diff --git a/Always-create-pflash-objects-and-register-properties.patch b/Always-create-pflash-objects-and-register-properties.patch new file mode 100644 index 0000000000000000000000000000000000000000..78a909b4a0e37b6a74db7c81f00261e3baf82686 --- /dev/null +++ b/Always-create-pflash-objects-and-register-properties.patch 
@@ -0,0 +1,93 @@ +From 77e90909b868a7e394903e9f0e990f212e896242 Mon Sep 17 00:00:00 2001 +From: houmingyong +Date: Thu, 4 Sep 2025 10:50:38 +0800 +Subject: [PATCH] Always create pflash objects and register properties for QOM + even in confidential mode, to satisfy qemu_apply_machine_options. This fixes + the "Property 'virt-8.2-machine.pflash0' not found" error. + +Revert "hw/arm/virt: Move virt_flash_create() to machvirt_init()" +This reverts commit ddf23b6f58d3c605a083ad3f09388dcb6edf729e. +--- + hw/arm/virt.c | 31 ++++++++++++------------------- + 1 file changed, 12 insertions(+), 19 deletions(-) + +diff --git a/hw/arm/virt.c b/hw/arm/virt.c +index cf4156ed49..f7a9ba9a58 100644 +--- a/hw/arm/virt.c ++++ b/hw/arm/virt.c +@@ -1407,10 +1407,10 @@ static PFlashCFI01 *virt_flash_create1(VirtMachineState *vms, + + static void virt_flash_create(VirtMachineState *vms) + { +- if (virt_machine_is_confidential(vms)) { +- return; +- } +- ++ /* Always create pflash objects and register properties for QOM ++ * even in confidential mode, to satisfy qemu_apply_machine_options. ++ * This fixes the "Property 'virt-8.2-machine.pflash0' not found" error. ++ */ + vms->flash[0] = virt_flash_create1(vms, "virt.flash0", "pflash0"); + vms->flash[1] = virt_flash_create1(vms, "virt.flash1", "pflash1"); + } +@@ -1449,10 +1449,6 @@ static void virt_flash_map(VirtMachineState *vms, + hwaddr flashsize = vms->memmap[VIRT_FLASH].size / 2; + hwaddr flashbase = vms->memmap[VIRT_FLASH].base; + +- if (virt_machine_is_confidential(vms)) { +- return; +- } +- + virt_flash_map1(vms->flash[0], flashbase, flashsize, + secure_sysmem); + virt_flash_map1(vms->flash[1], flashbase + flashsize, flashsize, +@@ -1532,15 +1528,6 @@ static bool virt_firmware_init(VirtMachineState *vms, + const char *bios_name; + BlockBackend *pflash_blk0; + +- /* +- * For a confidential VM, the firmware image and any boot information, +- * including EFI variables, are stored in RAM in order to be measurable and +- * private. 
Create a RAM region and load the firmware image there. +- */ +- if (virt_machine_is_confidential(vms)) { +- return virt_confidential_firmware_init(vms, sysmem); +- } +- + /* Map legacy -drive if=pflash to machine properties */ + for (i = 0; i < ARRAY_SIZE(vms->flash); i++) { + pflash_cfi01_legacy_drive(vms->flash[i], +@@ -1551,7 +1538,12 @@ static bool virt_firmware_init(VirtMachineState *vms, + + pflash_blk0 = pflash_cfi01_get_blk(vms->flash[0]); + +- if (virtcca_cvm_enabled()) { ++ /* ++ * For a confidential VM, the firmware image and any boot information, ++ * including EFI variables, are stored in RAM in order to be measurable and ++ * private. Create a RAM region and load the firmware image there. ++ */ ++ if (virtcca_cvm_enabled() || virt_machine_is_confidential(vms)) { + return virt_confidential_firmware_init(vms, sysmem); + } + +@@ -2609,7 +2601,6 @@ static void machvirt_init(MachineState *machine) + } + + finalize_gic_version(vms); +- virt_flash_create(vms); + + possible_cpus = mc->possible_cpu_arch_ids(machine); + +@@ -4163,6 +4154,8 @@ static void virt_instance_init(Object *obj) + + vms->irqmap = a15irqmap; + ++ virt_flash_create(vms); ++ + vms->oem_id = g_strndup(ACPI_BUILD_APPNAME6, 6); + vms->oem_table_id = g_strndup(ACPI_BUILD_APPNAME8, 8); + +-- +2.33.0 + diff --git a/block-qed-fix-use-after-free-by-nullifying-timer-poi.patch b/block-qed-fix-use-after-free-by-nullifying-timer-poi.patch new file mode 100644 index 0000000000000000000000000000000000000000..47e846625826dc87fdf3a721d7ccb21a3f083539 --- /dev/null +++ b/block-qed-fix-use-after-free-by-nullifying-timer-poi.patch 
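Review bot: The early return deleted from virt_flash_map() is not covered by the commit message, which only motivates creating the pflash objects so that the QOM properties exist for qemu_apply_machine_options; with that guard gone both flash devices are also mapped into a confidential guest's address space, which the relocated comment ("stored in RAM in order to be measurable and private") says the original design avoided. If mapping in confidential mode is intended, state that in a comment at the virt_flash_map1() calls; otherwise keep the creation unconditional (only the objects and properties are needed) and restore `if (virt_machine_is_confidential(vms)) { return; }` at the top of virt_flash_map(). A related ordering change in virt_firmware_init(): the `-drive if=pflash` legacy mapping loop now runs before the confidential check, so a pflash drive given to a confidential VM is attached to the flash device instead of being bypassed, and that deserves a sentence in the message if deliberate. The new multi-line comment in virt_flash_create() also departs from the `/*` on its own line style used by the other comment block in this same patch.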
@@ -0,0 +1,44 @@ +From 83d07b4feac945d8b483642d28c8eebcabc4fa12 Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Thu, 31 Jul 2025 21:40:03 -0400 +Subject: [PATCH] block/qed: fix use-after-free by nullifying timer pointer + after free + +cheery-pick from 9f1e501fb1cb83b46f49df8bb2fb0950ea5fa5a5 + +This error was discovered by fuzzing qemu-img. + +In the QED block driver, the need_check_timer timer is freed in +bdrv_qed_detach_aio_context, but the pointer to the timer is not +set to NULL. This can lead to a use-after-free scenario +in bdrv_qed_drain_begin(). + +The need_check_timer pointer is set to NULL after freeing the timer. +Which helps catch this condition when checking in bdrv_qed_drain_begin(). + +Closes: https://gitlab.com/qemu-project/qemu/-/issues/2852 +Signed-off-by: Denis Rastyogin +Message-ID: <20250304083927.37681-1-gerben@altlinux.org> +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit 2ad638a3d160923ef3dbf87c73944e6e44bdc724) +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + block/qed.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/block/qed.c b/block/qed.c +index bc2f0a61c0..b986353979 100644 +--- a/block/qed.c ++++ b/block/qed.c +@@ -353,6 +353,7 @@ static void bdrv_qed_detach_aio_context(BlockDriverState *bs) + + qed_cancel_need_check_timer(s); + timer_free(s->need_check_timer); ++ s->need_check_timer = NULL; + } + + static void bdrv_qed_attach_aio_context(BlockDriverState *bs, +-- +2.33.0 + diff --git a/common-user-host-riscv-use-tail-pseudoinstruction-fo.patch b/common-user-host-riscv-use-tail-pseudoinstruction-fo.patch new file mode 100644 index 0000000000000000000000000000000000000000..4930e8a57d9684083b9bd4e06f66aeeaf47df36c --- /dev/null +++ b/common-user-host-riscv-use-tail-pseudoinstruction-fo.patch 
@@ -0,0 +1,47 @@ +From 163c04af60750ebf617ac1152fccbf72fea3f873 Mon Sep 17 00:00:00 2001 +From: Icenowy Zheng +Date: Thu, 17 Apr 2025 15:22:06 +0800 +Subject: [PATCH] common-user/host/riscv: use tail pseudoinstruction for + calling tail + +The j pseudoinstruction maps to a JAL instruction, which can only handle +a jump to somewhere with a signed 20-bit destination. In case of static +linking and LTO'ing this easily leads to "relocation truncated to fit" +error. + +Switch to use tail pseudoinstruction, which is the standard way to +tail-call a function in medium code model (emits AUIPC+JALR). + +--- +Upstream commit 22b448ccc6611a59d4aa54419f4d88c1f343cb35 , v10.1.0 + +Signed-off-by: Icenowy Zheng +Reviewed-by: Richard Henderson +Message-ID: <20250417072206.364008-1-uwu@icenowy.me> +Signed-off-by: Alistair Francis +Cc: qemu-stable@nongnu.org +--- + common-user/host/riscv/safe-syscall.inc.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/common-user/host/riscv/safe-syscall.inc.S b/common-user/host/riscv/safe-syscall.inc.S +index dfe83c300e..c8b81e33d0 100644 +--- a/common-user/host/riscv/safe-syscall.inc.S ++++ b/common-user/host/riscv/safe-syscall.inc.S +@@ -69,11 +69,11 @@ safe_syscall_end: + + /* code path setting errno */ + 0: neg a0, a0 +- j safe_syscall_set_errno_tail ++ tail safe_syscall_set_errno_tail + + /* code path when we didn't execute the syscall */ + 2: li a0, QEMU_ERESTARTSYS +- j safe_syscall_set_errno_tail ++ tail safe_syscall_set_errno_tail + + .cfi_endproc + .size safe_syscall_base, .-safe_syscall_base +-- +2.33.0 + diff --git a/elfload-Fix-alignment-when-unmapping-excess-reservat.patch b/elfload-Fix-alignment-when-unmapping-excess-reservat.patch new file mode 100644 index 0000000000000000000000000000000000000000..6fbeae6d3876611479ca3958149b135571b582ef --- /dev/null +++ b/elfload-Fix-alignment-when-unmapping-excess-reservat.patch 
@@ -0,0 +1,45 @@ +From ecdd2a7388d57c88511e8d7ffc0ce0956253c0df Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Thu, 31 Jul 2025 21:57:52 -0400 +Subject: [PATCH] elfload: Fix alignment when unmapping excess reservation + +cheery-pick from 2c837358c2f3b30524754ffebedb6c5d60ae3552 + +When complying with the alignment requested in the ELF and unmapping +the excess reservation, having align_end not aligned to the guest page +causes the unmap to be rejected by the alignment check at +target_munmap and later brk adjustments hit an EEXIST. + +Fix by aligning the start of region to be unmapped. + +Fixes: c81d1fafa6 ("linux-user: Honor elf alignment when placing images") +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1913 +Signed-off-by: Fabiano Rosas +[rth: Align load_end as well.] +Signed-off-by: Richard Henderson +Message-ID: <20250213143558.10504-1-farosas@suse.de> +(cherry picked from commit 4b7b20a3b72c5000ea71bef505c16e6e628268b6) +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + linux-user/elfload.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux-user/elfload.c b/linux-user/elfload.c +index 87eb318b46..f0c9095d57 100644 +--- a/linux-user/elfload.c ++++ b/linux-user/elfload.c +@@ -3417,8 +3417,8 @@ static void load_elf_image(const char *image_name, const ImageSource *src, + + if (align_size != reserve_size) { + abi_ulong align_addr = ROUND_UP(load_addr, align); +- abi_ulong align_end = align_addr + reserve_size; +- abi_ulong load_end = load_addr + align_size; ++ abi_ulong align_end = TARGET_PAGE_ALIGN(align_addr + reserve_size); ++ abi_ulong load_end = TARGET_PAGE_ALIGN(load_addr + align_size); + + if (align_addr != load_addr) { + target_munmap(load_addr, align_addr - load_addr); +-- +2.33.0 + 
diff --git a/hw-arm-boot.c-Enforce-CCA-and-virtCCA-isolation.patch b/hw-arm-boot.c-Enforce-CCA-and-virtCCA-isolation.patch new file mode 100644 index 0000000000000000000000000000000000000000..3068dc237e5d5c9b2a366b4eb23d9f930cb95570 --- /dev/null +++ b/hw-arm-boot.c-Enforce-CCA-and-virtCCA-isolation.patch 
@@ -0,0 +1,72 @@ +From 6c6e62479472fc67b92d7bce2d6e8c2b379b6fe1 Mon Sep 17 00:00:00 2001 +From: yxk +Date: Thu, 4 Sep 2025 22:47:10 +0800 +Subject: [PATCH] hw/arm boot.c: Enforce CCA and virtCCA isolation. + +Since both CCA and virtCCA utilize info->confidential in +arm_setup_firmware_boot, we must distinguish between them. + +Signed-off-by: yxk +--- + hw/arm/boot.c | 29 ++++++++++++++++------------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +diff --git a/hw/arm/boot.c b/hw/arm/boot.c +index 4f5bf6e77c..9e28199a68 100644 +--- a/hw/arm/boot.c ++++ b/hw/arm/boot.c +@@ -1228,17 +1228,18 @@ static void arm_setup_confidential_firmware_boot(ARMCPU *cpu, + uint64_t tmi_version = 0; + int ret = -1; + +- if (kvm_enabled()) { ++ if (kvm_enabled() && virtcca_cvm_enabled()) { + ret = kvm_ioctl(kvm_state, KVM_GET_TMI_VERSION, &tmi_version); ++ if (ret < 0) { ++ error_report("please check the kernel version!"); ++ exit(EXIT_FAILURE); ++ } ++ if (tmi_version < MIN_TMI_VERSION_FOR_UEFI_BOOTED_CVM) { ++ error_report("please check the tmi version!"); ++ exit(EXIT_FAILURE); ++ } + } +- if (ret < 0) { +- error_report("please check the kernel version!"); +- exit(EXIT_FAILURE); +- } +- if (tmi_version < MIN_TMI_VERSION_FOR_UEFI_BOOTED_CVM) { +- error_report("please check the tmi version!"); +- exit(EXIT_FAILURE); +- } ++ + ssize_t fw_size; + const char *fname; + AddressSpace *as = arm_boot_address_space(cpu, info); +@@ -1273,7 +1274,7 @@ static void arm_setup_firmware_boot(ARMCPU *cpu, struct arm_boot_info *info, con + * DTB to the base of RAM for the bootloader to pick up. 
+ */ + info->dtb_start = info->loader_start; +- if (info->confidential) ++ if (info->confidential && virtcca_cvm_enabled()) + tmm_add_ram_region(UEFI_LOADER_START, UEFI_MAX_SIZE, info->dtb_start, DTB_MAX , true); + } + +@@ -1317,9 +1318,11 @@ static void arm_setup_firmware_boot(ARMCPU *cpu, struct arm_boot_info *info, con + + if (info->confidential) { + arm_setup_confidential_firmware_boot(cpu, info, firmware_filename); +- virtcca_kvm_get_mmio_addr(&mmio_start, &mmio_size); +- kvm_load_user_data(info->loader_start, DTB_MAX, mmio_start, mmio_size, info->ram_size, +- (struct kvm_numa_info *)info->numa_info); ++ if (virtcca_cvm_enabled()) { ++ virtcca_kvm_get_mmio_addr(&mmio_start, &mmio_size); ++ kvm_load_user_data(info->loader_start, DTB_MAX, mmio_start, mmio_size, info->ram_size, ++ (struct kvm_numa_info *)info->numa_info); ++ } + } + /* + * We will start from address 0 (typically a boot ROM image) in the +-- +2.33.0 + diff --git a/hw-arm-virt-Introduce-a-IPIV-machine-option.patch b/hw-arm-virt-Introduce-a-IPIV-machine-option.patch new file mode 100644 index 0000000000000000000000000000000000000000..7cf229cb16793b4d5e4dff2cb77a982bdeb31f8c --- /dev/null +++ b/hw-arm-virt-Introduce-a-IPIV-machine-option.patch 
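Review bot: The reworked guard at the top of arm_setup_confidential_firmware_boot() silently skips the TMI version check when virtcca_cvm_enabled() is true but kvm_enabled() is false; before this change ret stayed -1 and the function exited with "please check the kernel version!", so that configuration now proceeds to load firmware without the version gate. If virtCCA is only reachable under KVM this is unreachable, but keeping it fail-closed is cheap: `if (virtcca_cvm_enabled() && !kvm_enabled()) { error_report("please check the kernel version!"); exit(EXIT_FAILURE); }` placed ahead of the new block. The second hunk's `if (info->confidential && virtcca_cvm_enabled())` still has an unbraced body, which QEMU's coding style asks to brace even for a single statement. arm_setup_firmware_boot() begins and ends outside the hunks shown.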
@@ -0,0 +1,105 @@ +From 9db5487d84eef5ba38adefb70138644d1012f05f Mon Sep 17 00:00:00 2001 +From: Jinqian Yang +Date: Tue, 23 Sep 2025 12:09:39 +0800 +Subject: [PATCH] hw/arm/virt: Introduce a IPIV machine option + +Add the ipiv switch in the "-machine" to allow the guest to more +flexibly choose whether to enable ipiv. + +Signed-off-by: Jinqian Yang +--- + hw/arm/virt.c | 19 +++++++++++++++++++ + include/hw/arm/virt.h | 1 + + target/arm/kvm.c | 10 ++++++++-- + 3 files changed, 28 insertions(+), 2 deletions(-) + +diff --git a/hw/arm/virt.c b/hw/arm/virt.c +index f7a9ba9a58..db1b9715e0 100644 +--- a/hw/arm/virt.c ++++ b/hw/arm/virt.c +@@ -3044,6 +3044,20 @@ static void virt_set_its(Object *obj, bool value, Error **errp) + vms->its = value; + } + ++static bool virt_get_ipiv(Object *obj, Error **errp) ++{ ++ VirtMachineState *vms = VIRT_MACHINE(obj); ++ ++ return vms->ipiv; ++} ++ ++static void virt_set_ipiv(Object *obj, bool value, Error **errp) ++{ ++ VirtMachineState *vms = VIRT_MACHINE(obj); ++ ++ vms->ipiv = value; ++} ++ + static void virt_get_dtb_randomness(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) + { +@@ -4086,6 +4100,11 @@ static void virt_machine_class_init(ObjectClass *oc, void *data) + "in ACPI table header." 
+ "The string may be up to 8 bytes in size"); + ++ object_class_property_add_bool(oc, "ipiv", ++ virt_get_ipiv, ++ virt_set_ipiv); ++ object_class_property_set_description(oc, "ipiv", ++ "Set on/off to enable/disable IPIV"); + } + + static char *virt_get_kvm_type(Object *obj, Error **errp G_GNUC_UNUSED) +diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h +index fee7c27e0c..a54b0057fb 100644 +--- a/include/hw/arm/virt.h ++++ b/include/hw/arm/virt.h +@@ -225,6 +225,7 @@ struct VirtMachineState { + bool cpu_hotplug_enabled; + bool ras; + bool mte; ++ bool ipiv; + OnOffAuto dtb_randomness; + bool pmu; + int smmu_accel_count; +diff --git a/target/arm/kvm.c b/target/arm/kvm.c +index f45783a9da..7d443a967d 100644 +--- a/target/arm/kvm.c ++++ b/target/arm/kvm.c +@@ -34,6 +34,7 @@ + #include "hw/irq.h" + #include "qapi/visitor.h" + #include "qemu/log.h" ++#include "hw/arm/virt.h" + + const KVMCapabilityInfo kvm_arch_required_capabilities[] = { + KVM_CAP_LAST_INFO +@@ -259,10 +260,15 @@ int kvm_arch_get_default_type(MachineState *ms) + return fixed_ipa ? 0 : size; + } + +-static void kvm_update_ipiv_cap(KVMState *s) ++static void kvm_update_ipiv_cap(MachineState *ms, KVMState *s) + { ++ VirtMachineState *vms = VIRT_MACHINE(ms); + int ret; + ++ if (!vms->ipiv) { ++ return; ++ } ++ + if (!kvm_check_extension(s, KVM_CAP_ARM_HISI_IPIV)) { + return; + } +@@ -349,7 +355,7 @@ int kvm_arch_init(MachineState *ms, KVMState *s) + } + + kvm_arm_init_debug(s); +- kvm_update_ipiv_cap(s); ++ kvm_update_ipiv_cap(ms, s); + + ret = kvm_arm_rme_init(ms); + if (ret) { +-- +2.33.0 + diff --git a/hw-gpio-npcm7xx-fixup-out-of-bounds-access.patch b/hw-gpio-npcm7xx-fixup-out-of-bounds-access.patch new file mode 100644 index 0000000000000000000000000000000000000000..a214125eb0e3fa7c2d292880a05bd6727b227956 --- /dev/null +++ b/hw-gpio-npcm7xx-fixup-out-of-bounds-access.patch 
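Review bot: kvm_update_ipiv_cap() now casts the MachineState with VIRT_MACHINE(ms), but kvm_arch_init() runs for every KVM-accelerated Arm machine type, not only virt, and for any other machine the QOM type check behind that macro aborts QEMU at startup. Guard the cast, e.g. `if (!object_dynamic_cast(OBJECT(ms), TYPE_VIRT_MACHINE)) { return; }` before dereferencing vms, or carry the flag through KVMState so target/arm/kvm.c does not need to include hw/arm/virt.h at all. The new `ipiv` field is not given a default in these hunks, so unless it is set somewhere outside them the property reads false and the previously unconditional enabling in kvm_update_ipiv_cap() becomes opt-in; if that is intended it belongs in the commit message and in the property description, e.g. `"Set on/off to enable/disable IPIV (default: off)"`.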
@@ -0,0 +1,52 @@ +From 419104f21e81d883f1a41540512e86750363600e Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Thu, 31 Jul 2025 22:18:09 -0400 +Subject: [PATCH] hw/gpio: npcm7xx: fixup out-of-bounds access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 27e3d81ffd81bb57b02816fc9cfe24f621d64c59 + +The reg isn't validated to be a possible register before +it's dereferenced for one case. The mmio space registered +for the gpio device is 4KiB but there aren't that many +registers in the struct. + +Cc: qemu-stable@nongnu.org +Fixes: 526dbbe0874 ("hw/gpio: Add GPIO model for Nuvoton NPCM7xx") +Signed-off-by: Patrick Venture +Reviewed-by: Philippe Mathieu-Daudé +Message-id: 20250226024603.493148-1-venture@google.com +Signed-off-by: Peter Maydell +(cherry picked from commit 3b2e22c0bbe2ce07123d93961d52f17644562cd7) +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + hw/gpio/npcm7xx_gpio.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/hw/gpio/npcm7xx_gpio.c b/hw/gpio/npcm7xx_gpio.c +index 3376901ab1..c75f9e073d 100644 +--- a/hw/gpio/npcm7xx_gpio.c ++++ b/hw/gpio/npcm7xx_gpio.c +@@ -220,8 +220,6 @@ static void npcm7xx_gpio_regs_write(void *opaque, hwaddr addr, uint64_t v, + return; + } + +- diff = s->regs[reg] ^ value; +- + switch (reg) { + case NPCM7XX_GPIO_TLOCK1: + case NPCM7XX_GPIO_TLOCK2: +@@ -242,6 +240,7 @@ static void npcm7xx_gpio_regs_write(void *opaque, hwaddr addr, uint64_t v, + case NPCM7XX_GPIO_PU: + case NPCM7XX_GPIO_PD: + case NPCM7XX_GPIO_IEM: ++ diff = s->regs[reg] ^ value; + s->regs[reg] = value; + npcm7xx_gpio_update_pins(s, diff); + break; +-- +2.33.0 + diff --git a/hw-intc-arm_gicv3_cpuif-Don-t-downgrade-monitor-trap.patch b/hw-intc-arm_gicv3_cpuif-Don-t-downgrade-monitor-trap.patch new file mode 100644 index 0000000000000000000000000000000000000000..45fca24b9448ce4e7436f7f272685a4ba1ea9b8e --- /dev/null 
+++ b/hw-intc-arm_gicv3_cpuif-Don-t-downgrade-monitor-trap.patch @@ -0,0 +1,73 @@ +From e03c56464bedc8dc78b2afa43b975cdb7a5897d9 Mon Sep 17 00:00:00 2001 +From: lijunwei +Date: Tue, 14 Oct 2025 15:04:01 +0800 +Subject: [PATCH] hw/intc/arm_gicv3_cpuif: Don't downgrade monitor traps + for AArch32 EL3 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + + In the gicv3_{irq,fiq,irqfiq}_access() functions, there is a check + which downgrades a CP_ACCESS_TRAP_EL3 to CP_ACCESS_TRAP if EL3 is not + AArch64. This has been there since the GIC was first implemented, + but it isn't right: if we are trapping because of SCR.IRQ or SCR.FIQ + then we definitely want to be going to EL3 (doing + AArch32.TakeMonitorTrapException() in pseudocode terms). We might + want to not take a trap at all, but we don't ever want to go to the + default target EL, because that would mean, for instance, taking a + trap to Hyp mode if the trapped access was made from Hyp mode. + + (This might have been an attempt to work around our failure to + properly implement Monitor Traps.) + + Remove the bogus check. + + Cc: qemu-stable@nongnu.org + Fixes: 359fbe65 ("hw/intc/arm_gicv3: Implement GICv3 CPU interface registers") + Signed-off-by: default avatarPeter Maydell + Reviewed-by: default avatarAlex Bennée + Reviewed-by: default avatarRichard Henderson + Message-id: 20250130182309.717346-7-peter.maydell@linaro.org + (cherry picked from commit d04c6c3c) + 
Signed-off-by: default avatarMichael Tokarev +--- + hw/intc/arm_gicv3_cpuif.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c +index a013510074..27458d2b8a 100644 +--- a/hw/intc/arm_gicv3_cpuif.c ++++ b/hw/intc/arm_gicv3_cpuif.c +@@ -2098,9 +2098,6 @@ static CPAccessResult gicv3_irqfiq_access(CPUARMState *env, + } + } + +- if (r == CP_ACCESS_TRAP_EL3 && !arm_el_is_aa64(env, 3)) { +- r = CP_ACCESS_TRAP; +- } + return r; + } + +@@ -2163,9 +2160,6 @@ static CPAccessResult gicv3_fiq_access(CPUARMState *env, + } + } + +- if (r == CP_ACCESS_TRAP_EL3 && !arm_el_is_aa64(env, 3)) { +- r = CP_ACCESS_TRAP; +- } + return r; + } + +@@ -2202,9 +2196,6 @@ static CPAccessResult gicv3_irq_access(CPUARMState *env, + } + } + +- if (r == CP_ACCESS_TRAP_EL3 && !arm_el_is_aa64(env, 3)) { +- r = CP_ACCESS_TRAP; +- } + return r; + } + +-- +2.33.0 + diff --git a/hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch b/hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch new file mode 100644 index 0000000000000000000000000000000000000000..36137592dcf5a76ecd0845aab6da17242bcaf8c0 --- /dev/null +++ b/hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch 
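Review bot: The trailers in this patch file carry forge UI text fused into the names, e.g. `Signed-off-by: default avatarPeter Maydell` and `Reviewed-by: default avatarAlex Bennée`, which was copied from the web commit view along with the message. The same artefact appears in the hw-usb-hcd-xhci, meson-Remove-CONFIG_STATX, meson-Use-has_header_symbol and migration-fix-SEEK_CUR patch files in this commit; regenerating them with `git format-patch` from the cherry-picked commits restores clean `Signed-off-by: Peter Maydell` style trailers.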
@@ -0,0 +1,73 @@ +From a7002fbaa0a8a88d5e57bf9cd981dcf70fb0cf5a Mon Sep 17 00:00:00 2001 +From: Peter Maydell +Date: Mon, 15 Sep 2025 14:29:10 +0100 +Subject: [PATCH] hw/usb/hcd-uhci: don't assert for SETUP to non-0 + endpoint(CVE-2024-8354) + +If the guest feeds invalid data to the UHCI controller, we +can assert: +qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed. + +(see issue 2548 for the repro case). This happens because the guest +attempts USB_TOKEN_SETUP to an endpoint other than 0, which is not +valid. The controller code doesn't catch this guest error, so +instead we hit the assertion in the USB core code. + +Catch the case of SETUP to non-zero endpoint, and treat it as a fatal +error in the TD, in the same way we do for an invalid PID value in +the TD. + +This is the UHCI equivalent of the same bug in OHCI that we fixed in +commit 3c3c233677 ("hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or +OUT"). + +This bug has been tracked as CVE-2024-8354. 
+ +Cc: qemu-stable@nongnu.org +Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2548 +Signed-off-by: Peter Maydell +Reviewed-by: Michael Tokarev +--- + hw/usb/hcd-uhci.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c +index a92581ff5f..4ed30c59c7 100644 +--- a/hw/usb/hcd-uhci.c ++++ b/hw/usb/hcd-uhci.c +@@ -763,6 +763,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr, + bool spd; + bool queuing = (q != NULL); + uint8_t pid = td->token & 0xff; ++ uint8_t ep_id = (td->token >> 15) & 0xf; + UHCIAsync *async; + + async = uhci_async_find_td(s, td_addr); +@@ -806,9 +807,14 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr, + + switch (pid) { + case USB_TOKEN_OUT: +- case USB_TOKEN_SETUP: + case USB_TOKEN_IN: + break; ++ case USB_TOKEN_SETUP: ++ /* SETUP is only valid to endpoint 0 */ ++ if (ep_id == 0) { ++ break; ++ } ++ /* fallthrough */ + default: + /* invalid pid : frame interrupted */ + s->status |= UHCI_STS_HCPERR; +@@ -855,7 +861,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr, + return uhci_handle_td_error(s, td, td_addr, USB_RET_NODEV, + int_mask); + } +- ep = usb_ep_get(dev, pid, (td->token >> 15) & 0xf); ++ ep = usb_ep_get(dev, pid, ep_id); + q = uhci_queue_new(s, qh_addr, td, ep); + } + async = uhci_async_alloc(q, td_addr); +-- +2.33.0 + diff --git a/hw-usb-hcd-xhci-Unmap-canceled-packet.patch b/hw-usb-hcd-xhci-Unmap-canceled-packet.patch new file mode 100644 index 0000000000000000000000000000000000000000..27e42f81b4f640e3a4a11bf00e8bcce12d2ccef6 --- /dev/null +++ b/hw-usb-hcd-xhci-Unmap-canceled-packet.patch 
@@ -0,0 +1,64 @@ +From 04c9b45704f42bd398407acc3e2d3749ac5c00b7 Mon Sep 17 00:00:00 2001 +From: luowei +Date: Wed, 6 Aug 2025 10:26:27 +0800 +Subject: [PATCH] hw/usb/hcd-xhci: Unmap canceled packet cheery-pick from + aca4967567aaa168ce51d54145ba970aafb135de +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When the Stop Endpoint Command is received, packets running +asynchronously are canceled and then all packets are cleaned up. Packets +running asynchronously hold the DMA mapping so cleaning the packets leak +the mapping. Remove the mapping after canceling packets to fix the leak. + +Fixes: 62c6ae04 ("xhci: Initial xHCI implementation") +Signed-off-by: default avatarAkihiko Odaki +Reviewed-by: default avatarPhilippe Mathieu-Daudé +Message-ID: <20250418-xhc-v1-1-bb32dab6a67e@daynix.com> +Signed-off-by: default avatarPhilippe Mathieu-Daudé +--- + hw/usb/hcd-xhci.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index 4b60114207..3413a36ebe 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -1190,6 +1190,12 @@ static void xhci_ep_free_xfer(XHCITransfer *xfer) + g_free(xfer); + } + ++static void xhci_xfer_unmap(XHCITransfer *xfer) ++{ ++ usb_packet_unmap(&xfer->packet, &xfer->sgl); ++ qemu_sglist_destroy(&xfer->sgl); ++} ++ + static int xhci_ep_nuke_one_xfer(XHCITransfer *t, TRBCCode report) + { + int killed = 0; +@@ -1201,6 +1207,7 @@ static int xhci_ep_nuke_one_xfer(XHCITransfer *t, TRBCCode report) + + if (t->running_async) { + usb_cancel_packet(&t->packet); ++ xhci_xfer_unmap(t); + t->running_async = 0; + killed = 1; + } +@@ -1483,12 +1490,6 @@ err: + return -1; + } + +-static void xhci_xfer_unmap(XHCITransfer *xfer) +-{ +- usb_packet_unmap(&xfer->packet, &xfer->sgl); +- qemu_sglist_destroy(&xfer->sgl); +-} +- + static void xhci_xfer_report(XHCITransfer *xfer) + { + uint32_t edtla = 0; +-- +2.33.0 + 
diff --git a/hw-vfio-migration-Fix-vfio-migration-isn-t-aborted-i.patch b/hw-vfio-migration-Fix-vfio-migration-isn-t-aborted-i.patch new file mode 100644 index 0000000000000000000000000000000000000000..7592c6e3436b6392f0a89d5a356f419ab3300247 --- /dev/null +++ b/hw-vfio-migration-Fix-vfio-migration-isn-t-aborted-i.patch 
@@ -0,0 +1,57 @@ +From 6bba3fc99e393c8bdec27ce671f124d18b5642ff Mon Sep 17 00:00:00 2001 +From: Kunkun Jiang +Date: Sun, 28 Sep 2025 15:43:12 +0800 +Subject: [PATCH] hw/vfio/migration: Fix vfio migration isn't aborted in a + corner case + +In the final stage of vfio migration, the destination VM will execute +vm_start + vfio_vmstate_change + vfio_migration_set_state +At this time, vfio_migration_set_state may return failure. For example, +the device is in the reset process due to some hardware problems. In +this case, the vfio migration should be aborted, but the current logic +does not abort. Instead, it continues to execute, which will cause +Unpredictable impact. This patch fixes this case. + +Signed-off-by: Kunkun Jiang +--- + hw/vfio/migration.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/hw/vfio/migration.c b/hw/vfio/migration.c +index b81cb7e23b..8c27298477 100644 +--- a/hw/vfio/migration.c ++++ b/hw/vfio/migration.c +@@ -720,7 +720,7 @@ static void vfio_vmstate_change_prepare(void *opaque, bool running, + static void vfio_vmstate_change(void *opaque, bool running, RunState state) + { + VFIODevice *vbasedev = opaque; +- enum vfio_device_mig_state new_state; ++ enum vfio_device_mig_state new_state, pre_state; + int ret; + + if (running) { +@@ -733,6 +733,8 @@ static void vfio_vmstate_change(void *opaque, bool running, RunState state) + VFIO_DEVICE_STATE_STOP; + } + ++ pre_state = vbasedev->migration->device_state; ++ + /* + * If setting the device in new_state fails, the device should be reset. + * To do so, use ERROR state as a recover state. +@@ -747,6 +749,10 @@ static void vfio_vmstate_change(void *opaque, bool running, RunState state) + if (migrate_get_current()->to_dst_file) { + qemu_file_set_error(migrate_get_current()->to_dst_file, ret); + } ++ ++ if (pre_state == VFIO_DEVICE_STATE_RESUMING) { ++ exit(EXIT_FAILURE); ++ } + } + + trace_vfio_vmstate_change(vbasedev->name, running, RunState_str(state), +-- +2.33.0 + 
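Review bot: The added `exit(EXIT_FAILURE)` in vfio_vmstate_change() terminates the destination process from inside a VM state change callback without a message of its own, so an operator only sees the earlier set_state error and not why QEMU disappeared. Emit the reason first, e.g. `error_report("%s: failed to set device state while resuming, aborting", vbasedev->name);` (error_report is presumably already available in this file), and add a comment above the check explaining that on the destination there is no to_dst_file through which the migration can be failed, which is what makes an abort the only option. The `pre_state` snapshot is taken after the prepare path has run and before the set_state call, so please confirm it still reflects RESUMING in the case the commit message describes. vfio_vmstate_change() continues outside the hunk.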
diff --git a/meson-Remove-CONFIG_STATX-and-CONFIG_STATX_MNT_ID.patch b/meson-Remove-CONFIG_STATX-and-CONFIG_STATX_MNT_ID.patch new file mode 100644 index 0000000000000000000000000000000000000000..27c54d13fabb765387ec25a8361881060279a718 --- /dev/null +++ b/meson-Remove-CONFIG_STATX-and-CONFIG_STATX_MNT_ID.patch 
@@ -0,0 +1,54 @@ +From 19702630b27b96aa48b1acd4e4c9a22a6dfb444e Mon Sep 17 00:00:00 2001 +From: lijunwei +Date: Tue, 23 Sep 2025 16:02:55 +0800 +Subject: [PATCH] meson: Remove CONFIG_STATX and CONFIG_STATX_MNT_ID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CONFIG_STATX and CONFIG_STATX_MNT_ID are not used since commit +e0dc2631 ("virtiofsd: Remove source"). + +Cc: qemu-stable@nongnu.org +Signed-off-by: default avatarAkihiko Odaki +Reviewed-by: default avatarPhilippe Mathieu-Daudé +Tested-by: default avatarPhilippe Mathieu-Daudé +Message-ID: <20250424-buildsys-v1-2-97655e3b25d7@daynix.com> +Signed-off-by: default avatarPhilippe Mathieu-Daudé +(cherry picked from commit 6804b89f) +Signed-off-by: default avatarMichael Tokarev +--- + meson.build | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/meson.build b/meson.build +index d221f5cad5..66c66c1ada 100644 +--- a/meson.build ++++ b/meson.build +@@ -1921,14 +1921,6 @@ gnu_source_prefix = ''' + #endif + ''' + +-# Check whether the glibc provides STATX_BASIC_STATS +- +-has_statx = cc.has_header_symbol('sys/stat.h', 'STATX_BASIC_STATS', prefix: gnu_source_prefix) +- +-# Check whether statx() provides mount ID information +- +-has_statx_mnt_id = cc.has_header_symbol('sys/stat.h', 'STATX_MNT_ID', prefix: gnu_source_prefix) +- + have_vhost_user_blk_server = get_option('vhost_user_blk_server') \ + .require(targetos == 'linux', + error_message: 'vhost_user_blk_server requires linux') \ +@@ -2304,8 +2296,6 @@ config_host_data.set('CONFIG_CRYPTO_SM3', crypto_sm3.found()) + config_host_data.set('CONFIG_HOGWEED', hogweed.found()) + config_host_data.set('CONFIG_QEMU_PRIVATE_XTS', xts == 'private') + config_host_data.set('CONFIG_MALLOC_TRIM', has_malloc_trim) +-config_host_data.set('CONFIG_STATX', has_statx) +-config_host_data.set('CONFIG_STATX_MNT_ID', has_statx_mnt_id) + config_host_data.set('CONFIG_ZSTD', zstd.found()) + config_host_data.set('CONFIG_QPL', 
qpl.found()) + config_host_data.set('CONFIG_UADK', uadk.found()) +-- +2.33.0 + diff --git a/meson-Use-has_header_symbol-to-check-getcpu.patch b/meson-Use-has_header_symbol-to-check-getcpu.patch new file mode 100644 index 0000000000000000000000000000000000000000..00f0dbc474dffb1412d669d749312bf42f65cec0 --- /dev/null +++ b/meson-Use-has_header_symbol-to-check-getcpu.patch @@ -0,0 +1,50 @@ +From ddd158c60e9af53567067798eaf3996b012c3a20 Mon Sep 17 00:00:00 2001 +From: lijunwei +Date: Tue, 14 Oct 2025 15:00:01 +0800 +Subject: [PATCH] meson: Use has_header_symbol() to check getcpu() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The use of gnu_source_prefix in the detection of getcpu() was +ineffective because the header file that declares getcpu() when +_GNU_SOURCE is defined was not included. Pass sched.h to +has_header_symbol() so that the existence of the declaration will be +properly checked. + +Cc: qemu-stable@nongnu.org +Signed-off-by: default avatarAkihiko Odaki +Reviewed-by: default avatarPhilippe Mathieu-Daudé +Tested-by: default avatarPhilippe Mathieu-Daudé +Message-ID: <20250424-buildsys-v1-1-97655e3b25d7@daynix.com> +Signed-off-by: default avatarPhilippe Mathieu-Daudé +(cherry picked from commit 563cd698) +Signed-off-by: default avatarMichael Tokarev ')) + # Note that we need to specify prefix: here to avoid incorrectly + # thinking that Windows has posix_memalign() +@@ -2427,6 +2426,8 @@ config_host_data.set('CONFIG_FALLOCATE_ZERO_RANGE', + config_host_data.set('CONFIG_FIEMAP', + cc.has_header('linux/fiemap.h') and + cc.has_header_symbol('linux/fs.h', 'FS_IOC_FIEMAP')) ++config_host_data.set('CONFIG_GETCPU', ++ cc.has_header_symbol('sched.h', 'getcpu', prefix: gnu_source_prefix)) + config_host_data.set('CONFIG_GETRANDOM', + cc.has_function('getrandom') and + cc.has_header_symbol('sys/random.h', 'GRND_NONBLOCK')) +-- +2.33.0 + 
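Review bot: The getcpu patch file appears incomplete: the trailer `Signed-off-by: default avatarMichael Tokarev` runs straight into `'))` with no `---` diffstat separator, no `diff --git a/meson.build b/meson.build` header and no `@@` hunk header for the context that follows, so `git am` would reject it as-is. If this is not an artefact of how the page was rendered, regenerate the file with `git format-patch` from the cherry-picked commit and verify that both meson.build hunks (the removed ineffective check and the added CONFIG_GETCPU line) are present.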
diff --git a/migration-fix-SEEK_CUR-offset-calculation-in-qio_cha.patch b/migration-fix-SEEK_CUR-offset-calculation-in-qio_cha.patch new file mode 100644 index 0000000000000000000000000000000000000000..4d8eb2f0e529858904883e2499ff3e60363ec158 --- /dev/null +++ b/migration-fix-SEEK_CUR-offset-calculation-in-qio_cha.patch @@ -0,0 +1,41 @@ +From 47d070644db6fd423da4e01728d91117180b7908 Mon Sep 17 00:00:00 2001 +From: lijunwei +Date: Tue, 14 Oct 2025 15:13:40 +0800 +Subject: [PATCH] migration: fix SEEK_CUR offset calculation in + qio_channel_block_seek +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The SEEK_CUR case in qio_channel_block_seek was incorrectly using the +'whence' parameter instead of the 'offset' parameter when calculating the +new position. + +Fixes: 65cf200a ("migration: introduce a QIOChannel impl for BlockDriverState VMState") +Signed-off-by: default avatarMarco Cavenati +Reviewed-by: default avatarDaniel P. Berrangé +Reviewed-by: default avatarMichael Tokarev +Message-ID: <20250326162230.3323199-1-Marco.Cavenati@eurecom.fr> +Signed-off-by: default avatarFabiano Rosas +(cherry picked from commit c0b32426) +Signed-off-by: default avatarMichael Tokarev +--- + migration/channel-block.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/migration/channel-block.c b/migration/channel-block.c +index fff8d87094..b0477f5b6d 100644 +--- a/migration/channel-block.c ++++ b/migration/channel-block.c +@@ -123,7 +123,7 @@ qio_channel_block_seek(QIOChannel *ioc, + bioc->offset = offset; + break; + case SEEK_CUR: +- bioc->offset += whence; ++ bioc->offset += offset; + break; + case SEEK_END: + error_setg(errp, "Size of VMstate region is unknown"); +-- +2.33.0 + diff --git a/pci-msix-Fix-msix-pba-read-vector-poll-end-calculati.patch b/pci-msix-Fix-msix-pba-read-vector-poll-end-calculati.patch new file mode 100644 index 0000000000000000000000000000000000000000..0915bef5f79e2b1ce1fa5d5c5a123a145008af72 
--- /dev/null +++ b/pci-msix-Fix-msix-pba-read-vector-poll-end-calculati.patch @@ -0,0 +1,42 @@ +From dea0186756336e64133f2613cbb9bda1d5fb6515 Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Thu, 31 Jul 2025 22:34:38 -0400 +Subject: [PATCH] pci/msix: Fix msix pba read vector poll end calculation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 27c41db3f5bdfa40729ec749603e006e57c1e6ef + +The end vector calculation has a bug that results in polling fewer +than required vectors when reading at a non-zero offset in PBA memory. + +Fixes: bbef882cc193 ("msi: add API to get notified about pending bit poll") +Signed-off-by: Nicholas Piggin +Message-Id: <20241212120402.1475053-1-npiggin@gmail.com> +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 42e2a7a0ab23784e44fcb18369e06067abc89305) +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + hw/pci/msix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/pci/msix.c b/hw/pci/msix.c +index cd817f4ca8..057a1305cd 100644 +--- a/hw/pci/msix.c ++++ b/hw/pci/msix.c +@@ -250,7 +250,7 @@ static uint64_t msix_pba_mmio_read(void *opaque, hwaddr addr, + PCIDevice *dev = opaque; + if (dev->msix_vector_poll_notifier) { + unsigned vector_start = addr * 8; +- unsigned vector_end = MIN(addr + size * 8, dev->msix_entries_nr); ++ unsigned vector_end = MIN((addr + size) * 8, dev->msix_entries_nr); + dev->msix_vector_poll_notifier(dev, vector_start, vector_end); + } + +-- +2.33.0 + diff --git a/physmem-fix-qemu_ram_alloc_from_fd-size-calculation.patch b/physmem-fix-qemu_ram_alloc_from_fd-size-calculation.patch new file mode 100644 index 0000000000000000000000000000000000000000..bc9bfb2112f55f27ca3ce3ae15b5170574d8ce4f --- /dev/null +++ b/physmem-fix-qemu_ram_alloc_from_fd-size-calculation.patch 
@@ -0,0 +1,61 @@ +From ec16a25f34ac8d2de561766e1d3ece6601ec9374 Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Thu, 31 Jul 2025 22:42:08 -0400 +Subject: [PATCH] physmem: fix qemu_ram_alloc_from_fd size calculation + +cheery-pick from 4afd17ebcc6a9412ba8009410e448a00af45f05b + +qemu_ram_alloc_from_fd allocates space if file_size == 0. If non-zero, +it uses the existing space and verifies it is large enough, but the +verification was broken when the offset parameter was introduced. As +a result, a file smaller than offset passes the verification and causes +errors later. Fix that, and update the error message to include offset. + +Peter provides this concise reproducer: + + $ touch ramfile + $ truncate -s 64M ramfile + $ ./qemu-system-x86_64 -object memory-backend-file,mem-path=./ramfile,offset=128M,size=128M,id=mem1,prealloc=on + qemu-system-x86_64: qemu_prealloc_mem: preallocating memory failed: Bad address + +With the fix, the error message is: + qemu-system-x86_64: mem1 backing store size 0x4000000 is too small for 'size' option 0x8000000 plus 'offset' option 0x8000000 + +Cc: qemu-stable@nongnu.org +Fixes: 4b870dc4d0c0 ("hostmem-file: add offset option") +Signed-off-by: Steve Sistare +Reviewed-by: Peter Xu +Acked-by: David Hildenbrand +Link: https://lore.kernel.org/r/1736967650-129648-3-git-send-email-steven.sistare@oracle.com +Signed-off-by: Fabiano Rosas +(cherry picked from commit 719168fba7c3215cc996dcfd32a6e5e9c7b8eee0) +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + system/physmem.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/system/physmem.c b/system/physmem.c +index 8f4be2d131..e862f99ff6 100644 +--- a/system/physmem.c ++++ b/system/physmem.c +@@ -1945,10 +1945,12 @@ RAMBlock *qemu_ram_alloc_from_fd(ram_addr_t size, MemoryRegion *mr, + + size = HOST_PAGE_ALIGN(size); + file_size = get_file_size(fd); +- if (file_size > offset && file_size < (offset + size)) { +- error_setg(errp, "backing store size 
0x%" PRIx64 +- " does not match 'size' option 0x" RAM_ADDR_FMT, +- file_size, size); ++ if (file_size && file_size < offset + size) { ++ error_setg(errp, "%s backing store size 0x%" PRIx64 ++ " is too small for 'size' option 0x" RAM_ADDR_FMT ++ " plus 'offset' option 0x%" PRIx64, ++ memory_region_name(mr), file_size, size, ++ (uint64_t)offset); + return NULL; + } + +-- +2.33.0 + diff --git a/qemu.spec b/qemu.spec index 24015b9955b682fda3907f0a8828cd4d8379e252..f752e6d9d272ba3498fe34ca7c7c15583d1ac5b6 100644 --- a/qemu.spec +++ b/qemu.spec @@ -3,7 +3,7 @@ Name: qemu Version: 8.2.0 -Release: 41 +Release: 50 Epoch: 11 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 
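Review bot: The new condition `file_size < offset + size` can be bypassed by arithmetic wrap: `offset` comes from the user-supplied `offset=` option shown in the reproducer and `size` has already been page-aligned, so an `offset` near the top of the type's range makes `offset + size` wrap to a small value, the undersized backing file passes the check, and the same late failure the commit is meant to prevent happens anyway. An explicit overflow guard such as `if (file_size && (offset + size < offset || file_size < offset + size))` closes it (the declared types of `offset` and `size` are outside the hunk; use the comparison form that is defined for whichever is wider). The rest of qemu_ram_alloc_from_fd is outside the hunk.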
@@ -1019,7 +1019,88 @@ Patch1002: hw-riscv-virt-acpi-build.c-Generate-SPCR-table.patch Patch1003: hw-riscv-virt-acpi-build.c-Add-SRAT-and-SLIT-ACPI-ta.patch Patch1004: plugins-loader-fix-deadlock-when-resetting-uninstall.patch Patch1005: smbios-Fix-buffer-overrun-when-using-path-option.patch - +Patch1006: migration-show-error-message-when-postcopy-fails.patch +Patch1007: docs-about-emulation-Fix-broken-link.patch +Patch1008: update-include-hw-xen-arch_hvm.h.patch +Patch1009: hw-display-qxl-render-fix-qxl_unpack_chunks-chunk-si.patch +Patch1010: hw-i386-amd_iommu-Assign-pci-id-0x1419-for-the-AMD-I.patch +Patch1011: amd_iommu-Use-correct-bitmask-to-set-capability-BAR.patch +Patch1012: amd_iommu-Use-correct-DTE-field-for-interrupt-passth.patch +Patch1013: tcg-Reset-data_gen_ptr-correctly.patch +Patch1014: hw-virtio-fix-Werror-maybe-uninitialized.patch +Patch1015: util-timer-fix-Werror-maybe-uninitialized-false-posi.patch +Patch1016: hw-qxl-fix-Werror-maybe-uninitialized-false-positive.patch +Patch1017: nbd-fix-Werror-maybe-uninitialized-false-positive.patch +Patch1018: block-mirror-fix-Werror-maybe-uninitialized-false-po.patch +Patch1019: hw-ahci-fix-Werror-maybe-uninitialized-false-positiv.patch +Patch1020: hw-sdhci-fix-Werror-maybe-uninitialized-false-positi.patch +Patch1021: migration-fix-Werror-maybe-uninitialized-false-posit.patch +Patch1022: qemu-img-improve-queue-depth-validation-in-img_bench.patch +Patch1023: qemu-img-fix-division-by-zero-in-bench_cb-for-zero-s.patch +Patch1024: target-i386-cpu-set-correct-supported-XCR0-features-.patch +Patch1025: target-i386-do-not-rely-on-ExtSaveArea-for-accelerat.patch +Patch1026: target-i386-return-bool-from-x86_cpu_filter_features.patch +Patch1027: target-i386-add-AVX10-feature-and-AVX10-version-prop.patch +Patch1028: target-i386-add-CPUID.24-features-for-AVX10.patch +Patch1029: target-i386-Add-feature-dependencies-for-AVX10.patch +Patch1030: target-i386-Add-AVX512-state-when-AVX10-is-supported.patch +Patch1031: 
target-i386-Introduce-GraniteRapids-v2-model.patch +Patch1032: i386-cpu-Mark-avx10_version-filtered-when-prefix-is-.patch +Patch1033: target-i386-add-avx-vnni-int16-feature.patch +Patch1034: block-stream-fix-Werror-maybe-uninitialized-false-po.patch +Patch1035: migration-fix-Werror-maybe-uninitialized-false-posit2.patch +Patch1036: hw-ssi-xilinx_spips-Fix-flash-erase-assert-in-dual-p.patch +Patch1037: hw-nvme-cap-MDTS-value-for-internal-limitation.patch +Patch1038: accel-kvm-Make-kvm_has_guest_debug-static.patch +Patch1039: target-arm-tcg-Including-missing-exec-exec-all.h-hea.patch +Patch1040: system-qtest-Include-missing-hw-core-cpu.h-header.patch +Patch1041: qemu-options-Clarify-handling-of-commas-in-options-p.patch +Patch1042: tests-unit-test-qmp-event-Drop-superfluous-mutex.patch +Patch1043: configure-use-a-native-non-cross-compiler-for-linux-.patch +Patch1044: target-riscv-kvm-do-not-use-non-portable-strerrornam.patch +Patch1045: qemu-options-Unify-the-help-entries-for-cocoa.patch +Patch1046: virtio-rng-Check-notifier-helpers-for-VIRTIO_CONFIG_.patch +Patch1047: vhost-scsi-fix-usage-of-error_reportf_err.patch +Patch1048: esp-check-for-NULL-result-from-scsi_device_find.patch +Patch1049: migration-fix-coverity-migrate_mode-finding.patch +Patch1050: hw-core-cpu-Remove-final-vestiges-of-dynamic-state-t.patch +Patch1051: target-riscv-Fix-mcycle-minstret-increment-behavior.patch +Patch1052: chardev-char.c-fix-abstract-device-type-error-messag.patch +Patch1053: hw-net-cadence_gem-Fix-MDIO_OP_xxx-values.patch +Patch1054: Always-create-pflash-objects-and-register-properties.patch +Patch1055: vdpa-Allow-vDPA-to-work-on-big-endian-machine.patch +Patch1056: vfio-container-Replace-basename-with-g_path_get_base.patch +Patch1057: vfio-migration-Report-only-stop-copy-size-in-vfio_st.patch +Patch1058: vfio-pci-Clear-MSI-X-IRQ-index-always.patch +Patch1059: hw-arm-boot.c-Enforce-CCA-and-virtCCA-isolation.patch +Patch1060: 
block-qed-fix-use-after-free-by-nullifying-timer-poi.patch +Patch1061: hw-gpio-npcm7xx-fixup-out-of-bounds-access.patch +Patch1062: pci-msix-Fix-msix-pba-read-vector-poll-end-calculati.patch +Patch1063: physmem-fix-qemu_ram_alloc_from_fd-size-calculation.patch +Patch1064: s390x-s390-virtio-ccw-don-t-crash-on-weird-RAM-sizes.patch +Patch1065: ssh-Do-not-switch-session-to-non-blocking-mode.patch +Patch1066: target-ppc-Fix-mtDPDES-targeting-SMT-siblings.patch +Patch1067: target-ppc-Fix-non-maskable-interrupt-while-halted.patch +Patch1068: elfload-Fix-alignment-when-unmapping-excess-reservat.patch +Patch1069: target-s390x-Fix-MVC-not-always-invalidating-transla.patch +Patch1070: target-sparc-Fix-gdbstub-incorrectly-handling-regist.patch +Patch1071: virtio-net-Fix-size-check-in-dhclient-workaround.patch +Patch1072: vdpa-Fix-endian-bugs-in-shadow-virtqueue.patch +Patch1073: x86-loader-only-patch-linux-kernels.patch +Patch1074: target-ppc-Fix-e200-duplicate-SPRs.patch +Patch1075: vfio-container-For-CSV3-VM-only-register-listener-to.patch +Patch1076: target-riscv-kvm-update-the-KVM-regs-to-Linux-rvck-6.patch +Patch1077: target-riscv-kvm-Fix-exposure-of-Zkr.patch +Patch1078: hw-arm-virt-Introduce-a-IPIV-machine-option.patch +Patch1079: hw-vfio-migration-Fix-vfio-migration-isn-t-aborted-i.patch +Patch1080: common-user-host-riscv-use-tail-pseudoinstruction-fo.patch +Patch1081: meson-Remove-CONFIG_STATX-and-CONFIG_STATX_MNT_ID.patch +Patch1082: qga-fix-potentially-not-initialized-nr_volumes-in-qg.patch +Patch1083: hw-usb-hcd-uhci-don-t-assert-for-SETUP-to-non-0-endp.patch +Patch1084: hw-usb-hcd-xhci-Unmap-canceled-packet.patch +Patch1085: meson-Use-has_header_symbol-to-check-getcpu.patch +Patch1086: hw-intc-arm_gicv3_cpuif-Don-t-downgrade-monitor-trap.patch +Patch1087: migration-fix-SEEK_CUR-offset-calculation-in-qio_cha.patch BuildRequires: flex BuildRequires: gcc 
@@ -1082,6 +1163,8 @@ BuildRequires: qatzip-devel BuildRequires: intel-qpl-devel %endif +BuildRequires: glibc-static glib2-static zlib-static libatomic-static + # for upgrade from qemu-kvm Provides: qemu-kvm Obsoletes: qemu-kvm < 11:8.2.0 @@ -1205,6 +1288,26 @@ Requires: spice-gtk %description system-loongarch64 This package provides the QEMU system emulator for loongarch64. +%package user +Summary: Qemu-user +Requires: qemu +%description user +This package provides the QEMU user emulator for multi-arch. + +%package user-static +Summary: Qemu-user-static +%description user-static +This package provides the statically-linked QEMU user emulator for multi-arch. +These static emulators are particularly useful for container builds. + +%package user-binfmt +Summary: QEMU user mode emulation of qemu-user-static +Requires: systemd >= 197 +Requires(post): systemd +Requires(postun): systemd +%description user-binfmt +System level emulation of foreign architectures + %prep %setup -q -n qemu-%{version}%{?rcstr} %autopatch -p1 
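Review bot: The new `user-binfmt` subpackage ships the `qemu-*-dynamic.conf` binfmt entries, whose interpreter path is `%{_bindir}/qemu-<arch>` as generated in the `%install` changes further down, but its `%package` stanza declares only `Requires: systemd >= 197`; installing `user-binfmt` without the `user` subpackage registers interpreters that do not exist, and every foreign binary then fails at exec time. Add `Requires: %{name}-user = %{epoch}:%{version}-%{release}` to that stanza. Its `Summary: QEMU user mode emulation of qemu-user-static` is also misleading because the static confs are shipped by `user-static`; `Summary: systemd binfmt registration for the dynamic QEMU user emulators` describes what it actually contains.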
@@ -1212,26 +1315,41 @@ This package provides the QEMU system emulator for loongarch64. %build %ifarch x86_64 buildarch="x86_64-softmmu" -targetarch="aarch64-softmmu arm-softmmu riscv32-softmmu riscv64-softmmu" +targetarch="aarch64-softmmu arm-softmmu riscv32-softmmu riscv64-softmmu \ + aarch64-linux-user arm-linux-user riscv32-linux-user riscv64-linux-user" +usermode_emulator="qemu-aarch64 qemu-arm qemu-riscv32 qemu-riscv64" +usermode_static="qemu-aarch64-static qemu-arm-static qemu-riscv32-static qemu-riscv64-static" %endif %ifarch aarch64 buildarch="aarch64-softmmu" -targetarch="x86_64-softmmu arm-softmmu riscv32-softmmu riscv64-softmmu" +targetarch="x86_64-softmmu arm-softmmu riscv32-softmmu riscv64-softmmu \ + arm-linux-user riscv32-linux-user riscv64-linux-user" +usermode_emulator="qemu-arm qemu-riscv32 qemu-riscv64" +usermode_static="qemu-arm-static qemu-riscv32-static qemu-riscv64-static" %endif %ifarch ppc64le buildarch="ppc64-softmmu" -targetarch="x86_64-softmmu aarch64-softmmu arm-softmmu riscv32-softmmu riscv64-softmmu" +targetarch="x86_64-softmmu aarch64-softmmu arm-softmmu riscv32-softmmu riscv64-softmmu \ + aarch64-linux-user arm-linux-user riscv32-linux-user riscv64-linux-user" +usermode_emulator="qemu-aarch64 qemu-arm qemu-riscv32 qemu-riscv64" +usermode_static="qemu-aarch64-static qemu-arm-static qemu-riscv32-static qemu-riscv64-static" %endif %ifarch loongarch64 buildarch="loongarch64-softmmu" -targetarch="x86_64-softmmu aarch64-softmmu arm-softmmu riscv32-softmmu riscv64-softmmu" +targetarch="x86_64-softmmu aarch64-softmmu arm-softmmu riscv32-softmmu riscv64-softmmu \ + aarch64-linux-user arm-linux-user riscv32-linux-user riscv64-linux-user" +usermode_emulator="qemu-aarch64 qemu-arm qemu-riscv32 qemu-riscv64" +usermode_static="qemu-aarch64-static qemu-arm-static qemu-riscv32-static qemu-riscv64-static" %endif %ifarch riscv64 buildarch="riscv64-softmmu" -targetarch="x86_64-softmmu aarch64-softmmu arm-softmmu riscv32-softmmu" 
+targetarch="x86_64-softmmu aarch64-softmmu arm-softmmu riscv32-softmmu \ + aarch64-linux-user arm-linux-user riscv32-linux-user" +usermode_emulator="qemu-aarch64 qemu-arm qemu-riscv32" +usermode_static="qemu-aarch64-static qemu-arm-static qemu-riscv32-static" %endif buildldflags="VL_LDFLAGS=-Wl,--build-id" @@ -1308,6 +1426,48 @@ make %{?_smp_mflags} $buildldflags V=1 cp ${qemubuilddir}/${buildarch}/qemu-system-* qemu-kvm +# Independent static build for user mode emulators +# Dynamically generate static_targets from usermode_static +static_targets="" +for binary in $usermode_static; do + arch=$(echo $binary | sed 's/qemu-//' | sed 's/-static//') + static_targets="$static_targets $arch-linux-user" +done +# Remove leading space +static_targets=$(echo $static_targets | sed 's/^ *//') + +# Independent static build directory +mkdir -p static_builddir +cd static_builddir + +../configure \ + --prefix=%{_prefix} \ + --enable-attr \ + --enable-linux-user \ + --enable-pie \ + --enable-tcg \ + --disable-install-blobs \ + --target-list="$static_targets" \ + --static + +make %{?_smp_mflags} V=1 +cd .. + +# Generate file lists for user packages +for i in ${usermode_emulator}; do + echo "%{_bindir}/${i}" >> %{name}.user +done + +for binary in ${usermode_static}; do + echo "%{_bindir}/${binary}" >> %{name}.user-static +done + +# Create list of static binfmt configurations for %files section +for binary in ${usermode_static}; do + arch=$(echo $binary | sed 's/qemu-//' | sed 's/-static//') + echo "%{_exec_prefix}/lib/binfmt.d/qemu-${arch}-static.conf" >> %{name}.user-static-binfmt +done + %install make %{?_smp_mflags} DESTDIR=%{buildroot} \ 
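Review bot: The last loop in the `%build` hunk writes `%{name}.user-static-binfmt`, but nothing in this commit consumes that list; `%files user-static` instead ships the literal glob `%{_exec_prefix}/lib/binfmt.d/qemu-*-static.conf`, so the generated file is dead output and the two ways of naming the confs can drift apart unnoticed. Either drop the loop or use the list with `%files user-static -f %{name}.user-static -f %{name}.user-static-binfmt` and remove the glob. The transform `arch=$(echo $binary | sed 's/qemu-//' | sed 's/-static//')` also appears twice in this hunk; computing the arch list once (or deriving `usermode_static` from it) removes the duplication.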
@@ -1317,6 +1477,39 @@ make %{?_smp_mflags} DESTDIR=%{buildroot} \ install -m 0755 qemu-kvm %{buildroot}%{_libexecdir}/ ln -s %{_libexecdir}/qemu-kvm %{buildroot}/%{_bindir}/qemu-kvm +# Install user-static binaries +%define static_buildroot %{buildroot}/static/ +mkdir -p %{static_buildroot} + +pushd static_builddir +make DESTDIR=%{static_buildroot} install + +# Duplicates what the main build installs and we don't +# need second copy with a -static suffix +rm -f %{static_buildroot}%{_bindir}/qemu-trace-stap +popd +# back to root build directory + +# Rename all QEMU user emulators to have a -static suffix +for src in %{static_buildroot}%{_bindir}/qemu-*; do + mv $src %{buildroot}%{_bindir}/$(basename $src)-static; done + +rm -rf %{static_buildroot} + +# Install binfmt configuration files +%global binfmt_dir %{buildroot}%{_exec_prefix}/lib/binfmt.d +mkdir -p %{binfmt_dir} + +# Generate binfmt configuration for dynamic emulators +./scripts/qemu-binfmt-conf.sh --systemd ALL --exportdir %{binfmt_dir} --qemu-path %{_bindir} +for i in %{binfmt_dir}/*; do mv $i $(echo $i | sed 's/.conf/-dynamic.conf/'); done + +# Generate binfmt configuration for static emulators from dynamic ones +for regularfmt in %{binfmt_dir}/*; do + staticfmt="$(echo $regularfmt | sed 's/-dynamic/-static/g')" + cat $regularfmt | tr -d '\n' | sed "s/:$/-static:F/" > $staticfmt +done + install -D -p -m 0644 contrib/systemd/qemu-pr-helper.service %{buildroot}%{_unitdir}/qemu-pr-helper.service install -D -p -m 0644 contrib/systemd/qemu-pr-helper.socket %{buildroot}%{_unitdir}/qemu-pr-helper.socket install -D -p -m 0644 qemu.sasl %{buildroot}%{_sysconfdir}/sasl2/qemu.conf 
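Review bot: The static-conf generation `cat $regularfmt | tr -d '\n' | sed "s/:$/-static:F/" > $staticfmt` assumes every line emitted by `qemu-binfmt-conf.sh --systemd` ends in an empty flags field; should the script emit flags for any target, the substitution does not match and the `-static.conf` silently keeps the dynamic interpreter path and never gains the `F` (fix-binary) flag that makes the static emulators usable inside containers. Rewriting the interpreter field regardless of trailing flags, e.g. `sed -E 's/(qemu-[^:]*):([^:]*)$/\1-static:\2F/'`, and failing the build if `grep -q -- '-static:' "$staticfmt"` does not hold, makes the mismatch visible instead of silent. `tr -d '\n'` also leaves each generated file without a trailing newline; appending one (`echo >> $staticfmt`) keeps the files well-formed for tools that expect it.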
@@ -1621,7 +1814,127 @@ getent passwd qemu >/dev/null || \ %{_datadir}/%{name}/bios.bin %endif +%files user -f %{name}.user + +%files user-static -f %{name}.user-static +%license COPYING COPYING.LIB LICENSE +# Include static binfmt configurations +%{_exec_prefix}/lib/binfmt.d/qemu-*-static.conf + +%files user-binfmt +%defattr(-,root,root,-) +# user-binfmt provides systemd registration for binfmt_misc +%{_exec_prefix}/lib/binfmt.d/qemu-*-dynamic.conf + +%post user-binfmt +/bin/systemctl try-restart systemd-binfmt.service &>/dev/null || : + +%postun user-binfmt +/bin/systemctl try-restart systemd-binfmt.service &>/dev/null || : + %changelog +* Sat Oct 25 2025 huangyan - 11:8.2.0-50 +- Add qemu-user package for arm, aarch64, riscv32, riscv64 targets +- Add user-static, user-binfmt package for statically-linked QEMU user emulator + +* Fri Oct 24 2025 Pengrui Zhang - 11:8.2.0-49 +- common-user/host/riscv: use tail pseudoinstruction for calling tail +- meson: Remove CONFIG_STATX and CONFIG_STATX_MNT_ID +- qga: fix potentially not initialized nr_volumes in qga_vss_fsfreeze() +- hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint(CVE-2024-8354) +- hw/usb/hcd-xhci: Unmap canceled packet +- meson: Use has_header_symbol() to check getcpu() +- hw/intc/arm_gicv3_cpuif: Don't downgrade monitor traps for AArch32 EL3 +- migration: fix SEEK_CUR offset calculation in qio_channel_block_seek + +* Wed Oct 22 2025 Junqi Ma - 11:8.2.0-48 +- target/s390x: Fix MVC not always invalidating translation blocks +- target/sparc: Fix gdbstub incorrectly handling registers f32-f62 +- virtio-net: Fix size check in dhclient workaround +- vdpa: Fix endian bugs in shadow virtqueue +- x86/loader: only patch linux kernels +- target/ppc: Fix e200 duplicate SPRs +- vfio/container: For CSV3 VM, only register listener to shared_memory_listener list in vfio_connect_container() +- target/riscv/kvm: update the KVM regs to Linux rvck-6.6 +- target/riscv/kvm: Fix exposure of Zkr +- hw/arm/virt: Introduce a 
IPIV machine option +- hw/vfio/migration: Fix vfio migration isn't aborted in a corner case + +* Mon Oct 20 2025 Pengrui Zhang - 11:8.2.0-47 +- vdpa: Allow vDPA to work on big-endian machine +- vfio/container: Replace basename with g_path_get_basename +- vfio/migration: Report only stop-copy size in vfio_state_pending_exact() +- vfio/pci: Clear MSI-X IRQ index always +- hw/arm boot.c: Enforce CCA and virtCCA isolation. +- block/qed: fix use-after-free by nullifying timer pointer after free +- hw/gpio: npcm7xx: fixup out-of-bounds access +- pci/msix: Fix msix pba read vector poll end calculation +- physmem: fix qemu_ram_alloc_from_fd size calculation +- s390x/s390-virtio-ccw: don't crash on weird RAM sizes +- ssh: Do not switch session to non-blocking mode +- target/ppc: Fix mtDPDES targeting SMT siblings +- target/ppc: Fix non-maskable interrupt while halted +- elfload: Fix alignment when unmapping excess reservation +- +* Fri Sep 05 2025 Pengrui Zhang - 11:8.2.0-46 +- Always create pflash objects and register properties for QOM + +* Sat Aug 30 2025 Pengrui Zhang - 11:8.2.0-45 +- tests/unit/test-qmp-event: Drop superfluous mutex +- configure: use a native non-cross compiler for linux-user +- target/riscv/kvm: do not use non-portable strerrorname_np() +- qemu-options: Unify the help entries for cocoa +- virtio: rng: Check notifier helpers for VIRTIO_CONFIG_IRQ_IDX +- vhost-scsi: fix usage of error_reportf_err() +- esp: check for NULL result from scsi_device_find() +- migration: fix coverity migrate_mode finding +- hw/core/cpu: Remove final vestiges of dynamic state tracing +- target/riscv: Fix mcycle/minstret increment behavior +- chardev/char.c: fix "abstract device type" error message +- hw/net: cadence_gem: Fix MDIO_OP_xxx values + +* Sat Aug 30 2025 Pengrui Zhang - 11:8.2.0-44 +- qemu-img: fix division by zero in bench_cb() for zero-sized images +- target/i386: cpu: set correct supported XCR0 features for TCG +- target/i386: do not rely on ExtSaveArea for 
accelerator-supported XCR0 bits +- target/i386: return bool from x86_cpu_filter_features +- target/i386: add AVX10 feature and AVX10 version property +- target/i386: add CPUID.24 features for AVX10 +- target/i386: Add feature dependencies for AVX10 +- target/i386: Add AVX512 state when AVX10 is supported +- target/i386: Introduce GraniteRapids-v2 model +- i386/cpu: Mark avx10_version filtered when prefix is NULL +- target/i386: add avx-vnni-int16 feature +- block/stream: fix -Werror=maybe-uninitialized false-positives +- migration: fix -Werror=maybe-uninitialized false-positives +- hw/ssi/xilinx_spips: Fix flash erase assert in dual parallel configuration +- hw/nvme: cap MDTS value for internal limitation +- accel/kvm: Make kvm_has_guest_debug static +- vtarget/arm/tcg: Including missing 'exec/exec-all.h' header +- system/qtest: Include missing 'hw/core/cpu.h' header +- qemu-options: Clarify handling of commas in options parameters + +* Thu Aug 28 2025 Pengrui Zhang - 11:8.2.0-43 +- util/timer: fix -Werror=maybe-uninitialized false-positive +- hw/qxl: fix -Werror=maybe-uninitialized false-positives +- nbd: fix -Werror=maybe-uninitialized false-positive +- block/mirror: fix -Werror=maybe-uninitialized false-positive +- hw/ahci: fix -Werror=maybe-uninitialized false-positive +- hw/sdhci: fix -Werror=maybe-uninitialized false-positive +- migration: fix -Werror=maybe-uninitialized false-positive +- qemu-img: improve queue depth validation in img_bench + +* Wed Aug 27 2025 Pengrui Zhang - 11:8.2.0-42 +- migration: show error message when postcopy fails +- docs/about/emulation: Fix broken link +- update include/hw/xen/arch_hvm.h. 
+- hw/display/qxl-render: fix qxl_unpack_chunks() chunk size calculation +- hw/i386/amd_iommu: Assign pci-id 0x1419 for the AMD IOMMU device +- amd_iommu: Use correct bitmask to set capability BAR +- amd_iommu: Use correct DTE field for interrupt passthrough +- tcg: Reset data_gen_ptr correctly +- hw/virtio: fix -Werror=maybe-uninitialized + * Tue Aug 26 2025 Pengrui Zhang - 11:8.2.0-41 - target/i386/kvm: Refine VMX controls setting for backward compatibility - Bugfix: Correctly set vms->bootinfo.confidential in virtCCA senarios. diff --git a/qga-fix-potentially-not-initialized-nr_volumes-in-qg.patch b/qga-fix-potentially-not-initialized-nr_volumes-in-qg.patch new file mode 100644 index 0000000000000000000000000000000000000000..df3474850353982e462889941f0332bdba69a935 --- /dev/null +++ b/qga-fix-potentially-not-initialized-nr_volumes-in-qg.patch 
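Review bot: The changelog entry for 11:8.2.0-47 ends with a bare `-` bullet and runs straight into the `* Fri Sep 05 2025` header with no blank line between entries, and the -44 entry reads `vtarget/arm/tcg: Including missing 'exec/exec-all.h' header` where the patch it refers to is `target-arm-tcg-Including-missing-exec-exec-all.h-hea.patch`; both should be fixed so the entries stay parseable and correlate with the patch list. In the `%files` stanzas, `user-static` carries `%license COPYING COPYING.LIB LICENSE` but `user` and `user-binfmt` do not, so two of the three new subpackages install without their license text; repeat the `%license` line in each. The `%post`/`%postun` scriptlets for `user-binfmt` call `/bin/systemctl try-restart systemd-binfmt.service` directly; a comment such as `# re-read binfmt.d so the new qemu-*-dynamic.conf entries take effect without a reboot` records why a restart is used there.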
@@ -0,0 +1,61 @@ +From 78427e1c7669c60f3e0d3577830477b69dc498d2 Mon Sep 17 00:00:00 2001 +From: jipengfei +Date: Thu, 7 Aug 2025 15:32:21 +0200 +Subject: [PATCH] qga: fix potentially not initialized nr_volumes in + qga_vss_fsfreeze() + +In this function we could have this variable not initialized. If this +could be acceptable on error, the variable could be left not initialized +f.e. as follows: + +void requester_freeze(int *num_vols, void *mountpoints, ErrorSet *errset) +{ + ... + if (mountpoints) { + ... + if (num_mount_points == 0) { + /* If there is no valid mount points, just exit. */ + goto out; + } + } + ... + if (!mountpoints) { + ... + if (num_fixed_drives == 0) { + goto out; /* If there is no fixed drive, just exit. */ + } + } + ... +} + +Stay on safe side, initialize the variable at the beginning. + +cheery-pick from 42bdb911c22f9449f7a310efc73b70548ca42b24 + +Signed-off-by:jipengfei +Signed-off-by: Denis V. Lunev +CC: Kostiantyn Kostiuk +CC: Michael Roth +Reviewed-by: Kostiantyn Kostiuk +Link: https://lore.kernel.org/qemu-devel/20250807133221.1135453-1-den@openvz.org +Signed-off-by: Kostiantyn Kostiuk +--- + qga/vss-win32.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/qga/vss-win32.c b/qga/vss-win32.c +index f444a25a70..b272bfc782 100644 +--- a/qga/vss-win32.c ++++ b/qga/vss-win32.c +@@ -157,6 +157,8 @@ void qga_vss_fsfreeze(int *nr_volume, bool freeze, + .errp = errp, + }; + ++ *nr_volume = 0; ++ + g_assert(errp); /* requester.cpp requires it */ + func = (QGAVSSRequesterFunc)GetProcAddress(provider_lib, func_name); + if (!func) { +-- +2.33.0 + diff --git a/s390x-s390-virtio-ccw-don-t-crash-on-weird-RAM-sizes.patch b/s390x-s390-virtio-ccw-don-t-crash-on-weird-RAM-sizes.patch new file mode 100644 index 0000000000000000000000000000000000000000..385897e57d579321ae0dd8e43e1ff77bab44da2b --- /dev/null +++ b/s390x-s390-virtio-ccw-don-t-crash-on-weird-RAM-sizes.patch 
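Review bot: The new `*nr_volume = 0;` is an unconditional write through the out-parameter placed before the `g_assert(errp)` sanity check, with no equivalent guard on `nr_volume`; if callers may pass NULL it needs a check, and if they may not, a comment next to the assert, `/* nr_volume is an out-parameter every caller must supply */`, documents the contract alongside the existing one for errp. The trailer `Signed-off-by:jipengfei` lacks the space after the colon, so trailer-parsing tools will not recognise it as a sign-off; `Signed-off-by: jipengfei` is the accepted form. qga_vss_fsfreeze's body continues outside the hunk.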
@@ -0,0 +1,59 @@ +From c380600ce0baf141bfd94c1dfec5a6b4ea29024a Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Thu, 31 Jul 2025 22:51:14 -0400 +Subject: [PATCH] s390x/s390-virtio-ccw: don't crash on weird RAM sizes + +cheery-pick from f19312d014633e9ae942b75ead53333a4b2ec0c2 + +KVM is not happy when starting a VM with weird RAM sizes: + + # qemu-system-s390x --enable-kvm --nographic -m 1234K + qemu-system-s390x: kvm_set_user_memory_region: KVM_SET_USER_MEMORY_REGION + failed, slot=0, start=0x0, size=0x244000: Invalid argument + kvm_set_phys_mem: error registering slot: Invalid argument + Aborted (core dumped) + +Let's handle that in a better way by rejecting such weird RAM sizes +right from the start: + + # qemu-system-s390x --enable-kvm --nographic -m 1234K + qemu-system-s390x: ram size must be multiples of 1 MiB + +Message-ID: <20241219144115.2820241-2-david@redhat.com> +Acked-by: Michael S. Tsirkin +Reviewed-by: Eric Farman +Reviewed-by: Thomas Huth +Acked-by: Janosch Frank +Signed-off-by: David Hildenbrand +(cherry picked from commit 14e568ab4836347481af2e334009c385f456a734) +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + hw/s390x/s390-virtio-ccw.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c +index 7262725d2e..6e44c1dd6a 100644 +--- a/hw/s390x/s390-virtio-ccw.c ++++ b/hw/s390x/s390-virtio-ccw.c +@@ -176,6 +176,17 @@ static void s390_memory_init(MemoryRegion *ram) + { + MemoryRegion *sysmem = get_system_memory(); + ++ if (!QEMU_IS_ALIGNED(memory_region_size(ram), 1 * MiB)) { ++ /* ++ * SCLP cannot possibly expose smaller granularity right now and KVM ++ * cannot handle smaller granularity. As we don't support NUMA, the ++ * region size directly corresponds to machine->ram_size, and the region ++ * is a single RAM memory region. 
++ */ ++ error_report("ram size must be multiples of 1 MiB"); ++ exit(EXIT_FAILURE); ++ } ++ + /* allocate RAM for core */ + memory_region_add_subregion(sysmem, 0, ram); + +-- +2.33.0 + diff --git a/ssh-Do-not-switch-session-to-non-blocking-mode.patch b/ssh-Do-not-switch-session-to-non-blocking-mode.patch new file mode 100644 index 0000000000000000000000000000000000000000..2049e64d7d07cc51bdcf7e5763344de115c28ad7 --- /dev/null +++ b/ssh-Do-not-switch-session-to-non-blocking-mode.patch 
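Review bot: The new check terminates the process with `exit(EXIT_FAILURE)` from inside `s390_memory_init()` rather than returning through an error path, and the hunk adds no include while relying on `MiB` and `QEMU_IS_ALIGNED`; confirm that this 8.2 tree's s390-virtio-ccw.c already pulls in `qemu/units.h` (for `MiB`) so the backport does not depend on an incidental transitive include. Since the rejected size comes from the user's `-m` option, echoing it back helps, e.g. `error_report("ram size 0x%" PRIx64 " must be a multiple of 1 MiB", memory_region_size(ram));` (memory_region_size returns uint64_t upstream — verify the format specifier against this tree). s390_memory_init's body continues outside the hunk.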
@@ -0,0 +1,57 @@ +From fdd0468f6da2e8bd7ac1414a0150efc471fa1291 Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Fri, 1 Aug 2025 01:49:10 -0400 +Subject: [PATCH] ssh: Do not switch session to non-blocking mode + +cheery-pick from 6d52a53e7bd886e7852a6be9694901a23752c88f + +The libssh does not handle non-blocking mode in SFTP correctly. The +driver code already changes the mode to blocking for the SFTP +initialization, but for some reason changes to non-blocking mode. +This used to work accidentally until libssh in 0.11 branch merged +the patch to avoid infinite looping in case of network errors: + +https://gitlab.com/libssh/libssh-mirror/-/merge_requests/498 + +Since then, the ssh driver in qemu fails to read files over SFTP +as the first SFTP messages exchanged after switching the session +to non-blocking mode return SSH_AGAIN, but that message is lost +int the SFTP internals and interpretted as SSH_ERROR, which is +returned to the caller: + +https://gitlab.com/libssh/libssh-mirror/-/issues/280 + +This is indeed an issue in libssh that we should address in the +long term, but it will require more work on the internals. For +now, the SFTP is not supported in non-blocking mode. + +Fixes: https://gitlab.com/libssh/libssh-mirror/-/issues/280 +Signed-off-by: Jakub Jelen +Signed-off-by: Richard W.M. Jones +Message-ID: <20241113125526.2495731-1-rjones@redhat.com> +Reviewed-by: Kevin Wolf +Signed-off-by: Kevin Wolf +(cherry picked from commit fbdea3d6c13d5a75895c287a004c6f1a6bf6c164) +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + block/ssh.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/block/ssh.c b/block/ssh.c +index 2748253d4a..b2da9bb4c8 100644 +--- a/block/ssh.c ++++ b/block/ssh.c +@@ -860,9 +860,6 @@ static int ssh_file_open(BlockDriverState *bs, QDict *options, int bdrv_flags, + goto err; + } + +- /* Go non-blocking. 
*/ +- ssh_set_blocking(s->session, 0); +- + if (s->attrs->type == SSH_FILEXFER_TYPE_REGULAR) { + bs->supported_truncate_flags = BDRV_REQ_ZERO_WRITE; + } +-- +2.33.0 + diff --git a/target-ppc-Fix-e200-duplicate-SPRs.patch b/target-ppc-Fix-e200-duplicate-SPRs.patch new file mode 100644 index 0000000000000000000000000000000000000000..90264275de2da35f08e94f1e2816903b38246877 --- /dev/null +++ b/target-ppc-Fix-e200-duplicate-SPRs.patch @@ -0,0 +1,46 @@ +From 338823420b806247a98c1c6c2be3ac8a257a7eca Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Fri, 1 Aug 2025 02:03:45 -0400 +Subject: [PATCH] target/ppc: Fix e200 duplicate SPRs + +cheery-pick from d63f951f4746f080fbdc11e577f1fba931be8cdc + +DSRR0/1 registers are in the BookE ISA not e200 specific, so +remove the duplicate e200 register definitions. + +Cc: Roman Kapl +Cc: qemu-stable@nongnu.org +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2768 +Fixes: 0e3bf4890906 ("ppc: add DBCR based debugging") +Signed-off-by: Nicholas Piggin +(cherry picked from commit 73c0c904fc99e2ceecbbded84ec76d40d3f2daae) +(Mjt: context fix for + v9.0.0-935-g581eea5d656b "target/ppc: Split off common embedded TLB init") +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + target/ppc/cpu_init.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/target/ppc/cpu_init.c b/target/ppc/cpu_init.c +index 40fe14a6c2..c01a8c9a90 100644 +--- a/target/ppc/cpu_init.c ++++ b/target/ppc/cpu_init.c +@@ -2713,14 +2713,6 @@ static void init_proc_e200(CPUPPCState *env) + SPR_NOACCESS, SPR_NOACCESS, + &spr_read_generic, &spr_write_generic, + 0x00000000); /* TOFIX */ +- spr_register(env, SPR_BOOKE_DSRR0, "DSRR0", +- SPR_NOACCESS, SPR_NOACCESS, +- &spr_read_generic, &spr_write_generic, +- 0x00000000); +- spr_register(env, SPR_BOOKE_DSRR1, "DSRR1", +- SPR_NOACCESS, SPR_NOACCESS, +- &spr_read_generic, &spr_write_generic, +- 0x00000000); + #if !defined(CONFIG_USER_ONLY) + env->nb_tlb = 64; + env->nb_ways = 1; +-- +2.33.0 + 
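Review bot: Removing the `ssh_set_blocking(s->session, 0);` call leaves no trace in the code of why the session must stay blocking, so the reasoning in the commit message (libssh's SFTP layer mishandles non-blocking sessions) is invisible to the next person who tries to re-add it. A comment at the removal site, `/* Keep the session blocking: libssh's SFTP layer does not handle non-blocking mode (libssh-mirror issue 280). */`, preserves the rationale where it is needed. ssh_file_open's body continues outside the hunk.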
diff --git a/target-ppc-Fix-mtDPDES-targeting-SMT-siblings.patch b/target-ppc-Fix-mtDPDES-targeting-SMT-siblings.patch
new file mode 100644
index 0000000000000000000000000000000000000000..abea3d4ec4b70b2040c1716884ac99404d895e0b
--- /dev/null
+++ b/target-ppc-Fix-mtDPDES-targeting-SMT-siblings.patch
@@ -0,0 +1,42 @@
+From db48224bbd2364f557ad0b29adc52d7195f14411 Mon Sep 17 00:00:00 2001
+From: qihao_yewu
+Date: Fri, 1 Aug 2025 02:17:53 -0400
+Subject: [PATCH] target/ppc: Fix mtDPDES targeting SMT siblings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cheery-pick from a0f6b02792a3332c6d108f6eef002b97e30e4ab5
+
+A typo in the loop over SMT threads to set irq level for doorbells
+when storing to DPDES meant everything was aimed at the CPU executing
+the instruction.
+
+Cc: qemu-stable@nongnu.org
+Fixes: d24e80b2ae ("target/ppc: Add msgsnd/p and DPDES SMT support")
+Reviewed-by: Philippe Mathieu-Daudé
+Reviewed-by: Richard Henderson
+Signed-off-by: Nicholas Piggin
+(cherry picked from commit 0324d236d2918c18a9ad4a1081b1083965a1433b)
+Signed-off-by: Michael Tokarev
+Signed-off-by: qihao_yewu
+---
+ target/ppc/misc_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/ppc/misc_helper.c b/target/ppc/misc_helper.c
+index a05bdf78c9..a8d0501996 100644
+--- a/target/ppc/misc_helper.c
++++ b/target/ppc/misc_helper.c
+@@ -283,7 +283,7 @@ void helper_store_dpdes(CPUPPCState *env, target_ulong val)
+ PowerPCCPU *ccpu = POWERPC_CPU(ccs);
+ uint32_t thread_id = ppc_cpu_tir(ccpu);
+
+- ppc_set_irq(cpu, PPC_INTERRUPT_DOORBELL, val & (0x1 << thread_id));
++ ppc_set_irq(ccpu, PPC_INTERRUPT_DOORBELL, val & (0x1 << thread_id));
+ }
+ qemu_mutex_unlock_iothread();
+ }
+--
+2.33.0
+
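Review bot: `val & (0x1 << thread_id)` shifts a signed `int` constant by a `uint32_t` thread id, which is undefined behaviour in C once `thread_id` reaches 31 or more; computing the mask as `val & (1ULL << thread_id)` (or at minimum `1u <<`) keeps the expression defined for every value `ppc_cpu_tir()` can return, matching the `target_ulong` width of `val`. The hunk itself only corrects the `cpu`→`ccpu` target and is right as far as it goes; the sibling loop inside `helper_store_dpdes` starts and ends outside the hunk. The commit message's `cheery-pick from a0f6b027…` should read `cherry-pick`.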
diff --git a/target-ppc-Fix-non-maskable-interrupt-while-halted.patch b/target-ppc-Fix-non-maskable-interrupt-while-halted.patch new file mode 100644 index 0000000000000000000000000000000000000000..d9ee57d63e88044473ec8f307ebbde8fa15d3bcc --- /dev/null +++ b/target-ppc-Fix-non-maskable-interrupt-while-halted.patch 
@@ -0,0 +1,61 @@
+From fb3b1e10d05d62879e51d2221c199eb7b138eaa1 Mon Sep 17 00:00:00 2001
+From: qihao_yewu
+Date: Fri, 1 Aug 2025 02:25:13 -0400
+Subject: [PATCH] target/ppc: Fix non-maskable interrupt while halted
+
+cheery-pick from dec1eee77fc548049c8cb443a1f8176fa0c2d3c4
+
+The ppc (pnv and spapr) NMI injection code does not go through the
+asynchronous interrupt path and set a bit in env->pending_interrupts
+and raise an interrupt request that the cpu_exec() loop can see.
+Instead it injects the exception directly into registers.
+
+This can lead to cpu_exec() missing that the thread has work to do,
+if a NMI is injected while it was idle.
+
+Fix this by clearing halted when injecting the interrupt. Probably
+NMI injection should be reworked to use the interrupt request interface,
+but this seems to work as a minimal fix.
+
+Fixes: 3431648272d3 ("spapr: Add support for new NMI interface")
+Reviewed-by: Glenn Miles
+Signed-off-by: Nicholas Piggin
+(cherry picked from commit fa416ae6157a933ad3f7106090684759baaaf3c9)
+Signed-off-by: Michael Tokarev
+Signed-off-by: qihao_yewu
+---
+ target/ppc/excp_helper.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/target/ppc/excp_helper.c b/target/ppc/excp_helper.c
+index a42743a3e0..6a822b5952 100644
+--- a/target/ppc/excp_helper.c
++++ b/target/ppc/excp_helper.c
+@@ -2558,10 +2558,16 @@ static void ppc_deliver_interrupt(CPUPPCState *env, int interrupt)
+ }
+ }
+
++/*
++ * system reset is not delivered via normal irq method, so have to set
++ * halted = 0 to resume CPU running if it was halted. Possibly we should
++ * move it over to using PPC_INTERRUPT_RESET rather than async_run_on_cpu.
++ */
+ void ppc_cpu_do_system_reset(CPUState *cs)
+ {
+ PowerPCCPU *cpu = POWERPC_CPU(cs);
+
++ cs->halted = 0;
+ powerpc_excp(cpu, POWERPC_EXCP_RESET);
+ }
+
+@@ -2583,6 +2589,7 @@ void ppc_cpu_do_fwnmi_machine_check(CPUState *cs, target_ulong vector)
+
+ /* Anything for nested required here? MSR[HV] bit?
*/
+
++ cs->halted = 0;
+ powerpc_set_excp_state(cpu, vector, msr);
+ }
+
+--
+2.33.0
+
diff --git a/target-riscv-kvm-Fix-exposure-of-Zkr.patch b/target-riscv-kvm-Fix-exposure-of-Zkr.patch
new file mode 100644
index 0000000000000000000000000000000000000000..af31237dfa34506422a86e1aaffe2015f7889c92
--- /dev/null
+++ b/target-riscv-kvm-Fix-exposure-of-Zkr.patch
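Review bot: The second `cs->halted = 0;` in ppc_cpu_do_fwnmi_machine_check carries no comment, while the identical line in ppc_cpu_do_system_reset is explained by the new block comment; a reader of the machine-check path alone cannot tell why a halted vCPU is being woken there. A one-line comment such as `/* fwnmi is injected directly, not via an irq request: wake a halted vCPU */` would carry the reasoning over. ppc_cpu_do_fwnmi_machine_check starts before the second hunk, so whether anything earlier in it depends on halted staying set is not visible here.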
@@ -0,0 +1,124 @@
+From 35a53e8e95ccd1d929f9091c08fc9f06f26ab3c1 Mon Sep 17 00:00:00 2001
+From: Andrew Jones
+Date: Thu, 4 Sep 2025 17:18:17 +0800
+Subject: [PATCH] target/riscv/kvm: Fix exposure of Zkr
+
+commit 86997772fa807f3961e5aeed97af7738adec1b43 upstream
+
+The Zkr extension may only be exposed to KVM guests if the VMM
+implements the SEED CSR. Use the same implementation as TCG.
+
+Without this patch, running with a KVM which does not forward the
+SEED CSR access to QEMU will result in an ILL exception being
+injected into the guest (this results in Linux guests crashing on
+boot). And, when running with a KVM which does forward the access,
+QEMU will crash, since QEMU doesn't know what to do with the exit.
+
+Fixes: 3108e2f1c69d ("target/riscv/kvm: update KVM exts to Linux 6.8")
+Signed-off-by: Andrew Jones
+Reviewed-by: Daniel Henrique Barboza
+Cc: qemu-stable
+Message-ID: <20240422134605.534207-2-ajones@ventanamicro.com>
+Signed-off-by: Alistair Francis
+---
+ target/riscv/cpu.h | 3 +++
+ target/riscv/csr.c | 18 ++++++++++++++----
+ target/riscv/kvm/kvm-cpu.c | 25 +++++++++++++++++++++++++
+ 3 files changed, 42 insertions(+), 4 deletions(-)
+
+diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
+index e1c3485216..4b596a6964 100644
+--- a/target/riscv/cpu.h
++++ b/target/riscv/cpu.h
+@@ -793,6 +793,9 @@ void riscv_set_csr_ops(int csrno, riscv_csr_operations *ops);
+
+ void riscv_cpu_register_gdb_regs_for_features(CPUState *cs);
+
++target_ulong riscv_new_csr_seed(target_ulong new_value,
++ target_ulong write_mask);
++
+ uint8_t satp_mode_max_from_map(uint32_t map);
+ const char *satp_mode_str(uint8_t satp_mode, bool is_32_bit);
+
+diff --git a/target/riscv/csr.c b/target/riscv/csr.c
+index 3d9ea0c316..69921e04cf 100644
+--- a/target/riscv/csr.c
++++ b/target/riscv/csr.c
+@@ -4199,10 +4199,8 @@ static RISCVException write_upmbase(CPURISCVState *env, int csrno,
+ #endif
+
+ /* Crypto Extension */
+-static RISCVException rmw_seed(CPURISCVState *env, int
csrno,
+- target_ulong *ret_value,
+- target_ulong new_value,
+- target_ulong write_mask)
++target_ulong riscv_new_csr_seed(target_ulong new_value,
++ target_ulong write_mask)
+ {
+ uint16_t random_v;
+ Error *random_e = NULL;
+@@ -4226,6 +4224,18 @@ static RISCVException rmw_seed(CPURISCVState *env, int csrno,
+ rval = random_v | SEED_OPST_ES16;
+ }
+
++ return rval;
++}
++
++static RISCVException rmw_seed(CPURISCVState *env, int csrno,
++ target_ulong *ret_value,
++ target_ulong new_value,
++ target_ulong write_mask)
++{
++ target_ulong rval;
++
++ rval = riscv_new_csr_seed(new_value, write_mask);
++
+ if (ret_value) {
+ *ret_value = rval;
+ }
+diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c
+index ce26163d03..c38e8077a2 100644
+--- a/target/riscv/kvm/kvm-cpu.c
++++ b/target/riscv/kvm/kvm-cpu.c
+@@ -1260,6 +1260,28 @@ static int kvm_riscv_handle_sbi(CPUState *cs, struct kvm_run *run)
+ return ret;
+ }
+
++static int kvm_riscv_handle_csr(CPUState *cs, struct kvm_run *run)
++{
++ target_ulong csr_num = run->riscv_csr.csr_num;
++ target_ulong new_value = run->riscv_csr.new_value;
++ target_ulong write_mask = run->riscv_csr.write_mask;
++ int ret = 0;
++
++ switch (csr_num) {
++ case CSR_SEED:
++ run->riscv_csr.ret_value = riscv_new_csr_seed(new_value, write_mask);
++ break;
++ default:
++ qemu_log_mask(LOG_UNIMP,
++ "%s: un-handled CSR EXIT for CSR %lx\n",
++ __func__, csr_num);
++ ret = -1;
++ break;
++ }
++
++ return ret;
++}
++
+ int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run)
+ {
+ int ret = 0;
+@@ -1267,6 +1289,9 @@ int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run)
+ case KVM_EXIT_RISCV_SBI:
+ ret = kvm_riscv_handle_sbi(cs, run);
+ break;
++ case KVM_EXIT_RISCV_CSR:
++ ret = kvm_riscv_handle_csr(cs, run);
++ break;
+ default:
+ qemu_log_mask(LOG_UNIMP, "%s: un-handled exit reason %d\n",
+ __func__, run->exit_reason);
+--
+2.33.0
+
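Review bot: The LOG_UNIMP message in kvm_riscv_handle_csr prints `csr_num`, a `target_ulong`, with `%lx`; that only matches where target_ulong is `unsigned long`, and QEMU's `TARGET_FMT_lx` exists for exactly this case: `"%s: un-handled CSR EXIT for CSR " TARGET_FMT_lx "\n"`. On the 64-bit build this file is normally compiled for the mismatch is presumably harmless, but it trips -Wformat wherever target_ulong is 32 bits. Returning -1 for an unrecognised CSR makes kvm_arch_handle_exit fail the exit, which is the conservative choice given that only CSRs the kernel chooses to forward can reach this switch.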
diff --git a/target-riscv-kvm-update-the-KVM-regs-to-Linux-rvck-6.patch b/target-riscv-kvm-update-the-KVM-regs-to-Linux-rvck-6.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fb8aa59245efd82a672a547989ca46387bef9e34
--- /dev/null
+++ b/target-riscv-kvm-update-the-KVM-regs-to-Linux-rvck-6.patch
@@ -0,0 +1,256 @@
+From bab10c628c7df3b79a6225c19cc0e0d1b795e79f Mon Sep 17 00:00:00 2001
+From: yechao-w
+Date: Wed, 3 Sep 2025 14:14:03 +0800
+Subject: [PATCH] target/riscv/kvm: update the KVM regs to Linux rvck-6.6
+
+Few new regs added:
+ziccrse,zicond,zihintntl,zimop,zcmop,zabha,zacas,zawrs,zfa,zfh,zfhmin,
+zbc,zbkb,zbkc,zbkx,zca,zcb,zcd,zcf,zknd,zkne,zknh,zkr,zksed,zksh,zkt,
+ztso,zvbb,zvbc,zvfh,zvfhmin,zvkb,zvkg,zvkned,zvknha,zvknhb,zvksed,zvksh,
+zvkt,smnpm,smstateen,ssnpm,svade,svadu,svvptc
+
+Signed-off-by: yechao-w
+---
+ linux-headers/asm-riscv/kvm.h | 44 ++++++++++++++++++++++++++++++++++
+ target/riscv/cpu.c | 9 +++++++
+ target/riscv/cpu.h | 3 ++-
+ target/riscv/cpu_cfg.h | 12 ++++++++++
+ target/riscv/kvm/kvm-cpu.c | 45 +++++++++++++++++++++++++++++++++++
+ 5 files changed, 112 insertions(+), 1 deletion(-)
+
+diff --git a/linux-headers/asm-riscv/kvm.h b/linux-headers/asm-riscv/kvm.h
+index 60d3b21dea..5655a69769 100644
+--- a/linux-headers/asm-riscv/kvm.h
++++ b/linux-headers/asm-riscv/kvm.h
+@@ -139,6 +139,50 @@ enum KVM_RISCV_ISA_EXT_ID {
+ KVM_RISCV_ISA_EXT_ZIHPM,
+ KVM_RISCV_ISA_EXT_SMSTATEEN,
+ KVM_RISCV_ISA_EXT_ZICOND,
++ KVM_RISCV_ISA_EXT_ZBC,
++ KVM_RISCV_ISA_EXT_ZBKB,
++ KVM_RISCV_ISA_EXT_ZBKC,
++ KVM_RISCV_ISA_EXT_ZBKX,
++ KVM_RISCV_ISA_EXT_ZKND,
++ KVM_RISCV_ISA_EXT_ZKNE,
++ KVM_RISCV_ISA_EXT_ZKNH,
++ KVM_RISCV_ISA_EXT_ZKR,
++ KVM_RISCV_ISA_EXT_ZKSED,
++ KVM_RISCV_ISA_EXT_ZKSH,
++ KVM_RISCV_ISA_EXT_ZKT,
++ KVM_RISCV_ISA_EXT_ZVBB,
++ KVM_RISCV_ISA_EXT_ZVBC,
++ KVM_RISCV_ISA_EXT_ZVKB,
++ KVM_RISCV_ISA_EXT_ZVKG,
++ KVM_RISCV_ISA_EXT_ZVKNED,
++ KVM_RISCV_ISA_EXT_ZVKNHA,
++ KVM_RISCV_ISA_EXT_ZVKNHB,
++ KVM_RISCV_ISA_EXT_ZVKSED,
++ KVM_RISCV_ISA_EXT_ZVKSH,
++ KVM_RISCV_ISA_EXT_ZVKT,
++ KVM_RISCV_ISA_EXT_ZFH,
++ KVM_RISCV_ISA_EXT_ZFHMIN,
++ KVM_RISCV_ISA_EXT_ZIHINTNTL,
++ KVM_RISCV_ISA_EXT_ZVFH,
++ KVM_RISCV_ISA_EXT_ZVFHMIN,
++ KVM_RISCV_ISA_EXT_ZFA,
++ KVM_RISCV_ISA_EXT_ZTSO,
++ KVM_RISCV_ISA_EXT_ZACAS,
++ KVM_RISCV_ISA_EXT_SSCOFPMF,
++ 
KVM_RISCV_ISA_EXT_ZIMOP,
++ KVM_RISCV_ISA_EXT_ZCA,
++ KVM_RISCV_ISA_EXT_ZCB,
++ KVM_RISCV_ISA_EXT_ZCD,
++ KVM_RISCV_ISA_EXT_ZCF,
++ KVM_RISCV_ISA_EXT_ZCMOP,
++ KVM_RISCV_ISA_EXT_ZAWRS,
++ KVM_RISCV_ISA_EXT_SMNPM,
++ KVM_RISCV_ISA_EXT_SSNPM,
++ KVM_RISCV_ISA_EXT_SVADE,
++ KVM_RISCV_ISA_EXT_SVADU,
++ KVM_RISCV_ISA_EXT_SVVPTC,
++ KVM_RISCV_ISA_EXT_ZABHA,
++ KVM_RISCV_ISA_EXT_ZICCRSE,
+ KVM_RISCV_ISA_EXT_MAX,
+ };
+
+diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
+index 77cb59b8a1..7d921d8e9b 100644
+--- a/target/riscv/cpu.c
++++ b/target/riscv/cpu.c
+@@ -79,6 +79,7 @@ const uint32_t misa_bits[] = {RVI, RVE, RVM, RVA, RVF, RVD, RVV,
+ const RISCVIsaExtData isa_edata_arr[] = {
+ ISA_EXT_DATA_ENTRY(zicbom, PRIV_VERSION_1_12_0, ext_zicbom),
+ ISA_EXT_DATA_ENTRY(zicboz, PRIV_VERSION_1_12_0, ext_zicboz),
++ ISA_EXT_DATA_ENTRY(ziccrse, PRIV_VERSION_1_11_0, ext_ziccrse),
+ ISA_EXT_DATA_ENTRY(zicond, PRIV_VERSION_1_12_0, ext_zicond),
+ ISA_EXT_DATA_ENTRY(zicntr, PRIV_VERSION_1_12_0, ext_zicntr),
+ ISA_EXT_DATA_ENTRY(zicsr, PRIV_VERSION_1_10_0, ext_zicsr),
+@@ -86,7 +87,10 @@ const RISCVIsaExtData isa_edata_arr[] = {
+ ISA_EXT_DATA_ENTRY(zihintntl, PRIV_VERSION_1_10_0, ext_zihintntl),
+ ISA_EXT_DATA_ENTRY(zihintpause, PRIV_VERSION_1_10_0, ext_zihintpause),
+ ISA_EXT_DATA_ENTRY(zihpm, PRIV_VERSION_1_12_0, ext_zihpm),
++ ISA_EXT_DATA_ENTRY(zimop, PRIV_VERSION_1_13_0, ext_zimop),
+ ISA_EXT_DATA_ENTRY(zmmul, PRIV_VERSION_1_12_0, ext_zmmul),
++ ISA_EXT_DATA_ENTRY(zabha, PRIV_VERSION_1_13_0, ext_zabha),
++ ISA_EXT_DATA_ENTRY(zacas, PRIV_VERSION_1_12_0, ext_zacas),
+ ISA_EXT_DATA_ENTRY(zawrs, PRIV_VERSION_1_12_0, ext_zawrs),
+ ISA_EXT_DATA_ENTRY(zfa, PRIV_VERSION_1_12_0, ext_zfa),
+ ISA_EXT_DATA_ENTRY(zfbfmin, PRIV_VERSION_1_12_0, ext_zfbfmin),
+@@ -118,6 +122,7 @@ const RISCVIsaExtData isa_edata_arr[] = {
+ ISA_EXT_DATA_ENTRY(zksed, PRIV_VERSION_1_12_0, ext_zksed),
+ ISA_EXT_DATA_ENTRY(zksh, PRIV_VERSION_1_12_0, ext_zksh),
+ ISA_EXT_DATA_ENTRY(zkt, PRIV_VERSION_1_12_0, 
ext_zkt),
++ ISA_EXT_DATA_ENTRY(ztso, PRIV_VERSION_1_12_0, ext_ztso),
+ ISA_EXT_DATA_ENTRY(zvbb, PRIV_VERSION_1_12_0, ext_zvbb),
+ ISA_EXT_DATA_ENTRY(zvbc, PRIV_VERSION_1_12_0, ext_zvbc),
+ ISA_EXT_DATA_ENTRY(zve32f, PRIV_VERSION_1_10_0, ext_zve32f),
+@@ -145,14 +150,18 @@ const RISCVIsaExtData isa_edata_arr[] = {
+ ISA_EXT_DATA_ENTRY(zhinxmin, PRIV_VERSION_1_12_0, ext_zhinxmin),
+ ISA_EXT_DATA_ENTRY(smaia, PRIV_VERSION_1_12_0, ext_smaia),
+ ISA_EXT_DATA_ENTRY(smepmp, PRIV_VERSION_1_12_0, ext_smepmp),
++ ISA_EXT_DATA_ENTRY(smmpm, PRIV_VERSION_1_13_0, ext_smmpm),
++ ISA_EXT_DATA_ENTRY(smnpm, PRIV_VERSION_1_13_0, ext_smnpm),
+ ISA_EXT_DATA_ENTRY(smstateen, PRIV_VERSION_1_12_0, ext_smstateen),
+ ISA_EXT_DATA_ENTRY(ssaia, PRIV_VERSION_1_12_0, ext_ssaia),
+ ISA_EXT_DATA_ENTRY(sscofpmf, PRIV_VERSION_1_12_0, ext_sscofpmf),
+ ISA_EXT_DATA_ENTRY(sstc, PRIV_VERSION_1_12_0, ext_sstc),
++ ISA_EXT_DATA_ENTRY(svade, PRIV_VERSION_1_11_0, ext_svade),
+ ISA_EXT_DATA_ENTRY(svadu, PRIV_VERSION_1_12_0, ext_svadu),
+ ISA_EXT_DATA_ENTRY(svinval, PRIV_VERSION_1_12_0, ext_svinval),
+ ISA_EXT_DATA_ENTRY(svnapot, PRIV_VERSION_1_12_0, ext_svnapot),
+ ISA_EXT_DATA_ENTRY(svpbmt, PRIV_VERSION_1_12_0, ext_svpbmt),
++ ISA_EXT_DATA_ENTRY(svvptc, PRIV_VERSION_1_13_0, ext_svvptc),
+ ISA_EXT_DATA_ENTRY(xtheadba, PRIV_VERSION_1_11_0, ext_xtheadba),
+ ISA_EXT_DATA_ENTRY(xtheadbb, PRIV_VERSION_1_11_0, ext_xtheadbb),
+ ISA_EXT_DATA_ENTRY(xtheadbs, PRIV_VERSION_1_11_0, ext_xtheadbs),
+diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
+index d74b361be6..e1c3485216 100644
+--- a/target/riscv/cpu.h
++++ b/target/riscv/cpu.h
+@@ -81,8 +81,9 @@ enum {
+ PRIV_VERSION_1_10_0 = 0,
+ PRIV_VERSION_1_11_0,
+ PRIV_VERSION_1_12_0,
++ PRIV_VERSION_1_13_0,
+
+- PRIV_VERSION_LATEST = PRIV_VERSION_1_12_0,
++ PRIV_VERSION_LATEST = PRIV_VERSION_1_13_0,
+ };
+
+ #define VEXT_VERSION_1_00_0 0x00010000
+diff --git a/target/riscv/cpu_cfg.h b/target/riscv/cpu_cfg.h
+index f4605fb190..07b7e54877 100644
+--- 
a/target/riscv/cpu_cfg.h
++++ b/target/riscv/cpu_cfg.h
+@@ -70,13 +70,19 @@ struct RISCVCPUConfig {
+ bool ext_zihintntl;
+ bool ext_zihintpause;
+ bool ext_zihpm;
++ bool ext_zimop;
++ bool ext_zcmop;
++ bool ext_ztso;
+ bool ext_smstateen;
+ bool ext_sstc;
+ bool ext_svadu;
+ bool ext_svinval;
+ bool ext_svnapot;
+ bool ext_svpbmt;
++ bool ext_svvptc;
+ bool ext_zdinx;
++ bool ext_zacas;
++ bool ext_zabha;
+ bool ext_zawrs;
+ bool ext_zfa;
+ bool ext_zfbfmin;
+@@ -113,6 +119,9 @@ struct RISCVCPUConfig {
+ bool ext_ssaia;
+ bool ext_sscofpmf;
+ bool ext_smepmp;
++ bool ext_ssnpm;
++ bool ext_smnpm;
++ bool ext_smmpm;
+ bool rvv_ta_all_1s;
+ bool rvv_ma_all_1s;
+
+@@ -120,6 +129,9 @@ struct RISCVCPUConfig {
+ uint64_t marchid;
+ uint64_t mimpid;
+
++ bool ext_svade;
++ bool ext_ziccrse;
++
+ /* Vendor-specific custom extensions */
+ bool ext_xtheadba;
+ bool ext_xtheadbb;
+diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c
+index 9615e68ce4..ce26163d03 100644
+--- a/target/riscv/kvm/kvm-cpu.c
++++ b/target/riscv/kvm/kvm-cpu.c
+@@ -228,19 +228,64 @@ static void kvm_riscv_update_cpu_misa_ext(RISCVCPU *cpu, CPUState *cs)
+ static KVMCPUConfig kvm_multi_ext_cfgs[] = {
+ KVM_EXT_CFG("zicbom", ext_zicbom, KVM_RISCV_ISA_EXT_ZICBOM),
+ KVM_EXT_CFG("zicboz", ext_zicboz, KVM_RISCV_ISA_EXT_ZICBOZ),
++ KVM_EXT_CFG("ziccrse", ext_ziccrse, KVM_RISCV_ISA_EXT_ZICCRSE),
+ KVM_EXT_CFG("zicntr", ext_zicntr, KVM_RISCV_ISA_EXT_ZICNTR),
++ KVM_EXT_CFG("zicond", ext_zicond, KVM_RISCV_ISA_EXT_ZICOND),
+ KVM_EXT_CFG("zicsr", ext_zicsr, KVM_RISCV_ISA_EXT_ZICSR),
+ KVM_EXT_CFG("zifencei", ext_zifencei, KVM_RISCV_ISA_EXT_ZIFENCEI),
++ KVM_EXT_CFG("zihintntl", ext_zihintntl, KVM_RISCV_ISA_EXT_ZIHINTNTL),
+ KVM_EXT_CFG("zihintpause", ext_zihintpause, KVM_RISCV_ISA_EXT_ZIHINTPAUSE),
+ KVM_EXT_CFG("zihpm", ext_zihpm, KVM_RISCV_ISA_EXT_ZIHPM),
++ KVM_EXT_CFG("zimop", ext_zimop, KVM_RISCV_ISA_EXT_ZIMOP),
++ KVM_EXT_CFG("zcmop", ext_zcmop, KVM_RISCV_ISA_EXT_ZCMOP),
++ 
KVM_EXT_CFG("zabha", ext_zabha, KVM_RISCV_ISA_EXT_ZABHA),
++ KVM_EXT_CFG("zacas", ext_zacas, KVM_RISCV_ISA_EXT_ZACAS),
++ KVM_EXT_CFG("zawrs", ext_zawrs, KVM_RISCV_ISA_EXT_ZAWRS),
++ KVM_EXT_CFG("zfa", ext_zfa, KVM_RISCV_ISA_EXT_ZFA),
++ KVM_EXT_CFG("zfh", ext_zfh, KVM_RISCV_ISA_EXT_ZFH),
++ KVM_EXT_CFG("zfhmin", ext_zfhmin, KVM_RISCV_ISA_EXT_ZFHMIN),
+ KVM_EXT_CFG("zba", ext_zba, KVM_RISCV_ISA_EXT_ZBA),
+ KVM_EXT_CFG("zbb", ext_zbb, KVM_RISCV_ISA_EXT_ZBB),
++ KVM_EXT_CFG("zbc", ext_zbc, KVM_RISCV_ISA_EXT_ZBC),
++ KVM_EXT_CFG("zbkb", ext_zbkb, KVM_RISCV_ISA_EXT_ZBKB),
++ KVM_EXT_CFG("zbkc", ext_zbkc, KVM_RISCV_ISA_EXT_ZBKC),
++ KVM_EXT_CFG("zbkx", ext_zbkx, KVM_RISCV_ISA_EXT_ZBKX),
+ KVM_EXT_CFG("zbs", ext_zbs, KVM_RISCV_ISA_EXT_ZBS),
++ KVM_EXT_CFG("zca", ext_zca, KVM_RISCV_ISA_EXT_ZCA),
++ KVM_EXT_CFG("zcb", ext_zcb, KVM_RISCV_ISA_EXT_ZCB),
++ KVM_EXT_CFG("zcd", ext_zcd, KVM_RISCV_ISA_EXT_ZCD),
++ KVM_EXT_CFG("zcf", ext_zcf, KVM_RISCV_ISA_EXT_ZCF),
++ KVM_EXT_CFG("zknd", ext_zknd, KVM_RISCV_ISA_EXT_ZKND),
++ KVM_EXT_CFG("zkne", ext_zkne, KVM_RISCV_ISA_EXT_ZKNE),
++ KVM_EXT_CFG("zknh", ext_zknh, KVM_RISCV_ISA_EXT_ZKNH),
++ KVM_EXT_CFG("zkr", ext_zkr, KVM_RISCV_ISA_EXT_ZKR),
++ KVM_EXT_CFG("zksed", ext_zksed, KVM_RISCV_ISA_EXT_ZKSED),
++ KVM_EXT_CFG("zksh", ext_zksh, KVM_RISCV_ISA_EXT_ZKSH),
++ KVM_EXT_CFG("zkt", ext_zkt, KVM_RISCV_ISA_EXT_ZKT),
++ KVM_EXT_CFG("ztso", ext_ztso, KVM_RISCV_ISA_EXT_ZTSO),
++ KVM_EXT_CFG("zvbb", ext_zvbb, KVM_RISCV_ISA_EXT_ZVBB),
++ KVM_EXT_CFG("zvbc", ext_zvbc, KVM_RISCV_ISA_EXT_ZVBC),
++ KVM_EXT_CFG("zvfh", ext_zvfh, KVM_RISCV_ISA_EXT_ZVFH),
++ KVM_EXT_CFG("zvfhmin", ext_zvfhmin, KVM_RISCV_ISA_EXT_ZVFHMIN),
++ KVM_EXT_CFG("zvkb", ext_zvkb, KVM_RISCV_ISA_EXT_ZVKB),
++ KVM_EXT_CFG("zvkg", ext_zvkg, KVM_RISCV_ISA_EXT_ZVKG),
++ KVM_EXT_CFG("zvkned", ext_zvkned, KVM_RISCV_ISA_EXT_ZVKNED),
++ KVM_EXT_CFG("zvknha", ext_zvknha, KVM_RISCV_ISA_EXT_ZVKNHA),
++ KVM_EXT_CFG("zvknhb", ext_zvknhb, KVM_RISCV_ISA_EXT_ZVKNHB),
++ KVM_EXT_CFG("zvksed", 
ext_zvksed, KVM_RISCV_ISA_EXT_ZVKSED),
++ KVM_EXT_CFG("zvksh", ext_zvksh, KVM_RISCV_ISA_EXT_ZVKSH),
++ KVM_EXT_CFG("zvkt", ext_zvkt, KVM_RISCV_ISA_EXT_ZVKT),
++ KVM_EXT_CFG("smnpm", ext_smnpm, KVM_RISCV_ISA_EXT_SMNPM),
++ KVM_EXT_CFG("smstateen", ext_smstateen, KVM_RISCV_ISA_EXT_SMSTATEEN),
+ KVM_EXT_CFG("ssaia", ext_ssaia, KVM_RISCV_ISA_EXT_SSAIA),
++ KVM_EXT_CFG("ssnpm", ext_ssnpm, KVM_RISCV_ISA_EXT_SSNPM),
+ KVM_EXT_CFG("sstc", ext_sstc, KVM_RISCV_ISA_EXT_SSTC),
++ KVM_EXT_CFG("svade", ext_svade, KVM_RISCV_ISA_EXT_SVADE),
++ KVM_EXT_CFG("svadu", ext_svadu, KVM_RISCV_ISA_EXT_SVADU),
+ KVM_EXT_CFG("svinval", ext_svinval, KVM_RISCV_ISA_EXT_SVINVAL),
+ KVM_EXT_CFG("svnapot", ext_svnapot, KVM_RISCV_ISA_EXT_SVNAPOT),
+ KVM_EXT_CFG("svpbmt", ext_svpbmt, KVM_RISCV_ISA_EXT_SVPBMT),
++ KVM_EXT_CFG("svvptc", ext_svvptc, KVM_RISCV_ISA_EXT_SVVPTC),
+ };
+
+ static void *kvmconfig_get_cfg_addr(RISCVCPU *cpu, KVMCPUConfig *kvmcfg)
+--
+2.33.0
+
diff --git a/target-s390x-Fix-MVC-not-always-invalidating-transla.patch b/target-s390x-Fix-MVC-not-always-invalidating-transla.patch
new file mode 100644
index 0000000000000000000000000000000000000000..64628dc19e57d0916d0b01449fd23e16729b88e7
--- /dev/null
+++ b/target-s390x-Fix-MVC-not-always-invalidating-transla.patch
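Review bot: `zcmop` and `ssnpm` get a RISCVCPUConfig field in cpu_cfg.h and a KVM_EXT_CFG entry in kvm-cpu.c but no ISA_EXT_DATA_ENTRY in cpu.c (the cpu.c hunks add exactly the nine entries the diffstat counts), so if isa_edata_arr is what builds the guest-visible ISA string, as it does upstream, those two extensions can be enabled through KVM yet never appear in the string the guest reads. The kvm.h enum is a kernel ABI: each KVM_EXT_CFG addresses the extension by its enum index, so the numbering added here must match the host kernel's KVM_RISCV_ISA_EXT_ID order exactly or QEMU silently toggles a different extension than the one it names, which is worth stating in the commit message next to the "rvck-6.6" reference. Raising PRIV_VERSION_LATEST to PRIV_VERSION_1_13_0 also changes the default priv spec for every CPU model, not only the KVM host model, so the TCG-side effect deserves a sentence as well.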
@@ -0,0 +1,65 @@
+From f1d3e679818594b4cab0601d426f8d02a6d35bdb Mon Sep 17 00:00:00 2001
+From: qihao_yewu
+Date: Fri, 1 Aug 2025 02:39:09 -0400
+Subject: [PATCH] target/s390x: Fix MVC not always invalidating translation
+ blocks
+
+cheery-pick from cbdb457d7981133e511eafa3296431871d84bea4
+
+Node.js crashes in qemu-system-s390x with random SIGSEGVs / SIGILLs.
+
+The v8 JIT used by Node.js can garbage collect and overwrite unused
+code. Overwriting is performed by WritableJitAllocation::CopyCode(),
+code. Overwriting is performed by WritableJitAllocation::CopyCode(),
+which ultimately calls memcpy(). For certain sizes, memcpy() uses the
+MVC instruction.
+
+QEMU implements MVC and other similar instructions using helpers. While
+TCG store ops invalidate affected translation blocks automatically,
+helpers must do this manually by calling probe_access_flags(). The MVC
+helper does this using the access_prepare() -> access_prepare_nf() ->
+s390_probe_access() -> probe_access_flags() call chain.
+
+At the last step of this chain, the store size is replaced with 0. This
+causes the probe_access_flags() -> notdirty_write() ->
+tb_invalidate_phys_range_fast() chain to miss some translation blocks.
+
+When this happens, QEMU executes a mix of old and new code. This
+quickly leads to either a SIGSEGV or a SIGILL in case the old code
+ends in the middle of a new instruction.
+
+Fix by passing the true size. 
+
+Reported-by: Berthold Gunreben
+Cc: Sarah Kriesch
+Cc: qemu-stable@nongnu.org
+Closes: https://bugzilla.opensuse.org/show_bug.cgi?id=1235709
+Signed-off-by: Ilya Leoshkevich
+Reviewed-by: Richard Henderson
+Reviewed-by: David Hildenbrand
+Fixes: e2faabee78ff ("accel/tcg: Forward probe size on to notdirty_write")
+Message-ID: <20250128001338.11474-1-iii@linux.ibm.com>
+Signed-off-by: Thomas Huth
+(cherry picked from commit e43ced8be18dda77c229ab09f85136a4d600d40d)
+Signed-off-by: Michael Tokarev
+Signed-off-by: qihao_yewu
+---
+ target/s390x/tcg/mem_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/s390x/tcg/mem_helper.c b/target/s390x/tcg/mem_helper.c
+index 84103251b9..1da47c78e8 100644
+--- a/target/s390x/tcg/mem_helper.c
++++ b/target/s390x/tcg/mem_helper.c
+@@ -146,7 +146,7 @@ static inline int s390_probe_access(CPUArchState *env, target_ulong addr,
+ int mmu_idx, bool nonfault,
+ void **phost, uintptr_t ra)
+ {
+- int flags = probe_access_flags(env, addr, 0, access_type, mmu_idx,
++ int flags = probe_access_flags(env, addr, size, access_type, mmu_idx,
+ nonfault, phost, ra);
+
+ if (unlikely(flags & TLB_INVALID_MASK)) {
+--
+2.33.0
+
diff --git a/target-sparc-Fix-gdbstub-incorrectly-handling-regist.patch b/target-sparc-Fix-gdbstub-incorrectly-handling-regist.patch
new file mode 100644
index 0000000000000000000000000000000000000000..437e2a27809fb7b5b0565230edb8c741b4b04fa8
--- /dev/null
+++ b/target-sparc-Fix-gdbstub-incorrectly-handling-regist.patch
@@ -0,0 +1,69 @@
+From cb97a92ee393673ff2c927740b98db1ed38d0924 Mon Sep 17 00:00:00 2001
+From: qihao_yewu
+Date: Fri, 1 Aug 2025 03:03:33 -0400
+Subject: [PATCH] target/sparc: Fix gdbstub incorrectly handling registers
+ f32-f62
+
+cheery-pick from 5af648acff28171d34a68aec4cf0f52e6401284c
+
+The gdbstub implementation for the Sparc architecture would
+incorrectly calculate the the floating point register offset.
+This resulted in, for example, registers f32 and f34 to point to
+the same value.
+
+The issue was caused by the confusion between even register numbers
+and even register indexes. For example, the register index of f32 is 64
+and f34 is 65.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 30038fd81808 ("target-sparc: Change fpr representation to doubles.")
+Signed-off-by: Mikael Szreder
+Reviewed-by: Richard Henderson
+Signed-off-by: Richard Henderson
+Message-ID: <20250214070343.11501-1-git@miszr.win>
+(cherry picked from commit 7a74e468089a58756b438d31a2a9a97f183780d7)
+Signed-off-by: Michael Tokarev
+Signed-off-by: qihao_yewu
+---
+ target/sparc/gdbstub.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/target/sparc/gdbstub.c b/target/sparc/gdbstub.c
+index a1c8fdc4d5..109b7237e0 100644
+--- a/target/sparc/gdbstub.c
++++ b/target/sparc/gdbstub.c
+@@ -80,8 +80,13 @@ int sparc_cpu_gdb_read_register(CPUState *cs, GByteArray *mem_buf, int n)
+ }
+ }
+ if (n < 80) {
+- /* f32-f62 (double width, even numbers only) */
+- return gdb_get_reg64(mem_buf, env->fpr[(n - 32) / 2].ll);
++ /* f32-f62 (16 double width registers, even register numbers only)
++ * n == 64: f32 : env->fpr[16]
++ * n == 65: f34 : env->fpr[17]
++ * etc... 
++ * n == 79: f62 : env->fpr[31]
++ */
++ return gdb_get_reg64(mem_buf, env->fpr[(n - 64) + 16].ll);
+ }
+ switch (n) {
+ case 80:
+@@ -174,8 +179,13 @@ int sparc_cpu_gdb_write_register(CPUState *cs, uint8_t *mem_buf, int n)
+ }
+ return 4;
+ } else if (n < 80) {
+- /* f32-f62 (double width, even numbers only) */
+- env->fpr[(n - 32) / 2].ll = tmp;
++ /* f32-f62 (16 double width registers, even register numbers only)
++ * n == 64: f32 : env->fpr[16]
++ * n == 65: f34 : env->fpr[17]
++ * etc...
++ * n == 79: f62 : env->fpr[31]
++ */
++ env->fpr[(n - 64) + 16].ll = tmp;
+ } else {
+ switch (n) {
+ case 80:
+--
+2.33.0
+
diff --git a/vdpa-Allow-vDPA-to-work-on-big-endian-machine.patch b/vdpa-Allow-vDPA-to-work-on-big-endian-machine.patch
new file mode 100644
index 0000000000000000000000000000000000000000..495a317061d5c3c6b05f2773555a502aebb80b34
--- /dev/null
+++ b/vdpa-Allow-vDPA-to-work-on-big-endian-machine.patch
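Review bot: The `(n - 64) + 16` mapping and its five-line comment are now duplicated verbatim in sparc_cpu_gdb_read_register and sparc_cpu_gdb_write_register; a small `static inline int fpr_index_for_gdb_reg(int n) { return (n - 64) + 16; }` with the comment in one place would keep the two sites from drifting apart again, which is how the original `(n - 32) / 2` error survived in both. Both branches rely on the earlier `n < 64` case having been taken before `n < 80` is reached, so the index stays within fpr[16..31]; that earlier case is outside both hunks and could not be checked here.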
@@ -0,0 +1,57 @@
+From e9252f173b62ce2dac563249a200c3eabc028710 Mon Sep 17 00:00:00 2001
+From: gubin
+Date: Wed, 3 Sep 2025 17:08:37 +0800
+Subject: [PATCH] vdpa: Allow vDPA to work on big-endian machine
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry-pick from b027f55a994af885a7a498a40373a2dcc2d8b15e
+
+Add .set_vnet_le() function that always returns success, assuming that
+vDPA h/w always implements LE data format. Otherwise, QEMU disables vDPA and
+outputs the message:
+"backend does not support LE vnet headers; falling back on userspace virtio"
+
+Reviewed-by: Michael S. Tsirkin
+Acked-by: Eugenio Pérez
+Signed-off-by: Konstantin Shkolnyy
+Signed-off-by: gubin
+---
+ net/vhost-vdpa.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
+index d0614d7954..68cabe2d40 100644
+--- a/net/vhost-vdpa.c
++++ b/net/vhost-vdpa.c
+@@ -266,6 +266,18 @@ static bool vhost_vdpa_has_ufo(NetClientState *nc)
+
+ }
+
++/*
++ * FIXME: vhost_vdpa doesn't have an API to "set h/w endianness". But it's
++ * reasonable to assume that h/w is LE by default, because LE is what
++ * virtio 1.0 and later ask for. So, this function just says "yes, the h/w is
++ * LE". Otherwise, on a BE machine, higher-level code would mistakely think
++ * the h/w is BE and can't support VDPA for a virtio 1.0 client.
++ */
++static int vhost_vdpa_set_vnet_le(NetClientState *nc, bool enable)
++{
++ return 0;
++}
++
+ static bool vhost_vdpa_check_peer_type(NetClientState *nc, ObjectClass *oc,
+ Error **errp)
+ {
+@@ -429,6 +441,7 @@ static NetClientInfo net_vhost_vdpa_info = {
+ .cleanup = vhost_vdpa_cleanup,
+ .has_vnet_hdr = vhost_vdpa_has_vnet_hdr,
+ .has_ufo = vhost_vdpa_has_ufo,
++ .set_vnet_le = vhost_vdpa_set_vnet_le,
+ .check_peer_type = vhost_vdpa_check_peer_type,
+ .set_steering_ebpf = vhost_vdpa_set_steering_ebpf,
+ };
+--
+2.33.0
+
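Review bot: vhost_vdpa_set_vnet_le never reads `enable`, so a request to switch LE headers off is reported as success just like a request to switch them on; that follows from the FIXME's reasoning, but the comment only argues the enable direction. A line such as `/* 'enable' is deliberately ignored: the backend cannot change endianness, so both directions report success. */` would document the choice, and it would also make clear that leaving .set_vnet_be unset in net_vhost_vdpa_info (this hunk adds only .set_vnet_le) appears to be intentional rather than an omission.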
diff --git a/vdpa-Fix-endian-bugs-in-shadow-virtqueue.patch b/vdpa-Fix-endian-bugs-in-shadow-virtqueue.patch
new file mode 100644
index 0000000000000000000000000000000000000000..72dc0f45f31e862db9ea3d7666c1dd69dd3ca973
--- /dev/null
+++ b/vdpa-Fix-endian-bugs-in-shadow-virtqueue.patch
@@ -0,0 +1,98 @@
+From 99186ad14ebc29c79d17ff0afc46c087a9f44923 Mon Sep 17 00:00:00 2001
+From: qihao_yewu
+Date: Fri, 1 Aug 2025 03:48:19 -0400
+Subject: [PATCH] vdpa: Fix endian bugs in shadow virtqueue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cheery-pick from ca12e95f1329b74c5fdaf0d92f38110129831090
+
+VDPA didn't work on a big-endian machine due to missing/incorrect
+CPU<->LE data format conversions.
+
+Signed-off-by: Konstantin Shkolnyy
+Message-Id: <20250212164923.1971538-1-kshk@linux.ibm.com>
+Fixes: 10857ec0ad ("vhost: Add VhostShadowVirtqueue")
+Acked-by: Eugenio Pérez
+Tested-by: Lei Yang
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Michael S. Tsirkin
+(cherry picked from commit 50e9754149066dc91f58405d3378b589098cb408)
+Signed-off-by: Michael Tokarev
+Signed-off-by: qihao_yewu
+---
+ hw/virtio/vhost-shadow-virtqueue.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/hw/virtio/vhost-shadow-virtqueue.c b/hw/virtio/vhost-shadow-virtqueue.c
+index fc5f408f77..ca60167b08 100644
+--- a/hw/virtio/vhost-shadow-virtqueue.c
++++ b/hw/virtio/vhost-shadow-virtqueue.c
+@@ -165,10 +165,10 @@ static bool vhost_svq_vring_write_descs(VhostShadowVirtqueue *svq, hwaddr *sg,
+ descs[i].len = cpu_to_le32(iovec[n].iov_len);
+
+ last = i;
+- i = cpu_to_le16(svq->desc_next[i]);
++ i = svq->desc_next[i];
+ }
+
+- svq->free_head = le16_to_cpu(svq->desc_next[last]);
++ svq->free_head = svq->desc_next[last];
+ return true;
+ }
+
+@@ -228,10 +228,12 @@ static void vhost_svq_kick(VhostShadowVirtqueue *svq)
+ smp_mb();
+
+ if (virtio_vdev_has_feature(svq->vdev, VIRTIO_RING_F_EVENT_IDX)) {
+- uint16_t avail_event = *(uint16_t *)(&svq->vring.used->ring[svq->vring.num]);
++ uint16_t avail_event = le16_to_cpu(
++ *(uint16_t *)(&svq->vring.used->ring[svq->vring.num]));
+ needs_kick = vring_need_event(avail_event, svq->shadow_avail_idx, svq->shadow_avail_idx - 1);
+ } else {
+- needs_kick = 
!(svq->vring.used->flags & VRING_USED_F_NO_NOTIFY);
++ needs_kick =
++ !(svq->vring.used->flags & cpu_to_le16(VRING_USED_F_NO_NOTIFY));
+ }
+
+ if (!needs_kick) {
+@@ -365,7 +367,7 @@ static bool vhost_svq_more_used(VhostShadowVirtqueue *svq)
+ return true;
+ }
+
+- svq->shadow_used_idx = cpu_to_le16(*(volatile uint16_t *)used_idx);
++ svq->shadow_used_idx = le16_to_cpu(*(volatile uint16_t *)used_idx);
+
+ return svq->last_used_idx != svq->shadow_used_idx;
+ }
+@@ -383,7 +385,7 @@ static bool vhost_svq_enable_notification(VhostShadowVirtqueue *svq)
+ {
+ if (virtio_vdev_has_feature(svq->vdev, VIRTIO_RING_F_EVENT_IDX)) {
+ uint16_t *used_event = (uint16_t *)&svq->vring.avail->ring[svq->vring.num];
+- *used_event = svq->shadow_used_idx;
++ *used_event = cpu_to_le16(svq->shadow_used_idx);
+ } else {
+ svq->vring.avail->flags &= ~cpu_to_le16(VRING_AVAIL_F_NO_INTERRUPT);
+ }
+@@ -408,7 +410,7 @@ static uint16_t vhost_svq_last_desc_of_chain(const VhostShadowVirtqueue *svq,
+ uint16_t num, uint16_t i)
+ {
+ for (uint16_t j = 0; j < (num - 1); ++j) {
+- i = le16_to_cpu(svq->desc_next[i]);
++ i = svq->desc_next[i];
+ }
+
+ return i;
+@@ -681,7 +683,7 @@ void vhost_svq_start(VhostShadowVirtqueue *svq, VirtIODevice *vdev,
+ svq->desc_state = g_new0(SVQDescState, svq->vring.num);
+ svq->desc_next = g_new0(uint16_t, svq->vring.num);
+ for (unsigned i = 0; i < svq->vring.num - 1; i++) {
+- svq->desc_next[i] = cpu_to_le16(i + 1);
++ svq->desc_next[i] = i + 1;
+ }
+ }
+
+--
+2.33.0
+
diff --git a/vfio-container-For-CSV3-VM-only-register-listener-to.patch b/vfio-container-For-CSV3-VM-only-register-listener-to.patch
new file mode 100644
index 0000000000000000000000000000000000000000..67c6960666d1673dc0a68d20eb49c9009cf1d03a
--- /dev/null
+++ b/vfio-container-For-CSV3-VM-only-register-listener-to.patch
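Review bot: The avail_event read in vhost_svq_kick, `le16_to_cpu(*(uint16_t *)(&svq->vring.used->ring[svq->vring.num]))`, is a plain load from memory the device side writes, while the comparable read of the used index in vhost_svq_more_used goes through `*(volatile uint16_t *)`; the mismatch invites the compiler to hoist or merge the non-volatile load across the preceding smp_mb(). Reading it as `le16_to_cpu(*(volatile uint16_t *)&svq->vring.used->ring[svq->vring.num])` would match the other site. Dropping the le16 conversions on desc_next is correct as far as the hunk shows: that array is allocated by QEMU with g_new0 in vhost_svq_start and is not part of the shared ring, so it can stay in host order.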
@@ -0,0 +1,42 @@
+From 17038e49ea5b89bf3088d7e7f7186ca5aba4975f Mon Sep 17 00:00:00 2001
+From: hanliyang
+Date: Thu, 21 Aug 2025 16:35:45 +0800
+Subject: [PATCH] vfio/container: For CSV3 VM, only register listener to
+ shared_memory_listener list in vfio_connect_container()
+
+There is a regression for booting CSV3 VM with passthr devices when
+backporting the commit c7b313d300 ("vfio/container: Move listener to
+base container").
+
+Fix it here.
+
+Signed-off-by: hanliyang
+---
+ hw/vfio/container.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/vfio/container.c b/hw/vfio/container.c
+index 95b8cff33b..56c55d00f1 100644
+--- a/hw/vfio/container.c
++++ b/hw/vfio/container.c
+@@ -736,14 +736,14 @@ static int vfio_connect_container(VFIOGroup *group, AddressSpace *as,
+ group->container = container;
+ QLIST_INSERT_HEAD(&container->group_list, group, container_next);
+
++ bcontainer->listener = vfio_memory_listener;
+ if (kvm_csv3_enabled()) {
+ shared_memory_listener_register(&bcontainer->listener,
+ bcontainer->space->as);
++ } else {
++ memory_listener_register(&bcontainer->listener, bcontainer->space->as);
+ }
+
+- bcontainer->listener = vfio_memory_listener;
+- memory_listener_register(&bcontainer->listener, bcontainer->space->as);
+-
+ if (bcontainer->error) {
+ ret = -1;
+ error_propagate_prepend(errp, bcontainer->error,
+--
+2.33.0
+
diff --git a/vfio-container-Replace-basename-with-g_path_get_base.patch b/vfio-container-Replace-basename-with-g_path_get_base.patch
new file mode 100644
index 0000000000000000000000000000000000000000..905aacb00d3dca20b85ae47916c40ddba502b677
--- /dev/null
+++ b/vfio-container-Replace-basename-with-g_path_get_base.patch
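Review bot: The container's listener is now registered on one of two different lists depending on kvm_csv3_enabled(), but the diffstat shows this hunk is the commit's only change, so the container teardown path (presumably vfio_disconnect_container, not visible here) still unregisters the same way in both cases; if that is memory_listener_unregister() unconditionally, a CSV3 listener would be unlinked from a list it was never on, which corrupts the QLIST/QTAILQ it is actually in. Whatever unregister call the shared-memory listener list provides should be mirrored under the same `if (kvm_csv3_enabled())` split. The new ordering also fixes the real regression: before this change the CSV3 path registered `&bcontainer->listener` before `vfio_memory_listener` had been copied into it, so a comment on the assignment line, `/* must be initialised before either register call below */`, would stop someone reordering it back.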
@@ -0,0 +1,52 @@ +From bdfe852421d4b4e5da3e04931967223726fea9e2 Mon Sep 17 00:00:00 2001 +From: gubin +Date: Wed, 3 Sep 2025 17:15:11 +0800 +Subject: [PATCH] vfio/container: Replace basename with g_path_get_basename +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cherry-pick from 213ae3ffda463c0503e39e0cf827511b5298c314 + +g_path_get_basename() is a portable utility function that has the +advantage of not modifing the string argument. It also fixes a compile +breakage with the Musl C library reported in [1]. + +[1] https://lore.kernel.org/all/20231212010228.2701544-1-raj.khem@gmail.com/ + +Reported-by: Khem Raj +Reviewed-by: Eric Auger +Reviewed-by: Zhao Liu +Reviewed-by: Zhenzhong Duan +Signed-off-by: Cédric Le Goater +Signed-off-by: gubin +--- + hw/vfio/container.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/vfio/container.c b/hw/vfio/container.c +index 539cf34b20..95b8cff33b 100644 +--- a/hw/vfio/container.c ++++ b/hw/vfio/container.c +@@ -987,7 +987,8 @@ static void vfio_put_base_device(VFIODevice *vbasedev) + + static int vfio_device_groupid(VFIODevice *vbasedev, Error **errp) + { +- char *tmp, group_path[PATH_MAX], *group_name; ++ char *tmp, group_path[PATH_MAX]; ++ g_autofree char *group_name = NULL; + int ret, groupid; + ssize_t len; + +@@ -1003,7 +1004,7 @@ static int vfio_device_groupid(VFIODevice *vbasedev, Error **errp) + + group_path[len] = 0; + +- group_name = basename(group_path); ++ group_name = g_path_get_basename(group_path); + if (sscanf(group_name, "%d", &groupid) != 1) { + error_setg_errno(errp, errno, "failed to read %s", group_path); + return -errno; +-- +2.33.0 + diff --git a/vfio-migration-Report-only-stop-copy-size-in-vfio_st.patch b/vfio-migration-Report-only-stop-copy-size-in-vfio_st.patch new file mode 100644 index 0000000000000000000000000000000000000000..9a35846fe587a2f8ca143b991518ff720d322b89 --- /dev/null 
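Review bot: On the `sscanf(group_name, "%d", &groupid) != 1` failure path right after the new g_path_get_basename() call, errno is not set by a scanf match failure, so `error_setg_errno(errp, errno, ...)` reports a stale or zero errno and `return -errno` can return 0 — success — with errp already populated. The conversion should not depend on errno at all, e.g. `if (qemu_strtoi(group_name, NULL, 10, &groupid) < 0) { error_setg(errp, "failed to parse group id from %s", group_path); return -EINVAL; }`, which also rejects trailing garbage that `%d` silently accepts. The g_autofree plus g_path_get_basename() change itself is correct and removes the in-place modification of group_path that basename() may perform. vfio_device_groupid() continues past the end of the hunk.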
+++ b/vfio-migration-Report-only-stop-copy-size-in-vfio_st.patch @@ -0,0 +1,52 @@ +From ccb05dc51a8265b86b76a35cb291ee4990cf5019 Mon Sep 17 00:00:00 2001 +From: gubin +Date: Wed, 3 Sep 2025 17:39:11 +0800 +Subject: [PATCH] vfio/migration: Report only stop-copy size in + vfio_state_pending_exact() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cherry-pick from 3b5948f808e3b99aedfa0aff45cffbe8b7ec07ed + +vfio_state_pending_exact() is used to update migration core how much +device data is left for the device migration. Currently, the sum of +pre-copy and stop-copy sizes of the VFIO device are reported. + +The pre-copy size is obtained via the VFIO_MIG_GET_PRECOPY_INFO ioctl, +which returns the amount of device data available to be transferred +while the device is in the PRE_COPY states. + +The stop-copy size is obtained via the VFIO_DEVICE_FEATURE_MIG_DATA_SIZE +ioctl, which returns the total amount of device data left to be +transferred in order to complete the device migration. + +According to the above, current implementation is wrong -- it reports +extra overlapping data because pre-copy size is already contained in +stop-copy size. Fix it by reporting only stop-copy size. + +Fixes: eda7362af959 ("vfio/migration: Add VFIO migration pre-copy support") +Signed-off-by: Avihai Horon +Reviewed-by: Cédric Le Goater +Signed-off-by: gubin +--- + hw/vfio/migration.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/hw/vfio/migration.c b/hw/vfio/migration.c +index 3924beb289..b81cb7e23b 100644 +--- a/hw/vfio/migration.c ++++ b/hw/vfio/migration.c +@@ -480,9 +480,6 @@ static void vfio_state_pending_exact(void *opaque, uint64_t *must_precopy, + + if (vfio_device_state_is_precopy(vbasedev)) { + vfio_query_precopy_size(migration); +- +- *must_precopy += +- migration->precopy_init_size + migration->precopy_dirty_size; + } + + trace_vfio_state_pending_exact(vbasedev->name, *must_precopy, *can_postcopy, +-- +2.33.0 + 
diff --git a/vfio-pci-Clear-MSI-X-IRQ-index-always.patch b/vfio-pci-Clear-MSI-X-IRQ-index-always.patch new file mode 100644 index 0000000000000000000000000000000000000000..3b38556eb222be62bbb165b55ffae8b0d81a728c --- /dev/null +++ b/vfio-pci-Clear-MSI-X-IRQ-index-always.patch 
@@ -0,0 +1,55 @@ +From 0e819d1b6e8391922dfa8bd66add74dd8f73f564 Mon Sep 17 00:00:00 2001 +From: gubin +Date: Wed, 3 Sep 2025 17:51:38 +0800 +Subject: [PATCH] vfio/pci: Clear MSI-X IRQ index always +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cherry-pick from d2b668fca5652760b435ce812a743bba03d2f316 + +When doing device assignment of a physical device, MSI-X can be +enabled with no vectors enabled and this sets the IRQ index to +VFIO_PCI_MSIX_IRQ_INDEX. However, when MSI-X is disabled, the IRQ +index is left untouched if no vectors are in use. Then, when INTx +is enabled, the IRQ index value is considered incompatible (set to +MSI-X) and VFIO_DEVICE_SET_IRQS fails. QEMU complains with : + +qemu-system-x86_64: vfio 0000:08:00.0: Failed to set up TRIGGER eventfd signaling for interrupt INTX-0: VFIO_DEVICE_SET_IRQS failure: Invalid argument + +To avoid that, unconditionaly clear the IRQ index when MSI-X is +disabled. + +Buglink: https://issues.redhat.com/browse/RHEL-21293 +Fixes: 5ebffa4e87e7 ("vfio/pci: use an invalid fd to enable MSI-X") +Cc: Jing Liu +Cc: Alex Williamson +Reviewed-by: Alex Williamson +Signed-off-by: Cédric Le Goater +Signed-off-by: gubin +--- + hw/vfio/pci.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c +index ce958848b6..7322c8be63 100644 +--- a/hw/vfio/pci.c ++++ b/hw/vfio/pci.c +@@ -828,9 +828,11 @@ static void vfio_msix_disable(VFIOPCIDevice *vdev) + } + } + +- if (vdev->nr_vectors) { +- vfio_disable_irqindex(&vdev->vbasedev, VFIO_PCI_MSIX_IRQ_INDEX); +- } ++ /* ++ * Always clear MSI-X IRQ index. A PF device could have enabled ++ * MSI-X with no vectors. See vfio_msix_enable(). ++ */ ++ vfio_disable_irqindex(&vdev->vbasedev, VFIO_PCI_MSIX_IRQ_INDEX); + + vfio_msi_disable_common(vdev); + vfio_intx_enable(vdev, &err); +-- +2.33.0 + 
diff --git a/virtio-net-Fix-size-check-in-dhclient-workaround.patch b/virtio-net-Fix-size-check-in-dhclient-workaround.patch new file mode 100644 index 0000000000000000000000000000000000000000..6314115c49e089df9c9a5f90f63acff85df85d97 --- /dev/null +++ b/virtio-net-Fix-size-check-in-dhclient-workaround.patch 
@@ -0,0 +1,43 @@ +From 441df39082f9eba5ab5fa56e33dda522060f87be Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Fri, 1 Aug 2025 03:57:30 -0400 +Subject: [PATCH] virtio-net: Fix size check in dhclient workaround + +cheery-pick from aac6bdec4cb37ac1f0c12d769589ab14c8a5bbad + +work_around_broken_dhclient() accesses IP and UDP headers to detect +relevant packets and to calculate checksums, but it didn't check if +the packet has size sufficient to accommodate them, causing out-of-bound +access hazards. Fix this by correcting the size requirement. + +Fixes: 1d41b0c1ec66 ("Work around dhclient brokenness") +Cc: qemu-stable@nongnu.org +Signed-off-by: Akihiko Odaki +Signed-off-by: Jason Wang +(cherry picked from commit a8575f7fb2f213e6690b23160b04271d47fdfaa8) +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + hw/net/virtio-net.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 7184c9c526..5d58aa8a8c 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -1712,8 +1712,11 @@ static void virtio_net_hdr_swap(VirtIODevice *vdev, struct virtio_net_hdr *hdr) + static void work_around_broken_dhclient(struct virtio_net_hdr *hdr, + uint8_t *buf, size_t size) + { ++ size_t csum_size = ETH_HLEN + sizeof(struct ip_header) + ++ sizeof(struct udp_header); ++ + if ((hdr->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) && /* missing csum */ +- (size > 27 && size < 1500) && /* normal sized MTU */ ++ (size >= csum_size && size < 1500) && /* normal sized MTU */ + (buf[12] == 0x08 && buf[13] == 0x00) && /* ethertype == IPv4 */ + (buf[23] == 17) && /* ip.protocol == UDP */ + (buf[34] == 0 && buf[35] == 67)) { /* udp.srcport == bootps */ +-- +2.33.0 + diff --git a/x86-loader-only-patch-linux-kernels.patch b/x86-loader-only-patch-linux-kernels.patch new file mode 100644 index 0000000000000000000000000000000000000000..23d87d162c873ca4f080583c5265530c6a2b3090 --- /dev/null 
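Review bot: The new `size >= csum_size` bound covers every index touched by the condition (buf[35] lies below ETH_HLEN + 20 + 8 for the usual 20-byte IP and 8-byte UDP header structs), but the match still assumes a 20-byte IPv4 header: buf[23] is ip.protocol and buf[34..35] is udp.srcport only when IHL == 5, so a guest-crafted packet carrying IP options passes the check with buf[34..35] pointing into the options. Adding `((buf[ETH_HLEN] & 0x0f) == 5) && /* no IP options */` to the condition, or at least a comment stating the no-options assumption, keeps the checksum work that follows (outside the hunk) at the offsets it presumably expects. work_around_broken_dhclient() continues past the end of the hunk.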
+++ b/x86-loader-only-patch-linux-kernels.patch @@ -0,0 +1,46 @@ +From 08d849e4c516ab826dfdb71d3e57dddf668b6898 Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Fri, 1 Aug 2025 04:02:45 -0400 +Subject: [PATCH] x86/loader: only patch linux kernels + +cheery-pick from 3f73fe11188307773ab6bce481a977c7a11e367e + +If the binary loaded via -kernel is *not* a linux kernel (in which +case protocol == 0), do not patch the linux kernel header fields. + +It's (a) pointless and (b) might break binaries by random patching +and (c) changes the binary hash which in turn breaks secure boot +verification. + +Background: OVMF happily loads and runs not only linux kernels but +any efi binary via direct kernel boot. + +Note: Breaking the secure boot verification is a problem for linux +kernels too, but fixed that is left for another day ... + +Signed-off-by: Gerd Hoffmann +Message-ID: <20240905141211.1253307-3-kraxel@redhat.com> +(cherry picked from commit 57e2cc9abf5da38f600354fe920ff20e719607b4) +Signed-off-by: Michael Tokarev +(Mjt: it is in hw/i386/x86.c not hw/i386/x86-common.c in 8.2.x) +Signed-off-by: qihao_yewu +--- + hw/i386/x86.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/i386/x86.c b/hw/i386/x86.c +index 2b6291ad8d..672de72762 100644 +--- a/hw/i386/x86.c ++++ b/hw/i386/x86.c +@@ -1105,7 +1105,7 @@ void x86_load_linux(X86MachineState *x86ms, + * kernel on the other side of the fw_cfg interface matches the hash of the + * file the user passed in. + */ +- if (!sev_enabled()) { ++ if (!sev_enabled() && protocol > 0) { + memcpy(setup, header, MIN(sizeof(header), setup_size)); + } + +-- +2.33.0 +
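Review bot: The block comment immediately above `if (!sev_enabled() && protocol > 0)` explains only the SEV half of the condition (the hash of the kernel seen through fw_cfg must match the file the user passed in), so the new `protocol > 0` guard is undocumented at the one place it matters. Appending a line such as ` * Likewise leave a non-Linux image (protocol == 0) untouched: patching its header fields would corrupt it and change the hash that measured or secure boot verifies.` to that comment carries the rationale from the commit message into the code. x86_load_linux() and the assignment of `protocol` lie outside the hunk, so this assumes protocol is 0 exactly when the image is not a Linux kernel, as the commit message states.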