linux-user: Print tid not pid with strace

This aligns with strace, and is very useful when tracing multi-threaded
programs. The result is the same in single-threaded programs.

Signed-off-by: J. Neuschäfer <j.neuschaefer@gmx.net>
Message-Id: 20241024-strace-v1-1-56c4161431cd@gmx.net
[rth: Use TaskState.ts_tid via get_task_state()]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Update version for v9.2.0-rc1 release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* target/i386: fix warning on macOS
* target/i386: fix coverity barfing on vmport and smp cache support
* scsi: fix off by one

# -----BEGIN PGP SIGNATURE-----
#
# iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmc9LakUHHBib256aW5p
# QHJlZGhhdC5jb20ACgkQv/vSX3jHroN1xgf9EuVeHhPtmqTdBElmbCv5wT2Fj5+i
# bWReQRHY6Q99QIte2ztBLyM9Slh5ak7QX9uMAbMLK+G9cq8gS8IqfoMeE6DAMtCK
# PnhFJphkBuxymqIUjd/miJlIUxt2+sePzqdP05UVC9jCPAi6BxuuYOqfSW6z/Ql4
# ffqox3Wwgh1b9cm2a5YzSaT5plYbY7Zw7Tba4HDS1UmLGkAOL9o99t3ctGSRKIYE
# J2Al5bw5PQUn2rPk/bhiZ0vOYpXkm26WDlbdq6iNFCcxTBRC1J6rcS7aHsV2POET
# LuKkIBXLu2Q8WrDU8ifXwjSUbrJA0wmvSaJsRQmzVm87+kODNJ5BHemiNg==
# =eJuY
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 20 Nov 2024 00:30:33 GMT
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
  scsi: fix allocation for s390x loadparm
  hw/core/machine-smp: Fix error message parameter
  hw/core/machine-smp: Initialize caches_bitmap before reading
  hvf: remove unused but set variable
  hw/i386/pc: Remove vmport value assertion

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge tag 'pull-aspeed-20241119' of https://github.com/legoater/qemu into staging

aspeed queue:

* Restructured the "Boot options" section in the aspeed documentation

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEoPZlSPBIlev+awtgUaNDx8/77KEFAmc8140ACgkQUaNDx8/7
# 7KHcNA//ZGDHZxeeATYDuvTx2o/gYsQKe2F3NFnaR9zSFTDe5yeA49e0SwOeqUN9
# /jHEL5X/6tXWiw+Od0vGbBbbKDuyZf5aMtMYLjObSaD0tAMl5m7NFcP8CjP7Wfrr
# Y/BdbbDZd3PIo8RnqALE02YGqLcjroyVtIw4mD/S1zN/nl30tV61M9fqzx9de4jo
# qMrrixDC+URqOQ2qOn8nfeHLxCirTSbI/yxoBJEyfjeRfFVdLV2P219pQBaY68mD
# zq0ioSNKgXS0Cuj4Ksy0YcXP3NRRU7mTc8G+D1hTAJg5wd27WDlrnA7Q0JvNvASJ
# LiGGrif2QqrgIGr8qJ7C2sqYAQ2gToBa+KGWE491F+Dx3mFeB+naSxhEwvRezhV6
# Qrt5aODiGhc2BICG74UJITms5W1TmwLfmc7uK8WyoKxJWidD/OZINiM4lpjBUTvV
# B5mWpDSq05h98EYnsYeSrHstWw7s8JSxA5mzG4u7pasvao8sioX8IOFvpFIt53pv
# 8D+mcBA+vSc4KbuxWvTnw/0iuBRDGw39JrFr31BvJr9kKJ++VGFmsk7RSGmlKTJ/
# o/CspDP7MM8NWH9Kp/bkJC8MW5njaP4QCtni/z8ka4ivnHg1C2TUmw9uDkoU28Z2
# e/hWp1ru51rm47UerJMeooqqtc3ACXYm1TCDKK0kFWaDVOnzD98=
# =cCyK
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 19 Nov 2024 18:23:09 GMT
# gpg:                using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1
# gpg: Good signature from "Cédric Le Goater <clg@redhat.com>" [full]
# gpg:                 aka "Cédric Le Goater <clg@kaod.org>" [full]
# Primary key fingerprint: A0F6 6548 F048 95EB FE6B  0B60 51A3 43C7 CFFB ECA1

* tag 'pull-aspeed-20241119' of https://github.com/legoater/qemu:
  docs: aspeed: Reorganize the "Boot options" section

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

scsi: fix allocation for s390x loadparm

Coverity reports a possible buffer overrun due to a non-NUL-terminated
string in scsi_property_set_loadparm().  While things are not so easy,
because qdev_prop_sanitize_s390x_loadparm is designed to operate on a
buffer that is not NUL-terminated, in this case the string *does* have
to be NUL-terminated because it is read by scsi_property_get_loadparm
and s390_build_iplb.

Reviewed-by: jrossi@linux.ibm.com
Cc: thuth@redhat.com
Fixes: 429442e52d9 ("hw: Add "loadparm" property to scsi disk devices for booting on s390x", 2024-11-18)
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

docs: aspeed: Reorganize the "Boot options" section

Add subsubsections for possible boot methods and introduce a new
section on eMMC boot support for the ast2600-evb and rainier-emmc
machines, boot partitions assumptions and limitations.

Acked-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Jan Luebbe <jlu@pengutronix.de>
Reviewed-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Cédric Le Goater <clg@redhat.com>

hw/core/machine-smp: Fix error message parameter

In the loop checking smp cache support, the error message should report
the current cache level and type.

Fix the parameter of error_setg() to ensure it reports the correct cache
level and type.

Resolves: Coverity CID 1565391
Fixes: f35c0221fef8 ("hw/core: Check smp cache topology support for machine")
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/r/20241110150901.130647-3-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

hw/core/machine-smp: Initialize caches_bitmap before reading

The caches_bitmap is defined in machine_parse_smp_cache(), but it was
not initialized.

Initialize caches_bitmap by clearing all its bits to zero.

Resolves: Coverity CID 1565389
Fixes: 4e88e7e3403d ("qapi/qom: Define cache enumeration and properties for machine")
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/r/20241110150901.130647-2-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

hvf: remove unused but set variable

fixes associated warning when building on MacOS.

Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Link: https://lore.kernel.org/r/20241023182922.1040964-1-pierrick.bouvier@linaro.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

hw/i386/pc: Remove vmport value assertion

There is no need for this assertion here, as we only use vmport value
for equality/inequality checks. This was originally prompted by the
following Coverity report:
 >>> CID 1559533:  Integer handling issues (CONSTANT_EXPRESSION_RESULT)
 >>> "pcms->vmport >= 0" is always true regardless of the values of
 >>> its operands. This occurs as the logical first operand of "&&".

Signed-off-by: Kamil Szczęk <kamil@szczek.dev>
Reported-By: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/r/ZwF9ZexNs1h-uC0MrbkgGtMtdyLinROjVSmMNVzNftjGVWgOiuzdD1dSXEtzNH7OHbBFY6GVDYVFIDBgc3lhGqCOb7kaNZolSBkVyl3rNr4=@szczek.dev
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Merge tag 'pull-target-arm-20241119' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
 * hw/timer/exynos4210_mct: fix possible int overflow
 * hw/net/rocker/rocker_of_dpa.c: Remove superfluous error check
 * hw/intc/openpic: Avoid taking address of out-of-bounds array index
 * hw/watchdog/cmsdk_apb_watchdog: Fix INTEN issues
 * arm/ptw: Honour WXN/UWXN and SIF in short-format descriptors
 * hw/intc/loongarch_extioi: Use set_bit32() and clear_bit32() to avoid UB
 * system/dma-helpers.c: Move trace events to system/trace-events
 * target/arm/hvf: Add trace.h header
 * trace: Don't include trace-root.h in control.c or control-target.c

# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmc8nrwZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3n2nEACc4N7TI2QFbuqa1k4G+C5y
# 1bpWVnkPjeqnTGUyYshtl/ByZi+IH4RDFqlCJxUYgfSvfD74+u78haXcx/ukZL/x
# zNbNu/hjP0v6nQF+upzRcQip5PIBjkbIUJSC3ga90HbsNWv8rvTjVSwQmstQ2b8J
# 9mCNA2ri+NVJ4+kBL5xRSzDqxdu/7sC/eooYfcETlVXcnvL/oMWoF//iThvkaBve
# LyySM+PS1Ni4oApx6LY9VpLzabtaCXh5R4yDMsFW0WucKZf58lm9Z1yU2wdPjuwj
# uauHBbQnJy03LazprIyVNXlaT7SI2Qr+7CV4lAco66DoBsaIP16+Kby1XILbY8qo
# JjJmuNQ8DA9c7F9bPqagZ0PLVRy9Wj0UiXKuqaTHrnnKzbgBprPCApR8bj0XPISs
# xv6qsSrd4u9joSCkrD3XEC9ddzdWMi1xN1Hfw+lkuHOvnWKJJ7O3hortuupGhpeq
# h90VBQ8Gb9S15BlLPfSmSmiO+XjRWU53CcZasQew5bFBIMEha1sPnwz01/KrSZqG
# sN/nBBuVUhT6YjRY/7k7tqT1ATigXrEZPtRgCjap7W+zIILWaO9QUb2y2LlJfofp
# febu0L++xw1JvtHnNin1vImmM5rgCMLMLx3QQ5Kq9jc5ytKnZwzJarLV4LbqIpuv
# h1QzI2SJQXsL2zfBem/0yg==
# =lqA0
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 19 Nov 2024 14:20:44 GMT
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# gpg:                 aka "Peter Maydell <peter@archaic.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20241119' of https://git.linaro.org/people/pmaydell/qemu-arm:
  trace: Don't include trace-root.h in control.c or control-target.c
  target/arm/hvf: Add trace.h header
  system/dma-helpers.c: Move trace events to system/trace-events
  hw/intc/loongarch_extioi: Use set_bit32() and clear_bit32() for s->isr
  hw/intc/arm_gicv3: Use bitops.h uint32_t bit array functions
  bitops.h: Define bit operations on 'uint32_t' arrays
  arm/ptw: Honour WXN/UWXN and SIF in short-format descriptors
  arm/ptw: Make get_S1prot accept decoded AP
  tests/qtest/cmsdk-apb-watchdog-test: Test INTEN as counter enable
  tests/qtest/cmsdk-apb-watchdog-test: Don't abort on assertion failure
  tests/qtest/cmsdk-apb-watchdog-test: Parameterize tests
  hw/watchdog/cmsdk_apb_watchdog: Fix INTEN issues
  hw/intc/openpic: Avoid taking address of out-of-bounds array index
  hw/net/rocker/rocker_of_dpa.c: Remove superfluous error check
  hw/timer/exynos4210_mct: fix possible int overflow

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

trace: Don't include trace-root.h in control.c or control-target.c

The trace-root.h file has the definitions of trace events for
the top-level trace-events file (i.e. for those events which are
used in source files in the root of the source tree). There's
no particular need for trace/control.c or trace/control-target.c
to include this.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20241108162909.4080314-4-peter.maydell@linaro.org

target/arm/hvf: Add trace.h header

The documentation for trace events says that every subdirectory which
has trace events should have a trace.h header, whose only content is
an include of the trace/trace-<subdir>.h file.

When we added the trace events in target/arm/hvf/ we forgot to create
this file and instead hvf.c directly includes
trace/trace-target_arm_hvf.h.

Create the standard trace.h file to bring this into line with the
convention.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20241108162909.4080314-3-peter.maydell@linaro.org

system/dma-helpers.c: Move trace events to system/trace-events

The dma-helpers.c file is in the system/ subdirectory, but it
defines its trace events in the root trace-events file. Move
them to the system/trace-events file where they more naturally
belong.

Fixes: 800d4deda0 ("softmmu: move more files to softmmu/")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20241108162909.4080314-2-peter.maydell@linaro.org

hw/intc/loongarch_extioi: Use set_bit32() and clear_bit32() for s->isr

In extioi_setirq() we try to operate on a bit array stored as an
array of uint32_t using the set_bit() and clear_bit() functions
by casting the pointer to 'unsigned long *'.
This has two problems:
 * the alignment of 'uint32_t' is less than that of 'unsigned long'
   so we pass an insufficiently aligned pointer, which is
   undefined behaviour
 * on big-endian hosts the 64-bit 'unsigned long' will have
   its two halves the wrong way around, and we will produce
   incorrect results

The undefined behaviour is shown by the clang undefined-behaviour
sanitizer when running the loongarch64-virt functional test:

/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/include/qemu/bitops.h:41:5: runtime error: store to misaligned address 0x555559745d9c for type 'unsigned long', which requires 8 byte alignment
0x555559745d9c: note: pointer points here
  ff ff ff ff 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
              ^
    #0 0x555556fb81c4 in set_bit /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/include/qemu/bitops.h:41:9
    #1 0x555556fb81c4 in extioi_setirq /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/clang/../../hw/intc/loongarch_extioi.c:65:9
    #2 0x555556fb6e90 in pch_pic_irq_handler /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/clang/../../hw/intc/loongarch_pch_pic.c:75:5
    #3 0x555556710265 in serial_ioport_write /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/clang/../../hw/char/serial.c

Fix these problems by using set_bit32() and clear_bit32(),
which work with bit arrays stored as an array of uint32_t.

Cc: qemu-stable@nongnu.org
Fixes: cbff2db1e92f8759 ("hw/intc: Add LoongArch extioi interrupt controller(EIOINTC)")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-id: 20241108135514.4006953-4-peter.maydell@linaro.org

hw/intc/arm_gicv3: Use bitops.h uint32_t bit array functions

Now we have official uint32_t bit array functions in bitops.h, use
them instead of the hand-rolled local versions.

We retain gic_bmp_replace_bit() because bitops doesn't provide that
specific functionality.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20241108135514.4006953-3-peter.maydell@linaro.org

bitops.h: Define bit operations on 'uint32_t' arrays

Currently bitops.h defines a set of operations that work on
arbitrary-length bit arrays.  However (largely because they
originally came from the Linux kernel) the bit array storage is an
array of 'unsigned long'.  This is OK for the kernel and even for
parts of QEMU where we don't really care about the underlying storage
format, but it is not good for devices, where we often want to expose
the storage to the guest and so need a type that is not
variably-sized between host OSes.

We already have a workaround for this in the GICv3 model:
arm_gicv3_common.h defines equivalents of the bit operations that
work on uint32_t.  It turns out that we should also be using
something similar in hw/intc/loongarch_extioi.c, which currently
casts a pointer to a uint32_t array to 'unsigned long *' in
extio_setirq(), which is both undefined behaviour and not correct on
a big-endian host.

Define equivalents of the set_bit() function family which work
with a uint32_t array.

(Cc stable because we're about to provide a bugfix to
loongarch_extioi which will depend on this commit.)

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20241108135514.4006953-2-peter.maydell@linaro.org

arm/ptw: Honour WXN/UWXN and SIF in short-format descriptors

Currently the handling of page protection in the short-format
descriptor is open-coded. This means that we forgot to update
it to handle some newer architectural features, including:
 * handling of SCTLR.{UWXN,WXN}
 * handling of SCR.SIF

Make the short-format descriptor code call the same get_S1prot()
that we already use for the LPAE descriptor format. This makes
the code simpler and means it now correctly honours the WXN/UWXN
and SIF bits.

Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Message-id: 20241118152537.45277-1-paskripkin@gmail.com
[PMM: fixed a couple of checkpatch nits, tweaked commit message]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

arm/ptw: Make get_S1prot accept decoded AP

AP in armv7 short descriptor mode has 3 bits and also domain, which
makes it incompatible with other arm schemas.

To make it possible to share get_S1prot between armv8, armv7 long
format, armv7 short format and armv6 it's easier to make caller
decode AP.

Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Message-id: 20241118152526.45185-1-paskripkin@gmail.com
[PMM: fixed checkpatch nit]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

tests/qtest/cmsdk-apb-watchdog-test: Test INTEN as counter enable

The following tests focus on making sure the counter is not running
out of reset and the proper use of INTEN as the counter enable. As
described in:

https://developer.arm.com/documentation/ddi0479/d/apb-components/apb-watchdog/programmers-model

The new tests have to target an MPS2 machine because the original
machine used by the test (stellaris) has a variation of the
cmsdk_apb_watchdog that locks INTEN when it is programmed to 1. The
stellaris machine also does not reproduce the problem of the counter
running out of cold reset due to the way the clocks are initialized.

Signed-off-by: Roque Arcudia Hernandez <roqueh@google.com>
Reviewed-by: Stephen Longfield <slongfield@google.com>
Message-id: 20241115160328.1650269-6-roqueh@google.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

tests/qtest/cmsdk-apb-watchdog-test: Don't abort on assertion failure

Currently the watchdog test has a behavior in which the first test
assertion that fails will make the test abort making it impossible to
see the result of other tests:

 # ERROR:../tests/qtest/cmsdk-apb-watchdog-test.c:87:test_watchdog:
 assertion failed ...
 Bail out!
 Aborted

Changing the behavior in order to let the test finish other tests and
report the ones that pass and fail:

 # ERROR:../tests/qtest/cmsdk-apb-watchdog-test.c:101:test_watchdog:
 assertion failed ...
 not ok 1 /arm/cmsdk-apb-watchdog/watchdog

Signed-off-by: Roque Arcudia Hernandez <roqueh@google.com>
Message-id: 20241115160328.1650269-5-roqueh@google.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

tests/qtest/cmsdk-apb-watchdog-test: Parameterize tests

Currently the CMSDK APB watchdog tests target an specialized version
of the device (luminaris using the lm3s811evb machine) that prevents
the development of tests for the more generic device documented in:

https://developer.arm.com/documentation/ddi0479/d/apb-components/apb-watchdog/programmers-model

This patch allows the execution of the watchdog tests in an MPS2
machine (when applicable) which uses the generic version of the CMSDK
APB watchdog.

Finally the rules for compiling the test have to change because it is
possible not to have CONFIG_STELLARIS (required for the lm3s811evb
machine) while still having CONFIG_CMSDK_APB_WATCHDOG and the test
will fail. Due to the addition of the MPS2 machine CONFIG_MPS2
becomes also a dependency for the test compilation.

Signed-off-by: Roque Arcudia Hernandez <roqueh@google.com>
Reviewed-by: Stephen Longfield <slongfield@google.com>
Message-id: 20241115160328.1650269-4-roqueh@google.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/watchdog/cmsdk_apb_watchdog: Fix INTEN issues

Current watchdog is free running out of reset, this combined with the
fact that current implementation also ensures the counter is running
when programing WDOGLOAD creates issues when the firmware defer the
programing of WDOGCONTROL.INTEN much later after WDOGLOAD. Arm
Programmer's Model documentation states that INTEN is also the
counter enable:

> INTEN
>
> Enable the interrupt event, WDOGINT. Set HIGH to enable the counter
> and the interrupt, or LOW to disable the counter and interrupt.
> Reloads the counter from the value in WDOGLOAD when the interrupt
> is enabled, after previously being disabled.

Source of the time of writing:

https://developer.arm.com/documentation/ddi0479/d/apb-components/apb-watchdog/programmers-model

Signed-off-by: Roque Arcudia Hernandez <roqueh@google.com>
Reviewed-by: Stephen Longfield <slongfield@google.com>
Reviewed-by: Joe Komlodi <komlodi@google.com>
Message-id: 20241115160328.1650269-3-roqueh@google.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/intc/openpic: Avoid taking address of out-of-bounds array index

The clang sanitizer complains about the code in the EOI handling
of openpic_cpu_write_internal():

UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1 ./build/clang/qemu-system-ppc -M mac99,graphics=off -display none -kernel day15/invaders.elf
../../hw/intc/openpic.c:1034:16: runtime error: index -1 out of bounds for type 'IRQSource[264]' (aka 'struct IRQSource[264]')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../hw/intc/openpic.c:1034:16 in

This is because we do
  src = &opp->src[n_IRQ];
when n_IRQ may be -1.  This is in practice harmless because if n_IRQ
is -1 then we don't do anything with the src pointer, but it is
undefined behaviour. (This has been present since this device
was first added to QEMU.)

Rearrange the code so we only do the array index when n_IRQ is not -1.

Cc: qemu-stable@nongnu.org
Fixes: e9df014c0b ("Implement embedded IRQ controller for PowerPC 6xx/740 & 75")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-id: 20241105180205.3074071-1-peter.maydell@linaro.org

hw/net/rocker/rocker_of_dpa.c: Remove superfluous error check

of_dpa_cmd_add_acl_ip() is called from a single place, and despite the
fact that it always returns ROCKER_OK, its return value is still checked
by the caller.

Change of_dpa_cmd_add_acl_ip() to return void and remove the superfluous
check from of_dpa_cmd_add_acl().

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2471
Signed-off-by: Rodrigo Dias Correa <r@drigo.nl>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Message-id: 20241114075051.404284-1-r@drigo.nl
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/timer/exynos4210_mct: fix possible int overflow

The product "icnto * s->tcntb" may overflow uint32_t.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
Message-id: 20241106083801.219578-2-frolov@swemel.ru
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge tag 'pull-9.2-rc-updates-181124-1' of https://gitlab.com/stsquad/qemu into staging

Misc fixes for 9.2

  - fix remaining gdbstub test cases to exit cleanly
  - update MAINTAINERS with qemu-rust mailing list details
  - re-factor virtio-gpu and fix coverity warnings

# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCgAdFiEEZoWumedRZ7yvyN81+9DbCVqeKkQFAmc7aQwACgkQ+9DbCVqe
# KkQufwf/XN5dcHxddhUHCLQUNA/5STiO5P10vHOGpknqwT/ZKADAbY8gQsoJovSp
# qxczZPFpHlnGkf+AV3wrj2IcFUWlvlhgTw5njsMTOSSjK0jtI2MZrNn2v+6hmelg
# y8ACB+LHkj34Ood9y5H6augCiKsMC7ad2mpXEMQgcZzpp4KlAutu8nbsYpYlAF40
# 1d2Wdtkrt++jPHQGgp0pPqAxq5WyvR3uSdidUFGfmpAqkCRs0ExosqEgj/ODzdHF
# WrvLy9ISdCjZk+5XOxfadmz1vJ31QcZ6pcmkZRXJAJR4p7EST5BTfS10IBNIipgs
# C25TuT+IH9+It0n/Sohf3NlxTnbTDw==
# =TYAI
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 18 Nov 2024 16:19:24 GMT
# gpg:                using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [full]
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8  DF35 FBD0 DB09 5A9E 2A44

* tag 'pull-9.2-rc-updates-181124-1' of https://gitlab.com/stsquad/qemu:
  hw/display: check frame buffer can hold blob
  hw/display: factor out the scanout blob to fb conversion
  MAINTAINERS: CC rust/ patches to qemu-rust list
  tests/tcg: Stop using exit() in the gdbstub testcases

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge tag 'pull-nbd-2024-11-18' of https://repo.or.cz/qemu/ericb into staging

NBD patches for 2024-11-18

- Eric Blake: Silence qemu-nbd on harmless client port probes

# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCAAdFiEEccLMIrHEYCkn0vOqp6FrSiUnQ2oFAmc7lg0ACgkQp6FrSiUn
# Q2qamgf/QJXHzF5koncXvpOC58QXthe1EQlTNqTv9lSz7GNif7UXtkv9RBMMqNEP
# 7MDY2L9LzlvMdTqXx6dndQot2YG+PSpqLFQxdjf7J3YUK5N6dQ/w4lCVI+tfVfYF
# DcYva7TBTfSWMByVdqYhnXc1nAn6liJfaaONf80y3wHObUu8T7qkMY/cb5njpjmT
# YPKyIJO7DX+ZNY5EZkFGntAxPge368nIrBsViYqst8kNWjtr8o2Rzc7fqa6sbBtw
# 47tiBDP6usBJb2kapOrpmC5zqHlbb56AbrIsTJ4Ge/iUOKrODtmCC4d7WWGSM3DC
# udaL74DOMgoMfVGjjaX9KW6Wv3/HFw==
# =DnNy
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 18 Nov 2024 19:31:25 GMT
# gpg:                using RSA key 71C2CC22B1C4602927D2F3AAA7A16B4A2527436A
# gpg: Good signature from "Eric Blake <eblake@redhat.com>" [full]
# gpg:                 aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>" [full]
# gpg:                 aka "[jpeg image of size 6874]" [full]
# Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2  F3AA A7A1 6B4A 2527 436A

* tag 'pull-nbd-2024-11-18' of https://repo.or.cz/qemu/ericb:
  nbd-server: Silence server warnings on port probes

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge tag 'pull-request-2024-11-18' of https://gitlab.com/thuth/qemu into staging

* Fixes & doc updates for the new "boot order" s390x bios feature
* Provide a "loadparm" property for scsi-hd & scsi-cd devices on s390x
  (required for the "boot order" feature)
* Fix the floating-point multiply-and-add NaN rules on s390x
* Raise timeout on cross-accel build jobs to 60m

# -----BEGIN PGP SIGNATURE-----
#
# iQJFBAABCAAvFiEEJ7iIR+7gJQEY8+q5LtnXdP5wLbUFAmc7ercRHHRodXRoQHJl
# ZGhhdC5jb20ACgkQLtnXdP5wLbVjyg//ZuhSDCj+oBSU6vwM7Lwh3CS6GwZvGECU
# h60V3tizKypiRNtTJRXHoWcx95brXmoZgI+QQhDEXe3fFLkOEKT6AIlDhrKZRUsd
# rpLPr6O8TVKO+rSE7JVJAP3X1tpOOQDxnq83uWBv53b0S+Da0VwDRtI9gcugRMmh
# d58P8Q1bV344fQdcrebejstpSUG7RxSA4Plj2uSQx4mSHT7cy/hN+vA34Ha7reE3
# tcN9yfQq3Rmfvt0MV5I9Umd6JXEoDlEAwjSNsWRsCzo69jBZwiMtXSH8LyLtwRTp
# C919G/MIRuhvImF74dStLVCr82sNq54YR1NP6CGcmqPH76FOH8Mx3vmx9Cxj9ckA
# 6NI6SvIg++bW2O1efG2apz8p5fjbDzYXSAbHnaWTcEu3gPgH4PQ5QXoyKaDymvWV
# JIh5/gXEy+twEXgIBsdWQ44A9E06lL/tNfKnqGdXK4ZYF2JIrI+Lq7AKBee7tebP
# +72I4PljHLSHQ3GxdkoOeJ8ahu70IBdSz2/VEIwOWK1wIf5C5WFNBerLJyDmkyx8
# xIvIm0vlRLwPcuOC711nlaMaKqTNT+8W4DIqIY6fHs2Jy0psMdgey1uHQxYEj9Kh
# fg7CvalK8n3MkGAwTqAvRJIwMFe0a4Ss6c6CaemSaYa38ud/pCNnv+IT+Eqr+mjq
# 6y5PZWNrZi0=
# =UaDH
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 18 Nov 2024 17:34:47 GMT
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg:                issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2024-11-18' of https://gitlab.com/thuth/qemu:
  .gitlab-ci.d: Raise timeout on cross-accel build jobs to 60m
  pc-bios: Update the s390 bios images with the recent fixes
  pc-bios/s390-ccw: Re-initialize receive queue index before each boot attempt
  pc-bios/s390x: Initialize machine loadparm before probing IPL devices
  pc-bios/s390x: Initialize cdrom type to false for each IPL device
  hw: Add "loadparm" property to scsi disk devices for booting on s390x
  hw/s390x: Restrict "loadparm" property to devices that can be used for booting
  docs/system/bootindex: Make it clear that s390x can also boot from virtio-net
  docs/system/s390x/bootdevices: Update loadparm documentation
  tests/tcg/s390x: Add the floating-point multiply-and-add test
  target/s390x: Fix the floating-point multiply-and-add NaN rules
  hw/usb: Use __attribute__((packed)) vs __packed

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

.gitlab-ci.d: Raise timeout on cross-accel build jobs to 60m

The current 30 minute timeout on the cross_accel_build_job template
is a bit low: sometimes if the k8s runners are running slow the
can hit it, for example this cross-arm64-xen-only job hit the
30 minute timeout while still not quite finished with the compile:
https://gitlab.com/qemu-project/qemu/-/jobs/8401277985

This is partly a "runner performance can be unpredictable" issue:
https://gitlab.com/qemu-project/qemu/-/jobs/8391726482
is the same job from just a day earlier and it finished in
16 minutes. But we already have build jobs that are higher
timeouts than 30 minutes, so we have headroom to raise the
timeout here to something we're less likely to hit on a slow
runner.

Bump the cross_accel_build_job timeout to 60 mins.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <20241118153226.1524542-1-peter.maydell@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

pc-bios: Update the s390 bios images with the recent fixes

Add the fixes from the previous three commits to the binary, too.

Signed-off-by: Thomas Huth <thuth@redhat.com>

pc-bios/s390-ccw: Re-initialize receive queue index before each boot attempt

Now that we can boot from multiple boot devices, we have to make sure
to reinitialize static variables like rx_last_idx to avoid that they
contain garbage data during the second boot attempt (which can lead to
crashes when the code tries to access the wrong ring data).

Message-ID: <20241111131120.317796-1-thuth@redhat.com>
Reviewed-by: Jared Rossi <jrossi@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

pc-bios/s390x: Initialize machine loadparm before probing IPL devices

Commit bb185de423 ("s390x: Add individual loadparm assignment to
CCW device") allowed boot devices to be assigned a loadparm value independent
of the machine value, however, when no boot devices are defined, the machine
loadparm becomes ignored. Therefore, let's check the machine loadparm
prior to probing the devices.

Signed-off-by: Jared Rossi <jrossi@linux.ibm.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241114161952.3508554-1-jrossi@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

pc-bios/s390x: Initialize cdrom type to false for each IPL device

Clear information about cdrom type so that current IPL device isn't tainted
by stale data from previous devices.

Signed-off-by: Jared Rossi <jrossi@linux.ibm.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241108194136.2833932-1-jrossi@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

hw: Add "loadparm" property to scsi disk devices for booting on s390x

While adding the new flexible boot order feature on s390x recently,
we missed to add the "loadparm" property to the scsi-hd and scsi-cd
devices. This property is required on s390x to pass the information
to the boot loader about which kernel should be started or whether
the boot menu should be shown. But even more serious: The missing
property is now causing trouble with the corresponding libvirt patches
that assume that the "loadparm" property is either settable for all
bootable devices (when the "boot order" feature is implemented in
QEMU), or none (meaning the behaviour of older QEMUs that only allowed
one "loadparm" at the machine level). To fix this broken situation,
let's implement the "loadparm" property in for the SCSI devices, too.

Message-ID: <20241115141202.1877294-1-thuth@redhat.com>
Acked-by: Eric Farman <farman@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

hw/display: check frame buffer can hold blob

Coverity reports (CID 1564769, 1564770) that we potentially overflow
by doing some 32x32 multiplies for something that ends up in a 64 bit
value. Fix this by first using stride for all lines and casting input
to uint64_t to ensure a 64 bit multiply is used.

Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20241111230040.68470-3-alex.bennee@linaro.org>

hw/display: factor out the scanout blob to fb conversion

There are two identical sequences of a code doing the same thing that
raise warnings with Coverity. Before fixing those issues lets factor
out the common code into a helper function we can share.

Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20241111230040.68470-2-alex.bennee@linaro.org>

MAINTAINERS: CC rust/ patches to qemu-rust list

As of Nov 2024 [1], we have a new topical mailing list for Rust
related patches. Add a new MAINTAINERS entry to touch all files under
rust/ subdirectory and additionally add it to previous rust related
entries.

[1] https://lore.kernel.org/qemu-devel/CAFEAcA-ZQuyGTtG-vhRTEwpz0L4cpimNxkKix45Yw6gVHXozRQ@mail.gmail.com

Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-Id: <20241109-update-maintainers-file-rust-v1-1-f4daba6f782f@linaro.org>
[AJB: tweak commit msg]
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>

tests/tcg: Stop using exit() in the gdbstub testcases

GDB 15 does not like exit() anymore:

    (gdb) python exit(0)
    Python Exception <class 'SystemExit'>: 0
    Error occurred in Python: 0

Use the GDB's own exit command, like it's already done in a couple
places, everywhere. This is the same fix as commit 93a3048dcf45
("tests: Gently exit from GDB when tests complete"), but applied to
more places.

Acked-by: Gustavo Romero <gustavo.romero@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20241022113939.19989-1-iii@linux.ibm.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>

nbd-server: Silence server warnings on port probes

While testing the use of qemu-nbd in a Pod of a Kubernetes cluster, I
got LOTS of log messages of the forms:

qemu-nbd: option negotiation failed: Failed to read flags: Unexpected end-of-file before all data were read
qemu-nbd: option negotiation failed: Failed to read flags: Unable to read from socket: Connection reset by peer

While it is nice to warn about clients that aren't following protocol
(in case it helps diagnosing bugs in those clients), a mere port probe
(where the client never write()s any bytes, and where we might even
hit EPIPE in trying to send our greeting to the client) is NOT
abnormal, but merely serves to pollute the log.  And Kubernetes
_really_ likes to do port probes to determine whether a given Pod is
up and running.

Easy ways to demonstrate the above port probes:
$ qemu-nbd -r -f raw path/to/file &
$ nc localhost 10809 </dev/null
$ bash -c 'exec </dev/tcp/localhost/10809'
$ kill $!

Silence the noise by not capturing errors until after our first
successful read() from a client.

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-ID: <20241115195638.1132007-2-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>

Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* target/i386: fix compilation without CONFIG_HYPERV
* configure: improve check for execution in the source directory

# -----BEGIN PGP SIGNATURE-----
#
# iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmc7NvAUHHBib256aW5p
# QHJlZGhhdC5jb20ACgkQv/vSX3jHroMOSQf/QXfSlvWBpu2OR6EIBVEDWnCUWyK8
# /88A/sWHCcWiD666NX7pKU5c7zzzC5x5e/ajzYriF2rNcwYhjX/MmsaQstfoWULM
# dxtLpvhWxNyfoEPIHYwAXB4/VPpm8LbIfby6kXdKZR3PQcA223qdx3ZmoTB1PI2a
# yVMkfW/+QEss9ZBzu+kUHk7BYWJ/o6o7jv6HZVtfxFV7xg17sJX/QgOZi2xmAXBj
# Z2w/97h1IWwzNpnOqc+vkDzWgqjHI+o9HWK2fQDKgpUE8vW8kJ5SgoQ/wd2BHBu7
# xGwVXw/Yoz4D/+yPZOewxhX7Ep1PBxtwCXpx4Gx7dc1Su1OBPnn5chND4w==
# =bsiH
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 18 Nov 2024 12:45:36 GMT
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
  configure: Use -ef to compare paths
  target/i386: hyperv: add stub for hyperv_syndbg_query_options

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge tag 'hw-misc-20241118' of https://github.com/philmd/qemu into staging

Misc HW fixes

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmc7NwwACgkQ4+MsLN6t
# wN7zBA//VTiAcjB1KYovOiHQWdhtyE7JU+ZOCzULK2aDoKCP9wZM5yZVQgKbDFX/
# +bI2yjzTfZAWknxnqdShQMxvJE3PkD25mm8D2bP22/U9agKSrX4ll9pGt1NMIHUR
# Hy01gxoLYp0r/Vs0aDWVQGSU4v62hKjTNOFn30Gqg+Xu9W4glEPSwI5GicypxpWZ
# nNAl88whHZ6qouadNCSt0JghwWplw6ZkV3LU4dAUhhhRh+vkPoA3NiCCr4cNqNjJ
# yeGc6lLGf2M9GMpX3t2XEV6lXkBTdhUtdv0inZTzH8W2dYt/SL3n/nSKdddXU+fl
# F5cfUV8vhFTxeGOTodbwjv3GHxk4BAjKXhoHCPikkCC+tdzgCoAn+ie9Q0iSp28A
# kpXt099ByFpkCQ+4fu2+XjX6deC8mxKBKrqjNNEZDqhwuOuiG5Kw8lAzueQErmcZ
# djPm6HqnMQFvs4kAp3VMWiqMgkpjJqwB7dfffJfLcXr3+2WF8Ts181/y9LqnkGqn
# rlEjy57/dzbzTdt547j8GtKCbXmYOxUgd2a3k2sKCGBsCITtIpTjz2YsrafV84iD
# gij8M1IHvt41TNhikvWNKGxJ/5ZY2cx5G/QRbRFVYdFAR14xM45Q/XYuziQgt4if
# 6/g7WibP9d8Sqb5Mlj4HLqpPghY0AZ+aaIAHVCDCVYsLpbw7Ixk=
# =zdCl
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 18 Nov 2024 12:46:04 GMT
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* tag 'hw-misc-20241118' of https://github.com/philmd/qemu:
  hw/watchdog/cmsdk_apb_watchdog: Fix broken link
  net: mark struct ip_header as QEMU_PACKED
  hw/net/virtio-net.c: Don't assume IP length field is aligned
  hw/audio/hda: fix memory leak on audio setup
  Revert "hw/audio/hda: fix memory leak on audio setup"
  hw/misc/mos6522: Fix bad class definition of the MOS6522 device
  hw/sd/sdhci: Fix coding style
  tests/qtest/migration: Fix indentations
  usb-hub: Fix handling port power control messages
  MAINTAINERS: Update my email address for COLO
  hw/display: check frame buffer can hold blob
  hw/display: factor out the scanout blob to fb conversion
  hw/i386/elfboot: allocate "header" in heap
  hw/misc/nrf51_rng: Don't use BIT_MASK() when we mean BIT()
  vl: fix qemu_validate_options() indention

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/watchdog/cmsdk_apb_watchdog: Fix broken link

The patch changes the comments to point to the latest Design Kit
Technical Reference Manual.

Signed-off-by: Roque Arcudia Hernandez <roqueh@google.com>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20241115160328.1650269-2-roqueh@google.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

net: mark struct ip_header as QEMU_PACKED

The ip_header is not actually guaranteed to be aligned. We attempt to
deal with this in some places such as net_checksum_calculate() by
using stw_be_p and so on to access the fields, but this is not
sufficient to be correct, because even accessing a byte member
within an unaligned struct is undefined behaviour. The clang
sanitizer will emit warnings like these if net_checksum_calculate()
is called:

     Stopping network: ../../net/checksum.c:106:9: runtime error: member access within misaligned address 0x556aad9b502e for type 'struct ip_header', which requires 4 byte alignment
    0x556aad9b502e: note: pointer points here
     34 56 08 00 45 00  01 48 a5 09 40 00 40 11  7c 8b 0a 00 02 0f 0a 00  02 02 00 44 00 43 01 34  19 56
                 ^
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../net/checksum.c:106:9 in
    ../../net/checksum.c:106:9: runtime error: load of misaligned address 0x556aad9b502e for type 'uint8_t' (aka 'unsigned char'), which requires 4 byte alignment
    0x556aad9b502e: note: pointer points here
     34 56 08 00 45 00  01 48 a5 09 40 00 40 11  7c 8b 0a 00 02 0f 0a 00  02 02 00 44 00 43 01 34  19 56
                 ^

Fix this by marking the ip_header struct as QEMU_PACKED, so that
the compiler knows that it might be unaligned and will generate
the right code for accessing fields.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20241114141619.806652-3-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

hw/net/virtio-net.c: Don't assume IP length field is aligned

In virtio-net.c we assume that the IP length field in the packet is
aligned, and we copy its address into a uint16_t* in the
VirtioNetRscUnit struct which we then dereference later.  This isn't
a safe assumption; it will also result in compilation failures if we
mark the ip_header struct as QEMU_PACKED because the compiler will
not let you take the address of an unaligned struct field.

Make the ip_plen field in VirtioNetRscUnit a void*, and make all the
places where we read or write through that pointer instead use some
new accessor functions read_unit_ip_len() and write_unit_ip_len()
which account for the pointer being potentially unaligned and also do
the network-byte-order conversion we were previously using htons() to
perform.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20241114141619.806652-2-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

hw/audio/hda: fix memory leak on audio setup

When SET_STREAM_FORMAT is called, the st->buft timer is overwritten, thus
causing a memory leak.  This was originally fixed in commit 816139ae6a5
("hw/audio/hda: fix memory leak on audio setup", 2024-11-14) but that
caused the audio to break in SPICE.

Fortunately, a simpler fix is possible.  The timer only needs to be
reset, because the callback is always the same (st->output is set at
realize time in hda_audio_init); call to timer_new_ns overkill.  Replace
it with timer_del and only initialize the timer once; for simplicity,
do it even if use_timer is false.

An even simpler fix would be to free the old time in hda_audio_setup().
However, it seems better to place the initialization of the timer close
to that of st->ouput.

Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-ID: <20241114125318.1707590-3-pbonzini@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

Revert "hw/audio/hda: fix memory leak on audio setup"

This reverts commit 6d03242a7e47815ed56687ecd13f683d8da3f2fe,
which causes SPICE audio to break.  While arguably this is a SPICE bug,
it is possible to fix the leak in a less heavy-handed way.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2639
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-ID: <20241114125318.1707590-2-pbonzini@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

hw/misc/mos6522: Fix bad class definition of the MOS6522 device

When compiling QEMU with --enable-cfi, the "q800" m68k machine
currently crashes very early, when the q800_machine_init() function
tries to wire the interrupts of the "via1" device.
This happens because TYPE_MOS6522_Q800_VIA1 is supposed to be a
proper SysBus device, but its parent (TYPE_MOS6522) has a mistake
in its class definition where it is only derived from DeviceClass,
and not from SysBusDeviceClass, so we end up in funny memory access
issues here. Using the right class hierarchy for the MOS6522 device
fixes the problem.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2675
Signed-off-by: Thomas Huth <thuth@redhat.com>
Fixes: 51f233ec92 ("misc: introduce new mos6522 VIA device")
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <20241114104653.963812-1-thuth@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

hw/sd/sdhci: Fix coding style

Fix coding style issues from checkpatch.pl

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Message-ID: <20241114094839.4128404-2-jamin_lin@aspeedtech.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

configure: Use -ef to compare paths

configure checks if it is executed in the source directory by comparing
the literal paths, but there may be multiple representations of a
directory due to symbolic links. Use the -ef operator to tell if they
point to the same directory.

Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Link: https://lore.kernel.org/r/20241111-p-v1-1-001006c68b7e@daynix.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: hyperv: add stub for hyperv_syndbg_query_options

Building without CONFIG_HYPERV is currently broken due to a missing
symbol 'hyperv_syndbg_query_options'.  Add it to the stubs
that exist for that very reasons.

Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

tests/qtest/migration: Fix indentations

Select all the code and hit tab. I'll be moving functions around quite
a lot in the next patches, so make sure all indentation is correct
now.

Add parentheses around some expressions to preserve readability.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Message-ID: <20241113194630.3385-2-farosas@suse.de>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

usb-hub: Fix handling port power control messages

The ClearPortFeature control message fails for PORT_POWER because there
is no break; at the end of the case statement, causing it to fall through
to the failure handler. Add the missing break; to solve the problem.

Fixes: 1cc403eb21 ("usb-hub: emulate per port power switching")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20241112170152.217664-11-linux@roeck-us.net>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

MAINTAINERS: Update my email address for COLO

Signed-off-by: Zhang Chen <chen.zhang@intel.com>
Reviewed-by: Li Zhijian <lizhijian@fujitsu.com>
Message-ID: <20241112084038.6352-1-chen.zhang@intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

hw/display: check frame buffer can hold blob

Coverity reports (CID 1564769, 1564770) that we potentially overflow
by doing some 32x32 multiplies for something that ends up in a 64 bit
value. Fix this by first using stride for all lines and casting input
to uint64_t to ensure a 64 bit multiply is used.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Message-ID: <20241111230040.68470-3-alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

hw/display: factor out the scanout blob to fb conversion

There are two identical sequences of a code doing the same thing that
raise warnings with Coverity. Before fixing those issues lets factor
out the common code into a helper function we can share.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Message-ID: <20241111230040.68470-2-alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

hw/i386/elfboot: allocate "header" in heap

In x86_load_linux(), we were using a stack-allocated array as data for
fw_cfg_add_bytes(). Since the latter just takes a reference to the
pointer instead of copying the data, it can happen that the contents
have been overridden by the time the guest attempts to access them.

Instead of using the stack-allocated array, allocate some memory from
the heap, copy the contents of the array, and use it for fw_cfg.

Signed-off-by: Sergio Lopez <slp@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20241109053748.13183-1-slp@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

hw/misc/nrf51_rng: Don't use BIT_MASK() when we mean BIT()

The BIT_MASK() macro from bitops.h provides the mask of a bit
within a particular word of a multi-word bit array; it is intended
to be used with its counterpart BIT_WORD() that gives the index
of the word in the array.

In nrf51_rng we are using it for cases where we have a bit number
that we know is the index of a bit within a single word (in fact, it
happens that all the bit numbers we pass to it are zero). This
happens to give the right answer, but the macro that actually
does the job we want here is BIT().

Use BIT() instead of BIT_MASK().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20241108135644.4007151-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

vl: fix qemu_validate_options() indention

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240905141211.1253307-2-kraxel@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

Merge tag 'pull-vfio-20241118' of https://github.com/legoater/qemu into staging

vfio queue:

* Fixed IGD support
* Fixed QEMU crash when passing through devices in SEV-SNP guests

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEoPZlSPBIlev+awtgUaNDx8/77KEFAmc680AACgkQUaNDx8/7
# 7KGiFBAAx+V9FTkl6WNqNlQvhizu7C/TY7Ern5YoEbS6aJh96b0Hx+57vuxE4LAW
# /45pNXJpcn8vXzzpxohy4gS12Gu8rBY1XxMcCMLoZSbGanp1mPsaCWr37hgadFsj
# nNRwBVj2fpNxcskcEIuzKzmnTCzbxZjDkpAuNzbBVGNM9EGOH3NFfYasRONvSXap
# u+akPFw8BpAfcxfSQea13v0NpGlgDtJedvJZp6kO6d5xc0GvelIhkz2wGqqLpfvP
# 8J3I17yaDwHXFiBzl5pGE5K/tjFRoIlM3EVV1KcDfyqXrwEyOMmDl2pmJv+1K8Sz
# tSgkedMeZCMWGM307+92IyuXlaV8s+meo4NZxxx1mxAF2jNBVDwTj8vhscG/zY6q
# QZgZRhumyeL8S5WoRIMVHCKr3pjvZat/OeBxjVXiQ8GzNZSgNNwBE9EKuu4L4b2b
# GOSGL2epwYTldh4R5GsuLOpNrSDnff9tGvpe2OICDs9KqHjeAPbHkYW0/QNzIYyf
# 2rkFKEu3hRIu0FdFFi6w0r/KE70Wc0wUV11ycxgsYMJpkY68c2u13wnfq0u4Ja4N
# eJERr+AsgQUHIb95ZRJr6CKFaEJxEMceP/986Fdw4YS2U5hOU1ln+Km6sTDcr/kt
# DvjVcBjxQyJHM3m9y7X3WosqtmX7tMo6grWP7L6qIPhb7eLYFUY=
# =JW0J
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 18 Nov 2024 07:56:48 GMT
# gpg:                using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1
# gpg: Good signature from "Cédric Le Goater <clg@redhat.com>" [full]
# gpg:                 aka "Cédric Le Goater <clg@kaod.org>" [full]
# Primary key fingerprint: A0F6 6548 F048 95EB FE6B  0B60 51A3 43C7 CFFB ECA1

* tag 'pull-vfio-20241118' of https://github.com/legoater/qemu:
  vfio/container: Fix container object destruction
  vfio/igd: fix calculation of graphics stolen memory
  vfio/igd: add pci id for Coffee Lake

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/s390x: Restrict "loadparm" property to devices that can be used for booting

Commit bb185de423 ("s390x: Add individual loadparm assignment to
CCW device") added a "loadparm" property to all CCW devices. This
was a little bit unfortunate, since this property is only useful
for devices that can be used for booting, but certainly it is not
useful for devices like virtio-gpu or virtio-tablet.

Thus let's restrict the property to CCW devices that we can boot from
(i.e. virtio-block, virtio-net and vfio-ccw devices).

Message-ID: <20241113114741.681096-1-thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Jared Rossi <jrossi@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

docs/system/bootindex: Make it clear that s390x can also boot from virtio-net

Let's make it clear that s390x can also boot from virtio-net, to avoid
that people think that s390x can only boot from disk devices.

Reported-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
Message-ID: <20241111105506.264640-1-thuth@redhat.com>
Reviewed-by: Prasad Pandit <pjp@fedoraproject.org>
Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

docs/system/s390x/bootdevices: Update loadparm documentation

Update documentation to include per-device loadparm support.

Signed-off-by: Jared Rossi <jrossi@linux.ibm.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241115002742.3576842-1-jrossi@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

tests/tcg/s390x: Add the floating-point multiply-and-add test

Add a test to prevent regressions.
Share some useful pieces with the vfminmax test.
Remove the duplicates from the floating point class values.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <20241023000147.34035-3-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

target/s390x: Fix the floating-point multiply-and-add NaN rules

Order the helper arguments to match the Principles of Operation.
Implement the "Results: MULTIPLY AND ADD" table in pickNaNMulAdd().

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <20241023000147.34035-2-iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

hw/usb: Use __attribute__((packed)) vs __packed

__packed is non standard and is not present in clang-cl.
__attribute__((packed)) has the same semantics.

Signed-off-by: Erwin Jansen <jansene@google.com>
Signed-off-by: Roque Arcudia Hernandez <roqueh@google.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241101211720.3354111-1-roqueh@google.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

vfio/container: Fix container object destruction

When commit 96b7af4388b3 intoduced a .instance_finalize() handler,
it did not take into account that the container was not necessarily
inserted into the container list of the address space. Hence, if
the container object is destroyed, by calling object_unref() for
example, before vfio_address_space_insert() is called, QEMU may
crash when removing the container from the list as done in
vfio_container_instance_finalize(). This was seen with an SEV-SNP
guest for which discarding of RAM fails.

To resolve this issue, use the safe version of QLIST_REMOVE().

Cc: Zhenzhong Duan <zhenzhong.duan@intel.com>
Cc: Eric Auger <eric.auger@redhat.com>
Fixes: 96b7af4388b3 ("vfio/container: Move vfio_container_destroy() to an instance_finalize() handler")
Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>

vfio/igd: fix calculation of graphics stolen memory

When copying the calculation of the stolen memory size for Intels integrated
graphics device of gen 9 and later from the Linux kernel [1], we missed
subtracting 0xf0 from the graphics mode select value for values above 0xf0.
This leads to QEMU reporting a very large size of the graphics stolen memory
area. That's just a waste of memory. Additionally the guest firmware might be
unable to allocate such a large buffer.

[1] https://github.com/torvalds/linux/blob/7c626ce4bae1ac14f60076d00eafe71af30450ba/arch/x86/kernel/early-quirks.c#L455-L460

Signed-off-by: Corvin Köhne <c.koehne@beckhoff.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Fixes: 871922416683 ("vfio/igd: correctly calculate stolen memory size for gen 9 and later")
Reviewed-by: Alex Williamson <alex.williamson@redhat.com>
[ clg: Changed commit subject ]
Signed-off-by: Cédric Le Goater <clg@redhat.com>

vfio/igd: add pci id for Coffee Lake

I've tested and verified that Coffee Lake devices are working properly.

Signed-off-by: Corvin Köhne <c.koehne@beckhoff.com>
Reviewed-by: Alex Williamson <alex.williamson@redhat.com>

Merge tag 'pull-tcg-20241116' of https://gitlab.com/rth7680/qemu into staging

cpu: ensure we don't call start_exclusive from cpu_exec
tcg: Allow top bit of SIMD_DATA_BITS to be set in simd_desc()
accel/tcg: Fix user-only probe_access_internal plugin check
linux-user: Fix setreuid and setregid to use direct syscalls
linux-user: Tolerate CONFIG_LSM_MMAP_MIN_ADDR
linux-user: Honor elf alignment when placing images
linux-user/*: Reduce vdso alignment to 4k
linux-user/arm: Select vdso for be8 and be32 modes

# -----BEGIN PGP SIGNATURE-----
#
# iQFRBAABCgA7FiEEekgeeIaLTbaoWgXAZN846K9+IV8FAmc4z/8dHHJpY2hhcmQu
# aGVuZGVyc29uQGxpbmFyby5vcmcACgkQZN846K9+IV/vWgf5Af8105enuWEdJ9c+
# KiyTsOWQEOKXTUSlSUxPs9FEeEr2l/mccvqUhiD7ptZq7P5/40+3tB18KXc5YuiE
# 45CZGRAr/tjALGT5LidSYzm6RgljWXYlvWVShqKlQpOD2L0GP5k8a7KEKsT3SLtS
# 9l+SVvjNOE+Jv23FWSOVYq0K0e5dPKzS1gtviCg+obA56dsiSKiEwwg+a5ca6oRe
# 9SUKoRnudpUv3fiYo8yZaHPW0ADhsITAB20ncN+cI9t4li9q5AWUbPZ+ADP113+2
# pWlco1VqR4pONK2UgbSmxDtjQf1GBi7E2MBFBjBMxTaiw/jXAZcZGIK4geZYKdHT
# NJj/0Q==
# =oKCm
# -----END PGP SIGNATURE-----
# gpg: Signature made Sat 16 Nov 2024 17:01:51 GMT
# gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg:                issuer "richard.henderson@linaro.org"
# gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [full]
# Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A  05C0 64DF 38E8 AF7E 215F

* tag 'pull-tcg-20241116' of https://gitlab.com/rth7680/qemu:
  tcg: Allow top bit of SIMD_DATA_BITS to be set in simd_desc()
  linux-user/arm: Select vdso for be8 and be32 modes
  linux-user/ppc: Reduce vdso alignment to 4k
  linux-user/loongarch64: Reduce vdso alignment to 4k
  linux-user/arm: Reduce vdso alignment to 4k
  linux-user/aarch64: Reduce vdso alignment to 4k
  linux-user: Drop image_info.alignment
  linux-user: Honor elf alignment when placing images
  cpu: ensure we don't call start_exclusive from cpu_exec
  target/i386: fix hang when using slow path for ptw_setl
  tests/tcg: Test that sigreturn() does not corrupt the signal mask
  linux-user: Tolerate CONFIG_LSM_MMAP_MIN_ADDR
  accel/tcg: Fix user-only probe_access_internal plugin check
  target/arm: Drop user-only special case in sve_stN_r
  linux-user: Fix setreuid and setregid to use direct syscalls

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

tcg: Allow top bit of SIMD_DATA_BITS to be set in simd_desc()

In simd_desc() we create a SIMD descriptor from various pieces
including an arbitrary data value from the caller.  We try to
sanitize these to make sure everything will fit: the 'data' value
needs to fit in the SIMD_DATA_BITS (== 22) sized field.  However we
do that sanitizing with:
   tcg_debug_assert(data == sextract32(data, 0, SIMD_DATA_BITS));

This works for the case where the data is supposed to be considered
as a signed integer (which can then be returned via simd_data()).
However, some callers want to treat the data value as unsigned.

Specifically, for the Arm SVE operations, make_svemte_desc()
assembles a data value as a collection of fields, and it needs to use
all 22 bits.  Currently if MTE is enabled then its MTEDESC SIZEM1
field may have the most significant bit set, and then it will trip
this assertion.

Loosen the assertion so that we only check that the data value will
fit into the field in some way, either as a signed or as an unsigned
value.  This means we will fail to detect some kinds of bug in the
callers, but we won't spuriously assert for intentional use of the
data field as unsigned.

Cc: qemu-stable@nongnu.org
Fixes: db432672dc50e ("tcg: Add generic vector expanders")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2601
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <20241115172515.1229393-1-peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

linux-user/arm: Select vdso for be8 and be32 modes

In be8 mode, instructions are little-endian.
In be32 mode, instructions are big-endian.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2333
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

linux-user/ppc: Reduce vdso alignment to 4k

Reduce vdso alignment to minimum page size.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

linux-user/loongarch64: Reduce vdso alignment to 4k

Reduce vdso alignment to minimum page size.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

linux-user/arm: Reduce vdso alignment to 4k

Reduce vdso alignment to minimum page size.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

linux-user/aarch64: Reduce vdso alignment to 4k

Reduce vdso alignment to minimum page size.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

linux-user: Drop image_info.alignment

This field is write-only.  Use only the function-local
variable within load_elf_image.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

linux-user: Honor elf alignment when placing images

Most binaries don't actually depend on more than page alignment,
but any binary can request it.  Not honoring this was a bug.

This became obvious when gdb reported

    Failed to read a valid object file image from memory

when examining some vdso which are marked as needing more
than page alignment.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

cpu: ensure we don't call start_exclusive from cpu_exec

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20241025175857.2554252-3-pierrick.bouvier@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

target/i386: fix hang when using slow path for ptw_setl

When instrumenting memory accesses for plugin, we force memory accesses
to use the slow path for mmu [1]. This create a situation where we end
up calling ptw_setl_slow. This was fixed recently in [2] but the issue
still could appear out of plugins use case.

Since this function gets called during a cpu_exec, start_exclusive then
hangs. This exclusive section was introduced initially for security
reasons [3].

I suspect this code path was never triggered, because ptw_setl_slow
would always be called transitively from cpu_exec, resulting in a hang.

[1] https://gitlab.com/qemu-project/qemu/-/commit/6d03226b42247b68ab2f0b3663e0f624335a4055
[2] https://gitlab.com/qemu-project/qemu/-/commit/115ade42d50144c15b74368d32dc734ea277d853
[3] https://gitlab.com/qemu-project/qemu/-/issues/279

Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2566
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20241025175857.2554252-2-pierrick.bouvier@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

tests/tcg: Test that sigreturn() does not corrupt the signal mask

Add a small test to prevent regressions.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-ID: <20241108145237.37377-2-iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

linux-user: Tolerate CONFIG_LSM_MMAP_MIN_ADDR

Running qemu-i386 on a system running with SELinux in enforcing mode
(more precisely: s390x trixie container on Fedora 40) fails with:

    qemu-i386: tests/tcg/i386-linux-user/sigreturn-sigmask: Unable to find a guest_base to satisfy all guest address mapping requirements
      00000000-ffffffff

The reason is that main() determines mmap_min_addr from
/proc/sys/vm/mmap_min_addr, but SELinux additionally defines
CONFIG_LSM_MMAP_MIN_ADDR, which is normally larger: 32K or 64K, but,
in general, can be anything. There is no portable way to query its
value: /boot/config, /proc/config and /proc/config.gz are distro- and
environment-specific.

Once the identity map fails, the magnitude of guest_base does not
matter, so fix by starting the search from 1M or 1G.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2598
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-ID: <20241023002558.34589-1-iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

accel/tcg: Fix user-only probe_access_internal plugin check

The acc_flag check for write should have been against PAGE_WRITE_ORG,
not PAGE_WRITE.  But it is better to combine two acc_flag checks
to a single check against access_type.  This matches the system code
in cputlb.c.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2647
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: 20241111145002.144995-1-richard.henderson@linaro.org
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>

target/arm: Drop user-only special case in sve_stN_r

This path is reachable with plugins enabled, and provoked
with run-plugin-catch-syscalls-with-libinline.so.

Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20241112141232.321354-1-richard.henderson@linaro.org>

linux-user: Fix setreuid and setregid to use direct syscalls

The commit fd6f7798ac30 ("linux-user: Use direct syscalls for setuid(),
etc") added direct syscall wrappers for setuid(), setgid(), etc since the
system calls have different semantics than the libc functions.

Add and use the corresponding wrappers for setreuid and setregid which
were missed in that commit.

This fixes the build of the debian package of the uid_wrapper library
(https://cwrap.org/uid_wrapper.html) when running linux-user.

Cc: qemu-stable@nongnu.org
Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-ID: <Zyo2jMKqq8hG8Pkz@p100>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Merge tag 'migration-20241113-pull-request' of https://gitlab.com/peterx/qemu into staging

Migration pull request for 9.2-rc1

- Dmitry's small patch to quiesce a warning in possible uint32_t overflow
- Peter's fix on a recent regression to iotests (and potentially elsewhere)

# -----BEGIN PGP SIGNATURE-----
#
# iIgEABYKADAWIQS5GE3CDMRX2s990ak7X8zN86vXBgUCZzUJDxIccGV0ZXJ4QHJl
# ZGhhdC5jb20ACgkQO1/MzfOr1wbuEQEAoRiMlHo4cfRTuViRoGHwFkqboLdyqsC9
# ZtDcZ2efgMQBAMR65KSgEAakbm3h4fuj0lUTkg564Wi9XkBleo/w3tAD
# =uIeB
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 13 Nov 2024 20:16:15 GMT
# gpg:                using EDDSA key B9184DC20CC457DACF7DD1A93B5FCCCDF3ABD706
# gpg:                issuer "peterx@redhat.com"
# gpg: Good signature from "Peter Xu <xzpeter@gmail.com>" [marginal]
# gpg:                 aka "Peter Xu <peterx@redhat.com>" [marginal]
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: B918 4DC2 0CC4 57DA CF7D  D1A9 3B5F CCCD F3AB D706

* tag 'migration-20241113-pull-request' of https://gitlab.com/peterx/qemu:
  migration: fix-possible-int-overflow
  migration: Check current_migration in migration_is_running()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Update version for v9.2.0-rc0 release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

migration: fix-possible-int-overflow

stat64_add() takes uint64_t as 2nd argument, but both
"p->next_packet_size" and "p->packet_len" are uint32_t.
Thus, theyr sum may overflow uint32_t.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Frolov <frolov@swemel.ru>
Link: https://lore.kernel.org/r/20241113140509.325732-2-frolov@swemel.ru
Signed-off-by: Peter Xu <peterx@redhat.com>

migration: Check current_migration in migration_is_running()

Report shows that commit 34a8892dec broke iotest 055:

https://lore.kernel.org/r/b8806360-a2b6-4608-83a3-db67e264c733@linaro.org

Denis Rastyogin reported more such issue:

https://lore.kernel.org/r/20241107114256.106831-1-gerben@altlinux.org

  In this merge, the migration_is_idle() function was replaced with
  migrate_is_running().  However, the null pointer check for `s` was
  removed, leading to a dereference of `s` when using qemu-system-x86_64
  -hda *.vdi.

When replacing migration_is_idle() with "!migration_is_running()", it was
overlooked that the idle helper also checks for current_migration being
available first.  Sample stack dump:

 migration_is_running
 is_busy
 migrate_add_blocker_modes
 migrate_add_blocker_normal
 vmdk_open
 bdrv_open_driver
 bdrv_open_common
 bdrv_open_inherit
 bdrv_open
 blk_new_open
 blockdev_init
 drive_new
 drive_init_func
 qemu_opts_foreach
 configure_blockdev
 qemu_create_early_backends
 qemu_init
 main

The check would be there if the whole series was applied, but since the
last patches in the previous series rely on some other patches to land
first, we need to recover the behavior of migration_is_idle() first before
that whole set will be merged.

I left migration_is_active / migration_is_device alone, as I don't think
it's possible for them to hit uninitialized current_migration. Also they're
prone to removal soon from VFIO side.

Cc: Peter Maydell <peter.maydell@linaro.org>
Fixes: 34a8892dec ("migration: Drop migration_is_idle()")
Reported-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reported-by: Denis Rastyogin <gerben@altlinux.org>
Tested-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Tested-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/r/20241105182725.2393425-1-peterx@redhat.com
[peterx: enhance commit msg]
Signed-off-by: Peter Xu <peterx@redhat.com>

edk2: update submodule to edk2-stable202408.01

Updates the subhook submodule to point to a edk2 mirror repo.
Fixes recursive cloning of the edk2 submodule.

Cc: Peter Maydell <peter.maydell@linaro.org>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2660
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20241111100701.2620020-1-kraxel@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* i386: fix -M isapc with ubsan
* i386: add sha512, sm3, sm4 feature bits
* eif: fix Coverity issues
* i386/hvf: x2APIC support
* i386/hvf: fixes
* i386/tcg: fix 2-stage page walk
* eif: fix coverity issues
* rust: fix subproject warnings with new rust, avoid useless cmake fallback

# -----BEGIN PGP SIGNATURE-----
#
# iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmcvEHYUHHBib256aW5p
# QHJlZGhhdC5jb20ACgkQv/vSX3jHroNn4AgAl+GaD/fHHU+9TCyKRg1Ux/iTSkqh
# PBs76H2w879TDeuPkKZlnYqc7n85rlh1cJwQz01X79OFEeXP6oHiI9Q6qyflSxF0
# V+DrJhZc1CtZBChx9ZUMWUAWjYJFFjNwYA7/LLuLl6RfOm8bIJUWIhDjliJ4Bcea
# 5VI13OtTvYvVurRLUBXWU0inh9KLHIw4RlNgi8Pmb2wNXkPxENpWjsGqWH0jlKS5
# ZUNgTPx/eY5MDwKoAyif2gsdfJlxGxgkpz3Mic4EGE9cw1cRASI3tKb3KH61hNTE
# K21UI0+/+kv27cPnpZzYMDSkrJs7PEgVJ/70NRmAJySA76IG3XSsb5+xZg==
# =pI4/
# -----END PGP SIGNATURE-----
# gpg: Signature made Sat 09 Nov 2024 07:34:14 GMT
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
  hw/i386/pc: Don't try to init PCI NICs if there is no PCI bus
  rust: qemu-api-macros: always process subprojects before dependencies
  i386/hvf: Removes duplicate/shadowed variables in hvf_vcpu_exec
  i386/hvf: Raise exception on error setting APICBASE
  i386/hvf: Fixes startup memory leak (vmcs caps)
  i386/hvf: Fix for UB in handling CPUID function 0xD
  i386/hvf: Integrates x2APIC support with hvf accel
  eif: cope with huge section sizes
  eif: cope with huge section offsets
  target/i386: Fix legacy page table walk
  rust: add meson_version to all subprojects
  target/i386/hvf: fix clang compilation warning
  target/i386: add sha512, sm3, sm4 feature bits

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/i386/pc: Don't try to init PCI NICs if there is no PCI bus

The 'isapc' machine type has no PCI bus, but pc_nic_init() still
calls pci_init_nic_devices() passing it a NULL bus pointer.  This
causes the clang sanitizer to complain:

$ ./build/clang/qemu-system-i386 -M isapc
../../hw/pci/pci.c:1866:39: runtime error: member access within null pointer of type 'PCIBus' (aka 'struct PCIBus')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../hw/pci/pci.c:1866:39 in

This is because pci_init_nic_devices() does
 &bus->qbus
which is undefined behaviour on a NULL pointer even though we're not
actually dereferencing the pointer. (We don't actually crash as
a result, so if you aren't running a sanitizer build then there
are no user-visible effects.)

Make pc_nic_init() avoid trying to initialize PCI NICs on a non-PCI
system.

Cc: qemu-stable@nongnu.org
Fixes: 8d39f9ba14d64 ("hw/i386/pc: use qemu_get_nic_info() and pci_init_nic_devices()")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Link: https://lore.kernel.org/r/20241105171813.3031969-1-peter.maydell@linaro.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

rust: qemu-api-macros: always process subprojects before dependencies

Avoid looking for Rust dependencies via cmake.

Reviewed-by: Junjie Mao <junjie.mao@hotmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

i386/hvf: Removes duplicate/shadowed variables in hvf_vcpu_exec

Pointers to the x86 CPU state already exist at the function scope,
no need to re-obtain them in individual exit reason cases.

Signed-off-by: Phil Dennis-Jordan <phil@philjordan.eu>
Link: https://lore.kernel.org/r/20241105155800.5461-6-phil@philjordan.eu
Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

i386/hvf: Raise exception on error setting APICBASE

When setting the APICBASE MSR to an illegal value, the APIC
implementation will return an error. This change forwards that report
to the guest as an exception rather than ignoring it when using the hvf
accelerator.

Signed-off-by: Phil Dennis-Jordan <phil@philjordan.eu>
Link: https://lore.kernel.org/r/20241105155800.5461-5-phil@philjordan.eu
Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

i386/hvf: Fixes startup memory leak (vmcs caps)

The hvf_caps data structure only exists once as part of the hvf accelerator
state, but it is initialised during vCPU initialisation. This change therefore
adds a check to ensure memory for it is only allocated once.

Signed-off-by: Phil Dennis-Jordan <phil@philjordan.eu>
Link: https://lore.kernel.org/r/20241105155800.5461-4-phil@philjordan.eu
Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

i386/hvf: Fix for UB in handling CPUID function 0xD

The handling for CPUID function 0xD (supported XSAVE features) was
improved in a recent patch. Unfortunately, this appears to have
introduced undefined behaviour for cases where ecx > 30, as the result
of (1 << idx) is undefined if idx > 30.

Per Intel SDM section 13.2, the behaviour for ecx values up to and
including 62 are specified. This change therefore specifically sets
all registers returned by the CPUID instruction to 0 for 63 and higher.
Furthermore, the bit shift uses uint64_t, where behaviour for the entire
range of 2..62 is safe and correct.

Signed-off-by: Phil Dennis-Jordan <phil@philjordan.eu>
Link: https://lore.kernel.org/r/20241105155800.5461-3-phil@philjordan.eu
Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

i386/hvf: Integrates x2APIC support with hvf accel

Support for x2APIC mode was recently introduced in the software emulated
APIC implementation for TCG. Enabling it when using macOS’s hvf
accelerator is useful and significantly helps performance, as Qemu
currently uses the emulated APIC when running on hvf as well.

This change wires up the read & write operations for the MSR VM exits
and allow-lists the CPUID flag in the x86 hvf runtime.

Signed-off-by: Phil Dennis-Jordan <phil@philjordan.eu>
Link: https://lore.kernel.org/r/20241105155800.5461-2-phil@philjordan.eu
Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

eif: cope with huge section sizes

Check for overflow as well as allocation failure.  Resolves Coverity CID 1564859.

Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Dorjoy Chowdhury <dorjoychy111@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Merge tag 'pull-request-2024-11-08' of https://gitlab.com/thuth/qemu into staging

* Various fixes and improvements for the functional tests
* Refresh CI container files with the latest changes from libvirt-ci
* Clean up keyboard code of the next-cube machine to get rid of a legacy API

# -----BEGIN PGP SIGNATURE-----
#
# iQJFBAABCAAvFiEEJ7iIR+7gJQEY8+q5LtnXdP5wLbUFAmct48QRHHRodXRoQHJl
# ZGhhdC5jb20ACgkQLtnXdP5wLbUAzw//fOgAe+rNX10KIEWaHzTlw6EPRUHbKEo+
# yvy9mZ4CYiK3PfojuW6u9Mt32RIGFjLRUPC+ljZggjbxY2DUjzAUGx/kSwf0bzwE
# 8eRKRvd+l3ZFKklwDd7YQh+/O38P/uAq+T0AZQv/9h7rr0wPD6O+sVpKjVN4akuh
# 66Ekz974bDFaVJi8iIix0WCPCUFMZwWQqxaQrnoBH3wN8Ibc6Ermchs7aa1e6KNh
# DoX519JVNofXbugONNnqEjp43tbx/hzPZFyWf9tyX8ehp6+8po0zcZZwqdRkWhuv
# BkESKPz8rHuQOGMjm8rAnjmDEsbpJ+vOfn/ShdyAERv78mTNWwSvYVwq5zfpcTCt
# 9gpCNhhFzFLKlbDeIfgy9ky4R8Gzrww3icLzCsLlat6YCK547YkSr57BsYXJzLX4
# /NUYsaJ1RPdutwgNnmSzhBhObtUik3rFYH5aD0ETWZBdVY8ig5OqGpJ29P5zo860
# ROVFn4RX/XpmODOpYez4dwKVetR5SLHNG1aqduWKOwhAxPzLxK5OghjYkGf0bsel
# gA9t7A1TafgneYxJARKi7esD39xeUzhfzdzCOIOLXJga5kD2/bvZnQ4tkoLPl8QR
# iQEp1z758XmSFTYfzGUDA7SgIOzi9JG5dqtzcqJklr9wYurxwMYmqicJqA4ImoQt
# fZV/axe8Em0=
# =YRCB
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 08 Nov 2024 10:11:16 GMT
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg:                issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2024-11-08' of https://gitlab.com/thuth/qemu:
  ui/input-legacy.c: remove unused legacy qemu_add_kbd_event_handler() function
  next-kbd: convert to use qemu_input_handler_register()
  tests: refresh package lists with latest libvirt-ci
  tests/functional: Split the test_aarch64_sbsaref test
  tests/functional: Bump timeouts of functional tests
  tests/functional: Provide the user with hints where to find more log files
  tests/functional: Fix the ppc64_hv and the ppc_40p test for read-only assets
  test/functional: Fix Aspeed buildroot tests
  tests/functional: Convert the riscv_opensbi avocado test into a standalone test
  scripts/checkpatch.pl: Ignore ObjC #import lines for operator spacing

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>