Issue:

+ lxc exec testkvm-impish-from -- virsh migrate --unsafe --live kvmguest-bionic-normal qemu+ssh://10.104.227.250/system
error: internal error: process exited while connecting to monitor: /usr/bin/kvm-spice: W: this is an old compat wrapper script for qemu-system-x86_64 -enable-kvm
/usr/bin/kvm-spice: W: please use qemu-system-x86_64 instead of /usr/bin/kvm-spice
2022-02-07T15:16:56.765786Z qemu-system-x86_64: The -accel and "-machine accel=" options are incompatible

Original check since qemu 5.0
commit 6f6e1698
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Wed Nov 13 10:10:47 2019 +0100

    vl: configure accelerators from -accel options

But since recent commit (qemu 6.1)

commit dadafe67


Author: Jason Andryuk <jandryuk@gmail.com>
Date:   Mon Jul 12 22:15:52 2021 -0400

    vl: Parse legacy default_machine_opt

Combined with our fallback legacy kvm-spice wrapper that does
  exec qemu-system-x86_64 -enable-kvm "$@"

It can happen that we have -enable-kvm added by our wrapper (e.g. a guest
created on Bionic has that set as emulator, migrating to a new system).
Then the wrapper adds -enable-kvm.
Internally that is mapped to QEMU_OPTION_enable_kvm which becomes
  qdict_put_str(machine_opts_dict, "accel", "kvm")
that is equivalent to '-accel kvm'

But if libvirt is already passing the new style '-machine accel=kvm' then the
above older check triggers and rightfully complains about the duplication.

Repro, on jammy spawn a guest and set <emulator>/usr/bin/kvm-spice</emulator>
Then starting it will fail with above message.

An example arg might look like:
-machine none,accel=kvm:tcg
-machine none,accel=tcg
-machine accel=tcg
-accel kvm
-accel tcg

In that case we can not add -enable-kvm without breaking it.

To resolve that split kvm-spice and qemu-system-x86_64-spice, set the wanted
permissions and check in kvm-spice for that pattern and skip adding -enable-kvm.
This also allows to eliminate quite some d/rules magic that is no more
needed.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

With qemu 6.2, the source archive contains symlinks. Previously
we used to pack only regular files. Pack everything, and rework
archive creation to include everything too.

Sort archive by name too.

We need CONFIG_PARISC to be set for:
 target-$(CONFIG_PARISC) += $(OUT)hppa-firmware.img
But in roms/seabios-hppa/.config it is:
 # CONFIG_PARISC is not set

This was formerly delivered as part of qemu tarball, but no more:
$ tar tf qemu-6.0.0.tar.xz | grep -e 'seabios-hppa/\.config'
qemu-6.0.0/roms/seabios-hppa/.config
$ tar tf qemu-6.1.0.tar.xz | grep -e 'seabios-hppa/\.config'
qemu-6.1.0/roms/seabios-hppa/.config
$ tar tf qemu-6.2.0.tar.xz | grep -e 'seabios-hppa/\.config'
<nothing>

This is due to commit
https://gitlab.com/qemu-project/qemu/-/commit/e770b8cf76083cc51497b854e73f0a9bb92d1bc7
And the reference no more shipping a .config
https://gitlab.com/qemu-project/seabios-hppa/-/tags/seabios-hppa-v2



Select what we want PARISC and let kconfig pick the rest from defaults.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

Revert "make fuse debian-only, since libfuse3 in ubuntu is in universe", it is now in main (LP: #1934510)

This reverts commit 7bfe9b6e.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

- d/p/hmp-unbreak-change-vnc.patch
- d/p/qemu-sockets-fix-unix-socket-path-copy-again.patch
- d/p/skiboot-no-Werror.patch
- d/p/uas-add-stream-number-sanity-checks-CVE-2021-3713.patch
- d/p/virtio-net-fix-use-after-unmap-free-for-sg-CVE-2021-3748.patch

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

v6.2.0 release

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Merge tag 'pull-target-arm-20211207' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
 * Fix calculation of ICH_MISR_EL2.LRENP to avoid incorrect generation
   of maintenance interrupts

# gpg: Signature made Tue 07 Dec 2021 09:18:50 AM PST
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full]

* tag 'pull-target-arm-20211207' of https://git.linaro.org/people/pmaydell/qemu-arm

:
  gicv3: fix ICH_MISR's LRENP computation

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

According to the "Arm Generic Interrupt Controller Architecture
Specification GIC architecture version 3 and 4" (version G: page 345
for aarch64 or 509 for aarch32):
LRENP bit of ICH_MISR is set when ICH_HCR.LRENPIE==1 and
ICH_HCR.EOIcount is non-zero.

When only LRENPIE was set (and EOI count was zero), the LRENP bit was
wrongly set and MISR value was wrong.

As an additional consequence, if an hypervisor set ICH_HCR.LRENPIE,
the maintenance interrupt was constantly fired. It happens since patch
9cee1efe ("hw/intc: Set GIC maintenance interrupt level to only 0 or 1")
which fixed another bug about maintenance interrupt (most significant
bits of misr, including this one, were ignored in the interrupt trigger).

Fixes: 83f036fe

 ("hw/intc/arm_gicv3: Add accessors for ICH_ system registers")
Signed-off-by: Damien Hedde <damien.hedde@greensocs.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20211207094427.3473-1-damien.hedde@greensocs.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Fix stack spills for arm neon.

# gpg: Signature made Tue 07 Dec 2021 06:33:57 AM PST
# gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg:                issuer "richard.henderson@linaro.org"
# gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [ultimate]

* tag 'pull-tcg-20211207' of https://gitlab.com/rth7680/qemu

:
  tcg/arm: Reduce vector alignment requirement for NEON

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

With arm32, the ABI gives us 8-byte alignment for the stack.
While it's possible to realign the stack to provide 16-byte alignment,
it's far easier to simply not encode 16-byte alignment in the
VLD1 and VST1 instructions that we emit.

Remove the assertion in temp_allocate_frame, limit natural alignment
to the provided stack alignment, and add a comment.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1999878


Reported-by: Richard W.M. Jones <rjones@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20210912174925.200132-1-richard.henderson@linaro.org>
Message-Id: <20211206191335.230683-2-richard.henderson@linaro.org>

Pull request

# gpg: Signature made Mon 06 Dec 2021 07:27:19 AM PST
# gpg:                using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" [full]
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>" [full]

* tag 'block-pull-request' of https://gitlab.com/stefanha/qemu

:
  virtio-blk: Fix clean up of host notifiers for single MR transaction.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

MIPS fixes

- Do not emit SD instruction on 32-bit CPU (Jiaxun Yang)
- Correctly catch load_elf() errors on Boston board (Jiaxun Yang)
- Revert bogus CLI fix for ISA VGA devices (Alex Bennée)

# gpg: Signature made Mon 06 Dec 2021 03:03:24 AM PST
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]

* tag 'mips-20211206' of https://github.com/philmd/qemu

:
  Revert "vga: don't abort when adding a duplicate isa-vga device"
  hw/mips/boston: Fix load_elf() error detection
  hw/mips/bootloader: Fix write_ulong()

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

The code that introduced "virtio-blk: Configure all host notifiers in
a single MR transaction" introduced a second loop variable to perform
cleanup in second loop, but mistakenly still refers to the first
loop variable within the second loop body.

Fixes: d0267da6

 ("virtio-blk: Configure all host notifiers in a single MR transaction")
Signed-off-by: Mark Mielke <mark.mielke@gmail.com>
Message-id: CALm7yL08qarOu0dnQkTN+pa=BSRC92g31YpQQNDeAiT4yLZWQQ@mail.gmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Alex Bennée authored Dec 02, 2021 and Philippe Mathieu-Daudé committed Dec 06, 2021

This reverts commit 7852a77f

.

The check is bogus as it ends up finding itself and falling over.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/733


Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20211206095209.2332376-1-alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

Jiaxun Yang authored Nov 30, 2021 and Philippe Mathieu-Daudé committed Dec 06, 2021

load_elf() gives negative return in case of error, not zero.

Fixes: 10e3f30f

 ("hw/mips/boston: Allow loading elf kernel and dtb")
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20211130211729.7116-3-jiaxun.yang@flygoat.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

Jiaxun Yang authored Nov 30, 2021 and Philippe Mathieu-Daudé committed Dec 06, 2021

bl_gen_write_ulong uses sd for both 32 and 64 bit CPU,
while sd is illegal on 32 bit CPUs.

Replace sd with sw on 32bit CPUs.

Fixes: 3ebbf861

 ("hw/mips: Add a bootloader helper")
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20211130211729.7116-2-jiaxun.yang@flygoat.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

seabios: update from snapshot to final 1.15.0 release (no code changes).

# gpg: Signature made Fri 03 Dec 2021 12:55:34 AM PST
# gpg:                using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]

* tag 'seabios-20211203-pull-request' of git://git.kraxel.org/qemu

:
  seabios: update binaries to 1.15.0
  seabios: update submodule to 1.15.0

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Update seabios to the final release.  No code changes
compared to the snapshot merged a few weeks ago.

shortlog 64f37cc530f1..rel-1.15.0
---------------------------------

Kevin O'Connor (1):
      docs: Note v1.15.0 release

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Pull request

# gpg: Signature made Wed 01 Dec 2021 10:17:38 PM PST
# gpg:                using RSA key F9B7ABDBBCACDF95BE76CBD07DEF8106AAFC390E
# gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>" [full]

* tag 'ide-pull-request' of https://gitlab.com/jsnow/qemu

:
  tests/qtest/fdc-test: Add a regression test for CVE-2021-20196
  hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
  hw/block/fdc: Extract blk_create_empty_drive()

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Without the previous commit, when running 'make check-qtest-i386'
with QEMU configured with '--enable-sanitizers' we get:

  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==287878==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000344
  ==287878==The signal is caused by a WRITE memory access.
  ==287878==Hint: address points to the zero page.
      #0 0x564b2e5bac27 in blk_inc_in_flight block/block-backend.c:1346:5
      #1 0x564b2e5bb228 in blk_pwritev_part block/block-backend.c:1317:5
      #2 0x564b2e5bcd57 in blk_pwrite block/block-backend.c:1498:11
      #3 0x564b2ca1cdd3 in fdctrl_write_data hw/block/fdc.c:2221:17
      #4 0x564b2ca1b2f7 in fdctrl_write hw/block/fdc.c:829:9
      #5 0x564b2dc49503 in portio_write softmmu/ioport.c:201:9

Add the reproducer for CVE-2021-20196.

Suggested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20211124161536.631563-4-philmd@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>