Start a simple test program that will exercise the QEMU audio APIs.
It is meant to run manually for now, as it accesses the sound system and
produces sound by default, and also runs for a few seconds. We may want
to make it silent or use the "none" (noaudio) backend by default though,
so it can run as part of the automated test suite.
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Add --skip-missing-deps flag that prints warnings for missing
dependencies but continues without exiting with error code 1.
Acked-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
This will allow to use modinfo-generate in cases where devices aren't
relevant (tests etc)
Acked-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>w
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
This will allow to tweak argument handling more easily next.
Acked-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
This can help create tests, for example.
Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Windows doesn't support modules, atm, but we can treat it as a regular
audio unit regardless.
MacOs does support module, so this is fine.
Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
AudioBackend had a vm_running field which was set in
audio_vm_change_state_handler().
The state change handler "bool running" argument is true when
vm_prepare_start() calls it, and the VM runstate is either SUSPENDED or
RUNNING.
Audio hw voices shouldn't be running when the VM is suspended, but only
when running. Thus replacing the vm_running field with a call to
runstate_is_running() is both simpler and more correct.
Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Set "using_dbus_display" during early_dbus_init(), so that we can try to
create the "dbus" audio backend by default from audio_prio_list.
This makes dbus audio work by default when using an audio device,
without having to setup and wire up the -audiodev manually.
The added FIXME is addressed in the following commits.
Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Previous commits made this dead code.
Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Previous commit drop the need for this field.
Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
AUD_init_time_stamp_{in,out} and AUD_get_elapsed_usec_{in,out} are only
used by the adlib device. The result isn't actually being used since
ADLIB_KILL_TIMERS was set some 20y ago. Let's drop this dead code now.
Drop QEMUAudioTimeStamp as well as reported by Akihiko Odaki.
Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
The eth_header is not actually guaranteed to be aligned. We attempt
to deal with this in some places such as net_checksum_calculate() by
using lduw_be_p() and so on to access the fields, but this is not
sufficient to be correct, because even accessing a byte member within
a misaligned struct is undefined behaviour. The clang sanitizer will
emit an error like this if you run the sifive_u_mmc functional test
with sanitizers enabled:
../../net/checksum.c:144:24: runtime error: member access within misaligned address 0x619a74c32033 for type 'tcp_header' (aka 'struct tcp_header'), which requires 4 byte alignment
0x619a74c32033: note: pointer points here
0a 00 02 02 86 aa 00 16 52 c1 d3 70 00 00 00 00 a0 02 fa f0 00 00 00 00 02 04 05 b4 04 02 08 0a
^
#0 0x619a6ba84794 in net_checksum_calculate /home/pm215/qemu/build/clang/../../net/checksum.c:144:24
#1 0x619a6b5940da in gem_transmit /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1386:21
#2 0x619a6b592141 in gem_write /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1650:13
Fix this by marking the tcp_header struct as QEMU_PACKED.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-ID: <20260212140917.1443253-6-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
The eth_header is not actually guaranteed to be aligned. We attempt
to deal with this in some places such as net_checksum_calculate() by
using lduw_be_p() and so on to access the fields, but this is not
sufficient to be correct, because even accessing a byte member within
a misaligned struct is undefined behaviour. The clang sanitizer will
emit an error like this if you run the sifive_u_mmc functional test
with sanitizers enabled:
../../net/checksum.c:168:24: runtime error: member access within misaligned address 0x5b7a7f829033 for type 'udp_header' (aka 'struct udp_header'), which requires 2 byte alignment
0x5b7a7f829033: note: pointer points here
ff ff ff ff 00 44 00 43 01 34 58 54 01 01 06 00 85 95 80 60 00 00 00 00 00 00 00 00 00 00 00 00
^
#0 0x5b7a71a5887e in net_checksum_calculate /home/pm215/qemu/build/clang/../../net/checksum.c:168:24
#1 0x5b7a7156819a in gem_transmit /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1386:21
#2 0x5b7a71566201 in gem_write /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1650:13
Fix this by marking the udp_header struct as QEMU_PACKED,
so that the compiler knows it might be unaligned and will
generate the right code for accessing fields.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-ID: <20260212140917.1443253-5-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
The eth_header is not actually guaranteed to be aligned. We attempt
to deal with this in some places such as net_checksum_calculate() by
using lduw_be_p() and so on to access the fields, but this is not
sufficient to be correct, because even accessing a byte member within
a misaligned struct is undefined behaviour. The clang sanitizer will
emit an error like this if you run the sifive_u_mmc functional test
with sanitizers enabled:
../../net/checksum.c:78:47: runtime error: member access within misaligned address 0x561f52f35011 for type 'struct eth_header', which requires 2 byte alignment
0x561f52f35011: note: pointer points here
00 00 00 00 33 33 00 00 00 16 52 54 00 12 34 56 86 dd 60 00 00 00 00 24 00 01 00 00 00 00 00 00
^
#0 0x561f20608459 in net_checksum_calculate /home/pm215/qemu/build/clang/../../net/checksum.c:78:47
#1 0x561f20117bfa in gem_transmit /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1386:21
#2 0x561f20115c61 in gem_write /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1650:13
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../net/checksum.c:78:47
Fix this by marking the eth_header struct as QEMU_PACKED, so that the
compiler knows it might be unaligned and will generate the right code
for accessing fields.
This is similar to commit f8b94b4c52 ("net: mark struct ip_header as
QEMU_PACKED") where we fixed this for a different struct defined in
this file.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-ID: <20260212140917.1443253-4-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
In eth_strip_vlan_ex() we take a pointer to the eth_header h_proto
field into a local uint16_t* variable, and then later in the function
we dereference that pointer. This isn't safe, because the eth_header
struct may not be aligned, and if we mark the struct as QEMU_PACKED
then gcc will complain about taking the address of a field in a
packed struct.
Instead, make the local variable be a void* and use the appropriate
functions for accessing 16 bits of possibly unaligned data through
it.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-ID: <20260212140917.1443253-3-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
In rocker_of_dpa.c we assume that the h_proto field in an eth_header
struct is aligned, and we copy its address into a uint16_t* in the
OfDpaFlowPktFields struct which we then dereference later. This
isn't a safe assumption; it will also result in compilation failures
with gcc if we mark the eth_header struct as QEMU_PACKED because gcc
will not let you take the address of an unaligned struct field.
Make the h_proto field in OfDpaFlowPktFields a void*, and make all
the places where we previously read through that pointer instead use
a new accessor function which allows for the possible lack of
alignment.
(Compare commit 5814c08467
"hw/net/virtio-net.c: Don't assume IP length field is aligned"
which fixed a similar problem elsewhere for an ip_header field.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-ID: <20260212140917.1443253-2-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
The do_interrupt parameter for rtl8139_do_receive was originally added
in commit 6cadb320c7 to avoid generating interrupt when receiving in
loopback mode. Later commit 5311fb805a changed this so that this
parameter became ineffective and now this parameter is unused and
always 1. If this turns out to be a problem maybe there's a better way
to fix this so remove the do_interrupt parameter for now to simplify
code.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260127173849.588F25969F0@zero.eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Add a hint to the developer that this should only be called from a
reset chain.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20260219171810.602667-15-alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Allow to include it from common code (vhost-user, in next commit),
else it pulls ppc/cpu.h which has target specifics.
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260131020100.1115203-4-pierrick.bouvier@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Now that all targets have the graphic dimension variables
initialized the same way, we can move them to the common
file unit, having them built once. Remove the now empty
globals-target.c file. The command line '-g WxH[xD]' option
is not changed and behaves the same.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260216213121.47122-9-philmd@linaro.org>
If a dimension is not set, have the machine init code set
the default values.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260216213121.47122-8-philmd@linaro.org>
If a dimension is not set, have the machine init code
set the default values.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20260216213121.47122-7-philmd@linaro.org>
If a dimension is not set, have the machine init code
(q800_machine_init) set the default values.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20260216213121.47122-6-philmd@linaro.org>
The MACFB_DISPLAY_APPLE_21_COLOR mode is not specific to the Q800
machine. Check and set it once in the MacFB DeviceRealize handler.
No need to explicitly set the MACFB_DISPLAY_VGA mode since this is
the default value.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20260216213121.47122-5-philmd@linaro.org>
Once the Mac Frame Buffer device is realized on the NuBus,
its MacFbMode might be different of the global graphic_depth
and graphic_width globals. Prefer the device MacFbMode fields
to initialize the BootInfo structure.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20260216213121.47122-4-philmd@linaro.org>
macfb_mode_table[] is only read, never updated, so can be const.
Update the call sites accordingly.
Make the MacfbState::mode pointer to const.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260216213121.47122-3-philmd@linaro.org>
macfb_sense_table[] is only read, never updated, so can be const.
Update the single call site, macfb_sense_read().
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260216213121.47122-2-philmd@linaro.org>
When removing the 'emergency-write' property in commit d0660e5b7f
we neglected to remove the code reducing the virtio_console_config
structure size, allowing to access up to the unallocated 'emerg_wr'
field.
Can be reproduced running:
$ cat << EOF | qemu-system-i386 -nodefaults \
-machine q35 -m 512M \
-device virtio-serial \
-display none \
-machine accel=qtest -qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xc000
outl 0xcf8 0x80000804
outw 0xcfc 0x01
outl 0xc014 0x00
EOF
==3210206==ERROR: AddressSanitizer: heap-buffer-overflow
on address 0x502000090858 at pc 0x5638f1300a9b bp 0x7fff6b525b80 sp 0x7fff6b525b70
READ of size 4 at 0x502000090858 thread T0
#0 0x5638f1300a9a in set_config hw/char/virtio-serial-bus.c:590
#1 0x5638f0bccdcf in virtio_config_writel hw/virtio/virtio-config-io.c:104
#2 0x5638f0bd0c89 in virtio_pci_config_write hw/virtio/virtio-pci.c:637
#3 0x5638f0cf90cf in memory_region_write_accessor system/memory.c:491
#4 0x5638f0cf975b in access_with_adjusted_size system/memory.c:567
#5 0x5638f0d01d3f in memory_region_dispatch_write system/memory.c:1547
#6 0x5638f0d2fa1e in address_space_stm_internal system/memory_ldst.c.inc:85
#7 0x5638f0d30013 in address_space_stl_le system/memory_ldst_endian.c.inc:53
#8 0x5638f0ceb568 in cpu_outl system/ioport.c:79
#9 0x5638f0d3c0f9 in qtest_process_command system/qtest.c:483
0x502000090858 is located 0 bytes to the right of 8-byte region [0x502000090850,0x502000090858)
allocated by thread T0 here:
#0 0x7f0dc32cba57 in __interceptor_calloc src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x7f0dc2382c50 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ec50)
#2 0x5638f1303c27 in virtio_serial_device_realize hw/char/virtio-serial-bus.c:1046
#3 0x5638f1396a9c in virtio_device_realize hw/virtio/virtio.c:4053
#4 0x5638f13ea370 in device_set_realized hw/core/qdev.c:523
#5 0x5638f13fdaf6 in property_set_bool qom/object.c:2376
#6 0x5638f13f9098 in object_property_set qom/object.c:1450
#7 0x5638f140283c in object_property_set_qobject qom/qom-qobject.c:28
#8 0x5638f13f9616 in object_property_set_bool qom/object.c:1520
#9 0x5638f13e91cc in qdev_realize hw/core/qdev.c:276
#10 0x5638f0c3d94b in virtio_serial_pci_realize hw/virtio/virtio-serial-pci.c:69
#11 0x5638f0bda886 in virtio_pci_realize hw/virtio/virtio-pci.c:2351
#12 0x5638f09bc2ae in pci_qdev_realize hw/pci/pci.c:2310
#13 0x5638f0bdb2f2 in virtio_pci_dc_realize hw/virtio/virtio-pci.c:2473
#14 0x5638f13ea370 in device_set_realized hw/core/qdev.c:523
SUMMARY: AddressSanitizer: heap-buffer-overflow hw/char/virtio-serial-bus.c:590 in set_config
Fixes: d0660e5b7f ("hw/char/virtio-serial: Do not expose the 'emergency-write' property")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3303
Buglink: https://issues.oss-fuzz.com/issues/484647006
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20260216205527.45938-1-philmd@linaro.org>
Renaming this function removes the confusion with
existing virtio_is_big_endian cpu ops.
Indeed, virtio_vdev_is_big_endian is *not* calling cpu
virtio_is_big_endian everytime.
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260212234602.338131-3-pierrick.bouvier@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
VirtIODevice argument is accessed read-only, make it const.
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260206221908.1451528-2-pierrick.bouvier@linaro.org>
The virt_ctrl_read() function currently invokes trace_virt_ctrl_write()
instead of trace_virt_ctrl_read(). This results in read operations
appearing as write operations in the trace output, which is misleading
during debugging and analysis.
Replace the incorrect trace call with the proper read-specific trace
event to accurately reflect the hardware behavior.
Fixes: 0791bc02b8 ("m68k: add a system controller")
Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260111184915.1363318-1-visitorckw@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Major enhancements to SeaBIOS-hppa to support an A400 server. This server
requires 64-bit PAT firmware, so SeaBIOS-hppa was extendend a lot. PAT firmware
is required as well to support 64-bit HP-UX 11i3 or MPE.
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQS86RI+GtKfB8BJu973ErUQojoPXwUCaZcFewAKCRD3ErUQojoP
X+DzAP92OFkgItNkG1Rv7z1Bk9J+6wzs2aYDyZud7Fc8/xB4IgD+Okm8B5LwXyQx
BQIvYQiIo3e3Ix51tDQQXBvpLappTAw=
=rCC8
-----END PGP SIGNATURE-----
Merge tag 'hppa-a400-pull-request' of https://github.com/hdeller/qemu-hppa into staging
hppa a400 machine support
Major enhancements to SeaBIOS-hppa to support an A400 server. This server
requires 64-bit PAT firmware, so SeaBIOS-hppa was extendend a lot. PAT firmware
is required as well to support 64-bit HP-UX 11i3 or MPE.
# -----BEGIN PGP SIGNATURE-----
#
# iHUEABYKAB0WIQS86RI+GtKfB8BJu973ErUQojoPXwUCaZcFewAKCRD3ErUQojoP
# X+DzAP92OFkgItNkG1Rv7z1Bk9J+6wzs2aYDyZud7Fc8/xB4IgD+Okm8B5LwXyQx
# BQIvYQiIo3e3Ix51tDQQXBvpLappTAw=
# =rCC8
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu Feb 19 12:43:39 2026 GMT
# gpg: using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
# gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown]
# gpg: aka "Helge Deller <deller@kernel.org>" [unknown]
# gpg: aka "Helge Deller <deller@debian.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4544 8228 2CD9 10DB EF3D 25F8 3E5F 3D04 A7A2 4603
# Subkey fingerprint: BCE9 123E 1AD2 9F07 C049 BBDE F712 B510 A23A 0F5F
* tag 'hppa-a400-pull-request' of https://github.com/hdeller/qemu-hppa:
hw/hppa: Add emulation for the 64-bit A400 server
hw/hppa: Require SeaBIOS version 22 for A400 machine
target/hppa: Update SeaBIOS-hppa to version 22
hw/hppa: Add BMC on 64-bit machines only
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
While I was rebasing my series about inflight migration, I missed a
small issue in vhost_inflight_buffer_preload:
* fix wrong return type in function
* fix error check
Signed-off-by: Alexandr Moshkov <dtalexundeer@yandex-team.ru>
Fixes: tag pls?
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260220094800.276489-1-dtalexundeer@yandex-team.ru>
The amount of bytes to read passed to AUD_read() should never surpass
the maximum available buffer length. Tighten the current amount by
MIN(<amount>, max_size - <existing size>).
Cc: qemu-stable@nongnu.org
Fixes: 98e77e3dd8 ("virtio-snd: add max size bounds check in input cb")
Reported-by: DARKNAVY <vr@darknavy.com>
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260220-virtio-snd-series-v1-5-207c4f7200a2@linaro.org>
In 98e77e3d we calculated the max size and checked that each buffer is smaller than it.
We neglected to subtract the size of the virtio_snd_pcm_status header
from the max size, and max_size was thus larger than the correct value,
leading to potential OOB writes.
If the buffer cannot fit the header or can fit only the header, return
the buffer immediately.
Cc: qemu-stable@nongnu.org
Fixes: 98e77e3dd8 ("virtio-snd: add max size bounds check in input cb")
Reported-by: DARKNAVY <vr@darknavy.com>
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260220-virtio-snd-series-v1-4-207c4f7200a2@linaro.org>
The section 5.14.6.2 of the VIRTIO spec says:
5.14.6.2 Driver Requirements: Item Information Request
- The driver MUST NOT set start_id and count such that start_id +
count is greater than the total number of particular items that is
indicated in the device configuration space.
- The driver MUST provide a buffer of sizeof(struct virtio_snd_hdr) +
count * size bytes for the response.
While we performed some check for the second requirement, it failed to
check for integer overflow.
Add also a check for the first requirement, which should limit exposure
to any overflow, since realistically the number of streams will be low
enough in value such that overflow is improbable.
Cc: qemu-stable@nongnu.org
Reported-by: 罗铭源 <myluo24@m.fudan.edu.cn>
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260220-virtio-snd-series-v1-3-207c4f7200a2@linaro.org>
Replying with a VIRTIO_SND_S_BAD_MSG error does not warrant a device
reset. Instead, a device reset happens when the driver requests it from the
transport.
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260220-virtio-snd-series-v1-2-207c4f7200a2@linaro.org>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260220-virtio-snd-series-v1-1-207c4f7200a2@linaro.org>
Added assert-deassert PERST implementation for physical ports (both USP
and DSP's).
Assert PERST involves bg operation for holding 100ms.
Reset PPB implementation for physical ports.
Signed-off-by: Arpit Kumar <arpit1.kumar@samsung.com>
Co-developed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260204173223.44122-4-Jonathan.Cameron@huawei.com>
Marc-André Lureau
Peter Maydell
BALATON Zoltan
Alex Bennée
Pierrick Bouvier
Philippe Mathieu-Daudé
Kuan-Wei Chiu
Alexandr Moshkov
Manos Pitsidianakis
Arpit Kumar