  2. Jan 27, 2024
      target/arm: Fix A64 scalar SQSHRN and SQRSHRN · ccdb4cc2
      Peter Maydell authored
      In commit 1b7bc9b5 we changed handle_vec_simd_sqshrn() so
      that instead of starting with a 0 value and depositing in each new
      element from the narrowing operation, it instead started with the raw
      result of the narrowing operation of the first element.
      
      This is fine in the vector case, because the deposit operations for
      the second and subsequent elements will always overwrite any higher
      bits that might have been in the first element's result value in
      tcg_rd.  However in the scalar case we only go through this loop
      once.  The effect is that for a signed narrowing operation, if the
      result is negative then we will now return a value where the bits
      above the first element are incorrectly 1 (because the narrowfn
      returns a sign-extended result, not one that is truncated to the
      element size).
      
      Fix this by using an extract operation to get exactly the correct
      bits of the output of the narrowfn for element 1, instead of a
      plain move.
      
      Cc: qemu-stable@nongnu.org
      ...
      target/xtensa: fix OOB TLB entry access · b86fa3a4
      Max Filippov authored
      r[id]tlb[01], [iw][id]tlb opcodes use TLB way index passed in a register
      by the guest. The host uses 3 bits of the index for ITLB indexing and 4
      bits for DTLB, but there's only 7 entries in the ITLB array and 10 in
      the DTLB array, so a malicious guest may trigger out-of-bound access to
      these arrays.
      
      Change split_tlb_entry_spec return type to bool to indicate whether TLB
      way passed to it is valid. Change get_tlb_entry to return NULL in case
      invalid TLB way is requested. Add assertion to xtensa_tlb_get_entry that
      requested TLB way and entry indices are valid. Add checks to the
      [rwi]tlb helpers that requested TLB way is valid and return 0 or do
      nothing when it's not.
      
      Cc: qemu-stable@nongnu.org
      Fixes: b67ea0cd ("target-xtensa: implement memory protection options")
      Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
      Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
      Message-id: 20231215120307.545381-1-jcmvbkbc@gmail.com
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      (cherry picked from commit 604927e3)
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
  3. Jan 26, 2024
      qtest: bump aspeed_smc-test timeout to 6 minutes · d24dd101
      Daniel P. Berrangé authored
      
      
      On a loaded system with --enable-debug, this test can take longer than
      5 minutes. Raising the timeout to 6 minutes gives greater headroom for
      such situations.
      
      Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
      [thuth: Increase the timeout to 6 minutes for very loaded systems]
      Signed-off-by: Thomas Huth <thuth@redhat.com>
      Message-Id: <20231215070357.10888-11-thuth@redhat.com>
      Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
      (cherry picked from commit e8a12fe3)
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
      (Mjt: context fixup in tests/qtest/meson.build)
      monitor: only run coroutine commands in qemu_aio_context · 4b02c718
      Stefan Hajnoczi authored
      monitor_qmp_dispatcher_co() runs in the iohandler AioContext that is not
      polled during nested event loops. The coroutine currently reschedules
      itself in the main loop's qemu_aio_context AioContext, which is polled
      during nested event loops. One known problem is that QMP device-add
      calls drain_call_rcu(), which temporarily drops the BQL, leading to all
      sorts of havoc like other vCPU threads re-entering device emulation code
      while another vCPU thread is waiting in device emulation code with
      aio_poll().
      
      Paolo Bonzini suggested running non-coroutine QMP handlers in the
      iohandler AioContext. This avoids trouble with nested event loops. His
      original idea was to move coroutine rescheduling to
      monitor_qmp_dispatch(), but I resorted to moving it to qmp_dispatch()
      because we don't know if the QMP handler needs to run in coroutine
      context in monitor_qmp_dispatch(). monitor_qmp_dispatch() would have
      been nicer since it's associated with the monitor implementat...
      iotests: port 141 to Python for reliable QMP testing · 2f5e27ee
      Stefan Hajnoczi authored
      
      
      The common.qemu bash functions allow tests to interact with the QMP
      monitor of a QEMU process. I spent two days trying to update 141 when
      the order of the test output changed, but found it would still fail
      occasionally because printf() and QMP events race with synchronous QMP
      communication.
      
      I gave up and ported 141 to the existing Python API for QMP tests. The
      Python API is less affected by the order in which QEMU prints output
      because it does not print all QMP traffic by default.
      
      The next commit changes the order in which QMP messages are received.
      Make 141 reliable first.
      
      Cc: Hanna Czenczek <hreitz@redhat.com>
      Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
      Message-ID: <20240118144823.1497953-3-stefanha@redhat.com>
      Reviewed-by: Kevin Wolf <kwolf@redhat.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
      (cherry picked from commit 9ee2dd4c)
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
      iotests: add filter_qmp_generated_node_ids() · 03bc938f
      Stefan Hajnoczi authored
      
      
      Add a filter function for QMP responses that contain QEMU's
      automatically generated node ids. The ids change between runs and must
      be masked in the reference output.
      
      The next commit will use this new function.
      
      Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
      Message-ID: <20240118144823.1497953-2-stefanha@redhat.com>
      Reviewed-by: Kevin Wolf <kwolf@redhat.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
      (cherry picked from commit da62b507)
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
      block/blklogwrites: Fix a bug when logging "write zeroes" operations. · 23a512f4
      Ari Sundholm authored
      There is a bug in the blklogwrites driver pertaining to logging "write
      zeroes" operations, causing log corruption. This can be easily observed
      by setting detect-zeroes to something other than "off" for the driver.
      
      The issue is caused by a concurrency bug pertaining to the fact that
      "write zeroes" operations have to be logged in two parts: first the log
      entry metadata, then the zeroed-out region. While the log entry
      metadata is being written by bdrv_co_pwritev(), another operation may
      begin in the meanwhile and modify the state of the blklogwrites driver.
      This is as intended by the coroutine-driven I/O model in QEMU, of
      course.
      
      Unfortunately, this specific scenario is mishandled. A short example:
          1. Initially, in the current operation (#1), the current log sector
             number in the driver state is only incremented by the number of sectors
             taken by the log entry metadata, after which the log entry metadata is
             written. The current operati...
      virtio-net: correctly copy vnet header when flushing TX · dd1d3c8c
      Jason Wang authored
      
      
      When HASH_REPORT is negotiated, the guest_hdr_len might be larger than
      the size of the mergeable rx buffer header. Using
      virtio_net_hdr_mrg_rxbuf during the header swap might lead to a stack
      overflow in this case. Fixing this by using virtio_net_hdr_v1_hash
      instead.
      
      Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn>
      Cc: Yuri Benditovich <yuri.benditovich@daynix.com>
      Cc: qemu-stable@nongnu.org
      Cc: Mauro Matteo Cascella <mcascell@redhat.com>
      Fixes: CVE-2023-6693
      Fixes: e22f0603 ("virtio-net: reference implementation of hash report")
      Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      (cherry picked from commit 2220e818)
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
  4. Jan 25, 2024
      tcg/arm: Fix SIGILL in tcg_out_qemu_st_direct · c1736700
      Joseph Burt authored
      When tcg_out_qemu_st_{index,direct} were merged, the direct case for
      MO_64 was omitted, causing qemu_st_i64 to be encoded as 0xffffffff due
      to underflow when adding h.base and h.index.
      
      Fixes: 1df6d611 ("tcg/arm: Introduce HostAddress")
      Signed-off-by: Joseph Burt <caseorum@gmail.com>
      Message-Id: <20240121211439.100829-1-caseorum@gmail.com>
      Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
      Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
      (cherry picked from commit 9f6523e8)
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
      block/io: clear BDRV_BLOCK_RECURSE flag after recursing in bdrv_co_block_status · 76a9da39
      Fiona Ebner authored
      
      
      Using fleecing backup like in [0] on a qcow2 image (with metadata
      preallocation) can lead to the following assertion failure:
      
      > bdrv_co_do_block_status: Assertion `!(ret & BDRV_BLOCK_ZERO)' failed.
      
      In the reproducer [0], it happens because the BDRV_BLOCK_RECURSE flag
      will be set by the qcow2 driver, so the caller will recursively check
      the file child. Then the BDRV_BLOCK_ZERO flag is set too. Later up the call
      chain, in bdrv_co_do_block_status() for the snapshot-access driver,
      the assertion failure will happen, because both flags are set.
      
      To fix it, clear the recurse flag after the recursive check was done.
      
      In detail:
      
      > #0  qcow2_co_block_status
      
      Returns 0x45 = BDRV_BLOCK_RECURSE | BDRV_BLOCK_DATA |
      BDRV_BLOCK_OFFSET_VALID.
      
      > #1  bdrv_co_do_block_status
      
      Because of the data flag, bdrv_co_do_block_status() will now also set
      BDRV_BLOCK_ALLOCATED. Because of the recurse flag,
      bdrv_co_do_block_status() for the bdrv_file child will be called,
      which returns 0x16 = BDRV_BLOCK_ALLOCATED | BDRV_BLOCK_OFFSET_VALID |
      BDRV_BLOCK_ZERO. Now the return value inherits the zero flag.
      
      Returns 0x57 = BDRV_BLOCK_RECURSE | BDRV_BLOCK_DATA |
      BDRV_BLOCK_OFFSET_VALID | BDRV_BLOCK_ALLOCATED | BDRV_BLOCK_ZERO.
      
      > #2  bdrv_co_common_block_status_above
      > #3  bdrv_co_block_status_above
      > #4  bdrv_co_block_status
      > #5  cbw_co_snapshot_block_status
      > #6  bdrv_co_snapshot_block_status
      > #7  snapshot_access_co_block_status
      > #8  bdrv_co_do_block_status
      
      Return value is propagated all the way up to here, where the assertion
      failure happens, because BDRV_BLOCK_RECURSE and BDRV_BLOCK_ZERO are
      both set.
      
      > #9  bdrv_co_common_block_status_above
      > #10 bdrv_co_block_status_above
      > #11 block_copy_block_status
      > #12 block_copy_dirty_clusters
      > #13 block_copy_common
      > #14 block_copy_async_co_entry
      > #15 coroutine_trampoline
      
      [0]:
      
      > #!/bin/bash
      > rm /tmp/disk.qcow2
      > ./qemu-img create /tmp/disk.qcow2 -o preallocation=metadata -f qcow2 1G
      > ./qemu-img create /tmp/fleecing.qcow2 -f qcow2 1G
      > ./qemu-img create /tmp/backup.qcow2 -f qcow2 1G
      > ./qemu-system-x86_64 --qmp stdio \
      > --blockdev qcow2,node-name=node0,file.driver=file,file.filename=/tmp/disk.qcow2 \
      > --blockdev qcow2,node-name=node1,file.driver=file,file.filename=/tmp/fleecing.qcow2 \
      > --blockdev qcow2,node-name=node2,file.driver=file,file.filename=/tmp/backup.qcow2 \
      > <<EOF
      > {"execute": "qmp_capabilities"}
      > {"execute": "blockdev-add", "arguments": { "driver": "copy-before-write", "file": "node0", "target": "node1", "node-name": "node3" } }
      > {"execute": "blockdev-add", "arguments": { "driver": "snapshot-access", "file": "node3", "node-name": "snap0" } }
      > {"execute": "blockdev-backup", "arguments": { "device": "snap0", "target": "node1", "sync": "full", "job-id": "backup0" } }
      > EOF
      
      Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
      Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
      Message-id: 20240116154839.401030-1-f.ebner@proxmox.com
      Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
      (cherry picked from commit 8a9be799)
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
      accel/tcg: Revert mapping of PCREL translation block to multiple virtual addresses · 4b06bb58
      Paolo Bonzini authored
      This is causing regressions that have not been analyzed yet.  Revert the
      change on stable branches.
      
      Cc: qemu-stable@nongnu.org
      Cc: Michael Tokarev <mjt@tls.msk.ru>
      Related: #2092
      
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
  12. Dec 22, 2023
      iotests: Basic tests for internal snapshots · 60472f71
      Kevin Wolf authored
      
      
      We have a few test cases that include tests for corner case aspects of
      internal snapshots, but nothing that tests that they actually function
      as snapshots or that involves deleting a snapshot. Add a test for this
      kind of basic internal snapshot functionality.
      
      The error cases include a regression test for the crash we just fixed
      with snapshot operations on inactive images.
      
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
      Message-ID: <20231201142520.32255-4-kwolf@redhat.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
      (cherry picked from commit bb6e2511)
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
      vl: Improve error message for conflicting -incoming and -loadvm · 4c8315ad
      Kevin Wolf authored
      
      
      Currently, the conflict between -incoming and -loadvm is only detected
      when loading the snapshot fails because the image is still inactive for
      the incoming migration. This results in a suboptimal error message:
      
      $ ./qemu-system-x86_64 -hda /tmp/test.qcow2 -loadvm foo -incoming defer
      qemu-system-x86_64: Device 'ide0-hd0' is writable but does not support snapshots
      
      Catch the situation already in qemu_validate_options() to improve the
      message:
      
      $ ./qemu-system-x86_64 -hda /tmp/test.qcow2 -loadvm foo -incoming defer
      qemu-system-x86_64: 'incoming' and 'loadvm' options are mutually exclusive
      
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
      Message-ID: <20231201142520.32255-3-kwolf@redhat.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
      (cherry picked from commit 5a7f21ef)
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
      block: Fix crash when loading snapshot on inactive node · b769a8e4
      Kevin Wolf authored
      
      
      bdrv_is_read_only() only checks if the node is configured to be
      read-only eventually, but even if it returns false, writing to the node
      may not be permitted at the moment (because it's inactive).
      
      bdrv_is_writable() checks that the node can be written to right now, and
      this is what the snapshot operations really need.
      
      Change bdrv_can_snapshot() to use bdrv_is_writable() to fix crashes like
      the following:
      
      $ ./qemu-system-x86_64 -hda /tmp/test.qcow2 -loadvm foo -incoming defer
      qemu-system-x86_64: ../block/io.c:1990: int bdrv_co_write_req_prepare(BdrvChild *, int64_t, int64_t, BdrvTrackedRequest *, int): Assertion `!(bs->open_flags & BDRV_O_INACTIVE)' failed.
      
      The resulting error message after this patch isn't perfect yet, but at
      least it doesn't crash any more:
      
      $ ./qemu-system-x86_64 -hda /tmp/test.qcow2 -loadvm foo -incoming defer
      qemu-system-x86_64: Device 'ide0-hd0' is writable but does not support snapshots
      
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
      Message-ID: <20231201142520.32255-2-kwolf@redhat.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
      (cherry picked from commit d3007d34)
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
      Update version for 8.1.4 release · c95e38d3
      Michael Tokarev authored
      
      
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
      v8.1.4