Since fw_dynamic_info is only used for non 32 bit targets, target_long
is int64_t anyway. Rename struct to fw_dynamic_info64 and use int64_t.
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20251027-feature-single-binary-hw-v1-v2-3-44478d589ae9@rev.ng>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Anton Johansson <anjo@rev.ng>
Message-ID: <20251027-feature-single-binary-hw-v1-v2-1-44478d589ae9@rev.ng>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
[PMD: Do not update riscv_load_kernel()]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
dma_translation has been moved to x86-iommu and is no longer referenced.
Fixes: b6b49c2cd6 (intel-iommu: Move dma_translation to x86-iommu)
Signed-off-by: Clement Mathieu--Drif <clement.mathieu--drif@eviden.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20251027075232.95262-1-clement.mathieu--drif@eviden.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
s points to the MemoryRegion itself. dev points to DS1225Y, the real
owner.
Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20251027-ds1225y-v1-1-406888eb495f@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Pass error_fatal to load_image_targphys() calls in ppc machine initialization
to capture detailed error information when loading firmware, kernel,
and initrd images.
Passing error_fatal automatically reports detailed error messages and
exits immediately on failure. Eliminating redundant exit(1) calls, as
error_fatal handles termination
The behavior remains functionally identical, but error messages now
come directly from the loader function with more context about the
failure cause.
Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-14-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Pass errp to load_image_targphys_as() in generic-loader and
guest-loader to capture detailed error information from the
loader functions.
Use error_prepend() instead of error_setg() to preserve the
underlying error details while adding context about which image
failed to load.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-12-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Currently load_image_targphys_as() returns -1 on file open failure or
when max size is exceeded. Add an explicit check for zero-sized files
to catch this error early, since some callers check for size <= 0.
Also, remove the redundant size > 0 check later in the function.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-10-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Add error checking for lseek() failure and provide better error
messages when image loading fails, including filenames and addresses.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-8-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Add Error **errp parameter to load_image_targphys(),
load_image_targphys_as(), and get_image_size() to enable better
error reporting when image loading fails.
Pass NULL for errp in all existing call sites to maintain current
behavior. No functional change intended in this patch.
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Aditya Gupta <adityag@linux.ibm.com>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-6-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Replace open() with qemu_open() which provides better error handling
via the Error object, automatically sets O_CLOEXEC, and supports FD
passing with /dev/fdset.
Currently pass errp argument as NULL.
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-4-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
"system/memory.h" header is indirectly pulled by "hw/sysbus.h".
Include it explicitly to avoid when refactoring the latter:
In file included from ../../hw/intc/loongson_ipi.c:9:
In file included from /Users/philmd/source/qemu/include/hw/intc/loongson_ipi.h:12:
include/hw/intc/loongson_ipi_common.h:37:18: error: field has incomplete type 'MemoryRegion' (aka 'struct MemoryRegion')
37 | MemoryRegion ipi_iocsr_mem;
| ^
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-Id: <20251024190416.8803-21-philmd@linaro.org>
"system/memory.h" header is indirectly pulled by "hw/sysbus.h".
Include it explicitly to avoid when refactoring the latter:
include/hw/uefi/var-service.h:50:39: error: field has incomplete type 'MemoryRegion' (aka 'struct MemoryRegion')
50 | MemoryRegion mr;
| ^
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20251024190416.8803-14-philmd@linaro.org>
These getters don't update any SysBusDevice internal fields,
make the argument const.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20251024190416.8803-3-philmd@linaro.org>
This getter doesn't update any DeviceState internal fields,
make it const.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20251024190416.8803-2-philmd@linaro.org>
Instead of doing it manually use pci_register_root_bus() to create and
register the PCI bus. Also drop pci_bus from PREPPCIState and use the
existing bus field in the parent PCIHostState.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <4ffa168d68947d95a16c51d73cedd141b0df0ea0.1761232472.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Convert to using DEFINE_TYPES macro and move raven_pcihost_class_init
so methods of each object are grouped together.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <4ff8a3e1de847846f08d9ea6b389efeb3eb12aed.1761232472.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Use OBJECT_DECLARE_SIMPLE_TYPE macro instead of open coding it and
change state struct name to match the previous typedef.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <e14793737092eac0642aa87214801a1f4bb1e2e7.1761232472.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
The raven PCI device does not need a state struct as it has no data to
store there any more, so we can remove that to simplify code.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <3c4cb144c24a2a729669549c4c0e6e47d230e68e.1761232472.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
There is no need to init and realize the PCI facing part of the host
bridge separately as it does not expose any properties that need to be
available before realize. It can be simpilfied using pci_create_simple.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <5a60e395d72e5eb4d01093434fbb645d72ac567a.1761232472.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
The only user of this macro was VirtIONet.vlans, which has been
converted to regular VMSTATE_BUFFER.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Peter Xu <peterx@redhat.com>
Message-ID: <20251023135316.31128-3-mjt@tls.msk.ru>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
This field is a fixed-size buffer (number of elements is MAX_VLAN,
known at build time). There's no need to allocate it dynamically,
it can be made an integral part of VirtIONet structure.
This field is the only user of VMSTATE_BUFFER_POINTER_UNSAFE() macro.
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Tested-by: Lei Yang <leiyang@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Message-ID: <20251023135316.31128-2-mjt@tls.msk.ru>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
When OBJECT_DECLARE_SIMPLE_TYPE is used, it automatically provides
the typedef, so we don’t have to define it ourselves.
Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20251023063429.1400398-1-phind.uet@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
In commit ebd394948d ("target/hppa: Fix FPE exceptions") when
we added the code for setting up the registers correctly on trapping
FP exceptions, we accidentally broke the handling of the flag bits
for non-trapping exceptions.
In update_fr0_op() we incorrectly zero out the flag bits and the C
bit, so any fp operation would clear previously set flag bits. We
also stopped setting the flag bits when the fp operation raises
an exception and the trap is not enabled.
Adjust the code so that we set the Flag bits for every exception that
happened and where the trap is not enabled. (This is the correct
behaviour for the case where an instruction triggers two exceptions,
one of which traps and one of which does not; that can only happen
for inexact + underflow or inexact + overflow.)
Cc: qemu-stable@nongnu.org
Fixes: ebd394948d ("target/hppa: Fix FPE exceptions")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3158
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Helge Deller <deller@gmx.de>
Tested-by: Helge Deller <deller@gmx.de>
Message-ID: <20251017085350.895681-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
* Fix use after free in websocket handshake (CVE-2025-11234)
* Improved stack traces fatal errors/aborts raised for
user creatable objects
* Stop requiring 'key encipherment' usage in x509 certs
* Only sanity check CA certs needed in the chain of trust
* Allow intermediate CA certs to be present in client/server
cert file
* Fix regression propagating errors in premature shutdown
of TLS connections
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE2vOm/bJrYpEtDo4/vobrtBUQT98FAmj7nZQACgkQvobrtBUQ
T9+ezBAAsgKl5O/8FYGoSAaVHq4dzbXl/Q0NzHzX7NJ7W8K6LvNy4w8zpuPZEWIt
luo3uAeRFmWGCE5kAe/rfySwvNAYfKTJWbd4+c/DN6spK8MViMfY/mL2Zows3LsJ
LDkmi7OVZpTO+JTDt9O0LpjXmtRGunDsm1Wq8WZcrLtsMe0KatVaQen0nFqc8aUf
uwAgMrZiMpsGp23PLlxaqQVBV2lzXGQHb1Y2UR0DkMBn19861ovPeNRgODc1SpmV
pvqoeXNVu3Mw4CmY3jb0fArRD8G6g8y0USahVNfXV3cYFXp1/SaEL4sNbYU3VhxG
MJXvA+uVir6HHJWiDbjiAG+6zjoggaPAwkp5f4M89fnPGgX9sRRAsCdJnR5IIEDo
58bc1WWni+KzkDXY/GJ1lMQ6jJuQxavIcpW/zi/sSLu1ceK+j+JqLmjGzpr1mPrk
D63MvLSOsKFgJNP51OeC5s3GN9UOo6jO/wOMyLTDUTdhc/WOz3Q+f5/E/bRXtaE0
S+NxMTHJdwDfeRpDXMglL9f5K1ApBo7GAMmjhwXCD3XqUb1pD7RbFNu+QKMqgT4Z
Jv/Rsik3XOHMFNoMtm+fSaUfeETASJBQQancnLyUcCUrWR9MTKBAtlm0fJypxaBp
787FL5LthIX5u7tNf5Btl67BJalHFICVEQrFe/gPq5YnuIRDmwo=
=WY6C
-----END PGP SIGNATURE-----
Merge tag 'next-pr-pull-request' of https://gitlab.com/berrange/qemu into staging
Merge misc, crypto and I/O subsystems changes
* Fix use after free in websocket handshake (CVE-2025-11234)
* Improved stack traces fatal errors/aborts raised for
user creatable objects
* Stop requiring 'key encipherment' usage in x509 certs
* Only sanity check CA certs needed in the chain of trust
* Allow intermediate CA certs to be present in client/server
cert file
* Fix regression propagating errors in premature shutdown
of TLS connections
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE2vOm/bJrYpEtDo4/vobrtBUQT98FAmj7nZQACgkQvobrtBUQ
# T9+ezBAAsgKl5O/8FYGoSAaVHq4dzbXl/Q0NzHzX7NJ7W8K6LvNy4w8zpuPZEWIt
# luo3uAeRFmWGCE5kAe/rfySwvNAYfKTJWbd4+c/DN6spK8MViMfY/mL2Zows3LsJ
# LDkmi7OVZpTO+JTDt9O0LpjXmtRGunDsm1Wq8WZcrLtsMe0KatVaQen0nFqc8aUf
# uwAgMrZiMpsGp23PLlxaqQVBV2lzXGQHb1Y2UR0DkMBn19861ovPeNRgODc1SpmV
# pvqoeXNVu3Mw4CmY3jb0fArRD8G6g8y0USahVNfXV3cYFXp1/SaEL4sNbYU3VhxG
# MJXvA+uVir6HHJWiDbjiAG+6zjoggaPAwkp5f4M89fnPGgX9sRRAsCdJnR5IIEDo
# 58bc1WWni+KzkDXY/GJ1lMQ6jJuQxavIcpW/zi/sSLu1ceK+j+JqLmjGzpr1mPrk
# D63MvLSOsKFgJNP51OeC5s3GN9UOo6jO/wOMyLTDUTdhc/WOz3Q+f5/E/bRXtaE0
# S+NxMTHJdwDfeRpDXMglL9f5K1ApBo7GAMmjhwXCD3XqUb1pD7RbFNu+QKMqgT4Z
# Jv/Rsik3XOHMFNoMtm+fSaUfeETASJBQQancnLyUcCUrWR9MTKBAtlm0fJypxaBp
# 787FL5LthIX5u7tNf5Btl67BJalHFICVEQrFe/gPq5YnuIRDmwo=
# =WY6C
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 24 Oct 2025 05:39:00 PM CEST
# gpg: using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [unknown]
# gpg: aka "Daniel P. Berrange <berrange@redhat.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF
* tag 'next-pr-pull-request' of https://gitlab.com/berrange/qemu:
crypto: switch to newer gnutls API for distinguished name
crypto: stop requiring "key encipherment" usage in x509 certs
crypto: allow client/server cert chains
crypto: fix error reporting in cert chain checks
crypto: validate an error is reported in test expected fails
crypto: remove extraneous pointer usage in gnutls certs
crypto: only verify CA certs in chain of trust
io: fix use after free in websocket handshake code
io: move websock resource release to close method
io: release active GSource in TLS channel finalizer
tests: use macros for registering char tests for sockets
qom: use ERRP_GUARD in user_creatable_complete
crypto: propagate Error object on premature termination
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
The new API automatically allocates the right amount of memory
to hold the distinguished name, avoiding the need to loop and
realloc.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This usage flag was deprecated by RFC8813, such that it is
forbidden to be present for certs using ECDSA/ECDH algorithms,
and in TLS 1.3 is conceptually obsolete.
As such many valid certs will no longer have this key usage
flag set, and QEMU should not be rejecting them, as this
prevents use of otherwise valid & desirable algorithms.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The existing implementation assumes that client/server certificates are
single individual certificates. If using publicly-issued certificates,
or internal CAs that use an intermediate issuer, this is unlikely to be
the case, and they will instead be certificate chains. While this can
be worked around by moving the intermediate certificates to the CA
certificate, which DOES currently support multiple certificates, this
instead allows the issued certificate chains to be used as-is, without
requiring the overhead of shuffling certificates around.
Corresponding libvirt change is available here:
https://gitlab.com/libvirt/libvirt/-/merge_requests/222
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: matoro <matoro_mailinglist_qemu@matoro.tk>
[DB: adapted for code conflicts with multi-CA patch]
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The loop that checks the CA certificate chain can fail to report
an error message if one of the certs in the chain has an issuer
that is not present in the chain. In this case, the outer loop
'while (checking_issuer)' will terminate after failing to find
the issuer, and no error message will be reported.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
There was a bug where TLS x509 credentials validation failed
to fill out the Error object. Validate this in the failure
scenarios.
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The 'gnutls_x509_crt_t' type is already a pointer, not a struct,
so the extra level of pointer indirection is not needed.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The CA file provided to qemu may contain CA certificates which do not
form part of the chain of trust for the specific certificate we are
sanity checking.
This patch changes the sanity checking from validating every CA
certificate to only checking the CA certificates which are part of the
chain of trust (issuer chain). Other certificates are ignored.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Henry Kleynhans <hkleynhans@fb.com>
[DB: changed 'int' to 'bool' in 'checking_issuer' variable]
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
If the QIOChannelWebsock object is freed while it is waiting to
complete a handshake, a GSource is leaked. This can lead to the
callback firing later on and triggering a use-after-free in the
use of the channel. This was observed in the VNC server with the
following trace from valgrind:
==2523108== Invalid read of size 4
==2523108== at 0x4054A24: vnc_disconnect_start (vnc.c:1296)
==2523108== by 0x4054A24: vnc_client_error (vnc.c:1392)
==2523108== by 0x4068A09: vncws_handshake_done (vnc-ws.c:105)
==2523108== by 0x44863B4: qio_task_complete (task.c:197)
==2523108== by 0x448343D: qio_channel_websock_handshake_io (channel-websock.c:588)
==2523108== by 0x6EDB862: UnknownInlinedFun (gmain.c:3398)
==2523108== by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249)
==2523108== by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237)
==2523108== by 0x45EC79F: glib_pollfds_poll (main-loop.c:287)
==2523108== by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310)
==2523108== by 0x45EC79F: main_loop_wait (main-loop.c:589)
==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835)
==2523108== by 0x454F300: qemu_default_main (main.c:37)
==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58)
==2523108== Address 0x57a6e0dc is 28 bytes inside a block of size 103,608 free'd
==2523108== at 0x5F2FE43: free (vg_replace_malloc.c:989)
==2523108== by 0x6EDC444: g_free (gmem.c:208)
==2523108== by 0x4053F23: vnc_update_client (vnc.c:1153)
==2523108== by 0x4053F23: vnc_refresh (vnc.c:3225)
==2523108== by 0x4042881: dpy_refresh (console.c:880)
==2523108== by 0x4042881: gui_update (console.c:90)
==2523108== by 0x45EFA1B: timerlist_run_timers.part.0 (qemu-timer.c:562)
==2523108== by 0x45EFC8F: timerlist_run_timers (qemu-timer.c:495)
==2523108== by 0x45EFC8F: qemu_clock_run_timers (qemu-timer.c:576)
==2523108== by 0x45EFC8F: qemu_clock_run_all_timers (qemu-timer.c:663)
==2523108== by 0x45EC765: main_loop_wait (main-loop.c:600)
==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835)
==2523108== by 0x454F300: qemu_default_main (main.c:37)
==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58)
==2523108== Block was alloc'd at
==2523108== at 0x5F343F3: calloc (vg_replace_malloc.c:1675)
==2523108== by 0x6EE2F81: g_malloc0 (gmem.c:133)
==2523108== by 0x4057DA3: vnc_connect (vnc.c:3245)
==2523108== by 0x448591B: qio_net_listener_channel_func (net-listener.c:54)
==2523108== by 0x6EDB862: UnknownInlinedFun (gmain.c:3398)
==2523108== by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249)
==2523108== by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237)
==2523108== by 0x45EC79F: glib_pollfds_poll (main-loop.c:287)
==2523108== by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310)
==2523108== by 0x45EC79F: main_loop_wait (main-loop.c:589)
==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835)
==2523108== by 0x454F300: qemu_default_main (main.c:37)
==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58)
==2523108==
The above can be reproduced by launching QEMU with
$ qemu-system-x86_64 -vnc localhost:0,websocket=5700
and then repeatedly running:
for i in {1..100}; do
(echo -n "GET / HTTP/1.1" && sleep 0.05) | nc -w 1 localhost 5700 &
done
CVE-2025-11234
Reported-by: Grant Millar | Cylo <rid@cylo.io>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The QIOChannelWebsock object releases all its resources in the
finalize callback. This is later than desired, as callers expect
to be able to call qio_channel_close() to fully close a channel
and release resources related to I/O.
The logic in the finalize method is at most a failsafe to handle
cases where a consumer forgets to call qio_channel_close.
This adds equivalent logic to the close method to release the
resources, using g_clear_handle_id/g_clear_pointer to be robust
against repeated invocations. The finalize method is tweaked
so that the GSource is removed before releasing the underlying
channel.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
While code is supposed to call qio_channel_close() before releasing the
last reference on an QIOChannel, this is not guaranteed. QIOChannelFile
and QIOChannelSocket both cleanup resources in their finalizer if the
close operation was missed.
This ensures the TLS channel will do the same failsafe cleanup.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The test-char.c has a couple of helper macros for registering tests that
need to be repeated for both IP and UNIX sockets. One test case was not
using the macro though.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
With error_propagate, the stack trace from any error_abort/fatal
usage will start from the error_propagate() call, which is largely
useless. Using ERRP_GUARD ensures the stack trace starts from
the origin that reported the error.
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The way that premature termination was handled in TLS connections was
changed to handle an ordering problem during graceful shutdown in the
migration code.
Unfortunately one of the codepaths returned -1 to indicate an error
condition, but failed to set the 'errp' parameter.
This broke error handling in the qio_channel_tls_handshake function,
as the QTask callback would no longer see that an error was raised.
As a result, the client will go on to try to use the already closed
TLS connection, resulting in misleading errors.
This was evidenced in the I/O test 233 which showed changes such as
-qemu-nbd: Certificate does not match the hostname localhost
+qemu-nbd: Failed to read initial magic: Unable to read from socket: Connection reset by peer
Fixes: 7e0c22d585
Acked-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* Correct mmu-type property of sifive_u harts in device tree
* Centralize MO_TE uses in a pair of helpers
* Fix Ethernet interface support for microchip-icicle-kit
* Fix mask for smsiaddrcfgh
* Fix env->priv setting in reset_regs_csr()
* Coverity-related fixes
* Fix riscv_cpu_sirq_pending() mask
* Fix a uninitialized variable warning
* Make PMP granularity configurable
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEaukCtqfKh31tZZKWr3yVEwxTgBMFAmj6vn4ACgkQr3yVEwxT
gBORBg/9HMcPIWY4TweyZXcVkcB/4LY3XboBCcumTUO3dEkiVMYc5TDauO++YiyJ
YPRzFSAgwNxoF2ndtNLSc6OCu6LPRzWpt9a/MavTzfNLOQZ5vUbYCd3g24uR4Plz
AOt7Jn9l8+95MxGeTq5NfDdOnyC+mF4EiIjhplbZz7UcMpouKRysAibSjuyXlYGD
DutmQ/bctyDsASNFIl3xwT4po1M4EgMX4nL01ZbfYw2sTjPH2Vj53E0eQ9iZCsP6
l8L8PEz4Jiad2rapJdm2OS6mirMd3PZbYWqvRga/NQiTs4jGYSxiIhlpqR3Ez2id
UBGjLKcbsgvyaX1ILq3n6nfftjrXpSEnCMh86/H3xZ8dhA8eBMrGTJvYXAX33ao5
d3ClcT+E7FTduc+hWl/B/l3eb6fOcEIQ172slBiPEfJJqwJgkXgOfftlxRJQ3iGs
FbpCL0zEeB1/0SUvgI8Wv5652GiaAljWhhIM7FhWpohc2DxV2iUXuxhhXgHkztwL
EIddIo9FLQqY7wxlQhvQKRT0hCm/9mtokq6jiQUTuVMn7gf4fWdvDSozRvX1b0DB
CiJcPnKgM/M4UQHci8rboADWPSJ8oOSdz5dheQfXVNJczFnDqzMMVFbkFicXidJU
aT+1sPuuSYE6hquR1p4yvxeyyfIQCdffzRBr3WZ2iq7GQ+I4/64=
=P0/u
-----END PGP SIGNATURE-----
Merge tag 'pull-riscv-to-apply-20251024' of https://github.com/alistair23/qemu into staging
Second RISC-V PR for 10.2
* Correct mmu-type property of sifive_u harts in device tree
* Centralize MO_TE uses in a pair of helpers
* Fix Ethernet interface support for microchip-icicle-kit
* Fix mask for smsiaddrcfgh
* Fix env->priv setting in reset_regs_csr()
* Coverity-related fixes
* Fix riscv_cpu_sirq_pending() mask
* Fix a uninitialized variable warning
* Make PMP granularity configurable
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCgAdFiEEaukCtqfKh31tZZKWr3yVEwxTgBMFAmj6vn4ACgkQr3yVEwxT
# gBORBg/9HMcPIWY4TweyZXcVkcB/4LY3XboBCcumTUO3dEkiVMYc5TDauO++YiyJ
# YPRzFSAgwNxoF2ndtNLSc6OCu6LPRzWpt9a/MavTzfNLOQZ5vUbYCd3g24uR4Plz
# AOt7Jn9l8+95MxGeTq5NfDdOnyC+mF4EiIjhplbZz7UcMpouKRysAibSjuyXlYGD
# DutmQ/bctyDsASNFIl3xwT4po1M4EgMX4nL01ZbfYw2sTjPH2Vj53E0eQ9iZCsP6
# l8L8PEz4Jiad2rapJdm2OS6mirMd3PZbYWqvRga/NQiTs4jGYSxiIhlpqR3Ez2id
# UBGjLKcbsgvyaX1ILq3n6nfftjrXpSEnCMh86/H3xZ8dhA8eBMrGTJvYXAX33ao5
# d3ClcT+E7FTduc+hWl/B/l3eb6fOcEIQ172slBiPEfJJqwJgkXgOfftlxRJQ3iGs
# FbpCL0zEeB1/0SUvgI8Wv5652GiaAljWhhIM7FhWpohc2DxV2iUXuxhhXgHkztwL
# EIddIo9FLQqY7wxlQhvQKRT0hCm/9mtokq6jiQUTuVMn7gf4fWdvDSozRvX1b0DB
# CiJcPnKgM/M4UQHci8rboADWPSJ8oOSdz5dheQfXVNJczFnDqzMMVFbkFicXidJU
# aT+1sPuuSYE6hquR1p4yvxeyyfIQCdffzRBr3WZ2iq7GQ+I4/64=
# =P0/u
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 24 Oct 2025 01:47:10 AM CEST
# gpg: using RSA key 6AE902B6A7CA877D6D659296AF7C95130C538013
# gpg: Good signature from "Alistair Francis <alistair@alistair23.me>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6AE9 02B6 A7CA 877D 6D65 9296 AF7C 9513 0C53 8013
* tag 'pull-riscv-to-apply-20251024' of https://github.com/alistair23/qemu: (25 commits)
target/riscv: Make PMP CSRs conform to WARL constraints
target/riscv: Make PMP granularity configurable
target/riscv: Fix a uninitialized variable warning
target/riscv: fix riscv_cpu_sirq_pending() mask
target/riscv/riscv-qmp-cmds.c: coverity-related fixes
target/riscv/kvm: fix env->priv setting in reset_regs_csr()
hw/intc: Allow gaps in hartids for aclint and aplic
aplic: fix mask for smsiaddrcfgh
microchip icicle: Enable PCS on Cadence Ethernet
hw/net/cadence_gem: Add pcs-enabled property
hw/riscv: microchip_pfsoc: Connect Ethernet PHY channels
hw/net/cadence_gem: Support two Ethernet interfaces connected to single MDIO bus
target/riscv: Introduce mo_endian_env() helper
target/riscv: Introduce mo_endian() helper
target/riscv: Factor MemOp variable out when MO_TE is set
target/riscv: Conceal MO_TE|MO_ALIGN within gen_lr() / gen_sc()
target/riscv: Conceal MO_TE within gen_cmpxchg*()
target/riscv: Conceal MO_TE within gen_storepair_tl()
target/riscv: Conceal MO_TE within gen_fload_idx() / gen_fstore_idx()
target/riscv: Conceal MO_TE within gen_load_idx() / gen_store_idx()
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
This patch ensure pmpcfg and pmpaddr comply with WARL constraints.
When the PMP granularity is greater than 4 bytes, NA4 mode is not valid
per the spec and will be silently ignored.
According to the spec, changing pmpcfg.A only affects the "read" value
of pmpaddr. When G > 2 and pmpcfg.A is NAPOT, bits pmpaddr[G-2:0] read
as all ones. When G > 1 and pmpcfg.A is OFF or TOR, bits pmpaddr[G-1:0]
read as all zeros. This allows software to read back the correct
granularity value.
In addition, when updating the PMP address rule in TOR mode,
the start and end addresses of the PMP region should be aligned
to the PMP granularity. (The current SPEC only state in TOR mode
that bits pmpaddr[G-1:0] do not affect the TOR address-matching logic.)
Signed-off-by: Jay Chang <jay.chang@sifive.com>
Reviewed-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Jim Shu <jim.shu@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251022024141.42178-3-jay.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Previously, the PMP granularity in qemu always used a minimum
granularity of 4 bytes, this patch add pmp-granularity to allow
platforms to configure the value.
A new CPU parameter pmp-granularity has been introduced to the QEMU
command line. For example:
-cpu rv64, g=true, c=true, pmp=true, pmp-granularity=1024
If no specific value is provided, the default value is 4 bytes.
Signed-off-by: Jay Chang <jay.chang@sifive.com>
Reviewed-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Jim Shu <jim.shu@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251022024141.42178-2-jay.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
riscv_cpu_validate_v() left its variable, min_vlen, uninitialized if
no vector extension is available, causing a compiler warning.
Re-define riscv_cpu_validate_v() as no-op when no vector extension is
available to prevent the scenario that will read the unintialized
variable by construction. It also simplifies its caller as a bonus.
Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Message-ID: <20251021-vlen-v2-1-1fb581d4c6bf@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
We're filtering out (MIP_VSSIP | MIP_VSTIP | MIP_VSEIP) from S-mode
pending interrupts without apparent reason. There's no special treatment
for these ints as far as the spec goes, and this filtering is causing
read_stopi() to miss those VS interrupts [1].
We shouldn't return delegated VS interrupts in S-mode though, so change
the current mask with "~env->hideleg". Note that this is the same
handling we're doing in riscv_cpu_mirq_pending() and env->mideleg.
[1] https://gitlab.com/qemu-project/qemu/-/issues/2820
Closes: https://gitlab.com/qemu-project/qemu/-/issues/2820
Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251022124340.493358-1-dbarboza@ventanamicro.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Cc: qemu-stable@nongnu.org
Coverity CID 1641401 reports that, in reg_is_ulong_integer(), we're
dereferencing a NULL pointer in "reg1" when using it in strcasecmp()
call. A similar case is reported with CID 1641393.
In theory that will never happen - it's guaranteed that both "reg1" and
"reg2" is non-NULL because we're retrieving them in compile-time from
static arrays. Coverity doesn't know that though.
To make Coverity happier and add a bit more clarity in the code,
g_assert() each token to make it clear that those 2 values aren't
supposed to be NULL ever. Do that in both reg_is_ulong_integer() and
reg_is_u64_fpu().
We're also taking the opportunity to implement suggestions made by Peter
in [1] in both functions:
- use g_strsplit() instead of strtok();
- use g_ascii_strcasecmp() instead of strcasecmp().
[1] https://lore.kernel.org/qemu-devel/CAFEAcA_y4bwd9GANbXnpTy2mv80Vg_jp+A-VkQS5V6f0+BFRAA@mail.gmail.com/
Coverity: CID 1641393, 1641401
Fixes: e06d209aa6 ("target/riscv: implement MonitorDef HMP API")
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251022125643.588947-1-dbarboza@ventanamicro.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
This patch was originally made by Gitlab user Bo Gan (@ganboing) 4
months ago in the context of issue [1]. I asked the author to send a
patch to the mailing list ~3 months ago and got no reply. I'm sending
the patch myself because we already missed 10.1 without this fix.
I'll also just post verbatim Bo Gan comment in the commit msg:
"In RISCV Linux with KVM enabled, gdbstub is broken. The
get_physical_address isn't able to page-walk correctly and resolve the
physical page. This is due to that the vcpu is being treated as starting
in M mode even if KVM enabled. However, with KVM, the vcpu is actually
started in S mode. The mmu_idx will give 3 (M), instead of 1 (S),
resulting in Guest PA == VA (wrong)!"
Set env->priv to PRV_S in kvm_riscv_reset_regs_csr() since the VCPU is
always started in S-mode for KVM.
[1] https://gitlab.com/qemu-project/qemu/-/issues/2991
Cc: qemu-stable@nongnu.org
Closes: https://gitlab.com/qemu-project/qemu/-/issues/2991
Originally-by: Bo Gan (@ganboing in Gitlab)
Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251022111105.483992-1-dbarboza@ventanamicro.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
This is needed for riscv based CPUs by MIPS since those may have
sparse hart-ID layouts. ACLINT and APLIC still assume a dense
range, and if a hart is missing, this causes NULL derefs.
Signed-off-by: Chao-ying Fu <cfu@mips.com>
Signed-off-by: Djordje Todorovic <djordje.todorovic@htecgroup.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251018154522.745788-2-djordje.todorovic@htecgroup.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
PCS needs to be enabled for SGMII to be supported by the Linux kernel.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251004200049.871646-5-linux@roeck-us.net>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
The Linux kernel checks the PCS disabled bit in the R_DESCONF register
to determine if SGMII is supported. If the bit is set, SGMII support is
disabled. Since the Microchip Icicle devicetree file configures SGMII
interface mode, enabling the Ethernet interfaces fails when booting
the Linux kernel.
Add pcs-enabled property to to let the driver know if PCS should be
enabled. Set the flag to false by default (indicating that PCS is disabled)
to match the exiting code.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251004200049.871646-4-linux@roeck-us.net>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
The Microchip PolarFire SoC Icicle Kit supports two Ethernet interfaces.
The PHY on each may be connected to separate MDIO busses, or both may be
connected on the same MDIO bus using different PHY addresses.
To be able to support two PHY instances on a single MDIO bus, two properties
are needed: First, there needs to be a flag indicating if the MDIO bus on
a given Ethernet interface is connected. If not, attempts to read from this
bus must always return 0xffff. Implement this property as phy-connected.
Second, if the MDIO bus on an interface is active, it needs a link to the
consumer interface to be able to provide PHY access for it. Implement this
property as phy-consumer.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251004200049.871646-2-linux@roeck-us.net>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
