git.ipfire.org Git - thirdparty/qemu.git/log
4 weeks ago  hw/arm: Filter machine types for qemu-system-arm/aarch64 binaries
Philippe Mathieu-Daudé [Sun, 23 Mar 2025 21:48:32 +0000 (22:48 +0100)] 
hw/arm: Filter machine types for qemu-system-arm/aarch64 binaries

Register machines to be able to run with the qemu-system-arm
and qemu-system-aarch64 binaries, except a few machines which
are only available on the qemu-system-aarch64 binary:

  $ git grep TARGET_AARCH64 hw/arm/meson.build
  hw/arm/meson.build:31:arm_common_ss.add(when: ['CONFIG_RASPI', 'TARGET_AARCH64'], if_true: files('bcm2838.c', 'raspi4b.c'))
  hw/arm/meson.build:50:arm_common_ss.add(when: ['CONFIG_ASPEED_SOC', 'TARGET_AARCH64'], if_true: files('aspeed_ast27x0.c'))

  $ git grep -W AARCH64 hw/arm/Kconfig
  hw/arm/Kconfig=185=config SBSA_REF
  hw/arm/Kconfig-186-    bool
  hw/arm/Kconfig-187-    default y
  hw/arm/Kconfig:188:    depends on TCG && AARCH64
  --
  hw/arm/Kconfig=413=config XLNX_ZYNQMP_ARM
  hw/arm/Kconfig-414-    bool
  hw/arm/Kconfig-415-    default y if PIXMAN
  hw/arm/Kconfig:416:    depends on TCG && AARCH64
  --
  hw/arm/Kconfig=435=config XLNX_VERSAL
  hw/arm/Kconfig-436-    bool
  hw/arm/Kconfig-437-    default y
  hw/arm/Kconfig:438:    depends on TCG && AARCH64
  --
  hw/arm/Kconfig=475=config NPCM8XX
  hw/arm/Kconfig-476-    bool
  hw/arm/Kconfig-477-    default y
  hw/arm/Kconfig:478:    depends on TCG && AARCH64
  --
  hw/arm/Kconfig=605=config FSL_IMX8MP_EVK
  hw/arm/Kconfig-606-    bool
  hw/arm/Kconfig-607-    default y
  hw/arm/Kconfig:608:    depends on TCG && AARCH64

  $ git grep -wW TARGET_AARCH64 hw/arm | fgrep -4 MACHINE_TYPE_NAME
  ...
  hw/arm/aspeed.c:1939:#ifdef TARGET_AARCH64
  hw/arm/aspeed.c-1940-    }, {
  hw/arm/aspeed.c-1941-        .name          = MACHINE_TYPE_NAME("ast2700a0-evb"),

  hw/arm/aspeed.c-1949-        .name          = MACHINE_TYPE_NAME("ast2700a1-evb"),

  hw/arm/raspi.c:420:#ifdef TARGET_AARCH64
  hw/arm/raspi.c-421-    }, {
  hw/arm/raspi.c-422-        .name           = MACHINE_TYPE_NAME("raspi3ap"),

  hw/arm/raspi.c-429-    }, {
  hw/arm/raspi.c-430-        .name           = MACHINE_TYPE_NAME("raspi3b"),

This can be verified as:

  $ diff -u0 <(qemu-system-arm -M help) <(qemu-system-aarch64 -M help)
  @@ -1,0 +2,3 @@
  +xlnx-versal-virt     AMD Versal Virtual development board (alias of amd-versal-virt)
  +amd-versal-virt      AMD Versal Virtual development board
  +amd-versal2-virt     AMD Versal Gen 2 Virtual development board
  @@ -4,0 +8,5 @@
  +ast2700a0-evb        Aspeed AST2700 A0 EVB (Cortex-A35)
  +ast2700-evb          Aspeed AST2700 A1 EVB (Cortex-A35) (alias of ast2700a1-evb)
  +ast2700a1-evb        Aspeed AST2700 A1 EVB (Cortex-A35)
  +ast2700fc            ast2700 full core support (alias of ast2700fc)
  +ast2700fc            ast2700 full core support
  @@ -20,0 +29 @@
  +imx8mp-evk           NXP i.MX 8M Plus EVK Board
  @@ -47,0 +57 @@
  +npcm845-evb          Nuvoton NPCM845 Evaluation Board (Cortex-A35)
  @@ -60,0 +71,3 @@
  +raspi3ap             Raspberry Pi 3A+ (revision 1.0)
  +raspi3b              Raspberry Pi 3B (revision 1.2)
  +raspi4b              Raspberry Pi 4B (revision 1.5)
  @@ -66,0 +80 @@
  +sbsa-ref             QEMU 'SBSA Reference' ARM Virtual Machine
  @@ -99,0 +114 @@
  +xlnx-zcu102          Xilinx ZynqMP ZCU102 board with 4xA53s and 2xR5Fs based on the value of smp

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20251021205741.57109-5-philmd@linaro.org>

4 weeks ago  hw/arm: Add DEFINE_MACHINE_ARM() / DEFINE_MACHINE_AARCH64() macros
Philippe Mathieu-Daudé [Thu, 24 Apr 2025 13:34:33 +0000 (15:34 +0200)] 
hw/arm: Add DEFINE_MACHINE_ARM() / DEFINE_MACHINE_AARCH64() macros

A machine defined with the DEFINE_MACHINE_ARM() macro will
be available in both qemu-system-arm and qemu-system-aarch64
binaries.

One defined with DEFINE_MACHINE_AARCH64() will only be
available in the qemu-system-aarch64 binary.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20251021205741.57109-4-philmd@linaro.org>

4 weeks ago  hw/core: Allow ARM/Aarch64 binaries to use the 'none' machine
Philippe Mathieu-Daudé [Thu, 17 Apr 2025 22:44:24 +0000 (00:44 +0200)] 
hw/core: Allow ARM/Aarch64 binaries to use the 'none' machine

When we start to use target_machine_typename() to filter
machines for the ARM/Aarch64 binaries, the 'none' machine
would be filtered. Register the proper interfaces to keep
it available.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20251021205741.57109-3-philmd@linaro.org>

4 weeks ago  hw/arm: Register TYPE_TARGET_ARM/AARCH64_MACHINE QOM interfaces
Philippe Mathieu-Daudé [Sun, 23 Mar 2025 21:50:46 +0000 (22:50 +0100)] 
hw/arm: Register TYPE_TARGET_ARM/AARCH64_MACHINE QOM interfaces

Define the TYPE_TARGET_ARM_MACHINE and TYPE_TARGET_AARCH64_MACHINE
QOM interface names to allow machines to implement them.

Register these interfaces in common code in target_info-qom.c used
by all binaries because QOM interfaces must be registered before
being checked (see next commit with the 'none' machine).

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20251021205741.57109-2-philmd@linaro.org>

4 weeks ago  Merge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into staging
Richard Henderson [Wed, 29 Oct 2025 09:44:15 +0000 (10:44 +0100)] 
Merge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into staging

trivial patches for 2025-10-29

# gpg: Signature made Wed 29 Oct 2025 10:01:02 AM CET
# gpg:                using RSA key 64AA2AB531D56903366BFEF982AA4A243B1E9478
# gpg: Good signature from "Michael Tokarev <mjt@debian.org>" [unknown]
# gpg:                 aka "Michael Tokarev <mjt@corpit.ru>" [unknown]
# gpg:                 aka "Michael Tokarev <mjt@tls.msk.ru>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 9D8B E14E 3F2A 9DD7 9199  28F1 61AD 3D98 ECDF 2C8E
#      Subkey fingerprint: 64AA 2AB5 31D5 6903 366B  FEF9 82AA 4A24 3B1E 9478

* tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu:
  linux-user: Use correct type for FIBMAP and FIGETBSZ emulation
  hw/xen: Avoid non-inclusive language in params.h
  docs/system/sriov.rst: Fix typo in title
  tests/functional/i386: Remove unused variable from the replay test
  docs/system/keys: fix incorrect reset scaling key binding
  net/stream: remove deprecated 'reconnect' option
  chardev: remove deprecated 'reconnect' option

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

4 weeks ago  Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging
Richard Henderson [Wed, 29 Oct 2025 09:43:56 +0000 (10:43 +0100)] 
Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* char: rename CharBackend->CharFrontend
* esp: fix esp_cdb_ready() FIFO wraparound limit calculation
* isapc: warn rather than reject modern x86 CPU models
* mshv: fix Coverity issues
* qdev: Change PropertyInfo method print() to return malloc'ed string
* qobject: make refcount atomic
* rcu: make synchronize_rcu() more efficient
* rust: cleanup glib_sys bindings
* rust: Convert bit value to u8 within #[property]
* rust: only leave leaf crates as workspace members
* scripts: clean up meson-buildoptions.py
* scsi: make refcount atomic
* target/i386: Init SMM cpu address space for hotplugged CPUs

# gpg: Signature made Wed 29 Oct 2025 10:24:21 AM CET
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [unknown]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
  rust: migration: allow passing ParentField<> to vmstate_of!
  target/i386: clear CPU_INTERRUPT_SIPI for all accelerators
  docs/about/deprecated.rst: document isapc deprecation for modern x86 CPU models
  hw/i386/isapc.c: warn rather than reject modern x86 CPU models
  qdev: Change PropertyInfo method print() to return malloc'ed string
  scsi: make SCSIRequest refcount atomic
  rust/qemu-macros: Convert bit value to u8 within #[property]
  qtest/am53c974-test: add additional test for cmdfifo overflow
  esp.c: fix esp_cdb_ready() FIFO wraparound limit calculation
  accel/mshv: use return value of handle_pio_str_read
  accel/mshv: initialize thread name
  char: rename CharBackend->CharFrontend
  qobject: make refcount atomic
  rust: only leave leaf crates as workspace members
  rust: remove useless glib_sys bindings
  rcu: Unify force quiescent state
  i386/kvm/cpu: Init SMM cpu address space for hotplugged CPUs
  scripts: clean up meson-buildoptions.py

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

4 weeks ago  rust: migration: allow passing ParentField<> to vmstate_of!
Paolo Bonzini [Tue, 28 Oct 2025 11:21:29 +0000 (12:21 +0100)] 
rust: migration: allow passing ParentField<> to vmstate_of!

The common superclass for devices could have its own migration state;
for it to be included in the subclass's VMState, ParentField<> must
implement the VMState trait.

Reported-by: Chen Miao <chenmiao@openatom.club>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

4 weeks ago  linux-user: Use correct type for FIBMAP and FIGETBSZ emulation
Bastian Blank [Tue, 28 Oct 2025 12:16:12 +0000 (13:16 +0100)] 
linux-user: Use correct type for FIBMAP and FIGETBSZ emulation

Both the FIBMAP and FIGETBSZ ioctls get "int *" (pointer to 32bit
integer) as argument, not "long *" as specified in qemu.  Using the
correct type makes the emulation work in cross endian context.

Both ioctls do not seem to be documented. However the kernel
implementation has always used "int *".

Signed-off-by: Bastian Blank <waldi@debian.org>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3185
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Helge Deller <deller@gmx.de>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

5 weeks ago  hw/xen: Avoid non-inclusive language in params.h
Thomas Huth [Mon, 13 Oct 2025 11:11:52 +0000 (13:11 +0200)] 
hw/xen: Avoid non-inclusive language in params.h

Copy the latest version of Xen's params.h to the QEMU repository:

https://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=0291089f6ea81690f37035a124d54c51fa7ba097#patch8

With this patch, we get rid of a non-inclusive word in the comment
there.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Acked-by: Anthony PERARD <anthony.perard@vates.tech>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

5 weeks ago  docs/system/sriov.rst: Fix typo in title
Peter Maydell [Mon, 27 Oct 2025 15:04:20 +0000 (15:04 +0000)] 
docs/system/sriov.rst: Fix typo in title

Fix a typo in the title of the sriov.rst document.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

5 weeks ago  target/i386: clear CPU_INTERRUPT_SIPI for all accelerators
Paolo Bonzini [Fri, 24 Oct 2025 07:18:43 +0000 (09:18 +0200)] 
target/i386: clear CPU_INTERRUPT_SIPI for all accelerators

Similar to what commit df32e5c5 did for TCG; fixes boot with multiple
processors on WHPX and probably more accelerators

Fixes: df32e5c568c ("i386/cpu: Prevent delivering SIPI during SMM in TCG mode", 2025-10-14)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3178
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

5 weeks ago  tests/functional/i386: Remove unused variable from the replay test
Thomas Huth [Mon, 27 Oct 2025 10:40:12 +0000 (11:40 +0100)] 
tests/functional/i386: Remove unused variable from the replay test

Remove a left-over from the time when this test was still an
avocado-based test.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

5 weeks ago  docs/about/deprecated.rst: document isapc deprecation for modern x86 CPU models
Mark Cave-Ayland [Thu, 23 Oct 2025 14:28:10 +0000 (15:28 +0100)] 
docs/about/deprecated.rst: document isapc deprecation for modern x86 CPU models

Add a new paragraph in the "Backwards compatibility" section documenting that
using modern x86 CPU models with the isapc machine is deprecated, and will be
rejected in a future release.

Signed-off-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/r/20251023142926.964718-3-mark.caveayland@nutanix.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

5 weeks ago  hw/i386/isapc.c: warn rather than reject modern x86 CPU models
Mark Cave-Ayland [Thu, 23 Oct 2025 14:28:09 +0000 (15:28 +0100)] 
hw/i386/isapc.c: warn rather than reject modern x86 CPU models

Commit e1e2909f8e ("hw/i386/pc_piix.c: restrict isapc machine to 32-bit CPUs")
restricted the isapc machine to 32-bit CPUs, but subsequent concern has been
expressed as to the effect this could have on users.

The outcome of the latest discussion is that we should exercise more caution
and follow the official deprecation route, so instead of rejecting modern x86
CPUs issue a deprecation warning but allow the user to continue.

Signed-off-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/r/20251023142926.964718-2-mark.caveayland@nutanix.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

5 weeks ago  qdev: Change PropertyInfo method print() to return malloc'ed string
Markus Armbruster [Wed, 22 Oct 2025 10:14:18 +0000 (12:14 +0200)] 
qdev: Change PropertyInfo method print() to return malloc'ed string

Simpler (more so after the next commit), and no risk of truncation
because the caller's buffer is too small.  Performance doesn't matter;
the method is only used for "info qdev".

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Link: https://lore.kernel.org/r/20251022101420.36059-2-armbru@redhat.com
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

5 weeks ago  scsi: make SCSIRequest refcount atomic
Paolo Bonzini [Sat, 18 Oct 2025 08:13:45 +0000 (10:13 +0200)] 
scsi: make SCSIRequest refcount atomic

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

5 weeks ago  rust/qemu-macros: Convert bit value to u8 within #[property]
Zhao Liu [Fri, 24 Oct 2025 04:13:44 +0000 (12:13 +0800)] 
rust/qemu-macros: Convert bit value to u8 within #[property]

For bit property, make the type conversion within the #[property] macro
so that users do not need to handle the conversion.

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20251024041344.1389488-1-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

5 weeks ago  qtest/am53c974-test: add additional test for cmdfifo overflow
Mark Cave-Ayland [Thu, 25 Sep 2025 12:28:46 +0000 (13:28 +0100)] 
qtest/am53c974-test: add additional test for cmdfifo overflow

Based upon the qtest reproducer posted to Gitlab issue #3082 at
https://gitlab.com/qemu-project/qemu/-/issues/3082.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/r/20250925122846.527615-3-mark.cave-ayland@ilande.co.uk
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

5 weeks ago  esp.c: fix esp_cdb_ready() FIFO wraparound limit calculation
Mark Cave-Ayland [Thu, 25 Sep 2025 12:28:45 +0000 (13:28 +0100)] 
esp.c: fix esp_cdb_ready() FIFO wraparound limit calculation

The original calculation in commit 3cc70889a3 ("esp.c: prevent cmdfifo overflow
in esp_cdb_ready()") subtracted cmdfifo_cdb_offset from fifo8_num_used() to
calculate the outstanding cmdfifo length, but this is incorrect because
fifo8_num_used() can also include wraparound data.

Instead calculate the maximum offset used by scsi_cdb_length() which is just
the first byte after cmdfifo_cdb_offset, and then peek the entire content
of the cmdfifo. The fifo8_peek_bufptr() result will then return the maximum
length of remaining data up to the end of the internal cmdfifo array, which
can then be used for the overflow check.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Fixes: 3cc70889a3 ("esp.c: prevent cmdfifo overflow in esp_cdb_ready()")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3082
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/r/20250925122846.527615-2-mark.cave-ayland@ilande.co.uk
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
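
A simplified model of the wraparound problem described in the esp.c commit message above, as an added example that is not QEMU's code: `struct ring8`, every function name and the 8-byte capacity are hypothetical and constructed for illustration. It shows why a length taken from the total number of stored bytes can approve a linear read that runs past the backing array, while a length bounded by the end of the array cannot.

```c
#include <stdint.h>
#include <stdio.h>

#define RING_CAP 8u  /* constructed capacity, small so the wrap is easy to follow */

/* Hypothetical toy ring buffer: models the idea, it is not QEMU's Fifo8. */
struct ring8 {
    uint8_t  data[RING_CAP];
    uint32_t head;  /* index of the oldest stored byte */
    uint32_t num;   /* number of bytes currently stored */
};

static void ring_push(struct ring8 *r, uint8_t b)
{
    if (r->num < RING_CAP) {
        r->data[(r->head + r->num) % RING_CAP] = b;
        r->num++;
    }
}

static void ring_drop(struct ring8 *r, uint32_t n)
{
    if (n > r->num) {
        n = r->num;
    }
    r->head = (r->head + n) % RING_CAP;
    r->num -= n;
}

/* Every stored byte, including bytes that wrapped to the start of data[]. */
static uint32_t ring_num_used(const struct ring8 *r)
{
    return r->num;
}

/* Oldest byte, plus how many bytes can be read linearly before data[] ends. */
static const uint8_t *ring_peek_bufptr(const struct ring8 *r, uint32_t *contig)
{
    uint32_t to_end = RING_CAP - r->head;

    *contig = r->num < to_end ? r->num : to_end;
    return &r->data[r->head];
}

/* Flawed check: assumes all stored bytes after 'offset' are linearly readable. */
static int cdb_ready_total(const struct ring8 *r, uint32_t offset, uint32_t cdb_len)
{
    uint32_t used = ring_num_used(r);

    return offset < used && used - offset >= cdb_len;
}

/* Bounded check: only counts bytes that sit before the end of data[]. */
static int cdb_ready_contig(const struct ring8 *r, uint32_t offset, uint32_t cdb_len)
{
    uint32_t contig;

    (void)ring_peek_bufptr(r, &contig);
    return offset < contig && contig - offset >= cdb_len;
}

/* One past the last index a linear read of the command would touch. */
static uint32_t linear_read_end(const struct ring8 *r, uint32_t offset, uint32_t cdb_len)
{
    return r->head + offset + cdb_len;
}

/* Constructed state: push and drop 'skip' bytes to move head, then store 'n'. */
static struct ring8 make_ring(uint32_t skip, uint32_t n)
{
    struct ring8 r = { .head = 0, .num = 0 };
    uint32_t i;

    for (i = 0; i < skip; i++) {
        ring_push(&r, 0);
    }
    ring_drop(&r, skip);
    for (i = 0; i < n; i++) {
        ring_push(&r, (uint8_t)(0xA0 + i));
    }
    return r;
}

int main(void)
{
    struct ring8 flat = make_ring(0, 5);     /* bytes at indexes 0..4 */
    struct ring8 wrapped = make_ring(6, 5);  /* bytes at indexes 6,7,0,1,2 */

    /* Command starts 1 byte into the FIFO and is 3 bytes long. */
    printf("flat:    total=%d contig=%d read_end=%u (cap %u)\n",
           cdb_ready_total(&flat, 1, 3), cdb_ready_contig(&flat, 1, 3),
           linear_read_end(&flat, 1, 3), RING_CAP);
    printf("wrapped: total=%d contig=%d read_end=%u (cap %u)\n",
           cdb_ready_total(&wrapped, 1, 3), cdb_ready_contig(&wrapped, 1, 3),
           linear_read_end(&wrapped, 1, 3), RING_CAP);
    return 0;
}
```

In the wrapped case the total-based check accepts a read whose end index exceeds the array capacity, and the contiguous check refuses it.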

5 weeks ago  accel/mshv: use return value of handle_pio_str_read
Paolo Bonzini [Wed, 22 Oct 2025 12:54:30 +0000 (14:54 +0200)] 
accel/mshv: use return value of handle_pio_str_read

Coverity complains because we assign to ret here but
then never read it again before we overwrite it with
the call to set_x64_registers().

Analyzed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

5 weeks ago  accel/mshv: initialize thread name
Paolo Bonzini [Wed, 22 Oct 2025 12:52:48 +0000 (14:52 +0200)] 
accel/mshv: initialize thread name

The initialization was dropped when the code was copied from existing
accelerators.  Coverity knows (CID 1641400).  Fix it.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

5 weeks ago  char: rename CharBackend->CharFrontend
Marc-André Lureau [Wed, 22 Oct 2025 07:46:10 +0000 (11:46 +0400)] 
char: rename CharBackend->CharFrontend

The actual backend is "Chardev", CharBackend is the frontend side of
it (whatever talks to the backend), let's rename it for readability.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Link: https://lore.kernel.org/r/20251022074612.1258413-1-marcandre.lureau@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

5 weeks ago  docs/system/keys: fix incorrect reset scaling key binding
Nir Lichtman [Fri, 15 Aug 2025 09:00:25 +0000 (09:00 +0000)] 
docs/system/keys: fix incorrect reset scaling key binding

Fix incorrect key binding for resetting the graphical frontends scaling

Signed-off-by: Nir Lichtman <nir@lichtman.org>
Fixes: 15421f7113 "ui/sdl2: fix reset scaling binding to be consistent with gtk"
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

5 weeks ago  net/stream: remove deprecated 'reconnect' option
Vladimir Sementsov-Ogievskiy [Wed, 24 Sep 2025 13:33:09 +0000 (16:33 +0300)] 
net/stream: remove deprecated 'reconnect' option

It was deprecated in 9.2, time to remove.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Reviewed-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

5 weeks ago  chardev: remove deprecated 'reconnect' option
Vladimir Sementsov-Ogievskiy [Wed, 24 Sep 2025 13:33:08 +0000 (16:33 +0300)] 
chardev: remove deprecated 'reconnect' option

It was deprecated in 9.2, time to remove.

Note that (which becomes obvious with this commit) we forgot to do some
checks for reconnect-ms options; for example, it was silently ignored
for a listening server instead of erroring out. The commit fixes this, as
now we use reconnect_ms everywhere.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Reviewed-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

5 weeks ago  qobject: make refcount atomic
Paolo Bonzini [Tue, 30 Sep 2025 11:17:11 +0000 (13:17 +0200)] 
qobject: make refcount atomic

The Rust bindings for QObject will only operate on complete objects,
treating them as immutable as long as the Rust QObject is live.

With that constraint, it is trivial for Rust code to treat QObjects as
thread-safe; all that's needed is to make reference count operations
atomic.  Do the same when the C code adds or removes references, since
we don't really know what the Rust code is up to; of course C code will
have to agree with not making changes to the QObjects after they've
been passed to Rust code.

Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

5 weeks ago  rust: only leave leaf crates as workspace members
Paolo Bonzini [Fri, 17 Oct 2025 13:21:11 +0000 (15:21 +0200)] 
rust: only leave leaf crates as workspace members

Everything else can be obtained as a dependency.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

5 weeks ago  rust: remove useless glib_sys bindings
Martin Kletzander [Thu, 16 Oct 2025 12:11:15 +0000 (14:11 +0200)] 
rust: remove useless glib_sys bindings

The definition of types needed for g_autolist(), g_autoslist(),
g_autoqueue() need the imports for GList, GSList and GQueue
to appear everything.  Rust code is never going to see those,
since they are not used in structs.  Block the types from
appearing in the bindings.

Co-authored-by: Martin Kletzander <mkletzan@redhat.com>
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

5 weeks ago  rcu: Unify force quiescent state
Akihiko Odaki [Thu, 16 Oct 2025 06:34:41 +0000 (15:34 +0900)] 
rcu: Unify force quiescent state

Borrow the concept of force quiescent state from Linux to ensure readers
remain fast during normal operation and to avoid stalls.

Background
==========

The previous implementation had four steps to begin reclamation.

1. call_rcu_thread() would wait for the first callback.

2. call_rcu_thread() would periodically poll until a decent number of
   callbacks piled up or it timed out.

3. synchronize_rcu() would start a grace period (GP).

4. wait_for_readers() would wait for the GP to end. It would also
   trigger the force_rcu notifier to break busy loops in a read-side
   critical section if drain_call_rcu() had been called.

Problem
=======

The separation of waiting logic across these steps led to suboptimal
behavior:

The GP was delayed until call_rcu_thread() stops polling.

force_rcu was not consistently triggered when call_rcu_thread() detected
a high number of pending callbacks or a timeout. This inconsistency
sometimes led to stalls, as reported in a virtio-gpu issue where memory
unmapping was blocked[1].

wait_for_readers() imposed unnecessary overhead in non-urgent cases by
unconditionally executing qatomic_set(&index->waiting, true) and
qemu_event_reset(&rcu_gp_event), which are necessary only for expedited
synchronization.

Solution
========

Move the polling in call_rcu_thread() to wait_for_readers() to prevent
the delay of the GP. Additionally, reorganize wait_for_readers() to
distinguish between two states:

Normal State: it relies exclusively on periodic polling to detect
the end of the GP and maintains the read-side fast path.

Force Quiescent State: Whenever expediting synchronization, it always
triggers force_rcu and executes both qatomic_set(&index->waiting, true)
and qemu_event_reset(&rcu_gp_event). This avoids stalls while confining
the read-side overhead to this state.

This unified approach, inspired by the Linux RCU, ensures consistent and
efficient RCU grace period handling and confirms resolution of the
virtio-gpu issue.

[1] https://lore.kernel.org/qemu-devel/20251014111234.3190346-9-alex.bennee@linaro.org/

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Link: https://lore.kernel.org/r/20251016-force-v1-1-919a82112498@rsg.ci.i.u-tokyo.ac.jp
Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

5 weeks ago  i386/kvm/cpu: Init SMM cpu address space for hotplugged CPUs
Xiaoyao Li [Tue, 14 Oct 2025 09:42:14 +0000 (17:42 +0800)] 
i386/kvm/cpu: Init SMM cpu address space for hotplugged CPUs

The SMM cpu address space is initialized in a machine_init_done
notifier. It only runs once when QEMU starts up, which leads to the
issue that for any hotplugged CPU after the machine is ready, SMM
cpu address space doesn't get initialized.

Fix the issue by initializing the SMM cpu address space in x86_cpu_plug()
when the cpu is hotplugged.

Fixes: 591f817d819f ("target/i386: Define enum X86ASIdx for x86's address spaces")
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Closes: https://lore.kernel.org/qemu-devel/CAFEAcA_3kkZ+a5rTZGmK8W5K6J7qpYD31HkvjBnxWr-fGT2h_A@mail.gmail.com/
Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/r/20251014094216.164306-2-xiaoyao.li@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

5 weeks ago  scripts: clean up meson-buildoptions.py
Paolo Bonzini [Tue, 29 Aug 2023 08:37:12 +0000 (10:37 +0200)] 
scripts: clean up meson-buildoptions.py

Fix a few issues reported by flake8 and pylint, mostly parameter names
that shadow globals.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

5 weeks ago  Merge tag 'hw-misc-20251028' of https://github.com/philmd/qemu into staging
Richard Henderson [Tue, 28 Oct 2025 10:48:05 +0000 (11:48 +0100)] 
Merge tag 'hw-misc-20251028' of https://github.com/philmd/qemu into staging

Misc HW patches

Various fixes and cleanups:
- Set FPCR exception flag bits for HPPA non-trapped exceptions
- Convert VirtIONet::vlans from pointer to array
  and remove VMSTATE_BUFFER_POINTER_UNSAFE()
- Remove redundant QOM typedef when OBJECT_DECLARE_SIMPLE_TYPE() is used
- Have various QDev / SysBus helpers take a const device argument
- Improve errors when loaders parse images
- Remove IntelIOMMUState::dma_translation leftover
- Remove most target_[u]long uses in hw/riscv/
- Fix DS1225Y MemoryRegion owner
- Simplification refactors on Raven PCI Host Bridge

# gpg: Signature made Tue 28 Oct 2025 08:47:27 AM CET
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* tag 'hw-misc-20251028' of https://github.com/philmd/qemu: (23 commits)
  hw/riscv: Widen OpenSBI dynamic info struct
  hw/riscv: Use generic hwaddr for firmware addresses
  hw/i386/intel_iommu: Remove an unused state field
  nw/nvram/ds1225y: Fix nvram MemoryRegion owner
  hw/ppc: Pass error_fatal to load_image_targphys()
  hw/core/loader: Pass errp to load_image_targphys_as()
  hw/core/loader: add check for zero size in load_image_targphys_as
  hw/core/loader: improve error handling in image loading functions
  hw/core/loader: capture Error from load_image_targphys
  hw/core/loader: Use qemu_open() instead of open() in get_image_size()
  hw/int/loongarch: Include missing 'system/memory.h' header
  hw/uefi: Include missing 'system/memory.h' header
  hw/sysbus: Have various helpers take a const SysBusDevice argument
  hw/qdev: Have qdev_get_gpio_out_connector() take const DeviceState arg
  hw/pci-host/raven: Simplify PCI bus creation
  hw/pci-host/raven: Use DEFINE_TYPES macro
  hw/pci-host/raven: Simplify host bridge type declaration
  hw/pci-host/raven: Simplify PCI facing part
  hw/pci-host/raven: Simplify creating PCI facing part
  migration/vmstate: remove VMSTATE_BUFFER_POINTER_UNSAFE macro
  ...

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

5 weeks ago  Merge tag 'devel-scsi-ncr710-pull-request' of https://github.com/hdeller/qemu-hppa...
Richard Henderson [Tue, 28 Oct 2025 10:47:14 +0000 (11:47 +0100)] 
Merge tag 'devel-scsi-ncr710-pull-request' of https://github.com/hdeller/qemu-hppa into staging

HP-PARISC 715 machine with NCR710 SCSI chip

This series adds a new emulation for a HP PA-RISC 715/64 model,
as described here: https://www.openpa.net/systems/hp-9000_715.html.

That machine has no PCI bus and instead uses a "LASI" chip which has built-in
NCR 53c710 SCSI and i82596 network chips. Compared to the other already
emulated machines B160L and C3700, this machine should be able to support older
operating systems like HP-UX 9 as well.

The QEMU project participated in the Google Summer of Code 2025 program by
"Implementing LASI Network Card and NCR 710 SCSI Controller Device Models", and
Soumyajyotii Ssarkar stepped up to develop those drivers.

This patch series includes the code for the NCR710 SCSI controller,
the network code will follow in later patch series.

# gpg: Signature made Mon 27 Oct 2025 10:15:31 PM CET
# gpg:                using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
# gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown]
# gpg:                 aka "Helge Deller <deller@kernel.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4544 8228 2CD9 10DB EF3D  25F8 3E5F 3D04 A7A2 4603
#      Subkey fingerprint: BCE9 123E 1AD2 9F07 C049  BBDE F712 B510 A23A 0F5F

* tag 'devel-scsi-ncr710-pull-request' of https://github.com/hdeller/qemu-hppa:
  hw/hppa: Add 715 machine type including NCR710 SCSI
  hw/hppa: Require SeaBIOS version 19 for 715 machine
  hw/hppa: PCI devices depend on availability of PCI bus
  hw/hppa: Add NCR 710 SCSI driver to LASI chip Kconfig entry
  hw/hppa: Fix interrupt of LASI parallel port
  hw/hppa: Fix firmware end address for LASI chip
  hw/scsi: Add config option for new ncr710 driver
  lasi: Forward LASI SCSI ports to NCR 53c710 driver
  ncr710: Add driver for the NCR 53c710 SCSI chip
  lasi_ncr710: Add LASI wrapper for NCR 53c710 SCSI chip
  target/hppa: Update SeaBIOS-hppa to version 19

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
5 weeks ago Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging
Richard Henderson [Tue, 28 Oct 2025 10:46:40 +0000 (11:46 +0100)] 
Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging

Pull request

Fiona's virtio-scsi TMF deadlock fix.

Paolo: I merged the scsi fix in my block tree, but realize now that it belongs
to the scsi subsystem. Sorry about that, I'll be more careful next time. Please
reply if you want to handle this patch yourself.

# gpg: Signature made Mon 27 Oct 2025 08:05:01 PM CET
# gpg:                using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" [unknown]
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35  775A 9CA4 ABB3 81AB 73C8

* tag 'block-pull-request' of https://gitlab.com/stefanha/qemu:
  hw/scsi: avoid deadlock upon TMF request cancelling with VirtIO

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
5 weeks ago hw/riscv: Widen OpenSBI dynamic info struct
Anton Johansson [Mon, 27 Oct 2025 12:35:12 +0000 (13:35 +0100)] 
hw/riscv: Widen OpenSBI dynamic info struct

Since fw_dynamic_info is only used for non 32 bit targets, target_long
is int64_t anyway.  Rename struct to fw_dynamic_info64 and use int64_t.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20251027-feature-single-binary-hw-v1-v2-3-44478d589ae9@rev.ng>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/riscv: Use generic hwaddr for firmware addresses
Anton Johansson [Mon, 27 Oct 2025 12:35:10 +0000 (13:35 +0100)] 
hw/riscv: Use generic hwaddr for firmware addresses

Signed-off-by: Anton Johansson <anjo@rev.ng>
Message-ID: <20251027-feature-single-binary-hw-v1-v2-1-44478d589ae9@rev.ng>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
[PMD: Do not update riscv_load_kernel()]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/i386/intel_iommu: Remove an unused state field
CLEMENT MATHIEU--DRIF [Mon, 27 Oct 2025 07:52:57 +0000 (07:52 +0000)] 
hw/i386/intel_iommu: Remove an unused state field

dma_translation has been moved to x86-iommu and is no longer referenced.

Fixes: b6b49c2cd6c2 (intel-iommu: Move dma_translation to x86-iommu)
Signed-off-by: Clement Mathieu--Drif <clement.mathieu--drif@eviden.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20251027075232.95262-1-clement.mathieu--drif@eviden.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago nw/nvram/ds1225y: Fix nvram MemoryRegion owner
Akihiko Odaki [Mon, 27 Oct 2025 01:05:38 +0000 (10:05 +0900)] 
nw/nvram/ds1225y: Fix nvram MemoryRegion owner

s points to the MemoryRegion itself. dev points to DS1225Y, the real
owner.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20251027-ds1225y-v1-1-406888eb495f@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/ppc: Pass error_fatal to load_image_targphys()
Vishal Chourasia [Fri, 24 Oct 2025 13:06:03 +0000 (18:36 +0530)] 
hw/ppc: Pass error_fatal to load_image_targphys()

Pass error_fatal to load_image_targphys() calls in ppc machine initialization
to capture detailed error information when loading firmware, kernel,
and initrd images.

Passing error_fatal automatically reports detailed error messages and
exits immediately on failure, eliminating redundant exit(1) calls, as
error_fatal handles termination.

The behavior remains functionally identical, but error messages now
come directly from the loader function with more context about the
failure cause.

Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-14-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/core/loader: Pass errp to load_image_targphys_as()
Vishal Chourasia [Fri, 24 Oct 2025 13:06:01 +0000 (18:36 +0530)] 
hw/core/loader: Pass errp to load_image_targphys_as()

Pass errp to load_image_targphys_as() in generic-loader and
guest-loader to capture detailed error information from the
loader functions.

Use error_prepend() instead of error_setg() to preserve the
underlying error details while adding context about which image
failed to load.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-12-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/core/loader: add check for zero size in load_image_targphys_as
Vishal Chourasia [Fri, 24 Oct 2025 13:05:59 +0000 (18:35 +0530)] 
hw/core/loader: add check for zero size in load_image_targphys_as

Currently load_image_targphys_as() returns -1 on file open failure or
when max size is exceeded. Add an explicit check for zero-sized files
to catch this error early, since some callers check for size <= 0.

Also, remove the redundant size > 0 check later in the function.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-10-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/core/loader: improve error handling in image loading functions
Vishal Chourasia [Fri, 24 Oct 2025 13:05:57 +0000 (18:35 +0530)] 
hw/core/loader: improve error handling in image loading functions

Add error checking for lseek() failure and provide better error
messages when image loading fails, including filenames and addresses.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-8-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/core/loader: capture Error from load_image_targphys
Vishal Chourasia [Fri, 24 Oct 2025 13:05:55 +0000 (18:35 +0530)] 
hw/core/loader: capture Error from load_image_targphys

Add Error **errp parameter to load_image_targphys(),
load_image_targphys_as(), and get_image_size() to enable better
error reporting when image loading fails.

Pass NULL for errp in all existing call sites to maintain current
behavior. No functional change intended in this patch.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Aditya Gupta <adityag@linux.ibm.com>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-6-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/core/loader: Use qemu_open() instead of open() in get_image_size()
Vishal Chourasia [Fri, 24 Oct 2025 13:05:53 +0000 (18:35 +0530)] 
hw/core/loader: Use qemu_open() instead of open() in get_image_size()

Replace open() with qemu_open() which provides better error handling
via the Error object, automatically sets O_CLOEXEC, and supports FD
passing with /dev/fdset.

Currently pass errp argument as NULL.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-4-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/int/loongarch: Include missing 'system/memory.h' header
Philippe Mathieu-Daudé [Fri, 24 Oct 2025 14:24:09 +0000 (16:24 +0200)] 
hw/int/loongarch: Include missing 'system/memory.h' header

"system/memory.h" header is indirectly pulled by "hw/sysbus.h".
Include it explicitly to avoid the following error when refactoring the latter:

  In file included from ../../hw/intc/loongson_ipi.c:9:
  In file included from /Users/philmd/source/qemu/include/hw/intc/loongson_ipi.h:12:
  include/hw/intc/loongson_ipi_common.h:37:18: error: field has incomplete type 'MemoryRegion' (aka 'struct MemoryRegion')
     37 |     MemoryRegion ipi_iocsr_mem;
        |                  ^

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-Id: <20251024190416.8803-21-philmd@linaro.org>

5 weeks ago hw/uefi: Include missing 'system/memory.h' header
Philippe Mathieu-Daudé [Fri, 24 Oct 2025 13:33:02 +0000 (15:33 +0200)] 
hw/uefi: Include missing 'system/memory.h' header

"system/memory.h" header is indirectly pulled by "hw/sysbus.h".
Include it explicitly to avoid the following error when refactoring the latter:

  include/hw/uefi/var-service.h:50:39: error: field has incomplete type 'MemoryRegion' (aka 'struct MemoryRegion')
     50 |     MemoryRegion                      mr;
        |                                       ^

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20251024190416.8803-14-philmd@linaro.org>

5 weeks ago hw/sysbus: Have various helpers take a const SysBusDevice argument
Philippe Mathieu-Daudé [Fri, 24 Oct 2025 11:17:18 +0000 (13:17 +0200)] 
hw/sysbus: Have various helpers take a const SysBusDevice argument

These getters don't update any SysBusDevice internal fields,
make the argument const.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20251024190416.8803-3-philmd@linaro.org>

5 weeks ago hw/qdev: Have qdev_get_gpio_out_connector() take const DeviceState arg
Philippe Mathieu-Daudé [Fri, 24 Oct 2025 14:49:52 +0000 (16:49 +0200)] 
hw/qdev: Have qdev_get_gpio_out_connector() take const DeviceState arg

This getter doesn't update any DeviceState internal fields,
make it const.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20251024190416.8803-2-philmd@linaro.org>

5 weeks ago hw/pci-host/raven: Simplify PCI bus creation
BALATON Zoltan [Thu, 23 Oct 2025 15:26:25 +0000 (17:26 +0200)] 
hw/pci-host/raven: Simplify PCI bus creation

Instead of doing it manually use pci_register_root_bus() to create and
register the PCI bus. Also drop pci_bus from PREPPCIState and use the
existing bus field in the parent PCIHostState.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <4ffa168d68947d95a16c51d73cedd141b0df0ea0.1761232472.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/pci-host/raven: Use DEFINE_TYPES macro
BALATON Zoltan [Thu, 23 Oct 2025 15:26:24 +0000 (17:26 +0200)] 
hw/pci-host/raven: Use DEFINE_TYPES macro

Convert to using DEFINE_TYPES macro and move raven_pcihost_class_init
so methods of each object are grouped together.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <4ff8a3e1de847846f08d9ea6b389efeb3eb12aed.1761232472.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/pci-host/raven: Simplify host bridge type declaration
BALATON Zoltan [Thu, 23 Oct 2025 15:26:23 +0000 (17:26 +0200)] 
hw/pci-host/raven: Simplify host bridge type declaration

Use OBJECT_DECLARE_SIMPLE_TYPE macro instead of open coding it and
change state struct name to match the previous typedef.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <e14793737092eac0642aa87214801a1f4bb1e2e7.1761232472.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/pci-host/raven: Simplify PCI facing part
BALATON Zoltan [Thu, 23 Oct 2025 15:26:22 +0000 (17:26 +0200)] 
hw/pci-host/raven: Simplify PCI facing part

The raven PCI device does not need a state struct as it has no data to
store there any more, so we can remove that to simplify code.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <3c4cb144c24a2a729669549c4c0e6e47d230e68e.1761232472.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/pci-host/raven: Simplify creating PCI facing part
BALATON Zoltan [Thu, 23 Oct 2025 15:26:21 +0000 (17:26 +0200)] 
hw/pci-host/raven: Simplify creating PCI facing part

There is no need to init and realize the PCI facing part of the host
bridge separately as it does not expose any properties that need to be
available before realize. It can be simplified using pci_create_simple.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <5a60e395d72e5eb4d01093434fbb645d72ac567a.1761232472.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago migration/vmstate: remove VMSTATE_BUFFER_POINTER_UNSAFE macro
Michael Tokarev [Thu, 23 Oct 2025 13:53:10 +0000 (16:53 +0300)] 
migration/vmstate: remove VMSTATE_BUFFER_POINTER_UNSAFE macro

The only user of this macro was VirtIONet.vlans, which has been
converted to regular VMSTATE_BUFFER.

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Peter Xu <peterx@redhat.com>
Message-ID: <20251023135316.31128-3-mjt@tls.msk.ru>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/net/virtio-net: make VirtIONet.vlans an array instead of a pointer
Michael Tokarev [Thu, 23 Oct 2025 13:53:09 +0000 (16:53 +0300)] 
hw/net/virtio-net: make VirtIONet.vlans an array instead of a pointer

This field is a fixed-size buffer (number of elements is MAX_VLAN,
known at build time).  There's no need to allocate it dynamically,
it can be made an integral part of VirtIONet structure.

This field is the only user of VMSTATE_BUFFER_POINTER_UNSAFE() macro.

Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Tested-by: Lei Yang <leiyang@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Message-ID: <20251023135316.31128-2-mjt@tls.msk.ru>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago qom: remove redundant typedef when use OBJECT_DECLARE_SIMPLE_TYPE
Nguyen Dinh Phi [Thu, 23 Oct 2025 06:34:28 +0000 (14:34 +0800)] 
qom: remove redundant typedef when use OBJECT_DECLARE_SIMPLE_TYPE

When OBJECT_DECLARE_SIMPLE_TYPE is used, it automatically provides
the typedef, so we don’t have to define it ourselves.

Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20251023063429.1400398-1-phind.uet@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago target/hppa: Set FPCR exception flag bits for non-trapped exceptions
Peter Maydell [Fri, 17 Oct 2025 08:53:50 +0000 (09:53 +0100)] 
target/hppa: Set FPCR exception flag bits for non-trapped exceptions

In commit ebd394948de4e8 ("target/hppa: Fix FPE exceptions") when
we added the code for setting up the registers correctly on trapping
FP exceptions, we accidentally broke the handling of the flag bits
for non-trapping exceptions.

In update_fr0_op() we incorrectly zero out the flag bits and the C
bit, so any fp operation would clear previously set flag bits. We
also stopped setting the flag bits when the fp operation raises
an exception and the trap is not enabled.

Adjust the code so that we set the Flag bits for every exception that
happened and where the trap is not enabled.  (This is the correct
behaviour for the case where an instruction triggers two exceptions,
one of which traps and one of which does not; that can only happen
for inexact + underflow or inexact + overflow.)

Cc: qemu-stable@nongnu.org
Fixes: ebd394948de4e8 ("target/hppa: Fix FPE exceptions")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3158
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Helge Deller <deller@gmx.de>
Tested-by: Helge Deller <deller@gmx.de>
Message-ID: <20251017085350.895681-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/hppa: Add 715 machine type including NCR710 SCSI
Helge Deller [Sat, 25 Oct 2025 09:30:39 +0000 (11:30 +0200)] 
hw/hppa: Add 715 machine type including NCR710 SCSI

Add a new emulation for a 715/64 machine.
This machine has no PCI bus, and has the majority of the devices (SCSI,
network, serial ports, ...) provided by a LASI multi-function I/O chip.

Signed-off-by: Helge Deller <deller@gmx.de>
5 weeks ago hw/hppa: Require SeaBIOS version 19 for 715 machine
Helge Deller [Tue, 14 Oct 2025 21:15:53 +0000 (23:15 +0200)] 
hw/hppa: Require SeaBIOS version 19 for 715 machine

Require at least SeaBIOS version 19 before adding the 715 machine.  This is
required, because the machine inventory of the 715 is provided by the SeaBIOS
firmware.

Signed-off-by: Helge Deller <deller@gmx.de>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
5 weeks ago hw/hppa: PCI devices depend on availability of PCI bus
Helge Deller [Sat, 25 Oct 2025 09:22:45 +0000 (11:22 +0200)] 
hw/hppa: PCI devices depend on availability of PCI bus

Only create the PCI serial ports (DIVA) and PCI network cards when there is
actually a PCI bus. The shortly added 715 machine will not have a PCI bus, so
avoid creating further PCI devices.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
5 weeks ago hw/hppa: Add NCR 710 SCSI driver to LASI chip Kconfig entry
Helge Deller [Sat, 25 Oct 2025 09:11:23 +0000 (11:11 +0200)] 
hw/hppa: Add NCR 710 SCSI driver to LASI chip Kconfig entry

The LASI chip is a multi I/O chip used in many older PA-RISC machines.
It includes functionality for NCR710 SCSI, serial, parallel, audio,
i82596 networking and PS/2 ports.

Add the functionality for NCR710_SCSI to the LASI Kconfig option
and move over the relevant parts from the generic HPPA_B160L Kconfig
option to get the dependency right.

Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Helge Deller <deller@gmx.de>
5 weeks ago hw/hppa: Fix interrupt of LASI parallel port
Helge Deller [Tue, 14 Oct 2025 20:59:05 +0000 (22:59 +0200)] 
hw/hppa: Fix interrupt of LASI parallel port

Fix wrong assignment where the LASI parallel port was using the IRQ line of the
LASI LAN card.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/hppa: Fix firmware end address for LASI chip
Helge Deller [Tue, 14 Oct 2025 20:48:07 +0000 (22:48 +0200)] 
hw/hppa: Fix firmware end address for LASI chip

The base address of a LASI chip on a 715 machine starts at HPA
0xf0100000.  Make sure that the firmware does not extend beyond that
address, otherwise it's not possible to access the LASI ports.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
5 weeks ago hw/scsi: Add config option for new ncr710 driver
Soumyajyotii Ssarkar [Tue, 14 Oct 2025 20:46:15 +0000 (22:46 +0200)] 
hw/scsi: Add config option for new ncr710 driver

Add config option and wire up in meson makefile.

Signed-off-by: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
5 weeks ago lasi: Forward LASI SCSI ports to NCR 53c710 driver
Soumyajyotii Ssarkar [Tue, 14 Oct 2025 20:44:16 +0000 (22:44 +0200)] 
lasi: Forward LASI SCSI ports to NCR 53c710 driver

Signed-off-by: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>
Reviewed-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
5 weeks ago ncr710: Add driver for the NCR 53c710 SCSI chip
Soumyajyotii Ssarkar [Tue, 14 Oct 2025 20:40:18 +0000 (22:40 +0200)] 
ncr710: Add driver for the NCR 53c710 SCSI chip

Add an emulation for the NCR 53c710 SCSI chip.
This SCSI chip was used widely in historic machines, e.g. as SCSI core
in the LASI controller in HP PA-RISC machines.

This driver was developed as part of the Google Summer of Code 2025 program.

Signed-off-by: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>
Reviewed-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
5 weeks ago lasi_ncr710: Add LASI wrapper for NCR 53c710 SCSI chip
Soumyajyotii Ssarkar [Tue, 14 Oct 2025 20:40:18 +0000 (22:40 +0200)] 
lasi_ncr710: Add LASI wrapper for NCR 53c710 SCSI chip

The LASI multi I/O chip in older PA-RISC machines includes a SCSI
core based on the NCR 53c710 SCSI chip.
This driver adds the glue code to talk to the NCR710 via LASI.

This driver was developed as part of the Google Summer of Code 2025 program.

Signed-off-by: Soumyajyotii Ssarkar <soumyajyotisarkar23@gmail.com>
Reviewed-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
5 weeks ago hw/scsi: avoid deadlock upon TMF request cancelling with VirtIO
Fiona Ebner [Fri, 17 Oct 2025 09:43:30 +0000 (11:43 +0200)] 
hw/scsi: avoid deadlock upon TMF request cancelling with VirtIO

When scsi_req_dequeue() is reached via
scsi_req_cancel_async()
virtio_scsi_tmf_cancel_req()
virtio_scsi_do_tmf_aio_context(),
there is a deadlock when trying to acquire the SCSI device's requests
lock, because it was already acquired in
virtio_scsi_do_tmf_aio_context().

In particular, the issue happens with a FreeBSD guest (13, 14, 15,
maybe more), when it cancels SCSI requests, because of timeout.

This is a regression caused by commit da6eebb33b ("virtio-scsi:
perform TMFs in appropriate AioContexts") and the introduction of the
requests_lock earlier.

To fix the issue, only cancel the requests after releasing the
requests_lock. For this, the SCSI device's requests are iterated while
holding the requests_lock and the requests to be cancelled are
collected in a list. Then, the collected requests are cancelled
one by one while not holding the requests_lock. This is safe, because
only requests from the current AioContext are collected and acted
upon.

Originally reported by Proxmox VE users:
https://bugzilla.proxmox.com/show_bug.cgi?id=6810
https://forum.proxmox.com/threads/173914/

Fixes: da6eebb33b ("virtio-scsi: perform TMFs in appropriate AioContexts")
Suggested-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Message-id: 20251017094518.328905-1-f.ebner@proxmox.com
[Changed g_list_append() to g_list_prepend() to avoid traversing the
list each time.
--Stefan]
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
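
The locking pattern described in the commit message above, as an added example that is not QEMU's code: a single-threaded C model in which a non-recursive lock reports `EDEADLK` on re-acquisition instead of hanging. All names (`Lock`, `Req`, `Dev`, `tmf_cancel_locked`, `tmf_cancel_collect`, `demo`) are hypothetical, and requests live in static storage, so keeping collected requests alive is not modelled.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model of a non-recursive lock: a second acquire by the holder returns
 * -EDEADLK instead of blocking forever, so the bug is observable. */
typedef struct { bool held; } Lock;

static int lock_acquire(Lock *l)
{
    if (l->held) {
        return -EDEADLK;
    }
    l->held = true;
    return 0;
}

static void lock_release(Lock *l) { l->held = false; }

typedef struct Req {
    int ctx;                 /* owning context id (hypothetical) */
    struct Req *next;        /* link in the device's request list */
    struct Req *next_cancel; /* link in the private to-cancel list */
} Req;

typedef struct {
    Lock requests_lock;
    Req *requests;
} Dev;

/* Removes a request from the device list; takes requests_lock itself. */
static int req_dequeue(Dev *d, Req *r)
{
    int rc = lock_acquire(&d->requests_lock);
    if (rc) {
        return rc;
    }
    for (Req **pp = &d->requests; *pp; pp = &(*pp)->next) {
        if (*pp == r) {
            *pp = r->next;
            r->next = NULL;
            break;
        }
    }
    lock_release(&d->requests_lock);
    return 0;
}

/* Before: cancel while iterating under the lock. The nested dequeue
 * re-acquires requests_lock, which is the self-deadlock. */
static int tmf_cancel_locked(Dev *d, int ctx)
{
    int n = 0;
    int rc = lock_acquire(&d->requests_lock);
    if (rc) {
        return rc;
    }
    for (Req *r = d->requests; r; r = r->next) {
        if (r->ctx == ctx) {
            rc = req_dequeue(d, r);
            if (rc) {
                break;
            }
            n++;
        }
    }
    lock_release(&d->requests_lock);
    return rc ? rc : n;
}

/* After: collect matching requests under the lock (prepending, so no
 * list traversal per element), release, then cancel one by one. */
static int tmf_cancel_collect(Dev *d, int ctx)
{
    Req *to_cancel = NULL;
    int n = 0;
    int rc = lock_acquire(&d->requests_lock);
    if (rc) {
        return rc;
    }
    for (Req *r = d->requests; r; r = r->next) {
        if (r->ctx == ctx) {
            r->next_cancel = to_cancel;
            to_cancel = r;
        }
    }
    lock_release(&d->requests_lock);

    while (to_cancel) {
        Req *r = to_cancel;
        to_cancel = r->next_cancel;
        r->next_cancel = NULL;
        rc = req_dequeue(d, r);
        if (rc) {
            return rc;
        }
        n++;
    }
    return n;
}

/* Constructed scenario: three requests, two of them in context 1.
 * Returns the cancel result and reports how many requests remain queued. */
static int demo(bool collect_first, int *still_queued)
{
    Req reqs[3] = { { .ctx = 1 }, { .ctx = 2 }, { .ctx = 1 } };
    Dev d = { .requests_lock = { false }, .requests = NULL };
    for (int i = 2; i >= 0; i--) {
        reqs[i].next = d.requests;
        d.requests = &reqs[i];
    }
    int rc = collect_first ? tmf_cancel_collect(&d, 1)
                           : tmf_cancel_locked(&d, 1);
    int n = 0;
    for (Req *r = d.requests; r; r = r->next) {
        n++;
    }
    *still_queued = n;
    return rc;
}

int main(void)
{
    int queued;
    int rc = demo(false, &queued);
    printf("cancel under lock: rc=%d, still queued=%d\n", rc, queued);
    rc = demo(true, &queued);
    printf("collect then cancel: rc=%d, still queued=%d\n", rc, queued);
    return 0;
}
```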
5 weeks ago Merge tag 'next-pr-pull-request' of https://gitlab.com/berrange/qemu into staging
Richard Henderson [Sat, 25 Oct 2025 08:42:55 +0000 (10:42 +0200)] 
Merge tag 'next-pr-pull-request' of https://gitlab.com/berrange/qemu into staging

Merge misc, crypto and I/O subsystems changes

 * Fix use after free in websocket handshake (CVE-2025-11234)
 * Improved stack traces for fatal errors/aborts raised for
   user creatable objects
 * Stop requiring 'key encipherment' usage in x509 certs
 * Only sanity check CA certs needed in the chain of trust
 * Allow intermediate CA certs to be present in client/server
   cert file
 * Fix regression propagating errors in premature shutdown
   of TLS connections

# gpg: Signature made Fri 24 Oct 2025 05:39:00 PM CEST
# gpg:                using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [unknown]
# gpg:                 aka "Daniel P. Berrange <berrange@redhat.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E  8E3F BE86 EBB4 1510 4FDF

* tag 'next-pr-pull-request' of https://gitlab.com/berrange/qemu:
  crypto: switch to newer gnutls API for distinguished name
  crypto: stop requiring "key encipherment" usage in x509 certs
  crypto: allow client/server cert chains
  crypto: fix error reporting in cert chain checks
  crypto: validate an error is reported in test expected fails
  crypto: remove extraneous pointer usage in gnutls certs
  crypto: only verify CA certs in chain of trust
  io: fix use after free in websocket handshake code
  io: move websock resource release to close method
  io: release active GSource in TLS channel finalizer
  tests: use macros for registering char tests for sockets
  qom: use ERRP_GUARD in user_creatable_complete
  crypto: propagate Error object on premature termination

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
5 weeks ago crypto: switch to newer gnutls API for distinguished name
Daniel P. Berrangé [Fri, 11 Jul 2025 12:21:34 +0000 (13:21 +0100)] 
crypto: switch to newer gnutls API for distinguished name

The new API automatically allocates the right amount of memory
to hold the distinguished name, avoiding the need to loop and
realloc.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago crypto: stop requiring "key encipherment" usage in x509 certs
Daniel P. Berrangé [Tue, 1 Jul 2025 17:33:21 +0000 (18:33 +0100)] 
crypto: stop requiring "key encipherment" usage in x509 certs

This usage flag was deprecated by RFC8813, such that it is
forbidden to be present for certs using ECDSA/ECDH algorithms,
and in TLS 1.3 is conceptually obsolete.

As such many valid certs will no longer have this key usage
flag set, and QEMU should not be rejecting them, as this
prevents use of otherwise valid & desirable algorithms.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago crypto: allow client/server cert chains
matoro [Mon, 13 Feb 2023 18:00:49 +0000 (13:00 -0500)] 
crypto: allow client/server cert chains

The existing implementation assumes that client/server certificates are
single individual certificates.  If using publicly-issued certificates,
or internal CAs that use an intermediate issuer, this is unlikely to be
the case, and they will instead be certificate chains.  While this can
be worked around by moving the intermediate certificates to the CA
certificate, which DOES currently support multiple certificates, this
instead allows the issued certificate chains to be used as-is, without
requiring the overhead of shuffling certificates around.

Corresponding libvirt change is available here:
https://gitlab.com/libvirt/libvirt/-/merge_requests/222

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: matoro <matoro_mailinglist_qemu@matoro.tk>
[DB: adapted for code conflicts with multi-CA patch]
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago crypto: fix error reporting in cert chain checks
Daniel P. Berrangé [Wed, 9 Jul 2025 07:36:22 +0000 (08:36 +0100)] 
crypto: fix error reporting in cert chain checks

The loop that checks the CA certificate chain can fail to report
an error message if one of the certs in the chain has an issuer
that is not present in the chain. In this case, the outer loop
'while (checking_issuer)' will terminate after failing to find
the issuer, and no error message will be reported.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago crypto: validate an error is reported in test expected fails
Daniel P. Berrangé [Mon, 20 Oct 2025 14:04:39 +0000 (15:04 +0100)] 
crypto: validate an error is reported in test expected fails

There was a bug where TLS x509 credentials validation failed
to fill out the Error object. Validate this in the failure
scenarios.

Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago crypto: remove extraneous pointer usage in gnutls certs
Daniel P. Berrangé [Fri, 11 Jul 2025 12:30:07 +0000 (13:30 +0100)] 
crypto: remove extraneous pointer usage in gnutls certs

The 'gnutls_x509_crt_t' type is already a pointer, not a struct,
so the extra level of pointer indirection is not needed.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago crypto: only verify CA certs in chain of trust
Henry Kleynhans [Wed, 22 Dec 2021 15:06:00 +0000 (15:06 +0000)] 
crypto: only verify CA certs in chain of trust

The CA file provided to qemu may contain CA certificates which do not
form part of the chain of trust for the specific certificate we are
sanity checking.

This patch changes the sanity checking from validating every CA
certificate to only checking the CA certificates which are part of the
chain of trust (issuer chain).  Other certificates are ignored.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Henry Kleynhans <hkleynhans@fb.com>
[DB: changed 'int' to 'bool' in 'checking_issuer' variable]
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
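
The two chain-check commits above, as an added example that is not QEMU's code: the check walks only the issuer chain of the certificate under test, and every failing path, including a missing issuer, sets an error message. struct cert, cert_ok(), check_chain() and the sample certificates are constructed for this illustration.

```c
/* Added example: model of an issuer-chain sanity check. Not QEMU code;
 * struct cert, cert_ok() and check_chain() are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct cert {
    const char *subject;
    const char *issuer;
    bool is_ca;    /* basicConstraints CA flag */
    bool expired;  /* stand-in for the real per-certificate checks */
};

/* Per-certificate sanity check; always fills err on failure. */
static bool cert_ok(const struct cert *c, bool want_ca, char *err, size_t len)
{
    if (c->expired) {
        snprintf(err, len, "certificate %s has expired", c->subject);
        return false;
    }
    if (want_ca && !c->is_ca) {
        snprintf(err, len, "certificate %s is not a CA", c->subject);
        return false;
    }
    return true;
}

/* Check leaf and only the CAs on its issuer chain.
 * Returns 0 on success, -1 with err set on every failure path. */
int check_chain(const struct cert *leaf, const struct cert *cas, size_t ncas,
                char *err, size_t len)
{
    const struct cert *cur = leaf;

    err[0] = '\0';
    if (!cert_ok(leaf, false, err, len)) {
        return -1;
    }
    for (size_t depth = 0; depth <= ncas; depth++) {
        const struct cert *issuer = NULL;

        for (size_t i = 0; i < ncas; i++) {
            if (strcmp(cas[i].subject, cur->issuer) == 0) {
                issuer = &cas[i];
                break;
            }
        }
        if (issuer == NULL) {
            /* The path that must not fall through silently. */
            snprintf(err, len, "issuer %s of %s is not in the CA file",
                     cur->issuer, cur->subject);
            return -1;
        }
        if (!cert_ok(issuer, true, err, len)) {
            return -1;
        }
        if (strcmp(issuer->subject, issuer->issuer) == 0) {
            return 0; /* reached a self-signed root */
        }
        cur = issuer;
    }
    snprintf(err, len, "issuer loop detected for %s", leaf->subject);
    return -1;
}

/* Constructed sample data: a three-level chain plus an unrelated CA. */
static const struct cert sample_cas[] = {
    { "CN=Root",       "CN=Root",       true, false },
    { "CN=Issuing CA", "CN=Root",       true, false },
    { "CN=Retired CA", "CN=Retired CA", true, true  }, /* not in the chain */
};
static const struct cert sample_leaf = { "CN=server", "CN=Issuing CA", false, false };

int main(void)
{
    char err[128];
    int rc = check_chain(&sample_leaf, sample_cas, 3, err, sizeof(err));
    printf("full CA file: rc=%d err='%s'\n", rc, err);
    rc = check_chain(&sample_leaf, sample_cas + 1, 1, err, sizeof(err));
    printf("root missing: rc=%d err='%s'\n", rc, err);
    return 0;
}
```

The expired "CN=Retired CA" entry never affects the result because it is not an issuer of the certificate being checked.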
5 weeks ago io: fix use after free in websocket handshake code
Daniel P. Berrangé [Tue, 30 Sep 2025 11:03:15 +0000 (12:03 +0100)] 
io: fix use after free in websocket handshake code

If the QIOChannelWebsock object is freed while it is waiting to
complete a handshake, a GSource is leaked. This can lead to the
callback firing later on and triggering a use-after-free in the
use of the channel. This was observed in the VNC server with the
following trace from valgrind:

==2523108== Invalid read of size 4
==2523108==    at 0x4054A24: vnc_disconnect_start (vnc.c:1296)
==2523108==    by 0x4054A24: vnc_client_error (vnc.c:1392)
==2523108==    by 0x4068A09: vncws_handshake_done (vnc-ws.c:105)
==2523108==    by 0x44863B4: qio_task_complete (task.c:197)
==2523108==    by 0x448343D: qio_channel_websock_handshake_io (channel-websock.c:588)
==2523108==    by 0x6EDB862: UnknownInlinedFun (gmain.c:3398)
==2523108==    by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249)
==2523108==    by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237)
==2523108==    by 0x45EC79F: glib_pollfds_poll (main-loop.c:287)
==2523108==    by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310)
==2523108==    by 0x45EC79F: main_loop_wait (main-loop.c:589)
==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
==2523108==    by 0x454F300: qemu_default_main (main.c:37)
==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
==2523108==  Address 0x57a6e0dc is 28 bytes inside a block of size 103,608 free'd
==2523108==    at 0x5F2FE43: free (vg_replace_malloc.c:989)
==2523108==    by 0x6EDC444: g_free (gmem.c:208)
==2523108==    by 0x4053F23: vnc_update_client (vnc.c:1153)
==2523108==    by 0x4053F23: vnc_refresh (vnc.c:3225)
==2523108==    by 0x4042881: dpy_refresh (console.c:880)
==2523108==    by 0x4042881: gui_update (console.c:90)
==2523108==    by 0x45EFA1B: timerlist_run_timers.part.0 (qemu-timer.c:562)
==2523108==    by 0x45EFC8F: timerlist_run_timers (qemu-timer.c:495)
==2523108==    by 0x45EFC8F: qemu_clock_run_timers (qemu-timer.c:576)
==2523108==    by 0x45EFC8F: qemu_clock_run_all_timers (qemu-timer.c:663)
==2523108==    by 0x45EC765: main_loop_wait (main-loop.c:600)
==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
==2523108==    by 0x454F300: qemu_default_main (main.c:37)
==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
==2523108==  Block was alloc'd at
==2523108==    at 0x5F343F3: calloc (vg_replace_malloc.c:1675)
==2523108==    by 0x6EE2F81: g_malloc0 (gmem.c:133)
==2523108==    by 0x4057DA3: vnc_connect (vnc.c:3245)
==2523108==    by 0x448591B: qio_net_listener_channel_func (net-listener.c:54)
==2523108==    by 0x6EDB862: UnknownInlinedFun (gmain.c:3398)
==2523108==    by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249)
==2523108==    by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237)
==2523108==    by 0x45EC79F: glib_pollfds_poll (main-loop.c:287)
==2523108==    by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310)
==2523108==    by 0x45EC79F: main_loop_wait (main-loop.c:589)
==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
==2523108==    by 0x454F300: qemu_default_main (main.c:37)
==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
==2523108==

The above can be reproduced by launching QEMU with

  $ qemu-system-x86_64 -vnc localhost:0,websocket=5700

and then repeatedly running:

  for i in {1..100}; do
     (echo -n "GET / HTTP/1.1" && sleep 0.05) | nc -w 1 localhost 5700 &
  done

CVE-2025-11234
Reported-by: Grant Millar | Cylo <rid@cylo.io>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago io: move websock resource release to close method
Daniel P. Berrangé [Tue, 30 Sep 2025 10:58:35 +0000 (11:58 +0100)] 
io: move websock resource release to close method

The QIOChannelWebsock object releases all its resources in the
finalize callback. This is later than desired, as callers expect
to be able to call qio_channel_close() to fully close a channel
and release resources related to I/O.

The logic in the finalize method is at most a failsafe to handle
cases where a consumer forgets to call qio_channel_close.

This adds equivalent logic to the close method to release the
resources, using g_clear_handle_id/g_clear_pointer to be robust
against repeated invocations. The finalize method is tweaked
so that the GSource is removed before releasing the underlying
channel.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
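
The lifetime problem described in the two websocket commits above, as an added example that is neither GLib nor QEMU code: a toy source table stands in for the main loop, and clear_handle_id() mirrors the contract of g_clear_handle_id() (no-op on 0, zeroes the tag). All names are hypothetical; the callback only counts stale invocations instead of touching freed memory.

```c
/* Added example, not GLib or QEMU code; all names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_SOURCES 4
typedef void (*source_cb)(void *opaque);
struct source { source_cb cb; void *opaque; };
struct channel { unsigned hs_tag; char *iobuf; bool closed; };

static struct source sources[MAX_SOURCES]; /* toy main-loop source table */
static int stale_callbacks;  /* callbacks that ran on a closed channel */

/* Register a callback; returns a non-zero tag, or 0 if the table is full. */
static unsigned source_add(source_cb cb, void *opaque)
{
    for (unsigned i = 0; i < MAX_SOURCES; i++) {
        if (sources[i].cb == NULL) {
            sources[i] = (struct source){ cb, opaque };
            return i + 1;
        }
    }
    return 0;
}

/* Same contract as g_clear_handle_id(): no-op on 0, zeroes the tag. */
static void clear_handle_id(unsigned *tag)
{
    if (*tag != 0) {
        sources[*tag - 1].cb = NULL;
        *tag = 0;
    }
}

/* One loop iteration: each pending source fires once and is dropped. */
static void dispatch_all(void)
{
    for (unsigned i = 0; i < MAX_SOURCES; i++) {
        struct source s = sources[i];
        sources[i].cb = NULL;
        if (s.cb != NULL) {
            s.cb(s.opaque);
        }
    }
}

static void handshake_io(void *opaque)
{
    struct channel *c = opaque;
    if (c->closed) {
        stale_callbacks++; /* real code would touch released state here */
    }
}

/* remove_source=false models the behaviour before the fix: I/O state is
 * released but the handshake source stays registered. */
static void channel_close(struct channel *c, bool remove_source)
{
    if (remove_source) {
        clear_handle_id(&c->hs_tag);
    }
    free(c->iobuf);
    c->iobuf = NULL;
    c->closed = true;
}

/* Close a channel mid-handshake, run the loop, count stale callbacks. */
int stale_after_close(bool fixed)
{
    struct channel c = { 0, malloc(64), false };
    stale_callbacks = 0;
    c.hs_tag = source_add(handshake_io, &c);
    channel_close(&c, fixed);
    channel_close(&c, fixed); /* a second close must be harmless */
    dispatch_all();
    return stale_callbacks;
}

int main(void)
{
    printf("before: %d, after: %d\n", stale_after_close(false), stale_after_close(true));
    return 0;
}
```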
5 weeks ago io: release active GSource in TLS channel finalizer
Daniel P. Berrangé [Fri, 3 Oct 2025 13:22:12 +0000 (14:22 +0100)] 
io: release active GSource in TLS channel finalizer

While code is supposed to call qio_channel_close() before releasing the
last reference on a QIOChannel, this is not guaranteed. QIOChannelFile
and QIOChannelSocket both clean up resources in their finalizer if the
close operation was missed.

This ensures the TLS channel will do the same failsafe cleanup.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago tests: use macros for registering char tests for sockets
Daniel P. Berrangé [Thu, 3 Mar 2022 16:34:51 +0000 (16:34 +0000)] 
tests: use macros for registering char tests for sockets

The test-char.c has a couple of helper macros for registering tests that
need to be repeated for both IP and UNIX sockets. One test case was not
using the macro though.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago qom: use ERRP_GUARD in user_creatable_complete
Daniel P. Berrangé [Fri, 1 Aug 2025 16:39:58 +0000 (17:39 +0100)] 
qom: use ERRP_GUARD in user_creatable_complete

With error_propagate, the stack trace from any error_abort/fatal
usage will start from the error_propagate() call, which is largely
useless. Using ERRP_GUARD ensures the stack trace starts from
the origin that reported the error.

Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago crypto: propagate Error object on premature termination
Daniel P. Berrangé [Mon, 6 Oct 2025 18:46:21 +0000 (19:46 +0100)] 
crypto: propagate Error object on premature termination

The way that premature termination was handled in TLS connections was
changed to handle an ordering problem during graceful shutdown in the
migration code.

Unfortunately one of the codepaths returned -1 to indicate an error
condition, but failed to set the 'errp' parameter.

This broke error handling in the qio_channel_tls_handshake function,
as the QTask callback would no longer see that an error was raised.
As a result, the client will go on to try to use the already closed
TLS connection, resulting in misleading errors.

This was evidenced in the I/O test 233 which showed changes such as

-qemu-nbd: Certificate does not match the hostname localhost
+qemu-nbd: Failed to read initial magic: Unable to read from socket: Connection reset by peer

Fixes: 7e0c22d585581b8083ffdeb332ea497218665daf
Acked-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago Merge tag 'pull-riscv-to-apply-20251024' of https://github.com/alistair23/qemu into...
Richard Henderson [Fri, 24 Oct 2025 08:53:02 +0000 (10:53 +0200)] 
Merge tag 'pull-riscv-to-apply-20251024' of https://github.com/alistair23/qemu into staging

Second RISC-V PR for 10.2

* Correct mmu-type property of sifive_u harts in device tree
* Centralize MO_TE uses in a pair of helpers
* Fix Ethernet interface support for microchip-icicle-kit
* Fix mask for smsiaddrcfgh
* Fix env->priv setting in reset_regs_csr()
* Coverity-related fixes
* Fix riscv_cpu_sirq_pending() mask
* Fix a uninitialized variable warning
* Make PMP granularity configurable

# gpg: Signature made Fri 24 Oct 2025 01:47:10 AM CEST
# gpg:                using RSA key 6AE902B6A7CA877D6D659296AF7C95130C538013
# gpg: Good signature from "Alistair Francis <alistair@alistair23.me>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6AE9 02B6 A7CA 877D 6D65  9296 AF7C 9513 0C53 8013

* tag 'pull-riscv-to-apply-20251024' of https://github.com/alistair23/qemu: (25 commits)
  target/riscv: Make PMP CSRs conform to WARL constraints
  target/riscv: Make PMP granularity configurable
  target/riscv: Fix a uninitialized variable warning
  target/riscv: fix riscv_cpu_sirq_pending() mask
  target/riscv/riscv-qmp-cmds.c: coverity-related fixes
  target/riscv/kvm: fix env->priv setting in reset_regs_csr()
  hw/intc: Allow gaps in hartids for aclint and aplic
  aplic: fix mask for smsiaddrcfgh
  microchip icicle: Enable PCS on Cadence Ethernet
  hw/net/cadence_gem: Add pcs-enabled property
  hw/riscv: microchip_pfsoc: Connect Ethernet PHY channels
  hw/net/cadence_gem: Support two Ethernet interfaces connected to single MDIO bus
  target/riscv: Introduce mo_endian_env() helper
  target/riscv: Introduce mo_endian() helper
  target/riscv: Factor MemOp variable out when MO_TE is set
  target/riscv: Conceal MO_TE|MO_ALIGN within gen_lr() / gen_sc()
  target/riscv: Conceal MO_TE within gen_cmpxchg*()
  target/riscv: Conceal MO_TE within gen_storepair_tl()
  target/riscv: Conceal MO_TE within gen_fload_idx() / gen_fstore_idx()
  target/riscv: Conceal MO_TE within gen_load_idx() / gen_store_idx()
  ...

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
5 weeks ago target/riscv: Make PMP CSRs conform to WARL constraints
Jay Chang [Wed, 22 Oct 2025 02:41:41 +0000 (10:41 +0800)] 
target/riscv: Make PMP CSRs conform to WARL constraints

This patch ensures pmpcfg and pmpaddr comply with WARL constraints.

When the PMP granularity is greater than 4 bytes, NA4 mode is not valid
per the spec and will be silently ignored.

According to the spec, changing pmpcfg.A only affects the "read" value
of pmpaddr. When G > 2 and pmpcfg.A is NAPOT, bits pmpaddr[G-2:0] read
as all ones. When G > 1 and pmpcfg.A is OFF or TOR, bits pmpaddr[G-1:0]
read as all zeros. This allows software to read back the correct
granularity value.

In addition, when updating the PMP address rule in TOR mode,
the start and end addresses of the PMP region should be aligned
to the PMP granularity. (The current SPEC only states in TOR mode
that bits pmpaddr[G-1:0] do not affect the TOR address-matching logic.)

Signed-off-by: Jay Chang <jay.chang@sifive.com>
Reviewed-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Jim Shu <jim.shu@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251022024141.42178-3-jay.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Make PMP granularity configurable
Jay Chang [Wed, 22 Oct 2025 02:41:40 +0000 (10:41 +0800)] 
target/riscv: Make PMP granularity configurable

Previously, the PMP granularity in qemu always used a minimum
granularity of 4 bytes; this patch adds pmp-granularity to allow
platforms to configure the value.

A new CPU parameter pmp-granularity has been introduced to the QEMU
command line. For example:

        -cpu rv64,g=true,c=true,pmp=true,pmp-granularity=1024

If no specific value is provided, the default value is 4 bytes.

Signed-off-by: Jay Chang <jay.chang@sifive.com>
Reviewed-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Jim Shu <jim.shu@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251022024141.42178-2-jay.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Fix a uninitialized variable warning
Akihiko Odaki [Tue, 21 Oct 2025 05:07:14 +0000 (14:07 +0900)] 
target/riscv: Fix a uninitialized variable warning

riscv_cpu_validate_v() left its variable, min_vlen, uninitialized if
no vector extension is available, causing a compiler warning.

Re-define riscv_cpu_validate_v() as no-op when no vector extension is
available to prevent the scenario that will read the uninitialized
variable by construction. It also simplifies its caller as a bonus.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Message-ID: <20251021-vlen-v2-1-1fb581d4c6bf@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: fix riscv_cpu_sirq_pending() mask
Daniel Henrique Barboza [Wed, 22 Oct 2025 12:43:40 +0000 (09:43 -0300)] 
target/riscv: fix riscv_cpu_sirq_pending() mask

We're filtering out (MIP_VSSIP | MIP_VSTIP | MIP_VSEIP) from S-mode
pending interrupts without apparent reason. There's no special treatment
for these ints as far as the spec goes, and this filtering is causing
read_stopi() to miss those VS interrupts [1].

We shouldn't return delegated VS interrupts in S-mode though, so change
the current mask with "~env->hideleg". Note that this is the same
handling we're doing in riscv_cpu_mirq_pending() and env->mideleg.

[1] https://gitlab.com/qemu-project/qemu/-/issues/2820

Closes: https://gitlab.com/qemu-project/qemu/-/issues/2820
Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251022124340.493358-1-dbarboza@ventanamicro.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Cc: qemu-stable@nongnu.org
5 weeks ago target/riscv/riscv-qmp-cmds.c: coverity-related fixes
Daniel Henrique Barboza [Wed, 22 Oct 2025 12:56:43 +0000 (09:56 -0300)] 
target/riscv/riscv-qmp-cmds.c: coverity-related fixes

Coverity CID 1641401 reports that, in reg_is_ulong_integer(), we're
dereferencing a NULL pointer in "reg1" when using it in strcasecmp()
call. A similar case is reported with CID 1641393.

In theory that will never happen - it's guaranteed that both "reg1" and
"reg2" are non-NULL because we're retrieving them in compile-time from
static arrays. Coverity doesn't know that though.

To make Coverity happier and add a bit more clarity in the code,
g_assert() each token to make it clear that those 2 values aren't
supposed to be NULL ever. Do that in both reg_is_ulong_integer() and
reg_is_u64_fpu().

We're also taking the opportunity to implement suggestions made by Peter
in [1] in both functions:

- use g_strsplit() instead of strtok();
- use g_ascii_strcasecmp() instead of strcasecmp().

[1] https://lore.kernel.org/qemu-devel/CAFEAcA_y4bwd9GANbXnpTy2mv80Vg_jp+A-VkQS5V6f0+BFRAA@mail.gmail.com/

Coverity: CID 1641393, 1641401
Fixes: e06d209aa6 ("target/riscv: implement MonitorDef HMP API")
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251022125643.588947-1-dbarboza@ventanamicro.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv/kvm: fix env->priv setting in reset_regs_csr()
Daniel Henrique Barboza [Wed, 22 Oct 2025 11:11:05 +0000 (08:11 -0300)] 
target/riscv/kvm: fix env->priv setting in reset_regs_csr()

This patch was originally made by Gitlab user Bo Gan (@ganboing) 4
months ago in the context of issue [1]. I asked the author to send a
patch to the mailing list ~3 months ago and got no reply. I'm sending
the patch myself because we already missed 10.1 without this fix.

I'll also just post verbatim Bo Gan's comment in the commit msg:

"In RISCV Linux with KVM enabled, gdbstub is broken. The
get_physical_address isn't able to page-walk correctly and resolve the
physical page. This is due to that the vcpu is being treated as starting
in M mode even if KVM enabled. However, with KVM, the vcpu is actually
started in S mode. The mmu_idx will give 3 (M), instead of 1 (S),
resulting in Guest PA == VA (wrong)!"

Set env->priv to PRV_S in kvm_riscv_reset_regs_csr() since the VCPU is
always started in S-mode for KVM.

[1] https://gitlab.com/qemu-project/qemu/-/issues/2991

Cc: qemu-stable@nongnu.org
Closes: https://gitlab.com/qemu-project/qemu/-/issues/2991
Originally-by: Bo Gan (@ganboing in Gitlab)
Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251022111105.483992-1-dbarboza@ventanamicro.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago hw/intc: Allow gaps in hartids for aclint and aplic
Djordje Todorovic [Sat, 18 Oct 2025 15:45:28 +0000 (15:45 +0000)] 
hw/intc: Allow gaps in hartids for aclint and aplic

This is needed for riscv based CPUs by MIPS since those may have
sparse hart-ID layouts. ACLINT and APLIC still assume a dense
range, and if a hart is missing, this causes NULL derefs.

Signed-off-by: Chao-ying Fu <cfu@mips.com>
Signed-off-by: Djordje Todorovic <djordje.todorovic@htecgroup.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251018154522.745788-2-djordje.todorovic@htecgroup.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago aplic: fix mask for smsiaddrcfgh
Jialong Yang [Sat, 11 Oct 2025 00:54:39 +0000 (08:54 +0800)] 
aplic: fix mask for smsiaddrcfgh

 4.5.4. Supervisor MSI address configuration (smsiaddrcfg and
   smsiaddrcfgh)
smsiaddrcfgh:
        bits 22:20 LHXS(WARL)
        bits 11:0  High Base PPN(WARL)

Signed-off-by: Jialong Yang <z_bajeer@yeah.net>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <44f3e0d1.161.199d0c338b0.Coremail.z_bajeer@yeah.net>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Cc: qemu-stable@nongnu.org
5 weeks ago microchip icicle: Enable PCS on Cadence Ethernet
Guenter Roeck [Sat, 4 Oct 2025 20:00:49 +0000 (13:00 -0700)] 
microchip icicle: Enable PCS on Cadence Ethernet

PCS needs to be enabled for SGMII to be supported by the Linux kernel.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251004200049.871646-5-linux@roeck-us.net>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago hw/net/cadence_gem: Add pcs-enabled property
Guenter Roeck [Sat, 4 Oct 2025 20:00:48 +0000 (13:00 -0700)] 
hw/net/cadence_gem: Add pcs-enabled property

The Linux kernel checks the PCS disabled bit in the R_DESCONF register
to determine if SGMII is supported. If the bit is set, SGMII support is
disabled. Since the Microchip Icicle devicetree file configures SGMII
interface mode, enabling the Ethernet interfaces fails when booting
the Linux kernel.

Add pcs-enabled property to let the driver know if PCS should be
enabled. Set the flag to false by default (indicating that PCS is disabled)
to match the existing code.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251004200049.871646-4-linux@roeck-us.net>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago hw/riscv: microchip_pfsoc: Connect Ethernet PHY channels
Guenter Roeck [Sat, 4 Oct 2025 20:00:47 +0000 (13:00 -0700)] 
hw/riscv: microchip_pfsoc: Connect Ethernet PHY channels

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251004200049.871646-3-linux@roeck-us.net>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago hw/net/cadence_gem: Support two Ethernet interfaces connected to single MDIO bus
Guenter Roeck [Sat, 4 Oct 2025 20:00:46 +0000 (13:00 -0700)] 
hw/net/cadence_gem: Support two Ethernet interfaces connected to single MDIO bus

The Microchip PolarFire SoC Icicle Kit supports two Ethernet interfaces.
The PHY on each may be connected to separate MDIO busses, or both may be
connected on the same MDIO bus using different PHY addresses.

To be able to support two PHY instances on a single MDIO bus, two properties
are needed: First, there needs to be a flag indicating if the MDIO bus on
a given Ethernet interface is connected. If not, attempts to read from this
bus must always return 0xffff. Implement this property as phy-connected.
Second, if the MDIO bus on an interface is active, it needs a link to the
consumer interface to be able to provide PHY access for it. Implement this
property as phy-consumer.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251004200049.871646-2-linux@roeck-us.net>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Introduce mo_endian_env() helper
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:44 +0000 (17:50 +0200)] 
target/riscv: Introduce mo_endian_env() helper

mo_endian_env() returns the target endianness from CPUArchState.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-14-philmd@linaro.org>
[ Changes by AF:
 - Only define mo_endian_env() for softmmu
]
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Introduce mo_endian() helper
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:43 +0000 (17:50 +0200)] 
target/riscv: Introduce mo_endian() helper

mo_endian() returns the target endianness from DisasContext.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-13-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Factor MemOp variable out when MO_TE is set
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:42 +0000 (17:50 +0200)] 
target/riscv: Factor MemOp variable out when MO_TE is set

In preparation of automatically replacing the MO_TE flag
in the next commit, use a local @memop variable.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-12-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Conceal MO_TE|MO_ALIGN within gen_lr() / gen_sc()
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:41 +0000 (17:50 +0200)] 
target/riscv: Conceal MO_TE|MO_ALIGN within gen_lr() / gen_sc()

All callers of gen_lr() / gen_sc() set the MO_TE and MO_ALIGN flags.
Set them once in the callees.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-11-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Conceal MO_TE within gen_cmpxchg*()
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:40 +0000 (17:50 +0200)] 
target/riscv: Conceal MO_TE within gen_cmpxchg*()

All callers of gen_cmpxchg() / gen_cmpxchg64() set the MO_TE flag.
Set it once in the callees.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-10-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>