Peter Maydell [Thu, 11 Sep 2025 11:41:01 +0000 (12:41 +0100)]
Merge tag 'pull-request-2025-09-09' of https://gitlab.com/thuth/qemu into staging
* Silence warnings from the undefined-behaviour sanitizer
* Many small improvements to various functional tests
* Remove remainders from storing avocado artifacts in the Gitlab CI
* Keep more meson log files as artifacts in the Gitlab CI instead
* Re-enable -fzero-call-used-regs on OpenBSD
* tag 'pull-request-2025-09-09' of https://gitlab.com/thuth/qemu: (23 commits)
tests/functional: purge scratch dir on test startup
tests/functional: avoid tearDown failure when QEMU dies
tests/functional: avoid duplicate messages on failures
tests/functional: fix infinite loop on console EOF
tests/functional: add vm param to cmd.py helpers
tests/functional: return output from cmd.py helpers
gitlab: prevent duplicated meson log artifacts in test jobs
gitlab: include all junit XML files from meson
gitlab: always include entire of meson-logs directory
gitlab: replace avocado results files with meson results files
tests/functional/arm: Update test ASPEED SDK v09.07 for AST2700 vbootrom
tests/functional/arm: Update test ASPEED SDK v09.07 for AST2600
tests/functional/arm: Update test ASPEED SDK v09.07 for AST2500
tests/functional/arm: Update test ASPEED SDK v03.02 for AST1030
tests/functional: handle URLError when fetching assets
tests/functional: fix formatting of exception args
tests/functional: enable force refresh of cached assets
tests/functional/m68k: Avoid ResourceWarning in the nextcube test
ui/vnc: Fix crash when specifying [vnc] without id in the config file
system/physmem: Silence warning from ubsan
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Thu, 11 Sep 2025 11:40:38 +0000 (12:40 +0100)]
Merge tag 'pull-vfio-20250908' of https://github.com/legoater/qemu into staging
vfio queue:
* Large refactor of the VFIO code to use QOM casts and follow the
current coding style guidelines
* Removal of the deprecated vfio-platform, vfio-calxeda-xgmac and
vfio-amd-xgbe devices
* Fail with error if dma_max_mappings limit is hit
* Added 'x-pci-class-code' property to vfio-user-pci device
* Added a new helper to retrieve a VFIOPCIDevice from a VFIODevice
* Fixed IGD OpRegion detection
* tag 'pull-vfio-20250908' of https://github.com/legoater/qemu: (31 commits)
vfio/pci.h: rename VFIOPCIDevice pdev field to parent_obj
s390x/s390-pci-vfio.c: use QOM casts where appropriate
vfio-user/pci.c: use QOM casts where appropriate
vfio/igd.c: use QOM casts where appropriate
vfio/cpr.c: use QOM casts where appropriate
vfio/pci-quirks.c: use QOM casts where appropriate
vfio/pci.c: use QOM casts where appropriate
vfio/pci.h: update VFIOPCIDevice declaration
vfio-user/pci.c: rename VFIOUserPCIDevice device field to parent_obj
vfio-user/pci.c: use QOM casts where appropriate
vfio-user/pci.c: update VFIOUserPCIDevice declaration
vfio-user/container.h: rename VFIOUserContainer bcontainer field to parent_obj
vfio/container.c: use QOM casts where appropriate
vfio-user/container.h: update VFIOUserContainer declaration
vfio/vfio-container.h: rename VFIOContainer bcontainer field to parent_obj
vfio/spapr.c: use QOM casts where appropriate
ppc/spapr_pci_vfio.c: use QOM casts where appropriate
hw/vfio/container.c: use QOM casts where appropriate
hw/vfio/cpr-legacy.c: use QOM casts where appropriate
vfio/vfio-container.h: update VFIOContainer declaration
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
tests/functional: purge scratch dir on test startup
The test suite purges the scratch dir in the tearDown method, but
if python crashes (or is non-gracefully killed) this won't get run.
Also the user can set QEMU_TEST_KEEP_SCRATCH to disable cleanup.
Purging the scratch dir on startup ensures that tests always run
from a clean state.
Reported-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250908135722.3375580-5-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
tests/functional: avoid tearDown failure when QEMU dies
In a QEMU process under test dies unexpectedly, the 'shutdown'
method may well raise an exception. This causes the tearDown
method to fail, which means any later cleanup code fails to
get run. Most notably the log handlers don't get removed so
the base.log file from an earlier test will get polluted with
messages from any subsequent tests. The tearDown failure also
results in pages of exceptions printed on the console, which
obscures the real failure message / trace printed by the test.
Ignore any shutdown failures in the tearDown method, since any
test which cares about clean shutdown should have already
cleaned up any running VMs. The tearDown method is just there
as a safety net to cleanup resources. The base.log file will
still containing log messages from the failed 'vm.shutdown'
call too.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250908135722.3375580-4-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
tests/functional: avoid duplicate messages on failures
In some scenarios the same tests is mentioned in both the
'res.results.errors' and 'res.results.failures' array returned
by unittest.main(). This was seen when the 'tearDown' method
raised an exception.
In such a case, we printed out the same information about where
to find a log file twice for each test. Track which tests we
have already reported on, to avoid the duplication.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250908135722.3375580-3-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
tests/functional: fix infinite loop on console EOF
The 'recv' method will return an empty byte array, not None, when
the socket has EOF.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250908135722.3375580-2-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
John Levon [Wed, 3 Sep 2025 20:19:30 +0000 (22:19 +0200)]
tests/functional: add vm param to cmd.py helpers
Extend the "vm" parameter of wait_for_console_pattern() to all the other
utility functions; this allows them to be used on a VM other than
test.vm.
Signed-off-by: John Levon <john.levon@nutanix.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20250903201931.168317-3-john.levon@nutanix.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
John Levon [Wed, 3 Sep 2025 20:19:29 +0000 (22:19 +0200)]
tests/functional: return output from cmd.py helpers
Tests might want to look at the whole output from a command execution,
as well as just logging it. Add support for this.
Signed-off-by: John Levon <john.levon@nutanix.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20250903201931.168317-2-john.levon@nutanix.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
gitlab: prevent duplicated meson log artifacts in test jobs
The build jobs will populate build/meson-logs/ with various files
that are added as artifacts.
The test jobs preserve the state of the build jobs, so we must
delete any pre-existing logs to prevent confusion from duplicate
artifacts.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Tested-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250908190901.3571859-5-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
The junit XML file produced by meson does not always have the
name 'testlog.junit.xml' - in the case of 'make check-functional'
there is a 'testlog-thorough.junit.xml' file too.
Improve CI debugging robustness by capturing all junit files that
meson produces.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250908190901.3571859-4-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
gitlab: always include entire of meson-logs directory
There are files besides testlog.txt that may be useful as published
CI artifacts.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250908190901.3571859-3-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
gitlab: replace avocado results files with meson results files
The 'results.xml' file and 'test-results' directory were both outputs
of the avovcado test runner. Since we're now using meson with the new
functional test framework, we must reference meson results files as the
CI artifacts.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250908190901.3571859-2-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
tests/functional: handle URLError when fetching assets
We treat most HTTP errors as non-fatal when fetching assets,
but forgot to handle network level errors. This adds catching
of URLError so that we retry on failure, and will ultimately
trigger graceful skipping in the pre-cache task.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250829142616.2633254-4-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
tests/functional: fix formatting of exception args
The catch-all exception handler forgot the placeholder for
the exception details.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20250829142616.2633254-3-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
tests/functional: enable force refresh of cached assets
If the 'QEMU_TEST_REFRESH_CACHE' environment variable is set, then
ignore any existing cached asset and download a fresh copy.
This can be used to selectively refresh assets if set before running
a single test script.
Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20250829142616.2633254-2-berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Thomas Huth [Fri, 29 Aug 2025 14:20:00 +0000 (16:20 +0200)]
tests/functional/m68k: Avoid ResourceWarning in the nextcube test
Since commit c3fd296cf7b1 ("functional: always enable all python
warnings") we enabled more warnings for the functional tests. This
triggers now a warning in the nextcube test:
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250829142000.62320-1-thuth@redhat.com>
The required "id" is only set up automatically while parsing the command
line, but not when reading the options from the config file.
Thus let's move code that automatically adds the id (if it does not
exist yet) to the init function that needs the id for the first time,
replacing the assert() statement there.
Thomas Huth [Mon, 28 Jul 2025 11:51:51 +0000 (13:51 +0200)]
hw/mips/malta: Silence warning from ubsan
When compiling QEMU with --enable-ubsan there is a undefined behavior
warning when using the malta machine:
hw/mips/malta.c:1200:32: runtime error: addition of unsigned offset
to 0x7fb620600000 overflowed to 0x7fb6205fffff
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hw/mips/malta.c:1200:32
To fix the issue, check the bios_size whether we really loaded the
firmware before trying to byte-swap the instructions here.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250728115152.187728-1-thuth@redhat.com>
OpenBSD 7.7 fixed the problem with the -fzero-call-used-regs on OpenBSD,
see https://github.com/openbsd/src/commit/03eca72d1e030b7a542cd6aec1 for
the fix there.
Suggested-by: Brad Smith <brad@comstyle.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250508144120.163009-6-thuth@redhat.com>
Thomas Huth [Thu, 8 May 2025 14:41:17 +0000 (16:41 +0200)]
hw/display/bcm2835_fb: Move inclusion of console.h to the .c file
The definitions from console.h are not needed in the bcm2835_fb.h
header file yet, so let's move it to the place that really needs
its definitions, i.e. into the bcm2835_fb.c file.
This way the header can also be used by code that is not compiled
with the CFLAGS that are required for pixman or OpenGL (in case
their headers do not reside under /usr/include).
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20250508144120.163009-3-thuth@redhat.com>
Mark Cave-Ayland [Tue, 15 Jul 2025 09:26:02 +0000 (10:26 +0100)]
vfio/pci.h: rename VFIOPCIDevice pdev field to parent_obj
Now that nothing accesses the pdev field directly, rename pdev to
parent_obj as per our current coding guidelines.
Signed-off-by: Mark Cave-Ayland <mark.caveayland@nutanix.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Steve Sistare <steven.sistare@oracle.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Link: https://lore.kernel.org/qemu-devel/20250715093110.107317-23-mark.caveayland@nutanix.com Signed-off-by: Cédric Le Goater <clg@redhat.com>
Mark Cave-Ayland [Tue, 15 Jul 2025 09:25:53 +0000 (10:25 +0100)]
vfio-user/pci.c: rename VFIOUserPCIDevice device field to parent_obj
Now that nothing accesses the device field directly, rename device to
parent_obj as per our current coding guidelines.
Signed-off-by: Mark Cave-Ayland <mark.caveayland@nutanix.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: John Levon <john.levon@nutanix.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Link: https://lore.kernel.org/qemu-devel/20250715093110.107317-14-mark.caveayland@nutanix.com Signed-off-by: Cédric Le Goater <clg@redhat.com>
Update the VFIOUserPCIDevice declaration so that it is closer to our coding
guidelines: add a blank line after the parent object.
Signed-off-by: Mark Cave-Ayland <mark.caveayland@nutanix.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: John Levon <john.levon@nutanix.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Link: https://lore.kernel.org/qemu-devel/20250715093110.107317-12-mark.caveayland@nutanix.com Signed-off-by: Cédric Le Goater <clg@redhat.com>
Mark Cave-Ayland [Tue, 15 Jul 2025 09:25:50 +0000 (10:25 +0100)]
vfio-user/container.h: rename VFIOUserContainer bcontainer field to parent_obj
Now that nothing accesses the bcontainer field directly, rename bcontainer to
parent_obj as per our current coding guidelines.
Signed-off-by: Mark Cave-Ayland <mark.caveayland@nutanix.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: John Levon <john.levon@nutanix.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Link: https://lore.kernel.org/qemu-devel/20250715093110.107317-11-mark.caveayland@nutanix.com Signed-off-by: Cédric Le Goater <clg@redhat.com>
Update the VFIOUserContainer declaration so that it is closer to our coding
guidelines: remove the explicit typedef (this is already handled by the
OBJECT_DECLARE_TYPE() macro) and add a blank line after the parent object.
Signed-off-by: Mark Cave-Ayland <mark.caveayland@nutanix.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: John Levon <john.levon@nutanix.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Link: https://lore.kernel.org/qemu-devel/20250715093110.107317-9-mark.caveayland@nutanix.com Signed-off-by: Cédric Le Goater <clg@redhat.com>
Update the VFIOContainer declaration so that it is closer to our coding
guidelines: emove the explicit typedef (this is already handled by the
OBJECT_DECLARE_TYPE() macro) and add a blank line after the parent object.
Update the VFIOContainerBase declaration to match our current coding
guidelines: remove the explicit typedef (this is already handled by the
OBJECT_DECLARE_TYPE() macro), add a blank line after the parent object,
rename parent to parent_obj, and move the macro declaration next to the
VFIOContainerBase struct declaration.
Cédric Le Goater [Thu, 14 Aug 2025 15:34:19 +0000 (17:34 +0200)]
vfio: Report an error when the 'dma_max_mappings' limit is reached
The VFIO IOMMU Type1 kernel driver enforces a default IOMMU mapping
limit of 65535, which is configurable via the 'dma_max_mappings'
module parameter. When this limit is reached, QEMU issues a warning
and fails the mapping operation, but allows the VM to continue
running, potentially causing issues later. This scenario occurs with
SEV-SNP guests, which must update all IOMMU mappings during
initialization.
To address this, update vfio_ram_discard_register_listener() to accept
an 'Error **' parameter and propagate the error to the caller. This
change will halt the VM immediately, at init time, with the same error
message.
Additionally, the same behavior will be enforced at runtime. While
this might be considered too brutal, the rarity of this case and the
planned removal of the dma_max_mappings module parameter make it a
reasonable approach.
The VFIO_PLATFORM device type has been deprecated in the QEMU 10.0
timeframe. All dependent devices have been removed. Now remove the
core vfio platform framework.
Rename VFIO_DEVICE_TYPE_PLATFORM enum to VFIO_DEVICE_TYPE_UNUSED to
maintain the same index for the CCW and AP VFIO device types.
Tomita Moeko [Wed, 13 Aug 2025 16:05:10 +0000 (00:05 +0800)]
vfio/igd: Enable quirks when IGD is not the primary display
Since linux 6.15, commit 41112160ca87 ("vfio/pci: match IGD devices in
display controller class"), IGD related regions are also exposed when
IGD is not primary display (device class is Display controller).
Allow IGD quirks to be enabled in this configuration so that guests can
have display output on IGD when it is not the primary display.
Merge tag 'pull-tcg-20250905' of https://gitlab.com/rth7680/qemu into staging
tcg/arm: Fix tgen_deposit
tcg/i386: Use vgf2p8affineqb for MO_8 vector shifts
# -----BEGIN PGP SIGNATURE-----
#
# iQFRBAABCgA7FiEEekgeeIaLTbaoWgXAZN846K9+IV8FAmi6lgYdHHJpY2hhcmQu
# aGVuZGVyc29uQGxpbmFyby5vcmcACgkQZN846K9+IV9zUggAjXoSFDgMz3yr959F
# e6pSGkV+UIAYZ+fm9TAFQuKccUlEjX6Sq6sxV1my2ODnUnwFF1sV6rx8TG1VHFL/
# GxADQuwY3/6tsiZ24drU8oaocxISi91Km+5P7xwrAbdhSGVMJakzQqTPS178l1Fw
# pXRWN9Offz74gKKUxk6AiPyCUPZutUiM6Hwe5wZSwWIxSoEQWwnAoH8lTPrzAD/Z
# Bo0Cs/LHzmeantok7BRKTlQT4wpvCwRIunkD1V28zdFN63Ny6qTsbxtbRxmKvYC7
# UKli29d/KxFad1ccTNGo9DpFKBB9xHb7W4gBzSrJm9D1bWKcL4wLTmp29Z9aWWpW
# TnsyaQ==
# =8WbV
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 05 Sep 2025 09:49:26 AM CEST
# gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg: issuer "richard.henderson@linaro.org"
# gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [ultimate]
* tag 'pull-tcg-20250905' of https://gitlab.com/rth7680/qemu:
tcg/i386: Use vgf2p8affineqb for MO_8 vector shifts
tcg/i386: Add INDEX_op_x86_vgf2p8affineqb_vec
tcg/i386: Use canonical operand ordering in expand_vec_sari
tcg/i386: Expand sari of bits-1 as pcmpgt
cpuinfo/i386: Detect GFNI as an AVX extension
tcg/arm: Fix tgen_deposit
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
When converting from tcg_out_deposit, the arguments were not
shuffled properly.
Cc: qemu-stable@nongnu.org Fixes: cf4905c03135f1181e8 ("tcg: Convert deposit to TCGOutOpDeposit") Reported-by: Michael Tokarev <mjt@tls.msk.ru> Tested-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Merge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into staging
trivial patches for 2025-09-03
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCgAdFiEEZKoqtTHVaQM2a/75gqpKJDselHgFAmi39UwACgkQgqpKJDse
# lHjfmRAAuDVM9SwcLIPhZCIbI9R6+T1LEpBidsEQ1O3n0Eatz4zkHPxPdzkwilve
# hbUjsiNjvpiWm4D0SY2njnwYr7ZLzvQK+hQnVRl0ViyI5+qJZMBhrqYZqmh7Usnx
# zYsRMzCacgZDxNzD3+tcKH7mk/60WsmnCFwnb+46cp8YewMRInSRhvjT8hpAINWl
# BBQkiXH8ZYpyWmo5LD2CM/PmHblhr1Mo623EAOgPjsTpwOTaA+JxT2j+Xol5nu3D
# CCyx4zaLdH6CmJKjcVHPG672g7NQZSJYzo7+GGNziEmDLH0lCze9mi4iPoyH5Osu
# Oiv4Zv7+9HoHVp+VVRPKfLrdYWDVfQtI/LC5cKEdNIvUtTOzVwBt4+x4hgQqNHAV
# He1Ye4msuWo1whlGboJFrlY1bX+6Rg/ZP2CiGjbDKOOUlCySsQQ7cVE8plzErll1
# tpEI3p6kxWXSSsqANrpdkgfKi7AA+w3w+PHTeuXiXbzk2dRFjQ16/OX6WE+FBRCJ
# zzDYRSq4T0hEbqR5TUW5ps4f20Im0rDwMtJWoKWJkgURXWgjttOsH3Px2zUbb2f4
# QlwQF5mIv+rXhM7GrwJAcGeC7JnC5qn8wY0T/Quc1TNgVs28Td1dQL7tlA65rAqG
# VAuj7iAoqKnMlqD1J1n46xqoU+w/UAlTKUIjRloMl5mFD/VacEs=
# =sVU5
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 03 Sep 2025 09:59:08 AM CEST
# gpg: using RSA key 64AA2AB531D56903366BFEF982AA4A243B1E9478
# gpg: Good signature from "Michael Tokarev <mjt@debian.org>" [unknown]
# gpg: aka "Michael Tokarev <mjt@corpit.ru>" [unknown]
# gpg: aka "Michael Tokarev <mjt@tls.msk.ru>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 9D8B E14E 3F2A 9DD7 9199 28F1 61AD 3D98 ECDF 2C8E
# Subkey fingerprint: 64AA 2AB5 31D5 6903 366B FEF9 82AA 4A24 3B1E 9478
* tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu:
docs: fix typo in xive doc
scripts/coverity-scan/COMPONENTS.md: Add a 'plugins' category
block/curl: drop old/unuspported curl version checks
block/curl: fix curl internal handles handling
chardev/baum: Fix compiler warning for Windows builds
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
scripts/coverity-scan/COMPONENTS.md: Add a 'plugins' category
Cover the TCG plugins files under their own Coverity category.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Acked-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Michael Tokarev [Sun, 24 Aug 2025 00:05:32 +0000 (03:05 +0300)]
block/curl: fix curl internal handles handling
block/curl.c uses CURLMOPT_SOCKETFUNCTION to register a socket callback.
According to the documentation, this callback is called not just with
application-created sockets but also with internal curl sockets, - and
for such sockets, user data pointer is not set by the application, so
the result qemu crashing.
Pass BDRVCURLState directly to the callback function as user pointer,
instead of relying on CURLINFO_PRIVATE.
This problem started happening with update of libcurl from 8.9 to 8.10 --
apparently with this change curl started using private handles more.
(CURLINFO_PRIVATE is used in one more place, in curl_multi_check_completion() -
it might need a similar fix too)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3081 Cc: qemu-stable@qemu.org Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Stefan Weil via [Sat, 9 Aug 2025 06:13:02 +0000 (08:13 +0200)]
chardev/baum: Fix compiler warning for Windows builds
Compiler warning:
../chardev/baum.c:657:25: warning: comparison between pointer and integer
Use brlapi_fileDescriptor instead of int for brlapi_fd and
BRLAPI_INVALID_FILE_DESCRIPTOR instead of -1.
Signed-off-by: Stefan Weil <sw@weilnetz.de> Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Merge tag 'hw-misc-20250902' of https://github.com/philmd/qemu into staging
Misc HW patches
- Compile various system files once
- Remove SDCard spec v1.10
- Remove mipssim machine and mipsnet device model
- Prevent crash in e1000e when legacy interrupt fires after enabling MSI-X
- Introduce qemu_init_irq_child()
- Remove various memory leaks reported by ASan
- Few Coverity fixes
- Use 74Kf CPU to run MIPS16e binaries and M14Kc for microMIPS ones
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmi3FDYACgkQ4+MsLN6t
# wN7fwA//WqegI1RTs65uHGV2M0vcYtGYTrucLyJtE9lJubb3wVjzdZpNcVVwKFRi
# lXNjnOfmA7lIsC2CMRaiFO/hIk40yN2BLoEupSrLXjiygtiwlhG8OX0mU/6o06/k
# Q41rEAu0wLVdJDpyUZWnVi1WvjMzaal3RvENRMr5CsrFw/Yk6Z7HKBDMEMuJjOWL
# qBTAf8o8pnfliiyeS+OE4r5iIFUHzCtGlQtJH1GZ+zFgR2LNe6UUbofmUnzIFU0j
# KuepdXemmd29nEz7wk8a7sjbJmoN9vLdJtsM+zcwNOsxmFC9+1ap/8BAGzRmhrWp
# l5zJmL2YbvdHExKLC3qlnhGsKutK+9K4VAB6jLZu0MHfUQBYCGgFgYFcLdlGlRzg
# OGgCvx5M7vZekTEHQu3zT29iUOAKAkD7dYlGIPqSUGuPGDZgPOqIMMc1HJAblXB1
# xNATGo2T2D3M01/ugwPAMF2IhLmKa9oAQDKnsW+bG6WJ4rjhqQpbmvxn51JB8q/x
# a7xuUJa8BqX24NMo5d6JqPZPQhor0P0J0ws6oKutLf381FQ9JAnVEVmbQqPSijHY
# BW3by77G2e97hfK0MwqUi43yuRHmNsh3flCdgCt7Zx6lsqmnMJuuhuOL4jQx6JRR
# hPWDFiR+mns12AL3J56A0Y92enoLTawMzrA5M/06my9HLjXuu5M=
# =WRLz
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 02 Sep 2025 05:58:46 PM CEST
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE
* tag 'hw-misc-20250902' of https://github.com/philmd/qemu: (38 commits)
hw/i386/pc_piix.c: remove unnecessary if() from pc_init1()
hw/arm/boot: Correctly free the MemoryDeviceInfoList
docs/about/removed-features: Clarify 'device_add' is removed
hw/mips/malta: Include 'system/system.h'
hw/mips/loongson3_virt: Include 'system/system.h'
hw/isa/superio: Include 'system/system.h'
hw/arm/virt: Include 'system/system.h'
crypto/hmac: Allow to build hmac over multiple qcrypto_gnutls_hmac_bytes[v] calls
hw/sd/sdcard: Refactor sd_bootpart_offset
hw/sd/sdcard: Add validation for boot-partition-size
hw/net: Remove mipsnet device model
hw/mips: Remove mipssim machine
hw/display/xlnx_dp: Don't leak dpcd and edid objects
hw/misc/xlnx-versal-cframe-reg: Free FIFO, g_tree on deinit
hw/char/max78000_uart: Destroy FIFO on deinit
hw/gpio/pca9554: Avoid leak in pca9554_set_pin()
hw/ide/ich.c: Use qemu_init_irq_child() to avoid memory leak
hw/char/serial-pci-multi: Use qemu_init_irq_child() to avoid leak
hw/irq: New qemu_init_irq_child() function
hw/ppc: Fix build error with CONFIG_POWERNV disabled
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
hw/i386/pc_piix.c: remove unnecessary if() from pc_init1()
Now that the isapc logic has been split out of pc_piix.c, the PCI Host Bridge
(phb) object is now always set in pc_init1().
Since phb is now guaranteed not to be NULL, Coverity reports that the if()
statement surrounding ioapic_init_gsi() is now unnecessary and can be removed
along with the phb NULL initialiser.
Coverity: CID 1620557 Signed-off-by: Mark Cave-Ayland <mark.caveayland@nutanix.com> Fixes: 99d0630a45 ("hw/i386/pc_piix.c: assume pcmc->pci_enabled is always true in pc_init1()") Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250901203409.1196620-1-mark.caveayland@nutanix.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Mon, 1 Sep 2025 10:22:14 +0000 (11:22 +0100)]
hw/arm/boot: Correctly free the MemoryDeviceInfoList
When running the bios-tables-test under ASAN we see leaks like this:
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x5bc58579b00d in calloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/qemu-system-aarch64+0x250400d) (BuildId: 2e27b63dc9ac45f522ced40a17c2a60cc32f1d38)
#1 0x7b4ad90337b1 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x637b1) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#2 0x5bc5861826db in qmp_memory_device_list /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/mem/memory-device.c:307:34
#3 0x5bc587a9edb6 in arm_load_dtb /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/arm/boot.c:656:15
Indirect leak of 28 byte(s) in 2 object(s) allocated from:
#0 0x5bc58579ae23 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/qemu-system-aarch64+0x2503e23) (BuildId: 2e27b63dc9ac45f522ced40a17c2a60cc32f1d38)
#1 0x7b4ad6c8f947 in __vasprintf_internal libio/vasprintf.c:116:16
#2 0x7b4ad9080a52 in g_vasprintf (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xb0a52) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#3 0x7b4ad90515e4 in g_strdup_vprintf (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x815e4) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#4 0x7b4ad9051940 in g_strdup_printf (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x81940) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#5 0x5bc5885eb739 in object_get_canonical_path /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:2123:19
#6 0x5bc58618dca8 in pc_dimm_md_fill_device_info /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/mem/pc-dimm.c:268:18
#7 0x5bc586182792 in qmp_memory_device_list /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/mem/memory-device.c:310:9
This happens because we declared the MemoryDeviceInfoList *md_list
with g_autofree, which will free the direct memory with g_free() but
doesn't free all the other data structures referenced by it. Instead
what we want is to declare the pointer with g_autoptr(), which will
automatically call the qapi_free_MemoryDeviceInfoList() cleanup
function when the variable goes out of scope.
Fixes: 36bc78aca83cfd ("hw/arm: add static NVDIMMs in device tree") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250901102214.3748011-1-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
docs/about/removed-features: Clarify 'device_add' is removed
All other titles in removed-features.rst mention when
the feature was removed using "removed in". Use that
instead of "since" which we use for when a feature is
deprecated.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20250901113957.17113-1-philmd@linaro.org>
Files using serial_hd() should include 'system/system.h'. Fix that.
Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250901064631.530723-3-clg@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Jan Kiszka [Mon, 1 Sep 2025 05:56:26 +0000 (07:56 +0200)]
crypto/hmac: Allow to build hmac over multiple qcrypto_gnutls_hmac_bytes[v] calls
If the buffers that should be considered for building the hmac are not
available at the same time, the current API is unsuitable. Extend it so
that passing a NULL pointer as result_len is used as indicator that
further buffers will be passed in succeeding calls to
qcrypto_gnutls_hmac_bytes[v].
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <2d3539c247a6c323491a3821f0e5b6fc382a4686.1756706188.git.jan.kiszka@siemens.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Jan Kiszka [Mon, 1 Sep 2025 05:56:24 +0000 (07:56 +0200)]
hw/sd/sdcard: Refactor sd_bootpart_offset
This function provides the offset for any partition in the block image,
not only the boot partitions, therefore rename it. Align the constant
names with the numbering scheme in the standard and use constants for
both boot partitions for consistency reasons. There is also no reason to
return early if boot_part_size is zero because the existing code will
provide the right value in that case as well.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <66e9b07476aad61820c4f42f4f984cc90752ba5e.1756706188.git.jan.kiszka@siemens.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Jan Kiszka [Mon, 1 Sep 2025 05:56:22 +0000 (07:56 +0200)]
hw/sd/sdcard: Add validation for boot-partition-size
Make sure we are not silently rounding down or even wrapping around,
causing inconsistencies with the provided image.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
[PMD: Use g_autofree, suggested by Alex]
Message-ID: <1fff448da042bdf8cff7733ce67cadff4c540f1d.1756706188.git.jan.kiszka@siemens.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
The mipsnet device model was only used by the mipssim machine,
which just got removed. Remove as now dead code.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Message-Id: <20250828143800.49842-3-philmd@linaro.org>
The "mipssim" machine is deprecated since commit facfc943cb9
("hw/mips: Mark the "mipssim" machine as deprecated"), released
in v10.0; time to remove.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Message-Id: <20250828143800.49842-2-philmd@linaro.org>
Peter Maydell [Tue, 26 Aug 2025 17:49:56 +0000 (18:49 +0100)]
hw/display/xlnx_dp: Don't leak dpcd and edid objects
In the xnlx_dp_init() function we create the s->dpcd and
s->edid objects with qdev_new(); then in xlnx_dp_realize()
we realize the dpcd with qdev_realize() and the edid with
qdev_realize_and_unref().
This is inconsistent, and both ways result in a memory
leak for the instance_init -> deinit lifecycle tested
by device-introspect-test:
Indirect leak of 1968 byte(s) in 1 object(s) allocated from:
#0 0x5aded4d54e23 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/qemu-system-aarch64+0x24ffe23) (BuildId: 9f1e6c5 3fecd904ba5fc1f521d7da080a0e4103b)
#1 0x71fbfac9bb09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#2 0x5aded7b9211c in object_new_with_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:767:15
#3 0x5aded7b92240 in object_new /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:789:12
#4 0x5aded7b773e4 in qdev_new /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/core/qdev.c:149:19
#5 0x5aded54458be in xlnx_dp_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/display/xlnx_dp.c:1272:20
Direct leak of 344 byte(s) in 1 object(s) allocated from:
#0 0x5aded4d54e23 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/qemu-system-aarch64+0x24ffe23) (BuildId: 9f1e6c53fecd904ba5fc1f521d7da080a0e4103b)
#1 0x71fbfac9bb09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#2 0x5aded7b9211c in object_new_with_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:767:15
#3 0x5aded7b92240 in object_new /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:789:12
#4 0x5aded7b773e4 in qdev_new /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/core/qdev.c:149:19
#5 0x5aded5445a56 in xlnx_dp_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/display/xlnx_dp.c:1275:22
Instead, explicitly object_unref() after we have added the objects as
child properties of the device. This means they will automatically
be freed when this device is deinited. When we do this,
qdev_realize() is the correct way to realize them in
xlnx_dp_realize().
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Francisco Iglesias <francisco.iglesias@amd.com> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Message-ID: <20250826174956.3010274-3-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Tue, 26 Aug 2025 17:49:55 +0000 (18:49 +0100)]
hw/misc/xlnx-versal-cframe-reg: Free FIFO, g_tree on deinit
In the xlnx-versal-cframe-reg device we create a FIFO in
instance_init but don't destroy it on deinit, causing ASAN
to report a leak in the device-introspect-test:
Direct leak of 400 byte(s) in 1 object(s) allocated from:
#0 0x5aded4d54e23 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/qemu-system-aarch64+0x24ffe23) (BuildId: 9f1e6c53fecd904ba5fc1f521d7da080a0e4103b)
#1 0x71fbfac9bb09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#2 0x5aded850059d in fifo8_create /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../util/fifo8.c:27:18
#3 0x5aded582b9e4 in fifo32_create /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/include/qemu/fifo32.h:35:5
#4 0x5aded582b326 in cframe_reg_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/misc/xlnx-versal-cframe-reg.c:693:5
Similarly, we don't clean up the g_tree we create:
Direct leak of 48 byte(s) in 1 object(s) allocated from:
#0 0x5aded4d54e23 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/qemu-system-aarch64+0x24ffe23) (BuildId: 9f1e6c5 3fecd904ba5fc1f521d7da080a0e4103b)
#1 0x71fbfac9bb09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#2 0x71fbfaccc799 in g_tree_new_full (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x93799) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d7
5)
#3 0x5aded582b21a in cframe_reg_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/misc/xlnx-versal-cframe-reg.c:691:18
Add an instance_finalize method to clean up what we
allocated in instance_init.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Francisco Iglesias <francisco.iglesias@amd.com>
Message-ID: <20250826174956.3010274-2-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 21 Aug 2025 15:43:58 +0000 (16:43 +0100)]
hw/char/max78000_uart: Destroy FIFO on deinit
In the max78000_uart we create a FIFO in the instance_init function,
but we don't destroy it on deinit, so ASAN reports a leak in the
device-introspect-test:
#0 0x561cc92d5de3 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/qemu-system-arm+0x21f1de3) (BuildId: 98fdf9fc85c3beaeca8eda0be8412f1e11b9c6ad)
#1 0x70cbf2afab09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#2 0x561ccc4c884d in fifo8_create /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../util/fifo8.c:27:18
#3 0x561cc9744ec9 in max78000_uart_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/char/max78000_uart.c:241:5
Add an instance_finalize method to destroy the FIFO.
Cc: qemu-stable@nongnu.org Fixes: d447e4b70295 ("MAX78000: UART Implementation") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250821154358.2417744-1-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 21 Aug 2025 15:44:59 +0000 (16:44 +0100)]
hw/gpio/pca9554: Avoid leak in pca9554_set_pin()
In pca9554_set_pin() we have a string property which we parse in
order to set some non-string fields in the device state. So we call
visit_type_str(), passing it the address of the local variable
state_str.
visit_type_str() will allocate a new copy of the string; we
never free this string, so the result is a memory leak, detected
by ASAN during a "make check" run:
Direct leak of 5 byte(s) in 1 object(s) allocated from:
#0 0x5d605212ede3 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/qemu-system-arm+0x21f1de3) (
BuildId: 3d5373c89317f58bfcd191a33988c7347714be14)
#1 0x7f7edea57b09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1eb6131419edb83b2178b68282 9a6913cf682d75)
#2 0x7f7edea6d4d8 in g_strdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x784d8) (BuildId: 1eb6131419edb83b2178b68282 9a6913cf682d75)
#3 0x5d6055289a91 in g_strdup_inline /usr/include/glib-2.0/glib/gstrfuncs.h:321:10
#4 0x5d6055289a91 in qobject_input_type_str /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qapi/qo
bject-input-visitor.c:542:12
#5 0x5d605528479c in visit_type_str /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qapi/qapi-visit
-core.c:349:10
#6 0x5d60528bdd87 in pca9554_set_pin /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/gpio/pca9554.c:179:10
#7 0x5d60549bcbbb in object_property_set /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:1450:5
#8 0x5d60549d2055 in object_property_set_qobject /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/qom-qobject.c:28:10
#9 0x5d60549bcdf1 in object_property_set_str /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:1458:15
#10 0x5d605439d077 in gb200nvl_bmc_i2c_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/arm/aspeed.c:1267:5
#11 0x5d60543a3bbc in aspeed_machine_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/arm/aspeed.c:493:9
Make the state_str g_autofree, so that we will always free
it, on both error-exit and success codepaths.
Cc: qemu-stable@nongnu.org Fixes: de0c7d543bca ("misc: Add a pca9554 GPIO device model") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Glenn Miles <milesg@linux.ibm.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250821154459.2417976-1-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 21 Aug 2025 15:40:53 +0000 (16:40 +0100)]
hw/ide/ich.c: Use qemu_init_irq_child() to avoid memory leak
The ICH9 PCI device uses qemu_init_irq() in its instance_init method,
but fails to clean it up in its uninit. This results in a leak,
detected by ASAN when running the device-introspect-test:
Direct leak of 96 byte(s) in 1 object(s) allocated from:
#0 0x58f3b53ecde3 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/qem
u-system-arm+0x21f1de3) (BuildId: 8dcd38b1d76bd7bd44f905c38200f4cceafd7ca4)
#1 0x72e446dd5b09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1 eb6131419edb83b2178b682829a6913cf682d75)
#2 0x72e446db745a in g_hash_table_new_full (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4445a
) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#3 0x58f3b7c6fc67 in object_initialize_with_type /mnt/nvmedisk/linaro/qemu-from-laptop/qem
u/build/arm-asan/../../qom/object.c:568:23
#4 0x58f3b7c6f670 in object_initialize /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/ar
m-asan/../../qom/object.c:578:5
#5 0x58f3b7c6611b in qemu_init_irq /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/core/irq.c:48:5
#6 0x58f3b5c6e931 in pci_ich9_ahci_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/ide/ich.c:117:5
We could call qemu_free_irq() in pci_ich9_uninit(), but
since we have a method of initializing the IRQ that doesn't
need manual freeing, use that instead: qemu_init_irq_child().
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250821154053.2417090-4-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 21 Aug 2025 15:40:52 +0000 (16:40 +0100)]
hw/char/serial-pci-multi: Use qemu_init_irq_child() to avoid leak
The serial-pci-multi device initializes an IRQ with qemu_init_irq()
in its instance_init function; however it never calls qemu_free_irq(),
so the init/deinit cycle has a memory leak, which ASAN catches
in the device-introspect-test:
Direct leak of 576 byte(s) in 6 object(s) allocated from:
#0 0x626306ddade3 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/qem
u-system-arm+0x21f1de3) (BuildId: 52ece17287eba2d68e5be980e1856cd1f6be932f)
#1 0x7756ade79b09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1 eb6131419edb83b2178b682829a6913cf682d75)
#2 0x7756ade5b45a in g_hash_table_new_full (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4445a
) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#3 0x62630965da37 in object_initialize_with_type /mnt/nvmedisk/linaro/qemu-from-laptop/qem
u/build/arm-asan/../../qom/object.c:568:23
#4 0x62630965d440 in object_initialize /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/ar
m-asan/../../qom/object.c:578:5
#5 0x626309653eeb in qemu_init_irq /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-as
an/../../hw/core/irq.c:48:5
#6 0x6263072370bb in multi_serial_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/char/serial-pci-multi.c:183:9
Use the new qemu_init_irq_child() function instead, so that the
IRQ object is automatically unreffed when the serial-pci
device is deinited.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250821154053.2417090-3-peter.maydell@linaro.org>
[PMD: Use "irq[*]" as child property name] Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 21 Aug 2025 15:40:51 +0000 (16:40 +0100)]
hw/irq: New qemu_init_irq_child() function
The qemu_init_irq() function initializes a TYPE_IRQ QOM object. The
caller is therefore responsible for eventually calling
qemu_free_irq() to unref (and thus free) it.
In many places where we want to initialize an IRQ we are in
the init/realize of some other QOM object; if we have a variant
of this function that calls object_initialize_child() then the
IRQ will be automatically cleaned up when its parent object is
destroyed, and we don't need to remember to manually free it.
Implement qemu_init_irq_child(), which is to qemu_init_irq()
what object_initialize_child() is to object_initialize().
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250821154053.2417090-2-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Aditya Gupta [Wed, 20 Aug 2025 12:25:17 +0000 (17:55 +0530)]
hw/ppc: Fix build error with CONFIG_POWERNV disabled
Currently when CONFIG_POWERNV is not enabled, the build fails, such as
with --without-default-devices:
$ ./configure --without-default-devices
$ make
[281/283] Linking target qemu-system-ppc64
FAILED: qemu-system-ppc64
cc -m64 @qemu-system-ppc64.rsp
/usr/bin/ld: libqemu-ppc64-softmmu.a.p/target_ppc_misc_helper.c.o: in function `helper_load_sprd':
.../target/ppc/misc_helper.c:335:(.text+0xcdc): undefined reference to `pnv_chip_find_core'
/usr/bin/ld: libqemu-ppc64-softmmu.a.p/target_ppc_misc_helper.c.o: in function `helper_store_sprd':
.../target/ppc/misc_helper.c:375:(.text+0xdf4): undefined reference to `pnv_chip_find_core'
collect2: error: ld returned 1 exit status
...
This is since target/ppc/misc_helper.c references PowerNV specific
'pnv_chip_find_core' call.
Split the PowerNV specific SPRD code out of the generic PowerPC code, by
moving the SPRD code to pnv.c
Fixes: 9808ce6d5cb ("target/ppc: Big-core scratch register fix") Cc: Philippe Mathieu-Daudé <philmd@linaro.org> Reported-by: Thomas Huth <thuth@redhat.com> Suggested-by: Cédric Le Goater <clg@redhat.com> Signed-off-by: Aditya Gupta <adityag@linux.ibm.com> Acked-by: Cédric Le Goater <clg@redhat.com>
Message-ID: <20250820122516.949766-2-adityag@linux.ibm.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Denis Rastyogin [Thu, 14 Aug 2025 10:48:32 +0000 (13:48 +0300)]
target/mips: fix TLB huge page check to use 64-bit shift
Use extract64(entry, psn, 1) instead of (entry & (1 << psn)) to avoid
undefined behavior for shifts by 32–63 and to make bit extraction intent explicit.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
Message-ID: <20250814104914.13101-1-gerben@altlinux.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Include MIPS ASE ELF definitions from binutils:
https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=include/elf/mips.h;h=4fc190f404d828ded84e621bfcece5fa9f9c23c8;hb=HEAD#l210
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20250814070650.78657-2-philmd@linaro.org>
hw/scsi/mptsas: Avoid silent integer truncation in MPI_FUNC_IOC_INIT
For the MaxDevices 8-bit field of the request / response structures
of the MPI_FUNCTION_IOC_INIT command, the 0x00 value means "max 256
devices". This is not a problem because when max_devices=256, its
value (0x100), being casted to a uint8_t, is truncated to 0x00.
However Coverity complains for an "Overflowed constant". Fix by
re-using the request fields in the response, since they are not
modified and use the same types.
Fix: Coverity 1547736 (Overflowed constant) Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20250811095550.93655-1-philmd@linaro.org>
scripts/coverity-scan/COMPONENTS.md: Add a 'plugins' category
Cover the TCG plugins files under their own Coverity category.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Acked-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20250811094341.91597-1-philmd@linaro.org>
Laurent Vivier [Thu, 7 Aug 2025 11:08:06 +0000 (13:08 +0200)]
e1000e: Prevent crash from legacy interrupt firing after MSI-X enable
A race condition between guest driver actions and QEMU timers can lead
to an assertion failure when the guest switches the e1000e from legacy
interrupt mode to MSI-X. If a legacy interrupt delay timer (TIDV or
RDTR) is active, but the guest enables MSI-X before the timer fires,
the pending interrupt cause can trigger an assert in
e1000e_intmgr_collect_delayed_causes().
This patch removes the assertion and executes the code that clears the
pending legacy causes. This change is safe and introduces no unintended
behavioral side effects, as it only alters a state that previously led
to termination.
- when core->delayed_causes == 0 the function was already a no-op and
remains so.
- when core->delayed_causes != 0 the function would previously
crash due to the assertion failure. The patch now defines a safe
outcome by clearing the cause and returning. Since behavior after
the assertion never existed, this simply corrects the crash.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1863 Suggested-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp> Signed-off-by: Laurent Vivier <lvivier@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-ID: <20250807110806.409065-1-lvivier@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
projects / thirdparty / qemu.git / log
