[PULL 0/2] Linux user for v11 patches

[PULL 0/2] Linux user for v11 patches

[Helge Deller]

From: Helge Deller <deller@gmx.de>

The following changes since commit 1fd5ff9d76d23ab23a68419cbc76d5ee33e8b455:

  Merge tag 'for-upstream' of https://gitlab.com/kmwolf/qemu into staging (2026-03-10 16:29:24 +0000)

are available in the Git repository at:

  https://github.com/hdeller/qemu-hppa.git tags/linux-user-for-v11-pull-request

for you to fetch changes up to 5e5b278d2b1b81fc2b5ca09dba4848f81cd3a718:

  linux-user: fix mremap with old_size=0 for shared mappings (2026-03-12 21:03:48 +0100)

----------------------------------------------------------------
Two linux-user patches

Two linux-user patches from Razvan Ghiorghe.

----------------------------------------------------------------

Razvan Ghiorghe (2):
  linux-user: Fix zero_bss for RX PT_LOAD segments
  linux-user: fix mremap with old_size=0 for shared mappings

 linux-user/elfload.c | 37 +++++++++++++++++++------------
 linux-user/mmap.c    | 52 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+), 14 deletions(-)

-- 
2.53.0

[PULL 1/2] linux-user: Fix zero_bss for RX PT_LOAD segments

[Helge Deller]

From: Razvan Ghiorghe <razvanghiorghe16@gmail.com>

zero_bss() incorrectly assumed that any PT_LOAD containing .bss must be
writable, rejecting valid ELF binaries where .bss overlaps the tail of
an RX file-backed page.

Instead of failing, temporarily enable write access on the overlapping
page to zero the fractional bss range, then restore the original page
permissions once initialization is complete.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3179
Signed-off-by: Razvan Ghiorghe <razvanghiorghe16@gmail.com>
Reviewed-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
---
 linux-user/elfload.c | 37 +++++++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 14 deletions(-)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index 35471c0c9a..59b543f740 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -449,12 +449,6 @@ static bool zero_bss(abi_ulong start_bss, abi_ulong end_bss,
 {
     abi_ulong align_bss;
 
-    /* We only expect writable bss; the code segment shouldn't need this. */
-    if (!(prot & PROT_WRITE)) {
-        error_setg(errp, "PT_LOAD with non-writable bss");
-        return false;
-    }
-
     align_bss = TARGET_PAGE_ALIGN(start_bss);
     end_bss = TARGET_PAGE_ALIGN(end_bss);
 
@@ -472,20 +466,35 @@ static bool zero_bss(abi_ulong start_bss, abi_ulong end_bss,
              */
             align_bss -= TARGET_PAGE_SIZE;
         } else {
+            abi_ulong start_page_aligned = start_bss & TARGET_PAGE_MASK;
             /*
-             * The start of the bss shares a page with something.
-             * The only thing that we expect is the data section,
-             * which would already be marked writable.
-             * Overlapping the RX code segment seems malformed.
+             * The logical OR between flags and PAGE_WRITE works because
+             * in include/exec/page-protection.h they are defined as PROT_*
+             * values, matching mprotect().
+             * Temporarily enable write access to zero the fractional bss.
+             * target_mprotect() handles TB invalidation if needed.
              */
             if (!(flags & PAGE_WRITE)) {
-                error_setg(errp, "PT_LOAD with bss overlapping "
-                           "non-writable page");
-                return false;
+                if (target_mprotect(start_page_aligned,
+                                    TARGET_PAGE_SIZE,
+                                    prot | PAGE_WRITE) == -1) {
+                    error_setg_errno(errp, errno,
+                                    "Error enabling write access for bss");
+                    return false;
+                }
             }
 
-            /* The page is already mapped and writable. */
+            /* The page is already mapped and now guaranteed writable. */
             memset(g2h_untagged(start_bss), 0, align_bss - start_bss);
+
+            if (!(flags & PAGE_WRITE)) {
+                if (target_mprotect(start_page_aligned,
+                                    TARGET_PAGE_SIZE, prot) == -1) {
+                    error_setg_errno(errp, errno,
+                                    "Error restoring bss first permissions");
+                    return false;
+                }
+            }
         }
     }
 
-- 
2.53.0

[PULL 2/2] linux-user: fix mremap with old_size=0 for shared mappings

[Helge Deller]

From: Razvan Ghiorghe <razvanghiorghe16@gmail.com>

When old_size is zero and old_address refers to a shareable mapping,
mremap() should create a new mapping of the same pages according to the
mremap(2) man page. The MREMAP_MAYMOVE flag must be specified in this case.

Previously, QEMU's target_mremap() rejected this valid case with EFAULT
during the initial validation, before checking for the special
old_size == 0 behaviour.

This patch adds proper handling for old_size == 0:
- Validates that MREMAP_MAYMOVE flag is set (required by man spec)
- Passes the call through to the host mremap()
- Creates a new mapping without invalidating the original, with both
  being valid and sharing the same physical memory frames.
- Ensures the new mapping address falls within the valid guest address
  region before returning it to the guest.

Tested with the reproducer from the issue on qemu-riscv64, qemu-hppa,
and qemu-aarch64.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3105
Signed-off-by: Razvan Ghiorghe <razvanghiorghe16@gmail.com>
Tested-by: Helge Deller <deller@gmx.de>
Reviewed-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
---
 linux-user/mmap.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index 76978a56a8..b635b6a21c 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -1120,6 +1120,58 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size,
         errno = EINVAL;
         return -1;
     }
+
+    if (!old_size) {
+        if (!(flags & MREMAP_MAYMOVE)) {
+            errno = EINVAL;
+            return -1;
+        }
+        mmap_lock();
+        if (flags & MREMAP_FIXED) {
+            host_addr = mremap(g2h_untagged(old_addr), old_size, new_size,
+                             flags, g2h_untagged(new_addr));
+        } else {
+            /*
+             * We ensure that the new mapping stands in the
+             * region of guest mappable addresses.
+             */
+            abi_ulong mmap_start;
+
+            mmap_start = mmap_find_vma(0, new_size, TARGET_PAGE_SIZE);
+
+            if (mmap_start == -1) {
+                errno = ENOMEM;
+                mmap_unlock();
+                return -1;
+            }
+
+            host_addr = mremap(g2h_untagged(old_addr), old_size, new_size,
+                             flags | MREMAP_FIXED, g2h_untagged(mmap_start));
+
+            new_addr = mmap_start;
+        }
+
+        if (host_addr == MAP_FAILED) {
+            mmap_unlock();
+            return -1;
+        }
+
+        if (flags & MREMAP_FIXED) {
+            new_addr = h2g(host_addr);
+        }
+
+        prot = page_get_flags(old_addr);
+        /*
+         * For old_size zero, there is nothing to clear at old_addr.
+         * Only set the flags for the new mapping. They both are valid.
+         */
+        page_set_flags(new_addr, new_addr + new_size - 1,
+                       prot | PAGE_VALID, PAGE_VALID);
+        shm_region_rm_complete(new_addr, new_addr + new_size - 1);
+        mmap_unlock();
+        return new_addr;
+    }
+
     if (!guest_range_valid_untagged(old_addr, old_size)) {
         errno = EFAULT;
         return -1;
-- 
2.53.0

Re: [PULL 0/2] Linux user for v11 patches

[Peter Maydell]

On Fri, 13 Mar 2026 at 18:31, Helge Deller <deller@kernel.org> wrote:
>
> From: Helge Deller <deller@gmx.de>
>
> The following changes since commit 1fd5ff9d76d23ab23a68419cbc76d5ee33e8b455:
>
>   Merge tag 'for-upstream' of https://gitlab.com/kmwolf/qemu into staging (2026-03-10 16:29:24 +0000)
>
> are available in the Git repository at:
>
>   https://github.com/hdeller/qemu-hppa.git tags/linux-user-for-v11-pull-request
>
> for you to fetch changes up to 5e5b278d2b1b81fc2b5ca09dba4848f81cd3a718:
>
>   linux-user: fix mremap with old_size=0 for shared mappings (2026-03-12 21:03:48 +0100)
>
> ----------------------------------------------------------------
> Two linux-user patches
>
> Two linux-user patches from Razvan Ghiorghe.
>



Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/11.0
for any user-visible changes.

-- PMM

Re: [PULL 0/2] Linux user for v11 patches

[Michael Tokarev]

On 13.03.2026 21:30, Helge Deller wrote:

> Razvan Ghiorghe (2):
>    linux-user: Fix zero_bss for RX PT_LOAD segments
>    linux-user: fix mremap with old_size=0 for shared mappings

This looks like qemu-stable material, is it not?

Thanks,

/mjt

Re: [PULL 0/2] Linux user for v11 patches

[Helge Deller]

On 3/16/26 14:43, Michael Tokarev wrote:
> On 13.03.2026 21:30, Helge Deller wrote:
> 
>> Razvan Ghiorghe (2):
>>    linux-user: Fix zero_bss for RX PT_LOAD segments
>>    linux-user: fix mremap with old_size=0 for shared mappings
> 
> This looks like qemu-stable material, is it not?

Yes.

Thanks!
Helge

Re: [PULL 0/2] Linux user for v11 patches

[Michael Tokarev]

On 16.03.2026 20:00, Helge Deller wrote:
> On 3/16/26 14:43, Michael Tokarev wrote:
>> On 13.03.2026 21:30, Helge Deller wrote:
>>
>>> Razvan Ghiorghe (2):
>>>    linux-user: Fix zero_bss for RX PT_LOAD segments
>>>    linux-user: fix mremap with old_size=0 for shared mappings
>>
>> This looks like qemu-stable material, is it not?
> 
> Yes.

..with one caveat: mremap with old_size=0 fix doesn't apply to 10.0,
the current LTS stable series, because 10.0.x doesn't have f55fc1c092
"accel/tcg: Add clear_flags argument to page_set_flags", because of this:

+        page_set_flags(new_addr, new_addr + new_size - 1,
+                       prot | PAGE_VALID, PAGE_VALID);

What would be the correct construct for this for 10.0.x?
(Adding rth to Cc list).

Thanks!

/mjt

Re: [PULL 0/2] Linux user for v11 patches

[Richard Henderson]

On 3/23/26 17:52, Michael Tokarev wrote:
> On 16.03.2026 20:00, Helge Deller wrote:
>> On 3/16/26 14:43, Michael Tokarev wrote:
>>> On 13.03.2026 21:30, Helge Deller wrote:
>>>
>>>> Razvan Ghiorghe (2):
>>>>    linux-user: Fix zero_bss for RX PT_LOAD segments
>>>>    linux-user: fix mremap with old_size=0 for shared mappings
>>>
>>> This looks like qemu-stable material, is it not?
>>
>> Yes.
> 
> ..with one caveat: mremap with old_size=0 fix doesn't apply to 10.0,
> the current LTS stable series, because 10.0.x doesn't have f55fc1c092
> "accel/tcg: Add clear_flags argument to page_set_flags", because of this:
> 
> +        page_set_flags(new_addr, new_addr + new_size - 1,
> +                       prot | PAGE_VALID, PAGE_VALID);
> 
> What would be the correct construct for this for 10.0.x?
> (Adding rth to Cc list).

Probably

   page_set_flags(new_addr, new_addr + new_size - 1,
                  prot | PAGE_VALID | PAGE_RESET);


r~

Re: [PULL 0/2] Linux user for v11 patches

[Michael Tokarev]

On 24.03.2026 01:53, Richard Henderson wrote:
> On 3/23/26 17:52, Michael Tokarev wrote:
>> On 16.03.2026 20:00, Helge Deller wrote:
>>> On 3/16/26 14:43, Michael Tokarev wrote:
>>>> On 13.03.2026 21:30, Helge Deller wrote:
>>>>
>>>>> Razvan Ghiorghe (2):
>>>>>    linux-user: Fix zero_bss for RX PT_LOAD segments
>>>>>    linux-user: fix mremap with old_size=0 for shared mappings
>>>>
>>>> This looks like qemu-stable material, is it not?
>>>
>>> Yes.
>>
>> ..with one caveat: mremap with old_size=0 fix doesn't apply to 10.0,
>> the current LTS stable series, because 10.0.x doesn't have f55fc1c092
>> "accel/tcg: Add clear_flags argument to page_set_flags", because of this:
>>
>> +        page_set_flags(new_addr, new_addr + new_size - 1,
>> +                       prot | PAGE_VALID, PAGE_VALID);
>>
>> What would be the correct construct for this for 10.0.x?
>> (Adding rth to Cc list).
> 
> Probably
> 
>    page_set_flags(new_addr, new_addr + new_size - 1,
>                   prot | PAGE_VALID | PAGE_RESET);
> 

Well, at least the testcase works with this version.  Thank you!

BTW, do we have another testcase for this scenario somewhere,
like in LTP or something?  Looking at linux test project I don't
see this case covered.

/mjt

Re: [PULL 0/2] Linux user for v11 patches

[Helge Deller]

Am 24.03.26 um 07:19 schrieb Michael Tokarev:
> On 24.03.2026 01:53, Richard Henderson wrote:
>> On 3/23/26 17:52, Michael Tokarev wrote:
>>> On 16.03.2026 20:00, Helge Deller wrote:
>>>> On 3/16/26 14:43, Michael Tokarev wrote:
>>>>> On 13.03.2026 21:30, Helge Deller wrote:
>>>>>
>>>>>> Razvan Ghiorghe (2):
>>>>>>    linux-user: Fix zero_bss for RX PT_LOAD segments
>>>>>>    linux-user: fix mremap with old_size=0 for shared mappings
>>>>>
>>>>> This looks like qemu-stable material, is it not?
>>>>
>>>> Yes.
>>>
>>> ..with one caveat: mremap with old_size=0 fix doesn't apply to 10.0,
>>> the current LTS stable series, because 10.0.x doesn't have f55fc1c092
>>> "accel/tcg: Add clear_flags argument to page_set_flags", because of 
>>> this:
>>>
>>> +        page_set_flags(new_addr, new_addr + new_size - 1,
>>> +                       prot | PAGE_VALID, PAGE_VALID);
>>>
>>> What would be the correct construct for this for 10.0.x?
>>> (Adding rth to Cc list).
>>
>> Probably
>>
>>    page_set_flags(new_addr, new_addr + new_size - 1,
>>                   prot | PAGE_VALID | PAGE_RESET);
>>
>
> Well, at least the testcase works with this version.  Thank you!
>
> BTW, do we have another testcase for this scenario somewhere,
> like in LTP or something?  Looking at linux test project I don't
> see this case covered.

At least there is a reproducer here:

https://gitlab.com/qemu-project/qemu/-/work_items/3105

Helge

Re: [PULL 0/2] Linux user for v11 patches

[Michael Tokarev]

On 24.03.2026 13:56, Helge Deller wrote:
> Am 24.03.26 um 07:19 schrieb Michael Tokarev:
>> On 24.03.2026 01:53, Richard Henderson wrote:

>>> Probably
>>>
>>>    page_set_flags(new_addr, new_addr + new_size - 1,
>>>                   prot | PAGE_VALID | PAGE_RESET);
>>>
>>
>> Well, at least the testcase works with this version.  Thank you!
>>
>> BTW, do we have another testcase for this scenario somewhere,
>> like in LTP or something?  Looking at linux test project I don't
>> see this case covered.
> 
> At least there is a reproducer here:
> 
> https://gitlab.com/qemu-project/qemu/-/work_items/3105

Yes, this is what I used to test the change, which I mentioned
above as "testcase works".  But it is a testcase for this particular
corner case only, - there might be more mmap-from-zero testcases
somewhere.  But ok, that's enough for now.

Thanks,

/mjt