Jamin Lin [Wed, 11 Mar 2026 07:26:17 +0000 (08:26 +0100)]
hw/usb/hcd-ehci.h: Fix coding style issues reported by checkpatch
No functional change.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260424080508.53992-4-jamin_lin@aspeedtech.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Jamin Lin [Fri, 24 Apr 2026 08:05:12 +0000 (08:05 +0000)]
hw/usb/hcd-ehci: Remove unused EHCIfstn structure and dead code
The EHCIfstn structure, defined according to EHCI spec section 3.7,
is currently unused in the EHCI implementation. Remove it to reduce
unused code and improve maintainability.
Additionally, drop a block of disabled (#if 0) code in
ehci_state_advqueue() that was never implemented. This code path
is incomplete and has no functional impact.
No functional change.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Message-ID: <20260424080508.53992-3-jamin_lin@aspeedtech.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
hw/arm/virt: Do not select Kconfig symbol PCI_EXPRESS
The PCIe bus is not provided by the Virt machine but by
its GPEX host bridge (selected via PCI_EXPRESS_GENERIC_BRIDGE).
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260423170229.64655-4-philmd@linaro.org>
Add a stub for cxl_fmws_get_all_sorted() to fix building
a QEMU configured with the '--without-default-devices' option:
Undefined symbols for architecture arm64:
"_cxl_fmws_get_all_sorted", referenced from:
_cxl_build_cedt in hw_acpi_cxl.c.o
Note, the CXL <-> ACPI Kconfig relationship is a bit convoluted.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260423170229.64655-3-philmd@linaro.org>
Looking at the history of the code, the abort() here has likely just
been forgotten when the register handler had been implemented (it used
to be a reminder about unimplemented functionality initially):
Set the valid max access size to 1 to fix the problem.
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3393
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260421082935.85995-1-thuth@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Fri, 17 Apr 2026 09:38:05 +0000 (10:38 +0100)]
hw/arm, hw/ppc: Remove unnecessary audio.h includes from board code
Some boards (mostly arm, but also ppc/prep) include audio.h, but they
don't need anything from it. Drop the unnecessary include lines.
These seem to have been introduced with commits 2b16397264a8e, b8ab0303de, which added the machine-default audiodev handling, but as
far as I can tell they were unnecessary right from the start, as the
machine_add_audiodev_property() function has always been in boards.h.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20260417093805.1076954-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Junjie Cao [Tue, 14 Apr 2026 21:35:23 +0000 (05:35 +0800)]
ati-vga: mask out lock bit from CUR_OFFSET in cursor offset calculation
Bit 31 of CUR_OFFSET is the cursor lock bit, not part of the actual
cursor address (bits 26:4). Although the callers already check for the
lock bit and return early, mask it out with 0x07fffff0 when computing
the cursor source offset so the calculation only uses the address bits.
Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: Junjie Cao <junjie.cao@intel.com>
Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <20260414213523.1125859-2-junjie.cao@intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Junjie Cao [Tue, 14 Apr 2026 14:14:58 +0000 (22:14 +0800)]
ati-vga: fix unsigned integer overflow in cursor bounds checks
The cursor bounds checks compare (srcoff + N) against vram_size, but
both sides are uint32_t so the addition can wrap past UINT32_MAX when
srcoff underflows from the cur_hv_offs subtraction, causing the check
to be bypassed.
Rewrite the checks as (srcoff > vram_size - N) to avoid the
overflow-prone addition, matching the style already used in
ati_mm_read() and ati_mm_write().
Cc: qemu-stable@nongnu.org
Fixes: 2f1fbe6ee9b5 ("ati-vga: Make sure hardware cursor data is within vram")
Signed-off-by: Junjie Cao <junjie.cao@intel.com>
Message-ID: <20260414141458.1076014-1-junjie.cao@intel.com>
Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
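The two ati-vga commits above (the CUR_OFFSET lock-bit mask and the wrapping bounds check) side by side, as an added illustration that is not QEMU's code: a simplified model of the cursor offset computation, the overflow-prone `srcoff + N` comparison and the rewritten `srcoff > vram_size - N` form. VRAM_SIZE, CURSOR_BYTES and the sample register values are constructed; the 0x07fffff0 mask is the one from the commit message.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in sizes (not the device's real values). */
#define VRAM_SIZE      0x1000000u   /* 16 MiB of video RAM */
#define CURSOR_BYTES   1024u        /* the N bytes a cursor read touches */
#define CUR_ADDR_MASK  0x07fffff0u  /* CUR_OFFSET address bits 26:4; lock bit 31 dropped */

/*
 * Simplified model of the cursor source offset: the address bits of
 * CUR_OFFSET minus the hot-spot adjustment.  Both operands are uint32_t,
 * so when cur_hv_offs exceeds the address the subtraction wraps to a
 * huge value.  This is the "srcoff underflows" case from the commit.
 */
static uint32_t cursor_srcoff(uint32_t cur_offset, uint32_t cur_hv_offs)
{
    return (cur_offset & CUR_ADDR_MASK) - cur_hv_offs;
}

/*
 * Before the fix: (srcoff + n) is computed in uint32_t, so a huge srcoff
 * plus n wraps to a small number and the check no longer rejects it.
 * Returns true when the access is rejected.
 */
static bool cursor_rejected_wrapping(uint32_t srcoff, uint32_t n, uint32_t vram_size)
{
    return srcoff + n > vram_size;
}

/*
 * After the fix: compare srcoff against vram_size - n.  There is no
 * addition on the left-hand side, so nothing can wrap.  The n > vram_size
 * guard keeps the subtraction itself from underflowing.
 */
static bool cursor_rejected_fixed(uint32_t srcoff, uint32_t n, uint32_t vram_size)
{
    return n > vram_size || srcoff > vram_size - n;
}

int main(void)
{
    /* Constructed case: lock bit set, address 0x100, hot-spot offset 0x400. */
    uint32_t srcoff = cursor_srcoff(0x80000100u, 0x400u);

    printf("srcoff=0x%08x wrapping check rejects=%d fixed check rejects=%d\n",
           srcoff,
           cursor_rejected_wrapping(srcoff, CURSOR_BYTES, VRAM_SIZE),
           cursor_rejected_fixed(srcoff, CURSOR_BYTES, VRAM_SIZE));
    return 0;
}
```

With the constructed values srcoff wraps to 0xFFFFFD00; the old check lets it through (0xFFFFFD00 + 1024 wraps to 0x100) while the rewritten check rejects it.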
Vivien LEGER [Sat, 11 Apr 2026 15:45:35 +0000 (17:45 +0200)]
hw/ppc/e500: fix bus-frequency property hardcoded to zero in CPU FDT node
The bus-frequency property in the CPU FDT node was hardcoded to 0.
This is incorrect - it should reflect the actual platform bus clock
frequency, as firmware and RTOSes use it to derive peripheral clock
rates.
Notably, the RTEMS QorIQ BSP uses bus-frequency to program the MPIC
global timer interval. With bus-frequency=0, the timer interval
overflows to ~85 seconds, preventing any clock interrupts from firing.
Fix by adding a bus_freq field to PPCE500MachineClass and using it in
the FDT generator. Set bus_freq = PLATFORM_CLK_FREQ_HZ (400MHz) for
existing machines, matching the existing clock_freq value.
Signed-off-by: Vivien LEGER <vivien.leger@gmail.com>
Reviewed-by: Bernhard Beschow <shentey@gmail.com>
Message-ID: <20260411154535.1451361-1-vivien.leger@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
hw/arm/smmuv3: Avoid including CONFIG_DEVICES in hw/ header
By turning the inline functions into stubs we can avoid the
use of target-specific CONFIG_DEVICES include in a hw/ header,
allowing the source files that include it to be built as common objects.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Shameer Kolothum <skolothumtho@nvidia.com>
Message-Id: <20260410200031.18572-3-philmd@linaro.org>
hw/arm/smmuv3: Have smmuv3_accel_init() take an Error* parameter
By giving smmuv3_accel_init() the ability to populate an error,
we can fail early in smmu_realize() when CONFIG_ARM_SMMUV3_ACCEL
is not available, simplifying smmu_validate_property().
Bin Guo [Wed, 1 Apr 2026 10:00:05 +0000 (18:00 +0800)]
physmem: Simplify dirty memory type checks with loop
In physical_memory_range_includes_clean(), we have three nearly identical
if-statements checking different DIRTY_MEMORY types (VGA, CODE, MIGRATION).
This code duplication makes maintenance harder and increases the risk of
inconsistencies when adding new dirty memory types.
Replace the repetitive checks with a simple loop that iterates through
all DIRTY_MEMORY_NUM types, checking only those specified in the mask.
This reduces code size and makes it easier to add new dirty memory types
in the future.
Signed-off-by: Bin Guo <guobin@linux.alibaba.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260401100005.20651-1-guobin@linux.alibaba.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
hw/acpi/tpm: parameterize PPI base address in tpm_build_ppi_acpi
Add a ppi_base parameter to tpm_build_ppi_acpi() instead of
hardcoding TPM_PPI_ADDR_BASE. This prepares for ARM64 support where
PPI memory is dynamically allocated by the platform bus and the
address is not known at compile time.
Update the x86 callers (ISA TIS and CRB) to pass TPM_PPI_ADDR_BASE
explicitly. No behavioral change.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mohammadfaiz Bawa <mbawa@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260327173209.148180-3-mbawa@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
docs/specs/tpm: document PPI support on ARM64 virt
Document that tpm-tis-device on the ARM virt machine supports PPI
with dynamically allocated MMIO via the platform bus, unlike x86
where PPI is at the fixed address 0xFED45000.
Also add hw/arm/virt-acpi-build.c and hw/acpi/tpm.c to the list
of files related to TPM ACPI tables.
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mohammadfaiz Bawa <mbawa@redhat.com>
Message-ID: <20260327173209.148180-2-mbawa@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
qom: Restrict compat properties API to system emulation
Move compat properties API definitions to their own file
unit, compile it only when system emulation is configured.
Add a pair of stubs for user emulation.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <20260325151728.45378-6-philmd@linaro.org>
qom: Declare compat properties API in 'qom/compat-properties.h'
While most QEMU files use the QOM concept, few of them
use the compatibility properties API (mostly used in system
emulation). Move its prototype to a new "qom/compat-properties.h"
header, keeping "qom/object.h" for generic QOM.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <20260325151728.45378-5-philmd@linaro.org>
qom: Declare GlobalProperty structure in 'qom/compat-properties.h'
While GlobalProperty is expected to only be used by QDev board
layer, it is used by the lower QOM API, so define it in the
qom/ namespace. This helps to build binaries which use QOM but
don't need the QDev layer.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <20260325151728.45378-4-philmd@linaro.org>
hw/core: Move compat_props_add() to 'hw/core/boards.h'
compat_props_add() is only used by board models, no need
to expose it to any device model. Restrict by defining it
only in "hw/core/boards.h".
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <20260325151728.45378-3-philmd@linaro.org>
Prefer the address_space_ld/st API over the legacy ld/st_phys()
because it allows checking for bus access faults, which shouldn't
happen here.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
Message-ID: <20260319082954.65069-1-philmd@linaro.org>
The 32-bit binary doesn't use these helpers, so we don't need to
compile them. Rather than using 64-bit target #ifdef'ry in a
global header, un-inline the calls since the helpers are called
from I/O (cold) path.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Reviewed-by: Chinmay Rath <rathc@linux.ibm.com>
Acked-by: Glenn Miles <milesg@linux.ibm.com>
Message-Id: <20260319111936.68041-2-philmd@linaro.org>
TPM instances don't expose any "ppi" property anymore,
remove that dead code.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Message-Id: <20260317120241.16320-6-philmd@linaro.org>
hw/tpm: Propagate @ppi_enabled to tpm_tis_reset() and remove in TPMState
Of the TPM devices using FIFO mode, only the ISA variant has
PPI, and calls tpm_ppi_init() to initialize the PPI state.
Propagate @ppi_enabled to tpm_tis_reset() so it only resets
the PPI part when requested (ISA case); otherwise the PPI is in an
uninitialized state. Remove the now unused TPMState::ppi_enabled
field. Set the generic TPMIfClass::ppi_enabled so ACPI subsystem
can keep checking its availability.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Message-Id: <20260317120241.16320-5-philmd@linaro.org>
The CRBState::ppi_enabled boolean was only set in the
hw_compat_3_1[] array, via the 'ppi=false' property.
We removed all machines using that array, and the array
itself in commit a861ffef237 ("hw/core/machine: Remove
the hw_compat_3_1[] array"). We can safely remove the
now unused property. Since CRB devices always use PPI,
simplify by removing the CRBState::ppi_enabled field.
Set the generic TPMIfClass::ppi_enabled so ACPI subsystem
can keep checking its availability.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Message-Id: <20260317120241.16320-4-philmd@linaro.org>
Each TPM derived device has a @ppi_enabled field, itself
exposed as a QOM property. External layers (like the ACPI
subsystem) wanting to know whether a device implements PPI
have to check whether the QOM property is available. This can be
simplified by declaring a single field in the TPM interface.
Here we add such a field to TPMIfClass, before converting each
TPM device to use it in the following commits.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Message-Id: <20260317120241.16320-3-philmd@linaro.org>
Factor out tpm_ppi_enabled() before modifying it in a unique place.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Message-Id: <20260317120241.16320-2-philmd@linaro.org>
The comment about @start_powered_off is buried within the
CPUState structure. Hoist it to the structure docstring
comment.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260423170229.64655-6-philmd@linaro.org>
Stefan Hajnoczi [Fri, 24 Apr 2026 00:51:57 +0000 (20:51 -0400)]
Merge tag 'pull-11.1-virtio-gpu-hotfixes-230426-1' of https://gitlab.com/stsquad/qemu into staging
virtio-gpu fixes:
- fix build on Windows due to EGL assumption
- fix use-after-free on virgl resource
* tag 'pull-11.1-virtio-gpu-hotfixes-230426-1' of https://gitlab.com/stsquad/qemu:
hw/display: don't accidentally autofree existing virgl resources
ui/sdl2: Fix assumption of EGL presence at runtime
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Fri, 24 Apr 2026 00:51:46 +0000 (20:51 -0400)]
Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging
* accel/mshv: ioeventfd fixes
* memory: avoid memmove in flatview_simplify()
* first batch of clang-cl support patches for qemu-ga
* target/i386: fix emulator issue
* target/i386: fix strList leak
* target/i386: emulate: include name of unhandled instruction
* target/i386/tcg: fix decoding of MOVBE and CRC32 in 16-bit mode
* thread-win32: replace CRITICAL_SECTION with SRWLOCK
* target/i386: fix missing PF_INSTR in SIGSEGV context
* util: actually use in pthread_condattr_setclock
* vapic: restore IRQ polling for non-kernel irqchip backends
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu: (25 commits)
target/i386: emulate: include name of unhandled instruction
memory: Optimize flatview_simplify() to eliminate redundant memmove calls
meson: add missing semicolon in pthread_condattr_setclock test
thread-win32: replace CRITICAL_SECTION with SRWLOCK
target/i386/tcg: fix decoding of MOVBE and CRC32 in 16-bit mode
accel/mshv: return correct errno value from ioeventfd failure
accel/mshv: fix ioeventfd deassignment to forward correct datamatch value
target/i386/mshv: Fix segment regression in MMIO emu
meson: Don't require nm for non-modular builds
storage-daemon: use same link arguments as other tools
util: Remove unused sys/param.h
util: Remove unused dirent.h
osdep: Remove unused strings.h
hw/ppc: Use glib2 instead of strcasecmp/strncasecmp
target/xtensa: Use glib2 instead of strcasecmp/strncasecmp
target/ppc: Use glib2 instead of strcasecmp/strncasecmp
target/riscv: Use glib2 instead of strcasecmp/strncasecmp
target/sparc: Use glib2 instead of strcasecmp/strncasecmp
io: Use glib2 instead of strcasecmp/strncasecmp
block: Use glib2 instead of strcasecmp/strncasecmp
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Fri, 24 Apr 2026 00:51:23 +0000 (20:51 -0400)]
Merge tag 'pull-target-arm-20260423' of https://gitlab.com/pm215/qemu into staging
target-arm queue:
* virt: Allow user to specify cache topology
* target/arm: Move OMAP CP15 register definitions to cpregs-omap.c
* target/arm: cleanups for single-binary work
* MAINTAINERS: remove people who are no longer active in the project
Marco Liebel [Thu, 22 Jan 2026 22:34:23 +0000 (14:34 -0800)]
target/hexagon: Change DisasContext packet type
The pkt variable inside DisasContext is of type Packet * and gets
assigned to a local variable in decode_and_translate_packet. Right now
there seems to be no problem with it but future changes to e.g.
hexagon_tr_translate_packet are potentially dangerous if pkt is accessed
after the local variable goes out of scope.
Since packets are being translated one at a time, the type of pkt can be
changed to just Packet to avoid risk of having a dangling pointer.
Signed-off-by: Marco Liebel <marco.liebel@oss.qualcomm.com>
Reviewed-by: Brian Cain <brian.cain@oss.qualcomm.com>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
Signed-off-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
Brian Cain [Tue, 17 Feb 2026 21:22:44 +0000 (14:22 -0700)]
tests/tcg/hexagon: Add test for revision-gated instruction decoding
Add check_rev_gating, a linux-user test that verifies the decoder
rejects instructions from a newer CPU revision than the one selected
by the ELF binary's e_flags.
Co-authored-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Co-authored-by: Matheus Tavares Bernardino <matheus.bernardino@oss.qualcomm.com>
Reviewed-by: Marco Liebel <marco.liebel@oss.qualcomm.com>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
Taylor Simpson [Tue, 17 Feb 2026 21:22:43 +0000 (14:22 -0700)]
Hexagon (target/hexagon) Disassembly of invalid packets
We pass the Hexagon CPU definition to disassemble_hexagon. This allows
decode_packet to know if the opcodes are supported.
Note that we print valid instructions in a packet when one or more is
invalid. Rather than this
0x0002128c: 0x1eae4fec { <invalid>
0x00021290: 0x1c434c04 <invalid>
0x00021294: 0x1e03edf0 <invalid> }
We print this
0x0002128c: 0x1eae4fec { <invalid>
0x00021290: 0x1c434c04 V4.w = vadd(V12.w,V3.w)
0x00021294: 0x1e03edf0 V16 = V13 }
Co-authored-by: Matheus Tavares Bernardino <matheus.bernardino@oss.qualcomm.com>
Co-authored-by: Brian Cain <brian.cain@oss.qualcomm.com>
Signed-off-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
Taylor Simpson [Tue, 17 Feb 2026 21:22:42 +0000 (14:22 -0700)]
Hexagon (target/hexagon) Check each opcode against current CPU definition
During decoding, check that the opcode is supported in the current
Hexagon CPU definition
Co-authored-by: Matheus Tavares Bernardino <matheus.bernardino@oss.qualcomm.com>
Co-authored-by: Brian Cain <brian.cain@oss.qualcomm.com>
Signed-off-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
Table that records which CPU revision introduced or removed
each opcode
Co-authored-by: Brian Cain <brian.cain@oss.qualcomm.com>
Co-authored-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Signed-off-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
Taylor Simpson [Tue, 17 Feb 2026 21:22:40 +0000 (14:22 -0700)]
Hexagon (target/hexagon) Add Hexagon definition field to DisasContext
Initialize the field in hexagon_tr_init_disas_context
Co-authored-by: Matheus Tavares Bernardino <matheus.bernardino@oss.qualcomm.com>
Co-authored-by: Brian Cain <brian.cain@oss.qualcomm.com>
Signed-off-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
Taylor Simpson [Tue, 17 Feb 2026 21:22:39 +0000 (14:22 -0700)]
Hexagon (linux-user/hexagon) Identify Hexagon version in ELF file
Return proper Hexagon CPU version from get_elf_cpu_model
Co-authored-by: Matheus Tavares Bernardino <matheus.bernardino@oss.qualcomm.com>
Co-authored-by: Brian Cain <brian.cain@oss.qualcomm.com>
Signed-off-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
Taylor Simpson [Tue, 17 Feb 2026 21:22:38 +0000 (14:22 -0700)]
Hexagon (target/hexagon) Properly handle Hexagon CPU version
Add the following CPU versions that were previously missing
v5
v55
v60
v61
v62
v65
Create a CPUHexagonDef struct to represent the definition of a core
Currently contains an enum with the known Hexagon CPU versions
Add a field to HexagonCPUClass to note the Hexagon definition
Co-authored-by: Matheus Tavares Bernardino <matheus.bernardino@oss.qualcomm.com>
Co-authored-by: Brian Cain <brian.cain@oss.qualcomm.com>
Signed-off-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
Junjie Cao [Mon, 20 Apr 2026 20:13:16 +0000 (04:13 +0800)]
migration/file: switch file_write_ramblock_iov to pwritev_all
file_write_ramblock_iov() uses single-shot qio_channel_pwritev() and
only checks for ret < 0. A short write (0 <= ret < requested) would be
treated as success.
Switch to qio_channel_pwritev_all() which retries until all bytes are
written or an error occurs.
Junjie Cao [Mon, 20 Apr 2026 20:13:15 +0000 (04:13 +0800)]
migration/qemu-file: switch buffer_at functions to positioned I/O _all helpers
qemu_put_buffer_at() and qemu_get_buffer_at() have the same pattern as
the bug fixed in multifd_file_recv_data(): the ssize_t return value from
the channel layer is stored in a size_t variable, and a short transfer
would be mishandled rather than retried.
Switch to qio_channel_pwrite_all() / qio_channel_pread_all() which
handle short transfers internally and make the code more robust and
consistent with the rest of the positioned I/O call sites.
Fixes: 7f5b50a401 ("migration/qemu-file: add utility methods for working with seekable channels")
Signed-off-by: Junjie Cao <junjie.cao@intel.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260420201317.30199-2-junjie.cao@intel.com
Signed-off-by: Fabiano Rosas <farosas@suse.de>
tests/qtest/migration: fix fd leak in ufd_version_check
ufd_version_check() opens a userfaultfd via uffd_open() but never closes
it on any path where the open succeeded: the UFFDIO_API failure path,
the missing-ioctls path, and the success path all returned without
calling close(ufd).
Convert to a goto-out pattern consistent with uffd_open() used in
util/userfaultfd.c and migration/postcopy-ram.c, ensuring the fd is
always closed before returning.
Junjie Cao [Mon, 13 Apr 2026 21:45:49 +0000 (05:45 +0800)]
tests/unit: add pread/pwrite _all tests for io channel file
Add unit tests for the new qio_channel_pread{v,}_all{,_eof}() and
qio_channel_pwrite{v,}_all() APIs.
The basic tests write data to a file channel, then read it back at
various offsets using both the single-buffer and iovec variants to
make sure the round-trip produces identical content. The _eof tests
verify all three return cases -- full read (1), clean EOF (0), and
partial-then-EOF (-1 with error set) -- and check that the strict
wrappers (preadv_all / pread_all) treat a clean EOF as an error.
All tests are guarded by CONFIG_PREADV since the underlying channel
methods require preadv(2).
Signed-off-by: Junjie Cao <junjie.cao@intel.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Acked-by: Daniel P. Berrangé <berrange@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260413214549.926435-5-junjie.cao@intel.com
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Junjie Cao [Mon, 13 Apr 2026 21:45:48 +0000 (05:45 +0800)]
migration/file: fix type mismatch and NULL deref in multifd_file_recv_data
multifd_file_recv_data() stores the return value of qio_channel_pread()
(ssize_t) in a size_t variable. On I/O error the -1 return value wraps
to SIZE_MAX, producing a nonsensical read size in the error message.
More critically, a short read (0 <= ret < data->size) is possible when
the migration file is truncated. In that case qio_channel_pread()
returns a non-negative value without setting *errp. The function then
calls error_prepend(errp, ...) which dereferences *errp -- a NULL
pointer -- crashing QEMU.
Fix both issues by switching to qio_channel_pread_all() introduced in
a previous patch, which retries on short reads and treats end-of-file
as an error, so the caller no longer needs to check the byte count
manually. Add ERRP_GUARD() so that error_prepend() works correctly
even when errp is &error_fatal or NULL.
Fixes: a49d15a38d3d ("migration/multifd: Support incoming mapped-ram stream format")
Suggested-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Junjie Cao <junjie.cao@intel.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/qemu-devel/20260413214549.926435-4-junjie.cao@intel.com
Signed-off-by: Fabiano Rosas <farosas@suse.de>
qio_channel_pread() and qio_channel_preadv() perform a single
positioned read and may return a short result. Callers that need all
bytes currently have to open-code a retry loop or simply treat a short
read as an error.
Introduce four new helpers following the existing read_all / readv_all
pattern:
qio_channel_preadv_all_eof() -- retry loop; returns 1 on success,
0 on clean EOF, -1 on error.
qio_channel_preadv_all() -- wraps _eof; treats early EOF as
error; returns 0 / -1.
qio_channel_pread_all_eof() -- single-buffer convenience wrapper
around preadv_all_eof().
qio_channel_pread_all() -- single-buffer convenience wrapper
around preadv_all().
These advance the file offset internally after each partial read.
All four are marked coroutine_mixed_fn, consistent with the existing
_all helpers.
Suggested-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Junjie Cao <junjie.cao@intel.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Acked-by: Daniel P. Berrangé <berrange@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260413214549.926435-2-junjie.cao@intel.com
Signed-off-by: Fabiano Rosas <farosas@suse.de>
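The retry contract described for the new `_all_eof` / `_all` helpers, and the three return cases the unit-test commit above checks (full read 1, clean EOF 0, partial-then-EOF -1 with an error set), modelled as an added stand-alone example; this is not QEMU's QIOChannel code. FakeFile, fake_pread() and the sample contents are constructed so the loop can be exercised against forced short reads without a real channel.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed in-memory "file" standing in for a seekable channel. */
typedef struct {
    const uint8_t *data;
    size_t size;
    size_t max_chunk;   /* bytes one positioned read may return; forces short reads */
} FakeFile;

/* Single-shot positioned read: may return fewer bytes than asked, 0 at EOF. */
static ssize_t fake_pread(const FakeFile *f, void *buf, size_t len, off_t offset)
{
    if ((size_t)offset >= f->size) {
        return 0;
    }
    size_t avail = f->size - (size_t)offset;
    size_t n = len < avail ? len : avail;
    if (n > f->max_chunk) {
        n = f->max_chunk;
    }
    memcpy(buf, f->data + offset, n);
    return (ssize_t)n;
}

/*
 * Mirrors the described preadv_all_eof contract for a single buffer:
 * loop until len bytes are read, advancing the offset after each partial
 * read.  Returns 1 on a full read, 0 on a clean EOF (nothing read at all)
 * and -1 when EOF arrives after a partial read or on a read failure, with
 * *err describing the problem.
 */
static int pread_all_eof(const FakeFile *f, void *buf, size_t len, off_t offset,
                         const char **err)
{
    size_t done = 0;
    while (done < len) {
        ssize_t ret = fake_pread(f, (uint8_t *)buf + done, len - done,
                                 offset + (off_t)done);
        if (ret < 0) {
            *err = "read failure";
            return -1;
        }
        if (ret == 0) {
            if (done == 0) {
                return 0;                     /* clean EOF before any data */
            }
            *err = "unexpected end-of-file";  /* partial-then-EOF is an error */
            return -1;
        }
        done += (size_t)ret;                  /* offset advances internally */
    }
    return 1;
}

/* Strict wrapper: a clean EOF is also an error.  Returns 0 / -1. */
static int pread_all(const FakeFile *f, void *buf, size_t len, off_t offset,
                     const char **err)
{
    int ret = pread_all_eof(f, buf, len, offset, err);
    if (ret == 0) {
        *err = "unexpected end-of-file";
        return -1;
    }
    return ret < 0 ? -1 : 0;
}

/* Constructed 10-byte sample file; reads are capped at 3 bytes per call. */
static const uint8_t SAMPLE[] = "0123456789";
static const FakeFile SAMPLE_FILE = { SAMPLE, 10, 3 };

/* Return code of the _eof variant for a given (offset, len). */
static int eof_case(off_t offset, size_t len)
{
    uint8_t buf[16];
    const char *err = NULL;
    return pread_all_eof(&SAMPLE_FILE, buf, len, offset, &err);
}

/* Return code of the strict variant for a given (offset, len). */
static int strict_case(off_t offset, size_t len)
{
    uint8_t buf[16];
    const char *err = NULL;
    return pread_all(&SAMPLE_FILE, buf, len, offset, &err);
}

/* 1 if a full read at (offset, len) yields exactly the expected bytes. */
static int read_matches(off_t offset, size_t len, const char *expect)
{
    uint8_t buf[16];
    const char *err = NULL;
    return pread_all_eof(&SAMPLE_FILE, buf, len, offset, &err) == 1 &&
           memcmp(buf, expect, len) == 0;
}

int main(void)
{
    printf("full=%d clean_eof=%d partial_eof=%d strict_eof=%d\n",
           eof_case(0, 8), eof_case(10, 4), eof_case(7, 8), strict_case(10, 4));
    return 0;
}
```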
migration: validate page_size in mapped-ram header before use
mapped_ram_read_header() reads page_size from the migration stream and
stores it in MappedRamHeader, but does not validate that the value is
non-zero before it is later used in parse_ramblock_mapped_ram():
num_pages = length / header.page_size;
If a corrupted or malformed migration stream provides an invalid value,
the guest either resumes with corrupted memory or crashes unexpectedly
(e.g. page_size = 0).
Add validation in mapped_ram_read_header() to reject invalid page_size
values early and return an error instead of continuing with an invalid
header.
Steps to reproduce:
Create a migration snapshot with mapped-ram enabled:
(qemu) migrate_set_capability mapped-ram on
(qemu) migrate file:/tmp/qemu-snapshots/snapshot.bin
Modify the snapshot so that MappedRamHeader.page_size differs from the
target page size (0/512/8192/1GB).
Restore the snapshot:
(qemu) migrate_set_capability mapped-ram on
(qemu) migrate_incoming file:/tmp/qemu-snapshots/snapshot.bin
tests/unit/test-vmstate: add tests for VMS_ARRAY_OF_POINTER_AUTO_ALLOC
Add tests for VMSTATE_VARRAY_OF_POINTER_TO_STRUCT_UINT32_ALLOC.
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
[peterx: Removed two tests due to macro not used, rebase, fix warning]
Signed-off-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Juraj Marcin <jmarcin@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260401202844.673494-12-peterx@redhat.com
Signed-off-by: Fabiano Rosas <farosas@suse.de>
vmstate: Stop checking size for nullptr compression
The NULL pointer marker code applies only to VMS_ARRAY_OF_POINTER,
where the size is never NULL. Move the setting of is_null under
VMS_ARRAY_OF_POINTER, so we can stop checking the size.
Introduce a new flag, VMS_ARRAY_OF_POINTER_AUTO_ALLOC, for VMSD field. It
must be used together with VMS_ARRAY_OF_POINTER.
It can be used to allow migration of an array of pointers where the
pointers may point to NULLs.
Note that we used to allow migration of a NULL pointer within an array that
is being migrated. That corresponds to the code around vmstate_info_nullptr
where we may get/put one byte showing that the element of an array is NULL.
That usage is fine but very limited: even though it migrates a
NULL pointer with a marker, it still works in a way where both src and dest
QEMUs must know exactly which elements of the array are non-NULL, so
instead of dynamically loading an array (which can have NULL pointers), it
actually only verifies that the known NULL pointers are still NULL pointers
after migration.
Also, in that case since dest QEMU knows exactly which element is NULL,
which is not NULL, dest QEMU's device code will manage all allocations for
the elements before invoking vmstate_load_vmsd().
That's not enough per evolving needs of new device states that may want to
provide real dynamic array of pointers, like what Alexander proposed here
with the NVMe device migration:
Reviewed-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
Tested-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
Signed-off-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Juraj Marcin <jmarcin@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260401202844.673494-10-peterx@redhat.com
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Peter Xu [Wed, 1 Apr 2026 20:28:41 +0000 (16:28 -0400)]
vmstate: Implement load of ptr marker in vmstate core
The loader side of the ptr marker is pretty straightforward: instead of
playing the inner_field trick, just do the load manually, assuming the
marker layout is a stable ABI (which is already true).
This will remove some logic while loading VMSD, and hopefully it makes it
slightly easier to read. Unfortunately, we still need to keep the sender
side because of the JSON blob we're maintaining.
This paves way for future processing of non-NULL markers as well.
While at it, do not check "size" anymore for existing NULL markers, and move
it under the same VMS_ARRAY_OF_POINTER section because that's the only place
a NULL marker can happen (which guarantees size == host ptr size, which is
non-zero).
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
Signed-off-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Juraj Marcin <jmarcin@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260401202844.673494-9-peterx@redhat.com
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Introduce a helper to do both the JSON blob generations and save vmstate.
This further shrinks the function a bit. More importantly, we'll need to
save two fields in one loop very soon in the future with the JSON blob.
Reviewed-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Juraj Marcin <jmarcin@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260401202844.673494-7-peterx@redhat.com
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Peter Xu [Wed, 1 Apr 2026 20:28:37 +0000 (16:28 -0400)]
vmstate: Update max_elems early and check field compressable once
QEMU has a trick in vmstate_save_vmsd_v(), where it will try to compress
multiple JSON entries into one with a count to avoid duplicated entries.
That only applies to the cases where vmsd_can_compress() should return
true. For example, vmsd_desc_field_start() later (who will take the
updated max_elems as the last parameter) will ignore the value passed in
when vmsd_can_compress() returns false.
Do that check once at the start of loop, and use it to update max_elems, so
that max_elems keeps 1 for uncompressable VMSD fields, which is more
straightforward.
This also paves way to make this counter work for ptr marker VMSD fields
too.
No functional change intended in this patch alone.
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
Signed-off-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Juraj Marcin <jmarcin@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260401202844.673494-5-peterx@redhat.com
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Trieu Huynh [Sat, 28 Mar 2026 12:12:14 +0000 (21:12 +0900)]
migration: fix QIOChannelFile leak on error in file_connect_outgoing
Commit 03a680c978 changed g_autoptr(QIOChannelFile) to a plain pointer
but failed to restore the necessary object_unref() calls on error paths.
Previously, these were handled implicitly by the g_autoptr cleanup
mechanism.
Two error paths currently leak the QIOChannelFile object and its
underlying file descriptor:
1. When ftruncate() fails (e.g., on character or block devices).
2. When qio_channel_io_seek() fails after the channel is created.
In environments that retry migration automatically (e.g., libvirt),
these FDs accumulate until QEMU hits RLIMIT_NOFILE and fails with
EMFILE (Too many open files).
Add the missing object_unref() calls to both error paths to ensure
resources are properly released.
migration: introduce vmstate_load_vmsd() and vmstate_save_vmsd()
Introduce new APIs, returning bool.
The analysis
https://lore.kernel.org/qemu-devel/aQDdRn8t0B8oE3gf@x1.local/
shows that the vmstate_load_state() return value is actually only
used to check for success; specific errno values don't make
sense.
With this commit we introduce new functions with modern bool
interface, and in following commits we'll update the
code base to use them, starting from migration/ code, and
finally we will remove old vmstate_load_state() and
vmstate_save_state().
This patch reworks existing functions to new one, so that
old interfaces are simple wrappers, which will be easy to
remove later.
To simplify further changes (conversion to bool+errp APIs),
let's rework some error paths:
- get rid of int ret in traces, as we are moving to bool+errp APIs
- split traces to _fail / _success (seems better than adding a boolean
result to the message).
- prefer short error paths (return immediately on error)
- around trace_vmstate_load_field_error(), do not call
qemu_file_set_error(), if the error comes from qemu_file_get_error()