
- env->features[FEAT_XSAVE_COMP_LO] = mask;
- env->features[FEAT_XSAVE_COMP_HI] = mask >> 32;
+ env->features[FEAT_XSAVE_XCR0_LO] = mask & CPUID_XSTATE_XCR0_MASK;
+ env->features[FEAT_XSAVE_XCR0_HI] = mask >> 32;
+ env->features[FEAT_XSAVE_XSS_LO] = mask & CPUID_XSTATE_XSS_MASK;
+ env->features[FEAT_XSAVE_XSS_HI] = mask >> 32;
}
/***** Steps involved on loading and filtering CPUID data
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 32ecec5fa7..e8322a928b 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -565,6 +565,14 @@ typedef enum X86Seg {
#define ESA_FEATURE_XFD_MASK (1U << ESA_FEATURE_XFD_BIT)
+/* CPUID feature bits available in XCR0 */
+#define CPUID_XSTATE_XCR0_MASK (XSTATE_FP_MASK | XSTATE_SSE_MASK | \
+ XSTATE_YMM_MASK | XSTATE_BNDREGS_MASK | \
+ XSTATE_BNDCSR_MASK | XSTATE_OPMASK_MASK | \
+ XSTATE_ZMM_Hi256_MASK | \
+ XSTATE_Hi16_ZMM_MASK | XSTATE_PKRU_MASK | \
+ XSTATE_XTILE_CFG_MASK | XSTATE_XTILE_DATA_MASK)
+
/* CPUID feature words */
typedef enum FeatureWord {
FEAT_1_EDX, /* CPUID[1].EDX */
@@ -583,8 +591,8 @@ typedef enum FeatureWord {
FEAT_SVM, /* CPUID[8000_000A].EDX */
FEAT_XSAVE, /* CPUID[EAX=0xd,ECX=1].EAX */
FEAT_6_EAX, /* CPUID[6].EAX */
- FEAT_XSAVE_COMP_LO, /* CPUID[EAX=0xd,ECX=0].EAX */
- FEAT_XSAVE_COMP_HI, /* CPUID[EAX=0xd,ECX=0].EDX */
+ FEAT_XSAVE_XCR0_LO, /* CPUID[EAX=0xd,ECX=0].EAX */
+ FEAT_XSAVE_XCR0_HI, /* CPUID[EAX=0xd,ECX=0].EDX */
FEAT_ARCH_CAPABILITIES,
FEAT_CORE_CAPABILITY,
FEAT_PERF_CAPABILITIES,
@@ -601,6 +609,8 @@ typedef enum FeatureWord {
FEAT_SGX_12_0_EAX, /* CPUID[EAX=0x12,ECX=0].EAX (SGX) */
FEAT_SGX_12_0_EBX, /* CPUID[EAX=0x12,ECX=0].EBX (SGX MISCSELECT[31:0]) */
FEAT_SGX_12_1_EAX, /* CPUID[EAX=0x12,ECX=1].EAX (SGX ATTRIBUTES[31:0]) */
+ FEAT_XSAVE_XSS_LO, /* CPUID[EAX=0xd,ECX=1].ECX */
+ FEAT_XSAVE_XSS_HI, /* CPUID[EAX=0xd,ECX=1].EDX */
FEAT_7_1_EDX, /* CPUID[EAX=7,ECX=1].EDX */
FEAT_7_2_EDX, /* CPUID[EAX=7,ECX=2].EDX */
FEATURE_WORDS,
--
2.27.0

28
target-ppc-Modify-the-uncorrect-value-irq-to-n_IRQ.patch Normal file
View File

@ -0,0 +1,28 @@
From 7ccba831f3a42e95eb06e997b9b85fddf3cd724c Mon Sep 17 00:00:00 2001
From: JianChunfu <chunfu.jian@shingroup.cn>
Date: Fri, 15 Mar 2024 14:22:45 +0800
Subject: [PATCH] target/ppc: Modify the uncorrect value irq to n_IRQ
Modify the uncorrect value "irq" to "n_IRQ" submitted before.
Signed-off-by: JianChunfu <chunfu.jian@shingroup.cn>
---
hw/ppc/ppc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/ppc/ppc.c b/hw/ppc/ppc.c
index 6396bbe523..dedd56263d 100644
--- a/hw/ppc/ppc.c
+++ b/hw/ppc/ppc.c
@@ -67,7 +67,7 @@ void ppc_set_irq(PowerPCCPU *cpu, int n_IRQ, int level)
if (old_pending != env->pending_interrupts) {
if (kvm_enabled()) {
- kvmppc_set_interrupt(cpu, irq, level);
+ kvmppc_set_interrupt(cpu, n_IRQ, level);
}
}
--
2.27.0

51
target-s390x-fix-handling-of-zeroes-in-vfmin-vfmax.patch Normal file
View File

@ -0,0 +1,51 @@
From 81d20b4ec93e9689bff056a0a8bf6ff260da0c68 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Wed, 13 Mar 2024 05:40:28 +0000
Subject: [PATCH] target/s390x: fix handling of zeroes in vfmin/vfmax mainline
inclusion commit 13c59eb09bd6d1fbc13f08b708226421f14a232b category: bugfix
---------------------------------------------------------------
vfmin_res() / vfmax_res() are trying to check whether a and b are both
zeroes, but in reality they check that they are the same kind of zero.
This causes incorrect results when comparing positive and negative
zeroes.
Fixes: da4807527f3b ("s390x/tcg: Implement VECTOR FP (MAXIMUM|MINIMUM)")
Co-developed-by: Ulrich Weigand <ulrich.weigand@de.ibm.com>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: David Hildenbrand <david@redhat.com>
Message-Id: <20220713182612.3780050-2-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
target/s390x/tcg/vec_fpu_helper.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/target/s390x/tcg/vec_fpu_helper.c b/target/s390x/tcg/vec_fpu_helper.c
index 1a77993471..d1249706f9 100644
--- a/target/s390x/tcg/vec_fpu_helper.c
+++ b/target/s390x/tcg/vec_fpu_helper.c
@@ -794,7 +794,7 @@ static S390MinMaxRes vfmin_res(uint16_t dcmask_a, uint16_t dcmask_b,
default:
g_assert_not_reached();
}
- } else if (unlikely(dcmask_a & dcmask_b & DCMASK_ZERO)) {
+ } else if (unlikely((dcmask_a & DCMASK_ZERO) && (dcmask_b & DCMASK_ZERO))) {
switch (type) {
case S390_MINMAX_TYPE_JAVA:
return neg_a ? S390_MINMAX_RES_A : S390_MINMAX_RES_B;
@@ -844,7 +844,7 @@ static S390MinMaxRes vfmax_res(uint16_t dcmask_a, uint16_t dcmask_b,
default:
g_assert_not_reached();
}
- } else if (unlikely(dcmask_a & dcmask_b & DCMASK_ZERO)) {
+ } else if (unlikely((dcmask_a & DCMASK_ZERO) && (dcmask_b & DCMASK_ZERO))) {
const bool neg_a = dcmask_a & DCMASK_NEGATIVE;
switch (type) {
--
2.27.0

41
tests-tcg-linux-test-Fix-random-hangs-in-test_socket.patch Normal file
View File

@ -0,0 +1,41 @@
From e4bfb1b17a1e548bdc96228a80e85c97eedf0299 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Thu, 21 Mar 2024 02:57:07 +0000
Subject: [PATCH] tests/tcg/linux-test: Fix random hangs in test_socket
mainline inclusion commit b9e6074fc5b429b1e956e9c60db7e284a91e0f3d category:
bugfix
---------------------------------------------------------------
test_socket hangs randomly in connect(), especially when run without
qemu. Apparently the reason is that linux started treating backlog
value of 0 literally instead of rounding it up since v4.4 (commit
ef547f2ac16b).
So set it to 1 instead.
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20220725144251.192720-1-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
tests/tcg/multiarch/linux/linux-test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/tcg/multiarch/linux/linux-test.c b/tests/tcg/multiarch/linux/linux-test.c
index 78c68540ef..64f57cb287 100644
--- a/tests/tcg/multiarch/linux/linux-test.c
+++ b/tests/tcg/multiarch/linux/linux-test.c
@@ -263,7 +263,7 @@ static int server_socket(void)
sockaddr.sin_port = htons(0); /* choose random ephemeral port) */
sockaddr.sin_addr.s_addr = 0;
chk_error(bind(fd, (struct sockaddr *)&sockaddr, sizeof(sockaddr)));
- chk_error(listen(fd, 0));
+ chk_error(listen(fd, 1));
return fd;
}
--
2.27.0

39
usb-hcd-xhci-check-slotid-in-xhci_wakeup_endpoint.patch Normal file
View File

@ -0,0 +1,39 @@
From d43f2a9725a1211a0db657b9911a54d58ba26b36 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Fri, 8 Mar 2024 03:10:14 +0000
Subject: [PATCH] usb/hcd-xhci: check slotid in xhci_wakeup_endpoint()
mainline inclusion commit 84218892f05515d20347fde4506e1944eb11cb25 category:
bugfix
---------------------------------------------------------------
This prevents an OOB read (followed by an assertion failure in
xhci_kick_ep) when slotid > xhci->numslots.
Reported-by: Soul Chen <soulchen8650@gmail.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20220705174734.2348829-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/usb/hcd-xhci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 40300e1bcd..29636795be 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -3288,7 +3288,8 @@ static void xhci_wakeup_endpoint(USBBus *bus, USBEndpoint *ep,
DPRINTF("%s\n", __func__);
slotid = ep->dev->addr;
- if (slotid == 0 || !xhci->slots[slotid-1].enabled) {
+ if (slotid == 0 || slotid > xhci->numslots ||
+ !xhci->slots[slotid - 1].enabled) {
DPRINTF("%s: oops, no slot for dev %d\n", __func__, ep->dev->addr);
return;
}
--
2.27.0

45
vga-fix-incorrect-line-height-in-640x200x2-mode.patch Normal file
View File

@ -0,0 +1,45 @@
From d996226ded0190b96cce09169291cc696a390832 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Wed, 13 Mar 2024 02:51:28 +0000
Subject: [PATCH] vga: fix incorrect line height in 640x200x2 mode mainline
inclusion commit 37e7b86766244b62a406747bb78e049390d0b528 category: bugfix
---------------------------------------------------------------
When in CGA modes, QEMU wants to ignore the maximum scan field (bits 0..4) of
the maximum scan length register in the CRTC. It is not clear why this is
needed---for example, Bochs ignores bit 7 instead. The issue is that the
CGA modes are not detected correctly, and in particular mode 6 results in
multi_scan==3 according to how SeaBIOS programs it. The right way to check
for CGA graphics modes is to check whether bit 13 of the address is special
cased by the CRT controller to achieve line interleaving, i.e. whether bit 0
of the CRTC mode control register is clear.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1020
Reported-by: Korneliusz Osmenda <korneliuszo@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/display/vga.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/display/vga.c b/hw/display/vga.c
index 9d1f66af40..33765148d9 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1514,9 +1514,10 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
force_shadow = true;
}
+ /* bits 5-6: 0 = 16-color mode, 1 = 4-color mode, 2 = 256-color mode. */
shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3;
double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7);
- if (shift_control != 1) {
+ if (s->cr[VGA_CRTC_MODE] & 1) {
multi_scan = (((s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1) << double_scan)
- 1;
} else {
--
2.27.0

47
vl-Improve-error-message-for-conflicting-incoming-an.patch Normal file
View File

@ -0,0 +1,47 @@
From 2971bbb88efe921f7b3e1ee80295e16ae5954e67 Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Sun, 3 Mar 2024 22:41:52 -0800
Subject: [PATCH] vl: Improve error message for conflicting -incoming and
-loadvm
Currently, the conflict between -incoming and -loadvm is only detected
when loading the snapshot fails because the image is still inactive for
the incoming migration. This results in a suboptimal error message:
$ ./qemu-system-x86_64 -hda /tmp/test.qcow2 -loadvm foo -incoming defer
qemu-system-x86_64: Device 'ide0-hd0' is writable but does not support snapshots
Catch the situation already in qemu_validate_options() to improve the
message:
$ ./qemu-system-x86_64 -hda /tmp/test.qcow2 -loadvm foo -incoming defer
qemu-system-x86_64: 'incoming' and 'loadvm' options are mutually exclusive
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20231201142520.32255-3-kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 5a7f21efaf99c60614fe1967be1c0f9aa46c526e)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
softmmu/vl.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/softmmu/vl.c b/softmmu/vl.c
index e34c8a0646..9dcbc3b266 100644
--- a/softmmu/vl.c
+++ b/softmmu/vl.c
@@ -2474,6 +2474,10 @@ static void qemu_validate_options(const QDict *machine_opts)
}
}
+ if (loadvm && incoming) {
+ error_report("'incoming' and 'loadvm' options are mutually exclusive");
+ exit(EXIT_FAILURE);
+ }
if (loadvm && preconfig_requested) {
error_report("'preconfig' and 'loadvm' options are "
"mutually exclusive");
--
2.27.0