Do not add the display state to the vnc list, if the initialization
failed. Add vnc_display_free(), to free the display state and associated
data in such a case. The function is meant to be public and reused in the
following changes.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Enable callers to properly tear down keyboard layouts.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/vnc: assert preconditions instead of silently returning
Replace defensive NULL guards with assert() in vnc_display_close()
and vnc_display_open(). These are internal functions whose callers
guarantee non-NULL arguments, so a NULL value would indicate a
programming error rather than a runtime condition.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
The datadir module provides general-purpose data file lookup
utilities that are not specific to system emulation. Move it
to util/ so it can be reused more broadly.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
The vgafont was added without source origin, but it can be traced back
to the Linux kernel, which used
GPL-2 (https://github.com/mpe/linux-fullhistory/blob/master/lib/fonts/font_8x16.c).
ui: avoid duplicating vgafont16 in each translation unit
vgafont.h defined vgafont16 as a static const array, so every .c file
that included it (via console-priv.h) got its own 4 KiB copy, which
the linker may or may not deduplicate?
Move the array definition into a new vgafont.c compilation unit and
turn the header into a proper extern declaration with an include guard.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
VT100 escape responses (DSR) used qemu_chr_be_write() to write directly
to the chardev backend, bypassing the output FIFO, while keyboard input
went through the FIFO and flush path. This inconsistency could lead to
out-of-order delivery when both paths are active.
Introduce qemu_text_console_write() that pushes data into the output
FIFO and flushes it, and use it for both keyboard input and VT100
responses. Remove the now-unnecessary vc_respond_str() helper. Rename
kbd_send_chars() to qemu_text_console_flush() to better reflect its
purpose.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/console-vc: move vc_put_lf() to VT100 layer as vt100_put_lf()
Decouple the line-feed handling from VCChardev by operating on
QemuVT100 directly. The function no longer needs the chardev or
console pointers — callers pass &s->vt instead. This continues the
effort to make the VT100 terminal emulation self-contained.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/console-vc: refactor text_console_resize() into vt100_set_image()
Decouple the resize logic from QemuTextConsole by operating on
QemuVT100 and taking a pixman_image_t directly, instead of reaching
into the console's scanout surface. The callers now pass the image
explicitly, which makes the VT100 layer independent of the console
object hierarchy.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/console-vc: move cursor blinking logic into VT100 layer
Maintain a list of QemuVT100 instances so the cursor timer can directly
iterate over them and call vt100_refresh(), instead of going through
qemu_invalidate_text_consoles() which iterated over all consoles
(including graphic ones) and called back into the generic display layer.
This removes the qemu_invalidate_text_consoles() function from
console.c, further decoupling VT100 text rendering from the console
core.
ui/console-vc: decouple VT100 display updates via function pointer
Replace direct dpy_gfx_update() calls from the VT100 emulation code
with an indirect call through a new image_update function pointer in
QemuVT100. This decouples the VT100 terminal emulation from the
QEMU display layer, allowing different backends to provide their own
image update implementation.
The QemuVT100 typedef is changed to a forward-declared struct so the
function pointer signature can reference QemuVT100 itself.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Have the character rendering function operate on QemuVT100 directly
instead of taking a QemuConsole and extracting the VT100 state
internally. This decouples glyph rendering from the console object,
continuing the QemuVT100 abstraction introduced in the previous commits.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Start removing the dependency on DisplaySurface for vt100 handling.
Note that before, the rendering was done on the current DisplaySurface.
It's not obvious that the surface associated with the QemuTextConsole isn't
changed over time, in particular if it was doing a resize. But
qemu_console_resize() is only implemented for QemuGraphicConsole.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/console: dispatch get_label() through QOM virtual method
Replace the type-checking chain in qemu_console_get_label() (using
QEMU_IS_GRAPHIC_CONSOLE/QEMU_IS_TEXT_CONSOLE) with a QemuConsoleClass
virtual method, allowing each console subclass to provide its own
get_label implementation.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Modern terminals and applications emit OSC (Operating System Command),
DCS, SOS, PM, and APC escape sequences (e.g. for setting window
titles). The text console currently does not recognise these
string-type introducers, so each byte of the payload is interpreted as
a normal character or a new escape, producing garbage on screen.
Add a TTY_STATE_OSC state that silently consumes all bytes until the
sequence is terminated by BEL or ST (ESC \).
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/console-vc: fix off-by-one in CSI J 2 (clear entire screen)
The loop condition used `y <= s->height` instead of `y < s->height`,
causing vc_clear_xy() to be called with y == s->height. This clears
a row in the scrollback buffer beyond the visible screen.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/vnc-jobs: drop redundant (and needless) qemu_thread_get_self()
The call is unnecessary, since "thread" is already set at creation time.
Furthermore, the "thread" field is mostly useless as the thread is
created DETACHED and isn't used for anything but perhaps debugging.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
The function was never called, since the worker thread was never
exiting. Also it was incomplete (not clearing pending job list) and
mixing global queue and argument. Let's remove it.
Note: maybe the worker thread could be torn down when vnc_jobs_join()
realizes there is no job left.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Since commit 09526058d0a5 ("ui/vnc: Remove vnc_stop_worker_thread()"),
it's not used anymore. It seems stopping the worker thread has never been
supported.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/clipboard: clear deferred serial reset flag on resume
cb_reset_serial_on_resume defers a clipboard serial reset until the
machine runs again. qemu_clipboard_change_state() performs that reset
on resume, but leaves the flag set.
As a result, every later transition back to RUNNING triggers another
QEMU_CLIPBOARD_RESET_SERIAL notification even when no reset is pending.
That causes unnecessary reset handling in clipboard backends such as
vdagent and dbus.
Clear the deferred flag before resetting so the reset is performed only
once for each deferred request.
Fixes: c967ff606b99 ("ui/clipboard: delay clipboard update when not running")
Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20260416070403.1683648-1-zhaoguohan@kylinos.cn>
spice_app_display_early_init() creates the per-VM runtime directory
with g_mkdir_with_parents() before setting up the Spice socket. The
code checks for "< -1", but g_mkdir_with_parents() returns -1 on
failure, so the error path is never taken.
This lets spice-app continue after a directory creation failure and
defers the problem to later setup steps.
Check for "< 0" instead so the failure is reported immediately and
spice-app exits before using an invalid runtime directory.
ui/input-linux: close evdev fd when qemu_set_blocking fails
input_linux_complete() opens the evdev node before switching it to
non-blocking mode. If qemu_set_blocking() fails, the function returns
without closing the file descriptor.
The finalize path only closes initialized devices, so this leaks the fd
on an error path.
Jump to err_close when qemu_set_blocking() fails so the descriptor is
released before returning.
John Levon [Fri, 10 Apr 2026 08:57:14 +0000 (09:57 +0100)]
vfio-user: support VFIO_USER_DEVICE_FEATURE
Plumb through vfio_device_get_feature to the vfio-user server. Note that
we translate EINVAL into ENOTTY, as the existing generic vfio code is
expecting the latter to mean "unsupported".
As part of adding a trace point, clean up the trace file.
vfio: Add VFIO I/O backend capability flags for feature support
Different VFIO I/O backends support different features. For example,
the kernel VFIO backend supports DMA-BUF creation, while vfio-user
does not. Currently, this is handled by attempting the operation and
checking for -ENOTTY, which can lead to misleading warnings when a
feature is simply not supported by a particular backend.
Introduce a capability flags mechanism in VFIODeviceIOOps that allows
backends to explicitly advertise which features they support. Callers
can check these capabilities before attempting operations, avoiding
spurious errors and warnings.
hw/vfio/iommufd: Control dirty tracking for nesting parent HWPT
QEMU smmuv3 accel does not support live migration yet, so dirty
tracking for the nesting parent HWPT is not useful.
Also, nested vIOMMU use cases can break on some platforms. For
example, SMMUv3 with HTTU may advertise dirty tracking capability,
but the kernel supports it only for stage-1. Requesting dirty
tracking for a nesting parent HWPT (stage-2) can fail.
Add a vIOMMU flag to explicitly request dirty tracking for the
nesting parent HWPT. For nested cases, dirty tracking is enabled
only when requested by the vIOMMU.
Non-nested cases and Intel vIOMMU keep the existing behavior.
Pierrick Bouvier [Wed, 18 Mar 2026 17:47:30 +0000 (10:47 -0700)]
hw/vfio/pci.c: eradicate CONFIG_KVM
We just need to add a kvm_enabled() guard when calling the concerned
functions, but there is no need to extract those kvm functions since they are
not using any kvm-specific types that would not be visible at compilation
time.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Tested-by: Cédric Le Goater <clg@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260318174733.1717643-6-pierrick.bouvier@linaro.org
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Pierrick Bouvier [Wed, 18 Mar 2026 17:47:29 +0000 (10:47 -0700)]
hw/vfio: eradicate CONFIG_IOMMU from sources
This commit removes usage of CONFIG_IOMMU in hw/vfio sources,
unconditionally exposing iommufd-related properties, which are declared
statically (in const arrays). The alternative of exposing them dynamically
is more complex and requires boilerplate to set properties at runtime,
with set_* callbacks and added logic to check if the iommufd backend is
available, with no obvious benefit.
One possible difference is that the user may see a different error message
when trying to attach a vfio device with a QEMU not supporting iommufd,
without declaring the associated iommufd object.
Instead of:
```
$ qemu-system-* -device vfio-pci,host=0000:01:00.0,iommufd=iommufd0
qemu-system-*: -device vfio-pci,host=0000:01:00.0,iommufd=iommufd0: Property 'vfio-pci.iommufd' not found
```
The user will now see:
```
qemu-system-aarch64: -device vfio-pci,host=0000:01:00.0,iommufd=iommufd0: Device 'iommufd0' not found
```
However, since declaring the iommufd object is needed, the error reported
before and after is still the same:
```
$ qemu-system-* -object iommufd,id=iommufd0 -device vfio-pci,host=0000:01:00.0,iommufd=iommufd0
qemu-system-*: invalid object type: iommufd
```
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Tested-by: Cédric Le Goater <clg@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260318174733.1717643-5-pierrick.bouvier@linaro.org
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Pierrick Bouvier [Wed, 18 Mar 2026 17:47:28 +0000 (10:47 -0700)]
hw/vfio/pci-quirks.c: remove CONFIG_VFIO_IGD
Add stubs for needed functions.
vfio_pci_hot_reset_info must be forward-declared on non-Linux platforms:
```
In file included from ../hw/vfio/igd-stubs.c:9:
../hw/vfio/pci.h:265:44: error: 'struct vfio_pci_hot_reset_info' declared inside parameter list will not be visible outside of this definition or declaration [-Werror]
265 | struct vfio_pci_hot_reset_info **info_p);
    |
```
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Tested-by: Cédric Le Goater <clg@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260318174733.1717643-4-pierrick.bouvier@linaro.org
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Pierrick Bouvier [Wed, 18 Mar 2026 17:47:27 +0000 (10:47 -0700)]
hw/vfio/helpers.c: extract kvm helpers in kvm-helpers.c
Because those functions use kvm specific types, they need to be isolated
in another source file.
This allows us to link kvm-helpers only in configurations with
CONFIG_KVM.
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Tested-by: Cédric Le Goater <clg@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260318174733.1717643-3-pierrick.bouvier@linaro.org
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Chad Jablonski [Fri, 19 Dec 2025 01:45:12 +0000 (20:45 -0500)]
migration: Remove unnecessary zlib include from qemu-file.h
Commit 70eb5fde05 removed zlib from the libmigration dependencies but
missed removing the zlib include from the header file. zlib doesn't
appear to be used anywhere in qemu-file.h. This is fine in most
environments where zlib is nearly always in the default include path but
breaks the build when it isn't (NixOS for example).
Fixes: 70eb5fde05 ("migration: remove unnecessary zlib dependency")
Signed-off-by: Chad Jablonski <chad@jablonski.xyz>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Mon, 13 Apr 2026 10:37:54 +0000 (11:37 +0100)]
docs: Deprecate Arm OABI and NWFPE support
Linux for 32-bit Arm has had two major ABIs: the original OABI and
the more modern EABI. OABI support was marked as obsolete in GCC 4.7
and dropped in GCC 4.8. In the Linux kernel, compatibility handling
for OABI (OABI_COMPAT) is not generally enabled by default and is not
compatible with building a Thumb2 kernel. Distros dropped OABI
support fifteen years or more ago.
NWFPE floating-point emulation handles the ancient FPA11 coprocessor,
which is only needed/supported with OABI. Our implementation is old,
untested and not thread-safe.
Mark OABI and NWFPE support as deprecated so we can remove it in a
future release. Our main motivation here is to be able to drop the
2500+ lines of NWFPE emulation code.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260413103754.45745-1-peter.maydell@linaro.org
Bernhard Beschow [Tue, 14 Apr 2026 11:40:33 +0000 (13:40 +0200)]
util/cutils: Fix heap corruption under Windows
Under Windows, QEMU would only sporadically start successfully. In the
G_OS_WIN32 case, get_relocated_path() first determines a cursor
to the end of the "result" string and then increases its size with
g_string_set_size(). Since g_string_set_size() may reallocate, the
cursor may become dangling. Windows may detect this and crash the QEMU
process with the following message:
Furthermore, QEMU crashes spontaneously, even long after the guest has
booted. For example, it presumably crashes due to the guest setting a
new cursor icon which may be a result of the heap corruption.
Fix this by determining the cursor on the resized string.
Fixes: cf60ccc3306c ("cutils: Introduce bundle mechanism")
Cc: qemu-stable@nongnu.org
Signed-off-by: Bernhard Beschow <shentey@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-id: 20260414114033.2360-1-shentey@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Ani Sinha [Tue, 14 Apr 2026 04:59:11 +0000 (10:29 +0530)]
accel/kvm: return early from kvm_irqchip_create if kvm does not support irqchip
During refactoring of kvm_irqchip_create(), the refactored code was returning
early from do_kvm_irqchip_create() function if the required essential
capabilities were not present in KVM. This was not translating to an early
return from kvm_irqchip_create() as was the case before refactoring.
This is because, do_kvm_irqchip_create() did not have a means to notify the
caller of the lack of required kvm capabilities. Fix this by making
do_notify_irqchip_create() return EOPNOTSUPP error when capabilities
are absent and then the caller can check the return code and return early.
Due to this regression during refactoring, all KVM guests on ppc64le hang
immediately during startup and this completely breaks all functionality on
that platform.
Fixes: 98884e0cc1 ("accel/kvm: add changes required to support KVM VM file descriptor change")
Message-ID: <20260413090010.60339-1-anisinha@redhat.com>
Reported-by: Misbah Anjum N <misanjum@linux.ibm.com>
Reported-by: Gautam Menghani <gautam@linux.ibm.com>
Tested-by: Misbah Anjum N <misanjum@linux.ibm.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Ani Sinha <anisinha@redhat.com>
Message-id: 20260414045911.63662-1-anisinha@redhat.com
Suggested-by: Fabiano Rosas <farosas@suse.de>
Suggested-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Tested-by: Misbah Anjum N <misanjum@linux.ibm.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Ani Sinha <anisinha@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Stefan Hajnoczi [Fri, 10 Apr 2026 12:11:28 +0000 (08:11 -0400)]
virtio-blk: fix zone report buffer out-of-memory (CVE-2026-5761)
An internal buffer is used when processing VIRTIO_BLK_T_ZONE_REPORT
requests. The buffer's size is controlled by the guest. A large value
can result in g_malloc() failure and the QEMU process aborts, resulting
in a Denial of Service (DoS) (most likely in cases where an untrusted
guest application or a nested guest with virtio-blk passthrough is able
to abort QEMU).
Modify the zone report implementation to work incrementally with a
bounded buffer size.
This is purely a QEMU implementation issue and no VIRTIO spec changes
are needed.
Mingyuan Luo found this bug and provided a reproducer which I haven't
put into tests/qtest/ because it requires a zoned storage device (e.g.
root and modprobe null_blk):
Cc: Sam Li <faithilikerun@gmail.com>
Cc: Damien Le Moal <dlemoal@kernel.org>
Cc: Dmitry Fomichev <dmitry.fomichev@wdc.com>
Fixes: CVE-2026-5761
Fixes: 4f7366506a9 ("virtio-blk: add zoned storage emulation for zoned devices")
Reported-by: Mingyuan Luo <myluo24@m.fudan.edu.cn>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
qemu-keymap: fix altgr modifier lookup for newer xkeyboard-config
xkeyboard-config 2.37 removed the "AltGr" virtual modifier in favor
of mapping upper groups directly to Mod5. Since then,
xkb_keymap_mod_get_index(map, "AltGr") returns XKB_MOD_INVALID, so
AltGr-based keysyms were never generated.
hw/timer: ibex_timer: Update IRQs after writing CTRL
When writing to rv_timer.CTRL after setting the compare values the timer
doesn't fire as we don't update the interrupts. Ensure we update the
interrupts after a write to the rv_timer.CTRL register.
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2796
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Message-ID: <20260407043614.372871-5-alistair.francis@wdc.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Remove the Radeon-specific masks for offset and pitch registers. While
the documentation is not clear about it, I believe it is a copy&paste
error from the combined DST_PITCH_OFFSET register, which has fewer bits
and is therefore more constrained than the individual registers, which
should not have this mask.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <20260404111318.8334E596A22@zero.eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
When copying the request response into the pio transfer buffer the code
skips the 'struct mm_header' but does not consider that when calculating
transfer size, so it will copy 24 (== sizeof(struct mm_header)) extra
bytes, which can overflow uv->pio_xfer_buffer.
Fix that by copying the complete buffer, including the header, which
also makes the pio code path consistent with the (unaffected) dma code
path.
Fixes: CVE-2026-5744
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: Yuma Kurogome <yumak@ricsec.co.jp>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20260408073403.3410541-1-kraxel@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Paolo Bonzini [Fri, 27 Mar 2026 21:00:09 +0000 (22:00 +0100)]
virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare
Ensure that there is no allocation/usage mismatch when requests
are processed in virtio_scsi_handle_cmd_vq. To do this,
retrieve the value once and pass it to both functions.
For other calls to virtio_scsi_pop_req the extra size
can be 0, because control and event requests fit
entirely in VirtIOSCSIReq.
Reported-by: Jihe Wang <wangjihe.mail@gmail.com>
Tested-by: Jihe Wang <wangjihe.mail@gmail.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Fixes: CVE-2026-5763
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* tag 'hw-misc-20260407' of https://github.com/philmd/qemu:
ati-vga: Do not crash on 24 bits per pixel
ati-vga: Update mode on CRTC_PITCH change
ati-vga: Fix setting CRTC_OFFSET
hw/arm/omap_sx1: map CS3 at the correct base
cirrus-vga: Make frame buffer endianness little endian by default
docs/about/removed-features: Replace 'since' -> 'removed in'
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu:
util: fix missing aio_wait sym in qemu guest agent only build
Allow building qemu tools on 32-bit hosts
util/meson.build: do not add cpuinfo-$arch to util_ss for 32bit CPUs
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
util/readline: Fix out-of-bounds access in readline_insert_char().
Currently, the readline_insert_char() function is guarded by the cursor
position (cmd_buf_index) rather than the actual buffer fill level (cmd_buf_size).
The current check is:
```c
if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE)
```
This logic is flawed because if the command buffer is full and a user moves the
cursor backward (e.g. by sending the left arrow key), cmd_buf_index can be
decreased without decreasing the buffer size.
This allows subsequent insertions to increase cmd_buf_size past its maximum
limit of rs->cmd_buf.
Because in the ReadLineState struct, cmd_buf[READLINE_CMD_BUF_SIZE + 1] is
immediately followed by the cmd_buf_index integer, once the buffer size is
sufficiently inflated, the memmove() operation inside readline_insert_char()
can write past the end of cmd_buf[] and overwrite cmd_buf_index itself.
The subsequent line:
```c
rs->cmd_buf[rs->cmd_buf_index] = ch;
```
then writes the input character to an address determined by the now-corrupted
index.
By providing a specifically crafted input sequence via HMP, this flaw can be
used to redirect the write operation to overwrite any field within the
ReadLineState structure, which can lead to unpredictable behavior or
application crashes.
Fix this by adding the guard to check for buffer fullness.
```
FAILED: [code=1] qga/qemu-ga
ld: libqemuutil.a.p/qapi_qmp-dispatch.c.o: in function `do_qmp_dispatch_bh':
qapi/qmp-dispatch.c:140:(.text+0x5c): undefined reference to `aio_wait_kick'
```
This aio_kick() usage was recently introduced in qmp-dispatch.c
without updating the build logic.
Fixes commit fc1a2ec7da531223b3473185dc2584f8a7c6c659
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Qemu's tools like qemu-img are often needed on 32-bit platforms,
although the actual qemu emulators have been discontinued on 32-bit.
To allow building the tools on 32-bit this patch implements three small
changes:
a) The check in meson.build is changed to still error out if the user
tries to build qemu-system or qemu-user on a 32-bit platform, but allows
building tools (e.g. by "--enable-tools") alone.
b) The compile-time check in atomic.h now checks against
sizeof(uint64_t) so that 32-bit environments can still build
successfully, while 128-bit atomic operations are prevented from sneaking in.
c) Allow linking against libatomic as long as we don't build the
qemu-system and qemu-user binaries.
Successfully tested on the 32-bit big-endian powerpc architecture.
Signed-off-by: Helge Deller <deller@gmx.de>
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
The stn_he_p function only supports power-of-two sizes, so it will
assert if we call it with size 3, which happens with 24 bits per pixel.
It's not clear from the documentation if this should be supported or
not and drivers tested so far don't use it so refuse the parameters
that would crash QEMU for now.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Chad Jablonski <chad@jablonski.xyz>
Message-ID: <20260406012031.335A0596A24@zero.eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Offset (display start address) should also be updated when changing
the register value not only on mode change. Fix the register write
mask to hard code bits 0:2 to 0 as the chip docs say and update the
start address on register write. This fixes virtual screen panning for
screens larger than displayed resolution.
As this register allows values that cannot be handled by the VBE_DISPI
X and Y offsets (which is restricted by line length) we add a function
to set it directly not through the VBE offsets.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Tested-by: Chad Jablonski <chad@jablonski.xyz>
Reviewed-by: Chad Jablonski <chad@jablonski.xyz>
Message-ID: <2b8af6022aba06aa98a249ae67922de29d82d86f.1775228029.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
omap_sx1 wires the "sx1.cs3" region to OMAP_CS2_BASE instead of
OMAP_CS3_BASE.
That places both CS2 and CS3 at the same address and leaves the real
CS3 window unmapped. Point the CS3 region at OMAP_CS3_BASE so the
static chip-select layout matches the OMAP address definitions.
Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Fixes: ba1580299d0 ("omap_sx1: convert to memory API")
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260403014441.38725-1-zhaoguohan@kylinos.cn>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
cirrus-vga: Make frame buffer endianness little endian by default
QEMU VGA defaults to target endianness but real Cirrus VGA is little
endian so set it explicitly in cirrus_init_common() to fix it on big
endian machines.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260401205327.914905969EC@zero.eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Alex Bennée [Sun, 5 Apr 2026 11:24:10 +0000 (12:24 +0100)]
target/arm: fix fault_s1ns for stage 2 faults
The computation of s1ns was simply wrong. For Stage 2 faults, it
should indicate whether the faulting IPA is in the Non-Secure IPA
space. Correct the logic to check for ARMSS_NonSecure and drop the
extraneous s2_mmu_idx test.
This is effectively a change in the intended semantics of the
ARMMMUFaultInfo::s1ns field, so that we no longer try to make it
exactly match HPFAR_EL2.NS but instead set it for any stage 2 fault
on an NS IPA, relying on users of the field to check whether the
fault is to be taken to Secure EL2 before propagating the field to
the HPFAR_EL2.NS bit. Since the actual writing of HPFAR_EL2.NS is
already gated by arm_is_secure_below_el3(env), we only need to update
the comments to document this change of semantics.
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2568
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260405112410.603223-1-alex.bennee@linaro.org
[PMM: also update comments about the s1ns field]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Michael Tokarev [Wed, 25 Mar 2026 13:49:26 +0000 (16:49 +0300)]
util/meson.build: do not add cpuinfo-$arch to util_ss for 32bit CPUs
qemu dropped support for 32bit CPUs recently, so this change is an
additional clean-up on top. But in theory it will allow building
qemu-guest-agent on a 32bit system.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Peter Maydell [Tue, 31 Mar 2026 09:23:05 +0000 (10:23 +0100)]
target/arm: do_ats_write(): avoid assertion when ptw failed
In do_ats_write() we try to assert that the cacheattrs from
get_phys_addr_for_at() are in the form we expect:
/*
* ATS operations only do S1 or S1+S2 translations, so we never
* have to deal with the ARMCacheAttrs format for S2 only.
*/
assert(!res.cacheattrs.is_s2_format);
However, the GetPhysAddrResult struct documents that its fields are
only valid when the page table walk succeeded. For a two stage page
table walk which fails during stage two, we will return early from
get_phys_addr_twostage() and depending on the fault type the
res.cacheattrs may have been initialized with the stage 2 cache attr
information in stage 2 format. In this case we will incorrectly
assert here.
Fix the assertion to not look at the res fields if the lookup failed.
Note for stable backports: the do_ats_write() function is in
target/arm/helper.c in older QEMU versions, but the change to the
assert line is the same.
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3328
Fixes: 9f225e607f21 ("target/arm: Postpone interpretation of stage 2 descriptor attribute bits")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260331092305.2062580-1-peter.maydell@linaro.org
* tag 'firmware-20260401-for-11.0-pull-request' of https://gitlab.com/kraxel/qemu:
igvm: fix parent object type in IgvmCfg struct
igvm: fix memory leak on failed memory region init
igvm: switch to PRIx64
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Wed, 1 Apr 2026 09:49:09 +0000 (10:49 +0100)]
Merge tag 'pull-linux-user-20260401' of https://gitlab.com/pm215/qemu into staging
linux-user:
* don't incorrectly sign extend guest addresses from mlock etc
* fix name_to_handle_at when AT_HANDLE_MNT_ID_UNIQUE flag is set
* update select timeout writeback
* make openat2() use -L for absolute paths
* correctly handle SIGSEGV generated when trying to deliver
a synchronous signal
* tag 'pull-linux-user-20260401' of https://gitlab.com/pm215/qemu:
bsd-user, linux-user: signal: recursive signal delivery fix
linux-user: Make openat2() use -L for absolute paths
linux-user: update select timeout writeback
linux-user: fix name_to_handle_at when AT_HANDLE_MNT_ID_UNIQUE flag is set
include/user/guest-host.h: Provide g2h etc for both abi_ptr and vaddr
include: Don't include guest-host.h in cpu-ldst.h
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Tue, 31 Mar 2026 19:46:13 +0000 (20:46 +0100)]
Merge tag 'hppa-more-v11-fixes-pull-request' of https://github.com/hdeller/qemu-hppa into staging
HPPA patches for qemu-v11
A few late fixes for the HPPA architecture for QEMU v11:
- graphics support was broken for 64-bit machines. This series adds
support for VGA graphics for Linux guests
- the various memory ranges were not correctly implemented
- TOC/NMI was not working on 64-bit machines
- minor 64-bit HP-UX boot fixes (but HP-UX 64-bit still crashes)
# -----BEGIN PGP SIGNATURE-----
#
# iHUEABYKAB0WIQS86RI+GtKfB8BJu973ErUQojoPXwUCacwXxAAKCRD3ErUQojoP
# X7NxAQCBszDUKsNX5KiB+cxW1AfT1Gyzo4q9T0NNULO5v2Fn7gD/YVzgtZ6F+crK
# 1eG1R0aVekPmx+NClsCLvy/dX1YmTww=
# =L+6i
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue Mar 31 19:51:48 2026 BST
# gpg: using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
# gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown]
# gpg: aka "Helge Deller <deller@kernel.org>" [unknown]
# gpg: aka "Helge Deller <deller@debian.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4544 8228 2CD9 10DB EF3D 25F8 3E5F 3D04 A7A2 4603
# Subkey fingerprint: BCE9 123E 1AD2 9F07 C049 BBDE F712 B510 A23A 0F5F
* tag 'hppa-more-v11-fixes-pull-request' of https://github.com/hdeller/qemu-hppa:
target/hppa: Update SeaBIOS-hppa to version 24
hw/hppa: Implement memory ranges
target/hppa: Fix TOC handler for 64-bit CPUs
hw/pci-host/astro: Add GMMIO mapping
hw/pci-host/astro: Fix LMMIO DIRECT mappings
hw/pci-host/astro: Implement LMMIO registers
hw/pci-host/astro: Fix initial addresses in IOC
hw/pci-host/astro: Make astro address arrays accessible for other users
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Helge Deller [Tue, 31 Mar 2026 18:24:24 +0000 (20:24 +0200)]
target/hppa: Update SeaBIOS-hppa to version 24
New SeaBIOS-hppa v24 release with various fixes for qemu-v11:
- Initialize Astro chip with relevant LMMIO, GMMIO and others
- Disable Artist on 64-bit machines
- Fully implement parisc memory ranges
- Change inventory to list CPU first for HP-UX
- Allow 715 to boot from HP-UX 11iv1 CD-ROM
- Prepare for MULTICELL machines
- Initialize PCI_CACHE_LINE_SIZE PCI value
- Call TOC/HPMC handler code from OS if installed
Helge Deller [Sun, 29 Mar 2026 22:11:12 +0000 (00:11 +0200)]
hw/hppa: Implement memory ranges
All 64-bit PA-RISC machines split the memory into (up to 3) different
memory ranges, which are mapped at specific addresses. This patch
mimics the mapping as it's done on physical machines, which includes the
3.75 GB split for C3700, and 1 GB split for newer 64-bit PAT machines
like the A400.
SeaBIOS-hppa needs to know how the memory split is done, so add a new
memsplit_addr variable which stores the specific split address and hand
this over to SeaBIOS-hppa via fwcfg.
Helge Deller [Sun, 29 Mar 2026 18:46:52 +0000 (20:46 +0200)]
target/hppa: Fix TOC handler for 64-bit CPUs
When the TOC handler is triggered, e.g. by using the "NMI" command
in the QEMU monitor, make sure to call the full 64-bit TOC handler
address in SeaBIOS-hppa firmware.
This fixes the TOC handler on 64-bit CPUs (and 64-bit SeaBIOS).
Helge Deller [Sat, 28 Mar 2026 23:30:36 +0000 (00:30 +0100)]
hw/pci-host/astro: Fix LMMIO DIRECT mappings
Fix the existing code which has the mask wrong.
Implement the direct mapping via overlapping subregion with priority 3
to make sure the direct mapping gets precedence over the LMMIO region.
Helge Deller [Sat, 28 Mar 2026 23:26:14 +0000 (00:26 +0100)]
hw/pci-host/astro: Implement LMMIO registers
Add code to adjust the memory mapping windows according to the LMMIO registers
in Astro. This allows SeaBIOS-hppa to configure Astro depending on existing
PCI cards, and especially makes it possible to enable a VGA PCI card.
Nicholas Piggin [Sat, 21 Mar 2026 13:56:22 +0000 (23:56 +1000)]
bsd-user, linux-user: signal: recursive signal delivery fix
Synchronous signals must accommodate a synchronous signal being
raised during delivery, as asynchronous ones do. For example, badframe
errors during delivery will cause SIGSEGV to be raised.
Without this fix, cpu_loop() runs process_pending_signals() which
delivers the first synchronous signal (e.g., SIGILL) which fails
to set the handler and forces SIGSEGV, but that is not picked up.
process_pending_signals() returns. Then cpu_loop() runs cpu_exec()
again, which attempts to execute the same instruction, another
SIGILL.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Warner Losh <imp@bsdimp.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260321135624.581398-3-npiggin@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
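The livelock the commit above describes is easiest to see in a small model of the delivery loop. The following is an added example, not QEMU's or Nicholas Piggin's code: the struct, the helper names (force_sig, handle_pending_signal, run) and the "unwritable guest stack" failure are all constructed here, and the buggy variant only approximates the pre-fix control flow the commit message sketches. It shows why a signal forced from inside delivery has to be consumed in the same process_pending_signals() pass rather than left for the next trip through cpu_exec().

```c
/*
 * Added example, not QEMU code: a toy model of a user-mode emulator's
 * synchronous-signal delivery loop. All names and the frame-setup failure
 * are hypothetical; only the shape of the bug follows the commit text.
 */
#include <signal.h>
#include <stdbool.h>
#include <stddef.h>

#define MAX_DELIVERED 8
#define MAX_ITERS 100

/* Per-task emulated signal state. */
struct task {
    int sync_pending;                /* 0 = none, else pending sync signal */
    bool frame_setup_ok;             /* can a signal frame be written? */
    int delivered[MAX_DELIVERED];    /* signals whose handler really ran */
    size_t ndelivered;
};

/* force_sig: record a synchronous signal raised from inside delivery. */
static void force_sig(struct task *t, int sig)
{
    t->sync_pending = sig;
}

/*
 * handle_pending_signal: push a signal frame for sig. If the guest stack
 * is unwritable ("badframe"), delivery itself forces SIGSEGV instead of
 * running the handler; SIGSEGV is modelled as always deliverable because
 * its default action kills the task.
 */
static void handle_pending_signal(struct task *t, int sig)
{
    if (sig != SIGSEGV && !t->frame_setup_ok) {
        force_sig(t, SIGSEGV);
        return;
    }
    if (t->ndelivered < MAX_DELIVERED) {
        t->delivered[t->ndelivered++] = sig;
    }
}

/* Buggy variant: hand out the one pending sync signal and return. The
 * SIGSEGV that force_sig() queued during delivery is never looked at. */
static void process_pending_signals_buggy(struct task *t)
{
    int sig = t->sync_pending;
    if (sig) {
        t->sync_pending = 0;
        handle_pending_signal(t, sig);
    }
}

/* Fixed variant: keep going until delivery raised nothing new. */
static void process_pending_signals_fixed(struct task *t)
{
    int sig;
    while ((sig = t->sync_pending) != 0) {
        t->sync_pending = 0;
        handle_pending_signal(t, sig);   /* force_sig() re-arms the loop */
    }
}

/*
 * run: stand-in for cpu_loop(). Every cpu_exec() re-executes the same
 * illegal instruction and raises SIGILL; we stop once SIGSEGV has been
 * delivered (task killed) or after MAX_ITERS, which is the livelock.
 * Returns the number of cpu_exec() iterations taken.
 */
static int run(struct task *t, void (*process)(struct task *))
{
    int iters = 0;
    while (iters < MAX_ITERS) {
        iters++;
        force_sig(t, SIGILL);            /* cpu_exec() faulted again */
        process(t);
        if (t->ndelivered && t->delivered[t->ndelivered - 1] == SIGSEGV) {
            break;
        }
    }
    return iters;
}

/* Drivers for both variants on a task whose stack cannot take a frame. */
int iterations_with_buggy_loop(void)
{
    struct task t = { .frame_setup_ok = false };
    return run(&t, process_pending_signals_buggy);
}

int iterations_with_fixed_loop(void)
{
    struct task t = { .frame_setup_ok = false };
    return run(&t, process_pending_signals_fixed);
}

int main(void)
{
    /* buggy loop spins to MAX_ITERS; fixed loop kills the task on pass 1 */
    return (iterations_with_buggy_loop() == MAX_ITERS &&
            iterations_with_fixed_loop() == 1) ? 0 : 1;
}
```

In the buggy variant the forced SIGSEGV sits in sync_pending only until the next cpu_exec() overwrites it with a fresh SIGILL, so the guest never dies and never makes progress; looping inside the delivery function is what lets the second synchronous signal win.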
Sun Haoyu [Tue, 17 Mar 2026 05:38:27 +0000 (13:38 +0800)]
linux-user: Make openat2() use -L for absolute paths
openat2() ignored the -L prefix and opened host files directly.
For example, openat2("/tmp/file") opened /tmp/file on the host, not
QEMU_LD_PREFIX/tmp/file like openat() does.
Fix this by using path() to rewrite absolute paths. Skip this
when RESOLVE_BENEATH or RESOLVE_IN_ROOT is set:
- RESOLVE_BENEATH rejects absolute paths anyway
- RESOLVE_IN_ROOT resolves relative to dirfd
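The rule the commit above states, prefix absolute paths unless RESOLVE_BENEATH or RESOLVE_IN_ROOT is set, is short enough to write down as a standalone function. This is an added example, not QEMU's path() helper or Sun Haoyu's patch: the sysroot location, the constructed list of files "present" in it, the RESOLVE_* values copied from the Linux UAPI header, and the fall-back to the unprefixed name when the sysroot lacks the file are all this example's own assumptions.

```c
/*
 * Added example, not QEMU code: how a user-mode emulator's "-L <prefix>"
 * sysroot rewrite should treat openat2(). Prefix, sysroot contents and
 * helper names are constructed for the example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from the Linux UAPI <linux/openat2.h>, defined locally so the
 * example also builds on hosts without that header. */
#ifndef RESOLVE_BENEATH
#define RESOLVE_BENEATH 0x08
#endif
#ifndef RESOLVE_IN_ROOT
#define RESOLVE_IN_ROOT 0x10
#endif

#define SYSROOT "/usr/gnemul/qemu-aarch64"   /* assumed "-L" argument */

/* Constructed stand-in for the files that exist under SYSROOT. */
static const char *const sysroot_files[] = {
    "/tmp/file",
    "/lib/ld-linux-aarch64.so.1",
};

static bool in_sysroot(const char *guest_path)
{
    size_t n = sizeof(sysroot_files) / sizeof(sysroot_files[0]);
    for (size_t i = 0; i < n; i++) {
        if (strcmp(sysroot_files[i], guest_path) == 0) {
            return true;
        }
    }
    return false;
}

/*
 * Decide which host path openat2(dirfd, guest_path, how) should open.
 *
 *  - Relative paths are left alone: they resolve against dirfd.
 *  - RESOLVE_BENEATH: the kernel rejects absolute paths, so the string is
 *    passed through unchanged and the kernel keeps reporting that error
 *    instead of us quietly turning it into a sysroot path.
 *  - RESOLVE_IN_ROOT: "/" already means dirfd; prefixing the sysroot would
 *    let the guest reach outside the root the caller chose.
 *  - Otherwise behave like openat(): prefix the sysroot, falling back to the
 *    unprefixed name if the sysroot has no such file (this fallback is the
 *    example's own policy, not something the commit text specifies).
 *
 * Returns buf (prefixed), guest_path (unchanged), or NULL if the prefixed
 * name would not fit in buf, which a caller should turn into ENAMETOOLONG.
 */
static const char *rewrite_openat2_path(const char *guest_path,
                                        uint64_t resolve_flags,
                                        char *buf, size_t buflen)
{
    if (guest_path[0] != '/') {
        return guest_path;
    }
    if (resolve_flags & (RESOLVE_BENEATH | RESOLVE_IN_ROOT)) {
        return guest_path;
    }
    if (!in_sysroot(guest_path)) {
        return guest_path;
    }
    int n = snprintf(buf, buflen, "%s%s", SYSROOT, guest_path);
    if (n < 0 || (size_t)n >= buflen) {
        return NULL;
    }
    return buf;
}

/* 1 if rewriting guest_path with resolve_flags yields exactly expected. */
int rewrite_matches(const char *guest_path, uint64_t resolve_flags,
                    const char *expected)
{
    char buf[512];
    const char *got = rewrite_openat2_path(guest_path, resolve_flags,
                                           buf, sizeof buf);
    return got != NULL && strcmp(got, expected) == 0;
}

int main(void)
{
    /* the case from the commit: "/tmp/file" must land in the sysroot */
    int ok = rewrite_matches("/tmp/file", 0, SYSROOT "/tmp/file")
          && rewrite_matches("/tmp/file", RESOLVE_BENEATH, "/tmp/file")
          && rewrite_matches("/tmp/file", RESOLVE_IN_ROOT, "/tmp/file")
          && rewrite_matches("tmp/file", 0, "tmp/file")
          && rewrite_matches("/etc/hostname", 0, "/etc/hostname");
    return ok ? 0 : 1;
}
```

The security-relevant check is the RESOLVE_IN_ROOT branch: a guest that asked for a chroot-style lookup relative to dirfd must not have its "/" silently rebased onto the emulator's sysroot, and conversely a plain absolute open must not leak to the host's real /tmp, which is exactly the behaviour the commit fixes.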
Sun Haoyu [Fri, 20 Mar 2026 11:16:47 +0000 (19:16 +0800)]
linux-user: update select timeout writeback
The Linux kernel writes back the remaining timeout for select-family
syscalls in poll_select_finish(). If that writeback fails, it keeps
the original return value.
However, QEMU only writes back the timeout on success. If the writeback
fails, QEMU returns -TARGET_EFAULT. This can lose the remaining
timeout and change the return value.
Update do_select(), do_pselect6(), and do_ppoll() to always write back
the timeout to match the Linux kernel's behavior. If the timeout
writeback fails, keep the original return value.
Tested with the issue reproducer.
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3343
Signed-off-by: Sun Haoyu <shyliuli@aosc.io>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260320111647.138984-1-shyliuli@aosc.io
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>