target/i386: Fix 32-bit wrapping of pc/eip computation

In 32-bit mode, pc = eip + cs_base is also 32-bit, and must wrap.
Failure to do so results in incorrect memory exceptions to the guest.
Before 732d548732ed, this was implicitly done via truncation to
target_ulong but only in qemu-system-i386, not qemu-system-x86_64.

To fix this, we must add conditional zero-extensions.
Since we have to test for 32 vs 64-bit anyway, note that cs_base
is always zero in 64-bit mode.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2022
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20231212172510.103305-1-richard.henderson@linaro.org>

Update version for v8.2.0-rc3 release

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

i386/sev: Avoid SEV-ES crash due to missing MSR_EFER_LMA bit

Commit 7191f24c7fcf ("accel/kvm/kvm-all: Handle register access errors")
added error checking for KVM_SET_SREGS/KVM_SET_SREGS2. In doing so, it
exposed a long-running bug in current KVM support for SEV-ES where the
kernel assumes that MSR_EFER_LMA will be set explicitly by the guest
kernel, in which case EFER write traps would result in KVM eventually
seeing MSR_EFER_LMA get set and recording it in such a way that it would
be subsequently visible when accessing it via KVM_GET_SREGS/etc.

However, guest kernels currently rely on MSR_EFER_LMA getting set
automatically when MSR_EFER_LME is set and paging is enabled via
CR0_PG_MASK. As a result, the EFER write traps don't actually expose the
MSR_EFER_LMA bit, even though it is set internally, and when QEMU
subsequently tries to pass this EFER value back to KVM via
KVM_SET_SREGS* it will fail various sanity checks and return -EINVAL,
which is now considered fatal due to the aforementioned QEMU commit.

This can be addressed by inferring the MSR_EFER_LMA bit being set when
paging is enabled and MSR_EFER_LME is set, and synthesizing it to ensure
the expected bits are all present in subsequent handling on the host
side.

Ultimately, this handling will be implemented in the host kernel, but to
avoid breaking QEMU's SEV-ES support when using older host kernels, the
same handling can be done in QEMU just after fetching the register
values via KVM_GET_SREGS*. Implement that here.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Akihiko Odaki <akihiko.odaki@daynix.com>
Cc: Philippe Mathieu-Daudé <philmd@linaro.org>
Cc: Lara Lazier <laramglazier@gmail.com>
Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
Cc: Maxim Levitsky <mlevitsk@redhat.com>
Cc: <kvm@vger.kernel.org>
Fixes: 7191f24c7fcf ("accel/kvm/kvm-all: Handle register access errors")
Signed-off-by: Michael Roth <michael.roth@amd.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20231206155821.1194551-1-michael.roth@amd.com>

Merge tag 'pull-ufs-20231205' of https://gitlab.com/jeuk20.kim/qemu into staging

ufs fixes for 8.2

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCgAdFiEEUBfYMVl8eKPZB+73EuIgTA5dtgIFAmVurjcACgkQEuIgTA5d
# tgLWVBAAkzus4nN2+Z0H23VUmeBPCLPFXRSkK8mOWC3ymbX3kiy/IjgM7Ept6QWA
# btssTf3YEeDtycgbrb5GZ4kEfKThDN7bbGRHvCW5bjwkyLQN1Ys2K61CTRX0VhSi
# U4HDE3gCm+LpO28BuV/1KunlSH4TWjt76AB6YG5PuyzSH+AbC8yY7m+VSJTmCw1k
# cZv0TQ+9lqWc4C6ziETV8UqhhltBmd/57P3xFDKhYNl0EtzxnKGSZ2szzWqE7guY
# DsmTlfB5bnkYPE51xxTcJnRj907utNrIfa2kbu9wXU/GuPuEf9QkDo1Dt3t1Z0Zm
# OZPkloXC2eNufVcGYVJa2PylRjwFlg01IuhYmlhsgerg5LZz2RIyrWM61JTONF2J
# 6EvO89e2S3XpBbnl2ugf2rMIdW1tlLSWhnLZD+jZzOu+V2TeLm6/onHWCVQ02sLr
# ddDVpf2djvUsmRvcBBYlI40FcC9Wt828Spm+wkRsGHC+VbAg2al6jRNXyJ2LWeiS
# wGsAwRV6XhQz996uMOWTA7jEsAawHUFgYCsH4bgiqiWEn+FblufY2iicRxY4ZsJA
# GXpvxGoUHWE8e0XjXG1BnRFo2Q5ns9SRl5gx5X7rcmIKUGGCh3ZI72zfeVgCjm7b
# 5/CV/YzKuCRWJCYcORguli1GVuPO01FJrBloTJc0OSaDAtZL2Mg=
# =o2kr
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 04 Dec 2023 23:59:35 EST
# gpg:                using RSA key 5017D831597C78A3D907EEF712E2204C0E5DB602
# gpg: Good signature from "Jeuk Kim <jeuk20.kim@samsung.com>" [unknown]
# gpg:                 aka "Jeuk Kim <jeuk20.kim@gmail.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 5017 D831 597C 78A3 D907  EEF7 12E2 204C 0E5D B602

* tag 'pull-ufs-20231205' of https://gitlab.com/jeuk20.kim/qemu:
  hw/ufs: avoid generating the same ID string for different LU devices

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

hw/ufs: avoid generating the same ID string for different LU devices

QEMU would not start when trying to create two UFS host controllers and
a UFS logical unit for each with the following options:

-device ufs,id=bus0 \
-device ufs-lu,drive=drive1,bus=bus0,lun=0 \
-device ufs,id=bus1 \
-device ufs-lu,drive=drive2,bus=bus1,lun=0 \

This is because the same ID string ("0:0:0/scsi-disk") is generated
for both UFS logical units.

To fix this issue, prepend the parent pci device's path to make
the ID string unique.
("0000:00:03.0/0:0:0/scsi-disk" and "0000:00:04.0/0:0:0/scsi-disk")

Resolves: #2018
Fixes: 096434fea13a ("hw/ufs: Modify lu.c to share codes with SCSI subsystem")
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Reviewed-by: Jeuk Kim <jeuk20.kim@samsung.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20231204150543.48252-1-akinobu.mita@gmail.com>
Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>

Merge tag 'misc-fixes-20231204' of https://github.com/philmd/qemu into staging

Misc fixes for 8.2

- memory: Avoid unaligned accesses (Patrick)
- target/riscv: Fix variable shadowing (Daniel)
- tests/avocado: Update URL, skip flaky test (Alex, Phil)

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmVt7w4ACgkQ4+MsLN6t
# wN7AzA/+N1ec1I2IC0LYT8ThBCyV/92o+1FH5KaIxiVN5Ty3cACnGAac8IJ1K2tC
# 5WG8Dxg4rq+bM16lUq9ME7k82Y3PoxLoRQa8fuClFKdHMXU2sgY4OwTx2606cO4B
# 0H4gR+i3XgrgIDo8qRezWX0JSd1Srrz9QPlcq6kJfDtRq7DU0329aOobkyzuUJPb
# DJD9YPu9y0KokBCBuVlt5ypNSM9xJGRtznFt1sFfNyPgNOnie3s+fYpPn26UigcY
# 8OY/PMS5hapDw/s/gFKWQb/nCTSRnJKZ5dODOjHXK8HvTbYHedw8C4apXyjSXwBI
# fBerNEKJHwD/1QkFhbNCIwsidH72BWeHljrelbZlsUfXU1VcCqNiXV8d2R9ak3xt
# lrW7UcytC1+PqhmIVEXAOA4cwJcq6Hs9IcZ9G9aMvcmlhY3Fv0UKMoRYgsGTULeP
# ySQF3FDSc6dldsfBdwqHGHlwL12EYmpN2sIhEc5aQ9y5Mmuj2FBOYHUbPpyoVLpw
# e45n9Epc43GUVCMj3lZNjWKd+87nGjwKOM3rpBlcaSG3JRkLUe8o5APxeYzePZfO
# 2IOWcGnrUixsvWbNY+6JF98n5hQK7Va3h/e1YbS1K2OZ013LT1SNiZ1LOrl9KiXf
# agY6HMukKbCpJAqpXnMbgWdxCb7GdtjVaWKIVEgejeZTVdH4f8Y=
# =r21r
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 04 Dec 2023 10:23:58 EST
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* tag 'misc-fixes-20231204' of https://github.com/philmd/qemu:
  tests/avocado: mark ReplayKernelNormal.test_mips64el_malta as flaky
  tests/avocado: Update yamon-bin-02.22.zip URL
  target/riscv/kvm: fix shadowing in kvm_riscv_(get|put)_regs_csr
  system/memory: use ldn_he_p/stn_he_p

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Merge tag 'pull-target-arm-20231204-1' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
 * Turn off SME if SVE is turned off (this combination doesn't
   currently work and QEMU will assert if you try it)

# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmVt3wQZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3vrmD/9zu48IxCdHFSshMRmXz6kI
# tMvTrsMSOGXfuQqCbvLn3CUP/La50Yt/T1C2TKzVII1W8zpw8wEEvraCBjexzUzK
# Jcjw0dPSIllQOHBkoUGsgqA0+UkhfIwH0po10rxm1L+ZP3DfISVdyDV9oxCNfEO0
# pGXI1eAN9GIQtJtUj3kZE+RUoamJfoSjlm5XVeX3T+utEU7yf1461L1/qaylYOrW
# wao72ffbuf41jRJwnVmMFoIPrwueYtEeuKl/EgYU4YPxkSQEo34u6d9fz2Irt6/Y
# utO2SffhhmlxQaFhgPX3hvAsfapMt/p2Jy6oUpThOjN75adCq+g1CYj7lzEfIX16
# kb2CY8zQ8NboJtgnkiQAA062myURnk/kmulv0OF6Hh0jHSuLzuMMLcCfBJgq4H6s
# mnBCJfetwRgwqcSl1JTfrMm4wYOLmSrmOcM5JjYwY2YYjnFXI+XB1MdKm0h8cROG
# nFu5TZtNnxgzqBgoh1140AYN851Y1dshczZIHb1/YuNpBIl+ZUO4v5sRT3KBSzb+
# G21570neBv8QcfDSgrLesrjNBDREfkaWEu9BM85461uTjbCLG8RUpn+Jd4VtpkNe
# YVzomhuM9CI5CmYdrTMJ74gnZUtAT9Q3FTcfGL8G4KiSIe85BTw+gEy4PhLXD6FT
# 68fP1M+s8/hsuXCJYbvmAA==
# =K/u0
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 04 Dec 2023 09:15:32 EST
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full]
# gpg:                 aka "Peter Maydell <peter@archaic.org.uk>" [unknown]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20231204-1' of https://git.linaro.org/people/pmaydell/qemu-arm:
  target/arm: Disable SME if SVE is disabled

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Merge tag 'pull-request-2023-12-04' of https://gitlab.com/thuth/qemu into staging

* Fix wording in iotest 149
* Fix whitespace issues in sh4 code (ignore checkpatch.pl warnings here)
* Make sure to check return values in qtests

# -----BEGIN PGP SIGNATURE-----
#
# iQJFBAABCAAvFiEEJ7iIR+7gJQEY8+q5LtnXdP5wLbUFAmVt4PwRHHRodXRoQHJl
# ZGhhdC5jb20ACgkQLtnXdP5wLbWhYxAAm6ww++qfCh5uLrKjXrv/ZS+b+8UVMT+p
# wOBNBz0RDpDahAwesxLABAg9b+fabLTx9OpOyQRgmM/ofCoW/Oi7xzCEwv9JPJX0
# Kr7x5AMCTc2hPydxsMenWYZXLZXcc0HSkB+4yN5FTeOl8YPoRetegsGbiirGpod1
# QyD/oLMZzBxqteF/m0a4gxEuwi3qgRVIOkdk8zeSBMAl6EUazsKR8sTrdCrkupHl
# ddMKjRH4Gr2sXoZ8L/mr4T5FodVxAF1pcZnVyPYDlVgNK/V0IWDcbmFFNr0rXxCM
# CZz7gIOZkpm/MXpVE9UEg++ZOQ16gDUNpvQRyNPgIn0vbiuF5kcXmUpstJWHDico
# O98wgH6im3iC7xyaMTOq3pjSb9RNP4cmIw77EKJyS93RDAgiCX0ozN3zEkxsvZYu
# hQadBd3TSUP6jxz2SWQ6irCwkElfozCc1cPfUyW0rFXjLqWei0UirWDdyN5dL8vk
# pkupZG5p3jiiZs1hm+TQ4W1CPVZFTAW+LcI7V/Na3EBKQvrjYDlHMQdx0NaJh5e3
# xn84bvTnuYfT/I63z9zqIbMwPQ5t+lJaR9ohkn9Q4tTEnHuMV9svON5rsRc3YE6p
# XrR02G9zu4kVAKs51DFNWC9SLgviW+LB2DCe+e2CrqwPjiz+MeOVGEEre7/nnj/q
# clP7u3MyX5A=
# =rU6S
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 04 Dec 2023 09:23:56 EST
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg:                issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2023-12-04' of https://gitlab.com/thuth/qemu:
  tests/qtest: check the return value
  sh4: Coding style: Remove tabs
  tests/qemu-iotests/149: Use more inclusive language in this test

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

tests/avocado: mark ReplayKernelNormal.test_mips64el_malta as flaky

I missed this when going through the recent failure logs. I can run
the test 30 times without failure locally but it seems to hang pretty
reliably on GitLab's CI infra-structure.

Cc: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20231201201027.2689404-1-alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

tests/avocado: Update yamon-bin-02.22.zip URL

http://www.imgtec.com/tools/mips-tools/downloads/ redirects
to https://mips.com/downloads/yamon-version-02-22/ then points
to an invalid path to a s3 bucket. Use the correct path. The
site will eventually be fixed.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20231201205630.10837-1-philmd@linaro.org>

target/riscv/kvm: fix shadowing in kvm_riscv_(get|put)_regs_csr

KVM_RISCV_GET_CSR() and KVM_RISCV_SET_CSR() use an 'int ret' variable
that is used to do an early 'return' if ret > 0. Both are being called
in functions that are also declaring a 'ret' integer, initialized with
'0', and this integer is used as return of the function.

The result is that the compiler is less than pleased and is pointing
shadowing errors:

../target/riscv/kvm/kvm-cpu.c: In function 'kvm_riscv_get_regs_csr':
../target/riscv/kvm/kvm-cpu.c:90:13: error: declaration of 'ret' shadows a previous local [-Werror=shadow=compatible-local]
   90 |         int ret = kvm_get_one_reg(cs, RISCV_CSR_REG(env, csr), &reg); \
      |             ^~~
../target/riscv/kvm/kvm-cpu.c:539:5: note: in expansion of macro 'KVM_RISCV_GET_CSR'
  539 |     KVM_RISCV_GET_CSR(cs, env, sstatus, env->mstatus);
      |     ^~~~~~~~~~~~~~~~~
../target/riscv/kvm/kvm-cpu.c:536:9: note: shadowed declaration is here
  536 |     int ret = 0;
      |         ^~~

../target/riscv/kvm/kvm-cpu.c: In function 'kvm_riscv_put_regs_csr':
../target/riscv/kvm/kvm-cpu.c:98:13: error: declaration of 'ret' shadows a previous local [-Werror=shadow=compatible-local]
   98 |         int ret = kvm_set_one_reg(cs, RISCV_CSR_REG(env, csr), &reg); \
      |             ^~~
../target/riscv/kvm/kvm-cpu.c:556:5: note: in expansion of macro 'KVM_RISCV_SET_CSR'
  556 |     KVM_RISCV_SET_CSR(cs, env, sstatus, env->mstatus);
      |     ^~~~~~~~~~~~~~~~~
../target/riscv/kvm/kvm-cpu.c:553:9: note: shadowed declaration is here
  553 |     int ret = 0;
      |         ^~~

The macros are doing early returns for non-zero returns and the local
'ret' variable for both functions is used just to do 'return 0', so
remove them from kvm_riscv_get_regs_csr() and kvm_riscv_put_regs_csr()
and do a straight 'return 0' in the end.

For good measure let's also rename the 'ret' variables in
KVM_RISCV_GET_CSR() and KVM_RISCV_SET_CSR() to '_ret' to make them more
resilient to these kind of errors.

Fixes: 937f0b4512 ("target/riscv: Implement kvm_arch_get_registers")
Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20231123101338.1040134-1-dbarboza@ventanamicro.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

system/memory: use ldn_he_p/stn_he_p

Using direct pointer dereferencing can allow for unaligned accesses,
which was seen during execution with sanitizers enabled.

Cc: qemu-stable@nongnu.org
Reviewed-by: Chris Rauer <crauer@google.com>
Reviewed-by: Peter Foley <pefoley@google.com>
Signed-off-by: Patrick Venture <venture@google.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: David Hildenbrand <david@redhat.com>
Message-ID: <20231116163633.276671-1-venture@google.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

tests/qtest: check the return value

These variables "ret" are never referenced in the code, thus
add check logic for the "ret"

Signed-off-by: Zhu Jun <zhujun2@cmss.chinamobile.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20231121080802.4500-1-zhujun2@cmss.chinamobile.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

sh4: Coding style: Remove tabs

Replaces TABS with spaces to ensure have a consistent coding
style with an indentation of 4 spaces in the SH4 subsystem.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/376
Signed-off-by: Yihuan Pan <xun794@gmail.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20231124044554.513752-1-xun794@gmail.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

tests/qemu-iotests/149: Use more inclusive language in this test

Let's use 'unsupported_configs' and 'tested_configs' here
instead of non-inclusive words.

Message-ID: <20231122084000.809696-1-thuth@redhat.com>
Reviewed-by: "Daniel P. Berrangé" <berrange@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

target/arm: Disable SME if SVE is disabled

There is no architectural requirement that SME implies SVE, but
our implementation currently assumes it. (FEAT_SME_FA64 does
imply SVE.) So if you try to run a CPU with eg "-cpu max,sve=off"
you quickly run into an assert when the guest tries to write to
SMCR_EL1:

#6  0x00007ffff4b38e96 in __GI___assert_fail
    (assertion=0x5555566e69cb "sm", file=0x5555566e5b24 "../../target/arm/helper.c", line=6865, function=0x5555566e82f0 <__PRETTY_FUNCTION__.31> "sve_vqm1_for_el_sm") at ./assert/assert.c:101
#7  0x0000555555ee33aa in sve_vqm1_for_el_sm (env=0x555557d291f0, el=2, sm=false) at ../../target/arm/helper.c:6865
#8  0x0000555555ee3407 in sve_vqm1_for_el (env=0x555557d291f0, el=2) at ../../target/arm/helper.c:6871
#9  0x0000555555ee3724 in smcr_write (env=0x555557d291f0, ri=0x555557da23b0, value=2147483663) at ../../target/arm/helper.c:6995
#10 0x0000555555fd1dba in helper_set_cp_reg64 (env=0x555557d291f0, rip=0x555557da23b0, value=2147483663) at ../../target/arm/tcg/op_helper.c:839
#11 0x00007fff60056781 in code_gen_buffer ()

Avoid this unsupported and slightly odd combination by
disabling SME when SVE is not present.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2005
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20231127173318.674758-1-peter.maydell@linaro.org

tests/avocado: Update yamon-bin-02.22.zip URL

http://www.imgtec.com/tools/mips-tools/downloads/ redirects
to https://mips.com/downloads/yamon-version-02-22/ then points
to an invalid path to a s3 bucket. Use the correct path. The
site will eventually be fixed.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20231201205630.10837-1-philmd@linaro.org>

Merge tag 'ui-pull-request' of https://gitlab.com/marcandre.lureau/qemu into staging

ui/audio fixes for 8.2

# -----BEGIN PGP SIGNATURE-----
#
# iQJQBAABCAA6FiEEh6m9kz+HxgbSdvYt2ujhCXWWnOUFAmVtiO0cHG1hcmNhbmRy
# ZS5sdXJlYXVAcmVkaGF0LmNvbQAKCRDa6OEJdZac5UDeEACvbixo8MuxOpBf9DK2
# JTCQeHYeVW7QtwDh9xUUnbcM77+lWgkr9OeCJ7FKxF1J7UHkQ7jIzISs/P0zuCw0
# JRkoOcfOnxV/Pn8XAq79F6Yq55EUdCdvsj0XgsVx+K096VHvjlK3fzNwNebJrkos
# NpwQnnqI37TYBUFSivjKkEkPf1Kp4R4abeNs3eEzsIMUzEmEZQwwi5zZAMxxZ41o
# fyItvdaEEDJxzupS6e0x4O4B5KkTo9RFwsJgstOAbkCxuJk67grV9dm3S3wFiUR3
# iFR2P/EyzctT9QOkU7oEIi87CiociKaYWgw/tDU4lFjXwbkt0a59b783Rha1RlN8
# ICFQ3B0NX+CNlc5PPsF1yp3+DNJRKz8Rap4PmU5IIVXTlPHm+YrWRw6vklw5kq7y
# nAvdcfIJ+UQGVCgqQiLkuZslz4ATFOypnUvSL+eds1jHMS6UQcGd3zD1QCEPhDSP
# jhFirqDQYWU/18ZU3b6VuDe5Ko3erd4V7hDikeQnjLjYfBFX1/Mts+6GmaGdfbqk
# JLOHYa7CUP7akTB7fQF1/4B6cSf3hOsXYlmDHQPZgi1OYEy/BdPuwM5pN4jAikwO
# b2z6TrXS3hQK61bUtU+XnhOOW98+gfz77UwluXDl22KHGV+c/SadyMFJWm8VYX4k
# DuNTQ78vApqCuAhjFcKSXPSt7A==
# =fpz/
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 04 Dec 2023 03:08:13 EST
# gpg:                using RSA key 87A9BD933F87C606D276F62DDAE8E10975969CE5
# gpg:                issuer "marcandre.lureau@redhat.com"
# gpg: Good signature from "Marc-André Lureau <marcandre.lureau@redhat.com>" [full]
# gpg:                 aka "Marc-André Lureau <marcandre.lureau@gmail.com>" [full]
# Primary key fingerprint: 87A9 BD93 3F87 C606 D276  F62D DAE8 E109 7596 9CE5

* tag 'ui-pull-request' of https://gitlab.com/marcandre.lureau/qemu:
  hw/audio/virtio-sound: mark the device as unmigratable
  ui/vnc-clipboard: fix inflate_buffer
  ui/gtk-egl: move function calls back to regular code path

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Merge tag 'pull-more-8.2-fixes-011223-2' of https://gitlab.com/stsquad/qemu into staging

Flaky avocado tests, gdbstub and gitlab tweaks

  - gdbstub, properly halt when QEMU is having IO issues
  - convert skipIf(GITLAB_CI) to skipUnless(QEMU_TEST_FLAKY_TESTS)
  - tag sbsa-ref tests as TCG only
  - build the correct microblaze for avocado-system-ubuntu
  - add optional flaky tests job to CI

# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCgAdFiEEZoWumedRZ7yvyN81+9DbCVqeKkQFAmVqHFgACgkQ+9DbCVqe
# KkQHLwgAjP2iL5LSa3FaMUoESJQqRB0rpoJ80gtEtmvmgRF0fHsRfHtDdMN9h2Ed
# YilCDhMKLyr2ZoK4atyuc5SR6vCXI5RAvfTddex0xSxlvBX5Z5+1FMC6yA8SDJM7
# ezEXACEKHiGv+l8gvOZOf9ZYEgh8DMJYFMbrtxuxKWw/kAjZ3R3X/ChCL94ZCPRe
# 486wqPIQfp5EPs2ddsW4DYFTjLpK5ImX+u/5kdaEGXwcg8UoLmQ9BVIrN/hYJ6u5
# t/mAp1qVIQwSOSUBnerQ4ZkVQfCgLtEtiDtt8EZjUbQD3DcLjfHFjTwVlpqcC1zs
# wHXYpLbD5jkthqav5E0DObCF9gIZdA==
# =qtvU
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 01 Dec 2023 12:48:08 EST
# gpg:                using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8  DF35 FBD0 DB09 5A9E 2A44

* tag 'pull-more-8.2-fixes-011223-2' of https://gitlab.com/stsquad/qemu:
  gitlab: add optional job to run flaky avocado tests
  gitlab: build the correct microblaze target
  tests/avocado: tag sbsa tests as tcg only
  docs/devel: rationalise unstable gitlab tests under FLAKY_TESTS
  gdbstub: use a better signal when we halt for IO reasons

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Merge tag 'for_upstream' of https://git./virt/kvm/mst/qemu into staging

virtio,pc,pci: features, cleanups, fixes

misc fixes, cleanups

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# -----BEGIN PGP SIGNATURE-----
#
# iQFDBAABCAAtFiEEXQn9CHHI+FuUyooNKB8NuNKNVGkFAmVrmhwPHG1zdEByZWRo
# YXQuY29tAAoJECgfDbjSjVRp/XsH/05hHtQqO+EnKSAW5SEwZnlLfzDcajVVPIkT
# h6Yf6ahHNf4hG1qqa2CICqJtDAOQYamO128QjZdQxsnYejwBmZ/oG//neWh6qLPV
# Hp4AaKV2MjKRQZPNblnrGUirxkSWSTqIONXp4FsVVpKOKW9IX5f9tH6nyFAqXWX7
# KzNY/3KD1CVSwAV1+hY2c6OzWVdTSJykPRocfB0jTYY1RygI0t57Hiq7v8AliGAx
# 7ktSJFD9MBr+4Un7CQZWp24eyrL77j8U+YQRlPVYupkmQyuXHPdBr4RruHcGupIy
# GeIvbkX1mTCEfOd/HFQ1X41hpf8AEyZjjq2SOEBncIRWY6EhSio=
# =opjy
# -----END PGP SIGNATURE-----
# gpg: Signature made Sat 02 Dec 2023 15:57:00 EST
# gpg:                using RSA key 5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469
# gpg:                issuer "mst@redhat.com"
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" [full]
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>" [full]
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
#      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469

* tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu:
  vhost-user-scsi: free the inflight area when reset
  vhost-user: fix the reconnect error
  msix: unset PCIDevice::msix_vector_poll_notifier in rollback
  virtio-iommu: Remove useless !sdev check in virtio_iommu_probe()
  hw/i386: fix short-circuit logic with non-optimizing builds
  hw/acpi/erst: Do not ignore Error* in realize handler
  pcie_sriov: Remove g_new assertion
  virtio-sound: add realize() error cleanup path
  virtio-snd: check AUD_register_card return value
  hw/audio/hda-codec: reenable the audio mixer
  hw/audio/hda-codec: fix multiplication overflow
  hw/audio/virtio-snd-pci: fix the PCI class code
  tests/acpi/bios-tables-test: do not write new blobs unless there are changes
  netdev: set timeout depending on loadavg
  osdep: add getloadavg

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Merge tag 'migration-20231201-pull-request' of https://github.com/xzpeter/qemu into staging

Migration patches for rc3:

- One more memleak regression fix from Het

# -----BEGIN PGP SIGNATURE-----
#
# iIgEABYKADAWIQS5GE3CDMRX2s990ak7X8zN86vXBgUCZWoLbRIccGV0ZXJ4QHJl
# ZGhhdC5jb20ACgkQO1/MzfOr1wahYwD+OsD7CaZYjkl9KSooRfblEenD6SdfhAdC
# oZc07f2UxocA/0s1keDBZUUcZOiGYPDFV5his4Jw4F+RRD1YIpVWZg4J
# =T0/r
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 01 Dec 2023 11:35:57 EST
# gpg:                using EDDSA key B9184DC20CC457DACF7DD1A93B5FCCCDF3ABD706
# gpg:                issuer "peterx@redhat.com"
# gpg: Good signature from "Peter Xu <xzpeter@gmail.com>" [full]
# gpg:                 aka "Peter Xu <peterx@redhat.com>" [full]
# Primary key fingerprint: B918 4DC2 0CC4 57DA CF7D  D1A9 3B5F CCCD F3AB D706

* tag 'migration-20231201-pull-request' of https://github.com/xzpeter/qemu:
  migration: Plug memory leak with migration URIs

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

hw/audio/virtio-sound: mark the device as unmigratable

The virtio-sound device is currently not migratable. QEMU crashes
on the source machine at some point during the migration with a
segmentation fault.

Even with this bug fixed, the virtio-sound device doesn't migrate
the state of the audio streams. For example, running streams leave
the device on the destination machine in a broken condition.

Mark the device as unmigratable until these issues have been fixed.

Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20231204072837.6058-1-vr_qemu@t-online.de>

ui/vnc-clipboard: fix inflate_buffer

Commit d921fea338 ("ui/vnc-clipboard: fix infinite loop in
inflate_buffer (CVE-2023-3255)") removed this hunk, but it is still
required, because it can happen that stream.avail_in becomes zero
before coming across a return value of Z_STREAM_END in the loop.

This fixes the host->guest direction of the clipboard with noVNC and
TigerVNC as clients.

Fixes: d921fea338 ("ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)")
Reported-by: Friedrich Weber <f.weber@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20231122125826.228189-1-f.ebner@proxmox.com>

ui/gtk-egl: move function calls back to regular code path

Commit 6f189a08c1 ("ui/gtk-egl: Check EGLSurface before doing
scanout") introduced a regression when QEMU is running with a
virtio-gpu-gl-device on a host under X11. After the guest has
initialized the virtio-gpu-gl-device, the guest screen only
shows "Display output is not active.".

Commit 6f189a08c1 moved all function calls in
gd_egl_scanout_texture() to a code path which is only called
once after gd_egl_init() succeeds in gd_egl_scanout_texture().
Move all function calls in gd_egl_scanout_texture() back to
the regular code path so they get always called if one of the
gd_egl_init() calls was successful.

Fixes: 6f189a08c1 ("ui/gtk-egl: Check EGLSurface before doing scanout")
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20231111104020.26183-1-vr_qemu@t-online.de>

vhost-user-scsi: free the inflight area when reset

Keep it the same to vhost-user-blk.
At the same time, fix the vhost_reset_device.

Signed-off-by: Li Feng <fengli@smartx.com>
Message-Id: <20231123055431.217792-3-fengli@smartx.com>
Reviewed-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

vhost-user: fix the reconnect error

If the error occurs in vhost_dev_init, the value of s->connected is set to true
in advance, and there is no chance to enter this function execution again
in the future.

Signed-off-by: Li Feng <fengli@smartx.com>
Message-Id: <20231123055431.217792-2-fengli@smartx.com>
Reviewed-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

msix: unset PCIDevice::msix_vector_poll_notifier in rollback

In the rollback in msix_set_vector_notifiers(), original patch forgot to
undo msix_vector_poll_notifier pointer.

Fixes: bbef882cc193 ("msi: add API to get notified about pending bit poll")
Signed-off-by: Robert Hoo <robert.hoo.linux@gmail.com>
Message-Id: <20231113081349.1307-1-robert.hoo.linux@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

virtio-iommu: Remove useless !sdev check in virtio_iommu_probe()

The code already checks iommu_mr is not NULL so there is no
need to check container_of() is not NULL. Remove the check.

Fixes: CID 1523901
Fixes: 09b4c3d6a2 ("virtio-iommu: Record whether a probe request has
been issued")
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reported-by: Coverity (CID 1523901)
Message-Id: <20231109170715.259520-1-eric.auger@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

hw/i386: fix short-circuit logic with non-optimizing builds

`kvm_enabled()` is compiled down to `0` and short-circuit logic is
used to remove references to undefined symbols at the compile stage.
Some build configurations with some compilers don't attempt to
simplify this logic down in some cases (the pattern appears to be
that the literal false must be the first term) and this was causing
some builds to emit references to undefined symbols.

An example of such a configuration is clang 16.0.6 with the following
configure: ./configure --enable-debug --without-default-features
--target-list=x86_64-softmmu --enable-tcg-interpreter

Signed-off-by: Daniel Hoffman <dhoff749@gmail.com>
Message-Id: <20231119203116.3027230-1-dhoff749@gmail.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

hw/acpi/erst: Do not ignore Error* in realize handler

erst_realizefn() passes @errp to functions without checking for
failure.  If it runs into another failure, it trips error_setv()'s
assertion.

Use the ERRP_GUARD() macro and check *errp, as suggested in commit
ae7c80a7bd ("error: New macro ERRP_GUARD()").

Cc: qemu-stable@nongnu.org
Fixes: f7e26ffa59 ("ACPI ERST: support for ACPI ERST feature")
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20231120130017.81286-1-philmd@linaro.org>
Reviewed-by: Ani Sinha <anisinha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

pcie_sriov: Remove g_new assertion

g_new() aborts if the allocation fails so it returns NULL only if the
requested allocation size is zero. register_vfs() makes such an
allocation if NumVFs is zero so it should not assert that g_new()
returns a non-NULL value.

Fixes: 7c0fa8dff8 ("pcie: Add support for Single Root I/O Virtualization (SR/IOV)")
Buglink: https://issues.redhat.com/browse/RHEL-17209
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-Id: <20231123075630.12057-1-akihiko.odaki@daynix.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Tested-by: Yanghang Liu<yanghliu@redhat.com>
Reviewed-by: Cédric Le Goater &lt;<a href="mailto:clg@redhat.com" target="_blank">clg@redhat.com</a>&gt;<br>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

virtio-sound: add realize() error cleanup path

QEMU crashes on exit when a virtio-sound device has failed to
realise. Its vmstate field was not cleaned up properly with
qemu_del_vm_change_state_handler().

This patch changes the realize() order as

1. Validate the given configuration values (no resources allocated
   by us either on success or failure)
2. Try AUD_register_card() and return on failure (no resources allocated
   by us on failure)
3. Initialize vmstate, virtio device, heap allocations and stream
   parameters at once.
   If error occurs, goto error_cleanup label which calls
   virtio_snd_unrealize(). This cleans up all resources made in steps
   1-3.

Reported-by: Volker Rümelin <vr_qemu@t-online.de>
Fixes: 2880e676c000 ("Add virtio-sound device stub")
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-Id: <20231116072046.4002957-1-manos.pitsidianakis@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

virtio-snd: check AUD_register_card return value

AUD_register_card might fail. Even though errp was passed as an
argument, the call's return value was not checked for failure.

Fixes: Coverity CID 1523899
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-Id: <20231109162034.2108018-1-manos.pitsidianakis@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

hw/audio/hda-codec: reenable the audio mixer

Commit b7639b7dd0 ("hw/audio: Simplify hda audio init") inverted
the sense of hda codec property mixer during initialization.
Change the code so that mixer=on enables the hda mixer emulation
and mixer=off disables the hda mixer emulation.

With this change audio playback and recording streams don't start
muted by default.

Fixes: b7639b7dd0 ("hw/audio: Simplify hda audio init")
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
Message-Id: <20231105172552.8405-2-vr_qemu@t-online.de>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

hw/audio/hda-codec: fix multiplication overflow

After a relatively short time, there is an multiplication overflow
when multiplying (now - buft_start) with hda_bytes_per_second().
While the uptime now - buft_start only overflows after 2**63 ns
= 292.27 years, this happens hda_bytes_per_second() times faster
with the multiplication. At 44100 samples/s * 2 channels
* 2 bytes/channel = 176400 bytes/s that is 14.52 hours. After the
multiplication overflow the affected audio stream stalls.

Replace the multiplication and following division with muldiv64()
to prevent a multiplication overflow.

Fixes: 280c1e1cdb ("audio/hda: create millisecond timers that handle IO")
Reported-by: M_O_Bz <m_o_bz@163.com>
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
Message-Id: <20231105172552.8405-1-vr_qemu@t-online.de>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

hw/audio/virtio-snd-pci: fix the PCI class code

The virtio sound device is currently an unclassified PCI device.

~> sudo lspci -s '00:02.0' -v -nn | head -n 2
00:02.0 Unclassified device [00ff]:
 Red Hat, Inc. Device [1af4:1059] (rev 01)
        Subsystem: Red Hat, Inc. Device [1af4:1100]

Set the correct PCI class code to change the device to a
multimedia audio controller.

~> sudo lspci -s '00:02.0' -v -nn | head -n 2
00:02.0 Multimedia audio controller [0401]:
 Red Hat, Inc. Device [1af4:1059] (rev 01)
        Subsystem: Red Hat, Inc. Device [1af4:1100]

Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
Message-Id: <20231107185034.6434-1-vr_qemu@t-online.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

tests/acpi/bios-tables-test: do not write new blobs unless there are changes

When dumping table blobs using rebuild-expected-aml.sh, table blobs from all
test variants are dumped regardless of whether there are any actual changes to
the tables or not. This creates lot of new files for various test variants that
are not part of the git repository. This is because we do not check in all table
blobs for all test variants into the repository. Only those blobs for those
variants that are different from the generic test-variant agnostic blob are
checked in.

This change makes the test smarter by checking if at all there are any changes
in the tables from the checked-in gold master blobs and take actions
accordingly.

When there are no changes:
 - No new table blobs would be written.
 - Existing table blobs will be refreshed (git diff will show no changes).
When there are changes:
 - New table blob files will be dumped.
 - Existing table blobs will be refreshed (git diff will show that the files
   changed, asl diff will show the actual changes).
When new tables are introduced:
 - Zero byte empty file blobs for new tables as instructed in the header of
   bios-tables-test.c will be regenerated to actual table blobs.

This would make analyzing changes to tables less confusing and there would
be no need to clean useless untracked files when there are no table changes.

CC: peter.maydell@linaro.org
Signed-off-by: Ani Sinha <anisinha@redhat.com>
Message-Id: <20231107044952.5461-1-anisinha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Acked-by: Igor Mammedov <imammedo@redhat.com>

gitlab: add optional job to run flaky avocado tests

One problem with flaky tests is they often only fail under CI
conditions which makes it hard to debug. We add an optional allow_fail
job so developers can trigger the only the flaky tests in the CI
environment if they are debugging.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20231201093633.2551497-8-alex.bennee@linaro.org>

gitlab: build the correct microblaze target

We inadvertently built the LE target for BE tests.

Fixes: 78ebc00b06 (gitlab: shuffle some targets and reduce avocado noise)
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20231201093633.2551497-7-alex.bennee@linaro.org>

tests/avocado: tag sbsa tests as tcg only

As firmware runs at a higher privilege level than the hypervisor we
can only run these tests under TCG emulation.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20231201093633.2551497-6-alex.bennee@linaro.org>

migration: Plug memory leak with migration URIs

migrate_uri_parse() allocates memory to 'channel' if the user
opts for old syntax - uri, which is leaked because there is no
code for freeing 'channel'.
So, free channel to avoid memory leak in case where 'channels'
is empty and uri parsing is required.

Fixes: 5994024f ("migration: Implement MigrateChannelList to qmp migration flow")
Signed-off-by: Het Gala <het.gala@nutanix.com>
Suggested-by: Markus Armbruster <armbru@redhat.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Link: https://lore.kernel.org/r/20231129204301.131228-1-het.gala@nutanix.com
Signed-off-by: Peter Xu <peterx@redhat.com>

docs/devel: rationalise unstable gitlab tests under FLAKY_TESTS

It doesn't make sense to have two classes of flaky tests. While it may
take the constrained environment of CI to trigger failures easily it
doesn't mean they don't occasionally happen on developer machines. As
CI is the gating factor to passing there is no point developers
running the tests locally anyway unless they are trying to fix things.

While we are at it update the language in the docs to discourage the
QEMU_TEST_FLAKY_TESTS becoming a permanent solution.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20231201093633.2551497-3-alex.bennee@linaro.org>

gdbstub: use a better signal when we halt for IO reasons

The gdb description GDB_SIGNAL_IO is "I/O possible" and by default gdb
will try and restart the guest, getting us nowhere. Report
GDB_SIGNAL_STOP instead which should at least halt the session at the
failure point.

Reviewed-by: Luis Machado <luis.machado@arm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20231201093633.2551497-2-alex.bennee@linaro.org>

netdev: set timeout depending on loadavg

netdev test keeps failing sometimes.
I don't think we should increase the timeout some more:
let's try something else instead, testing how busy the
system is.

Seems to work for me.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

osdep: add getloadavg

getloadavg is supported on Linux, BSDs, Solaris.

Following man page:
RETURN VALUE
       If the load average was unobtainable, -1 is returned; otherwise,
       the number of samples actually retrieved is returned.

accordingly, make stub for systems which don't support this function return -1
for consistency.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

Merge tag 'pull-ppc-for-8.2-20231130' of https://gitlab.com/npiggin/qemu into staging

* Add a default BIOS for the new amigaone machine so it does not
  require out of tree binary blob.
* SLOF update to fix virtio serial bugs.

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCgAdFiEETkN92lZhb0MpsKeVZ7MCdqhiHK4FAmVof8kACgkQZ7MCdqhi
# HK71ng//TCpoi02/aZY5kAd1a1NxvRDd/gR9d5y79TaixgJ9FoV7joNg7Labu21r
# Gezghpgj7Ph+Wy175/qYhIJJ6JheK6xsAb7JmCJUq5HeOixJHkK0xHCJ0uGf1tcb
# c24+6JYa7K1Yd48EhGQUDwd+7J7QeAKPyJLSZHG2Qg9+sPX2koxa9tzZMoaWoA2L
# pMfXhUTBiK6Q93FtrQw16pRUcGrY542wLeA/nRaUFtuPdv38TDmJ4ktnid27fIh5
# 1+QVGQD0HCO29SVT/VP1TJenJukrYVjBfT8ulVC/wo53tZHhNSDVffXbRijrVFlX
# CPowJ2UebPwpvnvv8F8CSGPL4XPI+IBVdUOwZZMkH5oGaMXQW6mP4zsB7TK+g5z3
# 8+hQ0VZS0MzrrfSqufup8SUJAqJ1Sckx104clrpXtrBSAoiF634Qi1+UurwDVLFS
# VibKnMl31LauNRIWXVfj4BYOdH9oHOEHR5ghoaRguOAe58N7fGNiXC/WnScWbp8r
# PXE9D7SUMPtxNejDFRam+Df7JwTY+CdB56uvZ/behgs3FABfMmqBX+WgBbNhLaP4
# B4Wa0MTOAHz3itXRHYtvd6n3M9ts4nU88Srkuf0akAzp4Nv4b3+isuIncUazDREt
# q2z94oolhuZarLhsi/8Qo2G/SfJBNM0s4fmx4NTrqscupl5SadM=
# =7rvy
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 30 Nov 2023 07:27:53 EST
# gpg:                using RSA key 4E437DDA56616F4329B0A79567B30276A8621CAE
# gpg: Good signature from "Nicholas Piggin <npiggin@gmail.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4E43 7DDA 5661 6F43 29B0  A795 67B3 0276 A862 1CAE

* tag 'pull-ppc-for-8.2-20231130' of https://gitlab.com/npiggin/qemu:
  ppc/amigaone: Allow running AmigaOS without firmware image
  pseries: Update SLOF firmware image

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Merge tag 'migration-20231130-pull-request' of https://gitlab.com/juan.quintela/qemu into staging

Migration Pull request (20231130)

Hi

In this pull request:
- fix form p-ioc set too soon
- free 'saddr' at the right time

Please, apply.

CI: https://gitlab.com/juan.quintela/qemu/-/pipelines/1090495323

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEGJn/jt6/WMzuA0uC9IfvGFhy1yMFAmVoZrgACgkQ9IfvGFhy
# 1yOS6BAA2Rag1bz2yrI/Gts+J/+pVu3a8AZh0lu8J5nABkFSGwrQ5RfVuSuq1Cwt
# j9uctmt9qAEbbLeFsTf/CYCxO4R1RDhOw78o7YfPZPiUFOAvuZB+gHCGA+NH1YH7
# a8uzh/yQ0wSQSKrkFHKV7A1Kli7k6c8iYo3v9ibJDqphUpOfjSPLB22hmRqRp/gy
# 2ZQH/mxj9xlkYxQ/WUKVVl3weXbshbniuQ3RM3HnZYzzWlam4PjI+rAyAF6jhmf6
# ReKDm4n55jTNZXXd9Wa5PZQ7g55BwO1suJfGeojJGsdgfqsFXf/TTwRdmvxOMg/V
# 5X/Eo8GxMF2Vf3pul/m3eNmKvlP0Bh+VlN8dF+Ii8ZXawOEsJpXcCE2yNpXn4UqP
# nyaTznnel2QCDMNWaQNHVbGXFc+n5ocwEnDmO5Idwp5W3/+MFM+xP05FpnshpR0h
# 1vq5dUO/mq5jIoYK//iIXe99rHoIJlOP6SRdtTyxRBhJLg76YKRYmF3RaU51B9n4
# qWLWhDQBwbdv0ZEPZIAhDlO5grY9BRQT5aGNLRsLWL0rY4nJtYdVv8/MyISlNCD8
# eY8SOB0cs/vaLG7Nfj0tboXMAh5sPCXxqx25pVf+x+09EJhD1VZ+axTjbnJmRTs/
# nL5tmQ2EPvFzoVzxeOHdEK+jXdJYWBZf6LBlPY1HN+Gt3JjIecE=
# =5Img
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 30 Nov 2023 05:40:56 EST
# gpg:                using RSA key 1899FF8EDEBF58CCEE034B82F487EF185872D723
# gpg: Good signature from "Juan Quintela <quintela@redhat.com>" [full]
# gpg:                 aka "Juan Quintela <quintela@trasno.org>" [full]
# Primary key fingerprint: 1899 FF8E DEBF 58CC EE03  4B82 F487 EF18 5872 D723

* tag 'migration-20231130-pull-request' of https://gitlab.com/juan.quintela/qemu:
  migration: free 'saddr' since be no longer used
  migration/multifd: Stop setting p->ioc before connecting

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

ppc/amigaone: Allow running AmigaOS without firmware image

The machine uses a modified U-Boot under GPL license but the sources
of it are lost with only a binary available so it cannot be included
in QEMU. Allow running without the firmware image which can be used
when calling a boot loader directly and thus simplifying booting
guests. We need a small routine that AmigaOS calls from ROM which is
added in this case to allow booting AmigaOS without external firmware
image.

Fixes: d9656f860a38 ("hw/ppc: Add emulation of AmigaOne XE board")
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>

pseries: Update SLOF firmware image

It's been a while. This fixes compile warning, typos and
a bug with virtio-serial being used after it was shutdown
at "quiesce".

The full changelog is here:

Alexey Kardashevskiy (2):
      Remove ?PICK
      version: update to 20230918

Jordan Niethe (1):
      virtio-serial: Do not close stdout on quiesce

Kautuk Consul (1):
      virtio-serial: Make read and write methods report failure

Thomas Huth (10):
      lib/libnet/ipv6: Silence compiler warning from Clang
      Fix typos in the board-qemu folder
      Fix typos in the lib/libnet folder
      Fix typos in the remaining lib folders
      Fix typos in the slof folder
      Fix typos in the board-js2x folder
      Fix typos in the llfw folder
      Fix typos in the board-js2x folder
      Fix typos in the clients folder
      Fix remaining typos in various folders

Compiled with gcc-12.1.0-nolibc

Tested with (sorry, no KVM):

/home/aik/b/q-slof/qemu-system-ppc64 \
-nodefaults \
-chardev stdio,id=STDIO0,signal=off,mux=on \
-device spapr-vty,id=svty0,reg=0x71000110,chardev=STDIO0 \
-mon id=MON0,chardev=STDIO0,mode=readline \
-nographic \
-vga none \
-m 2G \
-kernel /home/aik/t/vml4150le \
-initrd /home/aik/t/le.cpio \
-machine pseries,cap-cfpc=broken,cap-sbbc=broken,cap-ibs=broken,cap-ccf-assist=off \
-bios pc-bios/slof.bin \
-trace events=/home/aik/qemu_trace_events \
-d guest_errors \
-chardev socket,id=SOCKET0,server=on,wait=off,path=qemu.mon.604650 \
-mon chardev=SOCKET0,mode=control \
-name 604650,debug-threads=on

[ npiggin: Also tested with KVM, including with virtio-console. ]

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>

migration: free 'saddr' since be no longer used

Since socket_parse() will allocate memory for 'saddr',and its value
will pass to 'addr' that allocated by migrate_uri_parse(),
then 'saddr' will no longer used,need to free.
But due to 'saddr->u' is shallow copying the contents of the union,
the members of this union containing allocated strings,and will be used after that.
So just free 'saddr' itself without doing a deep free on the contents of the SocketAddress.

Fixes: 72a8192e225c ("migration: convert migration 'uri' into 'MigrateAddress'")
Signed-off-by: Zongmin Zhou<zhouzongmin@kylinos.cn>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Message-ID: <20231120031428.908295-1-zhouzongmin@kylinos.cn>

migration/multifd: Stop setting p->ioc before connecting

This is being shadowed but the assignments at
multifd_channel_connect() and multifd_tls_channel_connect() .

Signed-off-by: Fabiano Rosas <farosas@suse.de>
Message-ID: <20231110200241.20679-2-farosas@suse.de>
Signed-off-by: Juan Quintela <quintela@redhat.com>

Update version for v8.2.0-rc2 release

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Merge tag 'misc-next-20231128' of https://github.com/philmd/qemu into staging

Misc fixes for 8.2

* buildsys: Invoke bash via 'env' (Samuel)

* doc: Fix example in s390-cpu-topology.rst (Zhao)

* HW: Fix AVR ATMega reset stack (Gihun) and VT82C686 IRQ routing (Zoltan)

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmVl7MUACgkQ4+MsLN6t
# wN4nsQ//U7/GGrMaNJF369pC0UfC0dfD39RoD9jmmrWUQB17baMvXo+BMBcELX0Q
# BtgRjIYwnywnVZlB11JL5Ql9ykSRqd7VeqnZfH//GqQO+ySF7jl6ekNT6YNjUbWu
# iF9bU3o0/LAVl/3pe9LQ4q/yOjzERA5o4JKYviHZYcWE811/5lBNgER4iPyCz6a8
# aGI3S5PGmq6a9x5266jkY2WWldDy7D1ujkuvxxc4tgnmbBjL21soJ/oRLOBjGTNl
# hCRfDTEiFZm7OxjV7oB03Nr3EGGStGdy0aPhhtFwzZxQ9yV7d2DLsbYGgwzZYkKQ
# 9v4DtGqYyvDA7LBmfxOrnzL0WXgN4xO3qekLqHDtChDzFFEYwtHvH0duPUiQv1Yu
# qHyOsfB58rKzWHeo0ACEjMWGdD1opCXCeoJlEf/saiQ5EgyBwph/z2mWYN4yak5H
# Zu3xF15BcnyavC6sVeuE+rT574dhCzOtH8Vf3WVwqfL5D5cyCjHlmPSAXXMqBkmh
# BMOD8O210n6IdzuuOQ038t3yGvIc0YysOmQgfLjRYlZa884q3wExgrufH+NYbGMj
# bFthPjLKgHm+q4k2mH65G98xwXQFT6rdHanw2iEJcPJbhhk9SNWYgaQ0r0Oi2Pfd
# zCQ22F1j9UqGcqKh+8tzAfjayRyQUJtgizPXEWanADkpIDYxrRk=
# =323/
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 28 Nov 2023 08:36:05 EST
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* tag 'misc-next-20231128' of https://github.com/philmd/qemu:
  docs/s390: Fix wrong command example in s390-cpu-topology.rst
  hw/avr/atmega: Fix wrong initial value of stack pointer
  hw/audio/via-ac97: Route interrupts using via_isa_set_irq()
  hw/isa/vt82c686: Route PIRQ inputs using via_isa_set_irq()
  hw/usb/vt82c686-uhci-pci: Use ISA instead of PCI interrupts
  hw/isa/vt82c686: Bring back via_isa_set_irq()
  target/hexagon/idef-parser/prepare: use env to invoke bash

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Merge tag 'pull-target-arm-20231127' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
 * Set IL bit for pauth, SVE access, BTI trap syndromes
 * Handle overflow in calculation of next timer tick
 * hw/net/can/xlnx-zynqmp: Avoid underflow when popping FIFOs
 * Various devices: Free array property memory on device finalize
 * hw/ssi/xilinx_spips: fix an out of bound access
 * hw/misc, hw/ssi: Fix some URLs for AMD / Xilinx models
 * hw/dma/xlnx_csu_dma: don't throw guest errors when stopping the SRC DMA

# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmVkzLAZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3o79D/0Yh7Q7N4+fc4xdBK5hb1GN
# 31rBWZ3z0XzBzXrN80g6ig5i+CvTq7+120yx4Kl5bdyAMGdXpryTeNSoa4ewmNtC
# +c6pqV8IUIHA3axepuHtwjs4wRzWoFz13gy+X/1spfhcrtFpWyRt0f3cc1fElhzX
# 2K/4H9TD2d5yZBvaKLoJ6GzdK2wtWfucvWQDOUigRF7rvSST3awZ6gkumm+/6EM5
# vbIVOqi+0JcnWKJj0i4S1vRUPg0+CuaZN8glXcGkq2BaMfOohpjFGTMY0KsAK1Cv
# Ow1guxxy2mcLixQ8pX7ii5WHVDCuPqTVcwHUQJqN5Ln6CFEre38jM1ZwgHpWhb8G
# CoVOu2B96QwPoICD7QomaKCJYHkAczC4KETsTz/Mc+zcU6+cQiv0swc2sDhwBlmT
# weHQAmZg5dPRl3DQ/8F3llhdYyvOGnUpaaBauJiuH2I5n/qhqbvcgu9G7pGwd2gm
# lk8LuzjbVEtBu2jFlPCMpvuSuJJciR/3/QdHMGlN6L0ooY6dFL9puW51wFKSh+Kx
# JqetuUJXVWLTiL9ekLnNPQkuQQwP3WQsIvQO8tjEiuojw1utk/50JPmXg/xHEahx
# rN8aiLstR4olh1i+CrIee3QR6IwhqZmvEVHROIw0ExJ1L04FCCtPlvJ/G2gD1ta2
# oLvqWLlc752+nND72lIJZg==
# =X700
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 27 Nov 2023 12:06:56 EST
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full]
# gpg:                 aka "Peter Maydell <peter@archaic.org.uk>" [unknown]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20231127' of https://git.linaro.org/people/pmaydell/qemu-arm:
  hw/dma/xlnx_csu_dma: don't throw guest errors when stopping the SRC DMA
  hw/misc, hw/ssi: Fix some URLs for AMD / Xilinx models
  hw/ssi/xilinx_spips: fix an out of bound access
  hw/input/stellaris_gamepad: Free StellarisGamepad::keycodes[] array
  hw/nvram/xlnx-efuse-ctrl: Free XlnxVersalEFuseCtrl[] "pg0-lock" array
  hw/nvram/xlnx-efuse: Free XlnxEFuse::ro_bits[] array on finalize()
  hw/misc/mps2-scc: Free MPS2SCC::oscclk[] array on finalize()
  hw/virtio: Free VirtIOIOMMUPCI::vdev.reserved_regions[] on finalize()
  hw/virtio: Add VirtioPCIDeviceTypeInfo::instance_finalize field
  hw/net/can/xlnx-zynqmp: Avoid underflow while popping RX FIFO
  hw/net/can/xlnx-zynqmp: Avoid underflow while popping TX FIFOs
  target/arm: Handle overflow in calculation of next timer tick
  target/arm: Set IL bit for pauth, SVE access, BTI trap syndromes

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Merge tag 'for-upstream' of https://repo.or.cz/qemu/kevin into staging

Block layer patches

- ide/via: Fix BAR4 value in legacy mode
- export/vhost-user-blk: Fix consecutive drains
- vmdk: Don't corrupt desc file in vmdk_write_cid
- iotests: fix default machine type detection

# -----BEGIN PGP SIGNATURE-----
#
# iQJFBAABCAAvFiEE3D3rFZqa+V09dFb+fwmycsiPL9YFAmVl9GARHGt3b2xmQHJl
# ZGhhdC5jb20ACgkQfwmycsiPL9Y9KRAAx3ryUIdaVZX5RZbVC4ZmkgGIpSv+8dS+
# e98H+accyyVTVXlMNYWy0s7tP6sxhhlmGqfGLx/hDynvjJRxyS8VSOXXNIqYcHqN
# wGXcgLEgb+qxu7+Y8g3UhMeSmDyRhanOE/MxhMqGOKd/5nxfY1XdD7nkRwCsPAAi
# Tud/Jd7t0CSV0wUDfvMtBsQZCBSQyoSu3S3TjZ8I2CPjBaoYojj3XM+LKrlJu+B5
# zwgB5IURac1dOfsjYsX0M0zXxr6pTVNtkdNNwFoiNP+omoRjCXV3W9iTtyU+/zc3
# cnVzQQRE6XufQ/Q7IWHNE3/U5LvM3m+sjB+YryrMTRVItjpGUCgYGsrgodjZp7aj
# 4hmwxyZ8PN3+o96d5RWqhRXnY9fy5hzJZOhUMQV6lV/Z14wt8YYsJoqgi4wryoYf
# 7VdyZP2Szt2Sgl4+n0uSfPBoR+qMEwni1AxO8iK9OZbpewv7aBO3In4tOAvP/eB8
# VAoCZOfrILSXaR5aorlAPr6IOXanPvgOotmzNs0NaaqYnpfYr6KAH9FjyAm3DZqp
# b+/Ep+hrekq9XqnZGMblQsjlTFAc9mRWtqsHUrftl9FhRvSah4R+TyKov8lD23VZ
# bvw1etcc0p55Ws4RkUkGn8G5kRyhec3nkHdr4MODCR0s0uo0cBaITnoV0Ra9p7of
# K78WSodwZKQ=
# =ktlF
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 28 Nov 2023 09:08:32 EST
# gpg:                using RSA key DC3DEB159A9AF95D3D7456FE7F09B272C88F2FD6
# gpg:                issuer "kwolf@redhat.com"
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" [full]
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6

* tag 'for-upstream' of https://repo.or.cz/qemu/kevin:
  ide/via: Fix BAR4 value in legacy mode
  export/vhost-user-blk: Fix consecutive drains
  vmdk: Don't corrupt desc file in vmdk_write_cid
  iotests: fix default machine type detection

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

ide/via: Fix BAR4 value in legacy mode

Return default value in legacy mode for BAR4 when unset. This can't be
set in reset method because BARs are cleared on reset so we return it
instead when BARs are read in legacy mode. This fixes UDMA on amigaone
with AmigaOS.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <20231125140135.AF6A075A4C3@zero.eik.bme.hu>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

export/vhost-user-blk: Fix consecutive drains

The vhost-user-blk export implement AioContext switches in its drain
implementation. This means that on drain_begin, it detaches the server
from its AioContext and on drain_end, attaches it again and schedules
the server->co_trip coroutine in the updated AioContext.

However, nothing guarantees that server->co_trip is even safe to be
scheduled. Not only is it unclear that the coroutine is actually in a
state where it can be reentered externally without causing problems, but
with two consecutive drains, it is possible that the scheduled coroutine
didn't have a chance yet to run and trying to schedule an already
scheduled coroutine a second time crashes with an assertion failure.

Following the model of NBD, this commit makes the vhost-user-blk export
shut down server->co_trip during drain so that resuming the export means
creating and scheduling a new coroutine, which is always safe.

There is one exception: If the drain call didn't poll (for example, this
happens in the context of bdrv_graph_wrlock()), then the coroutine
didn't have a chance to shut down. However, in this case the AioContext
can't have changed; changing the AioContext always involves a polling
drain. So in this case we can simply assert that the AioContext is
unchanged and just leave the coroutine running or wake it up if it has
yielded to wait for the AioContext to be attached again.

Fixes: e1054cd4aad03a493a5d1cded7508f7c348205bf
Fixes: https://issues.redhat.com/browse/RHEL-1708
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20231127115755.22846-1-kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

vmdk: Don't corrupt desc file in vmdk_write_cid

If the text description file is larger than DESC_SIZE, we force the last
byte in the buffer to be 0 and write it out.

This results in a corruption.

Try to allocate a big buffer in this case.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1923

Signed-off-by: Fam Zheng <fam@euphon.net>
Message-ID: <20231124115654.3239137-1-fam@euphon.net>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

iotests: fix default machine type detection

The machine type is being detected based on "-M help" output, and we're
searching for the line ending with " (default)".  However, in downstream
one of the machine types s marked as deprecated might become the
default, in which case this logic breaks as the line would now end with
" (default) (deprecated)".  To fix potential issues here, let's relax
that requirement and detect the mere presence of " (default)" line
instead.

Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Message-ID: <20231122121538.32903-1-andrey.drobyshev@virtuozzo.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>

Merge tag 'firmware/seabios-20231128-pull-request' of https://gitlab.com/kraxel/qemu into staging

seabios: update to 1.16.3 release

This adds one bugfix compared to the snapshot
merged during the 8.2 devel cycle.

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCgAdFiEEoDKM/7k6F6eZAf59TLbY7tPocTgFAmVloe0ACgkQTLbY7tPo
# cThCmA/9HciX9GJdVKhphS9hxA8ZtqmvB5SCZPEW0wBqpe2/nr6Jb2X7h3oL9h+i
# +pzdv0ZygO+Xxzt1thADO1ZFcF4C5l2j4wOrqrvNoTqtgmBgZBAnw/YkjdK+phjU
# ETaCgl0TsxHqe9XGpVjgTSB4VGgKmj+80DI2xCBUJPyAvOg9fgcvwpRojX8V+vVS
# DG3QM1g2lGlIHMLcYZBM95VNIyPdPED+tCagcw765s0EBT7/Di8yplQqYuosw3Cl
# pOKD7cgtDv/Ca0GeNMJlttM1ZrdPutDnapHeUlDax1Tf5c2FBWnBIe2nTyDHHIjC
# sMQ1DxRT6tI94L/jp+gYfsO02ILRcOZ2+rfUt/wy1fsPqPrIlD1r3HdBdSkdBLRE
# XLw6+5bijPKvyhkHM8fb2qt56ap2JLJ6EgkOHHekpGznEAkYB+sjeTlxiOzNxaDX
# C14SdiYgLmpfobxoNvvwRz4L0TTc4mSVIYhSxrGL0Qs1jucUK0+PpoGcacBXcAg8
# ScNwE3V+nUzjh9fGjqaCB6qcAuv4wijvnQAKmDatAkUeYcGMR9PKHHM1AL/JBchC
# DEQRa0VaNCkmy1Gcd1Hs5Wf98fqWot7O2j5zbzMm8lN+w6muPA4j7yguqRHZYcnA
# Xoor6vDxE9Zt67CLBhuN6Qgv8Ewy4DsJF+w9nVQXVI80Jk973gI=
# =ZbmR
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 28 Nov 2023 03:16:45 EST
# gpg:                using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* tag 'firmware/seabios-20231128-pull-request' of https://gitlab.com/kraxel/qemu:
  seabios: update binaries to 1.16.3 release
  seabios: update submodule to 1.16.3 release

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

docs/s390: Fix wrong command example in s390-cpu-topology.rst

From s390_possible_cpu_arch_ids() in hw/s390x/s390-virtio-ccw.c, the
"core-id" is the index of possible_cpus->cpus[], so it should only be
less than possible_cpus->len, which is equal to ms->smp.max_cpus.

Fix the wrong "core-id" 112, because it isn't less than maxcpus (36) in
-smp, and the valid core ids are 0-35 inclusive.

Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Nina Schoetterl-Glausch <nsg@linux.ibm.com>
Message-ID: <20231127134917.568552-1-zhao1.liu@linux.intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

hw/avr/atmega: Fix wrong initial value of stack pointer

The current implementation initializes the stack pointer of AVR devices
to 0. Although older AVR devices used to be like that, newer ones set
it to RAMEND.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1525
Signed-off-by: Gihun Nam <gihun.nam@outlook.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <PH0P222MB0010877445B594724D40C924DEBDA@PH0P222MB0010.NAMP222.PROD.OUTLOOK.COM>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

hw/audio/via-ac97: Route interrupts using via_isa_set_irq()

This device is a function of VIA south bridge and should allow setting
interrupt routing within that chip. This is implemented in
via_isa_set_irq().

Fixes: eb604411a78b82c468e2b8d81a9401eb8b9c7658
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <5329840e4be6dd8ae143d07cbfe61d8d2d106654.1701035944.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

hw/isa/vt82c686: Route PIRQ inputs using via_isa_set_irq()

The chip has 4 pins (called PIRQA-D in VT82C686B and PINTA-D in
VT8231) that are meant to be connected to PCI IRQ lines and allow
routing PCI interrupts to the ISA PIC. Route these in
via_isa_set_irq() to make it possible to share them with internal
functions that can also be routed to the same ISA IRQs.

Fixes: 2fdadd02e675caca4aba4ae26317701fe2c4c901
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <8c4513d8b78fac40e6d4e65a0a4b3a7f2f278a4b.1701035944.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

hw/usb/vt82c686-uhci-pci: Use ISA instead of PCI interrupts

This device is part of a superio/ISA bridge chip and IRQs from it are
routed to an ISA interrupt. Use via_isa_set_irq() function to implement
this in a vt82c686-uhci-pci specific irq handler.

This reverts commit 422a6e8075752bc5342afd3eace23a4990dd7d98.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <ed5cdeaba7cf01eebdaa35f84c63427f4d8876b1.1701035944.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

hw/isa/vt82c686: Bring back via_isa_set_irq()

The VIA integrated south bridge chips combine several functions and
allow routing their interrupts to any of the ISA IRQs also allowing
multiple sources to share the same ISA IRQ. E.g. pegasos2 firmware
configures everything to use IRQ 9 but amigaone routes them to
separate ISA IRQs so the current simplified routing does not work.
Bring back via_isa_set_irq() and change it to take the component that
wants to change an IRQ and keep track of interrupt status of each
source separately and do the mapping to ISA IRQ within the ISA bridge.

This may not handle cases when an ISA IRQ is controlled by devices
directly, not going through via_isa_set_irq() such as serial, parallel
or keyboard but these IRQs being conventionally fixed are not likely
to be change by guests or share with other devices so this does not
cause a problem in practice.

This reverts commit 4e5a20b6da9b1f6d2e9621ed7eb8b239560104ae.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <1c3902d4166234bef0a476026441eaac3dd6cda5.1701035944.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

target/hexagon/idef-parser/prepare: use env to invoke bash

This file is the only one involved in the compilation process which
still uses the /bin/bash path.

Signed-off-by: Samuel Tardieu <sam@rfc1149.net>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Message-ID: <20231123211506.636533-1-sam@rfc1149.net>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

string-output-visitor: Support lists for non-integer types

With the introduction of list-based array properties in qdev, the string
output visitor has to deal with lists of non-integer elements now ('info
qtree' prints all properties with the string output visitor).

Currently there is no explicit support for such lists, and the resulting
output is only the last element because string_output_set() always
replaces the output with the latest value. Instead of replacing the old
value, append comma separated values in list context.

The difference can be observed in 'info qtree' with a 'rocker' device
that has a 'ports' list with more than one element.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Tested-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20231121173416.346610-3-kwolf@redhat.com>

qdev: Fix crash in array property getter

Passing an uninitialised list to visit_start_list() happens to work for
the QObject output visitor because it treats the pointer as an opaque
value and never dereferences it, but the string output visitor expects a
valid list to check if it has more than one element.

The existing code crashes with the string output visitor if the
uninitialised value is non-NULL. Passing an explicit NULL would fix the
crash, but still result in wrong output.

Rework get_prop_array() so that it conforms to the expectations that the
string output visitor has. This includes building a real list first and
using visit_next_list() to iterate it.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1993
Reported-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Tested-by: Dan Hoffman <dhoff749@gmail.com>
Tested-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20231121173416.346610-2-kwolf@redhat.com>

seabios: update binaries to 1.16.3 release

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

seabios: update submodule to 1.16.3 release

git shortlog 1e1da7a96300..rel-1.16.3
-------------------------------------

Gerd Hoffmann (1):
      limit address space used for pci devices.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

hw/dma/xlnx_csu_dma: don't throw guest errors when stopping the SRC DMA

UG1087 states for the source channel that: if SIZE is programmed to 0, and the
DMA is started, the interrupts DONE and MEM_DONE will be asserted.

This implies that it is allowed for the guest to stop the source DMA by writing
a size of 0 to the SIZE register, so remove the LOG_GUEST_ERROR in that case.

While at it remove the comment marking the SIZE register as write-only.

See: https://docs.xilinx.com/r/en-US/ug1087-zynq-ultrascale-registers/CSUDMA_SRC_SIZE-CSUDMA-Register

Signed-off-by: Frederic Konrad <fkonrad@amd.com>
Reviewed-by: Francisco Iglesias <francisco.iglesias@amd.com>
Message-id: 20231124143505.1493184-4-fkonrad@amd.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/misc, hw/ssi: Fix some URLs for AMD / Xilinx models

It seems that the url changed a bit, and it triggers an error.  Fix the URLs so
the documentation can be reached again.

Signed-off-by: Frederic Konrad <fkonrad@amd.com>
Reviewed-by: Francisco Iglesias <francisco.iglesias@amd.com>
Message-id: 20231124143505.1493184-3-fkonrad@amd.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/ssi/xilinx_spips: fix an out of bound access

The spips, qspips, and zynqmp-qspips share the same realize function
(xilinx_spips_realize) and initialize their io memory region with different
mmio_ops passed through the class.  The size of the memory region is set to
the largest area (0x200 bytes for zynqmp-qspips) thus it is possible to write
out of s->regs[addr] in xilinx_spips_write for spips and qspips.

This fixes that wrong behavior.

Reviewed-by: Luc Michel <luc.michel@amd.com>
Signed-off-by: Frederic Konrad <fkonrad@amd.com>
Reviewed-by: Francisco Iglesias <francisco.iglesias@amd.com>
Message-id: 20231124143505.1493184-2-fkonrad@amd.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/input/stellaris_gamepad: Free StellarisGamepad::keycodes[] array

Commit 0be6bfac62 ("qdev: Implement variable length array properties")
added the DEFINE_PROP_ARRAY() macro with the following comment:

  * It is the responsibility of the device deinit code to free the
  * @_arrayfield memory.

Commit a75f336b97 added:

  DEFINE_PROP_ARRAY("keycodes", StellarisGamepad, num_buttons,
                    keycodes, qdev_prop_uint32, uint32_t),

but forgot to free the 'keycodes' array. Do it in the instance_finalize
handler.

Fixes: a75f336b97 ("hw/input/stellaris_input: Convert to qdev")
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20231121174051.63038-7-philmd@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/nvram/xlnx-efuse-ctrl: Free XlnxVersalEFuseCtrl[] "pg0-lock" array

Commit 0be6bfac62 ("qdev: Implement variable length array properties")
added the DEFINE_PROP_ARRAY() macro with the following comment:

  * It is the responsibility of the device deinit code to free the
  * @_arrayfield memory.

Commit 9e4aa1fafe added:

  DEFINE_PROP_ARRAY("pg0-lock",
                    XlnxVersalEFuseCtrl, extra_pg0_lock_n16,
                    extra_pg0_lock_spec, qdev_prop_uint16, uint16_t),

but forgot to free the 'extra_pg0_lock_spec' array. Do it in the
instance_finalize() handler.

Cc: qemu-stable@nongnu.org
Fixes: 9e4aa1fafe ("hw/nvram: Xilinx Versal eFuse device") # v6.2.0+
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20231121174051.63038-6-philmd@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/nvram/xlnx-efuse: Free XlnxEFuse::ro_bits[] array on finalize()

Commit 0be6bfac62 ("qdev: Implement variable length array properties")
added the DEFINE_PROP_ARRAY() macro with the following comment:

  * It is the responsibility of the device deinit code to free the
  * @_arrayfield memory.

Commit 68fbcc344e added:

  DEFINE_PROP_ARRAY("read-only", XlnxEFuse, ro_bits_cnt, ro_bits,
                    qdev_prop_uint32, uint32_t),

but forgot to free the 'ro_bits' array. Do it in the instance_finalize
handler.

Cc: qemu-stable@nongnu.org
Fixes: 68fbcc344e ("hw/nvram: Introduce Xilinx eFuse QOM") # v6.2.0+
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20231121174051.63038-5-philmd@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/misc/mps2-scc: Free MPS2SCC::oscclk[] array on finalize()

Commit 0be6bfac62 ("qdev: Implement variable length array properties")
added the DEFINE_PROP_ARRAY() macro with the following comment:

  * It is the responsibility of the device deinit code to free the
  * @_arrayfield memory.

Commit 4fb013afcc added:

  DEFINE_PROP_ARRAY("oscclk", MPS2SCC, num_oscclk, oscclk_reset,
                    qdev_prop_uint32, uint32_t),

but forgot to free the 'oscclk_reset' array. Do it in the
instance_finalize() handler.

Cc: qemu-stable@nongnu.org
Fixes: 4fb013afcc ("hw/misc/mps2-scc: Support configurable number of OSCCLK values") # v6.0.0+
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20231121174051.63038-4-philmd@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/virtio: Free VirtIOIOMMUPCI::vdev.reserved_regions[] on finalize()

Commit 0be6bfac62 ("qdev: Implement variable length array properties")
added the DEFINE_PROP_ARRAY() macro with the following comment:

  * It is the responsibility of the device deinit code to free the
  * @_arrayfield memory.

Commit 8077b8e549 added:

  DEFINE_PROP_ARRAY("reserved-regions", VirtIOIOMMUPCI,
                    vdev.nb_reserved_regions, vdev.reserved_regions,
                    qdev_prop_reserved_region, ReservedRegion),

but forgot to free the 'vdev.reserved_regions' array. Do it in the
instance_finalize() handler.

Cc: qemu-stable@nongnu.org
Fixes: 8077b8e549 ("virtio-iommu-pci: Add array of Interval properties") # v5.1.0+
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20231121174051.63038-3-philmd@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/virtio: Add VirtioPCIDeviceTypeInfo::instance_finalize field

The VirtioPCIDeviceTypeInfo structure, added in commit a4ee4c8baa
("virtio: Helper for registering virtio device types") got extended
in commit 8ea90ee690 ("virtio: add class_size") with the @class_size
field. Do similarly with the @instance_finalize field.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20231121174051.63038-2-philmd@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/net/can/xlnx-zynqmp: Avoid underflow while popping RX FIFO

Per https://docs.xilinx.com/r/en-US/ug1085-zynq-ultrascale-trm/Message-Format

  Message Format

  The same message format is used for RXFIFO, TXFIFO, and TXHPB.
  Each message includes four words (16 bytes). Software must read
  and write all four words regardless of the actual number of data
  bytes and valid fields in the message.

There is no mention in this reference manual about what the
hardware does when not all four words are read. To fix the
reported underflow behavior, I choose to fill the 4 frame data
registers when the first register (ID) is accessed, which is how
I expect hardware would do.

Reported-by: Qiang Liu <cyruscyliu@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Francisco Iglesias <francisco.iglesias@amd.com>
Reviewed-by: Vikram Garhwal <vikram.garhwal@amd.com>
Message-id: 20231124183325.95392-3-philmd@linaro.org
Fixes: 98e5d7a2b7 ("hw/net/can: Introduce Xilinx ZynqMP CAN controller")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1427
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Francisco Iglesias <francisco.iglesias@amd.com>
Reviewed-by: Vikram Garhwal <vikram.garhwal@amd.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

hw/net/can/xlnx-zynqmp: Avoid underflow while popping TX FIFOs

Per https://docs.xilinx.com/r/en-US/ug1085-zynq-ultrascale-trm/Message-Format

  Message Format

  The same message format is used for RXFIFO, TXFIFO, and TXHPB.
  Each message includes four words (16 bytes). Software must read
  and write all four words regardless of the actual number of data
  bytes and valid fields in the message.

There is no mention in this reference manual about what the
hardware does when not all four words are written. To fix the
reported underflow behavior when DATA2 register is written,
I choose to fill the data with the previous content of the
ID / DLC / DATA1 registers, which is how I expect hardware
would do.

Note there is no hardware flag raised under such condition.

Reported-by: Qiang Liu <cyruscyliu@gmail.com>
Reviewed-by: Francisco Iglesias <francisco.iglesias@amd.com>
Reviewed-by: Vikram Garhwal <vikram.garhwal@amd.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20231124183325.95392-2-philmd@linaro.org
Fixes: 98e5d7a2b7 ("hw/net/can: Introduce Xilinx ZynqMP CAN controller")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1425
Reviewed-by: Francisco Iglesias <francisco.iglesias@amd.com>
Reviewed-by: Vikram Garhwal <vikram.garhwal@amd.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

target/arm: Handle overflow in calculation of next timer tick

In commit edac4d8a168 back in 2015 when we added support for
the virtual timer offset CNTVOFF_EL2, we didn't correctly update
the timer-recalculation code that figures out when the timer
interrupt is next going to change state. We got it wrong in
two ways:
 * for the 0->1 transition, we didn't notice that gt->cval + offset
   can overflow a uint64_t
 * for the 1->0 transition, we didn't notice that the transition
   might now happen before the count rolls over, if offset > count

In the former case, we end up trying to set the next interrupt
for a time in the past, which results in QEMU hanging as the
timer fires continuously.

In the latter case, we would fail to update the interrupt
status when we are supposed to.

Fix the calculations in both cases.

The test case is Alex Bennée's from the bug report, and tests
the 0->1 transition overflow case.

Fixes: edac4d8a168 ("target-arm: Add CNTVOFF_EL2")
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/60
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20231120173506.3729884-1-peter.maydell@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

target/arm: Set IL bit for pauth, SVE access, BTI trap syndromes

The syndrome register value always has an IL field at bit 25, which
is 0 for a trap on a 16 bit instruction, and 1 for a trap on a 32
bit instruction (or for exceptions which aren't traps on a known
instruction, like PC alignment faults). This means that our
syn_*() functions should always either take an is_16bit argument to
determine whether to set the IL bit, or else unconditionally set it.

We missed setting the IL bit for the syndrome for three kinds of trap:
 * an SVE access exception
 * a pointer authentication check failure
 * a BTI (branch target identification) check failure

All of these traps are AArch64 only, and so the instruction causing
the trap is always 64 bit. This means we can unconditionally set
the IL bit in the syn_*() function.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20231120150121.3458408-1-peter.maydell@linaro.org
Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

Merge tag 'qga-pull-2023-11-25' of https://github.com/kostyanf14/qemu into staging

qga-pull-2023-11-25

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEwsLBCepDxjwUI+uE711egWG6hOcFAmViLdsACgkQ711egWG6
# hOfKIQ//fLIycqEGGLqaORaO04lSOUHU5plSHTU6ACQxILZnMas7CDgfEc2ReCor
# iyGCUBmNJ0NiSMRZIKys+0gWh/jgCW613KlOKTvGsn1WOgzXId5TOZSx4P7vfw2o
# t7gizx02KdaTnOe3VeTCxBRUrCl1skNw487lek++5L7lKD6a4rstND8T4I2fnWyB
# 4Y0gWdIyouWMA2xxkQffxD4ycvHxGeEosp//e6KPB3dk7lM4AAh5CrX/WshItXhp
# dL1oykgBDfRCFP42exOs5PrB4fIrYbP58qEzP+9QZpysqsa3OX0AJZw3Wgd1sbHJ
# 40II+dQTZFN27NTEeZGw1dg38q0bTNvj2dHvv+w3CHjB8Er2Wfm0ERmSWurQGYf5
# uYqNeHfDVg2m6gi4Nzav679NtWlYLhDBN1pok+K8U/im9UK2M9Jk5XieKvOiE8qX
# OVBNMC0ty4Utq6KXZUTjbxQcj5/x50OovN+5CP55OAJBwOCk6Er9j5t9RNuKDLY9
# tkllpjZ6d4KI6uwu1zL4znjNGZvNd7eQNagerv5GNpR5mJZqjv/3snpALUqPHjDA
# GKBAXwGUXeMCyFR4Gi5NjX5czgDaK4naGrq8GN6T47q2CwUMvowXRX3nwpw0Q38W
# BwRjaFEg6mCNy6Vlfj6gIvVF/3PqJh3Iq4rL26I9EMqri0LZW0o=
# =RETE
# -----END PGP SIGNATURE-----
# gpg: Signature made Sat 25 Nov 2023 12:24:43 EST
# gpg:                using RSA key C2C2C109EA43C63C1423EB84EF5D5E8161BA84E7
# gpg: Good signature from "Kostiantyn Kostiuk (Upstream PR sign) <kkostiuk@redhat.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: C2C2 C109 EA43 C63C 1423  EB84 EF5D 5E81 61BA 84E7

* tag 'qga-pull-2023-11-25' of https://github.com/kostyanf14/qemu:
  build-sys: fix meson project version usage

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* document what configure does with virtual environments
* bump known good meson version to v1.2.3
* upgrade macOS to 13 (Ventura) and Add manual testing of macOS 14 (Sonoma)
* use simple assertions instead of Coverity models
* miscellaneous fixes
* adjust URL to Coverity tools

# -----BEGIN PGP SIGNATURE-----
#
# iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmVgv78UHHBib256aW5p
# QHJlZGhhdC5jb20ACgkQv/vSX3jHroPTmgf/VgDEIRP0teMsz1qAPWyH3eanoF8w
# XN9gN0jYUqv1pYVdBws3qxsZFr0GCUrEhF46wbDBj5BgNYjiO6Cg7la1Ryyry7sV
# GmwgAQhaCelY7USS4tGeK2A/EpEx4M/pOKfzJhAyjm9d87bdOBoankeYjCR0XZqD
# O9CypjA9mxx6Gi28RC1OjIIPxERgazpDMmm1gntEI29qoYiKvD7uOjA3EP7zrBhz
# 6Qi1/cx5WgvhePnFAab25jQDgkFaPViZSV28UdfH/29+bUkcJhyki56+vIoLbEtK
# 18+wVQkOFl10Ibo7cmQ4JnT8q7BaqhXbO54xmT3LKzMi1I8RCOpOiFFGjg==
# =+YGq
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 24 Nov 2023 10:22:39 EST
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
  scripts: adjust url to Coverity tools
  configure: Make only once with pseudo-"in source tree" builds
  system: Use &error_abort in memory_region_init_ram_[device_]ptr()
  disas/cris: Pass buffer size to format_dec() to avoid overflow warning
  audio: Free consumed default audio devices
  .gitlab-ci.d/cirrus: Add manual testing of macOS 14 (Sonoma)
  buildsys: Bump known good meson version to v1.2.3
  docs: document what configure does with virtual environments
  tests: respect --enable/--disable-download for Avocado
  coverity: physmem: use simple assertions instead of modelling

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

build-sys: fix meson project version usage

Program wixl found: YES (/usr/bin/wixl)

../qga/meson.build:149:16: ERROR: Unknown variable "project".

Fixes: e20d68aa0b9 ("configure, meson: use command line options to configure qemu-ga")
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>

scripts: adjust url to Coverity tools

The URL to the Coverity tools download has changed; the old one points
to an obsolete version that is not supported anymore.  Adjust to point
to the correct and supported tools.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

configure: Make only once with pseudo-"in source tree" builds

Pseudo-"in source tree" build used to run make in the build directory
as many times as goals. Worse, although .NOTPARALLEL is specified,
it does not work for patterns, and run make in parallel, which can break
things.

Add a new rule "build", and let it call make. The pattern rule only
needs to specify "build" as its prerequisite and have a no-op recipe so
that it does more than canceling built-in implicit rules.

Fixes: dedad02720 ("configure: add support for pseudo-"in source tree" builds")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-ID: <20231119101604.47325-1-akihiko.odaki@daynix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

system: Use &error_abort in memory_region_init_ram_[device_]ptr()

If an unexpected error condition happens, we have to abort
(&fatal_error is meant for expected errors).

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Suggested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20231120133112.82447-1-philmd@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

disas/cris: Pass buffer size to format_dec() to avoid overflow warning

Propagate the buffer size to format_dec() and use snprintf().

This should silence this UBSan -Wformat-overflow warning:

  In file included from /usr/include/stdio.h:906,
                   from include/qemu/osdep.h:114,
                   from ../disas/cris.c:21:
  In function 'sprintf',
      inlined from 'format_dec' at ../disas/cris.c:1737:3,
      inlined from 'print_with_operands' at ../disas/cris.c:2477:12,
      inlined from 'print_insn_cris_generic.constprop' at ../disas/cris.c:2690:8:
  /usr/include/bits/stdio2.h:30:10: warning: null destination pointer [-Wformat-overflow=]
   30 |   return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   31 |                                   __glibc_objsize (__s), __fmt,
      |                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   32 |                                   __va_arg_pack ());
      |                                   ~~~~~~~~~~~~~~~~~

Reported-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20231120132222.82138-1-philmd@linaro.org>
[Rewritten to fix logic and avoid repeated expression. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

audio: Free consumed default audio devices

Failed default audio devices were removed from the list but not freed,
and that made LeakSanitizer sad. Free default audio devices as they are
consumed.

Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20231120112804.9736-1-akihiko.odaki@daynix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

.gitlab-ci.d/cirrus: Add manual testing of macOS 14 (Sonoma)

Upgrade libvirt-ci so it covers macOS 14. Add a manual entry
(QEMU_JOB_OPTIONAL: 1) to test on Sonoma release. Refresh the
lci-tool generated files.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20231109160504.93677-3-philmd@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

buildsys: Bump known good meson version to v1.2.3

We need meson v1.2.3 to build QEMU on macOS Sonoma.  It
also builds fine all our CI jobs (as tested by also bumping
"accepted" in pythondeps.toml), so let's use it as our
"good enough" packaged wheel.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1939
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20231109160504.93677-2-philmd@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

docs: document what configure does with virtual environments

Given the recent confusion around how QEMU detects the system
Meson installation, and/or decides to install its own, it is
time to fill in the "Python virtual environments and the QEMU
build system" section of the documentation.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Merge tag 'pull-for-8.2-fixes-231123-1' of https://gitlab.com/stsquad/qemu into staging

various random fixes for 8.2

  - replace fedora-i386 cross compiler with debian
  - update cirrus MacOS image to Ventura
  - merge debian-native and debian-amd64 docker images
  - fix compile of plugins on Windows mingw cross
  - add some doc notes on semihosting READC
  - add some doc notes on gdbstub
  - skip loading debug symbols if we have failed
  - enable arm-softmmu TCG tests
  - don't attempt to use native cross builds for linux-user
  - clean up registers gdb test case (ppc64/s390x)

# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCgAdFiEEZoWumedRZ7yvyN81+9DbCVqeKkQFAmVfXowACgkQ+9DbCVqe
# KkQY6Af5AVjPG2aHmixvhTjxEx5dXAH3cGYsWbny3EByT2RijaTBBK/A4OB7RTVV
# fr11kGpCkJDk4JPoUz4yTuw6Q+7WBmB0tJJ5wcGyC9cyCjI/PttSTJUC7hiikifw
# dg1IVrJZX0ahOpUiDXAtDbeHK1/i95mDRtot40mnyv5HHYHlJKohKsUVtiQEWMeq
# 0/X/M5Zq8oJ6wCkbw1nsCqkWpZa7eh4YcB9cGNf87dd0ZJ9M93CbjdSQlsugF2gB
# pH+5ZGOj+L/zkbEKoaWJNwYzF4G6hJeLpqP2rLMqRfA5MM43wdd0dJ6gK0ylKeuR
# Bo7jC1oEOcuLibZY40OhlOwLTMWiDg==
# =ME/l
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 23 Nov 2023 09:15:40 EST
# gpg:                using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8  DF35 FBD0 DB09 5A9E 2A44

* tag 'pull-for-8.2-fixes-231123-1' of https://gitlab.com/stsquad/qemu:
  tests/tcg: finesse the registers check for "hidden" regs
  configure: don't try a "native" cross for linux-user
  tests/tcg: enable semiconsole test for Arm
  tests/tcg: enable arm softmmu tests
  testing: move arm system tests into their own folder
  hw/core: skip loading debug on all failures
  docs/system: clarify limits of using gdbstub in system emulation
  docs/emulation: expand warning about semihosting
  tests/tcg: fixup Aarch64 semiconsole test
  target/nios2: Deprecate the Nios II architecture
  plugins: fix win plugin tests on cross compile
  tests/docker: merge debian-native with debian-amd64
  .gitlab-ci.d/cirrus: Upgrade macOS to 13 (Ventura)
  tests/docker: replace fedora-i386 with debian-i686

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

tests: respect --enable/--disable-download for Avocado

Pass the content of $mkvenv_flags (which is either "--online"
or empty) down to tests/Makefile.include.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

coverity: physmem: use simple assertions instead of modelling

Unfortunately Coverity doesn't follow the logic aroung "len" and "l"
variables in stacks finishing with flatview_{read,write}_continue() and
generate a lot of OVERRUN false-positives. When small buffer (2 or 4
bytes) is passed to mem read/write path, Coverity assumes the worst
case of sz=8 in stn_he_p()/ldn_he_p() (defined in
include/qemu/bswap.h), and reports buffer overrun.

To silence these false-positives we have model functions, which hide
real logic from Coverity.

However, it turned out that these new two assertions are enough to
quiet Coverity.

Assertions are better than hiding the logic, so let's drop the
modelling and move to assertions for memory r/w call stacks.

After patch, the sequence

 cov-make-library --output-file /tmp/master.xmldb \
    scripts/coverity-scan/model.c
 cov-build --dir ~/covtmp/master make -j9
 cov-analyze --user-model-file /tmp/master.xmldb \
    --dir ~/covtmp/master --all --strip-path "$(pwd)
 cov-format-errors --dir ~/covtmp/master \
    --html-output ~/covtmp/master_html_report

Generate for me the same big set of CIDs excepept for 6 disappeared (so
it becomes even better).

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Acked-by: David Hildenbrand <david@redhat.com>
Message-ID: <20231005140326.332830-1-vsementsov@yandex-team.ru>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

tests/tcg: finesse the registers check for "hidden" regs

The reason the ppc64 and s390x test where failing was because gdb
hides them although they are still accessible via regnum. We can
re-arrange the test a little bit and include these two arches in our
test.

We also need to be a bit more careful handling remote-registers as the
format isn't easily parsed with pure white space separation. Once we
fold types like "long long" and "long double" into a single word we
can now assert all registers are either listed or elided.

Cc: Ilya Leoshkevich <iii@linux.ibm.com>
Cc: <qemu-s390x@nongnu.org>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Daniel Henrique Barboza <danielhb413@gmail.com>
Cc: <qemu-ppc@nongnu.org>
Cc: Luis Machado <luis.machado@arm.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20231121153606.542101-1-alex.bennee@linaro.org>

configure: don't try a "native" cross for linux-user

As 32 bit x86 become rarer we are starting to run into problems with
search paths. Although we switched to a Debian container we still
favour the native CC on a Bookworm host. As a result we have a broken
cross compile setup which then fails to build with:

    BUILD   i386-linux-user guest-tests
  In file included from /usr/include/linux/stat.h:5,
                   from /usr/include/bits/statx.h:31,
                   from /usr/include/sys/stat.h:465,
                   from /home/alex/lsrc/qemu.git/tests/tcg/multiarch/linux/linux-test.c:28:
  /usr/include/linux/types.h:5:10: fatal error: asm/types.h: No such file or directory
      5 | #include <asm/types.h>
        |          ^~~~~~~~~~~~~
  compilation terminated.
  make[1]: *** [Makefile:119: linux-test] Error 1
  make: *** [/home/alex/lsrc/qemu.git/tests/Makefile.include:50: build-tcg-tests-i386-linux-user] Error 2

This is likely to affect more and more linux-user builds so wrap the
whole check in a test for softmmu targets (aka bare metal) which don't
worry about such header niceties. This allows us to keep using the
host compiler for softmmu tests and the roms.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20231120150833.2552739-14-alex.bennee@linaro.org>