aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2024-04-10hw/audio/virtio-snd: Remove unused assignmentPhilippe Mathieu-Daudé1-2/+6
Coverity reported: >>> CID 1542933: Code maintainability issues (UNUSED_VALUE) >>> CID 1542934: Code maintainability issues (UNUSED_VALUE) >>> Assigning value "NULL" to "stream" here, but that stored value is overwritten before it can be used. Simply remove the unused assignments. Resolves: Coverity CID 1542933 Resolves: Coverity CID 1542934 Fixes: 731655f87f ("virtio-snd: rewrite invalid tx/rx message handling") Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Message-Id: <20240410053712.34747-1-philmd@linaro.org>
2024-04-10hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()Philippe Mathieu-Daudé1-0/+4
If a fragmented packet size is too short, do not try to calculate its checksum. Reproduced using: $ cat << EOF | qemu-system-i386 -display none -nodefaults \ -machine q35,accel=qtest -m 32M \ -device igb,netdev=net0 \ -netdev user,id=net0 \ -qtest stdio outl 0xcf8 0x80000810 outl 0xcfc 0xe0000000 outl 0xcf8 0x80000804 outw 0xcfc 0x06 write 0xe0000403 0x1 0x02 writel 0xe0003808 0xffffffff write 0xe000381a 0x1 0x5b write 0xe000381b 0x1 0x00 EOF Assertion failed: (offset == 0), function iov_from_buf_full, file util/iov.c, line 39. #1 0x5575e81e952a in iov_from_buf_full qemu/util/iov.c:39:5 #2 0x5575e6500768 in net_tx_pkt_update_sctp_checksum qemu/hw/net/net_tx_pkt.c:144:9 #3 0x5575e659f3e1 in igb_setup_tx_offloads qemu/hw/net/igb_core.c:478:11 #4 0x5575e659f3e1 in igb_tx_pkt_send qemu/hw/net/igb_core.c:552:10 #5 0x5575e659f3e1 in igb_process_tx_desc qemu/hw/net/igb_core.c:671:17 #6 0x5575e659f3e1 in igb_start_xmit qemu/hw/net/igb_core.c:903:9 #7 0x5575e659f3e1 in igb_set_tdt qemu/hw/net/igb_core.c:2812:5 #8 0x5575e657d6a4 in igb_core_write qemu/hw/net/igb_core.c:4248:9 Fixes: CVE-2024-3567 Cc: qemu-stable@nongnu.org Reported-by: Zheyu Ma <zheyuma97@gmail.com> Fixes: f199b13bc1 ("igb: Implement Tx SCTP CSO") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2273 Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com> Acked-by: Jason Wang <jasowang@redhat.com> Message-Id: <20240410070459.49112-1-philmd@linaro.org>
2024-04-10hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is setPhilippe Mathieu-Daudé1-0/+8
Per "SD Host Controller Standard Specification Version 3.00": * 2.2.5 Transfer Mode Register (Offset 00Ch) Writes to this register shall be ignored when the Command Inhibit (DAT) in the Present State register is 1. Do not update the TRNMOD register when Command Inhibit (DAT) bit is set to avoid the present-status register going out of sync, leading to malicious guest using DMA mode and overflowing the FIFO buffer: $ cat << EOF | qemu-system-i386 \ -display none -nographic -nodefaults \ -machine accel=qtest -m 512M \ -device sdhci-pci,sd-spec-version=3 \ -device sd-card,drive=mydrive \ -drive if=none,index=0,file=null-co://,format=raw,id=mydrive \ -qtest stdio outl 0xcf8 0x80001013 outl 0xcfc 0x91 outl 0xcf8 0x80001001 outl 0xcfc 0x06000000 write 0x9100002c 0x1 0x05 write 0x91000058 0x1 0x16 write 0x91000005 0x1 0x04 write 0x91000028 0x1 0x08 write 0x16 0x1 0x21 write 0x19 0x1 0x20 write 0x9100000c 0x1 0x01 write 0x9100000e 0x1 0x20 write 0x9100000f 0x1 0x00 write 0x9100000c 0x1 0x00 write 0x91000020 0x1 0x00 EOF Stack trace (part): ================================================================= ==89993==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000029900 at pc 0x55d5f885700d bp 0x7ffc1e1e9470 sp 0x7ffc1e1e9468 WRITE of size 1 at 0x615000029900 thread T0 #0 0x55d5f885700c in sdhci_write_dataport hw/sd/sdhci.c:564:39 #1 0x55d5f8849150 in sdhci_write hw/sd/sdhci.c:1223:13 #2 0x55d5fa01db63 in memory_region_write_accessor system/memory.c:497:5 #3 0x55d5fa01d245 in access_with_adjusted_size system/memory.c:573:18 #4 0x55d5fa01b1a9 in memory_region_dispatch_write system/memory.c:1521:16 #5 0x55d5fa09f5c9 in flatview_write_continue system/physmem.c:2711:23 #6 0x55d5fa08f78b in flatview_write system/physmem.c:2753:12 #7 0x55d5fa08f258 in address_space_write system/physmem.c:2860:18 ... 0x615000029900 is located 0 bytes to the right of 512-byte region [0x615000029700,0x615000029900) allocated by thread T0 here: #0 0x55d5f7237b27 in __interceptor_calloc #1 0x7f9e36dd4c50 in g_malloc0 #2 0x55d5f88672f7 in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5 #3 0x55d5f844b582 in pci_qdev_realize hw/pci/pci.c:2092:9 #4 0x55d5fa2ee74b in device_set_realized hw/core/qdev.c:510:13 #5 0x55d5fa325bfb in property_set_bool qom/object.c:2358:5 #6 0x55d5fa31ea45 in object_property_set qom/object.c:1472:5 #7 0x55d5fa332509 in object_property_set_qobject om/qom-qobject.c:28:10 #8 0x55d5fa31f6ed in object_property_set_bool qom/object.c:1541:15 #9 0x55d5fa2e2948 in qdev_realize hw/core/qdev.c:292:12 #10 0x55d5f8eed3f1 in qdev_device_add_from_qdict system/qdev-monitor.c:719:10 #11 0x55d5f8eef7ff in qdev_device_add system/qdev-monitor.c:738:11 #12 0x55d5f8f211f0 in device_init_func system/vl.c:1200:11 #13 0x55d5fad0877d in qemu_opts_foreach util/qemu-option.c:1135:14 #14 0x55d5f8f0df9c in qemu_create_cli_devices system/vl.c:2638:5 #15 0x55d5f8f0db24 in qmp_x_exit_preconfig system/vl.c:2706:5 #16 0x55d5f8f14dc0 in qemu_init system/vl.c:3737:9 ... SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:564:39 in sdhci_write_dataport Add assertions to ensure the fifo_buffer[] is not overflowed by malicious accesses to the Buffer Data Port register. Fixes: CVE-2024-3447 Cc: qemu-stable@nongnu.org Fixes: d7dfca0807 ("hw/sdhci: introduce standard SD host controller") Buglink: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813 Reported-by: Alexander Bulekov <alxndr@bu.edu> Reported-by: Chuhong Yuan <hslester96@gmail.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <CAFEAcA9iLiv1XGTGKeopgMa8Y9+8kvptvsb8z2OBeuy+5=NUfg@mail.gmail.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20240409145524.27913-1-philmd@linaro.org>
2024-04-10hw/net/lan9118: Fix overflow in MIL TX FIFOPhilippe Mathieu-Daudé1-1/+15
When the MAC Interface Layer (MIL) transmit FIFO is full, truncate the packet, and raise the Transmitter Error (TXE) flag. Broken since model introduction in commit 2a42499017 ("LAN9118 emulation"). When using the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/2267 we get: hw/net/lan9118.c:798:17: runtime error: index 2048 out of bounds for type 'uint8_t[2048]' (aka 'unsigned char[2048]')     #0 0x563ec9a057b1 in tx_fifo_push hw/net/lan9118.c:798:43     #1 0x563ec99fbb28 in lan9118_writel hw/net/lan9118.c:1042:9     #2 0x563ec99f2de2 in lan9118_16bit_mode_write hw/net/lan9118.c:1205:9     #3 0x563ecbf78013 in memory_region_write_accessor system/memory.c:497:5     #4 0x563ecbf776f5 in access_with_adjusted_size system/memory.c:573:18     #5 0x563ecbf75643 in memory_region_dispatch_write system/memory.c:1521:16     #6 0x563ecc01bade in flatview_write_continue_step system/physmem.c:2713:18     #7 0x563ecc01b374 in flatview_write_continue system/physmem.c:2743:19     #8 0x563ecbff1c9b in flatview_write system/physmem.c:2774:12     #9 0x563ecbff1768 in address_space_write system/physmem.c:2894:18 ... [*] LAN9118 DS00002266B.pdf, Table 5.3.3 "INTERRUPT STATUS REGISTER" Cc: qemu-stable@nongnu.org Reported-by: Will Lester Reported-by: Chuhong Yuan <hslester96@gmail.com> Suggested-by: Peter Maydell <peter.maydell@linaro.org> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2267 Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20240409133801.23503-3-philmd@linaro.org>
2024-04-10hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definitionPhilippe Mathieu-Daudé1-3/+9
The magic 2048 is explained in the LAN9211 datasheet (DS00002414A) in chapter 1.4, "10/100 Ethernet MAC": The MAC Interface Layer (MIL), within the MAC, contains a 2K Byte transmit and a 128 Byte receive FIFO which is separate from the TX and RX FIFOs. [...] Note, the use of the constant in lan9118_receive() reveals that our implementation is using the same buffer for both tx and rx. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20240409133801.23503-2-philmd@linaro.org>
2024-04-10backends/cryptodev: Do not abort for invalid session IDPhilippe Mathieu-Daudé1-1/+3
Instead of aborting when a session ID is invalid, return VIRTIO_CRYPTO_INVSESS ("Invalid session id"). Reproduced using: $ cat << EOF | qemu-system-i386 -display none \ -machine q35,accel=qtest -m 512M -nodefaults \ -object cryptodev-backend-builtin,id=cryptodev0 \ -device virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 \ -qtest stdio outl 0xcf8 0x80000804 outw 0xcfc 0x06 outl 0xcf8 0x80000820 outl 0xcfc 0xe0008000 write 0x10800e 0x1 0x01 write 0xe0008016 0x1 0x01 write 0xe0008020 0x4 0x00801000 write 0xe0008028 0x4 0x00c01000 write 0xe000801c 0x1 0x01 write 0x110000 0x1 0x05 write 0x110001 0x1 0x04 write 0x108002 0x1 0x11 write 0x108008 0x1 0x48 write 0x10800c 0x1 0x01 write 0x108018 0x1 0x10 write 0x10801c 0x1 0x02 write 0x10c002 0x1 0x01 write 0xe000b005 0x1 0x00 EOF Assertion failed: (session_id < MAX_NUM_SESSIONS && builtin->sessions[session_id]), function cryptodev_builtin_close_session, file cryptodev-builtin.c, line 430. Cc: qemu-stable@nongnu.org Reported-by: Zheyu Ma <zheyuma97@gmail.com> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2274 Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: zhenwei pi <pizhenwei@bytedance.com> Message-Id: <20240409094757.9127-1-philmd@linaro.org>
2024-04-10hw/misc/applesmc: Fix memory leak in reset() handlerPhilippe Mathieu-Daudé1-0/+1
AppleSMCData is allocated with g_new0() in applesmc_add_key(): release it with g_free(). Leaked since commit 1ddda5cd36 ("AppleSMC device emulation"). Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2272 Reported-by: Zheyu Ma <zheyuma97@gmail.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20240408095217.57239-3-philmd@linaro.org>
2024-04-10hw/misc/applesmc: Do not call DeviceReset from DeviceRealizePhilippe Mathieu-Daudé1-1/+0
QDev core layer always call DeviceReset() after DeviceRealize(), no need to do it manually. Remove the extra call. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20240408095217.57239-2-philmd@linaro.org>
2024-04-10hw/block/nand: Fix out-of-bound access in NAND block bufferPhilippe Mathieu-Daudé1-1/+7
nand_command() and nand_getio() don't check @offset points into the block, nor the available data length (s->iolen) is not negative. In order to fix: - check the offset is in range in nand_blk_load_NAND_PAGE_SIZE(), - do not set @iolen if blk_load() failed. Reproducer: $ cat << EOF | qemu-system-arm -machine tosa \ -monitor none -serial none \ -display none -qtest stdio write 0x10000111 0x1 0xca write 0x10000104 0x1 0x47 write 0x1000ca04 0x1 0xd7 write 0x1000ca01 0x1 0xe0 write 0x1000ca04 0x1 0x71 write 0x1000ca00 0x1 0x50 write 0x1000ca04 0x1 0xd7 read 0x1000ca02 0x1 write 0x1000ca01 0x1 0x10 EOF ================================================================= ==15750==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000000de0 at pc 0x560e61557210 bp 0x7ffcfc4a59f0 sp 0x7ffcfc4a59e8 READ of size 1 at 0x61f000000de0 thread T0 #0 0x560e6155720f in mem_and hw/block/nand.c:101:20 #1 0x560e6155ac9c in nand_blk_write_512 hw/block/nand.c:663:9 #2 0x560e61544200 in nand_command hw/block/nand.c:293:13 #3 0x560e6153cc83 in nand_setio hw/block/nand.c:520:13 #4 0x560e61a0a69e in tc6393xb_nand_writeb hw/display/tc6393xb.c:380:13 #5 0x560e619f9bf7 in tc6393xb_writeb hw/display/tc6393xb.c:524:9 #6 0x560e647c7d03 in memory_region_write_accessor softmmu/memory.c:492:5 #7 0x560e647c7641 in access_with_adjusted_size softmmu/memory.c:554:18 #8 0x560e647c5f66 in memory_region_dispatch_write softmmu/memory.c:1514:16 #9 0x560e6485409e in flatview_write_continue softmmu/physmem.c:2825:23 #10 0x560e648421eb in flatview_write softmmu/physmem.c:2867:12 #11 0x560e64841ca8 in address_space_write softmmu/physmem.c:2963:18 #12 0x560e61170162 in qemu_writeb tests/qtest/videzzo/videzzo_qemu.c:1080:5 #13 0x560e6116eef7 in dispatch_mmio_write tests/qtest/videzzo/videzzo_qemu.c:1227:28 0x61f000000de0 is located 0 bytes to the right of 3424-byte region [0x61f000000080,0x61f000000de0) allocated by thread T0 here: #0 0x560e611276cf in malloc /root/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x7f7959a87e98 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57e98) #2 0x560e64b98871 in object_new qom/object.c:749:12 #3 0x560e64b5d1a1 in qdev_new hw/core/qdev.c:153:19 #4 0x560e61547ea5 in nand_init hw/block/nand.c:639:11 #5 0x560e619f8772 in tc6393xb_init hw/display/tc6393xb.c:558:16 #6 0x560e6390bad2 in tosa_init hw/arm/tosa.c:250:12 SUMMARY: AddressSanitizer: heap-buffer-overflow hw/block/nand.c:101:20 in mem_and ==15750==ABORTING Broken since introduction in commit 3e3d5815cb ("NAND Flash memory emulation and ECC calculation helpers for use by NAND controllers"). Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1445 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1446 Reported-by: Qiang Liu <cyruscyliu@gmail.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20240409135944.24997-4-philmd@linaro.org>
2024-04-10hw/block/nand: Have blk_load() take unsigned offset and return booleanPhilippe Mathieu-Daudé1-4/+10
Negative offset is meaningless, use unsigned type. Return a boolean value indicating success. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20240409135944.24997-3-philmd@linaro.org>
2024-04-10hw/block/nand: Factor nand_load_iolen() method outPhilippe Mathieu-Daudé1-13/+22
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20240409135944.24997-2-philmd@linaro.org>
2024-04-10qemu-options: Fix CXL Fixed Memory Window interleave-granularity typoYuquan Wang1-3/+3
Fix the unit typo of interleave-granularity of CXL Fixed Memory Window in qemu-option.hx. Fixes: 03b39fcf64 ("hw/cxl: Make the CFMW a machine parameter.") Signed-off-by: Yuquan Wang wangyuquan1236@phytium.com.cn Message-ID: <20240407083539.1488172-2-wangyuquan1236@phytium.com.cn> [PMD: Reworded] Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2024-04-10hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugsPhilippe Mathieu-Daudé1-2/+2
Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus and device use the same guard. Otherwise the DMA-reentrancy protection can be bypassed. Fixes: CVE-2024-3446 Cc: qemu-stable@nongnu.org Suggested-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-Id: <20240409105537.18308-5-philmd@linaro.org>
2024-04-10hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugsPhilippe Mathieu-Daudé1-2/+1
Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus and device use the same guard. Otherwise the DMA-reentrancy protection can be bypassed. Fixes: CVE-2024-3446 Cc: qemu-stable@nongnu.org Suggested-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-Id: <20240409105537.18308-4-philmd@linaro.org>
2024-04-10hw/display/virtio-gpu: Protect from DMA re-entrancy bugsPhilippe Mathieu-Daudé1-4/+2
Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus and device use the same guard. Otherwise the DMA-reentrancy protection can be bypassed: $ cat << EOF | qemu-system-i386 -display none -nodefaults \ -machine q35,accel=qtest \ -m 512M \ -device virtio-gpu \ -qtest stdio outl 0xcf8 0x80000820 outl 0xcfc 0xe0004000 outl 0xcf8 0x80000804 outw 0xcfc 0x06 write 0xe0004030 0x4 0x024000e0 write 0xe0004028 0x1 0xff write 0xe0004020 0x4 0x00009300 write 0xe000401c 0x1 0x01 write 0x101 0x1 0x04 write 0x103 0x1 0x1c write 0x9301c8 0x1 0x18 write 0x105 0x1 0x1c write 0x107 0x1 0x1c write 0x109 0x1 0x1c write 0x10b 0x1 0x00 write 0x10d 0x1 0x00 write 0x10f 0x1 0x00 write 0x111 0x1 0x00 write 0x113 0x1 0x00 write 0x115 0x1 0x00 write 0x117 0x1 0x00 write 0x119 0x1 0x00 write 0x11b 0x1 0x00 write 0x11d 0x1 0x00 write 0x11f 0x1 0x00 write 0x121 0x1 0x00 write 0x123 0x1 0x00 write 0x125 0x1 0x00 write 0x127 0x1 0x00 write 0x129 0x1 0x00 write 0x12b 0x1 0x00 write 0x12d 0x1 0x00 write 0x12f 0x1 0x00 write 0x131 0x1 0x00 write 0x133 0x1 0x00 write 0x135 0x1 0x00 write 0x137 0x1 0x00 write 0x139 0x1 0x00 write 0xe0007003 0x1 0x00 EOF ... ================================================================= ==276099==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000011178 at pc 0x562cc3b736c7 bp 0x7ffed49dee60 sp 0x7ffed49dee58 READ of size 8 at 0x60d000011178 thread T0 #0 0x562cc3b736c6 in virtio_gpu_ctrl_response hw/display/virtio-gpu.c:180:42 #1 0x562cc3b7c40b in virtio_gpu_ctrl_response_nodata hw/display/virtio-gpu.c:192:5 #2 0x562cc3b7c40b in virtio_gpu_simple_process_cmd hw/display/virtio-gpu.c:1015:13 #3 0x562cc3b82873 in virtio_gpu_process_cmdq hw/display/virtio-gpu.c:1050:9 #4 0x562cc4a85514 in aio_bh_call util/async.c:169:5 #5 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13 #6 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5 #7 0x562cc4a8a2da in aio_ctx_dispatch util/async.c:358:5 #8 0x7f36840547a8 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x547a8) #9 0x562cc4a8b753 in glib_pollfds_poll util/main-loop.c:290:9 #10 0x562cc4a8b753 in os_host_main_loop_wait util/main-loop.c:313:5 #11 0x562cc4a8b753 in main_loop_wait util/main-loop.c:592:11 #12 0x562cc3938186 in qemu_main_loop system/runstate.c:782:9 #13 0x562cc43b7af5 in qemu_default_main system/main.c:37:14 #14 0x7f3683a6c189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #15 0x7f3683a6c244 in __libc_start_main csu/../csu/libc-start.c:381:3 #16 0x562cc2a58ac0 in _start (qemu-system-i386+0x231bac0) 0x60d000011178 is located 56 bytes inside of 136-byte region [0x60d000011140,0x60d0000111c8) freed by thread T0 here: #0 0x562cc2adb662 in __interceptor_free (qemu-system-i386+0x239e662) #1 0x562cc3b86b21 in virtio_gpu_reset hw/display/virtio-gpu.c:1524:9 #2 0x562cc416e20e in virtio_reset hw/virtio/virtio.c:2145:9 #3 0x562cc37c5644 in virtio_pci_reset hw/virtio/virtio-pci.c:2249:5 #4 0x562cc4233758 in memory_region_write_accessor system/memory.c:497:5 #5 0x562cc4232eea in access_with_adjusted_size system/memory.c:573:18 previously allocated by thread T0 here: #0 0x562cc2adb90e in malloc (qemu-system-i386+0x239e90e) #1 0x7f368405a678 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5a678) #2 0x562cc4163ffc in virtqueue_split_pop hw/virtio/virtio.c:1612:12 #3 0x562cc4163ffc in virtqueue_pop hw/virtio/virtio.c:1783:16 #4 0x562cc3b91a95 in virtio_gpu_handle_ctrl hw/display/virtio-gpu.c:1112:15 #5 0x562cc4a85514 in aio_bh_call util/async.c:169:5 #6 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13 #7 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5 SUMMARY: AddressSanitizer: heap-use-after-free hw/display/virtio-gpu.c:180:42 in virtio_gpu_ctrl_response With this change, the same reproducer triggers: qemu-system-i386: warning: Blocked re-entrant IO on MemoryRegion: virtio-pci-common-virtio-gpu at addr: 0x6 Fixes: CVE-2024-3446 Cc: qemu-stable@nongnu.org Reported-by: Alexander Bulekov <alxndr@bu.edu> Reported-by: Yongkang Jia <kangel@zju.edu.cn> Reported-by: Xiao Lei <nop.leixiao@gmail.com> Reported-by: Yiming Tao <taoym@zju.edu.cn> Buglink: https://bugs.launchpad.net/qemu/+bug/1888606 Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-Id: <20240409105537.18308-3-philmd@linaro.org>
2024-04-10hw/virtio: Introduce virtio_bh_new_guarded() helperPhilippe Mathieu-Daudé2-0/+17
Introduce virtio_bh_new_guarded(), similar to qemu_bh_new_guarded() but using the transport memory guard, instead of the device one (there can only be one virtio device per virtio bus). Inspired-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-Id: <20240409105537.18308-2-philmd@linaro.org>
2024-04-09Merge tag 'edk2-20240409-pull-request' of https://gitlab.com/kraxel/qemu ↵Peter Maydell10-7/+20
into staging edk2: fix version information, rebuild binaries. # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCgAdFiEEoDKM/7k6F6eZAf59TLbY7tPocTgFAmYVbGAACgkQTLbY7tPo # cTiKIw/9G1GGakAfkq48BS7LDvO0u/qzFmt+EKaBtwbFEKEZ+aUp6RgdYENnARxO # qJpffW8nief9VchjRSnJ2Sy9lKR/rfckwc9HgXpXtRVzqyMYJkJmuVMiw3H5INC6 # QR+4IPIS3SckPPvBDMr92L0MQMYDNLnjnBF3KiZ0tNpRf5tstl4KN5QsatKk9gpB # /sspC9DzujE8uuDrcPb9bEAUm/jILvD9CmDN9TWSq9uk6yLw3Rgqh5lvs5zK//HY # cwzpEhn/OjLCfAx2RnXNDqBL2JbGLl65luVvMy+lkrB0PNP4YSREAuLdO4kwZGgx # LWFvMhNvAYuBSEZcoX7vurUzcoMc3G5Awh4ybv1Auwn5iOXKIkES15DxmGJVItXN # K09nFJiTI/Fr/zFHUqKGmM/PYggV5EjsKmTkJtKxn8u7GBTzbZOGQXCHK6pI3VpI # m61L4VOzQxIBlM4e6NLS32TOejXS4MIMlRnFixwQDgWMUzEQ7SogHVFhv3GNaXBs # DM6PRzdWUhpwMkRLzt+kO3hrJC4+SiZ1xMZQDoipIAtF3gKTz6/6vjtRtpMTmq9K # eI6YZXG7LfiHDInKJyQZIF1H+OFMdv+OIDe+tssmyjMRXxzsPIeb3dTnuGRbYiCo # Z/8UDig1EDPdu07Egr4ZM9S1GD0+r2OLFoJTH5G+zPvi+z0OCH8= # =rslQ # -----END PGP SIGNATURE----- # gpg: Signature made Tue 09 Apr 2024 17:27:12 BST # gpg: using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full] # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full] # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full] # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * tag 'edk2-20240409-pull-request' of https://gitlab.com/kraxel/qemu: edk2: rebuild binaries with correct version information edk2/seabios: use common extra version edk2: commit version info edk2: get version + date from git submodule Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-09edk2: rebuild binaries with correct version informationGerd Hoffmann8-0/+0
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2024-04-09edk2/seabios: use common extra versionGerd Hoffmann1-5/+5
Bring a bit more consistency into the naming. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-ID: <20240327102448.61877-4-kraxel@redhat.com>
2024-04-09edk2: commit version infoGerd Hoffmann1-0/+2
Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-ID: <20240327102448.61877-3-kraxel@redhat.com>
2024-04-09edk2: get version + date from git submoduleGerd Hoffmann1-3/+14
Turned out hard-coding version and date in the Makefile wasn't a bright idea. Updating it on edk2 updates is easily forgotten. Fetch the info from git instead. Store in edk2-version, so this can be committed to the repo and is present in tarballs too. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-ID: <20240327102448.61877-2-kraxel@redhat.com>
2024-04-09Merge tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu ↵Peter Maydell14-482/+97
into staging virtio,pc,pci: bugfixes Tiny fixes: important but mostly obvious ones. Revert VDPA network sim for this release as there are questions around it's maintainatiblity. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # -----BEGIN PGP SIGNATURE----- # # iQFDBAABCAAtFiEEXQn9CHHI+FuUyooNKB8NuNKNVGkFAmYU7qcPHG1zdEByZWRo # YXQuY29tAAoJECgfDbjSjVRpn/cIAJBWRN67BS5ysdHjK0Hmw1zumbLpK+85wlAv # dTfmJmUnIV6Ft5yaFFXCpxVH0/lh/vhG2ra5+lu53mX+GMtwjdqk4Sufvo4TukXu # uweHUqlb4pdL37Yf7Q9N6kSX4Ay3ITEC7N18IvlBU8be5gRhidejMWlKq/gW/1rk # +mnWeD5Qxs91Lh2pxShcnsRah0D4UY47dNu3VnglC9wYb4fupukGgj0qOnqYDF2K # tG9Us0grU/qF1FgqWwbrlhOUO1Ntlp4uYn4JNOFhswAFDPm2XXIJRIPUhoYEi9G2 # HhxGSpDjJm8I9BBbllDnQVpIbBFxoG/EiQRT64Nt+rw+Tq01sPA= # =AZIl # -----END PGP SIGNATURE----- # gpg: Signature made Tue 09 Apr 2024 08:30:47 BST # gpg: using RSA key 5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469 # gpg: issuer "mst@redhat.com" # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" [full] # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" [full] # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 # Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469 * tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu: qdev-monitor: fix error message in find_device_state() vhost-user-blk: simplify and fix vhost_user_blk_handle_config_change vdpa-dev: Fix the issue of device status not updating when configuration interruption is triggered hw/virtio: Fix packed virtqueue flush used_idx virtio-snd: rewrite invalid tx/rx message handling virtio-snd: Enhance error handling for invalid transfers Revert "hw/virtio: Add support for VDPA network simulation devices" Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-09Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into stagingPeter Maydell3-103/+108
* fall back to non-ioeventfd notification if KVM routing table is full * support kitware ninja with jobserver support * nanomips: fix warnings with GCC 14 # -----BEGIN PGP SIGNATURE----- # # iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmYURBsUHHBib256aW5p # QHJlZGhhdC5jb20ACgkQv/vSX3jHroNuygf8DzxNFSPCKatkiZ0HSekMUcM6+vCf # fcQx+PEmgnBGTMaeMqUMFGRBPx1FdrvvLpV0oeJ1RvyfyZLCEmRMaO9LnzkqlYgD # jd5R4/mQcbH+qpZyk5x+g10gHLzafXHYf/aBVkzqlO02UyO61lgpoXp/Z1l+jkhB # 1FA8Y3NH5x1gqT37pSCYUIeIAfoY1mndjsPNa/IuDUlMk0jwKz2zEWWYkQF2DvY0 # nfZG2+V7YdOBv+vkZi2gcl82FWAJdsZF+cMBmshvYp+N3/JKezgB588vJ3Yu3UVV # Y3Z/GbbqS+mCFBe2M6TsL7eU18UgU5E8mXB6Lp8fOGTwIG8iM0tcBYBc0g== # =qHqi # -----END PGP SIGNATURE----- # gpg: Signature made Mon 08 Apr 2024 20:23:07 BST # gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83 # gpg: issuer "pbonzini@redhat.com" # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full] # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full] # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * tag 'for-upstream' of https://gitlab.com/bonzini/qemu: kvm: error out of kvm_irqchip_add_msi_route() in case of full route table nanomips: fix warnings with GCC 14 Makefile: preserve --jobserver-auth argument when calling ninja Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-09qdev-monitor: fix error message in find_device_state()Vladimir Sementsov-Ogievskiy1-1/+1
This "hotpluggable" here is misleading. Actually we check is object a device or not. Let's drop the word. Suggested-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Reviewed-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20240329183758.3360733-3-vsementsov@yandex-team.ru> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2024-04-09vhost-user-blk: simplify and fix vhost_user_blk_handle_config_changeVladimir Sementsov-Ogievskiy1-8/+3
Let's not care about what was changed and update the whole config, reasons: 1. config->geometry should be updated together with capacity, so we fix a bug. 2. Vhost-user protocol doesn't say anything about config change limitation. Silent ignore of changes doesn't seem to be correct. 3. vhost-user-vsock reads the whole config 4. on realize we don't do any checks on retrieved config, so no reason to care here Comment "valid for resize only" exists since introduction the whole hw/block/vhost-user-blk.c in commit 00343e4b54ba0685e9ebe928ec5713b0cf7f1d1c "vhost-user-blk: introduce a new vhost-user-blk host device", seems it was just an extra limitation. Also, let's notify guest unconditionally: 1. So does vhost-user-vsock 2. We are going to reuse the functionality in new cases when we do want to notify the guest unconditionally. So, no reason to create extra branches in the logic. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Acked-by: Raphael Norwitz <raphael.norwitz@nutanix.com> Message-Id: <20240329183758.3360733-2-vsementsov@yandex-team.ru> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2024-04-09vdpa-dev: Fix the issue of device status not updating when configuration ↵lyx6344498001-0/+7
interruption is triggered The set_config callback function vhost_vdpa_device_get_config in vdpa-dev does not fetch the current device status from the hardware device, causing the guest os to not receive the latest device status information. The hardware updates the config status of the vdpa device and then notifies the os. The guest os receives an interrupt notification, triggering a get_config access in the kernel, which then enters qemu internally. Ultimately, the vhost_vdpa_device_get_config function of vdpa-dev is called One scenario encountered is when the device needs to bring down the vdpa net device. After modifying the status field of virtio_net_config in the hardware, it sends an interrupt notification. However, the guest os always receives the STATUS field as VIRTIO_NET_S_LINK_UP. Signed-off-by: Yuxue Liu <yuxue.liu@jaguarmicro.com> Acked-by: Jason Wang <jasowang@redhat.com> Message-Id: <20240408020003.1979-1-yuxue.liu@jaguarmicro.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2024-04-09hw/virtio: Fix packed virtqueue flush used_idxWafer1-2/+10
In the event of writing many chains of descriptors, the device must write just the id of the last buffer in the descriptor chain, skip forward the number of descriptors in the chain, and then repeat the operations for the rest of chains. Current QEMU code writes all the buffer ids consecutively, and then skips all the buffers altogether. This is a bug, and can be reproduced with a VirtIONet device with _F_MRG_RXBUB and without _F_INDIRECT_DESC: If a virtio-net device has the VIRTIO_NET_F_MRG_RXBUF feature but not the VIRTIO_RING_F_INDIRECT_DESC feature, 'VirtIONetQueue->rx_vq' will use the merge feature to store data in multiple 'elems'. The 'num_buffers' in the virtio header indicates how many elements are merged. If the value of 'num_buffers' is greater than 1, all the merged elements will be filled into the descriptor ring. The 'idx' of the elements should be the value of 'vq->used_idx' plus 'ndescs'. Fixes: 86044b24e8 ("virtio: basic packed virtqueue support") Acked-by: Eugenio Pérez <eperezma@redhat.com> Signed-off-by: Wafer <wafer@jaguarmicro.com> Message-Id: <20240407015451.5228-2-wafer@jaguarmicro.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2024-04-09virtio-snd: rewrite invalid tx/rx message handlingManos Pitsidianakis2-76/+77
The current handling of invalid virtqueue elements inside the TX/RX virt queue handlers is wrong. They are added in a per-stream invalid queue to be processed after the handler is done examining each message, but the invalid message might not be specifying any stream_id; which means it's invalid to add it to any stream->invalid queue since stream could be NULL at this point. This commit moves the invalid queue to the VirtIOSound struct which guarantees there will always be a valid temporary place to store them inside the tx/rx handlers. The queue will be emptied before the handler returns, so the queue must be empty at any other point of the device's lifetime. Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Message-Id: <virtio-snd-rewrite-invalid-tx-rx-message-handling-v1.manos.pitsidianakis@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2024-04-09virtio-snd: Enhance error handling for invalid transfersZheyu Ma1-4/+4
This patch improves error handling in virtio_snd_handle_tx_xfer() and virtio_snd_handle_rx_xfer() in the VirtIO sound driver. Previously, 'goto' statements were used for error paths, leading to unnecessary processing and potential null pointer dereferences. Now, 'continue' is used to skip the rest of the current loop iteration for errors such as message size discrepancies or null streams, reducing crash risks. ASAN log illustrating the issue addressed: ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000b4 #0 0x57cea39967b8 in qemu_mutex_lock_impl qemu/util/qemu-thread-posix.c:92:5 #1 0x57cea128c462 in qemu_mutex_lock qemu/include/qemu/thread.h:122:5 #2 0x57cea128d72f in qemu_lockable_lock qemu/include/qemu/lockable.h:95:5 #3 0x57cea128c294 in qemu_lockable_auto_lock qemu/include/qemu/lockable.h:105:5 #4 0x57cea1285eb2 in virtio_snd_handle_rx_xfer qemu/hw/audio/virtio-snd.c:1026:9 #5 0x57cea2caebbc in virtio_queue_notify_vq qemu/hw/virtio/virtio.c:2268:9 #6 0x57cea2cae412 in virtio_queue_host_notifier_read qemu/hw/virtio/virtio.c:3671:9 #7 0x57cea39822f1 in aio_dispatch_handler qemu/util/aio-posix.c:372:9 #8 0x57cea3979385 in aio_dispatch_handlers qemu/util/aio-posix.c:414:20 #9 0x57cea3978eb1 in aio_dispatch qemu/util/aio-posix.c:424:5 #10 0x57cea3a1eede in aio_ctx_dispatch qemu/util/async.c:360:5 Signed-off-by: Zheyu Ma <zheyuma97@gmail.com> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Message-Id: <20240322110827.568412-1-zheyuma97@gmail.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2024-04-09Revert "hw/virtio: Add support for VDPA network simulation devices"Michael S. Tsirkin9-399/+3
This reverts commit cd341fd1ffded978b2aa0b5309b00be7c42e347c. The patch adds non-upstream code in include/standard-headers/linux/virtio_pci.h which would make maintainance harder. Revert for now. Suggested-by: Jason Wang <jasowang@redhat.com> Message-Id: <df6b6b465753e754a19459e8cd61416548f89a42.1712569644.git.mst@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2024-04-08kvm: error out of kvm_irqchip_add_msi_route() in case of full route tableIgor Mammedov1-5/+10
subj is calling kvm_add_routing_entry() which simply extends KVMState::irq_routes::entries[] but doesn't check if number of routes goes beyond limit the kernel is willing to accept. Which later leads toi the assert qemu-kvm: ../accel/kvm/kvm-all.c:1833: kvm_irqchip_commit_routes: Assertion `ret == 0' failed typically it happens during guest boot for large enough guest Reproduced with: ./qemu --enable-kvm -m 8G -smp 64 -machine pc \ `for b in {1..2}; do echo -n "-device pci-bridge,id=pci$b,chassis_nr=$b "; for i in {0..31}; do touch /tmp/vblk$b$i; echo -n "-drive file=/tmp/vblk$b$i,if=none,id=drive$b$i,format=raw -device virtio-blk-pci,drive=drive$b$i,bus=pci$b "; done; done` While crash at boot time is bad, the same might happen at hotplug time which is unacceptable. So instead calling kvm_add_routing_entry() unconditionally, check first that number of routes won't exceed KVM_CAP_IRQ_ROUTING. This way virtio device insteads killin qemu, will gracefully fail to initialize device as expected with following warnings on console: virtio-blk failed to set guest notifier (-28), ensure -accel kvm is set. virtio_bus_start_ioeventfd: failed. Fallback to userspace (slower). Signed-off-by: Igor Mammedov <imammedo@redhat.com> Message-ID: <20240408110956.451558-1-imammedo@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-04-08nanomips: fix warnings with GCC 14Paolo Bonzini1-97/+97
GCC 14 shows -Wshadow=local warnings if an enum conflicts with a local variable (including a parameter). To avoid this, move the problematic enum and all of its dependencies after the hundreds of functions that have a parameter named "instruction". Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-04-08Merge tag 'pull-target-arm-20240408' of ↵Peter Maydell1-3/+7
https://git.linaro.org/people/pmaydell/qemu-arm into staging target-arm: * Use correct SecuritySpace for AArch64 AT ops at EL3 * Fix CNTPOFF_EL2 trap to missing EL3 # -----BEGIN PGP SIGNATURE----- # # iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmYUC2EZHHBldGVyLm1h # eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3kyhD/9QQb8qrtd7Lan/ODI1PKuv # gHl1MNCpf1qxfCzl/hL2+Ci2p220AL22EIBUBwzTXoIjidRKoqmUAkKvNk3xANI2 # ZiO1+NZIOqdVLbQGboJDbd4jEDuABPok6fOSyw1WCs9FvGFOWYswx1Eb/T9X31hz # cSxakeW1cIQo0FNtVEGldUdKQLTxAw6pO/fuL/YleXq2Heiw6ktIe48LxQ0ufVLU # 7ebpTWSbVeEqwKb4H1HixZ54a2in4NnsHQkkIxup7mPjH78l78WvQjEn1d4CDqJB # /hzCV/tDrPzUYET7wYN5gHFYuMOOeDDcOn42Lj+qF+dyjMgg64qMMdZ46wxQKSdr # KInSkcnKCsMWNN8fYFDrGcefuXmvFd81l368DczxCHOgTWZdnZj+M3yQQ85a6TER # 5f9mmUOMLtvrogfxrlKJklo9P+FzHFp5luT3d8c8wXY46B5wkpS43tJGjZEyvHps # 1cQnJN+Y3ys6VU7FfLO9Dl/qI4dR0xUhDvjqPEicuu79lTBPgFoQox7xSGVAk90y # QKzz0eXV/ECy1kabMFDrZNINkg07KtNFKLrRgrHCPt4gdTO1Nu9UMWUTVjiNYSh4 # aEMy3xHCIKo315BvUsVVwpQLa98CYfLF/rw3J6ECaPTCYN7uCrlWyDEcDdbFfPXD # xPbXgH7ocQoDn7Tj+KxfhQ== # =WmlH # -----END PGP SIGNATURE----- # gpg: Signature made Mon 08 Apr 2024 16:21:05 BST # gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE # gpg: issuer "peter.maydell@linaro.org" # gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate] # gpg: aka "Peter Maydell <pmaydell@gmail.com>" [ultimate] # gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate] # gpg: aka "Peter Maydell <peter@archaic.org.uk>" [ultimate] # Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE * tag 'pull-target-arm-20240408' of https://git.linaro.org/people/pmaydell/qemu-arm: target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3 target/arm: Fix CNTPOFF_EL2 trap to missing EL3 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-08Merge tag 'migration-20240407-pull-request' of ↵Peter Maydell2-2/+25
https://gitlab.com/peterx/qemu into staging Migration pull for 9.0-rc3 - Wei/Lei's fix on a rare postcopy race that can hang the channel (since 8.0) - Avihai's fix on maintainers file, points to the right doc links # -----BEGIN PGP SIGNATURE----- # # iIgEABYKADAWIQS5GE3CDMRX2s990ak7X8zN86vXBgUCZhLpJBIccGV0ZXJ4QHJl # ZGhhdC5jb20ACgkQO1/MzfOr1wa87AEAhvXqJyLxYYdlQ5fqp4hVV6O/3N1vNHMu # kT3d9tmM0jsBAJ5KxK176iGDp+ej5MEyYSm1gG7ivj3y3v3wlPnSmJMJ # =T1lk # -----END PGP SIGNATURE----- # gpg: Signature made Sun 07 Apr 2024 19:42:44 BST # gpg: using EDDSA key B9184DC20CC457DACF7DD1A93B5FCCCDF3ABD706 # gpg: issuer "peterx@redhat.com" # gpg: Good signature from "Peter Xu <xzpeter@gmail.com>" [marginal] # gpg: aka "Peter Xu <peterx@redhat.com>" [marginal] # gpg: WARNING: This key is not certified with sufficiently trusted signatures! # gpg: It is not certain that the signature belongs to the owner. # Primary key fingerprint: B918 4DC2 0CC4 57DA CF7D D1A9 3B5F CCCD F3AB D706 * tag 'migration-20240407-pull-request' of https://gitlab.com/peterx/qemu: MAINTAINERS: Adjust migration documentation files migration/postcopy: ensure preempt channel is ready before loading states Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-08target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3Peter Maydell1-2/+5
When we do an AT address translation operation, the page table walk is supposed to be performed in the context of the EL we're doing the walk for, so for instance an AT S1E2R walk is done for EL2. In the pseudocode an EL is passed to AArch64.AT(), which calls SecurityStateAtEL() to find the security state that we should be doing the walk with. In ats_write64() we get this wrong, instead using the current security space always. This is fine for AT operations performed from EL1 and EL2, because there the current security state and the security state for the lower EL are the same. But for AT operations performed from EL3, the current security state is always either Secure or Root, whereas we want to use the security state defined by SCR_EL3.{NS,NSE} for the walk. This affects not just guests using FEAT_RME but also ones where EL3 is Secure state and the EL3 code is trying to do an AT for a NonSecure EL2 or EL1. Use arm_security_space_below_el3() to get the SecuritySpace to pass to do_ats_write() for all AT operations except the AT S1E3* operations. Cc: qemu-stable@nongnu.org Fixes: e1ee56ec2383 ("target/arm: Pass security space rather than flag for AT instructions") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2250 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20240405180232.3570066-1-peter.maydell@linaro.org
2024-04-08Makefile: preserve --jobserver-auth argument when calling ninjaMartin Hundebøll1-1/+1
Qemu wraps its call to ninja in a Makefile. Since ninja, as opposed to make, utilizes all CPU cores by default, the qemu Makefile translates the absense of a `-jN` argument into `-j1`. This breaks jobserver functionality, so update the -jN mangling to take the --jobserver-auth argument into considerationa too. Signed-off-by: Martin Hundebøll <martin@geanix.com> Message-Id: <20240402081738.1051560-1-martin@geanix.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-04-07MAINTAINERS: Adjust migration documentation filesAvihai Horon1-2/+4
Commit 8cb2f8b172e7 ("docs/migration: Create migration/ directory") changed migration documentation file structure but forgot to update the entries in the MAINTAINERS file. Commit 4c6f8a79ae53 ("docs/migration: Split 'dirty limit'") extracted dirty limit documentation to a new file without updating dirty limit section in MAINTAINERS file. Fix the above. Fixes: 8cb2f8b172e7 ("docs/migration: Create migration/ directory") Fixes: 4c6f8a79ae53 ("docs/migration: Split 'dirty limit'") Signed-off-by: Avihai Horon <avihaih@nvidia.com> Link: https://lore.kernel.org/r/20240407081125.13951-1-avihaih@nvidia.com Signed-off-by: Peter Xu <peterx@redhat.com>
2024-04-07migration/postcopy: ensure preempt channel is ready before loading statesWei Wang1-0/+21
Before loading the guest states, ensure that the preempt channel has been ready to use, as some of the states (e.g. via virtio_load) might trigger page faults that will be handled through the preempt channel. So yield to the main thread in the case that the channel create event hasn't been dispatched. Cc: qemu-stable <qemu-stable@nongnu.org> Fixes: 9358982744 ("migration: Send requested page directly in rp-return thread") Originally-by: Lei Wang <lei4.wang@intel.com> Link: https://lore.kernel.org/all/9aa5d1be-7801-40dd-83fd-f7e041ced249@intel.com/T/ Signed-off-by: Lei Wang <lei4.wang@intel.com> Signed-off-by: Wei Wang <wei.w.wang@intel.com> Link: https://lore.kernel.org/r/20240405034056.23933-1-wei.w.wang@intel.com [peterx: add a todo section, add Fixes and copy stable for 8.0+] Signed-off-by: Peter Xu <peterx@redhat.com>
2024-04-05target/arm: Fix CNTPOFF_EL2 trap to missing EL3Pierre-Clément Tosi1-1/+2
EL2 accesses to CNTPOFF_EL2 should only ever trap to EL3 if EL3 is present, as described by the reference manual (for MRS): /* ... */ elsif PSTATE.EL == EL2 then if Halted() && HaveEL(EL3) && /*...*/ then UNDEFINED; elsif HaveEL(EL3) && SCR_EL3.ECVEn == '0' then /* ... */ else X[t, 64] = CNTPOFF_EL2; However, the existing implementation of gt_cntpoff_access() always returns CP_ACCESS_TRAP_EL3 for EL2 accesses with SCR_EL3.ECVEn unset. In pseudo-code terminology, this corresponds to assuming that HaveEL(EL3) is always true, which is wrong. As a result, QEMU panics in access_check_cp_reg() when started without EL3 and running EL2 code accessing the register (e.g. any recent KVM booting a guest). Therefore, add the HaveEL(EL3) check to gt_cntpoff_access(). Fixes: 2808d3b38a52 ("target/arm: Implement FEAT_ECV CNTPOFF_EL2 handling") Signed-off-by: Pierre-Clément Tosi <ptosi@google.com> Message-id: m3al6amhdkmsiy2f62w72ufth6dzn45xg5cz6xljceyibphnf4@ezmmpwk4tnhl Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-04Merge tag 'qemu-sparc-20240404' of https://github.com/mcayland/qemu into stagingPeter Maydell1-81/+142
qemu-sparc queue # -----BEGIN PGP SIGNATURE----- # # iQFSBAABCgA8FiEEzGIauY6CIA2RXMnEW8LFb64PMh8FAmYOtvEeHG1hcmsuY2F2 # ZS1heWxhbmRAaWxhbmRlLmNvLnVrAAoJEFvCxW+uDzIf+5oIAJtRPiTP5aUmN4nU # s72NBtgARBJ+5hHl0fqFFlCrG9elO28F1vhT9DwwBOLwihZCnfIXf+SCoE+pvqDw # c+AMN/RnDu+1F4LF93W0ZIr305yGDfVlU+S3vKGtB9G4rcLeBDmNlhui2d0Bqx9R # jwX1y57vcPclObE0KL6AVOfSDPYiVEVQSiTr3j4oW8TqAs2bduEZMRh6esb3XMIA # hmj8mhZAszfh1YvX8ufbxtPQsnNuFMM+Fxgxp0pux8QaI0addDHwVNObRUYlTUZ1 # o4xCw7TRXXotaHde/OqZApFECs+md3R7rC2wj7s3ae0ynohHHDFfaB5t1f4pm+kA # /6UN/Jc= # =XwaI # -----END PGP SIGNATURE----- # gpg: Signature made Thu 04 Apr 2024 15:19:29 BST # gpg: using RSA key CC621AB98E82200D915CC9C45BC2C56FAE0F321F # gpg: issuer "mark.cave-ayland@ilande.co.uk" # gpg: Good signature from "Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>" [full] # Primary key fingerprint: CC62 1AB9 8E82 200D 915C C9C4 5BC2 C56F AE0F 321F * tag 'qemu-sparc-20240404' of https://github.com/mcayland/qemu: esp.c: remove explicit setting of DRQ within ESP state machine esp.c: ensure esp_pdma_write() always calls esp_fifo_push() esp.c: update esp_fifo_{push, pop}() to call esp_update_drq() esp.c: introduce esp_update_drq() and update esp_fifo_{push, pop}_buf() to use it esp.c: move esp_set_phase() and esp_get_phase() towards the beginning of the file esp.c: prevent cmdfifo overflow in esp_cdb_ready() esp.c: rework esp_cdb_length() into esp_cdb_ready() esp.c: don't assert() if FIFO empty when executing non-DMA SELATNS esp.c: introduce esp_fifo_push_buf() function for pushing to the FIFO esp.c: change esp_fifo_pop_buf() to take ESPState esp.c: use esp_fifo_push() instead of fifo8_push() esp.c: change esp_fifo_pop() to take ESPState esp.c: change esp_fifo_push() to take ESPState esp.c: replace cmdfifo use of esp_fifo_pop() in do_message_phase() esp.c: replace esp_fifo_pop_buf() with esp_fifo8_pop_buf() in do_message_phase() esp.c: replace esp_fifo_pop_buf() with esp_fifo8_pop_buf() in do_command_phase() esp.c: move esp_fifo_pop_buf() internals to new esp_fifo8_pop_buf() function Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-04Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into stagingPeter Maydell1-1/+2
Pull request Fix a memory leak in virtio-blk zone report emulation code when the request is invalid. # -----BEGIN PGP SIGNATURE----- # # iQEzBAABCAAdFiEEhpWov9P5fNqsNXdanKSrs4Grc8gFAmYOsfEACgkQnKSrs4Gr # c8iKjAf9FwsKVoMlcTFTbWFDX/JPer3kPYIdpXoKm0KYivwAiGsG++sw2zCAOQdB # F8uCaMi+NDOJ2RA14NSUVKEIEqf7qUL7DjKAqZiQ0H4nsqK3G0bmHI5TknMaKPHm # h7enMy6Ms32z0UE9lATY86GqIJPKK892GtDNPRiSZj9hPYyvaJ8s08f91Qyfl3Qf # sYPpY+2+hQZaXay4DpLhIzXGC3B+AEZNzvVJvuow749jMVGnn7ejH005NWjbdHaG # TwYYMPtY/D1/B+Faf/wA3HyT27zvKi0JWFIpf/hpBX84Ma8dYXdkgv3hUtOQKw9N # zX+38oDL7IUGPvcVBKe3X0LQW1z0+A== # =FGir # -----END PGP SIGNATURE----- # gpg: Signature made Thu 04 Apr 2024 14:58:09 BST # gpg: using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" [full] # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" [full] # Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8 * tag 'block-pull-request' of https://gitlab.com/stefanha/qemu: block/virtio-blk: Fix memory leak from virtio_blk_zone_report Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-04-04esp.c: remove explicit setting of DRQ within ESP state machineMark Cave-Ayland1-9/+0
Now the esp_update_drq() is called for all reads/writes to the FIFO, there is no need to manually raise and lower the DRQ signal. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/611 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1831 Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <20240324191707.623175-18-mark.cave-ayland@ilande.co.uk> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
2024-04-04esp.c: ensure esp_pdma_write() always calls esp_fifo_push()Mark Cave-Ayland1-6/+4
This ensures that esp_update_drq() is called via esp_fifo_push() whenever the host uses PDMA to transfer data to a SCSI device. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <20240324191707.623175-17-mark.cave-ayland@ilande.co.uk> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
2024-04-04esp.c: update esp_fifo_{push, pop}() to call esp_update_drq()Mark Cave-Ayland1-4/+10
This ensures that the DRQ line is always set correctly when reading/writing single bytes to/from the FIFO. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <20240324191707.623175-16-mark.cave-ayland@ilande.co.uk> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
2024-04-04esp.c: introduce esp_update_drq() and update esp_fifo_{push, pop}_buf() to ↵Mark Cave-Ayland1-1/+47
use it This new function sets the DRQ line correctly according to the current transfer mode, direction and FIFO contents. Update esp_fifo_push_buf() and esp_fifo_pop_buf() to use it so that DRQ is always set correctly when reading/writing multiple bytes to/from the FIFO. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <20240324191707.623175-15-mark.cave-ayland@ilande.co.uk> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
2024-04-04esp.c: move esp_set_phase() and esp_get_phase() towards the beginning of the ↵Mark Cave-Ayland1-18/+18
file This allows these functions to be used earlier in the file without needing a separate forward declaration. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <20240324191707.623175-14-mark.cave-ayland@ilande.co.uk> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
2024-04-04esp.c: prevent cmdfifo overflow in esp_cdb_ready()Mark Cave-Ayland1-1/+11
During normal use the cmdfifo will never wrap internally and cmdfifo_cdb_offset will always indicate the start of the SCSI CDB. However it is possible that a malicious guest could issue an invalid ESP command sequence such that cmdfifo wraps internally and cmdfifo_cdb_offset could point beyond the end of the FIFO data buffer. Add an extra check to fifo8_peek_buf() to ensure that if the cmdfifo has wrapped internally then esp_cdb_ready() will exit rather than allow scsi_cdb_length() to access data outside the cmdfifo data buffer. Reported-by: Chuhong Yuan <hslester96@gmail.com> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20240324191707.623175-13-mark.cave-ayland@ilande.co.uk> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
2024-04-04esp.c: rework esp_cdb_length() into esp_cdb_ready()Mark Cave-Ayland1-16/+14
The esp_cdb_length() function is only used as part of a calculation to determine whether the cmdfifo contains an entire SCSI CDB. Rework esp_cdb_length() into a new esp_cdb_ready() function which both enables us to handle the case where scsi_cdb_length() returns -1, plus simplify the logic for its callers. Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20240324191707.623175-12-mark.cave-ayland@ilande.co.uk> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
2024-04-04esp.c: don't assert() if FIFO empty when executing non-DMA SELATNSMark Cave-Ayland1-1/+2
The current logic assumes that at least 1 byte is present in the FIFO when executing a non-DMA SELATNS command, but this may not be the case if the guest executes an invalid ESP command sequence. Reported-by: Chuhong Yuan <hslester96@gmail.com> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20240324191707.623175-11-mark.cave-ayland@ilande.co.uk> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
2024-04-04esp.c: introduce esp_fifo_push_buf() function for pushing to the FIFOMark Cave-Ayland1-3/+8
Instead of pushing data into the FIFO directly with fifo8_push_all(), add a new esp_fifo_push_buf() function and use it accordingly. Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <20240324191707.623175-10-mark.cave-ayland@ilande.co.uk> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>