<feed xmlns='http://www.w3.org/2005/Atom'>
<title>bwlp/qemu.git/target, branch spice_video_codecs</title>
<subtitle>Experimental fork of QEMU with video encoding patches</subtitle>
<id>https://git.openslx.org/bwlp/qemu.git/atom/target?h=spice_video_codecs</id>
<link rel='self' href='https://git.openslx.org/bwlp/qemu.git/atom/target?h=spice_video_codecs'/>
<link rel='alternate' type='text/html' href='https://git.openslx.org/bwlp/qemu.git/'/>
<updated>2022-12-04T16:07:46+00:00</updated>
<entry>
<title>Merge tag 'pull-request-2022-12-04' of https://gitlab.com/thuth/qemu into staging</title>
<updated>2022-12-04T16:07:46+00:00</updated>
<author>
<name>Stefan Hajnoczi</name>
</author>
<published>2022-12-04T16:07:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.openslx.org/bwlp/qemu.git/commit/?id=aaf47c7e8b19e2f7093d565115713a9496d316d1'/>
<id>urn:sha1:aaf47c7e8b19e2f7093d565115713a9496d316d1</id>
<content type='text'>
* Fix potential undefined behavior in cleanup of migration-test
* Fix a s390x instruction that causes Java to crash
* Fix a typo in a comment in next-fb.c

# gpg: Signature made Sun 04 Dec 2022 02:04:43 EST
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg:                issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth &lt;th.huth@gmx.de&gt;" [full]
# gpg:                 aka "Thomas Huth &lt;thuth@redhat.com&gt;" [full]
# gpg:                 aka "Thomas Huth &lt;huth@tuxfamily.org&gt;" [full]
# gpg:                 aka "Thomas Huth &lt;th.huth@posteo.de&gt;" [unknown]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2022-12-04' of https://gitlab.com/thuth/qemu:
  hw/display/next-fb: Fix comment typo
  target/s390x/tcg: Fix and improve the SACF instruction
  tests/qtest/migration-test: Fix unlink error and memory leaks

Signed-off-by: Stefan Hajnoczi &lt;stefanha@redhat.com&gt;
</content>
</entry>
<entry>
<title>Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging</title>
<updated>2022-12-04T16:00:44+00:00</updated>
<author>
<name>Stefan Hajnoczi</name>
</author>
<published>2022-12-04T16:00:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.openslx.org/bwlp/qemu.git/commit/?id=4bd638ac65f0c9b209601b939d0cdc34b6a407b4'/>
<id>urn:sha1:4bd638ac65f0c9b209601b939d0cdc34b6a407b4</id>
<content type='text'>
* Fix MMX instructions for system emulators
* Fix uninitialized TranslateFault after canonical address checks

# gpg: Signature made Thu 01 Dec 2022 03:53:33 EST
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini &lt;bonzini@gnu.org&gt;" [full]
# gpg:                 aka "Paolo Bonzini &lt;pbonzini@redhat.com&gt;" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
  target/i386: Always completely initialize TranslateFault
  target/i386: allow MMX instructions with CR4.OSFXSR=0

Signed-off-by: Stefan Hajnoczi &lt;stefanha@redhat.com&gt;
</content>
</entry>
<entry>
<title>target/s390x/tcg: Fix and improve the SACF instruction</title>
<updated>2022-12-03T21:04:40+00:00</updated>
<author>
<name>Thomas Huth</name>
</author>
<published>2022-12-01T18:44:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.openslx.org/bwlp/qemu.git/commit/?id=21be74a9a59d1e4954ebb59dcbee0fda0b19de00'/>
<id>urn:sha1:21be74a9a59d1e4954ebb59dcbee0fda0b19de00</id>
<content type='text'>
The SET ADDRESS SPACE CONTROL FAST instruction is not privileged, it can be
used from problem space, too. Just the switching to the home address space
is privileged and should still generate a privilege exception. This bug is
e.g. causing programs like Java that use the "getcpu" vdso kernel function
to crash (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990417#26 ).

While we're at it, also check if DAT is not enabled. In that case the
instruction is supposed to generate a special operation exception.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/655
Message-Id: &lt;20221201184443.136355-1-thuth@redhat.com&gt;
Reviewed-by: Ilya Leoshkevich &lt;iii@linux.ibm.com&gt;
Reviewed-by: David Hildenbrand &lt;david@redhat.com&gt;
Reviewed-by: Richard Henderson &lt;richard.henderson@linaro.org&gt;
Signed-off-by: Thomas Huth &lt;thuth@redhat.com&gt;
</content>
</entry>
<entry>
<title>target/i386: Always completely initialize TranslateFault</title>
<updated>2022-12-01T08:53:24+00:00</updated>
<author>
<name>Richard Henderson</name>
</author>
<published>2022-12-01T07:45:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.openslx.org/bwlp/qemu.git/commit/?id=8218c048be1567db9dfd3cf1e19fbff76bce8cfd'/>
<id>urn:sha1:8218c048be1567db9dfd3cf1e19fbff76bce8cfd</id>
<content type='text'>
In get_physical_address, the canonical address check failed to
set TranslateFault.stage2, which resulted in an uninitialized
read from the struct when reporting the fault in x86_cpu_tlb_fill.

Adjust all error paths to use structure assignment so that the
entire struct is always initialized.

Reported-by: Daniel Hoffman &lt;dhoff749@gmail.com&gt;
Fixes: 9bbcf372193a ("target/i386: Reorg GET_HPHYS")
Signed-off-by: Richard Henderson &lt;richard.henderson@linaro.org&gt;
Message-Id: &lt;20221201074522.178498-1-richard.henderson@linaro.org&gt;
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1324
Signed-off-by: Paolo Bonzini &lt;pbonzini@redhat.com&gt;
</content>
</entry>
<entry>
<title>target/i386: allow MMX instructions with CR4.OSFXSR=0</title>
<updated>2022-12-01T08:05:05+00:00</updated>
<author>
<name>Paolo Bonzini</name>
</author>
<published>2022-11-30T14:16:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.openslx.org/bwlp/qemu.git/commit/?id=38e65936a8df1c9e7f5d19eae38a42133fab844b'/>
<id>urn:sha1:38e65936a8df1c9e7f5d19eae38a42133fab844b</id>
<content type='text'>
MMX state is saved/restored by FSAVE/FRSTOR so the instructions are
not illegal opcodes even if CR4.OSFXSR=0.  Make sure that validate_vex
takes into account the prefix and only checks HF_OSFXSR_MASK in the
presence of an SSE instruction.

Fixes: 20581aadec5e ("target/i386: validate VEX prefixes via the instructions' exception classes", 2022-10-18)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1350
Reported-by: Helge Konetzka (@hejko on gitlab.com)
Reviewed-by: Richard Henderson &lt;richard.henderson@linaro.org&gt;
Signed-off-by: Paolo Bonzini &lt;pbonzini@redhat.com&gt;
</content>
</entry>
<entry>
<title>target/arm: Set TCGCPUOps.restore_state_to_opc for v7m</title>
<updated>2022-11-29T23:15:26+00:00</updated>
<author>
<name>Evgeny Ermakov</name>
</author>
<published>2022-11-29T20:41:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.openslx.org/bwlp/qemu.git/commit/?id=475e56b630669db02994c1e7fbd3c6e3468e9c1e'/>
<id>urn:sha1:475e56b630669db02994c1e7fbd3c6e3468e9c1e</id>
<content type='text'>
This setting got missed, breaking v7m.

Fixes: 56c6c98df85c ("target/arm: Convert to tcg_ops restore_state_to_opc")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1347
Signed-off-by: Richard Henderson &lt;richard.henderson@linaro.org&gt;
Signed-off-by: Evgeny Ermakov &lt;evgeny.v.ermakov@gmail.com&gt;
Signed-off-by: Stefan Hajnoczi &lt;stefanha@redhat.com&gt;
Message-Id: &lt;20221129204146.550394-1-richard.henderson@linaro.org&gt;
</content>
</entry>
<entry>
<title>target/arm: Use signed quantity to represent VMSAv8-64 translation level</title>
<updated>2022-11-22T16:10:25+00:00</updated>
<author>
<name>Ard Biesheuvel</name>
</author>
<published>2022-11-22T15:55:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.openslx.org/bwlp/qemu.git/commit/?id=15f8f4671afd22491ce99d28a296514717fead4f'/>
<id>urn:sha1:15f8f4671afd22491ce99d28a296514717fead4f</id>
<content type='text'>
The LPA2 extension implements 52-bit virtual addressing for 4k and 16k
translation granules, and for the former, this means an additional level
of translation is needed. This means we start counting at -1 instead of
0 when doing a walk, and so 'level' is now a signed quantity, and should
be typed as such. So turn it from uint32_t into int32_t.

This avoids a level of -1 getting misinterpreted as being &gt;= 3, and
terminating a page table walk prematurely with a bogus output address.

Cc: Peter Maydell &lt;peter.maydell@linaro.org&gt;
Cc: Philippe Mathieu-Daudé &lt;f4bug@amsat.org&gt;
Cc: Richard Henderson &lt;richard.henderson@linaro.org&gt;
Signed-off-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Reviewed-by: Peter Maydell &lt;peter.maydell@linaro.org&gt;
Signed-off-by: Peter Maydell &lt;peter.maydell@linaro.org&gt;
</content>
</entry>
<entry>
<title>target/arm: Don't do two-stage lookup if stage 2 is disabled</title>
<updated>2022-11-22T13:18:22+00:00</updated>
<author>
<name>Peter Maydell</name>
</author>
<published>2022-11-21T21:24:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.openslx.org/bwlp/qemu.git/commit/?id=26ba00cf58e9f21b08fff4c691ce7e9bb21dd123'/>
<id>urn:sha1:26ba00cf58e9f21b08fff4c691ce7e9bb21dd123</id>
<content type='text'>
In get_phys_addr_with_struct(), we call get_phys_addr_twostage() if
the CPU supports EL2.  However, we don't check here that stage 2 is
actually enabled.  Instead we only check that inside
get_phys_addr_twostage() to skip stage 2 translation.  This means
that even if stage 2 is disabled we still tell the stage 1 lookup to
do its page table walks via stage 2.

This works by luck for normal CPU accesses, but it breaks for debug
accesses, which are used by the disassembler and also by semihosting
file reads and writes, because the debug case takes a different code
path inside S1_ptw_translate().

This means that setups that use semihosting for file loads are broken
(a regression since 7.1, introduced in recent ptw refactoring), and
that sometimes disassembly in debug logs reports "unable to read
memory" rather than showing the guest insns.

Fix the bug by hoisting the "is stage 2 enabled?" check up to
get_phys_addr_with_struct(), so that we handle S2 disabled the same
way we do the "no EL2" case, with a simple single stage lookup.

Reported-by: Jens Wiklander &lt;jens.wiklander@linaro.org&gt;
Reviewed-by: Richard Henderson &lt;richard.henderson@linaro.org&gt;
Signed-off-by: Peter Maydell &lt;peter.maydell@linaro.org&gt;
Message-id: 20221121212404.1450382-1-peter.maydell@linaro.org
</content>
</entry>
<entry>
<title>target/arm: Limit LPA2 effective output address when TCR.DS == 0</title>
<updated>2022-11-21T11:46:46+00:00</updated>
<author>
<name>Ard Biesheuvel</name>
</author>
<published>2022-11-21T11:45:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.openslx.org/bwlp/qemu.git/commit/?id=312b71abce3005ca7294dc0db7d548dc7cc41fbf'/>
<id>urn:sha1:312b71abce3005ca7294dc0db7d548dc7cc41fbf</id>
<content type='text'>
With LPA2, the effective output address size is at most 48 bits when
TCR.DS == 0. This case is currently unhandled in the page table walker,
where we happily assume LVA/64k granule when outputsize &gt; 48 and
param.ds == 0, resulting in the wrong conversion to be used from a
page table descriptor to a physical address.

    if (outputsize &gt; 48) {
        if (param.ds) {
            descaddr |= extract64(descriptor, 8, 2) &lt;&lt; 50;
        } else {
            descaddr |= extract64(descriptor, 12, 4) &lt;&lt; 48;
        }

So cap the outputsize to 48 when TCR.DS is cleared, as per the
architecture.

Cc: Peter Maydell &lt;peter.maydell@linaro.org&gt;
Cc: Philippe Mathieu-Daudé &lt;f4bug@amsat.org&gt;
Cc: Richard Henderson &lt;richard.henderson@linaro.org&gt;
Signed-off-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Reviewed-by: Richard Henderson &lt;richard.henderson@linaro.org&gt;
Message-id: 20221116170316.259695-1-ardb@kernel.org
Signed-off-by: Peter Maydell &lt;peter.maydell@linaro.org&gt;
</content>
</entry>
<entry>
<title>Merge tag 'pull-ppc-20221117' of https://gitlab.com/danielhb/qemu into staging</title>
<updated>2022-11-17T17:39:38+00:00</updated>
<author>
<name>Stefan Hajnoczi</name>
</author>
<published>2022-11-17T17:39:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.openslx.org/bwlp/qemu.git/commit/?id=a082fab9d259473a9d5d53307cf83b1223301181'/>
<id>urn:sha1:a082fab9d259473a9d5d53307cf83b1223301181</id>
<content type='text'>
ppc patch queue for 2022-11-17:

Short queue with a build regression fix when using --disable-tcg.

# gpg: Signature made Thu 17 Nov 2022 10:14:39 EST
# gpg:                using EDDSA key 17EBFF9923D01800AF2838193CD9CA96DE033164
# gpg: Good signature from "Daniel Henrique Barboza &lt;danielhb413@gmail.com&gt;" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 17EB FF99 23D0 1800 AF28  3819 3CD9 CA96 DE03 3164

* tag 'pull-ppc-20221117' of https://gitlab.com/danielhb/qemu:
  target/ppc: Fix build warnings when building with 'disable-tcg'

Signed-off-by: Stefan Hajnoczi &lt;stefanha@redhat.com&gt;
</content>
</entry>
</feed>
