From cf885b19579646d6a085470658bc83432d6786d2 Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Fri, 7 Apr 2023 17:12:00 +0200 Subject: [PATCH 01/10] hw/xen: fix off-by-one in xen_evtchn_set_gsi() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Coverity points out (CID 1508128) a bounds checking error. We need to check for gsi >= IOAPIC_NUM_PINS, not just greater-than. Also fix up an assert() that has the same problem, that Coverity didn't see. Fixes: 4f81baa33ed6 ("hw/xen: Support GSI mapping to PIRQ") Signed-off-by: David Woodhouse Reviewed-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20230801175747.145906-2-dwmw2@infradead.org> Signed-off-by: Philippe Mathieu-Daudé --- hw/i386/kvm/xen_evtchn.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/i386/kvm/xen_evtchn.c b/hw/i386/kvm/xen_evtchn.c index 3d810dbd59..0e9c108614 100644 --- a/hw/i386/kvm/xen_evtchn.c +++ b/hw/i386/kvm/xen_evtchn.c @@ -1587,7 +1587,7 @@ static int allocate_pirq(XenEvtchnState *s, int type, int gsi) found: pirq_inuse_word(s, pirq) |= pirq_inuse_bit(pirq); if (gsi >= 0) { - assert(gsi <= IOAPIC_NUM_PINS); + assert(gsi < IOAPIC_NUM_PINS); s->gsi_pirq[gsi] = pirq; } s->pirq[pirq].gsi = gsi; @@ -1601,7 +1601,7 @@ bool xen_evtchn_set_gsi(int gsi, int level) assert(qemu_mutex_iothread_locked()); - if (!s || gsi < 0 || gsi > IOAPIC_NUM_PINS) { + if (!s || gsi < 0 || gsi >= IOAPIC_NUM_PINS) { return false; } From 19c417ec87a446ffd1a13eeec23226fe30f31b7e Mon Sep 17 00:00:00 2001 
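Review bot: In the allocate_pirq hunk the corrected bound is still enforced with assert(), so an out-of-range gsi becomes a QEMU abort rather than an error return; if the gsi argument can originate from a guest-supplied value (the callers are outside this hunk, so I cannot confirm), the range must be rejected by the caller before allocate_pirq runs, and the assert should be documented as a programming-error check only, e.g. `/* callers must already have rejected gsi >= IOAPIC_NUM_PINS */`. The second hunk's `gsi >= IOAPIC_NUM_PINS` early return in xen_evtchn_set_gsi is the right shape for that caller-side validation. Both allocate_pirq and xen_evtchn_set_gsi continue outside their hunks.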
From: David Woodhouse Date: Mon, 22 May 2023 20:52:00 +0200 Subject: [PATCH 02/10] i386/xen: consistent locking around Xen singleshot timers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Coverity points out (CID 1507534, 1507968) that we sometimes access env->xen_singleshot_timer_ns under the protection of env->xen_timers_lock and sometimes not. This isn't always an issue. There are two modes for the timers; if the kernel supports the EVTCHN_SEND capability then it handles all the timer hypercalls and delivery internally, and all we use the field for is to get/set the timer as part of the vCPU state via an ioctl(). If the kernel doesn't have that support, then we do all the emulation within qemu, and *those* are the code paths where we actually care about the locking. But it doesn't hurt to be a little bit more consistent and avoid having to explain *why* it's OK. Signed-off-by: David Woodhouse Reviewed-by: Paul Durrant Message-Id: <20230801175747.145906-3-dwmw2@infradead.org> Signed-off-by: Philippe Mathieu-Daudé --- target/i386/kvm/xen-emu.c | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/target/i386/kvm/xen-emu.c b/target/i386/kvm/xen-emu.c index d7c7eb8d9c..a8146115f0 100644 --- a/target/i386/kvm/xen-emu.c +++ b/target/i386/kvm/xen-emu.c @@ -43,6 +43,7 @@ static void xen_vcpu_singleshot_timer_event(void *opaque); static void xen_vcpu_periodic_timer_event(void *opaque); +static int vcpuop_stop_singleshot_timer(CPUState *cs); #ifdef TARGET_X86_64 #define hypercall_compat32(longmode) (!(longmode)) @@ -466,6 +467,7 @@ void kvm_xen_inject_vcpu_callback_vector(uint32_t vcpu_id, int type) } } +/* Must always be called with xen_timers_lock held */ static int kvm_xen_set_vcpu_timer(CPUState *cs) { X86CPU *cpu = X86_CPU(cs); 
@@ -483,6 +485,7 @@ static int kvm_xen_set_vcpu_timer(CPUState *cs) static void do_set_vcpu_timer_virq(CPUState *cs, run_on_cpu_data data) { + QEMU_LOCK_GUARD(&X86_CPU(cs)->env.xen_timers_lock); kvm_xen_set_vcpu_timer(cs); } @@ -545,7 +548,6 @@ static void do_vcpu_soft_reset(CPUState *cs, run_on_cpu_data data) env->xen_vcpu_time_info_gpa = INVALID_GPA; env->xen_vcpu_runstate_gpa = INVALID_GPA; env->xen_vcpu_callback_vector = 0; - env->xen_singleshot_timer_ns = 0; memset(env->xen_virq, 0, sizeof(env->xen_virq)); set_vcpu_info(cs, INVALID_GPA); @@ -555,8 +557,13 @@ static void do_vcpu_soft_reset(CPUState *cs, run_on_cpu_data data) INVALID_GPA); if (kvm_xen_has_cap(EVTCHN_SEND)) { kvm_xen_set_vcpu_callback_vector(cs); + + QEMU_LOCK_GUARD(&X86_CPU(cs)->env.xen_timers_lock); + env->xen_singleshot_timer_ns = 0; kvm_xen_set_vcpu_timer(cs); - } + } else { + vcpuop_stop_singleshot_timer(cs); + }; } @@ -1059,6 +1066,10 @@ static int vcpuop_stop_periodic_timer(CPUState *target) return 0; } +/* + * Userspace handling of timer, for older kernels. + * Must always be called with xen_timers_lock held. + */ static int do_set_singleshot_timer(CPUState *cs, uint64_t timeout_abs, bool future, bool linux_wa) { @@ -1086,12 +1097,8 @@ static int do_set_singleshot_timer(CPUState *cs, uint64_t timeout_abs, timeout_abs = now + delta; } - qemu_mutex_lock(&env->xen_timers_lock); - timer_mod_ns(env->xen_singleshot_timer, qemu_now + delta); env->xen_singleshot_timer_ns = now + delta; - - qemu_mutex_unlock(&env->xen_timers_lock); return 0; } @@ -1115,6 +1122,7 @@ static int vcpuop_set_singleshot_timer(CPUState *cs, uint64_t arg) return -EFAULT; } + QEMU_LOCK_GUARD(&X86_CPU(cs)->env.xen_timers_lock); return do_set_singleshot_timer(cs, sst.timeout_abs_ns, !!(sst.flags & VCPU_SSHOTTMR_future), false); 
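Review bot: In the do_vcpu_soft_reset hunk the new else branch ends with `};`, leaving a stray empty statement after the closing brace, and it discards the int returned by vcpuop_stop_singleshot_timer (declared as returning int by the forward declaration this patch adds). If a reset deliberately ignores the result, say so: `} else { (void)vcpuop_stop_singleshot_timer(cs); /* best effort on reset */ }`. That branch now also relies on vcpuop_stop_singleshot_timer to clear env->xen_singleshot_timer_ns, since the unconditional clear was removed from the earlier hunk; its body is not visible here, so please confirm it does. do_vcpu_soft_reset starts and ends outside the hunk.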
@@ -1141,6 +1149,7 @@ static bool kvm_xen_hcall_set_timer_op(struct kvm_xen_exit *exit, X86CPU *cpu, if (unlikely(timeout == 0)) { err = vcpuop_stop_singleshot_timer(CPU(cpu)); } else { + QEMU_LOCK_GUARD(&X86_CPU(cpu)->env.xen_timers_lock); err = do_set_singleshot_timer(CPU(cpu), timeout, false, true); } exit->u.hcall.result = err; @@ -1826,6 +1835,7 @@ int kvm_put_xen_state(CPUState *cs) * If the kernel has EVTCHN_SEND support then it handles timers too, * so the timer will be restored by kvm_xen_set_vcpu_timer() below. */ + QEMU_LOCK_GUARD(&env->xen_timers_lock); if (env->xen_singleshot_timer_ns) { ret = do_set_singleshot_timer(cs, env->xen_singleshot_timer_ns, false, false); @@ -1844,10 +1854,8 @@ int kvm_put_xen_state(CPUState *cs) } if (env->xen_virq[VIRQ_TIMER]) { - ret = kvm_xen_set_vcpu_timer(cs); - if (ret < 0) { - return ret; - } + do_set_vcpu_timer_virq(cs, + RUN_ON_CPU_HOST_INT(env->xen_virq[VIRQ_TIMER])); } return 0; } @@ -1896,6 +1904,15 @@ int kvm_get_xen_state(CPUState *cs) if (ret < 0) { return ret; } + + /* + * This locking is fairly pointless, and is here to appease Coverity. + * There is an unavoidable race condition if a different vCPU sets a + * timer for this vCPU after the value has been read out. But that's + * OK in practice because *all* the vCPUs need to be stopped before + * we set about migrating their state. + */ + QEMU_LOCK_GUARD(&X86_CPU(cs)->env.xen_timers_lock); env->xen_singleshot_timer_ns = va.u.timer.expires_ns; } From 75a87af9b228ca7d14902a9390fe5e83c4898eb0 Mon Sep 17 00:00:00 2001 
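Review bot: The QEMU_LOCK_GUARD(&env->xen_timers_lock) added at the top of the kvm_put_xen_state hunk is function-scoped, yet the following hunk in the same function now calls do_set_vcpu_timer_virq(), which per the earlier hunk in this patch takes QEMU_LOCK_GUARD on the same env.xen_timers_lock. Unless that mutex is recursive or the function returns between the two hunks (those lines are not shown), the second acquisition will deadlock or trip an error-checking mutex. Narrowing the first guard to the single-shot restore with WITH_QEMU_LOCK_GUARD, or keeping the direct kvm_xen_set_vcpu_timer() call the hunk removes, avoids taking the lock twice. kvm_put_xen_state starts before the hunk.
```c
    WITH_QEMU_LOCK_GUARD(&env->xen_timers_lock) {
        if (env->xen_singleshot_timer_ns) {
            ret = do_set_singleshot_timer(cs, env->xen_singleshot_timer_ns,
                                          false, false);
            /* … unchanged: ret < 0 handling … */
        }
    }
    /* … unchanged: EVTCHN_SEND check, callback vector, VIRQ_TIMER restore … */
```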
From: David Woodhouse Date: Tue, 25 Jul 2023 12:05:00 +0200 Subject: [PATCH 03/10] hw/xen: prevent guest from binding loopback event channel to itself MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fuzzing showed that a guest could bind an interdomain port to itself, by guessing the next port to be allocated and putting that as the 'remote' port number. By chance, that works because the newly-allocated port has type EVTCHNSTAT_unbound. It shouldn't. Signed-off-by: David Woodhouse Reviewed-by: Paul Durrant Message-Id: <20230801175747.145906-4-dwmw2@infradead.org> Signed-off-by: Philippe Mathieu-Daudé --- hw/i386/kvm/xen_evtchn.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/hw/i386/kvm/xen_evtchn.c b/hw/i386/kvm/xen_evtchn.c index 0e9c108614..a731738411 100644 --- a/hw/i386/kvm/xen_evtchn.c +++ b/hw/i386/kvm/xen_evtchn.c @@ -1408,8 +1408,15 @@ int xen_evtchn_bind_interdomain_op(struct evtchn_bind_interdomain *interdomain) XenEvtchnPort *rp = &s->port_table[interdomain->remote_port]; XenEvtchnPort *lp = &s->port_table[interdomain->local_port]; - if (rp->type == EVTCHNSTAT_unbound && rp->type_val == 0) { - /* It's a match! */ + /* + * The 'remote' port for loopback must be an unbound port allocated for + * communication with the local domain (as indicated by rp->type_val + * being zero, not PORT_INFO_TYPEVAL_REMOTE_QEMU), and must *not* be + * the port that was just allocated for the local end. + */ + if (interdomain->local_port != interdomain->remote_port && + rp->type == EVTCHNSTAT_unbound && rp->type_val == 0) { + rp->type = EVTCHNSTAT_interdomain; rp->type_val = interdomain->local_port; From 866b24e4c3d27b5b8bedd741bb92b62b9fa58044 Mon Sep 17 00:00:00 2001 
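Review bot: The new guard rejects local_port == remote_port, but s->port_table is already indexed with interdomain->remote_port two lines above, before any check visible in this hunk; if remote_port is not range-checked earlier in xen_evtchn_bind_interdomain_op (the function starts before the hunk, so I cannot see), a guest-chosen value would read past port_table before the type comparison runs. Please confirm that validation and record it in the new comment, e.g. `* remote_port has already been range-checked before we get here;`. A fuzz regression case for the self-bind pattern described in the commit message would keep this from reappearing.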
From: Marc-Andre Lureau Date: Tue, 25 Jul 2023 15:25:40 +0400 Subject: [PATCH 04/10] ui/dbus: fix win32 compilation when !opengl MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1782 Signed-off-by: Marc-André Lureau Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20230725112540.53284-1-marcandre.lureau@redhat.com> Signed-off-by: Philippe Mathieu-Daudé --- ui/dbus-listener.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ui/dbus-listener.c b/ui/dbus-listener.c index 68ff343799..02fc6ae239 100644 --- a/ui/dbus-listener.c +++ b/ui/dbus-listener.c @@ -338,6 +338,7 @@ static bool dbus_scanout_map(DBusDisplayListener *ddl) return true; } +#ifdef CONFIG_OPENGL static bool dbus_scanout_share_d3d_texture( DBusDisplayListener *ddl, @@ -399,7 +400,8 @@ dbus_scanout_share_d3d_texture( return true; } -#endif +#endif /* CONFIG_OPENGL */ +#endif /* WIN32 */ #ifdef CONFIG_OPENGL static void dbus_scanout_texture(DisplayChangeListener *dcl, From 7b4a3f814560341b1a18b3954b52e3318c2725d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Wed, 26 Jul 2023 19:12:21 +0400 Subject: [PATCH 05/10] ui/dbus: fix clang compilation issue MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ../ui/dbus-listener.c:236:9: error: expected expression Error *err = NULL; See: https://gitlab.com/qemu-project/qemu/-/issues/1782#note_1488517427 Signed-off-by: Marc-André Lureau Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Thomas Huth Message-Id: <20230726151221.515761-1-marcandre.lureau@redhat.com> Signed-off-by: Philippe Mathieu-Daudé --- ui/dbus-listener.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ui/dbus-listener.c b/ui/dbus-listener.c index 02fc6ae239..30917271ab 100644 --- a/ui/dbus-listener.c +++ b/ui/dbus-listener.c 
@@ -232,7 +232,7 @@ static void dbus_call_update_gl(DisplayChangeListener *dcl, egl_fb_read_rect(ddl->ds, &ddl->fb, x, y, w, h); dbus_gfx_update(dcl, x, y, w, h); break; - case SHARE_KIND_D3DTEX: + case SHARE_KIND_D3DTEX: { Error *err = NULL; assert(ddl->d3d_texture); @@ -249,6 +249,7 @@ static void dbus_call_update_gl(DisplayChangeListener *dcl, dbus_update_gl_cb, g_object_ref(ddl)); break; + } default: g_warn_if_reached(); } From 313e162951682906430a6efeffdd1f2d67fd5bb4 Mon Sep 17 00:00:00 2001 From: Stefan Weil Date: Sun, 30 Jul 2023 20:03:29 +0200 Subject: [PATCH 06/10] misc: Fix some typos in documentation and comments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stefan Weil Reviewed-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20230730180329.851576-1-sw@weilnetz.de> Signed-off-by: Philippe Mathieu-Daudé --- docs/about/deprecated.rst | 2 +- docs/devel/qom.rst | 2 +- docs/system/devices/nvme.rst | 2 +- hw/core/loader.c | 4 ++-- include/exec/memory.h | 2 +- ui/vnc-enc-tight.c | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst index 1c35f55666..92a2bafd2b 100644 --- a/docs/about/deprecated.rst +++ b/docs/about/deprecated.rst @@ -369,7 +369,7 @@ mapping permissions et al by using its 'mapped' security model option. Nowadays it would make sense to reimplement the ``proxy`` backend by using QEMU's ``vhost`` feature, which would eliminate the high latency costs under which the 9p ``proxy`` backend currently suffers. However as of to date nobody -has indicated plans for such kind of reimplemention unfortunately. +has indicated plans for such kind of reimplementation unfortunately. Block device options diff --git a/docs/devel/qom.rst b/docs/devel/qom.rst index 0b506426d7..9918fac7f2 100644 --- a/docs/devel/qom.rst +++ b/docs/devel/qom.rst 
@@ -30,7 +30,7 @@ user configuration. Creating a QOM class ==================== -A simple minimal device implementation may look something like bellow: +A simple minimal device implementation may look something like below: .. code-block:: c :caption: Creating a minimal type diff --git a/docs/system/devices/nvme.rst b/docs/system/devices/nvme.rst index a8bb8d729c..2a3af268f7 100644 --- a/docs/system/devices/nvme.rst +++ b/docs/system/devices/nvme.rst @@ -232,7 +232,7 @@ parameters: Set the number of Reclaim Groups. ``fdp.nruh`` (default: ``0``) - Set the number of Reclaim Unit Handles. This is a mandatory paramater and + Set the number of Reclaim Unit Handles. This is a mandatory parameter and must be non-zero. ``fdp.runs`` (default: ``96M``) diff --git a/hw/core/loader.c b/hw/core/loader.c index 8b7fd9e9e5..4dd5a71fb7 100644 --- a/hw/core/loader.c +++ b/hw/core/loader.c @@ -863,7 +863,7 @@ ssize_t load_image_gzipped(const char *filename, hwaddr addr, uint64_t max_sz) /* * The Linux header magic number for a EFI PE/COFF - * image targetting an unspecified architecture. + * image targeting an unspecified architecture. */ #define EFI_PE_LINUX_MAGIC "\xcd\x23\x82\x81" @@ -1492,7 +1492,7 @@ RomGap rom_find_largest_gap_between(hwaddr base, size_t size) if (rom->mr || rom->fw_file) { continue; } - /* ignore anything finishing bellow base */ + /* ignore anything finishing below base */ if (rom->addr + rom->romsize <= base) { continue; } diff --git a/include/exec/memory.h b/include/exec/memory.h index 7f5c11a0cc..68284428f8 100644 --- a/include/exec/memory.h +++ b/include/exec/memory.h 
@@ -942,7 +942,7 @@ struct MemoryListener { * * @listener: The #MemoryListener. * @last_stage: The last stage to synchronize the log during migration. - * The caller should gurantee that the synchronization with true for + * The caller should guarantee that the synchronization with true for * @last_stage is triggered for once after all VCPUs have been stopped. */ void (*log_sync_global)(MemoryListener *listener, bool last_stage); diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c index 09200d71b8..ee853dcfcb 100644 --- a/ui/vnc-enc-tight.c +++ b/ui/vnc-enc-tight.c @@ -77,7 +77,7 @@ static int tight_send_framebuffer_update(VncState *vs, int x, int y, #ifdef CONFIG_VNC_JPEG static const struct { - double jpeg_freq_min; /* Don't send JPEG if the freq is bellow */ + double jpeg_freq_min; /* Don't send JPEG if the freq is below */ double jpeg_freq_threshold; /* Always send JPEG if the freq is above */ int jpeg_idx; /* Allow indexed JPEG */ int jpeg_full; /* Allow full color JPEG */ From 7a06a8fec9df3b6a0f72e7b37dff0969430aab96 Mon Sep 17 00:00:00 2001 From: Akihiko Odaki Date: Mon, 31 Jul 2023 18:10:39 +0900 Subject: [PATCH 07/10] tests/migration: Add -fno-stack-protector MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A build of GCC 13.2 will have stack protector enabled by default if it was configured with --enable-default-ssp option. For such a compiler, it is necessary to explicitly disable stack protector when linking without standard libraries. Signed-off-by: Akihiko Odaki Reviewed-by: Juan Quintela Reviewed-by: Thomas Huth Message-Id: <20230731091042.139159-2-akihiko.odaki@daynix.com> Signed-off-by: Philippe Mathieu-Daudé --- tests/migration/s390x/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/migration/s390x/Makefile b/tests/migration/s390x/Makefile index 6393c3e5b9..6671de2efc 100644 --- a/tests/migration/s390x/Makefile +++ b/tests/migration/s390x/Makefile 
@@ -6,8 +6,8 @@ all: a-b-bios.h fwdir=../../../pc-bios/s390-ccw CFLAGS+=-ffreestanding -fno-delete-null-pointer-checks -fPIE -Os \ - -msoft-float -march=z900 -fno-asynchronous-unwind-tables -Wl,-pie \ - -Wl,--build-id=none -nostdlib + -msoft-float -march=z900 -fno-asynchronous-unwind-tables \ + -fno-stack-protector -Wl,-pie -Wl,--build-id=none -nostdlib a-b-bios.h: s390x.elf echo "$$__note" > header.tmp From c11d5bdae79a8edaf00dfcb2e49c064a50c67671 Mon Sep 17 00:00:00 2001 From: Keith Packard Date: Tue, 1 Aug 2023 08:22:45 -0700 Subject: [PATCH 08/10] target/nios2: Pass semihosting arg to exit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Instead of using R_ARG0 (the semihost function number), use R_ARG1 (the provided exit status). Signed-off-by: Keith Packard Reviewed-by: Peter Maydell Message-Id: <20230801152245.332749-1-keithp@keithp.com> Signed-off-by: Philippe Mathieu-Daudé --- target/nios2/nios2-semi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target/nios2/nios2-semi.c b/target/nios2/nios2-semi.c index 3738774976..f3b7aee4f1 100644 --- a/target/nios2/nios2-semi.c +++ b/target/nios2/nios2-semi.c @@ -133,8 +133,8 @@ void do_nios2_semihosting(CPUNios2State *env) args = env->regs[R_ARG1]; switch (nr) { case HOSTED_EXIT: - gdb_exit(env->regs[R_ARG0]); - exit(env->regs[R_ARG0]); + gdb_exit(env->regs[R_ARG1]); + exit(env->regs[R_ARG1]); case HOSTED_OPEN: GET_ARG(0); From 71e2dd6aa1bdbac19c661638a4ae91816002ac9e Mon Sep 17 00:00:00 2001 From: Keith Packard Date: Mon, 31 Jul 2023 16:52:45 -0700 Subject: [PATCH 09/10] target/nios2: Fix semihost lseek offset computation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The arguments for deposit64 are (value, start, length, fieldval); this appears to have thought they were (value, fieldval, start, length). Reorder the parameters to match the actual function. 
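Review bot: In the nios2 HOSTED_EXIT hunk the corrected status is re-read from env->regs[R_ARG1] twice, although the context line `args = env->regs[R_ARG1];` just above already holds that value, so `gdb_exit(args); exit(args);` would be simpler and make the relationship to the other HOSTED_* cases, which consume `args`, obvious. The status is a guest-controlled 32-bit register; exit() only reports its low byte, which is the expected semihosting behaviour, but a short comment such as `/* ARG1 is the guest's exit status */` would say so. do_nios2_semihosting continues outside the hunk.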
Signed-off-by: Keith Packard Reviewed-by: Philippe Mathieu-Daudé Fixes: d1e23cbaa403b2d ("target/nios2: Use semihosting/syscalls.h") Reviewed-by: Peter Maydell Message-Id: <20230731235245.295513-1-keithp@keithp.com> Signed-off-by: Philippe Mathieu-Daudé --- target/nios2/nios2-semi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/nios2/nios2-semi.c b/target/nios2/nios2-semi.c index f3b7aee4f1..9d0241c758 100644 --- a/target/nios2/nios2-semi.c +++ b/target/nios2/nios2-semi.c @@ -169,7 +169,7 @@ void do_nios2_semihosting(CPUNios2State *env) GET_ARG64(2); GET_ARG64(3); semihost_sys_lseek(cs, nios2_semi_u64_cb, arg0, - deposit64(arg2, arg1, 32, 32), arg3); + deposit64(arg2, 32, 32, arg1), arg3); break; case HOSTED_RENAME: From 8caaae7319a5f7ca449900c0e6bfcaed78fa3ae2 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Tue, 1 Aug 2023 16:45:19 +0100 Subject: [PATCH 10/10] target/m68k: Fix semihost lseek offset computation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The arguments for deposit64 are (value, start, length, fieldval); this appears to have thought they were (value, fieldval, start, length). Reorder the parameters to match the actual function. Cc: qemu-stable@nongnu.org Fixes: 950272506d ("target/m68k: Use semihosting/syscalls.h") Reported-by: Philippe Mathieu-Daudé Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20230801154519.3505531-1-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé --- target/m68k/m68k-semi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/m68k/m68k-semi.c b/target/m68k/m68k-semi.c index 88ad9ba814..239f6e44e9 100644 --- a/target/m68k/m68k-semi.c +++ b/target/m68k/m68k-semi.c 
@@ -166,7 +166,7 @@ void do_m68k_semihosting(CPUM68KState *env, int nr) GET_ARG64(2); GET_ARG64(3); semihost_sys_lseek(cs, m68k_semi_u64_cb, arg0, - deposit64(arg2, arg1, 32, 32), arg3); + deposit64(arg2, 32, 32, arg1), arg3); break; case HOSTED_RENAME:
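Review bot: The corrected `deposit64(arg2, 32, 32, arg1)` matches the (value, start, length, fieldval) signature and places arg1 in the high word, but nothing in the series adds a test that would have caught the swapped form; a semihosting lseek with an offset of at least 1 << 32, or a negative SEEK_CUR offset, would pin the assembled 64-bit value, and since the previous patch applies the same fix to nios2 a shared test would cover both. A one-line comment, `/* arg1 is the high word, arg2 the low word of the 64-bit offset */`, would help the next reader, assuming that is the GET_ARG64 convention, which is defined outside this hunk. do_m68k_semihosting starts and ends outside the hunk.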