From 2053f311f7761b6eb414f1860ef3064fa06b8d24 Mon Sep 17 00:00:00 2001 From: Mohamed Mediouni Date: Fri, 7 Nov 2025 08:23:37 +0100 Subject: [PATCH 01/10] MAINTAINERS: update maintainers for WHPX From Pedro Barbuda (on Teams): > we meant to have that switched a while back. you can add me as the maintainer. Pedro Barbuda (pbarbuda@microsoft.com) Signed-off-by: Mohamed Mediouni Message-id: 20251107072337.28932-1-mohamed@unpredictable.fr Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell --- MAINTAINERS | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 9cb181e1da..38325e0617 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -547,7 +547,8 @@ F: include/system/hvf.h F: include/system/hvf_int.h WHPX CPUs -M: Sunil Muthuswamy +M: Pedro Barbuda +M: Mohamed Mediouni S: Supported F: target/i386/whpx/ F: accel/stubs/whpx-stub.c From 18cf3898e3f59116bd179b2f74fad377d57e7f25 Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Thu, 6 Nov 2025 15:49:09 +0100 Subject: [PATCH 02/10] target/arm: Fix accidental write to TCG constant Currently an unpredictable movw such as movw pc, 0x123 results in the tinycode and_i32 $0x123,$0x123,$0xfffffffc mov_i32 pc,$0x123 exit_tb $0x0 which is clearly a bug: writing to a constant is incorrect and discards the result of the mask. Fix this by always doing an and_i32 and trusting the optimizer to turn this into a simple move when the mask is zero. Signed-off-by: Anton Johansson Signed-off-by: Richard Henderson Tested-by: Gustavo Romero Reviewed-by: Message-id: 20251106144909.533997-1-richard.henderson@linaro.org [rth: Avoid an extra temp and extra move.] Signed-off-by: Richard Henderson [PMM: commit message tweak] Signed-off-by: Peter Maydell --- target/arm/tcg/translate.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c index 5f64fed220..63735d9789 100644 --- a/target/arm/tcg/translate.c 
+++ b/target/arm/tcg/translate.c @@ -303,20 +303,23 @@ TCGv_i32 add_reg_for_lit(DisasContext *s, int reg, int ofs) marked as dead. */ void store_reg(DisasContext *s, int reg, TCGv_i32 var) { + uint32_t mask = 0; + if (reg == 15) { - /* In Thumb mode, we must ignore bit 0. + /* + * In Thumb mode, we must ignore bit 0. * In ARM mode, for ARMv4 and ARMv5, it is UNPREDICTABLE if bits [1:0] * are not 0b00, but for ARMv6 and above, we must ignore bits [1:0]. * We choose to ignore [1:0] in ARM mode for all architecture versions. */ - tcg_gen_andi_i32(var, var, s->thumb ? ~1 : ~3); + mask = s->thumb ? 1 : 3; s->base.is_jmp = DISAS_JUMP; s->pc_save = -1; } else if (reg == 13 && arm_dc_feature(s, ARM_FEATURE_M)) { /* For M-profile SP bits [1:0] are always zero */ - tcg_gen_andi_i32(var, var, ~3); + mask = 3; } - tcg_gen_mov_i32(cpu_R[reg], var); + tcg_gen_andi_i32(cpu_R[reg], var, ~mask); } /* From 00de647c0ab69e92cf333d7d061782103b1fd794 Mon Sep 17 00:00:00 2001 From: Osama Abdelkader Date: Mon, 10 Nov 2025 18:15:52 +0200 Subject: [PATCH 03/10] target/arm/cpu64: remove duplicate include MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit cpregs.h is included twice. Signed-off-by: Osama Abdelkader Reviewed-by: Alex Bennée Reviewed-by: Gavin Shan Message-id: 20251110161552.700333-1-osama.abdelkader@gmail.com Signed-off-by: Peter Maydell --- target/arm/cpu64.c | 1 - 1 file changed, 1 deletion(-) diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c index f81cfd0113..ae84d8e420 100644 --- a/target/arm/cpu64.c +++ b/target/arm/cpu64.c @@ -34,7 +34,6 @@ #include "hw/qdev-properties.h" #include "internals.h" #include "cpu-features.h" -#include "cpregs.h" /* convert between _IDX and SYS_ */ #define DEF(NAME, OP0, OP1, CRN, CRM, OP2) \ From f52db7f34242d3398bab0bacaa3e5dde99be5258 Mon Sep 17 00:00:00 2001 
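Review bot: The rewritten store_reg() in target/arm/tcg/translate.c has no comment saying why the mask is applied in the single call `tcg_gen_andi_i32(cpu_R[reg], var, ~mask);` instead of by modifying `var` first. Without one, a later cleanup could reintroduce the in-place AND on a value that may be a TCG constant, which is the bug this commit fixes. I would add above the final call: `/* Never modify var in place: it may be a TCG constant. With mask == 0 this is expected to reduce to a plain move. */`. The existing comment inside the `reg == 15` branch only explains which bits are ignored.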
From: Peter Maydell Date: Thu, 6 Nov 2025 14:52:08 +0000 Subject: [PATCH 04/10] hw/display/xlnx_dp.c: Don't abort on AUX FIFO overrun/underrun MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The documentation of the Xilinx DisplayPort subsystem at https://www.xilinx.com/support/documents/ip_documentation/v_dp_txss1/v3_1/pg299-v-dp-txss1.pdf doesn't say what happens if a guest tries to issue an AUX write command with a length greater than the amount of data in the AUX write FIFO, or tries to write more data to the write FIFO than it can hold, or issues multiple commands that put data into the AUX read FIFO without reading it such that it overflows. Currently QEMU will abort() in these guest-error situations, either in xlnx_dp.c itself or in the fifo8 code. Make these cases all be logged as guest errors instead. We choose to ignore the new data on overflow, and return 0 on underflow. This is in line with how we handled the "read from empty RX FIFO" case in commit a09ef5040477. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1418 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1419 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1424 Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Edgar E. Iglesias Message-id: 20251106145209.1083998-2-peter.maydell@linaro.org --- hw/display/xlnx_dp.c | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c index 96cbb1b3a7..c2bf692e7b 100644 --- a/hw/display/xlnx_dp.c +++ b/hw/display/xlnx_dp.c 
@@ -435,7 +435,18 @@ static void xlnx_dp_aux_clear_rx_fifo(XlnxDPState *s) static void xlnx_dp_aux_push_rx_fifo(XlnxDPState *s, uint8_t *buf, size_t len) { + size_t avail = fifo8_num_free(&s->rx_fifo); DPRINTF("Push %u data in rx_fifo\n", (unsigned)len); + if (len > avail) { + /* + * Data sheet doesn't specify behaviour here: we choose to ignore + * the excess data. + */ + qemu_log_mask(LOG_GUEST_ERROR, + "%s: ignoring %zu bytes pushed to full RX_FIFO\n", + __func__, len - avail); + len = avail; + } fifo8_push_all(&s->rx_fifo, buf, len); } @@ -466,7 +477,18 @@ static void xlnx_dp_aux_clear_tx_fifo(XlnxDPState *s) static void xlnx_dp_aux_push_tx_fifo(XlnxDPState *s, uint8_t *buf, size_t len) { + size_t avail = fifo8_num_free(&s->tx_fifo); DPRINTF("Push %u data in tx_fifo\n", (unsigned)len); + if (len > avail) { + /* + * Data sheet doesn't specify behaviour here: we choose to ignore + * the excess data. + */ + qemu_log_mask(LOG_GUEST_ERROR, + "%s: ignoring %zu bytes pushed to full TX_FIFO\n", + __func__, len - avail); + len = avail; + } fifo8_push_all(&s->tx_fifo, buf, len); } @@ -475,8 +497,10 @@ static uint8_t xlnx_dp_aux_pop_tx_fifo(XlnxDPState *s) uint8_t ret; if (fifo8_is_empty(&s->tx_fifo)) { - error_report("%s: TX_FIFO underflow", __func__); - abort(); + /* Data sheet doesn't specify behaviour here: we choose to return 0 */ + qemu_log_mask(LOG_GUEST_ERROR, "%s: attempt to read empty TX_FIFO\n", + __func__); + return 0; } ret = fifo8_pop(&s->tx_fifo); DPRINTF("pop 0x%2.2X from tx_fifo.\n", ret); From 032333eba77b83dfbd74071cc2971f0bda9a3d4f Mon Sep 17 00:00:00 2001 
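Review bot: In xlnx_dp_aux_push_rx_fifo() the `DPRINTF("Push %u data in rx_fifo\n", (unsigned)len);` line still runs before the new clamp, so on overflow a debug trace reports more bytes than actually enter the FIFO. Moving the DPRINTF below the `if (len > avail) { ... }` block keeps the trace consistent with the guest-error message. The same applies to xlnx_dp_aux_push_tx_fifo() in the next hunk. The two clamp blocks differ only in the FIFO and the name in the message, so a small static helper taking the `Fifo8 *` and a label would stop them drifting apart. The message says "full" although the FIFO may be only partly filled, and `"%s: RX_FIFO overflow, dropping %zu bytes\n"` would describe both cases.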
From: Peter Maydell Date: Thu, 6 Nov 2025 14:52:09 +0000 Subject: [PATCH 05/10] hw/display/xlnx_dp: Don't abort for unsupported graphics formats MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the guest writes an invalid or unsupported value to the AV_BUF_FORMAT register, currently we abort(). Instead, log this as either a guest error or an unimplemented error and continue. The existing code treats DP_NL_VID_CB_Y0_CR_Y1 as x8b8g8r8 via a "case 0" that does not use the enum constant name for some reason; we leave that alone beyond adding a comment about the weird code. Documentation of this register seems to be at: https://docs.amd.com/r/en-US/ug1087-zynq-ultrascale-registers/AV_BUF_FORMAT-DISPLAY_PORT-Register Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1415 Signed-off-by: Peter Maydell Reviewed-by: Edgar E. Iglesias Reviewed-by: Philippe Mathieu-Daudé Message-id: 20251106145209.1083998-3-peter.maydell@linaro.org --- hw/display/xlnx_dp.c | 55 +++++++++++++++++++++++++++++++++++++++----- 1 file changed, 49 insertions(+), 6 deletions(-) diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c index c2bf692e7b..a248b943a5 100644 --- a/hw/display/xlnx_dp.c +++ b/hw/display/xlnx_dp.c 
@@ -665,14 +665,28 @@ static void xlnx_dp_change_graphic_fmt(XlnxDPState *s) case DP_GRAPHIC_BGR888: s->g_plane.format = PIXMAN_b8g8r8; break; + case DP_GRAPHIC_RGBA5551: + case DP_GRAPHIC_RGBA4444: + case DP_GRAPHIC_8BPP: + case DP_GRAPHIC_4BPP: + case DP_GRAPHIC_2BPP: + case DP_GRAPHIC_1BPP: + qemu_log_mask(LOG_UNIMP, "%s: unimplemented graphic format %u", + __func__, + s->avbufm_registers[AV_BUF_FORMAT] & DP_GRAPHIC_MASK); + s->g_plane.format = PIXMAN_r8g8b8a8; + break; default: - error_report("%s: unsupported graphic format %u", __func__, - s->avbufm_registers[AV_BUF_FORMAT] & DP_GRAPHIC_MASK); - abort(); + qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid graphic format %u", + __func__, + s->avbufm_registers[AV_BUF_FORMAT] & DP_GRAPHIC_MASK); + s->g_plane.format = PIXMAN_r8g8b8a8; + break; } switch (s->avbufm_registers[AV_BUF_FORMAT] & DP_NL_VID_FMT_MASK) { case 0: + /* This is DP_NL_VID_CB_Y0_CR_Y1 ??? */ s->v_plane.format = PIXMAN_x8b8g8r8; break; case DP_NL_VID_Y0_CB_Y1_CR: 
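Review bot: Both new `qemu_log_mask()` format strings in the graphics-format switch lack a trailing newline: `"%s: unimplemented graphic format %u"` and `"%s: invalid graphic format %u"`. The `error_report()` call they replace appended one, so these messages will now run into whatever is logged next. Ending them with `\n`, e.g. `"%s: invalid graphic format %u\n"`, matches the guest-error messages added to this file by the FIFO patch earlier in the series. The two video-format messages in the following hunk have the same omission. xlnx_dp_change_graphic_fmt() starts before this hunk and continues past it.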
@@ -681,10 +695,39 @@ static void xlnx_dp_change_graphic_fmt(XlnxDPState *s) case DP_NL_VID_RGBA8880: s->v_plane.format = PIXMAN_x8b8g8r8; break; + case DP_NL_VID_CR_Y0_CB_Y1: + case DP_NL_VID_Y0_CR_Y1_CB: + case DP_NL_VID_YV16: + case DP_NL_VID_YV24: + case DP_NL_VID_YV16CL: + case DP_NL_VID_MONO: + case DP_NL_VID_YV16CL2: + case DP_NL_VID_YUV444: + case DP_NL_VID_RGB888: + case DP_NL_VID_RGB888_10BPC: + case DP_NL_VID_YUV444_10BPC: + case DP_NL_VID_YV16CL2_10BPC: + case DP_NL_VID_YV16CL_10BPC: + case DP_NL_VID_YV16_10BPC: + case DP_NL_VID_YV24_10BPC: + case DP_NL_VID_Y_ONLY_10BPC: + case DP_NL_VID_YV16_420: + case DP_NL_VID_YV16CL_420: + case DP_NL_VID_YV16CL2_420: + case DP_NL_VID_YV16_420_10BPC: + case DP_NL_VID_YV16CL_420_10BPC: + case DP_NL_VID_YV16CL2_420_10BPC: + qemu_log_mask(LOG_UNIMP, "%s: unimplemented video format %u", + __func__, + s->avbufm_registers[AV_BUF_FORMAT] & DP_NL_VID_FMT_MASK); + s->v_plane.format = PIXMAN_x8b8g8r8; + break; default: - error_report("%s: unsupported video format %u", __func__, - s->avbufm_registers[AV_BUF_FORMAT] & DP_NL_VID_FMT_MASK); - abort(); + qemu_log_mask(LOG_UNIMP, "%s: invalid video format %u", + __func__, + s->avbufm_registers[AV_BUF_FORMAT] & DP_NL_VID_FMT_MASK); + s->v_plane.format = PIXMAN_x8b8g8r8; + break; } xlnx_dp_recreate_surface(s); From 2a2527c8158b77bf767f5672998d2efc90d83c27 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Tue, 4 Nov 2025 16:09:41 +0000 Subject: [PATCH 06/10] cxl: Clean up includes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit was created with scripts/clean-includes: ./scripts/clean-includes --git cxl hw/cxl hw/mem All .c should include qemu/osdep.h first. The script performs three related cleanups: * Ensure .c files include qemu/osdep.h first. * Including it in a .h is redundant, since the .c already includes it. Drop such inclusions. * Likewise, including headers qemu/osdep.h includes is redundant. Drop these, too. 
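Review bot: The `default:` arm of the video-format switch logs "invalid video format" under `LOG_UNIMP`, while the matching `default:` arm for graphics formats in the previous hunk uses `LOG_GUEST_ERROR`. All the known-but-unimplemented formats are listed explicitly above, so what reaches `default:` is a reserved value, and someone who enables only guest-error logging would not see it. I would change the call to `qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid video format %u\n",`. The function continues outside the hunk.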
Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Acked-by: Jonathan Cameron Message-id: 20251104160943.751997-8-peter.maydell@linaro.org --- hw/cxl/cxl-mailbox-utils.c | 2 +- hw/mem/cxl_type3.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/cxl/cxl-mailbox-utils.c b/hw/cxl/cxl-mailbox-utils.c index 68c7cc9891..6cfdd98168 100644 --- a/hw/cxl/cxl-mailbox-utils.c +++ b/hw/cxl/cxl-mailbox-utils.c @@ -7,9 +7,9 @@ * COPYING file in the top-level directory. */ +#include "qemu/osdep.h" #include -#include "qemu/osdep.h" #include "hw/pci/msi.h" #include "hw/pci/msix.h" #include "hw/cxl/cxl.h" diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c index be609ff9d0..4f3688a71b 100644 --- a/hw/mem/cxl_type3.c +++ b/hw/mem/cxl_type3.c @@ -8,9 +8,9 @@ * * SPDX-License-Identifier: GPL-v2-only */ +#include "qemu/osdep.h" #include -#include "qemu/osdep.h" #include "qemu/units.h" #include "qemu/error-report.h" #include "qapi/qapi-commands-cxl.h" From b1f4f4695c96bb8e20a00e82d1868b5b018002bc Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Tue, 4 Nov 2025 16:09:42 +0000 Subject: [PATCH 07/10] vfio: Clean up includes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit was created with scripts/clean-includes: ./scripts/clean-includes --git vfio hw/vfio hw/vfio-user All .c should include qemu/osdep.h first. The script performs three related cleanups: * Ensure .c files include qemu/osdep.h first. * Including it in a .h is redundant, since the .c already includes it. Drop such inclusions. * Likewise, including headers qemu/osdep.h includes is redundant. Drop these, too. 
Signed-off-by: Peter Maydell Reviewed-by: Cédric Le Goater Reviewed-by: Philippe Mathieu-Daudé Message-id: 20251104160943.751997-9-peter.maydell@linaro.org --- hw/vfio-user/container.c | 2 +- hw/vfio-user/container.h | 1 - hw/vfio-user/device.h | 1 - hw/vfio-user/pci.c | 2 +- hw/vfio/ap.c | 1 - hw/vfio/container.c | 2 +- hw/vfio/cpr-legacy.c | 2 +- hw/vfio/pci-quirks.h | 1 - 8 files changed, 4 insertions(+), 8 deletions(-) diff --git a/hw/vfio-user/container.c b/hw/vfio-user/container.c index e45192fef6..dab7a23224 100644 --- a/hw/vfio-user/container.c +++ b/hw/vfio-user/container.c @@ -6,9 +6,9 @@ * SPDX-License-Identifier: GPL-2.0-or-later */ +#include "qemu/osdep.h" #include #include -#include "qemu/osdep.h" #include "hw/vfio-user/container.h" #include "hw/vfio-user/device.h" diff --git a/hw/vfio-user/container.h b/hw/vfio-user/container.h index a2b42e3169..c952e09063 100644 --- a/hw/vfio-user/container.h +++ b/hw/vfio-user/container.h @@ -7,7 +7,6 @@ #ifndef HW_VFIO_USER_CONTAINER_H #define HW_VFIO_USER_CONTAINER_H -#include "qemu/osdep.h" #include "hw/vfio/vfio-container.h" #include "hw/vfio-user/proxy.h" diff --git a/hw/vfio-user/device.h b/hw/vfio-user/device.h index d183a3950e..49c05848f1 100644 --- a/hw/vfio-user/device.h +++ b/hw/vfio-user/device.h @@ -9,7 +9,6 @@ * SPDX-License-Identifier: GPL-2.0-or-later */ -#include "qemu/osdep.h" #include "linux/vfio.h" #include "hw/vfio-user/proxy.h" diff --git a/hw/vfio-user/pci.c b/hw/vfio-user/pci.c index b53ed3b456..353d07e781 100644 --- a/hw/vfio-user/pci.c +++ b/hw/vfio-user/pci.c @@ -6,8 +6,8 @@ * SPDX-License-Identifier: GPL-2.0-or-later */ -#include #include "qemu/osdep.h" +#include #include "qapi-visit-sockets.h" #include "qemu/error-report.h" diff --git a/hw/vfio/ap.c b/hw/vfio/ap.c index 7719f24579..3368ac8915 100644 --- a/hw/vfio/ap.c +++ b/hw/vfio/ap.c @@ -10,7 +10,6 @@ * directory. */ -#include #include "qemu/osdep.h" #include CONFIG_DEVICES /* CONFIG_IOMMUFD */ #include 
diff --git a/hw/vfio/container.c b/hw/vfio/container.c index 9ddec300e3..013a691bc5 100644 --- a/hw/vfio/container.c +++ b/hw/vfio/container.c @@ -10,10 +10,10 @@ * SPDX-License-Identifier: GPL-2.0-or-later */ +#include "qemu/osdep.h" #include #include -#include "qemu/osdep.h" #include "system/tcg.h" #include "system/ram_addr.h" #include "qapi/error.h" diff --git a/hw/vfio/cpr-legacy.c b/hw/vfio/cpr-legacy.c index 86c943158e..7c03ddb961 100644 --- a/hw/vfio/cpr-legacy.c +++ b/hw/vfio/cpr-legacy.c @@ -4,9 +4,9 @@ * SPDX-License-Identifier: GPL-2.0-or-later */ +#include "qemu/osdep.h" #include #include -#include "qemu/osdep.h" #include "hw/vfio/vfio-container-legacy.h" #include "hw/vfio/vfio-device.h" #include "hw/vfio/vfio-listener.h" diff --git a/hw/vfio/pci-quirks.h b/hw/vfio/pci-quirks.h index d1532e379b..a6282e063a 100644 --- a/hw/vfio/pci-quirks.h +++ b/hw/vfio/pci-quirks.h @@ -12,7 +12,6 @@ #ifndef HW_VFIO_VFIO_PCI_QUIRKS_H #define HW_VFIO_VFIO_PCI_QUIRKS_H -#include "qemu/osdep.h" #include "exec/memop.h" /* From 168558ed7b4eb215e58d1dd6dea12b53114738ff Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Tue, 4 Nov 2025 16:09:43 +0000 Subject: [PATCH 08/10] tests: Clean up includes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit was created with scripts/clean-includes: ./scripts/clean-includes --git tests tests with one hand-edit to remove a now-empty #ifndef WIN32...#endif from tests/qtest/dbus-display-test.c . All .c should include qemu/osdep.h first. The script performs three related cleanups: * Ensure .c files include qemu/osdep.h first. * Including it in a .h is redundant, since the .c already includes it. Drop such inclusions. * Likewise, including headers qemu/osdep.h includes is redundant. Drop these, too. 
Signed-off-by: Peter Maydell Reviewed-by: Cédric Le Goater Message-id: 20251104160943.751997-10-peter.maydell@linaro.org --- tests/qtest/aspeed-hace-utils.h | 1 - tests/qtest/aspeed-smc-utils.h | 1 - tests/qtest/aspeed_gpio-test.c | 1 - tests/qtest/dbus-display-test.c | 3 --- tests/qtest/pnv-spi-seeprom-test.c | 1 - tests/unit/test-cutils.c | 2 +- tests/unit/test-error-report.c | 1 - tests/unit/test-io-channel-command.c | 2 -- 8 files changed, 1 insertion(+), 11 deletions(-) diff --git a/tests/qtest/aspeed-hace-utils.h b/tests/qtest/aspeed-hace-utils.h index c8b2ec45af..27ab2bb975 100644 --- a/tests/qtest/aspeed-hace-utils.h +++ b/tests/qtest/aspeed-hace-utils.h @@ -8,7 +8,6 @@ #ifndef TESTS_ASPEED_HACE_UTILS_H #define TESTS_ASPEED_HACE_UTILS_H -#include "qemu/osdep.h" #include "libqtest.h" #include "qemu/bitops.h" diff --git a/tests/qtest/aspeed-smc-utils.h b/tests/qtest/aspeed-smc-utils.h index b07870f3b8..e2fd8ff1bd 100644 --- a/tests/qtest/aspeed-smc-utils.h +++ b/tests/qtest/aspeed-smc-utils.h @@ -26,7 +26,6 @@ #ifndef TESTS_ASPEED_SMC_UTILS_H #define TESTS_ASPEED_SMC_UTILS_H -#include "qemu/osdep.h" #include "qemu/bswap.h" #include "libqtest-single.h" #include "qemu/bitops.h" diff --git a/tests/qtest/aspeed_gpio-test.c b/tests/qtest/aspeed_gpio-test.c index c2f9ca2298..decbba23c8 100644 --- a/tests/qtest/aspeed_gpio-test.c +++ b/tests/qtest/aspeed_gpio-test.c @@ -27,7 +27,6 @@ #include "qemu/timer.h" #include "qobject/qdict.h" #include "libqtest-single.h" -#include "qemu/typedefs.h" #define AST2600_GPIO_BASE 0x1E780000 diff --git a/tests/qtest/dbus-display-test.c b/tests/qtest/dbus-display-test.c index f7fc873bfb..1d5951b711 100644 --- a/tests/qtest/dbus-display-test.c +++ b/tests/qtest/dbus-display-test.c @@ -7,9 +7,6 @@ #include #include #include "libqtest.h" -#ifndef WIN32 -#include -#endif #include "ui/dbus-display1.h" static GDBusConnection* 
diff --git a/tests/qtest/pnv-spi-seeprom-test.c b/tests/qtest/pnv-spi-seeprom-test.c index 600493c425..8033261758 100644 --- a/tests/qtest/pnv-spi-seeprom-test.c +++ b/tests/qtest/pnv-spi-seeprom-test.c @@ -5,7 +5,6 @@ * * SPDX-License-Identifier: GPL-2.0-or-later */ -#include #include "qemu/osdep.h" #include "libqtest.h" #include "qemu/bswap.h" diff --git a/tests/unit/test-cutils.c b/tests/unit/test-cutils.c index 227acc5995..75fae29003 100644 --- a/tests/unit/test-cutils.c +++ b/tests/unit/test-cutils.c @@ -25,9 +25,9 @@ * THE SOFTWARE. */ +#include "qemu/osdep.h" #include -#include "qemu/osdep.h" #include "qemu/cutils.h" #include "qemu/units.h" diff --git a/tests/unit/test-error-report.c b/tests/unit/test-error-report.c index 0cbde3c4cf..a8532fc58f 100644 --- a/tests/unit/test-error-report.c +++ b/tests/unit/test-error-report.c @@ -8,7 +8,6 @@ */ #include "qemu/osdep.h" -#include "glib-compat.h" #include #include "qemu/error-report.h" diff --git a/tests/unit/test-io-channel-command.c b/tests/unit/test-io-channel-command.c index 4f022617df..964418b5cd 100644 --- a/tests/unit/test-io-channel-command.c +++ b/tests/unit/test-io-channel-command.c @@ -20,8 +20,6 @@ #include "qemu/osdep.h" #include -#include -#include #include "io/channel-command.h" #include "io-channel-helpers.h" #include "qapi/error.h" From 5fc50b4ec841c8a01e7346c2c804088fc3accb6b Mon Sep 17 00:00:00 2001 
From: Peter Maydell Date: Fri, 7 Nov 2025 15:01:37 +0000 Subject: [PATCH 09/10] hw/misc/npcm_clk: Don't divide by zero when calculating frequency MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the guest misprograms the PLL registers to request a zero divisor, we currently fall over with a division by zero: ../../hw/misc/npcm_clk.c:221:14: runtime error: division by zero SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../hw/misc/npcm_clk.c:221:14 Thread 1 "qemu-system-aar" received signal SIGFPE, Arithmetic exception. 0x00005555584d8f6d in npcm7xx_clk_update_pll (opaque=0x7fffed159a20) at ../../hw/misc/npcm_clk.c:221 221 freq /= PLLCON_INDV(con) * PLLCON_OTDV1(con) * PLLCON_OTDV2(con); Avoid this by treating this invalid setting like a stopped clock (setting freq to 0). Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/549 Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Message-id: 20251107150137.1353532-1-peter.maydell@linaro.org --- hw/misc/npcm_clk.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hw/misc/npcm_clk.c b/hw/misc/npcm_clk.c index c48d40b446..e202a8a299 100644 --- a/hw/misc/npcm_clk.c +++ b/hw/misc/npcm_clk.c @@ -212,13 +212,14 @@ static void npcm7xx_clk_update_pll(void *opaque) { NPCM7xxClockPLLState *s = opaque; uint32_t con = s->clk->regs[s->reg]; - uint64_t freq; + uint64_t freq, freq_div; /* The PLL is grounded if it is not locked yet. */ if (con & PLLCON_LOKI) { freq = clock_get_hz(s->clock_in); freq *= PLLCON_FBDV(con); - freq /= PLLCON_INDV(con) * PLLCON_OTDV1(con) * PLLCON_OTDV2(con); + freq_div = PLLCON_INDV(con) * PLLCON_OTDV1(con) * PLLCON_OTDV2(con); + freq = freq_div ? freq / freq_div : 0; } else { freq = 0; } From 522444744eb79dd01e377ad2ed15544f10bcc70c Mon Sep 17 00:00:00 2001 
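Review bot: In npcm7xx_clk_update_pll() the zero-divisor case is handled silently by `freq = freq_div ? freq / freq_div : 0;`, with neither a comment nor a guest-error log. The other guest-misprogramming fixes in this series report through `qemu_log_mask(LOG_GUEST_ERROR, ...)`. A short comment such as `/* A zero divider is a guest programming error: treat it as a stopped clock */` would record the intent next to the code. A guest-error log line in the zero branch would make the condition diagnosable; it needs `qemu/log.h`, and whether this file already includes it is not visible here. The end of the function lies outside the hunk.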
From: Peter Maydell Date: Fri, 7 Nov 2025 15:41:16 +0000 Subject: [PATCH 10/10] hw/audio/lm4549: Don't try to open a zero-frequency audio voice MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the guest incorrectly programs the lm4549 audio chip with a zero frequency, we will pass this to AUD_open_out(), which will complain: A bug was just triggered in AUD_open_out Save all your work and restart without audio I am sorry Context: audio: frequency=0 nchannels=2 fmt=S16 endianness=little The datasheet doesn't say what we should do here, only that the valid range for the freqency is 4000 to 48000 Hz; we choose to log the guest error and ignore an attempt to change the DAC rate to something outside the valid range. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/410 Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Message-id: 20251107154116.1396769-1-peter.maydell@linaro.org --- hw/audio/lm4549.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/hw/audio/lm4549.c b/hw/audio/lm4549.c index 745441bd79..bf711c49c0 100644 --- a/hw/audio/lm4549.c +++ b/hw/audio/lm4549.c @@ -15,6 +15,7 @@ #include "qemu/osdep.h" #include "hw/hw.h" +#include "qemu/log.h" #include "qemu/audio.h" #include "lm4549.h" #include "migration/vmstate.h" 
@@ -179,9 +180,23 @@ void lm4549_write(lm4549_state *s, break; case LM4549_PCM_Front_DAC_Rate: - regfile[LM4549_PCM_Front_DAC_Rate] = value; DPRINTF("DAC rate change = %i\n", value); + /* + * Valid sample rates are 4kHz to 48kHz. + * The datasheet doesn't say what happens if you try to + * set the frequency to zero. AUD_open_out() will print + * a bug message if we pass it a zero frequency, so just + * ignore attempts to set the DAC frequency to zero. + */ + if (value < 4000 || value > 48000) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: DAC sample rate %d Hz is invalid, ignoring it\n", + __func__, value); + break; + } + regfile[LM4549_PCM_Front_DAC_Rate] = value; + /* Re-open a voice with the new sample rate */ struct audsettings as; as.freq = value;
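Review bot: The new comment in the `LM4549_PCM_Front_DAC_Rate` case ends with "just ignore attempts to set the DAC frequency to zero", but the check `value < 4000 || value > 48000` rejects every rate outside the valid range, so the comment understates the code. I would reword its last line to `* ignore attempts to set a rate outside the valid range.`. The log call prints `value` with `%d`; if `value` is declared unsigned (the declaration is outside the hunk), `%u` is the matching specifier. The rate is validated only on this write path, so any other place that opens a voice from the stored register value, none of which is visible in this hunk, would need the same range check. lm4549_write() begins before the hunk and continues after it.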