A guest could craft a specific stream of instructions that will have QEMU
write 0xF9 to inappropriate locations in memory. Add additional asserts
to check for this. Generate a #UD if there are more than 14 prefix bytes.
Found by Julian Stecklina
Signed-off-by: Cameron Esfahani
Signed-off-by
Reviewed-by: Cameron Esfahani <di...@apple.com>
> On Feb 11, 2022, at 8:34 AM, Philippe Mathieu-Daudé via
> wrote:
>
> When building on macOS 12 we get:
>
> block/file-posix.c:3335:18: warning: 'IOMasterPort' is deprecated: first
> deprecated in
Reviewed-by: Cameron Esfahani <di...@apple.com>
> On Feb 11, 2022, at 8:34 AM, Philippe Mathieu-Daudé via
> wrote:
>
> setAllowedFileTypes is deprecated in macOS 12.
>
> Per Akihiko Odaki [*]:
>
> An image file, which is being chosen by the panel, c
LGTM
Reviewed-by: Cameron Esfahani <di...@apple.com>
Cameron
> On Feb 9, 2022, at 4:41 AM, Alexander Graf wrote:
>
> We are parsing the syndrome field for sysregs in multiple places across
> the hvf code, but repeat shift/mask operations with hard coded constants
>
Ping
Cameron
> On Oct 28, 2021, at 11:09 PM, Philippe Mathieu-Daudé
> wrote:
>
> On 10/29/21 03:33, Cameron Esfahani wrote:
>> No need to have our own definitions of these registers.
>>
>> Signed-off-by: Cameron Esfahani
>> ---
>> target/i386/hvf/v
Ping
Cameron
> On Oct 29, 2021, at 5:02 PM, Cameron Esfahani wrote:
>
> A guest could craft a specific stream of instructions that will have QEMU
> write 0xF9 to inappropriate locations in memory. Add additional asserts
> to check for this. Generate a #UD if there are more
Ping
Cameron
> On Oct 31, 2021, at 10:48 PM, Cameron Esfahani wrote:
>
> Pass through RDPID and RDTSCP support in CPUID if host supports it.
> Correctly detect if CPU_BASED_TSC_OFFSET and CPU_BASED2_RDTSCP would
> be supported in primary and secondary processor-based VM-execu
Reviewed-by: Cameron Esfahani <di...@apple.com>
Cameron
> On Feb 7, 2022, at 2:52 PM, Alexander Graf wrote:
>
> Recent Linux versions added support to read ID_AA64ISAR2_EL1. On M1,
> those reads trap into QEMU which handles them as faults.
>
> However, acc
Instead of always returning 0, return actual starttime.
v3: Fix formatting issues
v2: Use clock_gettime() instead of scanning /proc/self/stat
Signed-off-by: Cameron Esfahani
---
linux-user/main.c    | 14 ++
linux-user/qemu.h    | 3 +++
linux-user/syscall.c | 3 +++
3 files
Instead of always returning 0, return actual starttime.
v2: Use clock_gettime() instead of scanning /proc/self/stat
Signed-off-by: Cameron Esfahani
---
linux-user/main.c    | 11 +++
linux-user/qemu.h    | 3 +++
linux-user/syscall.c | 3 +++
3 files changed, 17 insertions(+)
diff
Instead of always returning 0, return actual starttime.
Signed-off-by: Cameron Esfahani
---
linux-user/syscall.c | 28
1 file changed, 28 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 5950222a77..59265ab986 100644
--- a/linux-user
CPUID.
Signed-off-by: Cameron Esfahani
---
target/i386/hvf/hvf.c | 26 +-
target/i386/hvf/vmcs.h | 3 ++-
target/i386/hvf/x86_cpuid.c | 7 ---
3 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/target/i386/hvf/hvf.c b/target/i386/hvf/hvf.c
index
A guest could craft a specific stream of instructions that will have QEMU
write 0xF9 to inappropriate locations in memory. Add additional asserts
to check for this. Generate a #UD if there are more than 14 prefix bytes.
Found by Julian Stecklina
Signed-off-by: Cameron Esfahani
---
target
No need to have our own definitions of these registers.
Signed-off-by: Cameron Esfahani
---
target/i386/hvf/vmx.h | 17 +
target/i386/hvf/x86.c | 6 +++---
target/i386/hvf/x86.h | 34 --
target/i386/hvf/x86_mmu.c | 2 +-
target
Reviewed-by: Cameron Esfahani <di...@apple.com>
Cameron Esfahani
di...@apple.com
> On Jan 12, 2021, at 10:07 PM, Hill Ma wrote:
>
> This prevents illegal instruction on cpus that do not support xgetbv.
>
> Buglink: https://bugs.launchpad.net/qemu/+bug/1758819
>
r (at your option) any later version.
> *
> * This program is distributed in the hope that it will be useful,
> * but WITHOUT ANY WARRANTY; without even the implied warranty of
> diff --git a/target/i386/hvf/x86hvf.h b/target/i386/hvf/x86hvf.h
> index 79539f7..860bd2e 100644
> --- a/target/i386/hvf/x86hvf.h
> +++ b/target/i386/hvf/x86hvf.h
> @@ -5,7 +5,7 @@
> * This program is free software; you can redistribute it and/or
> * modify it under the terms of the GNU Lesser General Public
> * License as published by the Free Software Foundation; either
> - * version 2 of the License, or (at your option) any later version.
> + * version 2.1 of the License, or (at your option) any later version.
> *
> * This program is distributed in the hope that it will be useful,
> * but WITHOUT ANY WARRANTY; without even the implied warranty of
> --
> 2.17.1
>
Reviewed-by: Cameron Esfahani <di...@apple.com>
Cameron Esfahani
Reviewed-by: Cameron Esfahani
Cameron Esfahani
di...@apple.com
"The cake is a lie."
Common wisdom
> On May 28, 2020, at 12:37 PM, Roman Bolshakov wrote:
>
> Hi,
>
> This is a cleanup series for HVF accel.
>
> HVF is using two emulator states CPUX
Reviewed-by: Cameron Esfahani
Cameron Esfahani
di...@apple.com
"It is the spirit and not the form of law that keeps justice alive."
Earl Warren
> On Jun 1, 2020, at 5:42 AM, Roman Bolshakov wrote:
>
> ld64 is making PIE executables for 10.7 and above by default, as
Reviewed-by: Cameron Esfahani
Cameron Esfahani
di...@apple.com
"Americans are very skilled at creating a custom meaning from something that's
mass-produced."
Ann Powers
> On May 7, 2020, at 6:16 AM, Gerd Hoffmann wrote:
>
> Use a single io range for _CRS instead
Commit message typo tcg_allowed -> hvf_allowed.
If fixed:
Reviewed-by: Cameron Esfahani
Cameron Esfahani
di...@apple.com
"You only live once, and the way I live, once is enough"
Frank Sinatra
> On May 9, 2020, at 6:09 AM, Philippe Mathieu-Daudé wrote:
>
> When HVF
Signed-off-by: Cameron Esfahani
---
v2:
+ Fix duplicate line Roman Bolshakov found in review.
---
target/i386/cpu.h | 2 ++
target/i386/hvf/hvf.c | 2 +-
target/i386/hvf/vmx.h | 15 ---
target/i386/hvf/x86.c | 6 +++---
target/i386/hvf/x86.h | 34
he start of the last valid
CNF register: 0x77c.
Now, qtests work with or without the unaligned access patches.
Reviewed-by: Cédric Le Goater
Tested-by: Cédric Le Goater
Reviewed-by: Joel Stanley
Signed-off-by: Cameron Esfahani
---
include/hw/gpio/nrf51_gpio.h | 2 +-
1 file changed, 1 inse
e range without losing any compatibility, you'd get
my thumbs up.
Cameron Esfahani
di...@apple.com
"The cake is a lie."
Common wisdom
> On Apr 8, 2020, at 5:59 AM, Gerd Hoffmann wrote:
>
> Hi,
>
>>>>>>> +crs = aml_resource_template();
I'll update with your feedback.
Cameron Esfahani
di...@apple.com
"We do what we must because we can."
Aperture Science
> On Apr 5, 2020, at 11:51 AM, Roman Bolshakov wrote:
>
> On Mon, Mar 30, 2020 at 05:16:05PM -0700, Cameron Esfahani wrote:
>> S
Responses inline
Cameron Esfahani
di...@apple.com
"We do what we must because we can."
Aperture Science
> On Apr 5, 2020, at 10:58 AM, Roman Bolshakov wrote:
>
> On Mon, Mar 30, 2020 at 05:16:04PM -0700, Cameron Esfahani wrote:
>> Signed-off-by: Cameron Esfaha
qtest_readl(qts, NRF51_GPIO_BASE + NRF51_GPIO_REG_CNF_END - 3) &
> 0x01;
> g_assert_cmpuint(actual, ==, 0x01);
Cameron Esfahani
di...@apple.com
"Americans are very skilled at creating a custom meaning from something that's
mass-produced."
Ann Powers
> On Apr 7, 2020, at 1:4
1_GPIO_REG_CNF_END to the start of the last valid
CNF register: 0x77c.
Now, qtests work with or without Cedric's patch.
Signed-off-by: Cameron Esfahani
---
include/hw/gpio/nrf51_gpio.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/hw/gpio/nrf51_gpio.h b/incl
G_CNF_END 0x77F
+#define NRF51_GPIO_REG_CNF_END 0x77C
#define NRF51_GPIO_PULLDOWN 1
#define NRF51_GPIO_PULLUP 3
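Review bot: the new CNF_END value 0x77C matches the commit text above (start of the last valid CNF register), but any caller that located that register as NRF51_GPIO_REG_CNF_END - 3, as the qtest quoted earlier on this page does, now computes 0x779, which is not 4-byte aligned; confirm that such readers use NRF51_GPIO_REG_CNF_END directly before relying on this one-line header change.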
Considering this change works for pre-Cedric patch and post, I'll post an
official version shortly.
And hopefully this unblocks review of Cedric's patch...
Cameron
s for any of the 4-byte
fields...
Cameron Esfahani
di...@apple.com
"In the elder days of Art, Builders wrought with greatest care each minute and
unseen part; For the gods see everywhere."
"The Builders", H. W. Longfellow
> On Mar 31, 2020, at 2:57 AM, Cameron Esfahani
to be
2.
But, after that, to support people doing strange things like reading
traditionally 4-byte values as 2 2-byte values, we probably need to change
xhci_cap_read() to handle every memory range in steps of 2-bytes.
But I'll defer to Gerd on this...
Cameron Esfahani
di...@apple.com
Reviewed-by: Cameron Esfahani
LGTM.
Cameron Esfahani
di...@apple.com
"There are times in the life of a nation when the only place a decent man can
find himself is in prison."
> On Mar 28, 2020, at 10:44 AM, Roman Bolshakov wrote:
>
> The sequence of instructions expos
macOS lazily enables AVX512. Explicitly enable it if the processor
supports it.
cpu_x86_cpuid() tries to handle OSXSAVE but refers to env->cr[4] for the
guest copy of CR4. HVF doesn't support caching CPUID values like KVM,
so we need to track it ourselves.
Signed-off-by: Cameron
Signed-off-by: Cameron Esfahani
---
target/i386/cpu.h | 2 ++
target/i386/hvf/hvf.c | 1 +
target/i386/hvf/vmx.h | 15 ---
target/i386/hvf/x86.c | 6 +++---
target/i386/hvf/x86.h | 34 --
target/i386/hvf/x86_mmu.c | 2
0x01] in EXIT_REASON_CPUID, we
reflect the current state of CR4[OSXSAVE].
- macOS lazily enables AVX512 for processes. Explicitly enable AVX512
for QEMU.
With these two changes, guests can correctly detect and enable AVX512.
Cameron Esfahani (3):
hvf: use standard CR0 and CR4 register definitio
Signed-off-by: Cameron Esfahani
---
target/i386/hvf/vmx.h | 12 +++-
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/target/i386/hvf/vmx.h b/target/i386/hvf/vmx.h
index 8ec2e6414e..1a1b150c97 100644
--- a/target/i386/hvf/vmx.h
+++ b/target/i386/hvf/vmx.h
@@ -121,6 +121,7
macOS will read HCIVERSION separate from CAPLENGTH. Add a distinct
handler for that register.
Signed-off-by: Cameron Esfahani
---
hw/usb/hcd-xhci.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index b330e36fe6..061f8438de 100644
--- a/hw/usb/hcd
Please add me to the HVF maintainers as well.
Cameron Esfahani
di...@apple.com
"In the elder days of Art, Builders wrought with greatest care each minute and
unseen part; For the gods see everywhere."
"The Builders", H. W. Longfellow
> On Mar 16, 2020, at 5:00 AM,
Sorry I didn't see this yesterday.
We've (Apple) signed up for taking over HVF ownership. I didn't realize I
needed to add to the MAINTAINERS list.
Roman, we also have a bunch of pending fixes for some of the issues you've
listed. We're in the process of upstreamin
In my investigation, ZRLE always compresses better than ZLIB so
prioritize ZRLE over ZLIB, even if the client hints that ZLIB is
preferred.
zlib buffer is always reset in zrle_compress_data(), so using offset to
calculate next_out and avail_out is useless.
Signed-off-by: Cameron Esfahani
s better than ZLIB.
Prioritize ZRLE over ZLIB, even if the client hints that ZLIB is preferred.
Cameron Esfahani (2):
vnc: fix VNC artifacts
vnc: prioritize ZRLE compression over ZLIB
ui/vnc-enc-zrle.c | 4 ++--
ui/vnc.c | 31 +++
2 files chan
on. The mutated
z_stream would generate future zlib blocks which referred to symbols in
past blocks which weren't sent. This would lead to artifacting.
This reverts commit de3f7de7f4e257ce44cdabb90f5f17ee99624557.
Fixes: ("vnc: allow fall back to RAW encoding")
Signed-off-
I’m new to this process, what are the next steps?
Cameron Esfahani
di...@apple.com
> On Jan 16, 2020, at 11:47 PM, Gerd Hoffmann wrote:
>
> On Thu, Jan 16, 2020 at 07:50:58PM -0800, Cameron Esfahani wrote:
>> Remove VNC optimization to reencode framebuffer update as raw if
Yes. Personally, I'd also take the change to vnc-enc-zrle.c: because
vs->zrle->zlib is reset at the top of the function, using vs->zrle->zlib.offset
in determining zstream->next_out and zstream->avail_out is useless.
Cameron Esfahani
di...@apple.com
"All that is
n ZLIB so
prioritize ZRLE over ZLIB, even if the client hints that ZLIB is
preferred.
Fixes: ("vnc: allow fall back to RAW encoding")
Signed-off-by: Cameron Esfahani
---
ui/vnc-enc-zrle.c | 4 ++--
ui/vnc.c | 30 +++---
2 files changed, 13 insertions
Try against 4.2.
Cameron Esfahani
di...@apple.com
"In the elder days of Art, Builders wrought with greatest care each minute and
unseen part; For the gods see everywhere."
"The Builders", H. W. Longfellow
> On Dec 30, 2019, at 8:41 AM, Alex Fliker
> wrote:
Ping.
Cameron Esfahani
di...@apple.com
"Americans are very skilled at creating a custom meaning from something that's
mass-produced."
Ann Powers
> On Dec 12, 2019, at 12:30 AM, Cameron Esfahani via
> wrote:
>
> Fix a small memory leak in the Bochs display dr
Fix a small memory leak in the Bochs display driver.
Each frame would leak about 304 bytes.
v2: Add missing signed-off-by line.
v3: Add reviewed-by and fixes lines.
Cameron Esfahani (1):
display/bochs-display: fix memory leak
hw/display/bochs-display.c | 2 ++
1 file changed, 2 insertions
Fix memory leak in bochs_display_update(). Leaks 304 bytes per frame.
Fixes: 33ebad54056
Signed-off-by: Cameron Esfahani
Reviewed-by: Philippe Mathieu-Daudé
---
hw/display/bochs-display.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/display/bochs-display.c b/hw/display/bochs
Fix a small memory leak in the Bochs display driver.
Each frame would leak about 304 bytes.
v2: Add missing signed-off-by line.
Cameron Esfahani (1):
display/bochs-display: fix memory leak
hw/display/bochs-display.c | 2 ++
1 file changed, 2 insertions(+)
--
2.24.0
Fix memory leak in bochs_display_update(). Leaks 304 bytes per frame.
Signed-off-by: Cameron Esfahani
---
hw/display/bochs-display.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/display/bochs-display.c b/hw/display/bochs-display.c
index dc1bd1641d..215db9a231 100644
--- a/hw
Fix memory leak in bochs_display_update(). Leaks 304 bytes per frame.
---
hw/display/bochs-display.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/display/bochs-display.c b/hw/display/bochs-display.c
index dc1bd1641d..215db9a231 100644
--- a/hw/display/bochs-display.c
+++ b/hw/display/
Fix a small memory leak in the Bochs display driver.
Each frame would leak about 304 bytes.
Cameron Esfahani (1):
display/bochs-display: fix memory leak
hw/display/bochs-display.c | 2 ++
1 file changed, 2 insertions(+)
--
2.24.0
Signed-off-by: Cameron Esfahani
Reviewed-by: Stefan Weil
---
target/i386/machine.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/target/i386/machine.c b/target/i386/machine.c
index 2699eed94e..ee342ddd50 100644
--- a/target/i386/machine.c
+++ b/target/i386
Signed-off-by: Cameron Esfahani
---
target/i386/machine.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/target/i386/machine.c b/target/i386/machine.c
index 2699eed94e..f21823f179 100644
--- a/target/i386/machine.c
+++ b/target/i386/machine.c
@@ -261,7 +261,7 @@ static
ea as read/write/execute, respect area flags.
Signed-off-by: Cameron Esfahani
Signed-off-by: Paolo Bonzini
---
target/i386/hvf/hvf.c | 50 ++-
1 file changed, 35 insertions(+), 15 deletions(-)
diff --git a/target/i386/hvf/hvf.c b/target/i386/hvf/hvf.c
index
The existing code in QEMU's HVF support to attempt to synchronize TSC
across multiple cores is not sufficient. TSC value on other cores
can go backwards. Until implementation is fixed, remove calls to
hv_vm_sync_tsc(). Pass through TSC to guest OS.
Signed-off-by: Cameron Esfahani
Signe
More accurately match SDM when setting CR0 and PDPTE registers.
Clear PDPTE registers when resetting vcpus.
Signed-off-by: Cameron Esfahani
Signed-off-by: Paolo Bonzini
---
target/i386/hvf/hvf.c | 8
target/i386/hvf/vmx.h | 18 ++
2 files changed, 18 insertions(+), 8
- Fix code style errors.
Cameron Esfahani (5):
hvf: non-RAM, non-ROMD memory ranges are now correctly mapped in
hvf: remove TSC synchronization code because it isn't fully complete
hvf: correctly handle REX prefix in relation to legacy prefixes
hvf: more accurately match SDM when setti
valid and error_code isn't set.
Signed-off-by: Cameron Esfahani
---
target/i386/hvf/hvf.c    | 4 +++-
target/i386/hvf/x86hvf.c | 14 +-
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/target/i386/hvf/hvf.c b/target/i386/hvf/hvf.c
index 784e67d77e..d72543dc31 10
In real x86 processors, the REX prefix must come after legacy prefixes.
REX before legacy is ignored. Update the HVF emulation code to properly
handle this. Fix some spelling errors in constants. Fix some decoder
table initialization issues found by Coverity.
Signed-off-by: Cameron Esfahani
pe
away, instead of attempting to reconstruct it from other information
(env->ins_len) in hvf_inject_interrupts()?
Cameron Esfahani
di...@apple.com
"There are times in the life of a nation when the only place a decent man can
find himself is in prison."
> On Nov 28, 2019, at 5:56 AM,
he assert trigger and get the following output:
> VMCS_INTR_T_SWINTR (400) != intr_type (0)
> Assertion failed: (VMCS_INTR_T_SWINTR == intr_type), function
> hvf_inject_interrupts, file qemu_upstream/target/i386/hvf/x86hvf.c, line 362.
So, as far as I can see, the proposed changes are still ne
Let me see if I can add some assertions.
Cameron Esfahani
di...@apple.com
"The cake is a lie."
Common wisdom
> On Nov 25, 2019, at 2:28 AM, Paolo Bonzini wrote:
>
> Certainly no doubt about patches 1-4, while for patch 5 I'm wondering if
> it's masking anot
Our test case was booting many concurrent macOS VMs under heavy system load. I
don't know if I could create one to replicate that.
Cameron Esfahani
di...@apple.com
"In the elder days of Art, Builders wrought with greatest care each minute and
unseen part; For the gods see everywhe
More accurately match SDM when setting CR0 and PDPTE registers.
Clear PDPTE registers when resetting vcpus.
Signed-off-by: Cameron Esfahani
---
target/i386/hvf/hvf.c | 8
target/i386/hvf/vmx.h | 18 ++
2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a
ea as read/write/execute, respect area flags.
Signed-off-by: Cameron Esfahani
---
target/i386/hvf/hvf.c | 50 ++-
1 file changed, 35 insertions(+), 15 deletions(-)
diff --git a/target/i386/hvf/hvf.c b/target/i386/hvf/hvf.c
index 231732aaf7..0b50cfcbc6 100644
--
hvf_store_events() so
they can be correctly reinjected in hvf_inject_interrupts(). Under
heavy loads, exceptions got misrouted.
Changes in v2:
- Fix code style errors.
Cameron Esfahani (5):
hvf: non-RAM, non-ROMD memory ranges are now correctly mapped in
hvf: remove TSC synchronization code
The existing code in QEMU's HVF support to attempt to synchronize TSC
across multiple cores is not sufficient. TSC value on other cores
can go backwards. Until implementation is fixed, remove calls to
hv_vm_sync_tsc(). Pass through TSC to guest OS.
Signed-off-by: Cameron Esfahani
---
t
In real x86 processors, the REX prefix must come after legacy prefixes.
REX before legacy is ignored. Update the HVF emulation code to properly
handle this. Fix some spelling errors in constants. Fix some decoder
table initialization issues found by Coverity.
Signed-off-by: Cameron Esfahani
Save away type as well as vector in hvf_store_events() so we can
correctly reinject both in hvf_inject_interrupts().
Make sure to clear ins_len and has_error_code when ins_len isn't
valid and error_code isn't set.
Signed-off-by: Cameron Esfahani
---
target/i386/hvf/hvf
More accurately match SDM when setting CR0 and PDPTE registers.
Clear PDPTE registers when resetting vcpus.
Signed-off-by: Cameron Esfahani
---
target/i386/hvf/hvf.c | 8
target/i386/hvf/vmx.h | 18 ++
2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a
In real x86 processors, the REX prefix must come after legacy prefixes.
REX before legacy is ignored. Update the HVF emulation code to properly
handle this. Fix some spelling errors in constants. Fix some decoder
table initialization issues found by Coverity.
Signed-off-by: Cameron Esfahani
ea as read/write/execute, respect area flags.
Signed-off-by: Cameron Esfahani
---
target/i386/hvf/hvf.c | 47 +++
1 file changed, 30 insertions(+), 17 deletions(-)
diff --git a/target/i386/hvf/hvf.c b/target/i386/hvf/hvf.c
index 231732aaf7..60c995470b 100644
--
Save away type as well as vector in hvf_store_events() so we can
correctly reinject both in hvf_inject_interrupts().
Make sure to clear ins_len and has_error_code when ins_len isn't
valid and error_code isn't set.
Signed-off-by: Cameron Esfahani
---
target/i386/hvf/hvf
hvf_store_events() so
they can be correctly reinjected in hvf_inject_interrupts(). Under
heavy loads, exceptions got misrouted.
Cameron Esfahani (5):
hvf: non-RAM, non-ROMD memory ranges are now correctly mapped in
hvf: remove TSC synchronization code because it isn't fully complete
The existing code in QEMU's HVF support to attempt to synchronize TSC
across multiple cores is not sufficient. TSC value on other cores
can go backwards. Until implementation is fixed, remove calls to
hv_vm_sync_tsc(). Pass through TSC to guest OS.
Signed-off-by: Cameron Esfahani
---
t