| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
It is possible to store a very large value to the decrementer that it
does not raise the decrementer exception so the timer is scheduled, but
the next time value wraps and is treated as in the past.
This can occur if (u64)-1 is stored on a zero-triggered exception, or
(u64)-1 is stored twice on an underflow-triggered exception, for
example.
If such a value is set in DECAR, it gets stored to the decrementer by
the timer function, which then immediately causes another timer, which
hangs QEMU.
Clamp the decrementer to the implemented width, and use that as the
value for the timer calculation, effectively preventing this overflow.
Reported-by: sdicaro@DDCI.com
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20230530131214.373524-1-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
Rework store conditional to avoid a branch in the success case.
Change some of the variable names and layout while here so
gen_conditional_store more closely matches gen_stqcx_.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20230605025445.161932-4-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
larx and stcx. are not defined to order any memory operations.
Remove the barriers.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20230605025445.161932-3-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
Differently-sized larx/stcx. pairs can succeed if the starting address
matches. Add a check to require the size of stcx. exactly match the larx
that established the reservation. Use the term "reserve_length" for this
state, which matches the terminology used in the ISA.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20230605025445.161932-2-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
lqarx does not set cpu_reserve, which causes stqcx. to never succeed.
Cc: qemu-stable@nongnu.org
Fixes: 94bf2658676 ("target/ppc: Use atomic load for LQ and LQARX")
Fixes: 57b38ffd0c6 ("target/ppc: Use tcg_gen_qemu_{ld,st}_i128 for LQARX, LQ, STQ")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230605025445.161932-1-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
Move out checking PID registers into a separate function which makes
mmubooke_check_tlb() simpler and avoids using goto.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <bd84d5f38af0ba2983ccd5c07635db49267c828f.1685448535.git.balaton@eik.bme.hu>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <bacd1bcbe99c07930c29a9815915da9ac75f6920.1685448535.git.balaton@eik.bme.hu>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
No nead to store return value and break from loop when we can return
directly.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <d470118c3adcbd41b1a91779f6bb7cbdb2b0d346.1685448535.git.balaton@eik.bme.hu>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
Make lines shorter and fix indentation in some functions prototypes.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <70952ba2d82141db1cf5cfcf4b227402be575874.1685448535.git.balaton@eik.bme.hu>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
This function is the only reason why ppcemb_tlb_check() is not static
to mmu_common.c but it also better fits in mmu_common.c so move it
there.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <b64fd712a773558dea9b84945c57785546c0ae2e.1685448535.git.balaton@eik.bme.hu>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
This is only used by one caller so simplify function by removing this
parameter and move the operation to the single place where it's used.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <b21f11ae20e8a8c2e8b5d943f2bff12b5356005a.1685448535.git.balaton@eik.bme.hu>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
The get_physical_address() function is a trivial wrapper of
get_physical_address_wtlb() that is only used once. Remove it and call
get_physical_address_wtlb() directly instead.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <302697d63d26caebefaeee1e45352145ebd0318a.1685448535.git.balaton@eik.bme.hu>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
The PMU raises a performance monitor exception (causing an interrupt
when MSR[EE]=1) when MMCR0[PMAO] is set, and lowers it when clear.
Wire this up and implement the interrupt delivery for books. Linux perf
record can now collect PMI-driven samples.
fire_PMC_interrupt is renamed to perfm_alert, which matches a bit closer
to the new terminology used in the ISA and distinguishes the alert
condition (e.g., counter overflow) from the PERFM (or EBB) interrupts.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20230530134313.387252-2-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
BookS msgsndp instruction to self or DPDES register can cause SDOOR
interrupts which crash QEMU with exception not implemented.
Linux does not use msgsndp in SMT1, and KVM only uses DPDES to cause
doorbells when emulating a SMT guest (which is not the default), so
this has gone unnoticed.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20230530130526.372701-1-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
msgclrp matches msgsndp and should clear PPC_INTERRUPT_DOORBELL.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20230530130714.373215-1-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
FCECE does not get cleared according to the ISA v3.1B.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20230530134313.387252-1-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
Some of the PMU hflags bits can go out of synch, for example a store to
MMCR0 with PMCjCE=1 fails to update hflags correctly and results in
hflags mismatch:
qemu: fatal: TCG hflags mismatch (current:0x2408003d rebuilt:0x240a003d)
This can be reproduced by running perf on a recent machine.
Some of the fragility here is the duplication of PMU hflags calculations.
This change consolidates that in a single place to update pmu-related
hflags, to be called after a well defined state changes.
The post-load PMU update is pulled out of the MSR update because it does
not depend on the MSR value.
Fixes: 8b3d1c49a9f0 ("target/ppc: Add new PMC HFLAGS")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20230530130447.372617-1-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
When dumping the END and NVP tables ("info pic" from the HMP) on the
P10 model, we're likely to be flooded with error messages such as:
XIVE[0] - VST: invalid NVPT entry f33800 !?
The error is printed when finding an empty VSD in an indirect
table (thus END and NVP tables with skiboot), which is going to happen
when dumping the xive state. So let's tune down those messages. They
can be re-enabled easily with a macro if needed.
Those errors were already hidden on xive/P9, for the same reason.
Signed-off-by: Frederic Barrat <fbarrat@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20230531150537.369350-1-fbarrat@linux.ibm.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
ppc hypervisors turn HEAI interrupts into program interrupts injected
into the guest that executed the illegal instruction, if the hypervisor
doesn't handle it some other way.
The nested-hv implementation failed to account for this HEAI->program
conversion. The virtual hypervisor wants to see the HEAI when running
a nested guest, so that interrupt type can be returned to its KVM
caller.
Fixes: 7cebc5db2eba6 ("target/ppc: Introduce a vhyp framework for nested HV support")
Cc: balaton@eik.bme.hu
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20230530132127.385001-1-npiggin@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
The Thread Interrupt Management Area (TIMA) can be accessed through 4
ports, targeted by the address. The base address of a TIMA
is using port 0 and the other ports are 0x80 apart. Using one port or
another can be useful to balance the load on the snoop buses. With
skiboot and linux, we currently use port 0, but as it tends to be
busy, another hypervisor is using port 1 for TIMA access.
The port address bits fall in between the special op indication
bits (the 2 MSBs) and the register offset bits (the 6 LSBs). They are
"don't care" for the hardware when processing a TIMA operation. This
patch filters out those port address bits so that a TIMA operation can
be triggered using any port.
It is also true for indirect access (through the IC BAR) and it's
actually nothing new, it was already the case on P9. Which helps here,
as the TIMA handling code is common between P9 (xive) and P10 (xive2).
Signed-off-by: Frederic Barrat <fbarrat@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20230601121331.487207-6-fbarrat@linux.ibm.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
TIMA addresses are somewhat special and are split in several bit
fields with different meanings. This patch describes it and introduce
macros to more easily access the various fields.
Signed-off-by: Frederic Barrat <fbarrat@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20230601121331.487207-5-fbarrat@linux.ibm.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
Fix what was probably a silly mistake and allow to write the Physical
Thread enable registers 0 and 1. Skiboot prefers to use the ENx_SET
variant so it went unnoticed, but there's no reason to discard a write
to the full register, it is Read-Write.
Fixes: da71b7e3ed45 ("ppc/pnv: Add a XIVE2 controller to the POWER10 chip")
Signed-off-by: Frederic Barrat <fbarrat@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20230601121331.487207-4-fbarrat@linux.ibm.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
Add basic read/write support for the ESB cache configuration register
on P10. We don't model the ESB cache in qemu so reading/writing the
register won't do anything, but it avoids logging a guest error when
skiboot configures it:
qemu-system-ppc64 -machine powernv10 ... -d guest_errors
...
XIVE[0] - VC: invalid read @240
XIVE[0] - VC: invalid write @240
Signed-off-by: Frederic Barrat <fbarrat@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20230601121331.487207-3-fbarrat@linux.ibm.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
Add basic read/write support for the TCTXT Config register on P10. qemu
doesn't do anything with it yet, but it avoids logging a guest error
when skiboot configures the fused-core state:
qemu-system-ppc64 -machine powernv10 ... -d guest_errors
...
[ 0.131670000,5] XIVE: [ IC 00 ] Initializing XIVE block ID 0...
XIVE[0] - TCTXT: invalid read @140
XIVE[0] - TCTXT: invalid write @140
Signed-off-by: Frederic Barrat <fbarrat@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-Id: <20230601121331.487207-2-fbarrat@linux.ibm.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
Given several different concepts are suggested for investigation, let's
not confuse e.g. ulimit's -R with what was actually intended.
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
As-is the error message can cause some confusion as the mentioned sysctl
attribute name is wrong:
https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html#mmap-min-addr
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
job may be NULL if queue->exit is true. Check
it before dereference job.
Fixes: f31f9c1080 ("vnc: add magic cookie to VncState")
Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
Coverity doesn't like the way we might end up calling getgroups()
with a NULL grouplist pointer. This is fine for the special case
of gidsetsize == 0, but we will also do it if the guest passes
us a negative gidsetsize. (CID 1512465)
Explicitly fail the negative gidsetsize with EINVAL, as the kernel
does. This means we definitely only call the libc getgroups()
with valid parameters. It also brings the getgroups() code in
to line with the setgroups() code.
Possibly Coverity may still complain about getgroups(0, NULL), but
that would be a false positive.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
There are 2 pairs of identical code (with different types)
for TARGET_NR_setgroups & TARGET_NR_setgroups32, and
for TARGET_NR_getgroups & TARGET_NR_getgroups32. Add
comments stating this fact, so that further modifications
are done in two places.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
Remove unnecessary intermediate variables.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
Use object_dynamic_cast() to determine if 'dev' is a TYPE_VIRTIO_MMIO.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
Use the FloatRelation enum to hold the comparison result (missed
in commit 71bfd65c5f "softfloat: Name compare relation enum").
Inspired-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
They are required only for system emulation (i.e. have_system is true).
Signed-off-by: Carlos Santos <casantos@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
Add the forgotten trailing newline.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
|
The printed offset value is prefixed with 0x, but was actually printed
in decimal. To spare others the confusion, adjust the format specifier
to hexadecimal.
Signed-off-by: Mattias Nissler <mnissler@rivosinc.com>
Reviewed-by: Jagannathan Raman <jag.raman@oracle.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
3 trivial fixes: 2 .json comments which goes to
executables, and 1 .h file comment.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
Fixes: f3034ad71fcd0a6a58bc37830f182b307f089159
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
|
|
Signed-off-by: Milan Zamazal <mzamazal@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
Cut and paste error from the 4-operand memops.
Fixes: ab64da797740 ("tcg/tci: Adjust passing of MemOpIdx")
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20230608162925.677598-1-richard.henderson@linaro.org>
|
|
staging
maintainers: update maintainers list for vfio-user & multi-process QEMU
Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
# -----BEGIN PGP SIGNATURE-----
# Version: GnuPG v2.0.22 (GNU/Linux)
#
# iQIcBAABAgAGBQJkghtXAAoJEI00T2TOPz3HoS8P/3rAXQIT6GO+JcqU/FJEyG6T
# ngP38kHDtRxyAci+GyzkZEVs3NkXDPDSUQ4uqcOH89a0MOSw6jZeQb7hjLWMaJbS
# JvVXO97mY4NUSTYGTO4egyPlxnmXgaUnDjiRZSHMIxdQyOuhsstokNj5I00X2YhI
# gzoT0EEZy/y2jfgY70xZpiZz3P+JDgvbsA9JIyxUhy6+LvFdf8hdGFtezng4yBu5
# KQ1PQ8G2NaFLjI5Z2FYegWjgXyi+8Qj/wBLTmJAYJQDCL2D9WH6ACq69YXrSj0GN
# Dwakb1VCYzwFIle/L8+Gzoalk/6FISHRBErB/M84Wzvo3Q9OyFAOHJeUeIDHFKSk
# cZnJphy4MPSiT2x7KOPeJMX7lQtoLMcg545bRl3UCSl9A2S6+eI02XVpeIWC/GWz
# sOzOPlM81HKWKCnsDp5V5CIF1z/7ACK6tBzQN7jhGEVx1hDdCAG8S4J216FH4sxF
# SCcwBGYbNv5dXNJ8J9699/fvYB6f9+3xLuKCazNEMvEK+Q5vyPTHMPUvepisgMF/
# KEoXAkmH5er5RhtLusPIHDBoWH8xIMxL1401YSFeh6M0x7VV5hOyv1j1o4x3cVIz
# Ev/0tGCpiSy5K6XQLZVHUioyIIJ4UKyQlKVWpBmgftUfA6kc0WRpJe/Gh4FMXNdz
# 91Rmr56MT/GkybQhs59D
# =M2cP
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 08 Jun 2023 11:17:59 AM PDT
# gpg: using RSA key 8D344F64CE3F3DC7
# gpg: Good signature from "Jagannathan Raman <jag.raman@oracle.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B36D 9579 7F7B 3D4F 87A6 D8CF 8D34 4F64 CE3F 3DC7
* tag 'pull-maintainers-20230608' of https://gitlab.com/jraman/qemu:
maintainers: update maintainers list for vfio-user & multi-process QEMU
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
|
|
Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
|
staging
* Fix for CVE-2023-2861.
# -----BEGIN PGP SIGNATURE-----
#
# iQJLBAABCgA1FiEEltjREM96+AhPiFkBNMK1h2Wkc5UFAmSB7yMXHHFlbXVfb3Nz
# QGNydWRlYnl0ZS5jb20ACgkQNMK1h2Wkc5XykxAAzQb+d2clDVyj3Y3UqcB/YS7X
# ijxoZph9ObweyPiP2IThjsAcvNPnVR2Bc8bgEpihRkpEYGNLicw5BSk1SjqOgZvg
# buDRc8bOvOOrKqvYEBXbzaS/OHVIdozn8h+WNjX0jSsdUd4uq9vcwX+uqshkPwl+
# L4Ipx7ChzmHpaEigkVLh1biQEkLPRCTplny5JK/ZzvAmGVaqYb1usbSx//OVu7k+
# gBuBALmvJQst3iz/1e+bmVg+JhyxRqcHfCJuuWxaOLIyiZME3ZhTn7tp+2ilivRj
# n4/AGglTAv+yaVwRi6XEca7GND23HqFs26RPGgZrIhsAkFV03Iz3IT/BJ3Psy3Qv
# 7KYE4FhhReDnNU5JNfCbNxUPWVilwLY83BXVL9I0CADbAHgTqRSnataQ/PY26VQp
# BqKJKmxjAEnmsGVZSgRuCDDOhOBlPUPMRFINCUp2b0qujsUQaV5XHUlQ3qRfjUBc
# JQCy1LrxcSINg7oTRPZczNcrb9iWtaOfD24OGGeW1O6ihCAV0CYaRSmHUhFVPOPR
# uu4LWnbSToNgfNxBXaMk3vHA0SzWxJl7zBi53GVRvn8ciiTkAPVIoZLf0W8jE47X
# 5nkzfTpNdjnQJlaKAfDx+YcAyBUPxiknJjAJmjF/mquAtW8c9XbsCVJpyUgS4Lna
# GNfRoCUHQ6+6ui+/zM0=
# =6Vxp
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 08 Jun 2023 08:09:23 AM PDT
# gpg: using RSA key 96D8D110CF7AF8084F88590134C2B58765A47395
# gpg: issuer "qemu_oss@crudebyte.com"
# gpg: Good signature from "Christian Schoenebeck <qemu_oss@crudebyte.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: ECAB 1A45 4014 1413 BA38 4926 30DB 47C3 A012 D5F4
# Subkey fingerprint: 96D8 D110 CF7A F808 4F88 5901 34C2 B587 65A4 7395
* tag 'pull-9p-20230608' of https://github.com/cschoenebeck/qemu:
9pfs: prevent opening special files (CVE-2023-2861)
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
|
|
The 9p protocol does not specifically define how server shall behave when
client tries to open a special file, however from security POV it does
make sense for 9p server to prohibit opening any special file on host side
in general. A sane Linux 9p client for instance would never attempt to
open a special file on host side, it would always handle those exclusively
on its guest side. A malicious client however could potentially escape
from the exported 9p tree by creating and opening a device file on host
side.
With QEMU this could only be exploited in the following unsafe setups:
- Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
security model.
or
- Using 9p 'proxy' fs driver (which is running its helper daemon as
root).
These setups were already discouraged for safety reasons before,
however for obvious reasons we are now tightening behaviour on this.
Fixes: CVE-2023-2861
Reported-by: Yanwu Shen <ywsPlz@gmail.com>
Reported-by: Jietao Xiao <shawtao1125@gmail.com>
Reported-by: Jinku Li <jkli@xidian.edu.cn>
Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
|
|
into staging
- Refactor PCXI/ICR field handling in newer ISA versions
- Add simple tests written in C
# -----BEGIN PGP SIGNATURE-----
#
# iQJTBAABCgA9FiEEbmNqfoPy3Qz6bm43CtLGOWtpyhQFAmSArqkfHGtiYXN0aWFu
# QG1haWwudW5pLXBhZGVyYm9ybi5kZQAKCRAK0sY5a2nKFKKTD/0dXpexGX7K62d4
# dLZwj9AHOa/9NOD4E6+ub2UYovF7UlydSzy+mgJyxiIUGaPBHYe3dFfktHOppSwn
# OGJp9TTqeutpXYF8/zvDnmf+TDJ71DRQWM40uC0HAUXrjUO43PiK0LMh+fm5D9uG
# vRHSDGBWUNZrNxTZSj8Kx7Sb7PkqeB8qWvpIJh1AVVhIT+dyoAp5V7EkAETpwhtz
# a7qKclQpFNWdaYnthCF5wcmoMawQKMUnO96j0lQWIXfnhDP7XmrWlNM7Ry2cMPEy
# aRxAT3hTOr2dD2Cic8brF/w1NeXJjxWDz65uD7X7Rog54+SD4+SmfZiYwdAs5YMo
# 1XTkbG0qE6HwrtaO+nZDQZFc8tdvLSlDcBd/cjOonwxJyvJVX8qjR2Ufb3PSfTct
# 85R5wRBsEapSbQwicwu71fK0N8ZVkLM3fc4nFEKMxOx8I66eJm3bcTxpT/A8knEw
# OwykEVB3Xiq45JlWOV2BkyZJ1EiHeFQzZfzckW4bYFDdCnuMHlaVG9qpKEAu7mQh
# 4Ug3Y4KhYqZA0UDHG6Ik6Ms64FYU4s+zbFYic/Jhew9NC4MoMXa8oKqXJC5W7RCl
# 1HesyBPu1i/45Xk6/kneJ16YO+i4hcH+Hp/osJrRE6qFHGtbvKJ0EFy1471YHyLf
# HjRQBmsd9XW2TaYBQgST80UvCh9CkQ==
# =5m1P
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 07 Jun 2023 09:22:01 AM PDT
# gpg: using RSA key 6E636A7E83F2DD0CFA6E6E370AD2C6396B69CA14
# gpg: issuer "kbastian@mail.uni-paderborn.de"
# gpg: Good signature from "Bastian Koppelmann <kbastian@mail.uni-paderborn.de>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6E63 6A7E 83F2 DD0C FA6E 6E37 0AD2 C639 6B69 CA14
* tag 'pull-tricore-20230607' of https://github.com/bkoppelmann/qemu:
tests/tcg/tricore: Add recursion test for CSAs
target/tricore: Fix wrong PSW for call insns
target/tricore: Refactor PCXI/ICR register fields
tests/tcg/tricore: Add first C program
tests/tcg/tricore: Uses label for memory addresses
tests/tcg/tricore: Move asm tests into 'asm' directory
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
|
|
Build system snafus.
# -----BEGIN PGP SIGNATURE-----
#
# iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmSAhGYUHHBib256aW5p
# QHJlZGhhdC5jb20ACgkQv/vSX3jHroM8PAf+JQXoIFJJJPQI/jqaxzXrUAbZYBD0
# YQlclLinF0Iabhm0VMR/gYLS1ozvNBzhLvV6nsX7kKegG1Zy3BpCUld+UaJCCmax
# MfnRLdSjHG/QzP3kqJW7XDwVs5MF1n5KqVzowjB6orToaN5qDvPkMNg6YIk/BvuY
# G/w0JxbKj86KASzqcHgCuP+qPTXRrLKN63MB4xos7kVZsCv1BHJls35MJrGbMKSW
# 664Ji2YOtZe5Bf3xQ+20KddU+iPtYyryrhf1SGwXQK3w2UNVze4E0ZAb2F7IET7I
# grYUNtApLVqNDnjSz+WOVI1q2mtoOLc98T4TaKNg/4Qdu/RLXcoa0//hXQ==
# =ansd
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 07 Jun 2023 06:21:42 AM PDT
# gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg: issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [unknown]
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
tests: fp: remove unused submodules
configure: check for $download value properly
meson: fix "static build" entry in summary
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
|
|
https://xenbits.xen.org/git-http/people/aperard/qemu-dm into staging
Xen queue
- fix for xen-block segv
- Resolve TYPE_PIIX3_XEN_DEVICE
- Xen emulation build/Coverity fixes
# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCgAdFiEE+AwAYwjiLP2KkueYDPVXL9f7Va8FAmSAkU0ACgkQDPVXL9f7
# Va/mMQf9Hs8pFGz7qRMc8RbuBvwVNGcdqOKZN+sbBKPb2pp9X8gkP5EV5SMLF/eu
# CjaoZU+SsZcVLZ0HZ/TevAEuMrflZeeRfneJzEcl58cwOxo5l18puRwy9iDxfh6m
# goqGGxQA2OmUa5eVZ7WX2JXo0wG/RQqqc/pChKbPAsTT9/QE23irOQBdUDf7sbGP
# WFI/LoLR0c6NNbQyZNWSP0e/+es8ztq+Is7Bl6d1fdG/6YeXK2yVaro1gyMmxKAm
# EKuvI9qva2ilV5RJEc/gB/x4PuIVCPizkrbB8XClQ81Szo49x55ChPdnpT5i7Sqd
# qjFWO2plgV/gXri1/RTCzyBujeuCOA==
# =E1Qb
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 07 Jun 2023 07:16:45 AM PDT
# gpg: using RSA key F80C006308E22CFD8A92E7980CF5572FD7FB55AF
# gpg: Good signature from "Anthony PERARD <anthony.perard@gmail.com>" [unknown]
# gpg: aka "Anthony PERARD <anthony.perard@citrix.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 5379 2F71 024C 600F 778A 7161 D8D5 7199 DF83 42C8
# Subkey fingerprint: F80C 0063 08E2 2CFD 8A92 E798 0CF5 572F D7FB 55AF
* tag 'pull-xen-20230607' of https://xenbits.xen.org/git-http/people/aperard/qemu-dm:
xen-block: fix segv on unrealize
hw/isa/piix3: Resolve redundant TYPE_PIIX3_XEN_DEVICE
hw/isa/piix3: Resolve redundant k->config_write assignments
hw/isa/piix3: Avoid Xen-specific variant of piix3_write_config()
hw/isa/piix3: Wire up Xen PCI IRQ handling outside of PIIX3
hw/isa/piix3: Reuse piix3_realize() in piix3_xen_realize()
hw/pci/pci.c: Don't leak PCIBus::irq_count[] in pci_bus_irqs()
include/hw/xen/xen: Rename xen_piix3_set_irq() to xen_intx_set_irq()
hw/xen: Fix broken check for invalid state in xs_be_open()
xen: Drop support for Xen versions below 4.7.1
hw/xen: Fix memory leak in libxenstore_open() for Xen
hw/xen: Simplify emulated Xen platform init
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
|
|
staging
vfio-user: Fix the documentation for vfio-user and multi-process QEMU
Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
# -----BEGIN PGP SIGNATURE-----
# Version: GnuPG v2.0.22 (GNU/Linux)
#
# iQIcBAABAgAGBQJkgJP9AAoJEI00T2TOPz3HSoYQAJsyb9ve1MOAaTgL6DzrOe0F
# rS9A/F+isAXNr8XENhBBPeHpmMyZLmw35G+xUuxAerZAIo+kRWrB7ab1F7VrCi16
# sGWNIZ9byjt5dTqQTX63/txmXhKnM5puJxgJ/VlEGyZwGNCLhkS8yTmlKC1n8D92
# KzP1doqvqGV8AdEOudj7sFQsN5e//qrEsXm0vkZrUlr3L44QbJxrU+525r191dpP
# qFC8+lqh6CfnGgZyUSxrnFUUEP7yNGuLsCkeoFVywWQKgR/aA0UtUS8+lQHcloAG
# 4fSDMp6dMXZDWed48ZUpd+DptdiID64WDy+v6knin24awXY91dA7gFwXMvt2+IIl
# LDr99FJ8wdZpEwwXQrUwMis4RE3E3bQw7W11hb2GEPG+K90aRKeljZZQVl3Rhs3e
# cAxY5qwTrxhwpo1erPMfv8PLqSDk5+VWS0r+whEbnpHULOppDL8fgSz77NEt0CU1
# EdMRWBs7cTf2cdGLqKusekPwDMyKgQauvvQfTBBOAvHxM7+NpJPog9APiXx4BBG9
# On+eyV23VHRDdeuXvpLJyL9OswuRc8HmXZVR/Nk0vXWGP0ZCWoTSIeZfJfgKRjdR
# 6au8m/RI88tfJHMTT1Q/MJzdX+FlFRddt3JcPOiX9rMqj9eXKIjQBzpTW6R/hKNi
# SOKYdZF06D1hs/r8De1O
# =nA+U
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 07 Jun 2023 07:28:13 AM PDT
# gpg: using RSA key 8D344F64CE3F3DC7
# gpg: Good signature from "Jagannathan Raman <jag.raman@oracle.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B36D 9579 7F7B 3D4F 87A6 D8CF 8D34 4F64 CE3F 3DC7
* tag 'pull-vfio-user-20230607' of https://gitlab.com/jraman/qemu:
docs: fix multi-process QEMU documentation
vfio-user: update comments
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
|
|
Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Message-Id: <20230526061946.54514-7-kbastian@mail.uni-paderborn.de>
|
