diff --git a/hw-arm-virt-Introduce-a-IPIV-machine-option.patch b/hw-arm-virt-Introduce-a-IPIV-machine-option.patch new file mode 100644 index 0000000000000000000000000000000000000000..7cf229cb16793b4d5e4dff2cb77a982bdeb31f8c --- /dev/null +++ b/hw-arm-virt-Introduce-a-IPIV-machine-option.patch @@ -0,0 +1,105 @@ +From 9db5487d84eef5ba38adefb70138644d1012f05f Mon Sep 17 00:00:00 2001 +From: Jinqian Yang +Date: Tue, 23 Sep 2025 12:09:39 +0800 +Subject: [PATCH] hw/arm/virt: Introduce a IPIV machine option + +Add the ipiv switch in the "-machine" to allow the guest to more +flexibly choose whether to enable ipiv. + +Signed-off-by: Jinqian Yang +--- + hw/arm/virt.c | 19 +++++++++++++++++++ + include/hw/arm/virt.h | 1 + + target/arm/kvm.c | 10 ++++++++-- + 3 files changed, 28 insertions(+), 2 deletions(-) + +diff --git a/hw/arm/virt.c b/hw/arm/virt.c +index f7a9ba9a58..db1b9715e0 100644 +--- a/hw/arm/virt.c ++++ b/hw/arm/virt.c +@@ -3044,6 +3044,20 @@ static void virt_set_its(Object *obj, bool value, Error **errp) + vms->its = value; + } + ++static bool virt_get_ipiv(Object *obj, Error **errp) ++{ ++ VirtMachineState *vms = VIRT_MACHINE(obj); ++ ++ return vms->ipiv; ++} ++ ++static void virt_set_ipiv(Object *obj, bool value, Error **errp) ++{ ++ VirtMachineState *vms = VIRT_MACHINE(obj); ++ ++ vms->ipiv = value; ++} ++ + static void virt_get_dtb_randomness(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) + { +@@ -4086,6 +4100,11 @@ static void virt_machine_class_init(ObjectClass *oc, void *data) + "in ACPI table header." + "The string may be up to 8 bytes in size"); + ++ object_class_property_add_bool(oc, "ipiv", ++ virt_get_ipiv, ++ virt_set_ipiv); ++ object_class_property_set_description(oc, "ipiv", ++ "Set on/off to enable/disable IPIV"); + } + + static char *virt_get_kvm_type(Object *obj, Error **errp G_GNUC_UNUSED) +diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h +index fee7c27e0c..a54b0057fb 100644 +--- a/include/hw/arm/virt.h ++++ b/include/hw/arm/virt.h +@@ -225,6 +225,7 @@ struct VirtMachineState { + bool cpu_hotplug_enabled; + bool ras; + bool mte; ++ bool ipiv; + OnOffAuto dtb_randomness; + bool pmu; + int smmu_accel_count; +diff --git a/target/arm/kvm.c b/target/arm/kvm.c +index f45783a9da..7d443a967d 100644 +--- a/target/arm/kvm.c ++++ b/target/arm/kvm.c +@@ -34,6 +34,7 @@ + #include "hw/irq.h" + #include "qapi/visitor.h" + #include "qemu/log.h" ++#include "hw/arm/virt.h" + + const KVMCapabilityInfo kvm_arch_required_capabilities[] = { + KVM_CAP_LAST_INFO +@@ -259,10 +260,15 @@ int kvm_arch_get_default_type(MachineState *ms) + return fixed_ipa ? 0 : size; + } + +-static void kvm_update_ipiv_cap(KVMState *s) ++static void kvm_update_ipiv_cap(MachineState *ms, KVMState *s) + { ++ VirtMachineState *vms = VIRT_MACHINE(ms); + int ret; + ++ if (!vms->ipiv) { ++ return; ++ } ++ + if (!kvm_check_extension(s, KVM_CAP_ARM_HISI_IPIV)) { + return; + } +@@ -349,7 +355,7 @@ int kvm_arch_init(MachineState *ms, KVMState *s) + } + + kvm_arm_init_debug(s); +- kvm_update_ipiv_cap(s); ++ kvm_update_ipiv_cap(ms, s); + + ret = kvm_arm_rme_init(ms); + if (ret) { +-- +2.33.0 + diff --git a/hw-vfio-migration-Fix-vfio-migration-isn-t-aborted-i.patch b/hw-vfio-migration-Fix-vfio-migration-isn-t-aborted-i.patch new file mode 100644 index 0000000000000000000000000000000000000000..7592c6e3436b6392f0a89d5a356f419ab3300247 --- /dev/null +++ b/hw-vfio-migration-Fix-vfio-migration-isn-t-aborted-i.patch @@ -0,0 +1,57 @@ +From 6bba3fc99e393c8bdec27ce671f124d18b5642ff Mon Sep 17 00:00:00 2001 +From: Kunkun Jiang +Date: Sun, 28 Sep 2025 15:43:12 +0800 +Subject: [PATCH] hw/vfio/migration: Fix vfio migration isn't aborted in a + corner case + +In the final stage of vfio migration, the destination VM will execute +vm_start + vfio_vmstate_change + vfio_migration_set_state +At this time, vfio_migration_set_state may return failure. For example, +the device is in the reset process due to some hardware problems. In +this case, the vfio migration should be aborted, but the current logic +does not abort. Instead, it continues to execute, which will cause +Unpredictable impact. This patch fixes this case. + +Signed-off-by: Kunkun Jiang +--- + hw/vfio/migration.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/hw/vfio/migration.c b/hw/vfio/migration.c +index b81cb7e23b..8c27298477 100644 +--- a/hw/vfio/migration.c ++++ b/hw/vfio/migration.c +@@ -720,7 +720,7 @@ static void vfio_vmstate_change_prepare(void *opaque, bool running, + static void vfio_vmstate_change(void *opaque, bool running, RunState state) + { + VFIODevice *vbasedev = opaque; +- enum vfio_device_mig_state new_state; ++ enum vfio_device_mig_state new_state, pre_state; + int ret; + + if (running) { +@@ -733,6 +733,8 @@ static void vfio_vmstate_change(void *opaque, bool running, RunState state) + VFIO_DEVICE_STATE_STOP; + } + ++ pre_state = vbasedev->migration->device_state; ++ + /* + * If setting the device in new_state fails, the device should be reset. + * To do so, use ERROR state as a recover state. +@@ -747,6 +749,10 @@ static void vfio_vmstate_change(void *opaque, bool running, RunState state) + if (migrate_get_current()->to_dst_file) { + qemu_file_set_error(migrate_get_current()->to_dst_file, ret); + } ++ ++ if (pre_state == VFIO_DEVICE_STATE_RESUMING) { ++ exit(EXIT_FAILURE); ++ } + } + + trace_vfio_vmstate_change(vbasedev->name, running, RunState_str(state), +-- +2.33.0 + diff --git a/qemu.spec b/qemu.spec index fb4c021e8dec20968675908f85636f83b2d1e73c..70b023b17240fffbb4ed964ebb00f79f8eb08b71 100644 --- a/qemu.spec +++ b/qemu.spec @@ -3,7 +3,7 @@ Name: qemu Version: 8.2.0 -Release: 47 +Release: 48 Epoch: 11 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -1082,6 +1082,17 @@ Patch1065: ssh-Do-not-switch-session-to-non-blocking-mode.patch Patch1066: target-ppc-Fix-mtDPDES-targeting-SMT-siblings.patch Patch1067: target-ppc-Fix-non-maskable-interrupt-while-halted.patch Patch1068: elfload-Fix-alignment-when-unmapping-excess-reservat.patch +Patch1069: target-s390x-Fix-MVC-not-always-invalidating-transla.patch +Patch1070: target-sparc-Fix-gdbstub-incorrectly-handling-regist.patch +Patch1071: virtio-net-Fix-size-check-in-dhclient-workaround.patch +Patch1072: vdpa-Fix-endian-bugs-in-shadow-virtqueue.patch +Patch1073: x86-loader-only-patch-linux-kernels.patch +Patch1074: target-ppc-Fix-e200-duplicate-SPRs.patch +Patch1075: vfio-container-For-CSV3-VM-only-register-listener-to.patch +Patch1076: target-riscv-kvm-update-the-KVM-regs-to-Linux-rvck-6.patch +Patch1077: target-riscv-kvm-Fix-exposure-of-Zkr.patch +Patch1078: hw-arm-virt-Introduce-a-IPIV-machine-option.patch +Patch1079: hw-vfio-migration-Fix-vfio-migration-isn-t-aborted-i.patch BuildRequires: flex BuildRequires: gcc @@ -1684,6 +1695,19 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Wed Oct 22 2025 Junqi Ma - 11:8.2.0-48 +- target/s390x: Fix MVC not always invalidating translation blocks +- target/sparc: Fix gdbstub incorrectly handling registers f32-f62 +- virtio-net: Fix size check in dhclient workaround +- vdpa: Fix endian bugs in shadow virtqueue +- x86/loader: only patch linux kernels +- target/ppc: Fix e200 duplicate SPRs +- vfio/container: For CSV3 VM, only register listener to shared_memory_listener list in vfio_connect_container() +- target/riscv/kvm: update the KVM regs to Linux rvck-6.6 +- target/riscv/kvm: Fix exposure of Zkr +- hw/arm/virt: Introduce a IPIV machine option +- hw/vfio/migration: Fix vfio migration isn't aborted in a corner case + * Mon Oct 20 2025 Pengrui Zhang - 11:8.2.0-47 - vdpa: Allow vDPA to work on big-endian machine - vfio/container: Replace basename with g_path_get_basename diff --git a/target-ppc-Fix-e200-duplicate-SPRs.patch b/target-ppc-Fix-e200-duplicate-SPRs.patch new file mode 100644 index 0000000000000000000000000000000000000000..90264275de2da35f08e94f1e2816903b38246877 --- /dev/null +++ b/target-ppc-Fix-e200-duplicate-SPRs.patch @@ -0,0 +1,46 @@ +From 338823420b806247a98c1c6c2be3ac8a257a7eca Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Fri, 1 Aug 2025 02:03:45 -0400 +Subject: [PATCH] target/ppc: Fix e200 duplicate SPRs + +cheery-pick from d63f951f4746f080fbdc11e577f1fba931be8cdc + +DSRR0/1 registers are in the BookE ISA not e200 specific, so +remove the duplicate e200 register definitions. + +Cc: Roman Kapl +Cc: qemu-stable@nongnu.org +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2768 +Fixes: 0e3bf4890906 ("ppc: add DBCR based debugging") +Signed-off-by: Nicholas Piggin +(cherry picked from commit 73c0c904fc99e2ceecbbded84ec76d40d3f2daae) +(Mjt: context fix for + v9.0.0-935-g581eea5d656b "target/ppc: Split off common embedded TLB init") +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + target/ppc/cpu_init.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/target/ppc/cpu_init.c b/target/ppc/cpu_init.c +index 40fe14a6c2..c01a8c9a90 100644 +--- a/target/ppc/cpu_init.c ++++ b/target/ppc/cpu_init.c +@@ -2713,14 +2713,6 @@ static void init_proc_e200(CPUPPCState *env) + SPR_NOACCESS, SPR_NOACCESS, + &spr_read_generic, &spr_write_generic, + 0x00000000); /* TOFIX */ +- spr_register(env, SPR_BOOKE_DSRR0, "DSRR0", +- SPR_NOACCESS, SPR_NOACCESS, +- &spr_read_generic, &spr_write_generic, +- 0x00000000); +- spr_register(env, SPR_BOOKE_DSRR1, "DSRR1", +- SPR_NOACCESS, SPR_NOACCESS, +- &spr_read_generic, &spr_write_generic, +- 0x00000000); + #if !defined(CONFIG_USER_ONLY) + env->nb_tlb = 64; + env->nb_ways = 1; +-- +2.33.0 + diff --git a/target-riscv-kvm-Fix-exposure-of-Zkr.patch b/target-riscv-kvm-Fix-exposure-of-Zkr.patch new file mode 100644 index 0000000000000000000000000000000000000000..af31237dfa34506422a86e1aaffe2015f7889c92 --- /dev/null +++ b/target-riscv-kvm-Fix-exposure-of-Zkr.patch @@ -0,0 +1,124 @@ +From 35a53e8e95ccd1d929f9091c08fc9f06f26ab3c1 Mon Sep 17 00:00:00 2001 +From: Andrew Jones +Date: Thu, 4 Sep 2025 17:18:17 +0800 +Subject: [PATCH] target/riscv/kvm: Fix exposure of Zkr + +commit 86997772fa807f3961e5aeed97af7738adec1b43 upstream + +The Zkr extension may only be exposed to KVM guests if the VMM +implements the SEED CSR. Use the same implementation as TCG. + +Without this patch, running with a KVM which does not forward the +SEED CSR access to QEMU will result in an ILL exception being +injected into the guest (this results in Linux guests crashing on +boot). And, when running with a KVM which does forward the access, +QEMU will crash, since QEMU doesn't know what to do with the exit. + +Fixes: 3108e2f1c69d ("target/riscv/kvm: update KVM exts to Linux 6.8") +Signed-off-by: Andrew Jones +Reviewed-by: Daniel Henrique Barboza +Cc: qemu-stable +Message-ID: <20240422134605.534207-2-ajones@ventanamicro.com> +Signed-off-by: Alistair Francis +--- + target/riscv/cpu.h | 3 +++ + target/riscv/csr.c | 18 ++++++++++++++---- + target/riscv/kvm/kvm-cpu.c | 25 +++++++++++++++++++++++++ + 3 files changed, 42 insertions(+), 4 deletions(-) + +diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h +index e1c3485216..4b596a6964 100644 +--- a/target/riscv/cpu.h ++++ b/target/riscv/cpu.h +@@ -793,6 +793,9 @@ void riscv_set_csr_ops(int csrno, riscv_csr_operations *ops); + + void riscv_cpu_register_gdb_regs_for_features(CPUState *cs); + ++target_ulong riscv_new_csr_seed(target_ulong new_value, ++ target_ulong write_mask); ++ + uint8_t satp_mode_max_from_map(uint32_t map); + const char *satp_mode_str(uint8_t satp_mode, bool is_32_bit); + +diff --git a/target/riscv/csr.c b/target/riscv/csr.c +index 3d9ea0c316..69921e04cf 100644 +--- a/target/riscv/csr.c ++++ b/target/riscv/csr.c +@@ -4199,10 +4199,8 @@ static RISCVException write_upmbase(CPURISCVState *env, int csrno, + #endif + + /* Crypto Extension */ +-static RISCVException rmw_seed(CPURISCVState *env, int csrno, +- target_ulong *ret_value, +- target_ulong new_value, +- target_ulong write_mask) ++target_ulong riscv_new_csr_seed(target_ulong new_value, ++ target_ulong write_mask) + { + uint16_t random_v; + Error *random_e = NULL; +@@ -4226,6 +4224,18 @@ static RISCVException rmw_seed(CPURISCVState *env, int csrno, + rval = random_v | SEED_OPST_ES16; + } + ++ return rval; ++} ++ ++static RISCVException rmw_seed(CPURISCVState *env, int csrno, ++ target_ulong *ret_value, ++ target_ulong new_value, ++ target_ulong write_mask) ++{ ++ target_ulong rval; ++ ++ rval = riscv_new_csr_seed(new_value, write_mask); ++ + if (ret_value) { + *ret_value = rval; + } +diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c +index ce26163d03..c38e8077a2 100644 +--- a/target/riscv/kvm/kvm-cpu.c ++++ b/target/riscv/kvm/kvm-cpu.c +@@ -1260,6 +1260,28 @@ static int kvm_riscv_handle_sbi(CPUState *cs, struct kvm_run *run) + return ret; + } + ++static int kvm_riscv_handle_csr(CPUState *cs, struct kvm_run *run) ++{ ++ target_ulong csr_num = run->riscv_csr.csr_num; ++ target_ulong new_value = run->riscv_csr.new_value; ++ target_ulong write_mask = run->riscv_csr.write_mask; ++ int ret = 0; ++ ++ switch (csr_num) { ++ case CSR_SEED: ++ run->riscv_csr.ret_value = riscv_new_csr_seed(new_value, write_mask); ++ break; ++ default: ++ qemu_log_mask(LOG_UNIMP, ++ "%s: un-handled CSR EXIT for CSR %lx\n", ++ __func__, csr_num); ++ ret = -1; ++ break; ++ } ++ ++ return ret; ++} ++ + int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run) + { + int ret = 0; +@@ -1267,6 +1289,9 @@ int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run) + case KVM_EXIT_RISCV_SBI: + ret = kvm_riscv_handle_sbi(cs, run); + break; ++ case KVM_EXIT_RISCV_CSR: ++ ret = kvm_riscv_handle_csr(cs, run); ++ break; + default: + qemu_log_mask(LOG_UNIMP, "%s: un-handled exit reason %d\n", + __func__, run->exit_reason); +-- +2.33.0 + diff --git a/target-riscv-kvm-update-the-KVM-regs-to-Linux-rvck-6.patch b/target-riscv-kvm-update-the-KVM-regs-to-Linux-rvck-6.patch new file mode 100644 index 0000000000000000000000000000000000000000..fb8aa59245efd82a672a547989ca46387bef9e34 --- /dev/null +++ b/target-riscv-kvm-update-the-KVM-regs-to-Linux-rvck-6.patch @@ -0,0 +1,256 @@ +From bab10c628c7df3b79a6225c19cc0e0d1b795e79f Mon Sep 17 00:00:00 2001 +From: yechao-w +Date: Wed, 3 Sep 2025 14:14:03 +0800 +Subject: [PATCH] target/riscv/kvm: update the KVM regs to Linux rvck-6.6 + +Few new regs added: +ziccrse,zicond,zihintntl,zimop,zcmop,zabha,zacas,zawrs,zfa,zfh,zfhmin, +zbc,zbkb,zbkc,zbkx,zca,zcb,zcd,zcf,zknd,zkne,zknh,zkr,zksed,zksh,zkt, +ztso,zvbb,zvbc,zvfh,zvfhmin,zvkb,zvkg,zvkned,zvknha,zvknhb,zvksed,zvksh, +zvkt,smnpm,smstateen,ssnpm,svade,svadu,svvptc + +Signed-off-by: yechao-w +--- + linux-headers/asm-riscv/kvm.h | 44 ++++++++++++++++++++++++++++++++++ + target/riscv/cpu.c | 9 +++++++ + target/riscv/cpu.h | 3 ++- + target/riscv/cpu_cfg.h | 12 ++++++++++ + target/riscv/kvm/kvm-cpu.c | 45 +++++++++++++++++++++++++++++++++++ + 5 files changed, 112 insertions(+), 1 deletion(-) + +diff --git a/linux-headers/asm-riscv/kvm.h b/linux-headers/asm-riscv/kvm.h +index 60d3b21dea..5655a69769 100644 +--- a/linux-headers/asm-riscv/kvm.h ++++ b/linux-headers/asm-riscv/kvm.h +@@ -139,6 +139,50 @@ enum KVM_RISCV_ISA_EXT_ID { + KVM_RISCV_ISA_EXT_ZIHPM, + KVM_RISCV_ISA_EXT_SMSTATEEN, + KVM_RISCV_ISA_EXT_ZICOND, ++ KVM_RISCV_ISA_EXT_ZBC, ++ KVM_RISCV_ISA_EXT_ZBKB, ++ KVM_RISCV_ISA_EXT_ZBKC, ++ KVM_RISCV_ISA_EXT_ZBKX, ++ KVM_RISCV_ISA_EXT_ZKND, ++ KVM_RISCV_ISA_EXT_ZKNE, ++ KVM_RISCV_ISA_EXT_ZKNH, ++ KVM_RISCV_ISA_EXT_ZKR, ++ KVM_RISCV_ISA_EXT_ZKSED, ++ KVM_RISCV_ISA_EXT_ZKSH, ++ KVM_RISCV_ISA_EXT_ZKT, ++ KVM_RISCV_ISA_EXT_ZVBB, ++ KVM_RISCV_ISA_EXT_ZVBC, ++ KVM_RISCV_ISA_EXT_ZVKB, ++ KVM_RISCV_ISA_EXT_ZVKG, ++ KVM_RISCV_ISA_EXT_ZVKNED, ++ KVM_RISCV_ISA_EXT_ZVKNHA, ++ KVM_RISCV_ISA_EXT_ZVKNHB, ++ KVM_RISCV_ISA_EXT_ZVKSED, ++ KVM_RISCV_ISA_EXT_ZVKSH, ++ KVM_RISCV_ISA_EXT_ZVKT, ++ KVM_RISCV_ISA_EXT_ZFH, ++ KVM_RISCV_ISA_EXT_ZFHMIN, ++ KVM_RISCV_ISA_EXT_ZIHINTNTL, ++ KVM_RISCV_ISA_EXT_ZVFH, ++ KVM_RISCV_ISA_EXT_ZVFHMIN, ++ KVM_RISCV_ISA_EXT_ZFA, ++ KVM_RISCV_ISA_EXT_ZTSO, ++ KVM_RISCV_ISA_EXT_ZACAS, ++ KVM_RISCV_ISA_EXT_SSCOFPMF, ++ KVM_RISCV_ISA_EXT_ZIMOP, ++ KVM_RISCV_ISA_EXT_ZCA, ++ KVM_RISCV_ISA_EXT_ZCB, ++ KVM_RISCV_ISA_EXT_ZCD, ++ KVM_RISCV_ISA_EXT_ZCF, ++ KVM_RISCV_ISA_EXT_ZCMOP, ++ KVM_RISCV_ISA_EXT_ZAWRS, ++ KVM_RISCV_ISA_EXT_SMNPM, ++ KVM_RISCV_ISA_EXT_SSNPM, ++ KVM_RISCV_ISA_EXT_SVADE, ++ KVM_RISCV_ISA_EXT_SVADU, ++ KVM_RISCV_ISA_EXT_SVVPTC, ++ KVM_RISCV_ISA_EXT_ZABHA, ++ KVM_RISCV_ISA_EXT_ZICCRSE, + KVM_RISCV_ISA_EXT_MAX, + }; + +diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c +index 77cb59b8a1..7d921d8e9b 100644 +--- a/target/riscv/cpu.c ++++ b/target/riscv/cpu.c +@@ -79,6 +79,7 @@ const uint32_t misa_bits[] = {RVI, RVE, RVM, RVA, RVF, RVD, RVV, + const RISCVIsaExtData isa_edata_arr[] = { + ISA_EXT_DATA_ENTRY(zicbom, PRIV_VERSION_1_12_0, ext_zicbom), + ISA_EXT_DATA_ENTRY(zicboz, PRIV_VERSION_1_12_0, ext_zicboz), ++ ISA_EXT_DATA_ENTRY(ziccrse, PRIV_VERSION_1_11_0, ext_ziccrse), + ISA_EXT_DATA_ENTRY(zicond, PRIV_VERSION_1_12_0, ext_zicond), + ISA_EXT_DATA_ENTRY(zicntr, PRIV_VERSION_1_12_0, ext_zicntr), + ISA_EXT_DATA_ENTRY(zicsr, PRIV_VERSION_1_10_0, ext_zicsr), +@@ -86,7 +87,10 @@ const RISCVIsaExtData isa_edata_arr[] = { + ISA_EXT_DATA_ENTRY(zihintntl, PRIV_VERSION_1_10_0, ext_zihintntl), + ISA_EXT_DATA_ENTRY(zihintpause, PRIV_VERSION_1_10_0, ext_zihintpause), + ISA_EXT_DATA_ENTRY(zihpm, PRIV_VERSION_1_12_0, ext_zihpm), ++ ISA_EXT_DATA_ENTRY(zimop, PRIV_VERSION_1_13_0, ext_zimop), + ISA_EXT_DATA_ENTRY(zmmul, PRIV_VERSION_1_12_0, ext_zmmul), ++ ISA_EXT_DATA_ENTRY(zabha, PRIV_VERSION_1_13_0, ext_zabha), ++ ISA_EXT_DATA_ENTRY(zacas, PRIV_VERSION_1_12_0, ext_zacas), + ISA_EXT_DATA_ENTRY(zawrs, PRIV_VERSION_1_12_0, ext_zawrs), + ISA_EXT_DATA_ENTRY(zfa, PRIV_VERSION_1_12_0, ext_zfa), + ISA_EXT_DATA_ENTRY(zfbfmin, PRIV_VERSION_1_12_0, ext_zfbfmin), +@@ -118,6 +122,7 @@ const RISCVIsaExtData isa_edata_arr[] = { + ISA_EXT_DATA_ENTRY(zksed, PRIV_VERSION_1_12_0, ext_zksed), + ISA_EXT_DATA_ENTRY(zksh, PRIV_VERSION_1_12_0, ext_zksh), + ISA_EXT_DATA_ENTRY(zkt, PRIV_VERSION_1_12_0, ext_zkt), ++ ISA_EXT_DATA_ENTRY(ztso, PRIV_VERSION_1_12_0, ext_ztso), + ISA_EXT_DATA_ENTRY(zvbb, PRIV_VERSION_1_12_0, ext_zvbb), + ISA_EXT_DATA_ENTRY(zvbc, PRIV_VERSION_1_12_0, ext_zvbc), + ISA_EXT_DATA_ENTRY(zve32f, PRIV_VERSION_1_10_0, ext_zve32f), +@@ -145,14 +150,18 @@ const RISCVIsaExtData isa_edata_arr[] = { + ISA_EXT_DATA_ENTRY(zhinxmin, PRIV_VERSION_1_12_0, ext_zhinxmin), + ISA_EXT_DATA_ENTRY(smaia, PRIV_VERSION_1_12_0, ext_smaia), + ISA_EXT_DATA_ENTRY(smepmp, PRIV_VERSION_1_12_0, ext_smepmp), ++ ISA_EXT_DATA_ENTRY(smmpm, PRIV_VERSION_1_13_0, ext_smmpm), ++ ISA_EXT_DATA_ENTRY(smnpm, PRIV_VERSION_1_13_0, ext_smnpm), + ISA_EXT_DATA_ENTRY(smstateen, PRIV_VERSION_1_12_0, ext_smstateen), + ISA_EXT_DATA_ENTRY(ssaia, PRIV_VERSION_1_12_0, ext_ssaia), + ISA_EXT_DATA_ENTRY(sscofpmf, PRIV_VERSION_1_12_0, ext_sscofpmf), + ISA_EXT_DATA_ENTRY(sstc, PRIV_VERSION_1_12_0, ext_sstc), ++ ISA_EXT_DATA_ENTRY(svade, PRIV_VERSION_1_11_0, ext_svade), + ISA_EXT_DATA_ENTRY(svadu, PRIV_VERSION_1_12_0, ext_svadu), + ISA_EXT_DATA_ENTRY(svinval, PRIV_VERSION_1_12_0, ext_svinval), + ISA_EXT_DATA_ENTRY(svnapot, PRIV_VERSION_1_12_0, ext_svnapot), + ISA_EXT_DATA_ENTRY(svpbmt, PRIV_VERSION_1_12_0, ext_svpbmt), ++ ISA_EXT_DATA_ENTRY(svvptc, PRIV_VERSION_1_13_0, ext_svvptc), + ISA_EXT_DATA_ENTRY(xtheadba, PRIV_VERSION_1_11_0, ext_xtheadba), + ISA_EXT_DATA_ENTRY(xtheadbb, PRIV_VERSION_1_11_0, ext_xtheadbb), + ISA_EXT_DATA_ENTRY(xtheadbs, PRIV_VERSION_1_11_0, ext_xtheadbs), +diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h +index d74b361be6..e1c3485216 100644 +--- a/target/riscv/cpu.h ++++ b/target/riscv/cpu.h +@@ -81,8 +81,9 @@ enum { + PRIV_VERSION_1_10_0 = 0, + PRIV_VERSION_1_11_0, + PRIV_VERSION_1_12_0, ++ PRIV_VERSION_1_13_0, + +- PRIV_VERSION_LATEST = PRIV_VERSION_1_12_0, ++ PRIV_VERSION_LATEST = PRIV_VERSION_1_13_0, + }; + + #define VEXT_VERSION_1_00_0 0x00010000 +diff --git a/target/riscv/cpu_cfg.h b/target/riscv/cpu_cfg.h +index f4605fb190..07b7e54877 100644 +--- a/target/riscv/cpu_cfg.h ++++ b/target/riscv/cpu_cfg.h +@@ -70,13 +70,19 @@ struct RISCVCPUConfig { + bool ext_zihintntl; + bool ext_zihintpause; + bool ext_zihpm; ++ bool ext_zimop; ++ bool ext_zcmop; ++ bool ext_ztso; + bool ext_smstateen; + bool ext_sstc; + bool ext_svadu; + bool ext_svinval; + bool ext_svnapot; + bool ext_svpbmt; ++ bool ext_svvptc; + bool ext_zdinx; ++ bool ext_zacas; ++ bool ext_zabha; + bool ext_zawrs; + bool ext_zfa; + bool ext_zfbfmin; +@@ -113,6 +119,9 @@ struct RISCVCPUConfig { + bool ext_ssaia; + bool ext_sscofpmf; + bool ext_smepmp; ++ bool ext_ssnpm; ++ bool ext_smnpm; ++ bool ext_smmpm; + bool rvv_ta_all_1s; + bool rvv_ma_all_1s; + +@@ -120,6 +129,9 @@ struct RISCVCPUConfig { + uint64_t marchid; + uint64_t mimpid; + ++ bool ext_svade; ++ bool ext_ziccrse; ++ + /* Vendor-specific custom extensions */ + bool ext_xtheadba; + bool ext_xtheadbb; +diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c +index 9615e68ce4..ce26163d03 100644 +--- a/target/riscv/kvm/kvm-cpu.c ++++ b/target/riscv/kvm/kvm-cpu.c +@@ -228,19 +228,64 @@ static void kvm_riscv_update_cpu_misa_ext(RISCVCPU *cpu, CPUState *cs) + static KVMCPUConfig kvm_multi_ext_cfgs[] = { + KVM_EXT_CFG("zicbom", ext_zicbom, KVM_RISCV_ISA_EXT_ZICBOM), + KVM_EXT_CFG("zicboz", ext_zicboz, KVM_RISCV_ISA_EXT_ZICBOZ), ++ KVM_EXT_CFG("ziccrse", ext_ziccrse, KVM_RISCV_ISA_EXT_ZICCRSE), + KVM_EXT_CFG("zicntr", ext_zicntr, KVM_RISCV_ISA_EXT_ZICNTR), ++ KVM_EXT_CFG("zicond", ext_zicond, KVM_RISCV_ISA_EXT_ZICOND), + KVM_EXT_CFG("zicsr", ext_zicsr, KVM_RISCV_ISA_EXT_ZICSR), + KVM_EXT_CFG("zifencei", ext_zifencei, KVM_RISCV_ISA_EXT_ZIFENCEI), ++ KVM_EXT_CFG("zihintntl", ext_zihintntl, KVM_RISCV_ISA_EXT_ZIHINTNTL), + KVM_EXT_CFG("zihintpause", ext_zihintpause, KVM_RISCV_ISA_EXT_ZIHINTPAUSE), + KVM_EXT_CFG("zihpm", ext_zihpm, KVM_RISCV_ISA_EXT_ZIHPM), ++ KVM_EXT_CFG("zimop", ext_zimop, KVM_RISCV_ISA_EXT_ZIMOP), ++ KVM_EXT_CFG("zcmop", ext_zcmop, KVM_RISCV_ISA_EXT_ZCMOP), ++ KVM_EXT_CFG("zabha", ext_zabha, KVM_RISCV_ISA_EXT_ZABHA), ++ KVM_EXT_CFG("zacas", ext_zacas, KVM_RISCV_ISA_EXT_ZACAS), ++ KVM_EXT_CFG("zawrs", ext_zawrs, KVM_RISCV_ISA_EXT_ZAWRS), ++ KVM_EXT_CFG("zfa", ext_zfa, KVM_RISCV_ISA_EXT_ZFA), ++ KVM_EXT_CFG("zfh", ext_zfh, KVM_RISCV_ISA_EXT_ZFH), ++ KVM_EXT_CFG("zfhmin", ext_zfhmin, KVM_RISCV_ISA_EXT_ZFHMIN), + KVM_EXT_CFG("zba", ext_zba, KVM_RISCV_ISA_EXT_ZBA), + KVM_EXT_CFG("zbb", ext_zbb, KVM_RISCV_ISA_EXT_ZBB), ++ KVM_EXT_CFG("zbc", ext_zbc, KVM_RISCV_ISA_EXT_ZBC), ++ KVM_EXT_CFG("zbkb", ext_zbkb, KVM_RISCV_ISA_EXT_ZBKB), ++ KVM_EXT_CFG("zbkc", ext_zbkc, KVM_RISCV_ISA_EXT_ZBKC), ++ KVM_EXT_CFG("zbkx", ext_zbkx, KVM_RISCV_ISA_EXT_ZBKX), + KVM_EXT_CFG("zbs", ext_zbs, KVM_RISCV_ISA_EXT_ZBS), ++ KVM_EXT_CFG("zca", ext_zca, KVM_RISCV_ISA_EXT_ZCA), ++ KVM_EXT_CFG("zcb", ext_zcb, KVM_RISCV_ISA_EXT_ZCB), ++ KVM_EXT_CFG("zcd", ext_zcd, KVM_RISCV_ISA_EXT_ZCD), ++ KVM_EXT_CFG("zcf", ext_zcf, KVM_RISCV_ISA_EXT_ZCF), ++ KVM_EXT_CFG("zknd", ext_zknd, KVM_RISCV_ISA_EXT_ZKND), ++ KVM_EXT_CFG("zkne", ext_zkne, KVM_RISCV_ISA_EXT_ZKNE), ++ KVM_EXT_CFG("zknh", ext_zknh, KVM_RISCV_ISA_EXT_ZKNH), ++ KVM_EXT_CFG("zkr", ext_zkr, KVM_RISCV_ISA_EXT_ZKR), ++ KVM_EXT_CFG("zksed", ext_zksed, KVM_RISCV_ISA_EXT_ZKSED), ++ KVM_EXT_CFG("zksh", ext_zksh, KVM_RISCV_ISA_EXT_ZKSH), ++ KVM_EXT_CFG("zkt", ext_zkt, KVM_RISCV_ISA_EXT_ZKT), ++ KVM_EXT_CFG("ztso", ext_ztso, KVM_RISCV_ISA_EXT_ZTSO), ++ KVM_EXT_CFG("zvbb", ext_zvbb, KVM_RISCV_ISA_EXT_ZVBB), ++ KVM_EXT_CFG("zvbc", ext_zvbc, KVM_RISCV_ISA_EXT_ZVBC), ++ KVM_EXT_CFG("zvfh", ext_zvfh, KVM_RISCV_ISA_EXT_ZVFH), ++ KVM_EXT_CFG("zvfhmin", ext_zvfhmin, KVM_RISCV_ISA_EXT_ZVFHMIN), ++ KVM_EXT_CFG("zvkb", ext_zvkb, KVM_RISCV_ISA_EXT_ZVKB), ++ KVM_EXT_CFG("zvkg", ext_zvkg, KVM_RISCV_ISA_EXT_ZVKG), ++ KVM_EXT_CFG("zvkned", ext_zvkned, KVM_RISCV_ISA_EXT_ZVKNED), ++ KVM_EXT_CFG("zvknha", ext_zvknha, KVM_RISCV_ISA_EXT_ZVKNHA), ++ KVM_EXT_CFG("zvknhb", ext_zvknhb, KVM_RISCV_ISA_EXT_ZVKNHB), ++ KVM_EXT_CFG("zvksed", ext_zvksed, KVM_RISCV_ISA_EXT_ZVKSED), ++ KVM_EXT_CFG("zvksh", ext_zvksh, KVM_RISCV_ISA_EXT_ZVKSH), ++ KVM_EXT_CFG("zvkt", ext_zvkt, KVM_RISCV_ISA_EXT_ZVKT), ++ KVM_EXT_CFG("smnpm", ext_smnpm, KVM_RISCV_ISA_EXT_SMNPM), ++ KVM_EXT_CFG("smstateen", ext_smstateen, KVM_RISCV_ISA_EXT_SMSTATEEN), + KVM_EXT_CFG("ssaia", ext_ssaia, KVM_RISCV_ISA_EXT_SSAIA), ++ KVM_EXT_CFG("ssnpm", ext_ssnpm, KVM_RISCV_ISA_EXT_SSNPM), + KVM_EXT_CFG("sstc", ext_sstc, KVM_RISCV_ISA_EXT_SSTC), ++ KVM_EXT_CFG("svade", ext_svade, KVM_RISCV_ISA_EXT_SVADE), ++ KVM_EXT_CFG("svadu", ext_svadu, KVM_RISCV_ISA_EXT_SVADU), + KVM_EXT_CFG("svinval", ext_svinval, KVM_RISCV_ISA_EXT_SVINVAL), + KVM_EXT_CFG("svnapot", ext_svnapot, KVM_RISCV_ISA_EXT_SVNAPOT), + KVM_EXT_CFG("svpbmt", ext_svpbmt, KVM_RISCV_ISA_EXT_SVPBMT), ++ KVM_EXT_CFG("svvptc", ext_svvptc, KVM_RISCV_ISA_EXT_SVVPTC), + }; + + static void *kvmconfig_get_cfg_addr(RISCVCPU *cpu, KVMCPUConfig *kvmcfg) +-- +2.33.0 + diff --git a/target-s390x-Fix-MVC-not-always-invalidating-transla.patch b/target-s390x-Fix-MVC-not-always-invalidating-transla.patch new file mode 100644 index 0000000000000000000000000000000000000000..64628dc19e57d0916d0b01449fd23e16729b88e7 --- /dev/null +++ b/target-s390x-Fix-MVC-not-always-invalidating-transla.patch @@ -0,0 +1,65 @@ +From f1d3e679818594b4cab0601d426f8d02a6d35bdb Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Fri, 1 Aug 2025 02:39:09 -0400 +Subject: [PATCH] target/s390x: Fix MVC not always invalidating translation + blocks + +cheery-pick from cbdb457d7981133e511eafa3296431871d84bea4 + +Node.js crashes in qemu-system-s390x with random SIGSEGVs / SIGILLs. + +The v8 JIT used by Node.js can garbage collect and overwrite unused +code. Overwriting is performed by WritableJitAllocation::CopyCode(), +code. Overwriting is performed by WritableJitAllocation::CopyCode(), +which ultimately calls memcpy(). For certain sizes, memcpy() uses the +MVC instruction. + +QEMU implements MVC and other similar instructions using helpers. While +TCG store ops invalidate affected translation blocks automatically, +helpers must do this manually by calling probe_access_flags(). The MVC +helper does this using the access_prepare() -> access_prepare_nf() -> +s390_probe_access() -> probe_access_flags() call chain. + +At the last step of this chain, the store size is replaced with 0. This +causes the probe_access_flags() -> notdirty_write() -> +tb_invalidate_phys_range_fast() chain to miss some translation blocks. + +When this happens, QEMU executes a mix of old and new code. This +quickly leads to either a SIGSEGV or a SIGILL in case the old code +ends in the middle of a new instruction. + +Fix by passing the true size. + +Reported-by: Berthold Gunreben +Cc: Sarah Kriesch +Cc: qemu-stable@nongnu.org +Closes: https://bugzilla.opensuse.org/show_bug.cgi?id=1235709 +Signed-off-by: Ilya Leoshkevich +Reviewed-by: Richard Henderson +Reviewed-by: David Hildenbrand +Fixes: e2faabee78ff ("accel/tcg: Forward probe size on to notdirty_write") +Message-ID: <20250128001338.11474-1-iii@linux.ibm.com> +Signed-off-by: Thomas Huth +(cherry picked from commit e43ced8be18dda77c229ab09f85136a4d600d40d) +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + target/s390x/tcg/mem_helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/target/s390x/tcg/mem_helper.c b/target/s390x/tcg/mem_helper.c +index 84103251b9..1da47c78e8 100644 +--- a/target/s390x/tcg/mem_helper.c ++++ b/target/s390x/tcg/mem_helper.c +@@ -146,7 +146,7 @@ static inline int s390_probe_access(CPUArchState *env, target_ulong addr, + int mmu_idx, bool nonfault, + void **phost, uintptr_t ra) + { +- int flags = probe_access_flags(env, addr, 0, access_type, mmu_idx, ++ int flags = probe_access_flags(env, addr, size, access_type, mmu_idx, + nonfault, phost, ra); + + if (unlikely(flags & TLB_INVALID_MASK)) { +-- +2.33.0 + diff --git a/target-sparc-Fix-gdbstub-incorrectly-handling-regist.patch b/target-sparc-Fix-gdbstub-incorrectly-handling-regist.patch new file mode 100644 index 0000000000000000000000000000000000000000..437e2a27809fb7b5b0565230edb8c741b4b04fa8 --- /dev/null +++ b/target-sparc-Fix-gdbstub-incorrectly-handling-regist.patch @@ -0,0 +1,69 @@ +From cb97a92ee393673ff2c927740b98db1ed38d0924 Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Fri, 1 Aug 2025 03:03:33 -0400 +Subject: [PATCH] target/sparc: Fix gdbstub incorrectly handling registers + f32-f62 + +cheery-pick from 5af648acff28171d34a68aec4cf0f52e6401284c + +The gdbstub implementation for the Sparc architecture would +incorrectly calculate the the floating point register offset. +This resulted in, for example, registers f32 and f34 to point to +the same value. + +The issue was caused by the confusion between even register numbers +and even register indexes. For example, the register index of f32 is 64 +and f34 is 65. + +Cc: qemu-stable@nongnu.org +Fixes: 30038fd81808 ("target-sparc: Change fpr representation to doubles.") +Signed-off-by: Mikael Szreder +Reviewed-by: Richard Henderson +Signed-off-by: Richard Henderson +Message-ID: <20250214070343.11501-1-git@miszr.win> +(cherry picked from commit 7a74e468089a58756b438d31a2a9a97f183780d7) +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + target/sparc/gdbstub.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/target/sparc/gdbstub.c b/target/sparc/gdbstub.c +index a1c8fdc4d5..109b7237e0 100644 +--- a/target/sparc/gdbstub.c ++++ b/target/sparc/gdbstub.c +@@ -80,8 +80,13 @@ int sparc_cpu_gdb_read_register(CPUState *cs, GByteArray *mem_buf, int n) + } + } + if (n < 80) { +- /* f32-f62 (double width, even numbers only) */ +- return gdb_get_reg64(mem_buf, env->fpr[(n - 32) / 2].ll); ++ /* f32-f62 (16 double width registers, even register numbers only) ++ * n == 64: f32 : env->fpr[16] ++ * n == 65: f34 : env->fpr[17] ++ * etc... ++ * n == 79: f62 : env->fpr[31] ++ */ ++ return gdb_get_reg64(mem_buf, env->fpr[(n - 64) + 16].ll); + } + switch (n) { + case 80: +@@ -174,8 +179,13 @@ int sparc_cpu_gdb_write_register(CPUState *cs, uint8_t *mem_buf, int n) + } + return 4; + } else if (n < 80) { +- /* f32-f62 (double width, even numbers only) */ +- env->fpr[(n - 32) / 2].ll = tmp; ++ /* f32-f62 (16 double width registers, even register numbers only) ++ * n == 64: f32 : env->fpr[16] ++ * n == 65: f34 : env->fpr[17] ++ * etc... ++ * n == 79: f62 : env->fpr[31] ++ */ ++ env->fpr[(n - 64) + 16].ll = tmp; + } else { + switch (n) { + case 80: +-- +2.33.0 + diff --git a/vdpa-Fix-endian-bugs-in-shadow-virtqueue.patch b/vdpa-Fix-endian-bugs-in-shadow-virtqueue.patch new file mode 100644 index 0000000000000000000000000000000000000000..72dc0f45f31e862db9ea3d7666c1dd69dd3ca973 --- /dev/null +++ b/vdpa-Fix-endian-bugs-in-shadow-virtqueue.patch @@ -0,0 +1,98 @@ +From 99186ad14ebc29c79d17ff0afc46c087a9f44923 Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Fri, 1 Aug 2025 03:48:19 -0400 +Subject: [PATCH] vdpa: Fix endian bugs in shadow virtqueue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from ca12e95f1329b74c5fdaf0d92f38110129831090 + +VDPA didn't work on a big-endian machine due to missing/incorrect +CPU<->LE data format conversions. + +Signed-off-by: Konstantin Shkolnyy +Message-Id: <20250212164923.1971538-1-kshk@linux.ibm.com> +Fixes: 10857ec0ad ("vhost: Add VhostShadowVirtqueue") +Acked-by: Eugenio PĂ©rez +Tested-by: Lei Yang +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 50e9754149066dc91f58405d3378b589098cb408) +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + hw/virtio/vhost-shadow-virtqueue.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/hw/virtio/vhost-shadow-virtqueue.c b/hw/virtio/vhost-shadow-virtqueue.c +index fc5f408f77..ca60167b08 100644 +--- a/hw/virtio/vhost-shadow-virtqueue.c ++++ b/hw/virtio/vhost-shadow-virtqueue.c +@@ -165,10 +165,10 @@ static bool vhost_svq_vring_write_descs(VhostShadowVirtqueue *svq, hwaddr *sg, + descs[i].len = cpu_to_le32(iovec[n].iov_len); + + last = i; +- i = cpu_to_le16(svq->desc_next[i]); ++ i = svq->desc_next[i]; + } + +- svq->free_head = le16_to_cpu(svq->desc_next[last]); ++ svq->free_head = svq->desc_next[last]; + return true; + } + +@@ -228,10 +228,12 @@ static void vhost_svq_kick(VhostShadowVirtqueue *svq) + smp_mb(); + + if (virtio_vdev_has_feature(svq->vdev, VIRTIO_RING_F_EVENT_IDX)) { +- uint16_t avail_event = *(uint16_t *)(&svq->vring.used->ring[svq->vring.num]); ++ uint16_t avail_event = le16_to_cpu( ++ *(uint16_t *)(&svq->vring.used->ring[svq->vring.num])); + needs_kick = vring_need_event(avail_event, svq->shadow_avail_idx, svq->shadow_avail_idx - 1); + } else { +- needs_kick = !(svq->vring.used->flags & VRING_USED_F_NO_NOTIFY); ++ needs_kick = ++ !(svq->vring.used->flags & cpu_to_le16(VRING_USED_F_NO_NOTIFY)); + } + + if (!needs_kick) { +@@ -365,7 +367,7 @@ static bool vhost_svq_more_used(VhostShadowVirtqueue *svq) + return true; + } + +- svq->shadow_used_idx = cpu_to_le16(*(volatile uint16_t *)used_idx); ++ svq->shadow_used_idx = le16_to_cpu(*(volatile uint16_t *)used_idx); + + return svq->last_used_idx != svq->shadow_used_idx; + } +@@ -383,7 +385,7 @@ static bool vhost_svq_enable_notification(VhostShadowVirtqueue *svq) + { + if (virtio_vdev_has_feature(svq->vdev, VIRTIO_RING_F_EVENT_IDX)) { + uint16_t *used_event = (uint16_t *)&svq->vring.avail->ring[svq->vring.num]; +- *used_event = svq->shadow_used_idx; ++ *used_event = cpu_to_le16(svq->shadow_used_idx); + } else { + svq->vring.avail->flags &= ~cpu_to_le16(VRING_AVAIL_F_NO_INTERRUPT); + } +@@ -408,7 +410,7 @@ static uint16_t vhost_svq_last_desc_of_chain(const VhostShadowVirtqueue *svq, + uint16_t num, uint16_t i) + { + for (uint16_t j = 0; j < (num - 1); ++j) { +- i = le16_to_cpu(svq->desc_next[i]); ++ i = svq->desc_next[i]; + } + + return i; +@@ -681,7 +683,7 @@ void vhost_svq_start(VhostShadowVirtqueue *svq, VirtIODevice *vdev, + svq->desc_state = g_new0(SVQDescState, svq->vring.num); + svq->desc_next = g_new0(uint16_t, svq->vring.num); + for (unsigned i = 0; i < svq->vring.num - 1; i++) { +- svq->desc_next[i] = cpu_to_le16(i + 1); ++ svq->desc_next[i] = i + 1; + } + } + +-- +2.33.0 + diff --git a/vfio-container-For-CSV3-VM-only-register-listener-to.patch b/vfio-container-For-CSV3-VM-only-register-listener-to.patch new file mode 100644 index 0000000000000000000000000000000000000000..67c6960666d1673dc0a68d20eb49c9009cf1d03a --- /dev/null +++ b/vfio-container-For-CSV3-VM-only-register-listener-to.patch @@ -0,0 +1,42 @@ +From 17038e49ea5b89bf3088d7e7f7186ca5aba4975f Mon Sep 17 00:00:00 2001 +From: hanliyang +Date: Thu, 21 Aug 2025 16:35:45 +0800 +Subject: [PATCH] vfio/container: For CSV3 VM, only register listener to + shared_memory_listener list in vfio_connect_container() + +There is a regression for booting CSV3 VM with passthr devices when +backporting the commit c7b313d300 ("vfio/container: Move listener to +base container"). + +Fix it here. + +Signed-off-by: hanliyang +--- + hw/vfio/container.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/vfio/container.c b/hw/vfio/container.c +index 95b8cff33b..56c55d00f1 100644 +--- a/hw/vfio/container.c ++++ b/hw/vfio/container.c +@@ -736,14 +736,14 @@ static int vfio_connect_container(VFIOGroup *group, AddressSpace *as, + group->container = container; + QLIST_INSERT_HEAD(&container->group_list, group, container_next); + ++ bcontainer->listener = vfio_memory_listener; + if (kvm_csv3_enabled()) { + shared_memory_listener_register(&bcontainer->listener, + bcontainer->space->as); ++ } else { ++ memory_listener_register(&bcontainer->listener, bcontainer->space->as); + } + +- bcontainer->listener = vfio_memory_listener; +- memory_listener_register(&bcontainer->listener, bcontainer->space->as); +- + if (bcontainer->error) { + ret = -1; + error_propagate_prepend(errp, bcontainer->error, +-- +2.33.0 + diff --git a/virtio-net-Fix-size-check-in-dhclient-workaround.patch b/virtio-net-Fix-size-check-in-dhclient-workaround.patch new file mode 100644 index 0000000000000000000000000000000000000000..6314115c49e089df9c9a5f90f63acff85df85d97 --- /dev/null +++ b/virtio-net-Fix-size-check-in-dhclient-workaround.patch @@ -0,0 +1,43 @@ +From 441df39082f9eba5ab5fa56e33dda522060f87be Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Fri, 1 Aug 2025 03:57:30 -0400 +Subject: [PATCH] virtio-net: Fix size check in dhclient workaround + +cheery-pick from aac6bdec4cb37ac1f0c12d769589ab14c8a5bbad + +work_around_broken_dhclient() accesses IP and UDP headers to detect +relevant packets and to calculate checksums, but it didn't check if +the packet has size sufficient to accommodate them, causing out-of-bound +access hazards. Fix this by correcting the size requirement. + +Fixes: 1d41b0c1ec66 ("Work around dhclient brokenness") +Cc: qemu-stable@nongnu.org +Signed-off-by: Akihiko Odaki +Signed-off-by: Jason Wang +(cherry picked from commit a8575f7fb2f213e6690b23160b04271d47fdfaa8) +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + hw/net/virtio-net.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 7184c9c526..5d58aa8a8c 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -1712,8 +1712,11 @@ static void virtio_net_hdr_swap(VirtIODevice *vdev, struct virtio_net_hdr *hdr) + static void work_around_broken_dhclient(struct virtio_net_hdr *hdr, + uint8_t *buf, size_t size) + { ++ size_t csum_size = ETH_HLEN + sizeof(struct ip_header) + ++ sizeof(struct udp_header); ++ + if ((hdr->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) && /* missing csum */ +- (size > 27 && size < 1500) && /* normal sized MTU */ ++ (size >= csum_size && size < 1500) && /* normal sized MTU */ + (buf[12] == 0x08 && buf[13] == 0x00) && /* ethertype == IPv4 */ + (buf[23] == 17) && /* ip.protocol == UDP */ + (buf[34] == 0 && buf[35] == 67)) { /* udp.srcport == bootps */ +-- +2.33.0 + diff --git a/x86-loader-only-patch-linux-kernels.patch b/x86-loader-only-patch-linux-kernels.patch new file mode 100644 index 0000000000000000000000000000000000000000..23d87d162c873ca4f080583c5265530c6a2b3090 --- /dev/null +++ b/x86-loader-only-patch-linux-kernels.patch @@ -0,0 +1,46 @@ +From 08d849e4c516ab826dfdb71d3e57dddf668b6898 Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Fri, 1 Aug 2025 04:02:45 -0400 +Subject: [PATCH] x86/loader: only patch linux kernels + +cheery-pick from 3f73fe11188307773ab6bce481a977c7a11e367e + +If the binary loaded via -kernel is *not* a linux kernel (in which +case protocol == 0), do not patch the linux kernel header fields. + +It's (a) pointless and (b) might break binaries by random patching +and (c) changes the binary hash which in turn breaks secure boot +verification. + +Background: OVMF happily loads and runs not only linux kernels but +any efi binary via direct kernel boot. + +Note: Breaking the secure boot verification is a problem for linux +kernels too, but fixed that is left for another day ... + +Signed-off-by: Gerd Hoffmann +Message-ID: <20240905141211.1253307-3-kraxel@redhat.com> +(cherry picked from commit 57e2cc9abf5da38f600354fe920ff20e719607b4) +Signed-off-by: Michael Tokarev +(Mjt: it is in hw/i386/x86.c not hw/i386/x86-common.c in 8.2.x) +Signed-off-by: qihao_yewu +--- + hw/i386/x86.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/i386/x86.c b/hw/i386/x86.c +index 2b6291ad8d..672de72762 100644 +--- a/hw/i386/x86.c ++++ b/hw/i386/x86.c +@@ -1105,7 +1105,7 @@ void x86_load_linux(X86MachineState *x86ms, + * kernel on the other side of the fw_cfg interface matches the hash of the + * file the user passed in. + */ +- if (!sev_enabled()) { ++ if (!sev_enabled() && protocol > 0) { + memcpy(setup, header, MIN(sizeof(header), setup_size)); + } + +-- +2.33.0 +